Date:      Wed, 31 Mar 2004 13:14:41 -0800
From:      Dave Tweten <tweten@nas.nasa.gov>
To:        Daren Desjardins <desjardins@canada.com>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: SSH issues with 4.9 stable (key_verify failed for  server_host_key)
Message-ID:  <3268.1080767681@gilmore.nas.nasa.gov>

This is a multipart MIME message.

--==_Exmh_6582748370
Content-Type: text/plain; charset=us-ascii

desjardins@canada.com said:
>A friend also did an 4.9 release to 4.9stable upgrade and ran into the
>exact same [SSH] problem.

Odd.  We've been using SSH for years here to protect authentication 
information on lots of machines, and I've been using the FreeBSD STABLE 
version for just as long.  Two weeks ago, in response to a disk failure, I 
rebuilt FreeBSD from the 4.9 CD and cvsup upgraded (eventually) to the 
version as of 0800 GMT yesterday morning.

>The machine is using a default(empty) ssh_config and sshd_config. 

My guess is this is your problem.  SSH developers have changed defaults 
and even configuration element names frequently.  It is probable that the 
different versions you tried had different defaults, causing their 
different results.

>... the base system seems to force a DSA host key authentication, whereas the
>port and openssh release use RSA ...

Why do you care?  Give your machine all three kinds of machine key 
(protocol 1.5, protocol 2.0 RSA, and protocol 2.0 DSA).  If you want to 
use public key authentication, give yourself all three types of personal 
key too.  That way, you are prepared for whatever slight misconfiguration 
there may be at the other end of your attempted connection.

For what it's worth, I've attached the ssh master config files I use.  
They are the starting point recommended by our Computer Security Group for 
other machines around here.  Their philosophy is that the SSH client only 
cares that the user's connection should be made successfully and that the 
SSH daemon is responsible for maintaining security.

They reflect ssh-agent being the parent of the user's session.  The 
fiddling in the client config file with whether or not to compress has to 
do with the fact compression shortens wall-clock time if you have to go 
over the Internet's comparatively slow links, instead of a LAN or a 
high-speed long haul link.  Cipher preferences were chosen for adequate 
security and highest speed.

I assure you that SSH from FreeBSD STABLE will work fine, if configured 
correctly.  Good luck.

--==_Exmh_6582748370
Content-Type: text/plain ; name="ssh_config"; charset=us-ascii
Content-Description: ssh_config

# ssh_config system client configuration file for OpenSSH 3.5p1, FreeBSD 4.8
# $Id: ssh_config,v 1.1.1.1 2003/06/05 22:21:28 tweten Exp $

# Actual path names for files may need to be changed for specific
# hosts.  The names used in this file work under the operating system
# and version number listed on the top line of this file.

# OpenSSH developers change parameters fairly often.  It is not
# guaranteed that this configuration file will work with OpenSSH
# versions other than the one listed on the top line of this file.

# Each configuration value is defined for a given destination host by
# its first appearance across all configuration sources.  Parameters
# that are allowed to default are listed as comments for the ultimate
# wild-carded host.

# First come configuration blocks for specific hosts; ...

# ... then we have configuration blocks for wild-carded hosts, ...

  Host *.nasa.gov
    Compression no

  Host *.*
    Compression yes

# ... followed ultimately by the ultimate wild-carded host.

  Host *
#   AFSTokenPassing no
#   BatchMode no
#   BindAddress
#   ChallengeResponseAuthentication yes
    CheckHostIP yes
    Cipher blowfish
    Ciphers arcfour,blowfish-cbc,cast128-cbc,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
#   ClearAllForwardings no
#   Compression no
#   CompressionLevel 6
    ConnectionAttempts 3
#   DynamicForward
#   EscapeChar ~
    ForwardAgent yes
    ForwardX11 yes
#   GatewayPorts no
#   GlobalKnownHostsFile /etc/ssh/ssh_known_hosts
    HostbasedAuthentication yes
#   HostKeyAlgorithms ssh-rsa,ssh-dss
#   HostKeyAlias
#   HostName
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   IdentityFile ~/.ssh/identity
#   KeepAlive yes
#   KerberosAuthentication no
#   KerberosTgtPassing no
#   LocalForward
#   LogLevel INFO
    MACs hmac-md5,hmac-md5-96,hmac-sha1,hmac-sha1-96,hmac-ripemd160
#   NoHostAuthenticationForLocalhost no
#   NumberOfPasswordPrompts 3
#   PasswordAuthentication yes
#   Port 22
    PreferredAuthentications publickey,hostbased,password,keyboard-interactive
#   Protocol 2,1
#   ProxyCommand
#   PubkeyAuthentication yes
#   RemoteForward
    RhostsAuthentication yes
    RhostsRSAAuthentication yes
#   RSAAuthentication yes
#   SmartcardDevice
    StrictHostKeyChecking yes
    UsePrivilegedPort yes
#   User $USER
#   UserKnownHostsFile $HOME/.ssh/known_hosts
    VersionAddendum ssh_config $Revision: 1.1.1.1 $
#   XAuthLocation /usr/X11R6/bin/xauth

--==_Exmh_6582748370
Content-Type: text/plain ; name="sshd_config"; charset=us-ascii
Content-Description: sshd_config

# sshd_config server configuration file for OpenSSH 3.5p1, FreeBSD 4.8
# $Id: sshd_config,v 1.1.1.1 2003/06/05 22:21:28 tweten Exp $

# Actual path names for files may need to be changed for specific
# hosts.  The names used in this file work under the operating system
# and version number listed on the top line of this file.

# OpenSSH developers change parameters fairly often.  It is not
# guaranteed that this configuration file will work with OpenSSH
# versions other than the one listed on the top line of this file.

# All parameters are listed in alphabetical order unless semantic
# requirements dictate otherwise.  Parameters that are allowed to
# default and their default values are listed as comments.

# The philosophy of this configuration is that the client process
# cares only about fulfilling the user's request and the server is
# responsible for maintaining security.

# Examples:
#   The client configuration file permits RhostsAuthentication and
#   ChallengeResponseAuthentication, but the server configuration file
#   forbids them.

# AFSTokenPassing no
# AllowGroups *
# AllowTcpForwarding yes
# AllowUsers *
# AuthorizedKeysFile .ssh/authorized_keys
  Banner /etc/ftpwelcome
  ChallengeResponseAuthentication no
# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
  ClientAliveInterval 60
  ClientAliveCountMax 10
# Compression yes
# DenyGroups
# DenyUsers
# GatewayPorts no
  HostbasedAuthentication yes
  HostKey /etc/ssh/ssh_host_key
  HostKey /etc/ssh/ssh_host_rsa_key
  HostKey /etc/ssh/ssh_host_dsa_key
  IgnoreRhosts no
# IgnoreUserKnownHosts no
# KeepAlive yes
# KerberosAuthentication no
# KerberosOrLocalPasswd yes
# KerberosTgtPassing no
# KerberosTicketCleanup yes
# KeyRegenerationInterval 1h
# Port 22
# ListenAddress 0.0.0.0
  LoginGraceTime 10m
# LogLevel INFO
# MACs hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
# MaxStartups 10
# PasswordAuthentication yes
# PermitEmptyPasswords no
  PermitRootLogin forced-commands-only
# PermitUserEnvironment no
# PidFile /var/run/sshd.pid
# PrintLastLog yes
  PrintMotd no
# Protocol 2,1
# PubkeyAuthentication yes
# RhostsAuthentication no
  RhostsRSAAuthentication yes
# RSAAuthentication yes
# ServerKeyBits 768
# StrictModes yes
  Subsystem sftp /usr/libexec/sftp-server
# SyslogFacility AUTH
# UseLogin no
# UsePrivilegeSeparation yes
  VerifyReverseMapping yes
  VersionAddendum sshd_config $Revision: 1.1.1.1 $
# X11DisplayOffset 10
# X11Forwarding yes
# X11UseLocalhost yes
# XAuthLocation /usr/X11R6/bin/xauth

--==_Exmh_6582748370
Content-Type: text/plain; charset=us-ascii

M/S 258-5                    |1024-bit PGP fingerprint:|tweten@nas.nasa.gov
NASA Ames Research Center    | 41 B0 89 0A  8F 94 6C 59|     (650) 604-4416
Moffett Field, CA  94035-1000| 7C 80 10 20  25 C7 2F E6|FAX: (650) 604-4377
Not an official NASA position.  You can't even be certain who sent this!

--==_Exmh_6582748370--
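The attached ssh_config depends on one rule stated in its header comment: an option's value for a destination host is fixed by its first appearance, scanning Host blocks top to bottom, which is why the specific and wild-carded blocks come before the catch-all `Host *`. The following Python model of that resolution is an added example, not code from the mail or from OpenSSH; the sample configuration inside it is constructed to mirror the attachment's layout, and the parser deliberately ignores `Match`, `Include` and multi-valued options such as `IdentityFile`, which accumulate rather than being overridden.

```python
"""Resolve the effective OpenSSH client options for a destination host.

Added example (not from the original mail or from OpenSSH): a teaching model
of the first-occurrence-wins rule that the attached ssh_config relies on.
Later Host blocks, including the final 'Host *', only fill in options that
an earlier matching block has not already set.
"""
from fnmatch import fnmatchcase

# Constructed sample config mirroring the structure of the attached ssh_config:
# a specific host first, then wild-carded hosts, then the ultimate 'Host *'.
SAMPLE_SSH_CONFIG = """\
# a specific host comes first so nothing below can override it
Host bastion.example.net
    Compression no
    StrictHostKeyChecking yes

Host *.nasa.gov
    Compression no

Host *.*
    Compression yes

Host *
    CheckHostIP yes
    Compression no
    StrictHostKeyChecking ask
    ForwardAgent yes
"""


def parse_blocks(text):
    """Return [(patterns, [(keyword, value), ...]), ...] in file order.

    Options that appear before the first 'Host' line apply everywhere, so
    they are collected under an implicit leading '*' block.  Keywords are
    lower-cased because OpenSSH treats them case-insensitively.
    """
    blocks = [(["*"], [])]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank lines and comments
            continue
        # OpenSSH accepts 'Keyword value' and 'Keyword=value'.
        parts = line.replace("=", " ", 1).split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "host":
            blocks.append((value.split(), []))   # one or more patterns
        else:
            blocks[-1][1].append((keyword, value))
    return blocks


def block_matches(patterns, hostname):
    """A block applies when some positive pattern matches the host and no
    negated ('!') pattern matches.  Matching is case-insensitive; fnmatch's
    '*' and '?' stand in for OpenSSH's own pattern matcher (a simplification:
    fnmatch also understands '[...]', which OpenSSH does not)."""
    host = hostname.lower()
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatchcase(host, pat[1:].lower()):
                return False
        elif fnmatchcase(host, pat.lower()):
            matched = True
    return matched


def effective_config(text, hostname):
    """First occurrence wins: walk the blocks in order and keep an option only
    if no earlier matching block has set it (setdefault never overwrites)."""
    resolved = {}
    for patterns, options in parse_blocks(text):
        if not block_matches(patterns, hostname):
            continue
        for keyword, value in options:
            resolved.setdefault(keyword, value)
    return resolved


if __name__ == "__main__":
    for host in ("foo.nasa.gov", "www.example.com", "localhost", "bastion.example.net"):
        cfg = effective_config(SAMPLE_SSH_CONFIG, host)
        print(f"{host:22s} Compression={cfg['compression']:3s} "
              f"StrictHostKeyChecking={cfg['stricthostkeychecking']}")
```

Running it shows why block order matters: `foo.nasa.gov` gets `Compression no` from the `*.nasa.gov` block, `www.example.com` gets `yes` from `*.*`, and a bare `localhost` (no dot, so `*.*` does not match) falls through to the `Host *` default. Had `Host *` been placed first, its values would have won for every host and the wild-carded blocks would have been dead configuration, which is the kind of silent misconfiguration that makes two "default" setups behave differently.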
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3268.1080767681>