OpenSSH problem after upgrade

deesto · 06-18-2008, 02:33 PM

I recently had to upgrade my version of OpenSSH from 4.7 to 5.0 on my MacBook (Darwin). I installed the latest 'portable' tarball and removed the system version:

Code:

$ ssh -V
OpenSSH_5.0p1, OpenSSL 0.9.7l 28 Sep 2006
$ which ssh
/usr/bin/ssh

sshd is the same version, installed in /usr/sbin/sshd. Now, things are a bit broken: I am able to ssh from another machine into my MacBook, so the server (sshd) is working, but the outgoing client (ssh) hangs indefinitely on connect. ssh-add also hangs on any operation. ssh-agent shows:

Code:

ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-35xNGanxBs/agent.2282; export SSH_AUTH_SOCK;
SSH_AGENT_PID=2283; export SSH_AGENT_PID;
echo Agent pid 2283;

The interesting bits from an ssh -vvv localhost are:

Code:

...
debug3: Not a RSA1 key file /Users/jd/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'Proc-Type:'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'DEK-Info:'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
...
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype

The ssh connection attempt just hangs and sits at:

Code:

...
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received

I don't know why the error 'Not a RSA1 key file' comes up, as my private key (id_rsa) remains unchanged and begins thusly:

Code:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,E4E5E1C1F000924A
...

Any thoughts on what may be wrong or what else I can try?

pinniped · 06-19-2008, 07:31 AM

Check the configuration files.

deesto · 06-19-2008, 07:32 AM

Quote:

Originally Posted by pinniped

Check the configuration files.

... for....?

pinniped · 06-19-2008, 07:45 AM

Well, check the config files for everything. For example, my client has these default settings:

Host *
SendEnv LANG LC_*
HashKnownHosts yes

It wouldn't make sense for me to post my server settings though. You just need to go through the config file and make sure the correct host files are used etc.

deesto · 06-19-2008, 07:50 AM

Interesting ... my .ssh/config has none of those lines, just these:

Code:

Host *
 ServerAliveInterval 120
 ServerAliveCountMax 3
 ForwardAgent yes
 ForwardX11 yes
 ForwardX11Trusted yes
 TCPKeepAlive yes
 IdentityFile ~/.ssh/id_rsa

I got rid of mine and used yours instead, and ssh hangs in the same place.

/etc/ssh_config is:

Code:

   ForwardAgent yes
   ForwardX11 yes
   ForwardX11Trusted yes

/etc/sshd_config is:

Code:

Protocol 2
SyslogFacility AUTHPRIV
Subsystem       sftp    /usr/libexec/sftp-server
Match User jd
        X11Forwarding yes

deesto · 06-19-2008, 02:31 PM

I removed *all installations* of OpenSSH from my system (both manually installed, and from port/MacPorts), rebooted, cleaned up any trace of ssh and sshd, then re-installed openssh using ports, which installs v5.0p_1. I restored my key files (public and private), authorized_keys, and known_hosts files to ~/.ssh, then tried to ssh into my own machine, which seems to be rejecting my key:

Code:

ssh -vvv localhost
OpenSSH_5.0p1, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /Users/jd/.ssh/config
debug1: Applying options for *
debug1: Reading configuration data /opt/local/etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to localhost [::1] port 22.
debug1: Connection established.
debug3: Not a RSA1 key file /Users/jd/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'Proc-Type:'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'DEK-Info:'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /Users/jd/.ssh/id_rsa type 1
ssh_exchange_identification: Connection closed by remote host

Now I'm confused: first, if I have 'Protocol 2' set in my sshd_config, why is sshd looking for 'a RSA1 key file'? Does that mean version 1 of RSA?

Second, my private key begins like this:

Code:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC, ...

Isn't that the way it should be?

If I connect to a remote host, it once again hangs in the same place:

Code:

debug1: Found key in /Users/jd/.ssh/known_hosts:22
debug2: bits set: 525/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received

pinniped · 06-19-2008, 09:36 PM

"Second, my private key begins like this ..."
Proc-Type: 4,ENCRYPTED

Well, you shouldn't encrypt your SSH private key or else you will have to put in the passphrase before the authentication can be completed - and apparently you're not being asked for the passphrase -- is this an SSH bug or was SSH never intended to use an encrypted private key?

Aside from that, check the permissions of your private and public keys:
-rw------- 1 <user> <group> 1675 Mar 3 01:30 id_rsa
-rw-r--r-- 1 <user> <group> 395 Mar 3 01:30 id_rsa.pub

The private key should be read/writable by the user ONLY. You can turn off the 'write' flag as well if you wish. The public key should only have 'read' permission for groups and others; as with the private key you can remove all write permissions.

How are you generating your keys?

"I have 'Protocol 2' set in my sshd_config, why is sshd looking for 'a RSA1 key file'?"
Well, that would be because v2 uses RSA and/or DSA; v1 uses RSA only.

deesto · 06-20-2008, 10:18 AM

Quote:

Originally Posted by pinniped

"Second, my private key begins like this ..."
Proc-Type: 4,ENCRYPTED

Well, you shouldn't encrypt your SSH private key or else you will have to put in the passphrase before the authentication can be completed - and apparently you're not being asked for the passphrase -- is this an SSH bug or was SSH never intended to use an encrypted private key?

Unfortunately this is an option that is not up for discussion for me: my key *has* to be protected with a passphrase per guidelines at work. And I never had a problem with other versions of SSH before this.

Quote:

Aside from that, check the permissions of your private and public keys:
-rw------- 1 <user> <group> 1675 Mar 3 01:30 id_rsa
-rw-r--r-- 1 <user> <group> 395 Mar 3 01:30 id_rsa.pub

The private key should be read/writable by the user ONLY. You can turn off the 'write' flag as well if you wish. The public key should only have 'read' permission for groups and others; as with the private key you can remove all write permissions.

Yup, permissions are fine.

Quote:

How are you generating your keys?

Using OpenSSH itself (ssh-keygen). In fact, I just tried generating new keys (both on this machine and on others), and they all return the same error.

Quote:

"I have 'Protocol 2' set in my sshd_config, why is sshd looking for 'a RSA1 key file'?"
Well, that would be because v2 uses RSA and/or DSA; v1 uses RSA only.

OK, but why "RSA1"? I've also tried setting 'Protocol' to '1','1,2', same result.