Re: ssh braindamage (protocols, RSA auth)
On Mon, Sep 17, 2001 at 10:32:36AM +0200, Pietro Cagnoni wrote:
> ...
>
> i've always been able to solve my ssh problems using sshd -d and ssh -v

doh. yeah, I probably tried that. but now I've poked at it some more.
sshd -d -d -d, all protocols enabled:
not very interesting. just so you know what keys it finds:
debug1: private host key: #0 type 0 RSA1
debug1: private host key: #1 type 1 RSA
debug1: private host key: #2 type 2 DSA
and then ssh -2 -v -v -v:
eh, dumped to logs and ran diff.
< w/ all protocols enabled, > w/ only 2 (only let it see the DSA key)
17c17
< debug1: Remote protocol version 1.99, remote software version OpenSSH_2.9p2
---
> debug1: Remote protocol version 2.0, remote software version OpenSSH_2.9p2
36c36
< debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
---
> debug2: kex_parse_kexinit: ssh-dss
53,54c53,54
< debug1: dh_gen_key: priv key bits set: 122/256
< debug1: bits set: 1016/2049
---
> debug1: dh_gen_key: priv key bits set: 135/256
> debug1: bits set: 995/2049
62c62
< RSA key fingerprint is eb:a9:6b:36:7e:16:33:d7:38:80:48:61:c7:44:4f:e3.
---
> DSA key fingerprint is d0:51:d4:c5:b7:a5:93:de:05:aa:c1:ac:87:c3:a7:7a.
Yes, I actually have to hide the ssh_host_rsa_key to get it to use v2.
Just setting 'Protocol 2' isn't enough, it still falls back to protocol
1 and finds the RSA key. Even though the debug output shows prot v2.0.
At first I thought the "protocol v1.99" threw it off, but the third case
with the setting 'Protocol 2' produces this output, among others:
debug1: Remote protocol version 2.0, remote software version OpenSSH_2.9p2
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
RSA key fingerprint is ...
...so now I think that's it. Seems to me to be preferring protocol 1,
ssh-rsa, if it's available regardless of the 'Protocol' setting.
Which seems to me to be broken behavior. Which I'd file a bug report
for, if I wasn't worried that I'm just being an idiot.
eh. Again, any comments? Anybody else trying to figure out why
protocol 2 won't work? :)
Mike McGuire
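
Added example, not part of the original post: a small parser for the client debug lines quoted above that reports which protocol versions the server banner advertises, whether SSH-2 key exchange ran, and which host key type was presented. It relies on `ssh-rsa` and `ssh-dss` both being SSH-2 host key algorithm names and on KEXINIT proposals existing only in SSH-2; that the client labels a protocol 1 key `RSA1`, as the sshd output above does, is an assumption.

```python
import re

# Host key algorithm names that appear in the post's kexinit lines (SSH-2 names).
HOSTKEY_ALGS = {"ssh-rsa", "ssh-dss"}

# Lines copied from the diff in the post: "<" side (all protocols enabled)
# and ">" side (server restricted to protocol 2, DSA host key only).
ALL_PROTOCOLS = """\
debug1: Remote protocol version 1.99, remote software version OpenSSH_2.9p2
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
RSA key fingerprint is eb:a9:6b:36:7e:16:33:d7:38:80:48:61:c7:44:4f:e3.
"""
V2_ONLY = """\
debug1: Remote protocol version 2.0, remote software version OpenSSH_2.9p2
debug2: kex_parse_kexinit: ssh-dss
DSA key fingerprint is d0:51:d4:c5:b7:a5:93:de:05:aa:c1:ac:87:c3:a7:7a.
"""

def server_protocols(banner):
    """Protocols a server banner advertises: 1.99 = 1 and 2, 2.x = 2, 1.x = 1."""
    if banner == "1.99":
        return {1, 2}
    return {2} if banner.startswith("2.") else {1}

def summarize(log):
    """Report what one `ssh -v` client log says about protocol and host key."""
    out = {"banner": None, "server_protocols": set(), "kexinit_seen": False,
           "hostkey_proposals": [], "fingerprint_type": None}
    for line in log.splitlines():
        m = re.search(r"Remote protocol version (\d+\.\d+)", line)
        if m:
            out["banner"] = m.group(1)
            out["server_protocols"] = server_protocols(m.group(1))
        m = re.search(r"kex_parse_kexinit: (\S*)", line)
        if m:
            # KEXINIT proposals are exchanged only in an SSH-2 session.
            out["kexinit_seen"] = True
            names = m.group(1).split(",")
            if set(names) <= HOSTKEY_ALGS:
                out["hostkey_proposals"].append(names)
        m = re.match(r"(\S+) key fingerprint is ", line)
        if m:
            # Assumption: the client labels a protocol 1 key "RSA1", as sshd does.
            out["fingerprint_type"] = m.group(1)
    return out

if __name__ == "__main__":
    for name, log in (("all protocols", ALL_PROTOCOLS), ("2 only", V2_ONLY)):
        print(name, summarize(log))
```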