
Bug#164325: marked as done (ssh: RhostsRSAAuthentication needs a setuid ssh)



Your message dated Fri, 23 Dec 2016 22:23:04 +0000
with message-id <20161223222303.GA3518@riva.ucam.org>
and subject line Re: Bug#164325: Acknowledgement (RhostsRSA/Hostbased auth doesn't work)
has caused the Debian Bug report #164325,
regarding ssh: RhostsRSAAuthentication needs a setuid ssh
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
164325: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=164325
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: ssh
Version: 1:3.4p1-1

I'm trying to use RhostsRSA (protocol version 1) and Hostbased (protocol
version 2) authentication with ssh, but this doesn't work unless I make
/usr/bin/ssh suid root. Now, older ssh packages asked me whether I want
to do this, while the current one only asks about ssh-keysign. If I
understand this correctly, ssh-keysign is supposed to support Hostbased
authentication for protocol version 2, so that ssh no longer has to be
suid root. But even with a suid ssh-keysign, Hostbased authentication
doesn't work for me.

So there are actually a few bugs:
1. Hostbased auth doesn't work even with suid ssh-keysign
2. There's no way to do RhostsRSA auth with the current setup. Since
protocol version 1 is probably considered obsolete, I can understand
that this is not supported out-of-the-box. However, a little note in the
debconf dialog which asks about suid ssh-keysign that for protocol
version 1 with RhostsRSA, ssh still needs to be suid would be useful.
3. README.Debian.gz still talks about debconf making ssh suid instead of
ssh-keysign. It also would be useful to mention that this not only
affects Rhosts but also RhostsRSA authentication.


Here are logs of ssh -v trying to log in using protocol 1 and 2 with a
non-suid ssh:

buck@cobra:~$ ll /usr/bin/ssh
-rwxr-xr-x    1 root     root       230248 Jun 28 17:28 /usr/bin/ssh*
buck@cobra:~$ ssh -1 -v cobra
OpenSSH_3.4p1 Debian 1:3.4p1-1, SSH protocols 1.5/2.0, OpenSSL
0x0090603f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be
trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to cobra [139.79.100.38] port 22.
debug1: Connection established.
debug1: identity file /home/buck/.ssh/identity type -1
debug1: Remote protocol version 1.99, remote software version
OpenSSH_3.4p1 Debian 1:3.4p1-1
debug1: match: OpenSSH_3.4p1 Debian 1:3.4p1-1 pat OpenSSH*
debug1: Local version string SSH-1.5-OpenSSH_3.4p1 Debian 1:3.4p1-1
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug1: Host 'cobra' is known and matches the RSA1 host key.
debug1: Found key in /etc/ssh/ssh_known_hosts:3
debug1: Encryption type: 3des
debug1: Sent encrypted session key.
debug1: cipher_init: set keylen (16 -> 32)
debug1: cipher_init: set keylen (16 -> 32)
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: RSA authentication using agent refused.
debug1: Doing challenge response authentication.
debug1: No challenge.
debug1: Doing password authentication.
buck@cobra's password: ^C

buck@cobra:~$ ssh -2 -v cobra
OpenSSH_3.4p1 Debian 1:3.4p1-1, SSH protocols 1.5/2.0, OpenSSL
0x0090603f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be
trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to cobra [139.79.100.38] port 22.
debug1: Connection established.
debug1: identity file /home/buck/.ssh/id_rsa type -1
debug1: identity file /home/buck/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version
OpenSSH_3.4p1 Debian 1:3.4p1-1
debug1: match: OpenSSH_3.4p1 Debian 1:3.4p1-1 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 126/256
debug1: bits set: 1602/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'cobra' is known and matches the RSA host key.
debug1: Found key in /etc/ssh/ssh_known_hosts:19
debug1: bits set: 1639/3191
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue:
publickey,password,keyboard-interactive,hostbased
debug1: next auth method to try is hostbased
debug1: ssh_keysign called
debug1: Remote: Accepted for cobra.ma.tech.ascom.ch [139.79.100.38] by
/etc/ssh/shosts.equiv.
debug1: authentications that can continue:
publickey,password,keyboard-interactive,hostbased
debug1: ssh_keysign called
debug1: Remote: Accepted for cobra.ma.tech.ascom.ch [139.79.100.38] by
/etc/ssh/shosts.equiv.
debug1: authentications that can continue:
publickey,password,keyboard-interactive,hostbased
debug1: userauth_hostbased: no more client hostkeys
debug1: next auth method to try is publickey
debug1: try privkey: /home/buck/.ssh/id_rsa
debug1: try privkey: /home/buck/.ssh/id_dsa
debug1: next auth method to try is keyboard-interactive
debug1: authentications that can continue:
publickey,password,keyboard-interactive,hostbased
debug1: next auth method to try is password
buck@cobra's password: ^C

buck@cobra:~$ 


With suid ssh, it works as expected:

buck@cobra:~$ ll /usr/bin/ssh
-rwsr-xr-x    1 root     root       230248 Jun 28 17:28 /usr/bin/ssh*
buck@cobra:~$ ssh -1 -v cobra
OpenSSH_3.4p1 Debian 1:3.4p1-1, SSH protocols 1.5/2.0, OpenSSL
0x0090603f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be
trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to cobra [139.79.100.38] port 22.
debug1: Connection established.
debug1: read PEM private key done: type DSA
debug1: read PEM private key done: type RSA
debug1: identity file /home/buck/.ssh/identity type -1
debug1: Remote protocol version 1.99, remote software version
OpenSSH_3.4p1 Debian 1:3.4p1-1
debug1: match: OpenSSH_3.4p1 Debian 1:3.4p1-1 pat OpenSSH*
debug1: Local version string SSH-1.5-OpenSSH_3.4p1 Debian 1:3.4p1-1
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug1: Host 'cobra' is known and matches the RSA1 host key.
debug1: Found key in /etc/ssh/ssh_known_hosts:3
debug1: Encryption type: 3des
debug1: Sent encrypted session key.
debug1: cipher_init: set keylen (16 -> 32)
debug1: cipher_init: set keylen (16 -> 32)
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: Trying rhosts or /etc/hosts.equiv with RSA host authentication.
debug1: Remote: Accepted for cobra.ma.tech.ascom.ch [139.79.100.38] by
/etc/ssh/shosts.equiv.
debug1: Received RSA challenge for host key from server.
debug1: Sending response to host key RSA challenge.
debug1: Remote: Rhosts with RSA host authentication accepted.
debug1: Rhosts or /etc/hosts.equiv with RSA host authentication accepted
by server.
debug1: Requesting pty.
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: fd 3 setting TCP_NODELAY
debug1: Requesting shell.
debug1: Entering interactive session.
Linux cobra 2.2.21 #4 Tue Jul 23 10:32:06 CEST 2002 i686 unknown
Last login: Fri Oct 11 18:08:48 2002 from cobra.ma.tech.ascom.ch
buck@cobra:~$ logout
Connection to cobra closed.
debug1: Transferred: stdin 23, stdout 168, stderr 29 bytes in 3.6
seconds
debug1: Bytes per second: stdin 6.5, stdout 47.2, stderr 8.1
debug1: Exit status 0
buck@cobra:~$ ssh -2 -v cobra
OpenSSH_3.4p1 Debian 1:3.4p1-1, SSH protocols 1.5/2.0, OpenSSL
0x0090603f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be
trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to cobra [139.79.100.38] port 22.
debug1: Connection established.
debug1: read PEM private key done: type DSA
debug1: read PEM private key done: type RSA
debug1: identity file /home/buck/.ssh/id_rsa type -1
debug1: identity file /home/buck/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version
OpenSSH_3.4p1 Debian 1:3.4p1-1
debug1: match: OpenSSH_3.4p1 Debian 1:3.4p1-1 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 121/256
debug1: bits set: 1554/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'cobra' is known and matches the RSA host key.
debug1: Found key in /etc/ssh/ssh_known_hosts:19
debug1: bits set: 1602/3191
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue:
publickey,password,keyboard-interactive,hostbased
debug1: next auth method to try is hostbased
debug1: Remote: Accepted for cobra.ma.tech.ascom.ch [139.79.100.38] by
/etc/ssh/shosts.equiv.
debug1: ssh-userauth2 successful: method hostbased
debug1: channel 0: new [client-session]
debug1: send channel open 0
debug1: Entering interactive session.
debug1: ssh_session2_setup: id 0
debug1: channel request 0: pty-req
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: channel request 0: x11-req
debug1: channel request 0: shell
debug1: fd 3 setting TCP_NODELAY
debug1: channel 0: open confirm rwindow 0 rmax 32768
Linux cobra 2.2.21 #4 Tue Jul 23 10:32:06 CEST 2002 i686 unknown
Last login: Fri Oct 11 18:13:54 2002 from cobra.ma.tech.ascom.ch
buck@cobra:~$ logout
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: rcvd eof
debug1: channel 0: output open -> drain
debug1: channel 0: obuf empty
debug1: channel 0: close_write
debug1: channel 0: output drain -> closed
debug1: channel 0: rcvd close
debug1: channel 0: close_read
debug1: channel 0: input open -> closed
debug1: channel 0: almost dead
debug1: channel 0: gc: notify user
debug1: channel 0: gc: user detached
debug1: channel 0: send close
debug1: channel 0: is dead
debug1: channel 0: garbage collecting
debug1: channel_free: channel 0: client-session, nchannels 1
Connection to cobra closed.
debug1: Transferred: stdin 0, stdout 0, stderr 29 bytes in 0.9 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 31.4
debug1: Exit status 0
buck@cobra:~$ 


Here are the relevant config files:

buck@cobra:~$ egrep '^[^#]+' /etc/ssh/ssh_config
Host *
   ForwardX11 yes
   RhostsRSAAuthentication yes
   HostBasedAuthentication yes
   StrictHostKeyChecking no
buck@cobra:~$ egrep '^[^#]+' /etc/ssh/sshd_config
Port 22
Protocol 2,1
HostKey /etc/ssh/ssh_host_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
UsePrivilegeSeparation yes
PAMAuthenticationViaKbdInt no
KeyRegenerationInterval 3600
ServerKeyBits 768
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 600
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
RhostsAuthentication no
IgnoreRhosts no
RhostsRSAAuthentication yes
HostbasedAuthentication yes
PermitEmptyPasswords no
PasswordAuthentication yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
KeepAlive yes
Subsystem       sftp    /usr/lib/sftp-server
buck@cobra:~$ grep cobra /etc/ssh/shosts.equiv 
cobra
cobra.ma.tech.ascom.ch
buck@cobra:~$ grep cobra /etc/ssh/ssh_known_hosts | cut -c 1-70
cobra,cobra.ma.tech.ascom.ch,139.79.100.38 1024 35 1524307617068423279
cobra,cobra.ma.tech.ascom.ch,139.79.100.38 ssh-dss AAAAB3NzaC1kc3MAAAC
cobra,cobra.ma.tech.ascom.ch,139.79.100.38 ssh-rsa AAAAB3NzaC1yc2EAAAA


--- End Message ---
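As an added example, not part of the bug report or of the Debian ssh package: a small Python check an administrator could run to spot the mismatch the report describes (host-based methods enabled in ssh_config while neither ssh nor ssh-keysign is setuid root), plus a classifier for the outcome of the `ssh -v` transcripts above. The ssh-keysign path and `ls -l` lines used as input are constructed sample values.

```python
# Added example (not from the bug report or the Debian ssh package): a check for
# the mismatch described above, plus a classifier for the `ssh -v` transcripts.

# Constructed sample: the non-comment lines of the reporter's /etc/ssh/ssh_config.
SSH_CONFIG = """Host *
   ForwardX11 yes
   RhostsRSAAuthentication yes
   HostBasedAuthentication yes
   StrictHostKeyChecking no
"""

def enabled_host_auth(config_text):
    """Host-based methods switched on in ssh_config (keywords are case-insensitive)."""
    on = set()
    for line in config_text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) != 2:
            continue
        key, val = parts[0].lower(), parts[1].strip().lower()
        if val == "yes" and key in ("rhostsrsaauthentication", "hostbasedauthentication"):
            on.add(key[: -len("authentication")])
    return on  # e.g. {"rhostsrsa", "hostbased"}

def is_setuid_root(ls_line):
    """True for an `ls -l` line like '-rwsr-xr-x 1 root root ... /usr/bin/ssh'."""
    perms, _, owner = ls_line.split()[:3]
    return owner == "root" and perms[3] in "sS"

def diagnose(config_text, ssh_ls, keysign_ls):
    """Enabled host-based methods that cannot work with these binary permissions."""
    on = enabled_host_auth(config_text)
    ssh_suid, keysign_suid = is_setuid_root(ssh_ls), is_setuid_root(keysign_ls)
    problems = []
    if "rhostsrsa" in on and not ssh_suid:
        problems.append("RhostsRSAAuthentication (protocol 1): ssh must be setuid root")
    if "hostbased" in on and not (ssh_suid or keysign_suid):
        problems.append("HostbasedAuthentication (protocol 2): ssh-keysign must be setuid root")
    return problems

def hostbased_outcome(log_text):
    """Classify an `ssh -v` transcript by how the host-based attempt ended."""
    if "ssh-userauth2 successful: method hostbased" in log_text:
        return "hostbased-ok"
    if "with RSA host authentication accepted" in log_text:
        return "rhostsrsa-ok"
    if "userauth_hostbased: no more client hostkeys" in log_text:
        return "hostbased-rejected"  # shosts.equiv matched, yet every signature was refused
    return "password-fallback" if "Doing password authentication" in log_text else "unknown"
```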
--- Begin Message ---
On Mon, Oct 14, 2002 at 02:14:11AM +0100, Colin Watson wrote:
> On Fri, Oct 11, 2002 at 06:36:51PM +0200, Martin Buck wrote:
> > Just noticed that bug#1 in my previous email is actually the same as
> > #151561.
> 
> Yep. I fixed HostbasedAuthentication in openssh 1:3.4p1-4, so I'm
> retitling this bug accordingly.

Since sshd is no longer built with protocol 1 support as of 7.1p1 (and
the server code was removed altogether in 7.4p1), the remaining part of
this bug is no longer relevant, so I'm closing it.

Thanks,

-- 
Colin Watson                                       [cjwatson@debian.org]

--- End Message ---
