Mailing List Archive

openssl w/ rsaref openssh won't configure
I have openssl-0.9.5a and openssh-2.1.0. I configured ssl with rsaref
and it passes the tests. When I configure ssh I get:

----
checking for OpenSSL directory... configure: error: Could not find
working SSLeay / OpenSSL libraries, please install
----

It is failing at the RSA_private_decrypt function call. RSA_generate_key
seems to work (it does not return NULL), but the test then goes on to fail
at RSA_private_decrypt.

Like I said, the openssl tests passed....
Any help?


conftest.c generated by configure:
---------
gcc -o conftest -g -O2 -Wall -I/opt/openssl/include -L/opt/openssl/lib
-L/opt/openssl conftest.c -ldl -lnsl -lz -lutil -lpam -lcrypto
-lRSAglue -lrsaref 1>&5
configure: failed program was:
#line 2032 "configure"
#include "confdefs.h"

#include <string.h>
#include <openssl/rand.h>
#include <openssl/rsa.h>
#include <openssl/bn.h>
#include <openssl/sha.h>
int main(void)
{
RSA *key; char a[2048],b[2048];;
memset(a, 0, sizeof(a));memset(b, 0, sizeof(b));
RAND_add(a, sizeof(a), sizeof(a));
key=RSA_generate_key(32,3,NULL,NULL);
if (key==NULL) return(1);

return(-1==RSA_private_decrypt(RSA_size(key),a,b,key,RSA_NO_PADDING));
}
Re: openssl w/ rsaref openssh won't configure
is it me or should there be an encrypt function before the decrypt?
Re: openssl w/ rsaref openssh won't configure
Ed Eden wrote:
>
> is it me or should there be an encrypt function before the decrypt?

You can try it, but it didn't work for me.

I tried bypassing the test and building anyway. RSA authentication
works, but DSA doesn't.

I'm using OpenSSL 0.9.5 on AIX 4.3.1.
Re: openssl w/ rsaref openssh won't configure
what's the problem w/ DSA auth? did you generate a DSA server key?

On Wed, May 10, 2000 at 03:21:27PM -0400, Tom Bertelson wrote:
> Ed Eden wrote:
> >
> > is it me or should there be an encrypt function before the decrypt?
>
> You can try it, but it didn't work for me.
>
> I tried bypassing the test and building anyway. RSA authentication
> works, but DSA doesn't.
>
> I'm using OpenSSL 0.9.5 on AIX 4.3.1.
>
Re: openssl w/ rsaref openssh won't configure
Markus Friedl wrote:
>
> what's the problem w/ DSA auth? did you generate a DSA server key?

If you mean "ssh-keygen -d -N '' -f /etc/ssh_host_dsa_key" then yes.

The problem is that it simply refuses the DSA key. Here are traces from
sshd -d and ssh -v. Note the lines beginning with "**".

Since the simple test in the configure script fails, I suspect the
problem is with OpenSSL and not ssh.

sshd -d:
debug: sshd version OpenSSH-2.1
debug: Seeding random number generator
debug: read DSA private key done
debug: Seeding random number generator
debug: Bind to port 2202 on 0.0.0.0.
Server listening on 0.0.0.0 port 2202.
Generating 768 bit RSA key.
debug: Seeding random number generator
debug: Seeding random number generator
RSA key generation complete.
debug: Server will not fork when running in debugging mode.
Connection from 127.0.0.1 port 37533
debug: Client protocol version 2.0; client software version OpenSSH-2.1
Enabling compatibility mode for protocol 2.0
debug: Local version string SSH-1.99-OpenSSH-2.1
debug: Sending KEX init.
debug: done
debug: got kexinit string: diffie-hellman-group1-sha1
debug: got kexinit string: ssh-dss
debug: got kexinit string: 3des-cbc,blowfish-cbc,arcfour,cast128-cbc
debug: got kexinit string: 3des-cbc,blowfish-cbc,arcfour,cast128-cbc
debug: got kexinit string: hmac-sha1,hmac-md5,hmac-ripemd160@openssh.com
debug: got kexinit string: hmac-sha1,hmac-md5,hmac-ripemd160@openssh.com
debug: got kexinit string: none
debug: got kexinit string: none
debug: got kexinit string:
debug: got kexinit string:
debug: first kex follow == 0
debug: reserved == 0
debug: done read kexinit
debug: kex: client->server 3des-cbc hmac-sha1 none
debug: kex: server->client 3des-cbc hmac-sha1 none
debug: Wait SSH2_MSG_KEXDH_INIT.
debug: bits set: 513/1024
debug: bits set: 500/1024
debug: sig size 20 20
debug: send SSH2_MSG_NEWKEYS.
debug: done: send SSH2_MSG_NEWKEYS.
debug: Wait SSH2_MSG_NEWKEYS.
debug: GOT SSH2_MSG_NEWKEYS.
debug: done: KEX2.
debug: userauth-request for user tbert service ssh-connection method
none
Failed none for tbert from 127.0.0.1 port 37533 ssh2
** debug: userauth-request for user tbert service ssh-connection method
publickey
** debug: keytype ssh-dss
** Failed publickey for tbert from 127.0.0.1 port 37533 ssh2
debug: userauth-request for user tbert service ssh-connection method
password
Accepted password for tbert from 127.0.0.1 port 37533 ssh2
debug: Entering interactive session for SSH2.

