Re: OpenSSH protocol 2 won't use identity file

From: s c o t t <spaceacademy(at)hotmail.com>
Date: Thu Dec 12 2002 - 19:41:26 EST

identity is typically the default file name for RSA1 keys (for use with SSH1). man ssh-keygen:

see the descriptions of,

   $HOME/.ssh/identity,
and,

   $HOME/.ssh/identity.pub

This is proper behavior.

If you want to use userkey authentication with SSH2 you will need to generate an RSA or DSA key and transfer that to the proper authorized_keys file for the host side user you are trying to login with.

Cheers,
scott

----Original Message Follows----
From: Adam Cioccarelli <alciocca@yahoo.com.au> To: secureshell@securityfocus.com
Subject: OpenSSH protocol 2 won't use identity file Date: Wed, 11 Dec 2002 13:17:01 +1100 (EST)

Hi,

we are in the process of upgrading our solaris boxes from ssh 1.2.32 using SSH protocol 1 to OpenSSH 3.4p1 using both SSH protocol 1 and SSH protocol 2. However after the upgrade users using a protocol 2 client are no longer asked for the passphrase of their ~/.ssh/identity file, they are asked for their user password on the server. Is it not possible to use the old indentity file?

It seems that it isn't even looking for an identity file. Am I doing something wrong or is this normal?

-Adam

ssh -v -v -v localhost
OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090605f
debug1: Reading configuration data
/usr/local/etc/ssh_config

debug1: Applying options for *
debug3: cipher ok: aes128-cbc
[aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfou r,aes192-cbc,aes256-cbc]
debug3: cipher ok: 3des-cbc
[aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, aes192-cbc,aes256-cbc]
debug3: cipher ok: blowfish-cbc
[aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcf our,aes192-cbc,aes256-cbc]
debug3: cipher ok: cast128-cbc
[aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfo ur,aes192-cbc,aes256-cbc]
debug3: cipher ok: arcfour
[aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,a es192-cbc,aes256-cbc]
debug3: cipher ok: aes192-cbc
[aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfou r,aes192-cbc,aes256-cbc]
debug3: cipher ok: aes256-cbc
[aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfou r,aes192-cbc,aes256-cbc]
debug3: ciphers ok:
[aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-c bc,aes256-cbc]
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to localhost [::1] port 22. ssh: connect to address ::1 port 22: Network is unreachable

debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file

/usr/local/home/cioccaad/.ssh/identity type 0
debug1: identity file
/usr/local/home/cioccaad/.ssh/id_rsa type -1
debug1: identity file
/usr/local/home/cioccaad/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.4p1
debug1: match: OpenSSH_3.4p1 pat OpenSSH* Enabling compatibility mode for protocol 2.0

debug1: Local version string SSH-2.0-OpenSSH_3.4p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit:

diffie-hellman-group-exchange-sha1,diffie-hellman-group 1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,ae s192-cbc,aes256-cbc
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,ae s192-cbc,aes256-cbc
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openss h.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openss h.com,hmac-sha1-96,hmac-md5-96

debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit:

diffie-hellman-group-exchange-sha1,diffie-hellman-group 1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,ae s192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,ae s192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openss h.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openss h.com,hmac-sha1-96,hmac-md5-96

debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 129/256
debug1: bits set: 1562/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename

/usr/local/home/cioccaad/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 148 debug1: Host 'localhost' is known and matches the RSA host key.
debug1: Found key in
/usr/local/home/cioccaad/.ssh/known_hosts:148

debug1: bits set: 1639/3191
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue:
publickey,password,keyboard-interactive

debug3: start over, passed a different list publickey,password,keyboard-interactiv
e
debug3: preferred
publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred:
keyboard-interactive,password

debug3: authmethod_is_enabled publickey
debug1: next auth method to try is publickey
debug1: try privkey:

/usr/local/home/cioccaad/.ssh/id_rsa

debug3: no such identity:
/usr/local/home/cioccaad/.ssh/id_rsa

debug1: try privkey:
/usr/local/home/cioccaad/.ssh/id_dsa

debug3: no such identity:
/usr/local/home/cioccaad/.ssh/id_dsa

debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
Do you need more help?
In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software:
Learn more about Pantek's Technical Support offerings
Place an order for 24/7/365 Technical Support here
Learn more about Pantek, who we are, and what we do
Chat with a Live Operator
Related securityfocus.com Links
bugtraq
certification
focus-bsd
focus-ids
focus-ih
focus-linux
focus-ms
focus-sun
focus-unix-other
focus-virus
forensics
incidents
libnet
linux-secnews
ms-secnews
pen-test
secpapers
secprog
sectools
secureshell
security-basics
securityjobs
sf-news
vuln-dev
webappsec
Request more information about Pantek
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: next auth method to try is

keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: authentications that can continue: publickey,password,keyboard-interactive

debug3: userauth_kbdint: disable: no info_req_seen
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred:
debug3: authmethod_is_enabled password
debug1: next auth method to try is password

cioccaad@localhost's password:

http://greetings.yahoo.com.au - Yahoo! Greetings - Send your seasons greetings online this year!

---

The new MSN 8: smart spam protection and 2 months FREE* http://join.msn.com/?page=features/junkmail Received on Fri Dec 13 13:05:45 2002