Mailinglist Archive: opensuse-bugs (5916 mails)
|< Previous||Next >|
[Bug 671820] New: ssh host-based authentication does not work for non root users
- From: bugzilla_noreply@xxxxxxxxxx
- Date: Mon, 14 Feb 2011 18:33:23 +0000
- Message-id: <firstname.lastname@example.org/>
Summary: ssh host-based authentication does not work for non
Product: openSUSE 11.4
Version: RC 1
Priority: P5 - None
Found By: ---
Created an attachment (id=413917)
ssh client traces
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:22.214.171.124)
Gecko/20101203 Firefox/3.6.13 ( .NET CLR 3.5.30729)
I have configured an openssh server and client to perform host-based
authentication between one openSUSE 11.4 (milestone 5) installed in virtualbox
4.0.2 and openSUSE 11.3 on a laptop.
This kind of authentication ceased to work since milestone 6, and does not work
for RC1 (openssh-5.8p1-3.1) for non root user. This always works for root user
since ssh client has enough access permissions to directly get machine's
private key. For a non root user, ssh client has no permission access to read
directly machine's private key. In this case, this task is devoted to keysign
I'm trying to connect to an openssh 5.4 server. Here's a short exchange from
openssh 5.8 client :
gilles@gilles-vbureau:~> ssh gilles-portable
no matching hostkey found
ssh_keysign: no reply
in attachments, you'll find a complete debugged traces from client and ssh
client and server configurations. Let me know if you want more informations.
I can see many "debug1: permanently_drop_suid: 1000" from ssh client's traces.
I thought this was a security hardening, but I have not seen anything related
to that in 5.5 to 5.8 release notes. From a strict security point of view, that
is OK since access is restricted to system access or administrator user.
As a workaround, one can simply use user-based authentication for a few users,
which does not require client or server configuration, and is simpler to set up
: user public key content has simply to be added to server
Steps to Reproduce:
1. Configure ssh host-based authentication on 2 hosts :
* set /etc/hosts with ip addresses of the 2 machines, simple host names and
FQDN names (or configure a dns server).
* set /etc/hosts.equiv + .shosts (into root account) with simple host names and
* set ssh_config and sshd_config (see attachments)
* set suid bit of ssh-keysign on client host, with command :
chmod u+s /usr/lib/ssh/ssh-keysign
* on the server, get the public key of the client :
ssh-keyscan -t rsa <server FQDN> <server name> >> \
2. try to connect from 11.4 ssh client with command : "ssh <server>"
3. host-based authentication filed and server password is
The ssh client asks the user for the ssh server password since no component can
provide the host private key.
The user should have his ssh session directly, without providing any password.
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
|< Previous||Next >|