Re: [suse-security] openssh client configuration files
On Wed, Apr 10, 2002 at 17:17 +0200, Joerg Ruhe wrote:
The man page and the O'Reilly book state the order in which configuration data is obtained as:
1. command line options
2. user's configuration file ($HOME/.ssh/config)
3. system-wide configuration file (/etc/ssh/ssh_config)
and for each parameter the first obtained value will be used. For me that means that if I set a parameter in my $HOME/.ssh/config and again in /etc/ssh/ssh_config, the value from the $HOME/.ssh/config will be used.
Right. That's a regular philosophy which generally applies in UNIX systems: The software author suggests some compiled-in defaults, the admin may provide a system-wide default config for a site, the user is free to customize things for everyday use while still being able to override settings on the command line for a single invocation. That's accepted and most of all expected behaviour.
My trouble is, I'm observing a different behaviour (as you can see in the log below):

OpenSSH_2.9.9p2, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Reading configuration data /home/ruhej/.ssh/config
debug1: Applying options for *
I cannot see a deviation from the doc here, it's just a different POV: Reading configuration files in the "from general to more specific" order and applying parameters from the command line last will result in the very effect the doc states -- the most specific settings will "win". So where's the problem?

Should you not get what you expected from reading the doc please show the /etc and the $HOME config sections and the logs (ssh -v) which prove that the program does otherwise. The cite above doesn't qualify as "behaviour differs from design" but is quite the opposite. :) No matter how it's implemented, you get the promised functionality.

virtually yours
Gerhard Sittig
[...]
means that if I set a parameter in my $HOME/.ssh/config and again in /etc/ssh/ssh_config, the value from the $HOME/.ssh/config will be used.
Right. That's a regular philosophy which generally applies in UNIX systems: The software author suggests some compiled-in defaults, the admin may provide a system-wide default config for a site, the user is free to customize things for everyday use while still being able to override settings on the command line for a single invocation. That's accepted and most of all expected behaviour.
My trouble is, I'm observing a different behaviour (as you can see in the log below):

OpenSSH_2.9.9p2, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Reading configuration data /home/ruhej/.ssh/config
debug1: Applying options for *
I cannot see a deviation from the doc here, it's just a different POV: Reading configuration files in the "from general to more specific" order and applying parameters from the command line last will result in the very effect the doc states -- the most specific settings will "win". So where's the problem?
Should you not get what you expected from reading the doc please show the /etc and the $HOME config sections and the logs (ssh -v) which prove that the program does otherwise. The cite above doesn't qualify as "behaviour differs from design" but is quite the opposite. :) No matter how it's implemented, you get the promised functionality.
I'm sorry it took some time for my reply. Okay, here is my /etc/sshd_config:

# more /etc/ssh/ssh_config
# $OpenBSD: ssh_config,v 1.10 2001/04/03 21:19:38 todd Exp $
# This is ssh client systemwide configuration file. See ssh(1) for more
# information. This file provides defaults for users, and the values can
# be changed in per-user configuration files or on the command line.
# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
# Site-wide defaults for various options
Host *
# ForwardAgent no
# ForwardX11 no
RhostsAuthentication no
RhostsRSAAuthentication yes
# RSAAuthentication yes
# PasswordAuthentication yes
FallBackToRsh no
UseRsh no
# BatchMode no
CheckHostIP yes
StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_dsa
# IdentityFile ~/.ssh/id_rsa
# Port 22
Protocol 2,1
# Cipher blowfish
# EscapeChar ~
PreferredAuthentications publickey,password
MACs hmac-sha1,hmac-ripemd160,hmac-md5,hmac-sha1-96,hmac-md5-96
# s. http://www.linuxsecurity.com/docs/LDP/Secure-Programs-HOWTO/crypto.html JR
Ciphers aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc,blowfish-cbc
----------------------------------------------------------------------------------------------------

And here is the $HOME/.ssh/config:

ruhej@lintest:~/.ssh> more config
Host *
Protocol 2
PreferredAuthentications publickey
----------------------------------------------------------------------------------------------------------

And here is the log.
The server is ssh v1 and doesn't have a public key for the account netz, so if the settings from my $HOME/.ssh/config are applied it shouldn't work:

ruhej@lintest:~/.ssh> ssh s0038021 -l netz -v
OpenSSH_2.9.9p2, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Reading configuration data /home/ruhej/.ssh/config
debug1: Applying options for *
debug1: Seeding random number generator
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 501 geteuid 501 anon 1
debug1: Connecting to s0038021 [130.197.4.38] port 22.
debug1: temporarily_use_uid: 501/100 (e=501)
debug1: restore_uid
debug1: temporarily_use_uid: 501/100 (e=501)
debug1: restore_uid
debug1: Connection established.
debug1: identity file /home/ruhej/.ssh/identity type -1
debug1: identity file /home/ruhej/.ssh/id_rsa type -1
debug1: identity file /home/ruhej/.ssh/id_dsa type -1
debug1: Remote protocol version 1.5, remote software version 1.2.25
debug1: no match: 1.2.25
debug1: Local version string SSH-1.5-OpenSSH_2.9.9p2
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug1: Host 's0038021' is known and matches the RSA1 host key.
debug1: Found key in /home/ruhej/.ssh/known_hosts:1
debug1: Encryption type: 3des
debug1: Sent encrypted session key.
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: Doing password authentication.
netz@s0038021's password:

Roland Kuhn wrote in another message in this thread that he could reproduce my problem with OpenSSH 2.9.9p2 and SuSE 7.3, but that it worked correctly with OpenSSH 3.0.2p1 and RedHat 7.2.1beta2. I would be really glad about any ideas you have on how to deal with this, or what causes this problem. And thanks again for your message.

Joerg Ruhe
Joerg.Ruhe@epost.de
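As an added illustration (not code from the thread or from OpenSSH): a small Python model of the "any configuration value is only changed the first time it is set" rule from the comment header of ssh_config, run over constructed copies of the two Host * blocks posted above. With first-set-wins semantics, the order in which the two files are read decides which Protocol and PreferredAuthentications values take effect, which is exactly what the "Reading configuration data" lines in the ssh -v output make visible.

```python
import fnmatch

# Constructed copies of the two files from the thread (comments dropped).
SYSTEM_CONFIG = """\
Host *
Protocol 2,1
PreferredAuthentications publickey,password
Ciphers aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc,blowfish-cbc
"""
USER_CONFIG = """\
Host *
Protocol 2
PreferredAuthentications publickey
"""


def apply_config(text, host, settings):
    """Apply one ssh_config-style file to `settings` in place.

    Mirrors the rule quoted in the thread: a keyword is only taken the
    first time it is seen, so anything already present is left alone.
    Only `Host` blocks with glob patterns are modelled (no Match, no
    Include); that is all the posted files use.
    """
    active = True  # keywords before any Host line apply to every host
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            active = any(fnmatch.fnmatchcase(host, p) for p in value.split())
            continue
        if active and key not in settings:
            settings[key] = value
    return settings


def resolve(host, files):
    """Read `files` in the given order and return the effective settings."""
    settings = {}
    for text in files:
        apply_config(text, host, settings)
    return settings


if __name__ == "__main__":
    for label, order in (("system file read first", (SYSTEM_CONFIG, USER_CONFIG)),
                         ("user file read first", (USER_CONFIG, SYSTEM_CONFIG))):
        print(label, resolve("s0038021", order))
```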