Re: RhostsAuthentication under AIX 4.3.3

From: Alf Nicolaysen <Alf.Nicolaysen(at)de.ibm.com>
Date: Mon Mar 24 2003 - 06:44:02 EST

Hi Max!

This was a bunch of ideas from you, thank you for that. Where to start?

First I have to say that AIX in Version 4.3.3 does NOT support PAM. Even Version 5.1 does support PAM in a so-called "AS-IS-STATE", that means no further changes or fixes will be delivered, and only Version 5.2 does support PAM fully functional. Unfortunately, AIX 5.2 cannot be used because of incompatibilities in hardware. Second, the MD5 hash is not used on AIX 4.3.3, but the crypt hash.

An explanation of --without-rsh I could not find, nor do I understand why you want to make port entries for port 22 in /etc/services.

I think, the rest is clear to me.

Regards

Alf Nicolaysen

Max Gregis <mgregis@sorint.it> on 24.03.2003 10:03:34

Please respond to Max Gregis <mgregis@sorint.it>

To: Alf Nicolaysen/Germany/Contr/IBM@IBMDE
cc: secureshell@securityfocus.com
Subject: Re: RhostsAuthentication under AIX 4.3.3

Friday, March 21, 2003, 1:00:23 PM, you wrote:

Hi Alf,

this is Max from Milan, Italy.

I've compiled OpenSSH 3.5p1 on the Sparc Solaris platform (Solaris 8 is my OS) and it runs well.
Before this, I compiled zlib and OpenSSL. I've made:

Create SSHD user:

# mkdir /var/empty
# chown root:sys /var/empty
# chmod 755 /var/empty
# groupadd -g 10000 sshd
# useradd -u 10000 -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd

I've compiled ssh with the following options (my compiler is GCC 3.x):

# CFLAGS="-O -s" ./configure --prefix=/usr/local \
    --sysconfdir=/usr/local/etc --with-ipv4-default \
    --with-xauth=/usr/openwin/bin/xauth --with-md5-passwords --enable-suid-ssh \
    --with-pam \
    --without-rsh

.
.
.
OpenSSH has been configured with the following options:
                     User binaries: /usr/local/bin
                   System binaries: /usr/local/sbin
               Configuration files: /usr/local/etc
                   Askpass program: /usr/local/libexec/ssh-askpass
                      Manual pages: /usr/local/man/manX
                          PID file: /var/run
  Privilege separation chroot path: /var/empty
            sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
                    Manpage format: man
                       PAM support: yes
                KerberosIV support: no
                 KerberosV support: no
                 Smartcard support: no
                       AFS support: no
                     S/KEY support: no
              TCP Wrappers support: no
              MD5 password support: yes
       IP address in $DISPLAY hack: no
          Use IPv4 by default hack: yes
           Translate v4 in v6 hack: no
                  BSD Auth support: no
              Random number source: ssh-rand-helper

              Host: sparc-sun-solaris2.8
          Compiler: gcc
    Compiler flags: -O -s -Wall -Wpointer-arith -Wno-uninitialized
Preprocessor flags:  -I/usr/local/include
      Linker flags:  -L/usr/local/lib -R/usr/local/lib
         Libraries:  -lpam -ldl -lz -lsocket -lnsl -lcrypto

PAM is enabled. You may need to install a PAM control file for sshd, otherwise password authentication may fail. Example PAM control files can be found in the contrib/ subdirectory

Now execute:

# gmake
# gmake install

Try to configure SSH as follows:

# cd /usr/local/etc
# vi sshd_config

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
# This is the sshd server system-wide configuration file. See sshd(8)

Port 22
Protocol 2,1 <------ Comment out ( Before it uses protocol 2 and then 1 )
#ListenAddress 0.0.0.0
HostKey /usr/local/etc/ssh_host_key
# HostKeys for protocol version 2
HostKey /usr/local/etc/ssh_host_rsa_key
HostKey /usr/local/etc/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

LoginGraceTime 600
PermitRootLogin yes

# rhosts authentication should not be used
RhostsAuthentication yes
# Don't read ~/.rhosts and ~/.shosts files
IgnoreRhosts no <-------- From YES to NO ( setting NO to use .rhosts files )
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

StrictModes yes
X11Forwarding yes <-------- from NO to YES ( setting YES for using encrypting X11 and automatic export of DISPLAY variable ) .
.

In /etc/services add these entries:

# cd /etc
# vi services

ssh             22/tcp
ssh             22/udp  # for secure FTP

AN> Hi all,

AN> second try to make it work: After I gave up using the precompiled
AN> OPENSSH3.4p1 version for AIX, I compiled the sources for OPENSSH3.5p1 on
AN> the AIX machines and used one for client-purposes, the other as a
AN> ssh-server. I want to have the same behaviour as I used the "r-" commands,
AN> without password. It still appears to me, as if openssh does not care about
AN> any .rhosts or .shosts files. Look what it says in the debuglog:

AN> # /opt/sbin/sshd -f /opt/etc/sshd_config -d -d
AN> debug1: sshd version OpenSSH_3.5p1
AN> debug1: private host key: #0 type 0 RSA1
AN> debug1: read PEM private key done: type RSA
AN> debug1: private host key: #1 type 1 RSA
AN> debug1: read PEM private key done: type DSA
AN> debug1: private host key: #2 type 2 DSA
AN> debug1: Bind to port 22 on 0.0.0.0.
AN> Server listening on 0.0.0.0 port 22.
AN> Generating 768 bit RSA key.
AN> RSA key generation complete.
AN> debug1: Server will not fork when running in debugging mode.
AN> Connection from 9.164.18.22 port 943
AN> debug1: Client protocol version 1.5; client software version OpenSSH_3.5p1
AN> debug1: match: OpenSSH_3.5p1 pat OpenSSH*
AN> debug1: Local version string SSH-1.99-OpenSSH_3.5p1
AN> debug1: permanently_set_uid: 7/204
AN> debug1: Sent 768 bit server key and 1024 bit host key.
AN> debug2: Network child is on pid 16256
AN> debug1: Encryption type: 3des
AN> debug1: cipher_init: set keylen (16 -> 32)
AN> debug1: cipher_init: set keylen (16 -> 32)
AN> debug1: Received session key; encryption turned on.
AN> debug2: monitor_read: 28 used once, disabling now
AN> debug2: monitor_read: 30 used once, disabling now
AN> debug1: Installing crc compensation attack detector.

AN> debug1: Attempting authentication for root.
AN> debug2: monitor_read: 6 used once, disabling now
AN> Failed none for root from 9.164.18.22 port 943
AN> debug2: auth_rhosts2: clientuser root hostname 9.164.18.22 ipaddr 9.164.18.22
AN> debug1: temporarily_use_uid: 0/0 (e=7/204)
AN> debug1: restore_uid: (unprivileged)
AN> Failed rhosts for root from 9.164.18.22 port 943 ruser root
AN> Connection closed by 9.164.18.22
AN> debug1: Calling cleanup 0x200013b0(0x0)

AN> My Client call was

AN> /opt/bin/ssh <hostname> -o RhostsAuthentication=yes -o Protocol=1 -o UsePrivilegedPort=yes

AN> Is there anyone out there in the wide world, who made this work under any
AN> OS?

AN> Alf Nicolaysen


 Massimiliano Gregis
 Sun Microsystems Senior Consultant

 Phone.: 035.697534
 Mobile: 347.1167790
 Fax...: 035.697590
 E.mail: - mgregis@sorint.it
         - massimiliano@sorint.it
         - massimiliano.gregis@sorint.it

 Sorint http://www.sorint.it


Received on Mon Mar 24 12:17:57 2003
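
Added example, not part of either poster's message: a small Python audit of the trust-related keywords in an sshd_config like the one quoted in this thread. The rule table and the sample config are constructed for illustration; the parser relies on sshd_config's rule that the first value obtained for a keyword is the one used.

```python
# Added example: report trust-related settings in an OpenSSH 3.x-era sshd_config.
# SAMPLE is constructed for this example, modelled on the config quoted in the thread.
SAMPLE = """\
Port 22
Protocol 2,1 <------ annotation, as in the posted file
PermitRootLogin yes
# rhosts authentication should not be used
RhostsAuthentication yes
IgnoreRhosts no <-------- From YES to NO
#IgnoreUserKnownHosts yes
StrictModes yes
RhostsAuthentication no
"""

# keyword (lower case) -> (test on the value, what the setting means); illustrative rules
RULES = {
    "rhostsauthentication": (lambda v: v == "yes",
                             "rhosts trust accepted without host key verification"),
    "ignorerhosts": (lambda v: v == "no",
                     "per-user ~/.rhosts and ~/.shosts files are honoured"),
    "permitrootlogin": (lambda v: v == "yes", "root may log in directly"),
    "protocol": (lambda v: "1" in v.split(","), "SSH protocol 1 is offered"),
}

def parse(text):
    """Return {keyword: (value, line_number)}, keeping the first value per keyword."""
    settings = {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # keyword without an argument: nothing to evaluate
        # Only the first argument is read, so trailing annotations are ignored
        # (a tolerance chosen for this example, not sshd's own behaviour).
        settings.setdefault(fields[0].lower(), (fields[1].lower(), n))
    return settings

def audit(text):
    """Return sorted (line, keyword, value, meaning) for every rule that matches."""
    settings = parse(text)
    findings = []
    for key, (is_risky, meaning) in RULES.items():
        if key in settings and is_risky(settings[key][0]):
            value, n = settings[key]
            findings.append((n, key, value, meaning))
    return sorted(findings)

if __name__ == "__main__":
    for n, key, value, meaning in audit(SAMPLE):
        print(f"line {n}: {key} {value}: {meaning}")
```

The later `RhostsAuthentication no` on the last sample line is not reported as effective, because the earlier `yes` is the value that applies.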

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:55 EDT

