From owner-freebsd-questions Thu Jun 21 10:51:53 2001
Message-Id: <200106211751.f5LHpfc09030@ptavv.es.net>
To: Martin McCormick
Cc: questions@FreeBSD.ORG
Subject: Re: Secure Shell ssh-1.2.27 is Almost Right but not quite.
In-reply-to: Your message of "Thu, 21 Jun 2001 11:55:53 CDT."
Date: Thu, 21 Jun 2001 10:51:41 -0700
From: "Kevin Oberman"
Sender: owner-freebsd-questions@FreeBSD.ORG

The original version of ssh (now at 1.2.27 or so) defaults to
IDEA. IDEA is a patented algorithm, so is not used in OpenSSH. Your two
good choices are 3DES and Blowfish. You can edit your ssh_config file
to change the default with the line:
Cipher 3des

The other problem is probably a configuration problem, too. OpenSSH in
FreeBSD has VERY conservative defaults. For example, the default is to
not forward X or the authentication agent. Try entering:
RhostsAuthentication yes
to your config. Do NOT assume that the values in this file really are
defaults!

Finally, make sure the remote server is configured to allow
rhost/shosts access. I don't think that this is the default.

R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman@es.net    Phone: +1 510 486-8634

> Date: Thu, 21 Jun 2001 11:55:53 -0500
> From: Martin McCormick
> Sender: owner-freebsd-questions@FreeBSD.ORG
>
> I wrote to this group on the thirteenth of June and
> asked about installing ssh-1.2.27.
> I was informed that this was
> not necessary as there is a good port of ssh and sshd all ready
> to go in freebsd. After getting past that little bit of
> ignorance on my part, I found that to be true and also that the
> ssh version supports both the ssh-1 and ssh-2 protocols. In
> other words, it is really neat.
>
> I now have a .shosts file in my home directory on the
> freebsd system and /etc/ssh/shosts.equiv identifying the remote
> system I am communicating with.
>
> I can go from the remote system to the freebsd box
> without a password after installing the key in known_hosts, of
> course, but I still can't ssh from the freebsd box to anywhere
> else without having to enter a password. Here is the output from
> the ssh -v command. I hope somebody might find this familiar as
> I have stared at it so long, I may be missing something obvious.
> Debug output follows:
>
> SSH Version OpenSSH_2.3.0 green@FreeBSD.org 20010321, protocol versions 1.5/2.0.
> Compiled with SSL (0x0090600f).
> debug: Reading configuration data /etc/ssh/ssh_config
> debug: ssh_connect: getuid 1234 geteuid 1234 anon 1
> debug: Connecting to remote.system.okstate.edu [139.78.x.x] port 22.
> debug: Connection established.
> debug: Remote protocol version 1.5, remote software version 1.2.27
> debug: no match: 1.2.27
> debug: Local version string SSH-1.5-OpenSSH_2.3.0 green@FreeBSD.org 20010321
> debug: Waiting for server public key.
> debug: Received server public key (768 bits) and host key (1024 bits).
> debug: Host 'remote.system.okstate.edu' is known and matches the RSA host key.
> debug: Encryption type: 3des
> debug: Sent encrypted session key.
> debug: Installing crc compensation attack detector.
> debug: Received encrypted confirmation.
>
> -------------
>
> Here is where it seems to not be quite right.
>
> --------
> debug: Doing password authentication.
>
> At that point, one gets a login which works fine after
> entering the password.
>
> The ssh-1.2.27 systems use "idea" as the encryption
> technique when they talk to each other instead of 3des but I am
> not sure if that matters so long as both systems agree on the
> same type.
>
> Martin McCormick WB5AGZ Stillwater, OK
> OSU Center for Computing and Information Services Data Communications Group
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
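
Added example, not part of the original messages or of OpenSSH: a small Python check for the reply's point that lines in ssh_config are not necessarily the defaults in effect. It reports which of the options named in the thread a config explicitly sets for a given host. The sample config, the second host name and the function names are constructed for illustration.

```python
import fnmatch
import re

# Client options discussed in the thread.
WATCHED = ("cipher", "rhostsauthentication", "forwardx11", "forwardagent")
UNSET = "(not set: compiled-in default applies)"

# Constructed sample, not a real FreeBSD ssh_config.
SAMPLE = """\
# Host *
#   ForwardAgent yes
#   RhostsAuthentication yes
Host *.okstate.edu
  Cipher 3des
  RhostsAuthentication yes
Host *
  Cipher blowfish
  ForwardX11 no
"""

def host_matches(patterns, host):
    # Simplification: shell-style wildcards only, no negated patterns.
    return any(fnmatch.fnmatchcase(host, p) for p in patterns)

def effective_options(config_text, host):
    """Return the {keyword: value} pairs the config explicitly sets for host.

    ssh_config rules applied: keywords are case-insensitive, the first value
    obtained for a keyword wins, lines before any Host line apply to every
    host, and commented-out lines set nothing.
    """
    result, applies = {}, True
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\w+)(?:\s*=\s*|\s+)(.*)$", line)  # "Key value" or "Key=value"
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            applies = host_matches(value.split(), host)
        elif applies and key not in result:
            result[key] = value
    return result

def report(config_text, host):
    opts = effective_options(config_text, host)
    return {k: opts.get(k, UNSET) for k in WATCHED}

if __name__ == "__main__":
    for name, value in report(SAMPLE, "remote.system.okstate.edu").items():
        print(f"{name:22} {value}")
```

An option reported as not set takes whatever the ssh binary was built with, which is what the commented-out lines in a shipped config may or may not reflect.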