06-13-2008, 12:14 PM
"Wojciech Ziniewicz"

openssh public key (after upgrade) problem

Hello,
in response to DSA-1571 I've upgraded almost all of my servers.

But one server is acting strange.. I cannot use my key-auth anymore..

After upgrading, its openssh server generated a pair of non-vulnerable
keys, then on my client computers that authenticate on this server
I've deleted the server's entry from known_hosts. Then I've uploaded
new id_rsa.pub's on the upgraded server (not sure if it was
necessary).
Everything should be done clearly, BUT ...

1. Node authenticating on the upgraded server gets something like
that (after deletion of .ssh/known_hosts, also there should be no
password):


brama ~ # ssh -p 60200 my.server.dot.com -l wojtek
The authenticity of host '[my.server.dot.com]:60200 ([x.x.x.x]:60200)'
can't be established. <<<<< why ?
RSA key fingerprint is f5:76:cf:6c:81:XX:XX:74:92:52:18:7f:ff:10:b5:2d.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[my.server.dot.com]:60200,[x.x.x.x]:60200'
(RSA) to the list of known hosts.
wojtek@my.server.dot.com's password:

^^^^ WTF ?


2. Second node (also with .ssh/known_hosts erased) gets something else:

root@hlds:/# ssh -p 60200 root@my.server.dot.com
root@my.server.dot.com's password:

So only password prompt, without any auth errors.

2a) the same with verbosity:


root@hlds:/# ssh -vp 60200 root@my.server.dot.com
OpenSSH_4.3p2 Debian-9, OpenSSL 0.9.8c 05 Sep 2006
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to my.server.dot.com [x.x.x.x] port 60200.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type 1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version
OpenSSH_4.3p2 Debian-9etch2
debug1: match: OpenSSH_4.3p2 Debian-9etch2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3p2 Debian-9
debug1: Miscellaneous failure
No credentials cache found

debug1: Miscellaneous failure
No credentials cache found

debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'ids.cebit.com.pl' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:4
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: Offering public key: /root/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Next authentication method: password
root@my.server.dot.com's password:


I've erased all the keys several times and started from the beginning
but with no effect..

help appreciated

Wojtek




--
Wojciech Ziniewicz
Unix SEX :{look;gawk;find;sed;talk;grep;touch;finger;find;flex;unzip;head;tail;mount;workbone;fsck;yes;gasp;fsck;more;yes;yes;eject;umount;makeclean;zip;split;done;exit:xargs!!}


--
To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
06-13-2008, 12:21 PM
Adam McGreggor

openssh public key (after upgrade) problem

On Fri, Jun 13, 2008 at 02:14:43PM +0200, Wojciech Ziniewicz wrote:
> Hello,
> in response to DSA-1571 I've upgraded almost all of my servers.
>
> But one server is acting strange.. I cannot use my key-auth anymore..
>
> After upgrading, its openssh server generated a pair of non-vulnerable
> keys, then on my client computers that authenticate on this server
> I've deleted the server's entry from known_hosts. Then I've uploaded
> new id_rsa.pub's on the upgraded server (not sure if it was
> necessary).
> Everything should be done clearly, BUT ...
>
> 1. Node authenticating on the upgraded server gets something like
> that (after deletion of .ssh/known_hosts, also there should be no
> password):
>

If the key-auth's working...

[...]

> 2a) the same with verbosity :
>
>
> root@hlds:/# ssh -vp 60200 root@my.server.dot.com
> OpenSSH_4.3p2 Debian-9, OpenSSL 0.9.8c 05 Sep 2006
[...]

> debug1: Authentications that can continue: publickey,password
> debug1: Next authentication method: publickey
> debug1: Trying private key: /root/.ssh/identity
> debug1: Offering public key: /root/.ssh/id_rsa
> debug1: Authentications that can continue: publickey,password
> debug1: Trying private key: /root/.ssh/id_dsa

So publickey's not being used.

> debug1: Next authentication method: password
> root@my.server.dot.com's password:
>
> I've erased all the keys several times and started from the beggining
> but with no effect..
>
> help appreciated

Checking the perms on /root/.ssh/* would be my starting point.


 
06-13-2008, 01:09 PM
Marek Podmaka

openssh public key (after upgrade) problem

Hello,

Friday, June 13, 2008, 14:21:39, Adam McGreggor wrote:

> Checking the perms on /root/.ssh/* would be my starting point.

Also ssh should log to syslog the reason why the key was refused.

Is the key you are trying to use not vulnerable? Because the SSH
daemon was updated to refuse when someone tries to authenticate
using a vulnerable key.




--
bYE, Marki


 
06-14-2008, 11:03 AM
"Andrew M.A. Cater"

openssh public key (after upgrade) problem

On Fri, Jun 13, 2008 at 02:14:43PM +0200, Wojciech Ziniewicz wrote:
> Hello,
> in response to DSA-1571 I've upgraded almost all of my servers .
>
> But one server is acting strange.. I cannot use my key-auth anymore..
>

I have a similar problem - openssh appears to be started, but may not be
running. Everything trying to connect gets connection refused.

There is an error message seen on the console when you're
sitting directly at the machine, something like "requires newpriv 0", as
connections fail (when you're running sshd with -vvv) - unfortunately
that server is elsewhere - and I can't ssh in to see the messages.

Server is etch, upgraded over a long time and last upgraded with the
contents of the released DVDs for Debian 4.0r3 - I can't get to
debian.security and can't remember whether these DVDs included the
openssl and ssh fixes.

In an effort to track this down, I did aptitude remove openssh-server,
dpkg --purge openssh-server and then reinstalled openssh-server but to
no effect.

Posted to this list primarily because I saw Wojciech's similar posting
immediately prior. All help on both these issues would be appreciated.

Andy


 
06-15-2008, 04:21 PM
"Wojciech Ziniewicz"

openssh public key (after upgrade) problem

2008/6/14 Andrew M.A. Cater <amacater@galactic.demon.co.uk>:
> Posted to this list primarily because I saw Wojciech's similar posting
> immediately prior. All help on both these issues would be appreciated
Hi again,

FIXED - the problem was faulty id_rsa.pub on my clients. Didn't know
that DSA is that "restrictive".

Now everything works fine - it took about 2 days to upgrade all the
machines. I have also some gentoo machines - there was no problem
with upgrade and stuff.

regards
wojtek

p.s. andy - I don't think that you have a similar problem because I did
not receive "connection refused" but only a password prompt (which I
should not get). The only thing I can suppose is causing your problem is
a dependencies mismatch or something.

regards once more
Wojtek

 
06-16-2008, 03:03 PM
Steve Haavik

openssh public key (after upgrade) problem

On Sun, 15 Jun 2008, Wojciech Ziniewicz wrote:

> FIXED - the problem was faulty id_rsa.pub on my clients. Didn't know
> that DSA is that "restrictive"

I had a similar problem on a few machines. I was having to copy my new key
in twice to get it to work. Turned out that one of the other admins didn't
put in a return at the end of his key when he copied it, so my new key was
just getting appended to the end of his.



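Steve's symptom (two keys glued onto one line because the earlier entry was pasted without a trailing newline) and Wojciech's "faulty id_rsa.pub" are both things a quick lint of authorized_keys would have surfaced before anyone spent two days on it. The script below is an added example, not code from the thread: it walks each entry, flags lines that carry more than one key, and checks that the base64 blob decodes and declares the same key type as its text prefix (the first length-prefixed field inside an OpenSSH public-key blob). The sample file and the tiny RSA blob are constructed for the demonstration and are not real keys.

```python
import base64
import re
import struct
# An authorized_keys entry: key type, whitespace, base64 blob (options/comment may surround it)
KEY_RE = re.compile(r"(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp\d+)\s+([A-Za-z0-9+/]+=*)")

def build_blob(key_type, *fields):
    # Constructed OpenSSH public-key blob: every field is a uint32-length-prefixed string
    parts = [key_type.encode()] + list(fields)
    return b"".join(struct.pack(">I", len(p)) + p for p in parts)

def blob_key_type(b64):
    # Decode the blob and return the key type it declares in its first field
    raw = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", raw[:4])            # struct.error if fewer than 4 bytes
    if len(raw) < 4 + n:
        raise ValueError("truncated blob")
    return raw[4:4 + n].decode("ascii", errors="replace")

def check_authorized_keys(text):
    # Return (line number, problem) for every entry sshd would reject or misparse
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        matches = list(KEY_RE.finditer(s))
        if not matches:
            problems.append((lineno, "no recognised key type"))
        elif len(matches) > 1:
            # two keys glued together: the earlier entry was pasted without a trailing newline
            problems.append((lineno, "multiple keys on one line"))
        else:
            key_type, b64 = matches[0].groups()
            try:
                declared = blob_key_type(b64)
            except (ValueError, struct.error) as exc:
                problems.append((lineno, f"blob does not decode: {exc}"))
                continue
            if declared != key_type:
                problems.append((lineno, f"blob is {declared!r}, line says {key_type!r}"))
    return problems
# Constructed sample (not real keys): a fake RSA blob with a tiny exponent and modulus
_RSA_BLOB = base64.b64encode(build_blob("ssh-rsa", b"\x01\x00\x01", b"\x00\xc5" + b"\x7a" * 14)).decode()
SAMPLE = (
    f"ssh-rsa {_RSA_BLOB} admin@oldhost"       # no newline here: the next key lands on this line
    f"ssh-rsa {_RSA_BLOB} wojtek@brama\n"
    f"ssh-dss {_RSA_BLOB} user@host\n"         # type prefix says DSA, blob says RSA
    f"ssh-rsa {_RSA_BLOB} ok@host\n"           # fine
)
```

Running `check_authorized_keys(open("~/.ssh/authorized_keys").read())` on a real file reports the glued line and the mismatched entry; the valid entry produces nothing.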
 
06-21-2008, 10:53 AM
"Andrew M.A. Cater"

openssh public key (after upgrade) problem

Fixed. The machine had moved subnets so changed IP address. Buried in
/etc/ssh/sshd_config was the answer: I'd carefully been security aware
and set the machine ListenAddress to its actual IP address i.e.

ListenAddress 192.168.1.2
Protocol 2

Two years or so later, I'd forgotten all about this. Once I'd brought
in the latest Debian OpenSSL and the OpenSSH which incorporates
blacklisting, I regenerated all my keys and then checked the sshd
config. Change to the actual IP address now:

ListenAddress 192.168.10.1

and all was well - users could log in again. The hard bit was working
out why SSH was effectively "one way" when the machine could SSH
outwards fine.

You live and learn, so I thought I'd document this here so that other
people can find it easily.

AndyC


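A check for Andy's failure mode, added here and not taken from the thread: it reads the ListenAddress lines out of an sshd_config and reports every literal address the host no longer owns, which is exactly what sshd cannot bind after a subnet move and why inbound connections were refused while outbound ssh still worked. The config fragment and the local address list are constructed to mirror the post; on a real host you would pass the addresses of the host's interfaces.

```python
import ipaddress

def parse_listen_addresses(config_text):
    # Collect the hosts named by ListenAddress lines (forms: addr, addr:port, [ipv6]:port)
    hosts = []
    for line in config_text.splitlines():
        s = line.split("#", 1)[0].strip()
        parts = s.split(None, 1)
        if len(parts) != 2 or parts[0].lower() != "listenaddress":
            continue
        value = parts[1].strip()
        if value.startswith("["):                 # [ipv6]:port
            host = value[1:value.index("]")]
        elif value.count(":") == 1:               # ipv4:port or host:port
            host = value.split(":", 1)[0]
        else:                                     # bare ipv4, hostname, or bare ipv6
            host = value
        hosts.append(host)
    return hosts

def unbindable_listen_addresses(config_text, local_addrs):
    # ListenAddress entries that are literal IPs this host does not own; sshd cannot bind them
    local = {ipaddress.ip_address(a) for a in local_addrs}
    bad = []
    for host in parse_listen_addresses(config_text):
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue                              # hostname: sshd resolves it, not checked here
        if not ip.is_unspecified and ip not in local:
            bad.append(host)
    return bad

# Constructed sshd_config fragment mirroring the post: the host has since moved subnets
SSHD_CONFIG = """\
ListenAddress 192.168.1.2
Protocol 2
"""
# Constructed list of the host's current interface addresses (what `ip addr` would report)
LOCAL_ADDRS = ["127.0.0.1", "192.168.10.1"]
```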
 
