From: Dave Tweten <tweten@nas.nasa.gov>
To: Daren Desjardins <desjardins@canada.com>
cc: freebsd-stable@freebsd.org
Reply-To: David.E.Tweten@nasa.gov
Date: Wed, 31 Mar 2004 13:14:41 -0800
Message-ID: <3268.1080767681@gilmore.nas.nasa.gov>
Subject: Re: SSH issues with 4.9 stable (key_verify failed for server_host_key)

desjardins@canada.com said:
>A friend also did a 4.9 release to 4.9stable upgrade and ran into the
>exact same [SSH] problem.

Odd. We've been using SSH for years here to protect authentication information on lots of machines, and I've been using the FreeBSD STABLE version for just as long. Two weeks ago, in response to a disk failure, I rebuilt FreeBSD from the 4.9 CD and cvsup upgraded (eventually) to the version as of 0800 GMT yesterday morning.
>The machine is using a default (empty) ssh_config and sshd_config.

My guess is this is your problem. SSH developers have changed defaults and even configuration element names frequently. It is probable that the different versions you tried had different defaults, causing their different results.

>... the base system seems to force a DSA host key authentication, whereas the
>port and openssh release use RSA ...

Why do you care? Give your machine all three kinds of machine key (protocol 1.5, protocol 2.0 RSA, and protocol 2.0 DSA). If you want to use public key authentication, give yourself all three types of personal key too. That way, you are prepared for whatever slight misconfiguration there may be at the other end of your attempted connection.

For what it's worth, I've attached the ssh master config files I use. They are the starting point recommended by our Computer Security Group for other machines around here. Their philosophy is that the SSH client only cares that the user's connection should be made successfully and that the SSH daemon is responsible for maintaining security. They reflect ssh-agent being the parent of the user's session. The fiddling in the client config file with whether or not to compress has to do with the fact compression shortens wall-clock time if you have to go over the Internet's comparatively slow links, instead of a LAN or a high-speed long haul link. Cipher preferences were chosen for adequate security and highest speed.

I assure you that SSH from FreeBSD STABLE will work fine, if configured correctly. Good luck.

[attachment: ssh_config]

# ssh_config system client configuration file for OpenSSH 3.5p1, FreeBSD 4.8
# $Id: ssh_config,v 1.1.1.1 2003/06/05 22:21:28 tweten Exp $

# Actual path names for files may need to be changed for specific
# hosts.
# The names used in this file work under the operating system
# and version number listed on the top line of this file.

# OpenSSH developers change parameters fairly often. It is not
# guaranteed that this configuration file will work with OpenSSH
# versions other than the one listed on the top line of this file.

# Each configuration value is defined for a given destination host by
# its first appearance across all configuration sources. Parameters
# that are allowed to default are listed as comments for the ultimate
# wild-carded host.

# First come configuration blocks for specific hosts; ...

# ... then we have configuration blocks for wild-carded hosts, ...
Host *.nasa.gov
Compression no

Host *.*
Compression yes

# ... followed ultimately by the ultimate wild-carded host.
Host *
# AFSTokenPassing no
# BatchMode no
# BindAddress
# ChallengeResponseAuthentication yes
CheckHostIP yes
Cipher blowfish
Ciphers arcfour,blowfish-cbc,cast128-cbc,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
# ClearAllForwardings no
# Compression no
# CompressionLevel 6
ConnectionAttempts 3
# DynamicForward
# EscapeChar ~
ForwardAgent yes
ForwardX11 yes
# GatewayPorts no
# GlobalKnownHostsFile /etc/ssh/ssh_known_hosts
HostbasedAuthentication yes
# HostKeyAlgorithms ssh-rsa,ssh-dss
# HostKeyAlias
# HostName
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# IdentityFile ~/.ssh/identity
# KeepAlive yes
# KerberosAuthentication no
# KerberosTgtPassing no
# LocalForward
# LogLevel INFO
MACs hmac-md5,hmac-md5-96,hmac-sha1,hmac-sha1-96,hmac-ripemd160
# NoHostAuthenticationForLocalhost no
# NumberOfPasswordPrompts 3
# PasswordAuthentication yes
# Port 22
PreferredAuthentications publickey,hostbased,password,keyboard-interactive
# Protocol 2,1
# ProxyCommand
# PubkeyAuthentication yes
# RemoteForward
RhostsAuthentication yes
RhostsRSAAuthentication yes
# RSAAuthentication yes
# SmartcardDevice
StrictHostKeyChecking yes
UsePrivilegedPort yes
# User $USER
# UserKnownHostsFile $HOME/.ssh/known_hosts
VersionAddendum ssh_config $Revision: 1.1.1.1 $
# XAuthLocation /usr/X11R6/bin/xauth

[attachment: sshd_config]

# sshd_config server configuration file for OpenSSH 3.5p1, FreeBSD 4.8
# $Id: sshd_config,v 1.1.1.1 2003/06/05 22:21:28 tweten Exp $

# Actual path names for files may need to be changed for specific
# hosts. The names used in this file work under the operating system
# and version number listed on the top line of this file.

# OpenSSH developers change parameters fairly often. It is not
# guaranteed that this configuration file will work with OpenSSH
# versions other than the one listed on the top line of this file.

# All parameters are listed in alphabetical order unless semantic
# requirements dictate otherwise. Parameters that are allowed to
# default and their default values are listed as comments.

# The philosophy of this configuration is that the client process
# cares only about fulfilling the user's request and the server is
# responsible for maintaining security.

# Examples:
# The client configuration file permits RhostsAuthentication and
# ChallengeResponseAuthentication, but the server configuration file
# forbids them.

# AFSTokenPassing no
# AllowGroups *
# AllowTcpForwarding yes
# AllowUsers *
# AuthorizedKeysFile .ssh/authorized_keys
Banner /etc/ftpwelcome
ChallengeResponseAuthentication no
# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
ClientAliveInterval 60
ClientAliveCountMax 10
# Compression yes
# DenyGroups
# DenyUsers
# GatewayPorts no
HostbasedAuthentication yes
HostKey /etc/ssh/ssh_host_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
IgnoreRhosts no
# IgnoreUserKnownHosts no
# KeepAlive yes
# KerberosAuthentication no
# KerberosOrLocalPasswd yes
# KerberosTgtPassing no
# KerberosTicketCleanup yes
# KeyRegenerationInterval 1h
# Port 22
# ListenAddress 0.0.0.0
LoginGraceTime 10m
# LogLevel INFO
# MACs hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
# MaxStartups 10
# PasswordAuthentication yes
# PermitEmptyPasswords no
PermitRootLogin forced-commands-only
# PermitUserEnvironment no
# PidFile /var/run/sshd.pid
# PrintLastLog yes
PrintMotd no
# Protocol 2,1
# PubkeyAuthentication yes
# RhostsAuthentication no
RhostsRSAAuthentication yes
# RSAAuthentication yes
# ServerKeyBits 768
# StrictModes yes
Subsystem sftp /usr/libexec/sftp-server
# SyslogFacility AUTH
# UseLogin no
# UsePrivilegeSeparation yes
VerifyReverseMapping yes
VersionAddendum sshd_config $Revision: 1.1.1.1 $
# X11DisplayOffset 10
# X11Forwarding yes
# X11UseLocalhost yes
# XAuthLocation /usr/X11R6/bin/xauth

M/S 258-5                   |1024-bit PGP fingerprint:|tweten@nas.nasa.gov
NASA Ames Research Center   | 41 B0 89 0A 8F 94 6C 59|      (650) 604-4416
Moffett Field, CA 94035-1000| 7C 80 10 20 25 C7 2F E6|FAX:  (650) 604-4377
Not an official NASA position. You can't even be certain who sent this!
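The attached ssh_config spells out the rule that decides what the client actually does: a keyword's value for a destination host is the first one obtained across the matching Host blocks, in file order, so the ordering of the *.nasa.gov, *.* and * blocks is what makes the Compression fiddling work. The sshd_config header adds the other half of the picture: a method the client offers may still be refused by the server. The following Python is an added example, not code from this mail or from OpenSSH. It reimplements that first-occurrence resolution over constructed excerpts of the two attachments and reports which of the client's PreferredAuthentications this server would entertain. Assumptions: Host patterns are matched with fnmatch, which agrees with OpenSSH's matcher for the `*` and `?` wildcards used here; hostnames are compared case-insensitively; and the server-side defaults table uses the values shown as comments in the attachment, plus the OpenSSH defaults (HostbasedAuthentication no, ChallengeResponseAuthentication yes) for keywords the attachment sets explicitly.

```python
"""Resolve OpenSSH client/server configuration the way the attached files
describe: for each keyword, the first matching occurrence wins.
Added example; not part of the original mail or of OpenSSH itself."""
import fnmatch
import re

# Constructed excerpt of the attached ssh_config (same blocks, same order).
SSH_CONFIG = """\
Host *.nasa.gov
    Compression no
Host *.*
    Compression yes
Host *
    # Compression no
    Cipher blowfish
    ForwardAgent yes
    HostbasedAuthentication yes
    PreferredAuthentications publickey,hostbased,password,keyboard-interactive
    RhostsAuthentication yes
    StrictHostKeyChecking yes
"""

# Constructed excerpt of the attached sshd_config (no Host blocks exist there).
SSHD_CONFIG = """\
ChallengeResponseAuthentication no
HostbasedAuthentication yes
IgnoreRhosts no
PermitRootLogin forced-commands-only
# RhostsAuthentication no
RhostsRSAAuthentication yes
"""

# Server-side defaults consulted below (assumed OpenSSH 3.x defaults; the
# commented-out lines of the attached sshd_config list the first two).
SSHD_DEFAULTS = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "hostbasedauthentication": "no",
}

# Which sshd keyword gates each protocol-2 method named in PreferredAuthentications.
METHOD_GATE = {
    "publickey": "pubkeyauthentication",
    "hostbased": "hostbasedauthentication",
    "password": "passwordauthentication",
    "keyboard-interactive": "challengeresponseauthentication",
}


def _entries(text):
    """Yield (keyword, value) for every non-comment line; keywords lower-cased.
    Both 'Keyword value' and 'Keyword=value' spellings are accepted."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            yield parts[0].lower(), parts[1].strip()


def _host_matches(patterns, host):
    """A Host block applies if some pattern matches and no '!'-negated one does."""
    host = host.lower()
    positive = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:].lower()):
                return False          # a negated match excludes the block outright
        elif fnmatch.fnmatchcase(host, pat.lower()):
            positive = True
    return positive


def resolve_client(text, host):
    """Effective ssh_config for `host`: first obtained value per keyword wins."""
    resolved = {}
    patterns = ["*"]                  # keywords before any Host line apply everywhere
    for key, value in _entries(text):
        if key == "host":
            patterns = value.split()
            continue
        if _host_matches(patterns, host) and key not in resolved:
            resolved[key] = value
    return resolved


def resolve_server(text):
    """Effective sshd_config: flat file, first occurrence of a keyword wins."""
    resolved = {}
    for key, value in _entries(text):
        resolved.setdefault(key, value)
    return resolved


def methods_server_accepts(client, server):
    """The client's PreferredAuthentications, in order, minus those the server forbids."""
    preferred = client.get("preferredauthentications", "").split(",")
    accepted = []
    for method in preferred:
        gate = METHOD_GATE.get(method)
        if gate and server.get(gate, SSHD_DEFAULTS[gate]) == "yes":
            accepted.append(method)
    return accepted


if __name__ == "__main__":
    for host in ("gilmore.nas.nasa.gov", "example.org", "localhost"):
        cfg = resolve_client(SSH_CONFIG, host)
        print(f"{host}: Compression = {cfg.get('compression', '(default)')}")
    server = resolve_server(SSHD_CONFIG)
    print("server will entertain:",
          methods_server_accepts(resolve_client(SSH_CONFIG, "example.org"), server))
```

Run as a script it prints Compression no for the nasa.gov host, yes for any other dotted name, and the default for a bare name like localhost, which only the final `Host *` block matches. The last line shows keyboard-interactive dropping out because the server sets ChallengeResponseAuthentication no, exactly the mismatch the sshd_config header gives as its example; a client that lists a method first and then watches it silently skipped is usually looking at this kind of server-side refusal rather than a broken key.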