'password-less' logins on solaris 2.5.1 boxen - subtle troubles

From: Thomison, Lee (ThomisonL_at_ci.anchorage.ak.us)
Date: 01/14/05

    Date: Fri, 14 Jan 2005 11:20:56 -0900
    To: <secureshell@securityfocus.com>
    
    

    Trying to set up password-less keypair logins between solaris 2.5.1
    boxes. I can get them to work with some usernames, but not others. All
    using the exact same setup procedures:

    local hostname: spa1amlp
    remote hostname: adm1amlp

    username: spsy

    shell is ksh (and can't be changed)

    ------------------------------------------

    spa1amlp[spsy]> rm -rf .ssh
    spa1amlp[spsy]> ssh-keygen -t rsa -C "spsy" -N ""
    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/spsy/.ssh/id_rsa):
    Created directory '/home/spsy/.ssh'.
    Your identification has been saved in /home/spsy/.ssh/id_rsa.
    Your public key has been saved in /home/spsy/.ssh/id_rsa.pub.
    The key fingerprint is:
    73:2c:ab:d1:02:5f:81:4b:b2:02:7e:06:e4:b3:40:44 spsy
    spa1amlp[spsy]> cd .ssh
    /home/spsy/.ssh
    spa1amlp[spsy]> ssh spsy@adm1amlp mkdir .ssh
    The authenticity of host 'adm1amlp (10.70.1.10)' can't be established.
    RSA key fingerprint is b4:91:cb:1e:4d:94:ec:70:9f:cc:8b:11:21:51:40:0e.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added 'adm1amlp,10.70.1.10' (RSA) to the list of known hosts.
    spsy@adm1amlp's password:
    spa1amlp[spsy]> scp * spsy@adm1amlp:.ssh
    spsy@adm1amlp's password:
    authorized_keys      100%  214     0.0KB/s   00:00
    id_rsa               100%  887     0.0KB/s   00:00
    id_rsa.pub           100%  214     0.0KB/s   00:00
    known_hosts          100%  229     0.0KB/s   00:00
    spa1amlp[spsy]> ssh adm1amlp
    spsy@adm1amlp's password:

    Why is it still asking me for a password?

    The first username I did this on works just fine.

    These were all installed using the same sun pkg (which I put together
    here), all using the same openssl-0.9.7e (which I got from sunfreeware).

    I've diff'ed the /etc/ssh/ssh_config and the /etc/ssh/sshd_config on
    both machines; they are identical.

    -----------------------------------------------------------

    sshd_config:

    spa1amlp[spsy]> cat /etc/ssh/sshd_config
    # $OpenBSD: sshd_config,v 1.65 2003/08/28 12:54:34 markus Exp $

    # This is the sshd server system-wide configuration file. See
    # sshd_config(5) for more information.

    # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin

    # The strategy used for options in the default sshd_config shipped with
    # OpenSSH is to specify options with their default value where
    # possible, but leave them commented. Uncommented options change a
    # default value.

    Port 22
    Protocol 2
    AllowTCPForwarding yes
    X11Forwarding yes
    HostKey /usr/local/etc/ssh/ssh_host_rsa_key
    HostKey /usr/local/etc/ssh/ssh_host_dsa_key

    #Port 22
    #Protocol 2,1
    #ListenAddress 0.0.0.0
    #ListenAddress ::

    # HostKey for protocol version 1
    #HostKey /usr/local/etc/ssh/ssh_host_key
    # HostKeys for protocol version 2
    #HostKey /usr/local/etc/ssh/ssh_host_dsa_key
    #HostKey /usr/local/etc/ssh/ssh_host_rsa_key

    # Lifetime and size of ephemeral version 1 server key
    #KeyRegenerationInterval 1h
    #ServerKeyBits 768

    # Logging
    #obsoletes QuietMode and FascistLogging
    #SyslogFacility AUTH
    #LogLevel INFO

    # Authentication:

    #LoginGraceTime 2m
    #PermitRootLogin yes
    #StrictModes yes

    #RSAAuthentication yes
    #PubkeyAuthentication yes
    #AuthorizedKeysFile .ssh/authorized_keys

    # For this to work you will also need host keys in /usr/local/etc/ssh/ssh_known_hosts
    #RhostsRSAAuthentication no
    # similar for protocol version 2
    #HostbasedAuthentication no
    # Change to yes if you don't trust ~/.ssh/known_hosts for
    # RhostsRSAAuthentication and HostbasedAuthentication
    #IgnoreUserKnownHosts no
    # Don't read the user's ~/.rhosts and ~/.shosts files
    #IgnoreRhosts yes

    # To disable tunneled clear text passwords, change to no here!
    #PasswordAuthentication yes
    #PermitEmptyPasswords no

    # Change to no to disable s/key passwords
    #ChallengeResponseAuthentication yes

    # Kerberos options
    #KerberosAuthentication no
    #KerberosOrLocalPasswd yes
    #KerberosTicketCleanup yes

    # GSSAPI options
    #GSSAPIAuthentication no
    #GSSAPICleanupCreds yes

    # Set this to 'yes' to enable PAM authentication (via challenge-response)
    # and session processing. Depending on your PAM configuration, this may
    # bypass the setting of 'PasswordAuthentication'
    #UsePAM yes

    #AllowTcpForwarding yes
    #GatewayPorts no
    #X11Forwarding no
    #X11DisplayOffset 10
    #X11UseLocalhost yes
    #PrintMotd yes
    #PrintLastLog yes
    #KeepAlive yes
    #UseLogin no
    #UsePrivilegeSeparation yes
    #PermitUserEnvironment no
    #Compression yes
    #ClientAliveInterval 0
    #ClientAliveCountMax 3
    #UseDNS yes
    #PidFile /var/run/sshd.pid
    #MaxStartups 10

    # no default banner path
    #Banner /some/path

    # override default of no subsystems
    Subsystem sftp /usr/local/libexec/sftp-server

    ----------------------------------------------------------

    ssh_config:

    spa1amlp[spsy]> cat /etc/ssh/ssh_config
    # $OpenBSD: ssh_config,v 1.19 2003/08/13 08:46:31 markus Exp $

    # This is the ssh client system-wide configuration file. See
    # ssh_config(5) for more information. This file provides defaults for
    # users, and the values can be changed in per-user configuration files
    # or on the command line.

    # Configuration data is parsed as follows:
    # 1. command line options
    # 2. user-specific file
    # 3. system-wide file
    # Any configuration value is only changed the first time it is set.
    # Thus, host-specific definitions should be at the beginning of the
    # configuration file, and defaults at the end.

    # Site-wide defaults for various options

    Host *
            Port 22
            Protocol 2
            ForwardX11 yes

    # Host *
    # ForwardAgent no
    # ForwardX11 no
    # RhostsRSAAuthentication no
    # RSAAuthentication yes
    # PasswordAuthentication yes
    # HostbasedAuthentication no
    # BatchMode no
    # CheckHostIP yes
    # AddressFamily any
    # ConnectTimeout 0
    # StrictHostKeyChecking ask
    # IdentityFile ~/.ssh/identity
    # IdentityFile ~/.ssh/id_rsa
    # IdentityFile ~/.ssh/id_dsa
    # Port 22
    # Protocol 2,1
    # Cipher 3des
    # Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
    # EscapeChar ~
    spa1amlp[spsy]>

    -------------------------------------------

    Here's the ssh -vvv adm1amlp:

    spa1amlp[spsy]> ssh -vvv adm1amlp
    OpenSSH_3.7.1p2, SSH protocols 1.5/2.0, OpenSSL 0.9.7b 10 Apr 2003
    debug1: Reading configuration data /usr/local/etc/ssh/ssh_config
    debug1: Applying options for *
    debug2: ssh_connect: needpriv 0
    debug1: Connecting to adm1amlp [10.70.1.10] port 22.
    debug1: Connection established.
    debug3: Not a RSA1 key file /home/spsy/.ssh/id_rsa.
    debug2: key_type_from_name: unknown key type '-----BEGIN'
    debug3: key_read: missing keytype
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug2: key_type_from_name: unknown key type '-----END'
    debug3: key_read: missing keytype
    debug1: identity file /home/spsy/.ssh/id_rsa type 1
    debug1: identity file /home/spsy/.ssh/id_dsa type -1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_3.7.1p2
    debug1: match: OpenSSH_3.7.1p2 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_3.7.1p2
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
    debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
    debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
    debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: none,zlib
    debug2: kex_parse_kexinit: none,zlib
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit: first_kex_follows 0
    debug2: kex_parse_kexinit: reserved 0
    debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
    debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
    debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
    debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: none,zlib
    debug2: kex_parse_kexinit: none,zlib
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit: first_kex_follows 0
    debug2: kex_parse_kexinit: reserved 0
    debug2: mac_init: found hmac-md5
    debug1: kex: server->client aes128-cbc hmac-md5 none
    debug2: mac_init: found hmac-md5
    debug1: kex: client->server aes128-cbc hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug2: dh_gen_key: priv key bits set: 127/256
    debug2: bits set: 511/1024
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug3: check_host_in_hostfile: filename /home/spsy/.ssh/known_hosts
    debug3: check_host_in_hostfile: match line 1
    debug3: check_host_in_hostfile: filename /home/spsy/.ssh/known_hosts
    debug3: check_host_in_hostfile: match line 1
    debug1: Host 'adm1amlp' is known and matches the RSA host key.
    debug1: Found key in /home/spsy/.ssh/known_hosts:1
    debug2: bits set: 526/1024
    debug1: ssh_rsa_verify: signature correct
    debug2: kex_derive_keys
    debug2: set_newkeys: mode 1
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug2: set_newkeys: mode 0
    debug1: SSH2_MSG_NEWKEYS received
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug2: service_accept: ssh-userauth
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug2: key: /home/spsy/.ssh/id_rsa (67180)
    debug2: key: /home/spsy/.ssh/id_dsa (0)
    debug1: Authentications that can continue: publickey,password,keyboard-interactive
    debug3: start over, passed a different list publickey,password,keyboard-interactive
    debug3: preferred publickey,keyboard-interactive,password
    debug3: authmethod_lookup publickey
    debug3: remaining preferred: keyboard-interactive,password
    debug3: authmethod_is_enabled publickey
    debug1: Next authentication method: publickey
    debug1: Offering public key: /home/spsy/.ssh/id_rsa
    ->debug3: send_pubkey_test
    ->debug2: we sent a publickey packet, wait for reply
    ->debug1: Authentications that can continue: publickey,password,keyboard-interactive
    debug1: Trying private key: /home/spsy/.ssh/id_dsa
    debug3: no such identity: /home/spsy/.ssh/id_dsa
    debug2: we did not send a packet, disable method
    debug3: authmethod_lookup keyboard-interactive
    debug3: remaining preferred: password
    debug3: authmethod_is_enabled keyboard-interactive
    debug1: Next authentication method: keyboard-interactive
    debug2: userauth_kbdint
    debug2: we sent a keyboard-interactive packet, wait for reply
    debug1: Authentications that can continue: publickey,password,keyboard-interactive
    debug3: userauth_kbdint: disable: no info_req_seen
    debug2: we did not send a packet, disable method
    debug3: authmethod_lookup password
    debug3: remaining preferred:
    debug3: authmethod_is_enabled password
    debug1: Next authentication method: password
    spsy@adm1amlp's password:

    ---------------------------

    I've marked the lines I think point to the problem with ->, but I don't
    know what to do next.

    It looks like it takes the hostkey authentication, no problem, but when
    it sends the user's publickey, it never gets a reply back?

    It's really weird that it works on one username, but not another.

    I've verified that the uid and gid on both machines for all the
    usernames are the same. The only difference between the usernames I can
    see is the shell, but I've changed the working username's shell to ksh,
    and ssh would still connect passwordless just fine. (I changed it back
    to /bin/bash after the test.)

    Any ideas? What do I do next?

    Thanks in advance!
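One reason a server silently ignores an offered key, which is what the marked lines in the trace above show (the publickey packet is answered only with a fresh list of methods, never with an acceptance), is sshd's StrictModes check: ~/.ssh/authorized_keys, ~/.ssh and the home directory on the remote side must be owned by the user (or root) and must not be writable by group or others, and sshd reports the refusal only in its own log. The shell function below is an added example, not part of the original post, that reproduces that check for a given home directory; it assumes a POSIX sh and that `ls -ld` prints its first fields as `mode links owner group`.

```shell
# Added example (not from the original post): reproduce the ownership and
# mode checks sshd applies under "StrictModes yes" (the default) before it
# will honour ~/.ssh/authorized_keys. Assumes POSIX sh and that `ls -ld`
# prints "mode links owner group ..." as its first four fields.

# perm_ok PATH USER: return 0 when PATH exists, is owned by USER or root,
# and is not writable by group or others; otherwise print why and return 1.
perm_ok() {
    path=$1
    user=$2
    [ -e "$path" ] || { echo "MISSING: $path"; return 1; }
    set -- $(ls -ld "$path")        # $1 = mode string, $3 = owner
    mode=$1
    owner=$3
    if [ "$owner" != "$user" ] && [ "$owner" != root ]; then
        echo "BAD OWNER: $path owned by $owner, want $user"
        return 1
    fi
    # mode string is e.g. drwxrwxr-x: char 6 = group write, char 9 = other write
    case $mode in
        ?????w*|????????w*)
            echo "TOO OPEN: $path is $mode (group/other writable)"
            return 1 ;;
    esac
    return 0
}

# check_authorized_keys HOME USER: apply perm_ok to the three paths sshd
# inspects, from the key file up to the home directory. Returns 0 only if
# all three pass, so the exit status can drive a script.
check_authorized_keys() {
    home=$1
    user=$2
    rc=0
    for p in "$home/.ssh/authorized_keys" "$home/.ssh" "$home"; do
        perm_ok "$p" "$user" || rc=1
    done
    [ "$rc" -eq 0 ] && echo "OK: $home/.ssh/authorized_keys is usable by sshd"
    return "$rc"
}
```

Run it on the remote host as `check_authorized_keys /home/spsy spsy`; note that the scp in the post also copied the private key id_rsa to adm1amlp, where only the public half belongs (in authorized_keys). The trace also shows the client reading /usr/local/etc/ssh/ssh_config, not the /etc/ssh copy the post compares between the two machines.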