[Bug 417221] New: one side ssh host-based authentication failure
https://bugzilla.novell.com/show_bug.cgi?id=417221

User gilles.sabourin@free.fr added comment
https://bugzilla.novell.com/show_bug.cgi?id=417221#c53

           Summary: one side ssh host-based authentication failure
           Product: openSUSE 11.0
           Version: Final
          Platform: x86-64
        OS/Version: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Basesystem
        AssignedTo: bnc-team-screening@forge.provo.novell.com
        ReportedBy: gilles.sabourin@free.fr
         QAContact: qa@suse.de
          Found By: Customer

Created an attachment (id=233376)
 --> (https://bugzilla.novell.com/attachment.cgi?id=233376)
ssh client config

I have set up a DNS server in my LAN network and reconfigured both ssh clients and servers according to the method described in this document:
http://itg.chem.indiana.edu/inc/wiki/software/openssh/189.html

I am running openssh 5.0-p1 on openSUSE 11.0 on both my 32bits laptop and my 64bits desktop.

DNS server is running well on my 64bits desktop:

gilles@gilles-bureau:~> nslookup 192.168.0.100
Server:         192.168.0.100
Address:        192.168.0.100#53

100.0.168.192.in-addr.arpa      name = gilles-bureau.site.

gilles@gilles-bureau:~> nslookup 192.168.0.101
Server:         192.168.0.100
Address:        192.168.0.100#53

101.0.168.192.in-addr.arpa      name = gilles-portable.site.

From my laptop towards my desktop, host-based authentication performs well, so I don't need to give a password anymore.
From my desktop towards my laptop, host-based authentication fails : I still got a prompt for the password.
I have checked all the points in the method, so I am sure that:
- ssh_config and sshd_config are the same on both machines;
- /etc/ssh/ssh_known_hosts and /etc/hosts.equiv are the same on both sides;
- suid bit is set for ssh-keysign on both PCs.
(see attachments)

So, I tried to investigate further and have launched the ssh daemon at the highest debug level for the 2 cases, success / failure authentication (see attachments).

In the 2 cases, the dialog between the server and the client is roughly the same at the beginning, up to a point, where:

- in case of success, I got:

debug1: PAM: initializing for "gilles"
debug1: PAM: setting PAM_RHOST to "gilles-portable.site"
debug1: PAM: setting PAM_TTY to "ssh"
..
debug1: userauth-request for user gilles service ssh-connection method hostbased
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method hostbased

- in case of failure, there are missing settings of PAM_RHOST and PAM_TTY:

..
debug1: PAM: initializing for "gilles"
debug1: userauth-request for user gilles service ssh-connection method keyboard-interactive

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=417221

User gilles.sabourin@free.fr added comment
https://bugzilla.novell.com/show_bug.cgi?id=417221#c1

--- Comment #1 from Gilles Sabourin <gilles.sabourin@free.fr> 2008-08-14 02:11:50 MDT ---
Created an attachment (id=233377)
 --> (https://bugzilla.novell.com/attachment.cgi?id=233377)
ssh server config

https://bugzilla.novell.com/show_bug.cgi?id=417221

User gilles.sabourin@free.fr added comment
https://bugzilla.novell.com/show_bug.cgi?id=417221#c2

--- Comment #2 from Gilles Sabourin <gilles.sabourin@free.fr> 2008-08-14 02:12:37 MDT ---
Created an attachment (id=233378)
 --> (https://bugzilla.novell.com/attachment.cgi?id=233378)
hosts.equiv on both machines

https://bugzilla.novell.com/show_bug.cgi?id=417221

User gilles.sabourin@free.fr added comment
https://bugzilla.novell.com/show_bug.cgi?id=417221#c3

--- Comment #3 from Gilles Sabourin <gilles.sabourin@free.fr> 2008-08-14 02:13:56 MDT ---
Created an attachment (id=233379)
 --> (https://bugzilla.novell.com/attachment.cgi?id=233379)
ssh log server - failed authentication

https://bugzilla.novell.com/show_bug.cgi?id=417221

User gilles.sabourin@free.fr added comment
https://bugzilla.novell.com/show_bug.cgi?id=417221#c4

--- Comment #4 from Gilles Sabourin <gilles.sabourin@free.fr> 2008-08-14 02:14:51 MDT ---
Created an attachment (id=233380)
 --> (https://bugzilla.novell.com/attachment.cgi?id=233380)
ssh log server - successful authentication

https://bugzilla.novell.com/show_bug.cgi?id=417221

User gilles.sabourin@free.fr added comment
https://bugzilla.novell.com/show_bug.cgi?id=417221#c5

--- Comment #5 from Gilles Sabourin <gilles.sabourin@free.fr> 2008-08-14 02:28:51 MDT ---
I have kept an openSUSE 10.3/64 bits and set up the same DNS server and ssh configurations on my desktop, and I got the same issue.

Before setting up a DNS server, I tried to put hosts declarations in /etc/hosts on both machines, and I also got the same issue, but I think this test case is not significant since the method warns well about authentication failures and DNS problems.

https://bugzilla.novell.com/show_bug.cgi?id=417221

User gilles.sabourin@free.fr added comment
https://bugzilla.novell.com/show_bug.cgi?id=417221#c6

--- Comment #6 from Gilles Sabourin <gilles.sabourin@free.fr> 2008-08-16 04:21:57 MDT ---
I have noticed that both sides work when logged in as root, but do not when logged in as simple user gilles.

I have seen that a simple user has no access permissions to read public keys:

ls -l *key.pub
-rw------- 1 root root 608 Apr 15 23:28 ssh_host_dsa_key.pub
-rw------- 1 root root 228 Apr 15 23:28 ssh_host_rsa_key.pub

This is wrong and should be:

-rw-r--r-- 1 root root 608 Apr 15 23:28 ssh_host_dsa_key.pub
-rw-r--r-- 1 root root 228 Apr 15 23:28 ssh_host_rsa_key.pub

This is really 64 bits platform related, since access permissions are set up correctly on openSUSE 11.0 32 bits.

So, I have changed access permissions for these public keys, and host-based authentication works on both sides now.

The openssh package should be corrected in order to have openssh creating new public keys with 644 mode instead of 600.

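The check from comment #6, as an added example that is not part of the bug report or of the openssh package: a shell function that reports host public keys that are not world-readable, private host keys that grant access to group or other, and an ssh-keysign helper without the setuid bit. The key directory and helper path are arguments supplied by the caller, and the sample directory is constructed to mirror the modes listed above.

```shell
#!/bin/sh
# Added example (not from the bug report): audit the file modes that
# host-based authentication depends on. Paths are passed in by the caller.

# has_perm FILE BITS: true when every octal bit in BITS is set on FILE.
# Mode bits are inspected directly, so the answer is the same when run as root.
has_perm() { [ -n "$(find "$1" -prune -perm "-$2" 2>/dev/null)" ]; }

# audit_hostbased KEYDIR [KEYSIGN]: print one finding per line,
# return 0 when clean and 1 when anything was reported.
audit_hostbased() {
    dir=$1 keysign=${2:-} bad=0
    for pub in "$dir"/ssh_host_*_key.pub; do
        [ -e "$pub" ] || continue
        # Public host keys must be readable by unprivileged users (0644).
        has_perm "$pub" 004 || { echo "UNREADABLE_PUB $pub"; bad=1; }
        priv=${pub%.pub}
        [ -e "$priv" ] || continue
        # Private host keys must grant nothing to group or other (0600).
        for bit in 040 020 010 004 002 001; do
            if has_perm "$priv" "$bit"; then
                echo "EXPOSED_PRIV $priv"; bad=1; break
            fi
        done
    done
    # The signing helper has to be setuid to read the private host key.
    if [ -n "$keysign" ] && ! has_perm "$keysign" 4000; then
        echo "KEYSIGN_NOT_SETUID $keysign"; bad=1
    fi
    return "$bad"
}

# make_sample_dir: constructed fixture reproducing the modes in comment #6.
make_sample_dir() {
    d=$(mktemp -d)
    for k in dsa rsa; do
        : > "$d/ssh_host_${k}_key";     chmod 600 "$d/ssh_host_${k}_key"
        : > "$d/ssh_host_${k}_key.pub"; chmod 600 "$d/ssh_host_${k}_key.pub"
    done
    echo "$d"
}

sample=$(make_sample_dir)
audit_hostbased "$sample" || echo "findings above: chmod 644 the .pub files"
rm -rf "$sample"
```
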
https://bugzilla.novell.com/show_bug.cgi?id=417221

Robert Vojcik <rvojcik@novell.com> changed:

           What    |Removed                                   |Added
----------------------------------------------------------------------------
         AssignedTo|bnc-team-screening@forge.provo.novell.com |anicka@novell.com

https://bugzilla.novell.com/show_bug.cgi?id=417221

Anna Bernathova <anicka@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

https://bugzilla.novell.com/show_bug.cgi?id=417221

User anicka@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=417221#c7

Anna Bernathova <anicka@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |INVALID

--- Comment #7 from Anna Bernathova <anicka@novell.com> 2008-09-01 05:12:22 MDT ---
I tried to reproduce your bug in similar settings and it worked fine. Both of my installations (even the 64bit one) were default and keys had permissions set correctly.

I have checked the init script that generates the keys. I am quite sure that there was never any difference between i386 and x86_64 installations. And I am also quite sure that there were no relevant changes in the code recently. So I do not really think that any reasonably old openssh package is to blame.

I cannot say that I know where the wrong permissions came from. But as package permissions fixes permissions for ssh keys automatically now (at least for 11.1), I think there is no more problem here.

Because I was never able to reproduce the problem with wrong key permissions, I am closing as invalid.

https://bugzilla.novell.com/show_bug.cgi?id=417221

User gilles.sabourin@free.fr added comment
https://bugzilla.novell.com/show_bug.cgi?id=417221#c8

--- Comment #8 from Gilles Sabourin <gilles.sabourin@free.fr> 2008-09-01 12:54:02 MDT ---
I have performed a fresh install of openSUSE 11.0, not an upgrade from an older version: maybe the problem has been corrected between now and the time when the release came out.

From a security point of view, these public keys should _NOT_ be world readable to work currently with authenticated users.

This is the administrator's responsibility to check these ones are world readable to set up a host-based authentication.