SSH upgrade to ver 4.4 on OBSD 3.9 stable broke key auth

SSH upgrade to ver 4.4 on OBSD 3.9 stable broke key auth

Sjöholm Per-Olov
After I upgraded to 3.9 stable from Oct 10, SSH key login no longer works.

All my servers stopped working with SSH key logins, with the result that all my
rsync automated backups gave up. This happened after my last upgrade on October
10, where I did a full source update of my 3.9 stable. I could however still
log in with any account where I use passwords. Both source and target SSH were
OpenBSD 3.9 from October 10. And as said, it happened on six servers at the
same time. The only thing that could have caused this is that this update
contained the new OpenSSH 4.4.

I think the thread "Cannot login into OpenSSH after applying patch
020_ssh2.patch to OpenBSD 3.8 stable" is not the same problem. Or is it?
Well... the fix for that thread's problem was "cd /usr/src/usr.bin/ssh &&
make obj depend && make && make install". And that does not help here....
Apart from that, the result is EXACTLY the same as the referenced thread.

Login with keys from a patched 3.9 system to a non patched system (ssh 4.4
against 4.3) still works...

Any clues?

Thanks in advance
Per-Olov

Re: SSH upgrade to ver 4.4 on OBSD 3.9 stable broke key auth

Sjöholm Per-Olov
On Tuesday 17 October 2006 01:07, you wrote:

> After I upgraded to 3.9 stable from Oct 10 SSH key login no longer work.
>
> All my servers stopped working with SSH key logins with the result that all
> my rsync automated backups gave up. This happened after my last upgrade
> October 10, where I did a full source update of my 3.9 stable. I could
> however still login with any account where I use passwords. Both source and
> target SSH was OpenBSD and 3.9 from October 10. And as said it happened on
> six server at the same time. The only thing that could have caused this is
> that this update contained the new OpenSSH 4.4.
>
> I think the thread "
> Cannot login into OpenSSH after applying patch 020_ssh2.patch to OpenBSD
> 3.8 stable" is not the same problem. Or is it? Well... the fix for that
> thread problem was "cd /usr/src/usr.bin/ssh && make obj depend && make &&
> make install". And that does not help here.... Apart from that, the result
> is EXACTLY the same as the referenced thread.
>
> Login with keys from a patched 3.9 system to a non patched system (ssh 4.4
> against 4.3) still works...
>
> Any clues?
>
> Thanks in advance
> Per-Olov

Will add some output of a verbose login as well.....
(name and IP changed)

This worked on all six servers before the 3.9 STABLE update that changed
OpenSSH to 4.4. And after the stable update all key logins are broken and
only password login works.


root@xanadu:~#ssh -v [hidden email]

OpenSSH_4.4, OpenSSL 0.9.7g 11 Apr 2005
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to MYSERVER.MYDOMAIN.COM [1.1.1.1] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type 2
debug1: Remote protocol version 1.99, remote software version OpenSSH_4.4
debug1: match: OpenSSH_4.4 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.4
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'MYSERVER.MYDOMAIN.COM' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:3
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue:
publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Offering public key: /root/.ssh/id_dsa
debug1: Server accepts key: pkalg ssh-dss blen 1585
debug1: read PEM private key done: type DSA
debug1: Authentications that can continue:
publickey,password,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
Connection closed by 1.1.1.1


/Per-Olov

Re: SSH upgrade to ver 4.4 on OBSD 3.9 stable broke key auth

Otto Moerbeek
On Tue, 17 Oct 2006, Per-Olov Sjöholm wrote:

> On Tuesday 17 October 2006 01:07, you wrote:
> > After I upgraded to 3.9 stable from Oct 10 SSH key login no longer work.
> >
> > All my servers stopped working with SSH key logins with the result that all
> > my rsync automated backups gave up. This happened after my last upgrade
> > October 10, where I did a full source update of my 3.9 stable. I could
> > however still login with any account where I use passwords. Both source and
> > target SSH was OpenBSD and 3.9 from October 10. And as said it happened on
> > six server at the same time. The only thing that could have caused this is
> > that this update contained the new OpenSSH 4.4.
> >
> > I think the thread "
> > Cannot login into OpenSSH after applying patch 020_ssh2.patch to OpenBSD
> > 3.8 stable" is not the same problem. Or is it? Well... the fix for that
> > thread problem was "cd /usr/src/usr.bin/ssh && make obj depend && make &&
> > make install". And that does not help here.... Apart from that, the result
> > is EXACTLY the same as the referenced thread.
> >
> > Login with keys from a patched 3.9 system to a non patched system (ssh 4.4
> > against 4.3) still works...
> >
> > Any clues?
> >
> > Thanks in advance
> > Per-Olov
>
> Will add some output of a verbose login as well.....
> (name and IP changed)
>
> This worked on all six servers before the 3.9 STABLE update that changed
> OpenSSH to 4.4. And after the stable update all key logins are broken and
> only password login works.

It could be you forgot the make depend.
To rule out bad dependencies, run make cleandir first and then try again.

        -Otto

>
>
> root@xanadu:~#ssh -v [hidden email]
>
> OpenSSH_4.4, OpenSSL 0.9.7g 11 Apr 2005
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Connecting to MYSERVER.MYDOMAIN.COM [1.1.1.1] port 22.
> debug1: Connection established.
> debug1: permanently_set_uid: 0/0
> debug1: identity file /root/.ssh/identity type -1
> debug1: identity file /root/.ssh/id_rsa type -1
> debug1: identity file /root/.ssh/id_dsa type 2
> debug1: Remote protocol version 1.99, remote software version OpenSSH_4.4
> debug1: match: OpenSSH_4.4 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_4.4
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug1: kex: server->client aes128-cbc hmac-md5 none
> debug1: kex: client->server aes128-cbc hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> debug1: Host 'MYSERVER.MYDOMAIN.COM' is known and matches the RSA host key.
> debug1: Found key in /root/.ssh/known_hosts:3
> debug1: ssh_rsa_verify: signature correct
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug1: SSH2_MSG_NEWKEYS received
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug1: Authentications that can continue:
> publickey,password,keyboard-interactive
> debug1: Next authentication method: publickey
> debug1: Trying private key: /root/.ssh/identity
> debug1: Trying private key: /root/.ssh/id_rsa
> debug1: Offering public key: /root/.ssh/id_dsa
> debug1: Server accepts key: pkalg ssh-dss blen 1585
> debug1: read PEM private key done: type DSA
> debug1: Authentications that can continue:
> publickey,password,keyboard-interactive
> debug1: Next authentication method: keyboard-interactive
> Connection closed by 1.1.1.1
>
>
> /Per-Olov

Re: SSH upgrade to ver 4.4 on OBSD 3.9 stable broke key auth

Maxim Bourmistrov
In reply to this post by Sjöholm Per-Olov
Well, I did a cvsup (no manual patching). With cvsup came openssl patches too.
So I, personally, compiled/installed openssl first, then continued with openssh.
I do set up an extra instance of sshd/telnet before any major upgrade.
I did the same with openssh as you - make clean obj depend, etc.
Works well here with keys from -current boxes.

On Tuesday 17 October 2006 01:07, Per-Olov Sjöholm wrote:

> After I upgraded to 3.9 stable from Oct 10 SSH key login no longer work.
>
> All my servers stopped working with SSH key logins with the result that all my
> rsync automated backups gave up. This happened after my last upgrade October
> 10, where I did a full source update of my 3.9 stable. I could however still
> login with any account where I use passwords. Both source and target SSH was
> OpenBSD and 3.9 from October 10. And as said it happened on six server at the
> same time. The only thing that could have caused this is that this update
> contained the new OpenSSH 4.4.
>
> I think the thread "
> Cannot login into OpenSSH after applying patch 020_ssh2.patch to OpenBSD 3.8
> stable" is not the same problem. Or is it? Well... the fix for that thread
> problem was "cd /usr/src/usr.bin/ssh && make obj depend && make && make
> install". And that does not help here.... Apart from that, the result is
> EXACTLY the same as the referenced thread.
>
> Login with keys from a patched 3.9 system to a non patched system (ssh 4.4
> against 4.3) still works...
>
> Any clues?
>
> Thanks in advance
> Per-Olov

Re: SSH upgrade to ver 4.4 on OBSD 3.9 stable broke key auth

Sjöholm Per-Olov
Don't really like top posts...

You did not do any manual patching, but compiled openssl separately?? ;-)


Well. Why should I compile and install openssl first when I do a total cvs
stable update. And we use STABLE for production. And I expect stable to
work... ;-)

Wouldn't the following be sufficient? It should be... Don't you think? It
usually is....

--snip--
cd /usr
export CVSROOT="[hidden email]:/cvs"
cvs -z5 -q get -rOPENBSD_3_9 -P src
cd /usr/src/sys/arch/i386/conf
config GENERIC
cd ../compile/GENERIC
make clean && make depend && make
mv /bsd /bsd.old
cp bsd /
reboot
cd /usr/src
rm -r /usr/obj/*
make obj && make build
reboot
--snip--


-current is not an option on the production servers. We update OpenBSD servers
once every year (i.e not every new release) with a new release and do the
above updates in between if needed....



It is not fair to compare -current with -stable; the versions of the included
components might not even be the same!

Regards
/Per-Olov

On Tuesday 17 October 2006 09:44, Maxim Bourmistrov wrote:

> Well, I did a cvsup (no manual patching). With cvsup came openssl patches
> too. So I, personly , compiled/installed openssl first, then continued with
> openssh. I do setup extra instance of sshd/telnet before any major upgrade.
> I did the same with openssh as you - make clean obj depend , etc.
> Works well here with keys from -current boxes.
>
> On Tuesday 17 October 2006 01:07, Per-Olov Sjvholm wrote:
> > After I upgraded to 3.9 stable from Oct 10 SSH key login no longer work.
> >
> > All my servers stopped working with SSH key logins with the result that
> > all my rsync automated backups gave up. This happened after my last
> > upgrade October 10, where I did a full source update of my 3.9 stable. I
> > could however still login with any account where I use passwords. Both
> > source and target SSH was OpenBSD and 3.9 from October 10. And as said it
> > happened on six server at the same time. The only thing that could have
> > caused this is that this update contained the new OpenSSH 4.4.
> >
> > I think the thread "
> > Cannot login into OpenSSH after applying patch 020_ssh2.patch to OpenBSD
> > 3.8 stable" is not the same problem. Or is it? Well... the fix for that
> > thread problem was "cd /usr/src/usr.bin/ssh && make obj depend && make &&
> > make install". And that does not help here.... Apart from that, the
> > result is EXACTLY the same as the referenced thread.
> >
> > Login with keys from a patched 3.9 system to a non patched system (ssh
> > 4.4 against 4.3) still works...
> >
> > Any clues?
> >
> > Thanks in advance
> > Per-Olov

Re: SSH upgrade to ver 4.4 on OBSD 3.9 stable broke key auth

Sjöholm Per-Olov
In reply to this post by Otto Moerbeek
On Tuesday 17 October 2006 09:19, you wrote:

> On Tue, 17 Oct 2006, Per-Olov Sjöholm wrote:
> > On Tuesday 17 October 2006 01:07, you wrote:
> > > After I upgraded to 3.9 stable from Oct 10 SSH key login no longer
> > > work.
> > >
> > > All my servers stopped working with SSH key logins with the result that
> > > all my rsync automated backups gave up. This happened after my last
> > > upgrade October 10, where I did a full source update of my 3.9 stable.
> > > I could however still login with any account where I use passwords.
> > > Both source and target SSH was OpenBSD and 3.9 from October 10. And as
> > > said it happened on six server at the same time. The only thing that
> > > could have caused this is that this update contained the new OpenSSH
> > > 4.4.
> > >
> > > I think the thread "
> > > Cannot login into OpenSSH after applying patch 020_ssh2.patch to
> > > OpenBSD 3.8 stable" is not the same problem. Or is it? Well... the fix
> > > for that thread problem was "cd /usr/src/usr.bin/ssh && make obj depend
> > > && make && make install". And that does not help here.... Apart from
> > > that, the result is EXACTLY the same as the referenced thread.
> > >
> > > Login with keys from a patched 3.9 system to a non patched system (ssh
> > > 4.4 against 4.3) still works...
> > >
> > > Any clues?
> > >
> > > Thanks in advance
> > > Per-Olov
> >
> > Will add some output of a verbose login as well.....
> > (name and IP changed)
> >
> > This worked on all six servers before the 3.9 STABLE update that changed
> > OpenSSH to 4.4. And after the stable update all key logins are broken and
> > only password login works.
>
> It could be you forgat the make depend.
> To rule out bad dependencies. run make cleandir first and then try again.
>
> -Otto

What should I clean when I totally wiped out /usr/src and /usr/obj before the
cvs update?

The build is done as follows...
--snip--
cd /usr
export CVSROOT="[hidden email]:/cvs"
cvs -z5 -q get -rOPENBSD_3_9 -P src
cd /usr/src/sys/arch/i386/conf
config GENERIC
cd ../compile/GENERIC
make clean && make depend && make
mv /bsd /bsd.old
cp bsd /
reboot
cd /usr/src
rm -r /usr/obj/*
make obj && make build
reboot
--snip--


Am I missing something? If so, what?
The above has worked every time on every release for many years....

Regards and thanks in advance
/Per-Olov

>
> > root@xanadu:~#ssh -v [hidden email]
> >
> > OpenSSH_4.4, OpenSSL 0.9.7g 11 Apr 2005
> > debug1: Reading configuration data /etc/ssh/ssh_config
> > debug1: Connecting to MYSERVER.MYDOMAIN.COM [1.1.1.1] port 22.
> > debug1: Connection established.
> > debug1: permanently_set_uid: 0/0
> > debug1: identity file /root/.ssh/identity type -1
> > debug1: identity file /root/.ssh/id_rsa type -1
> > debug1: identity file /root/.ssh/id_dsa type 2
> > debug1: Remote protocol version 1.99, remote software version OpenSSH_4.4
> > debug1: match: OpenSSH_4.4 pat OpenSSH*
> > debug1: Enabling compatibility mode for protocol 2.0
> > debug1: Local version string SSH-2.0-OpenSSH_4.4
> > debug1: SSH2_MSG_KEXINIT sent
> > debug1: SSH2_MSG_KEXINIT received
> > debug1: kex: server->client aes128-cbc hmac-md5 none
> > debug1: kex: client->server aes128-cbc hmac-md5 none
> > debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> > debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> > debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> > debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> > debug1: Host 'MYSERVER.MYDOMAIN.COM' is known and matches the RSA host
> > key. debug1: Found key in /root/.ssh/known_hosts:3
> > debug1: ssh_rsa_verify: signature correct
> > debug1: SSH2_MSG_NEWKEYS sent
> > debug1: expecting SSH2_MSG_NEWKEYS
> > debug1: SSH2_MSG_NEWKEYS received
> > debug1: SSH2_MSG_SERVICE_REQUEST sent
> > debug1: SSH2_MSG_SERVICE_ACCEPT received
> > debug1: Authentications that can continue:
> > publickey,password,keyboard-interactive
> > debug1: Next authentication method: publickey
> > debug1: Trying private key: /root/.ssh/identity
> > debug1: Trying private key: /root/.ssh/id_rsa
> > debug1: Offering public key: /root/.ssh/id_dsa
> > debug1: Server accepts key: pkalg ssh-dss blen 1585
> > debug1: read PEM private key done: type DSA
> > debug1: Authentications that can continue:
> > publickey,password,keyboard-interactive
> > debug1: Next authentication method: keyboard-interactive
> > Connection closed by 1.1.1.1
> >
> >
> > /Per-Olov

Re: SSH upgrade to ver 4.4 on OBSD 3.9 stable broke key auth

Otto Moerbeek
On Tue, 17 Oct 2006, Per-Olov Sjöholm wrote:

> What should I clean when I totally wiped out /usr/src and /usr/obj before the
> cvs update?
>
> The build is done as follows...
> --snip--
> cd /usr
> export CVSROOT="[hidden email]:/cvs"
> cvs -z5 -q get -rOPENBSD_3_9 -P src
> cd /usr/src/sys/arch/i386/conf
> config GENERIC
> cd ../compile/GENERIC
> make clean && make depend && make
> mv /bsd /bsd.old
> cp bsd /
> reboot
> cd /usr/src
> rm -r /usr/obj/*
> make obj && make build
> reboot

Hmm, that looks all right. One possibility might be that anoncvs1 was
not up-to-date, but that's unlikely, since the stable update was some
time ago. If updating doesn't show any new files, try to run the sshd
in debug mode (on another port); that might give a clue.

        -Otto

Re: SSH upgrade to ver 4.4 on OBSD 3.9 stable broke key auth

Sjöholm Per-Olov
On Tuesday 17 October 2006 11:17, you wrote:

> On Tue, 17 Oct 2006, Per-Olov Sjöholm wrote:
> > What should I clean when I totally wiped out /usr/src and /usr/obj before
> > the cvs update?
> >
> > The build is done as follows...
> > --snip--
> > cd /usr
> > export CVSROOT="[hidden email]:/cvs"
> > cvs -z5 -q get -rOPENBSD_3_9 -P src
> > cd /usr/src/sys/arch/i386/conf
> > config GENERIC
> > cd ../compile/GENERIC
> > make clean && make depend && make
> > mv /bsd /bsd.old
> > cp bsd /
> > reboot
> > cd /usr/src
> > rm -r /usr/obj/*
> > make obj && make build
> > reboot
>
> Hmm, that looks all right. One possibility might be that anoncvs1 was
> not up-to-date, but that's unlikely, since the stable update was some
> time ago. If updating doesn't show any new files, try to run the sshd
> in debug mode (on another port), that might give a clue.
>
> -Otto

I just ran a debug "/usr/sbin/sshd -ddde -p 2022" as Darren Tucker asked me
for it. And I just sent the debug output to him....

A key login works from a patched (now ssh 4.4) to a non patched (ssh 4.3)
system, but it won't work between two ssh 4.4 updated systems. Between these
only password login works.



Regards
Per-Olov

--
GPG keyID: 4DB283CE
GPG fingerprint: 45E8 3D0E DE05 B714 D549 45BC CFB4 BBE9 4DB2 83CE

Re: SSH upgrade to ver 4.4 on OBSD 3.9 stable broke key auth

Otto Moerbeek
On Tue, 17 Oct 2006, Per-Olov Sjöholm wrote:

> On Tuesday 17 October 2006 11:17, you wrote:
> > On Tue, 17 Oct 2006, Per-Olov Sjöholm wrote:
> > > What should I clean when I totally wiped out /usr/src and /usr/obj before
> > > the cvs update?
> > >
> > > The build is done as follows...
> > > --snip--
> > > cd /usr
> > > export CVSROOT="[hidden email]:/cvs"
> > > cvs -z5 -q get -rOPENBSD_3_9 -P src
> > > cd /usr/src/sys/arch/i386/conf
> > > config GENERIC
> > > cd ../compile/GENERIC
> > > make clean && make depend && make
> > > mv /bsd /bsd.old
> > > cp bsd /
> > > reboot
> > > cd /usr/src
> > > rm -r /usr/obj/*
> > > make obj && make build
> > > reboot
> >
> > Hmm, that looks all right. One possibility might be that anoncvs1 was
> > not up-to-date, but that's unlikely, since the stable update was some
> > time ago. If updating doesn't show any new files, try to run the sshd
> > in debug mode (on another port), that might give a clue.
> >
> > -Otto
>
> I just run a debug "/usr/sbin/sshd -ddde -p 2022" as  Darren Tucker asked me
> for it.  And I just sent the debug output to him....
>
> A key login works from a patched (now ssh 4.4) to a non patched (ssh 4.3)
> system. but it wont work between two ssh 4.4 updated systems. Between these
> only password login works.

OK, you're in good hands now, thanks for the report,

        -Otto

Solution to -> Re: SSH upgrade to ver 4.4 on OBSD 3.9 stable broke key auth

Sjöholm Per-Olov
In reply to this post by Sjöholm Per-Olov
On Tuesday 17 October 2006 12:08, Per-Olov Sjöholm wrote:

> On Tuesday 17 October 2006 11:17, you wrote:
> > On Tue, 17 Oct 2006, Per-Olov Sjöholm wrote:
> > > What should I clean when I totaly wiped out /usr/src and /usr/obj
> > > before the cvs update.
> > >
> > > The build is done as follows...
> > > --snip--
> > > cd /usr
> > > export CVSROOT="[hidden email]:/cvs"
> > > cvs -z5 -q get -rOPENBSD_3_9 -P src
> > > cd /usr/src/sys/arch/i386/conf
> > > config GENERIC
> > > cd ../compile/GENERIC
> > > make clean && make depend && make
> > > mv /bsd /bsd.old
> > > cp bsd /
> > > reboot
> > > cd /usr/src
> > > rm -r /usr/obj/*
> > > make obj && make build
> > > reboot
> >
> > Hmm, that looks all right. One possibility might be that anoncvs1 was
> > not up-to-date, but that's unlikely, since the stable update was some
> > time ago. If updating doesn't show any new files, try to run the sshd
> > in debug mode (on another port), that might give a clue.
> >
> > -Otto
>
> I just run a debug "/usr/sbin/sshd -ddde -p 2022" as  Darren Tucker asked
> me for it.  And I just sent the debug output to him....
>
> A key login works from a patched (now ssh 4.4) to a non patched (ssh 4.3)
> system. but it wont work between two ssh 4.4 updated systems. Between these
> only password login works.
>
>
>
> Regards
> Per-Olov

Hi misc

For the archives...

Here is a post with info that solves and explains the case, if someone else
gets stuck in this problem.

This problem was actually caused by an updated OpenSSL. I have had 2048- and
4096-bit SSH keys that have worked perfectly until my last complete 3.9 -stable
update.

In OpenSSL the limit is 3kbit for DSA keys and 16k for RSA keys. These days
ssh-keygen won't let you generate DSA keys other than 1024-bit ones (which is
all the FIPS-186-2 spec allows), so if you want larger keys then you should
use RSA. The thing that actually caused the problem was an openssl update
earlier (013_openssl2.patch or its equivalent in -stable), but it didn't
become apparent until sshd was rebuilt with the new openssl.


Thank you *very* much for the help Darren Tucker!

Regards
/Per-Olov Sjöholm
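As an added example (not code from this thread or from OpenSSH), the following Python audit parses ssh-dss and ssh-rsa lines in the format sshd reads from authorized_keys, reports the size of p (DSA) or n (RSA), and flags the sizes the post above says the updated OpenSSL refuses; the 3 kbit DSA and 16 kbit RSA limits are taken from the post as stated. The sample keys are constructed from placeholder integers, not real key pairs, and are sized so that the 4096-bit DSA blob is 1585 bytes, the "blen 1585" reported in the earlier ssh -v output.

```python
"""Audit OpenSSH public-key lines (authorized_keys or *.pub) against the key
size limits the thread attributes to the updated OpenSSL."""
import base64
import struct

# Limits as quoted in the post: 3 kbit for DSA keys, 16 kbit for RSA keys.
DSA_MAX_BITS = 3072
RSA_MAX_BITS = 16384
DSA_KEYGEN_BITS = 1024  # the only size ssh-keygen generates (FIPS 186-2)


def _read_string(blob, off):
    """Read one SSH 'string' (uint32 big-endian length, then bytes) at off."""
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    if off + n > len(blob):
        raise ValueError("truncated key blob")
    return blob[off:off + n], off + n


def _mpint_bits(raw):
    """Bit length of an SSH mpint (a leading 0x00 sign byte does not count)."""
    return int.from_bytes(raw, "big").bit_length()


def parse_pubkey_line(line):
    """Parse 'ssh-dss AAAA... comment' into (type, bits, blob_len).
    bits is the size of p for ssh-dss and of n for ssh-rsa; blob_len is the
    number the client's debug output reports as 'blen'."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    ktype, blob = parts[0], base64.b64decode(parts[1])
    wire_type, off = _read_string(blob, 0)
    if wire_type.decode() != ktype:
        raise ValueError("key type in text does not match the blob")
    if ktype == "ssh-dss":
        p, off = _read_string(blob, off)     # blob order: p, q, g, y
        bits = _mpint_bits(p)
    elif ktype == "ssh-rsa":
        _e, off = _read_string(blob, off)    # blob order: e, n
        n, off = _read_string(blob, off)
        bits = _mpint_bits(n)
    else:
        raise ValueError("unsupported key type " + ktype)
    return ktype, bits, len(blob)


def audit_line(line):
    """One-line verdict for a key line against the limits above."""
    ktype, bits, blob_len = parse_pubkey_line(line)
    if ktype == "ssh-dss":
        if bits > DSA_MAX_BITS:
            return "REJECT: %d-bit DSA exceeds the %d-bit OpenSSL limit" % (bits, DSA_MAX_BITS)
        if bits != DSA_KEYGEN_BITS:
            return "WARN: %d-bit DSA; FIPS 186-2 only allows %d-bit" % (bits, DSA_KEYGEN_BITS)
    elif bits > RSA_MAX_BITS:
        return "REJECT: %d-bit RSA exceeds the %d-bit OpenSSL limit" % (bits, RSA_MAX_BITS)
    return "OK: %d-bit %s (blob %d bytes)" % (bits, ktype, blob_len)


# --- constructed sample keys: placeholder integers, NOT real key pairs ---
def _mpint(n):
    """Encode a non-negative int as an SSH mpint (leading 0x00 if top bit set)."""
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(raw)) + raw


def _string(b):
    return struct.pack(">I", len(b)) + b


def make_dss_line(pbits, comment="constructed-dsa"):
    """ssh-dss line whose p has pbits bits. g and y get a clear top bit so the
    4096-bit case yields a 1585-byte blob, the 'blen 1585' in the ssh -v log."""
    p = (1 << (pbits - 1)) | 1
    q = (1 << 159) | 1
    g = (1 << (pbits - 2)) | 5
    y = (1 << (pbits - 2)) | 3
    blob = _string(b"ssh-dss") + _mpint(p) + _mpint(q) + _mpint(g) + _mpint(y)
    return "ssh-dss " + base64.b64encode(blob).decode() + " " + comment


def make_rsa_line(nbits, comment="constructed-rsa"):
    """ssh-rsa line whose n has nbits bits (e = 65537)."""
    blob = _string(b"ssh-rsa") + _mpint(65537) + _mpint((1 << (nbits - 1)) | 1)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment


if __name__ == "__main__":
    for sample in (make_dss_line(1024), make_dss_line(2048),
                   make_dss_line(4096), make_rsa_line(4096)):
        print(audit_line(sample))
```

Run against a real authorized_keys file by feeding each non-comment line to audit_line; a key that fails the DSA check is one sshd, once rebuilt against the updated OpenSSL, will silently skip before falling through to password or keyboard-interactive, exactly the sequence in the debug output above.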

Re: Solution to -> Re: SSH upgrade to ver 4.4 on OBSD 3.9 stable broke key auth

Girish Venkatachalam-2
On Sat, Oct 21, 2006 at 10:04:19PM +0200, Per-Olov Sjöholm wrote:

> Here is a post with info that solves and explain the case if someone else get
> stuck in the problem.
>
>  This problem was actually caused by an updated OpenSSL. I have had 2048 and
> 4096 SSH keys that have worked perfect until my last complete 3-9 -stable
> update.
>
> In OpenSSL  the limit is 3kbit for DSA keys and 16k for RSA keys.  These days
> ssh-keygen won't let you generate DSA keys other than 1024 bit ones (which is
> all the FIPS-186-2 spec allows) so if you want larger keys then you should
> use RSA. The thing that actually caused the problem was an openssl update
> earlier (013_openssl2.patch or its equivalent in -stable), but it didn't
> become apparent until sshd was rebuilt with the new openssl.
>
>
> Thanks you *very* much for the help Darren Tucker!

This is excellent news for me since I was investigating an ssh breakage problem in FreeBSD and I could point my finger at OpenSSL but not proceed further since I had other things to do in life. :-)

But there are some things not clear to me from what you are saying. It will be great if you can help.

You mean to say that newer versions of OpenSSL do not allow you to create DSA keys longer than 1024 bits, but then isn't there an export and a non export version?

I am assuming that all this FIPS/export etc. are some political crap that gets in the way of people wanting to use strong crypto.

Now, the problem with RSA is that it used to be patent encumbered (well) and even now I prefer DSA over RSA for whatever reason.

Now what?

Looks to me there are some holes in your analysis.

Thanks.

regards,
Girish

Re: Solution to -> Re: SSH upgrade to ver 4.4 on OBSD 3.9 stable broke key auth

Sjöholm Per-Olov
On Sunday 22 October 2006 15:48, Girish Venkatachalam wrote:

> On Sat, Oct 21, 2006 at 10:04:19PM +0200, Per-Olov Sjöholm wrote:
> > Here is a post with info that solves and explain the case if someone else
> > get stuck in the problem.
> >
> >  This problem was actually caused by an updated OpenSSL. I have had 2048
> > and 4096 SSH keys that have worked perfect until my last complete 3-9
> > -stable update.
> >
> > In OpenSSL  the limit is 3kbit for DSA keys and 16k for RSA keys.  These
> > days ssh-keygen won't let you generate DSA keys other than 1024 bit ones
> > (which is all the FIPS-186-2 spec allows) so if you want larger keys then
> > you should use RSA. The thing that actually caused the problem was an
> > openssl update earlier (013_openssl2.patch or its equivalent in -stable),
> > but it didn't become apparent until sshd was rebuilt with the new
> > openssl.
> >
> >
> > Thanks you *very* much for the help Darren Tucker!
>
> This is excellent news for me since I was investigating an ssh breakage
> problem in FreeBSD and I could point my finger at OpenSSL but not proceed
> further since I had other things to do in life. :-)
>
> But there are some things not clear to me from what you are saying. It will
> be great if you can help.
>
> You mean to say that newer versions of OpenSSL do not allow you to create
> DSA keys longer than 1024 bits, but then isn't there an export and a non
> export version?
>
> I am assuming that all this FIPS/export etc. are some political crap that
> gets in the way of people wanting to use strong crypto.
>
> Now, the problem with RSA is that it used to be patent encumbered (well)
> and even now I prefer DSA over RSA for whatever reason.
>
> Now what?
>
> Looks to me there are some holes in your analysis.
>
> Thanks.
>
> regards,
> Girish

Well... I solved it thanks to Darren Tucker. So positive feedback should go to
him... I haven't done any deeper analysis of it as it solved my problem. And
I don't have the time to dig...

Then you say Darren Tucker maybe has a hole in the analysis.... Well, ask him!
Maybe he reads this post and can answer directly.

Regards
Per-Olov

Re: Solution to -> Re: SSH upgrade to ver 4.4 on OBSD 3.9 stable broke key auth

Damien Miller
In reply to this post by Girish Venkatachalam-2
On Sun, 22 Oct 2006, Girish Venkatachalam wrote:

> You mean to say that newer versions of OpenSSL do not allow you to
> create DSA keys longer than 1024 bits, but then isn't there an export
> and a non export version?

No, longer DSA keys do not offer extra cryptographic strength unless
you make other modifications to the algorithm.

> I am assuming that all this FIPS/export etc. are some political crap
> that gets in the way of people wanting to use strong crypto.

Politics have nothing to do with it.

> Now, the problem with RSA is that it used to be patent encumbered
> (well) and even now I prefer DSA over RSA for whatever reason.

Patents have nothing to do with it.

> Now what?

Use RSA if you want longer keys if you like.

> Looks to me there are some holes in your analysis.

No.

-d

Re: Solution to -> Re: SSH upgrade to ver 4.4 on OBSD 3.9 stable broke key auth

Girish Venkatachalam-2
In reply to this post by Sjöholm Per-Olov
> Well... I solved it thanks to Darren Tucker. So positive feedback should go to
> him... I haven't done any deeper analysis of it as it solved my problem. And
> I don't have the time to dig...
>
> Then you say Darren Tucker maybe has a hole in the analysis.... Well, ask him!
> maybe he read this post and can answer directly.

Sorry, I regret using those exact words.

What I meant to say was that this does not explain everything.

Let me leave it at that.

If I don't understand something most likely my understanding is to take the blame. :-)

All is well that ends well.

Thanks to Damien and Darren for clearing certain things.

And to you of course for letting the list know this.

regards,
Girish

Re: Solution to -> Re: SSH upgrade to ver 4.4 on OBSD 3.9 stable broke key auth

Girish Venkatachalam-2
> Sorry I regretted using these exact words.
>
> What I meant to say was that this does not explain everything.
>
> Let me leave it at that.
>
> If I don't understand something most likely my understanding is to take the blame. :-)
>
> All is well that ends well.
>
> Thanks to Damien and Darren for clearing certain things.
>
> And to you of course for letting the list know this.

Ok, in order to bring things to a certain logical conclusion I will give a little bit of context to all this.

I have been having problems with my md5 and sha1 checksums not matching. I mean the shell commands. And also scp transfers used to abort with a "Corrupted MAC on input" error.

All these problems on my FreeBSD 6.0 box. Then someone else in China had a problem connecting to his FreeBSD box in San Diego. So I was investigating that and found that the kex protocol of ssh was not completing. It was crapping out at different places at different times.

And I could only go so far as DH params. Well I am not a math guru. :-)

However once the FreeBSD OpenSSL was reinstalled all these problems disappeared magically.

You can clearly see what I am getting at: that OpenSSL is the root cause for all this.

That is why I tried to correlate what you were saying with this.

But now it is apparent that this problem and my problem don't exactly coincide.

My apologies to OpenBSD devs and in particular Darren and Damien if I sounded rude.

Hope this clears things up a bit.

regards,
Girish