Date: Fri, 28 Jun 2002 08:42:03 -0700 (PDT)
From: jestrix <jestrix@jestrix.net>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ports/39953: Resolve failure in OpenSSH 3.4p1 when using PrivilegeSeparation in 4.5-RELEASE
Message-ID: <200206281542.g5SFg3OG055334@www.freebsd.org>
>Number:         39953
>Category:       ports
>Synopsis:       Resolve failure in OpenSSH 3.4p1 when using PrivilegeSeparation in 4.5-RELEASE
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jun 28 08:50:01 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     jestrix
>Release:        4.5-RELEASE
>Organization:
N/A
>Environment:
FreeBSD foo.org 4.5-RELEASE FreeBSD 4.5-RELEASE #0: Mon Jan 28 14:31:56 GMT 2002     murray@builder.freebsdmall.com:/usr/src/sys/compile/GENERIC  i386
>Description:
When upgrading to OpenSSH 3.4p1 from the ports collection (using Makefile 1.48 and OPENSSH_OVERWRITE_BASE=yes), sshd hangs when trying to do a lookup of the connecting IP. After about a minute, the password prompt appears and an ssh connection is successfully established.

sshd -ddd output as follows:

debug1: sshd version OpenSSH_3.4p1
debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #0 type 2 DSA
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
<snip>
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug3: Trying to reverse map address xx.xx.xx.xx.
<hangs for a minute here>
Could not reverse map address xx.xx.xx.xx.
debug1: userauth-request for user blah service ssh-connection method none
debug1: attempt 0 failures 0
debug3: mm_getpwnamallow entering
<snip>

The daemon still works correctly, but the wait is an annoyance. Furthermore, nslookup successfully resolves the IP in question, so even though sshd is ignoring "VerifyReverseMapping no" (full sshd_config pasted in 'how to repeat'), it should not fail.

This problem did NOT occur on a second system when using the same OpenSSH port:

FreeBSD foo2.org 4.6-RC FreeBSD 4.6-RC #0: Fri May 31 00:44:30 EDT 2002     jestrix@jestrix.net:/usr/obj/usr/src/sys/JESTRIX  i386
>How-To-Repeat:
Repeated on a second 4.5-RELEASE system by installing the new OpenSSH port and using the following sshd_config:

#	$OpenBSD: sshd_config,v 1.56 2002/06/20 23:37:12 markus Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

Port 22
Protocol 2
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 3600
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 600
PermitRootLogin no
StrictModes yes

#RSAAuthentication no
#PubkeyAuthentication no
#AuthorizedKeysFile	.ssh/authorized_keys

# rhosts authentication should not be used
RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
IgnoreUserKnownHosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no

# Change to no to disable s/key passwords
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#AFSTokenPassing no

# Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no

# Set this to 'yes' to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt yes

X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
UseLogin no
UsePrivilegeSeparation yes
Compression no

#MaxStartups 10
# no default banner path
#Banner /some/path
VerifyReverseMapping no

# override default of no subsystems
Subsystem	sftp	/usr/libexec/sftp-server
>Fix:
Set "UsePrivilegeSeparation no" in sshd_config
>Release-Note:
>Audit-Trail:
>Unformatted:
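The report pairs UsePrivilegeSeparation yes with VerifyReverseMapping no and still sees the reverse lookup stall for about a minute while nslookup answers promptly. The following added triage helper is example code written for this page; it is not part of the PR, the FreeBSD port or OpenSSH. It parses an sshd_config in the format quoted above (a simplification of sshd's own rules: keyword then value, first occurrence wins), states what the two options mean for the connection path, and times one reverse lookup so a slow resolver can be told apart from a fast one. The sample config text, the 2-second threshold and the 192.0.2.1 documentation address are constructed; the option defaults are taken from the OpenSSH 3.4 man page.

```python
"""Triage helper for sshd reverse-lookup delays (added example, not part of
the FreeBSD PR, the OpenSSH port or OpenSSH itself).

Reads an sshd_config of the format quoted in the report, reports the
effective values of the two options involved, and times one reverse lookup.
Only the standard library is used.
"""
import re
import socket
import time

# Constructed sample: the active lines of the report's sshd_config, with one
# commented line kept to show that comments are ignored.
SAMPLE_CONFIG = """\
# $OpenBSD: sshd_config,v 1.56 2002/06/20 23:37:12 markus Exp $
Port 22
Protocol 2
#ListenAddress ::
HostKey /etc/ssh/ssh_host_dsa_key
PermitRootLogin no
UsePrivilegeSeparation yes
VerifyReverseMapping no
Subsystem sftp /usr/libexec/sftp-server
"""


def parse_sshd_config(text):
    """Return {keyword (lowercased): value} for uncommented lines.

    sshd keywords are case-insensitive, and when a keyword is repeated the
    first occurrence is the one that takes effect, hence setdefault().
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and value are separated by whitespace (newer sshd also accepts '=').
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        effective.setdefault(key, value)
    return effective


def reverse_lookup_findings(effective):
    """Describe what the two options mean for the connection path.

    Defaults assumed from the OpenSSH 3.4 man page: UsePrivilegeSeparation yes,
    VerifyReverseMapping no.
    """
    findings = []
    privsep = effective.get("useprivilegeseparation", "yes").lower() == "yes"
    verify = effective.get("verifyreversemapping", "no").lower() == "yes"
    if privsep:
        findings.append("UsePrivilegeSeparation yes: the connection is handled "
                        "by the unprivileged child process")
    if not verify:
        findings.append("VerifyReverseMapping no: the forward/reverse consistency "
                        "check is skipped, but sshd still attempts the reverse "
                        "lookup (the 'Trying to reverse map address' line in the "
                        "debug output)")
    return findings


def time_reverse_lookup(addr, resolver=socket.gethostbyaddr, threshold=2.0):
    """Time one reverse lookup of addr.

    Returns (hostname or None, elapsed seconds, slow); slow is True when the
    lookup exceeded threshold seconds. The resolver is injectable so the
    function can be exercised without network access.
    """
    start = time.monotonic()
    try:
        hostname = resolver(addr)[0]
    except OSError:  # socket.herror and socket.gaierror are OSError subclasses
        hostname = None
    elapsed = time.monotonic() - start
    return hostname, elapsed, elapsed > threshold


if __name__ == "__main__":
    cfg = parse_sshd_config(SAMPLE_CONFIG)
    for finding in reverse_lookup_findings(cfg):
        print("-", finding)
    # Substitute the connecting client's address to compare this timing with
    # the delay seen in 'sshd -ddd'; 192.0.2.1 is a documentation address.
    name, secs, slow = time_reverse_lookup("192.0.2.1")
    print(f"reverse lookup -> {name!r} in {secs:.2f}s{' (SLOW)' if slow else ''}")
```

Running the timing from a normal shell, as the report did with nslookup, measures the host's resolver on its own; a fast answer here alongside a stalled "Trying to reverse map address" in the sshd debug output points at the environment the sshd child runs in rather than at DNS itself, which is the distinction the report draws.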