After upgrading our machines (all running RedHat Linux 7.1) to OpenSSH 3.4p1, connections using RhostsRSAAuthentication seem to be impossible. ssh does not even try this mode of authentication, even when it is the only one enabled in the configuration file.

This is my ssh_config:

    Host *
        ForwardX11 yes
        Protocol 1,2
        RhostsAuthentication no
        RhostsRSAAuthentication yes
        HostbasedAuthentication yes
        RSAAuthentication no
        PasswordAuthentication no

And this is my sshd_config:

    IgnoreUserKnownHosts yes
    X11Forwarding yes
    RhostsAuthentication no
    RhostsRSAAuthentication yes
    HostbasedAuthentication no
    RSAAuthentication yes
    PasswordAuthentication yes
    PermitEmptyPasswords no
    ChallengeResponseAuthentication no
    Subsystem sftp /usr/libexec/openssh/sftp-server

Finally, the output of running "ssh -v chinon" (chinon being the name of a computer) between two machines with identical ssh configurations and which are in each other's "known hosts" list:

    OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090600f
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Applying options for *
    debug1: Rhosts Authentication disabled, originating port will not be trusted.
    debug1: ssh_connect: needpriv 0
    debug1: Connecting to chinon [163.9.6.107] port 22.
    debug1: Connection established.
    debug1: identity file /users1/hinsen/.ssh/identity type 0
    debug1: identity file /users1/hinsen/.ssh/id_rsa type -1
    debug1: identity file /users1/hinsen/.ssh/id_dsa type -1
    debug1: Remote protocol version 1.99, remote software version OpenSSH_3.4p1
    debug1: match: OpenSSH_3.4p1 pat OpenSSH*
    debug1: Local version string SSH-1.5-OpenSSH_3.4p1
    debug1: Waiting for server public key.
    debug1: Received server public key (768 bits) and host key (1024 bits).
    debug1: Host 'chinon' is known and matches the RSA1 host key.
    debug1: Found key in /etc/ssh/ssh_known_hosts:3
    debug1: Encryption type: 3des
    debug1: Sent encrypted session key.
    debug1: cipher_init: set keylen (16 -> 32)
    debug1: cipher_init: set keylen (16 -> 32)
    debug1: Installing crc compensation attack detector.
    debug1: Received encrypted confirmation.
    Permission denied.
    debug1: Calling cleanup 0x80651d0(0x0)
ssh is by default not set-uid root. Re-open if this is the cause.

    RhostsRSAAuthentication
        Specifies whether to try rhosts based authentication with RSA host
        authentication. The argument must be ``yes'' or ``no''. The default
        is ``no''. This option applies to protocol version 1 only and
        requires ssh to be setuid root.
When PrivilegeSeparation is enabled, RhostsRSAAuthentication seems to look up the connecting host in the known_hosts file by IP address rather than by name. The tests below were run as root on the client side, so setuid is not an issue.

With UsePrivilegeSeparation=yes, sshd -d -d -d reports:

    [...]
    debug1: Attempting authentication for root.
    debug3: mm_auth_password entering
    debug3: mm_request_send entering: type 10
    debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
    debug3: mm_request_receive_expect entering: type 11
    debug3: mm_request_receive entering
    debug2: monitor_read: 6 used once, disabling now
    debug3: mm_request_receive entering
    debug3: monitor_read: checking request 10
    debug3: mm_answer_authpassword: sending result 0
    debug3: mm_request_send entering: type 11
    debug3: mm_auth_password: user not authenticated
    Failed none for root from 128.100.2.31 port 56036
    debug3: mm_request_receive entering
    debug1: Trying rhosts with RSA host authentication for client user root
    debug3: Trying to reverse map address 128.100.2.31.
    debug1: Rhosts RSA authentication: canonical host 128.100.2.31
    debug3: mm_key_allowed entering
    debug3: mm_request_send entering: type 20
    debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
    debug3: mm_request_receive_expect entering: type 21
    debug3: mm_request_receive entering
    debug3: monitor_read: checking request 20
    debug3: mm_answer_keyallowed entering
    debug3: mm_answer_keyallowed: key_from_blob: 1414a0
    debug3: Trying to reverse map address 128.100.2.31.
    debug2: auth_rhosts2: clientuser root hostname jane.cs ipaddr 128.100.2.31
    debug1: temporarily_use_uid: 0/1 (e=0/1)
    debug1: restore_uid: 0/1
    debug1: temporarily_use_uid: 0/1 (e=0/1)
    debug1: restore_uid: 0/1
    debug3: check_host_in_hostfile: filename /usr/slocal/etc/ssh_known_hosts
    debug1: temporarily_use_uid: 0/1 (e=0/1)
    debug3: check_host_in_hostfile: filename /.ssh/known_hosts
    debug1: restore_uid: 0/1
    debug2: check_key_in_hostfiles: key not found for 128.100.2.31
    debug3: mm_answer_keyallowed: key 1414a0 is disallowed
    debug3: mm_append_debug: Appending debug messages for child
    debug3: mm_request_send entering: type 21
    debug3: mm_send_debug: Sending debug: Accepted by .rhosts.
    debug3: mm_send_debug: Sending debug: Accepted host jane.cs ip 128.100.2.31 client_user root server_user root
    debug1: Rhosts with RSA host authentication denied: unknown or invalid host key
    Failed rhosts-rsa for root from 128.100.2.31 port 56036 ruser root

With UsePrivilegeSeparation=no:

    [...]
    debug1: Attempting authentication for root.
    debug1: Trying rhosts with RSA host authentication for client user root
    debug3: Trying to reverse map address 128.100.2.31.
    debug1: Rhosts RSA authentication: canonical host jane.cs
    debug2: auth_rhosts2: clientuser root hostname jane.cs ipaddr 128.100.2.31
    debug1: temporarily_use_uid: 0/1 (e=0/1)
    debug1: restore_uid: 0/1
    debug1: temporarily_use_uid: 0/1 (e=0/1)
    debug1: restore_uid: 0/1
    debug3: check_host_in_hostfile: filename /usr/slocal/etc/ssh_known_hosts
    debug3: check_host_in_hostfile: match line 11
    debug2: check_key_in_hostfiles: key ok for jane.cs
    Rhosts with RSA host authentication accepted for root, root on jane.cs.
    Accepted rhosts-rsa for root from 128.100.2.31 port 56048 ruser root

The first case fails and the second succeeds, because the sshd_known_hosts file contains an entry for *.cs but not for 128.100.2.31.
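The failing lookup in the privsep log (`check_key_in_hostfiles: key not found for 128.100.2.31`) comes down to how sshd matches the canonical host it was handed against the first field of each known_hosts line. The Python below is an added example that re-implements that matching; it is not OpenSSH's own code. The known_hosts contents, the key strings and the hash salt are constructed for the demonstration. It goes a little beyond the thread by also handling negated patterns and the hashed `|1|salt|hmac` host entries that later OpenSSH releases can write, and it shows that listing the IP next to the name pattern (`*.cs,128.100.2.31`) makes the privsep-style lookup succeed.

```python
import base64
import hashlib
import hmac

# Constructed sample key material (not real keys, never decoded).
HOST_KEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDexampleblob="
RSA1_KEY = "1024 35 137216245913215419"   # RSA1 lines are "bits e n"


def hashed_hostfield(host, salt=b"\x01" * 20):
    """Build a hashed known_hosts host field: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


# Constructed sample file. Line 1 mirrors the thread: a wildcard entry for *.cs
# and nothing for the bare address 128.100.2.31.
KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts",
    "*.cs " + HOST_KEY,
    "!old.lab,*.lab " + RSA1_KEY,
    hashed_hostfield("hashed.example") + " " + HOST_KEY,
])


def match_pattern(s, p):
    """OpenSSH-style glob: '*' matches any run, '?' one character, no [] classes."""
    if not p:
        return s == ""
    if p[0] == "*":
        p = p.lstrip("*")
        if not p:
            return True
        return any(match_pattern(s[i:], p) for i in range(len(s) + 1))
    if not s or (p[0] != "?" and p[0] != s[0]):
        return False
    return match_pattern(s[1:], p[1:])


def match_hostname(host, patterns):
    """Comma-separated pattern list, case-insensitive, leading '!' negates.
    Returns 1 on a positive match, -1 on a negated match, 0 on no match."""
    host = host.lower()
    matched = 0
    for pat in patterns.lower().split(","):
        negate = pat.startswith("!")
        pat = pat[1:] if negate else pat
        if pat and match_pattern(host, pat):
            if negate:
                return -1
            matched = 1
    return matched


def host_matches(host, hostfield):
    """Match one known_hosts host field, plain pattern list or hashed form."""
    if hostfield.startswith("|1|"):
        _, _, salt_b64, mac_b64 = hostfield.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return match_hostname(host, hostfield) == 1


def check_host_in_hostfile(hostfile, host, key):
    """Mimic sshd's lookup: HOST_OK if a line matching host carries key,
    HOST_CHANGED if a line matches with another key, HOST_NEW otherwise."""
    result = "HOST_NEW"
    for line in hostfile.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        if not host_matches(host, fields[0]):
            continue
        # RSA1: "bits e n"; SSH2: "type blob [comment]" (comment ignored)
        line_key = " ".join(fields[1:4] if fields[1].isdigit() else fields[1:3])
        if line_key == key:
            return "HOST_OK"
        result = "HOST_CHANGED"
    return result


def demo():
    """The two lookups from the thread (canonical host as name vs. as IP),
    plus the same IP lookup against an entry that also lists the address."""
    return {
        "jane.cs": check_host_in_hostfile(KNOWN_HOSTS, "jane.cs", HOST_KEY),
        "128.100.2.31": check_host_in_hostfile(KNOWN_HOSTS, "128.100.2.31", HOST_KEY),
        "fixed": check_host_in_hostfile("*.cs,128.100.2.31 " + HOST_KEY,
                                        "128.100.2.31", HOST_KEY),
    }


if __name__ == "__main__":
    for host, status in demo().items():
        print("%-14s %s" % (host, status))
```

A `*.cs` pattern can only ever match a name, so once the monitor is handed the address instead of the reverse-mapped name there is nothing for it to match; if the server may present the canonical host in either form, the known_hosts entry needs both, as in the `fixed` case above.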
Hostbased was broken for some of the earlier privsep releases; this should have been fixed ages ago. Reopen if this is not the case.
Mass change of RESOLVED bugs to CLOSED