Re: Solaris 9 SSH: HostbasedAuthentication?

From: Jan-Philip Velders (jpv@jpv.xs4all.nl)
Date: 06/28/02


Date: Fri, 28 Jun 2002 01:59:37 +0200 (CEST)
From: Jan-Philip Velders <jpv@jpv.xs4all.nl>
To: focus-sun@securityfocus.com


> Date: Tue, 25 Jun 2002 17:29:45 +0200
> From: Sean Boran <sean@boran.com>
> To: focus-sun@securityfocus.com
> Subject: Solaris 9 SSH: HostbasedAuthentication?

> I thought Sun's SSH was based on OpenSSH, but it refuses to accept
> the option:

it's based on it, though it's not clear which version (or
modifications, see my post earlier to the list)

> HostbasedAuthentication yes
> in sshd_config. Which is used for protocol v2 Rsa/DSA+.shosts
> authentication.

In the stock /etc/ssh/sshd_config on Solaris 9 the only
.shosts/.rhosts stuff I can find pertains to SSHv1:
# SSH protocol v1 specific options
#
# The following options only apply to the v1 protocol and provide
# some form of backwards compatibility with the very weak security
# of /usr/bin/rsh. Their use is not recommended and the functionality
# will be removed when support for v1 protocol is removed.

# Should sshd use .rhosts and .shosts for password less authentication.
IgnoreRhosts yes
RhostsAuthentication no

# Rhosts RSA Authentication
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts.
# If the user on the client side is not root then this won't work on
# Solaris since /usr/bin/ssh is not installed setuid.
RhostsRSAAuthentication no

# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication.
#IgnoreUserKnownHosts yes

# Is pure RSA authentication allowed.
# Default is yes
RSAAuthentication yes

I'm gathering that the OpenSSH version it's based on didn't have
HostBased authentication for SSHv2... (though it luckily *did* contain
sftp)

> Does anyone know if Sun use another directive or have simply cut
> out that code? If Sun have cut it out, what else is removed? Are
> there any docs?

I think SUN added code to have all the limits and stuff enforced (via
PAM probably). That was one of the drawbacks of using OpenSSH, you
only had full Solaris auditing (and other stuff) when letting
/bin/login handle the actual login... And we all remember the CERT
advisory on that one...

Kind Regards,
JP Velders
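
Added example, not part of the original post and not Sun's or OpenSSH's code: a small audit that reports which of the rhosts/.shosts trust directives discussed above are effectively enabled in an sshd_config. It assumes keywords are case-insensitive and that the first occurrence of a keyword wins, as OpenSSH documents; this is not verified against Sun's SSH. The names TRUST_SETTINGS, effective_settings, audit and SAMPLE are hypothetical.

```python
# Added example: audit an sshd_config for rsh-style host trust settings.
# Assumption: keywords are case-insensitive and the first occurrence of a
# keyword wins (OpenSSH's documented behaviour; unverified for Sun's SSH).
# Directives that are absent fall back to version-dependent defaults and
# are deliberately not judged here.

# keyword (lowercase) -> value that enables or widens host-based trust
TRUST_SETTINGS = {
    "ignorerhosts": "no",
    "rhostsauthentication": "yes",
    "rhostsrsaauthentication": "yes",
    "hostbasedauthentication": "yes",
}

def effective_settings(config_text):
    """Return {keyword: (value, line_number)}, keeping the first occurrence."""
    settings = {}
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(keyword, (value, lineno))
    return settings

def audit(config_text):
    """Return sorted (line_number, keyword, value) for enabled trust settings."""
    settings = effective_settings(config_text)
    findings = []
    for keyword, risky_value in TRUST_SETTINGS.items():
        if keyword in settings:
            value, lineno = settings[keyword]
            if value.lower() == risky_value:
                findings.append((lineno, keyword, value))
    return sorted(findings)

# Constructed sample, not a real host's configuration.
SAMPLE = """\
# SSH protocol v1 specific options
IgnoreRhosts no
RhostsAuthentication no
RhostsRSAAuthentication yes
rhostsrsaauthentication no
HostbasedAuthentication yes
RSAAuthentication yes
"""

if __name__ == "__main__":
    for lineno, keyword, value in audit(SAMPLE):
        print(f"line {lineno}: {keyword} {value}")
```

Run against the stock values quoted in the post (IgnoreRhosts yes, RhostsAuthentication no, RhostsRSAAuthentication no), the audit returns no findings.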


