Mailinglist Archive: opensuse-security (465 mails)

Re: [suse-security] Problems with OpenSSH after upgrading: private keys broken !
  • From: JW <jw@xxxxxxxxxxxxxxxxxx>
  • Date: Thu, 06 Dec 2001 12:22:39 -0600
  • Message-id: <>
At 02:51 PM 12/5/2001 -0300, you wrote:
>Who is you? me? I digress.

I presume you are referring to YOU when you say you (heh). YOU is SuSE's YaST Online Updater (Y O U) - but I presume "you" knew that and were teasing me.

>Try enabling rsa logins, etc, etc in the config file. Just a wild and crazy

You mean in /etc/ssh/sshd_config ?

It already has:

RSAAuthentication yes

I tried un-commenting the following in /etc/ssh/ssh_config (they were commented out by default):

Host *
RSAAuthentication yes
PasswordAuthentication yes
IdentityFile ~/.ssh/identity
IdentityFile ~/.ssh/id_dsa
IdentityFile ~/.ssh/id_rsa

I also changed

Protocol 1,2

to

Protocol 2,1

Because I don't want it defaulting to protocol 1.

I've tried making new keys with rsa1, rsa, and dsa. None of them work.

I'm not a pro at this. In each case I copied the contents of the .pub file to ~/.ssh/authorized_keys on the remote server - that's all I should really need to do, yes?

In case it helps any, here's the output of ssh -v:

jw@suse3:~ > ssh -v
OpenSSH_2.9.9p2, SSH protocols 1.5/2.0, OpenSSL 0x0090601f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Seeding random number generator
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 501 geteuid 501 anon 1
debug1: Connecting to [] port 22.
debug1: temporarily_use_uid: 501/100 (e=501)
debug1: restore_uid
debug1: temporarily_use_uid: 501/100 (e=501)
debug1: restore_uid
debug1: Connection established.
debug1: identity file /home/jw/.ssh/identity type -1
debug1: identity file /home/jw/.ssh/id_dsa type 2
debug1: identity file /home/jw/.ssh/id_rsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_2.3.0p1
debug1: match: OpenSSH_2.3.0p1 pat ^OpenSSH_2\.3\.0
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_2.9.9p2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client 3des-cbc hmac-md5 none
debug1: kex: client->server 3des-cbc hmac-md5 none
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 201/384
debug1: bits set: 530/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '' is known and matches the DSA host key.
debug1: Found key in /home/jw/.ssh/known_hosts:15
debug1: bits set: 488/1024
debug1: ssh_dss_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: service_accept: ssh-userauth
debug1: authentications that can continue: publickey,password
debug1: next auth method to try is publickey
debug1: try privkey: /home/jw/.ssh/identity
debug1: try pubkey: /home/jw/.ssh/id_dsa
debug1: authentications that can continue: publickey,password
debug1: try privkey: /home/jw/.ssh/id_rsa
debug1: next auth method to try is password
jw@xxxxxxxxxxxxxxxxxx's password:

I just don't understand why it's failing.

>----- Original Message -----
>From: "JW" <jw@xxxxxxxxxxxxxxxxxx>
>To: <suse-security@xxxxxxxx>
>Sent: Thursday, December 06, 2001 2:31 PM
>Subject: [suse-security] Problems with OpenSSH after upgrading: private keys broken !
>> Hello,
>> Last night I installed the OpenSSH update from YOU, and this morning I found that all our public keys don't work anymore.
>> What's worse, generating new ones doesn't work either.
>> Several of our users have been using RSA keys for months now with no problem at all, we use them for backup jobs and other things where passwords would cause a problem.
>> We tried generating new RSA keys, that didn't help.
>> We also tried generating new DSA keys, that didn't help either.
>> Has anyone else had this problem?
>> Info for the box in question:
>> Linux fluorite 2.4.0-64GB-SMP #1 SMP Wed Jan 24 15:52:30 GMT 2001 i686
>> SuSE Linux 7.1 (i386)
>> VERSION = 7.1
>> Please note I did not download and update the box by hand, I used YOU.
>> If anyone could provide me with a work-around that doesn't require entering any sort of pass phrase (remember, programs that can't type passwords need it, not humans) I'd really appreciate it.
>> Additionally, I'd like to know what caused the problem to begin with - I'm pretty surprised the upgrade broke the keys, I would think that would cause serious problems for a lot of people.
>> ----------------------------------------------------
>> Jonathan Wilson
>> System Administrator
>> Cedar Creek Software
>> Central Texas IT

Jonathan Wilson
System Administrator

Cedar Creek Software
Central Texas IT
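
Added example, not part of the original message or of OpenSSH: a Python parser for `ssh -v` client output like the log above, reporting which identity files loaded, which keys were tried, and whether the server turned the offer down before the password fallback. The name `summarize`, the outcome labels, and the reading of `type -1` as "public key not loaded" are assumptions of this example; `SAMPLE` is an excerpt of the log in the message.

```python
import re

# Excerpt of the debug lines from the ssh -v output in the message above.
SAMPLE = """\
debug1: identity file /home/jw/.ssh/identity type -1
debug1: identity file /home/jw/.ssh/id_dsa type 2
debug1: identity file /home/jw/.ssh/id_rsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_2.3.0p1
debug1: Local version string SSH-2.0-OpenSSH_2.9.9p2
debug1: authentications that can continue: publickey,password
debug1: next auth method to try is publickey
debug1: try privkey: /home/jw/.ssh/identity
debug1: try pubkey: /home/jw/.ssh/id_dsa
debug1: authentications that can continue: publickey,password
debug1: try privkey: /home/jw/.ssh/id_rsa
debug1: next auth method to try is password
"""

IDENT = re.compile(r"identity file (\S+) type (-?\d+)")
TRY = re.compile(r"try (privkey|pubkey): (\S+)")
REMOTE = re.compile(r"remote software version (\S+)")
CONTINUE = "authentications that can continue:"

def summarize(log):
    """Summarize the key-authentication steps in ssh -v client output."""
    lines = [l.split("debug1: ", 1)[-1].strip() for l in log.splitlines() if l.strip()]
    out = {"remote": None, "loaded": {}, "attempts": [], "password_fallback": False}
    for i, line in enumerate(lines):
        if m := IDENT.search(line):
            # Assumption: type -1 means the public key could not be loaded.
            out["loaded"][m.group(1)] = int(m.group(2)) != -1
        elif m := REMOTE.search(line):
            out["remote"] = m.group(1)
        elif m := TRY.search(line):
            # A failure list right after a try is the server declining that offer.
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            outcome = "server_rejected" if nxt.startswith(CONTINUE) else "no_server_reply"
            out["attempts"].append((m.group(1), m.group(2), outcome))
        elif line == "next auth method to try is password":
            out["password_fallback"] = True
    return out

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(key, "=", value)
```
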