** junk removed **

Connection closed by remote host.
debug: Calling cleanup 0x20005a80(0x0)
debug: Calling cleanup 0x20005990(0x0)

ssh -v:
SSH Version OpenSSH-2.1, protocol versions 1.5/2.0.
Compiled with SSL (0x00905100).
debug: Reading configuration data /home/tbert/.ssh/config
debug: Reading configuration data /home/tbert/SSH2/etc/ssh_config
debug: Applying options for *
debug: Seeding random number generator
debug: ssh_connect: getuid 200 geteuid 200 anon 1
debug: Connecting to localhost [127.0.0.1] port 2202.
debug: Connection established.
debug: Remote protocol version 1.99, remote software version OpenSSH-2.1
Enabling compatibility mode for protocol 2.0
debug: Local version string SSH-2.0-OpenSSH-2.1
debug: Sending KEX init.
debug: Seeding random number generator
debug: done
debug: got kexinit string: diffie-hellman-group1-sha1
debug: got kexinit string: ssh-dss
debug: got kexinit string: 3des-cbc,blowfish-cbc,arcfour,cast128-cbc
debug: got kexinit string: 3des-cbc,blowfish-cbc,arcfour,cast128-cbc
debug: got kexinit string: hmac-sha1,hmac-md5,hmac-ripemd160@openssh.com
debug: got kexinit string: hmac-sha1,hmac-md5,hmac-ripemd160@openssh.com
debug: got kexinit string: zlib,none
debug: got kexinit string: zlib,none
debug: got kexinit string:
debug: got kexinit string:
debug: first kex follow == 0
debug: reserved == 0
debug: done read kexinit
debug: kex: server->client 3des-cbc hmac-sha1 none
debug: kex: client->server 3des-cbc hmac-sha1 none
debug: Sending SSH2_MSG_KEXDH_INIT.
debug: bits set: 500/1024
debug: Wait SSH2_MSG_KEXDH_REPLY.
debug: Got SSH2_MSG_KEXDH_REPLY.
** debug: keytype ssh-dss
** debug: Forcing accepting of host key for loopback/localhost.
** debug: bits set: 513/1024
** debug: len 55 datafellows 0
** debug: dsa_verify: signature correct
debug: Wait SSH2_MSG_NEWKEYS.
debug: GOT SSH2_MSG_NEWKEYS.
debug: send SSH2_MSG_NEWKEYS.
debug: done: send SSH2_MSG_NEWKEYS.
debug: done: KEX2.
debug: send SSH2_MSG_SERVICE_REQUEST
debug: service_accept: ssh-userauth
debug: got SSH2_MSG_SERVICE_ACCEPT
debug: authentications that can continue: publickey,password
debug: try pubkey: /home/tbert/.ssh/id_dsa
** debug: PEM_read_bio_DSAPrivateKey failed
debug: read DSA private key done
debug: read DSA private key done
debug: sig size 20 20
debug: authentications that can continue: publickey,password
debug: ssh-userauth2 successfull
debug: fd 5 setting O_NONBLOCK
debug: fd 6 setting O_NONBLOCK
debug: channel 0: new [client-session]
debug: send channel open 0
debug: Entering interactive session.

** junk removed **

Connection to localhost closed.
debug: Transferred: stdin 0, stdout 0, stderr 33 bytes in 8.1 seconds
debug: Bytes per second: stdin 0.0, stdout 0.0, stderr 4.1
debug: Exit status 0

--
Tom Bertelson
RHI Consulting
tbert@abac.com
"Any sufficiently advanced technology is indistinguishable from magic." -- Arthur C. Clarke
Re: openssl w/ rsaref openssh won't configure
On Thu, May 11, 2000 at 08:50:23AM -0400, Tom Bertelson wrote:
> The problem is that it simply refuses the DSA key. Here are traces from
> sshd -d and ssh -v. Note the lines beginning with "**".

could you please mail me your public DSA key...
Re: openssl w/ rsaref openssh won't configure
I'm seeing this too.

--
Mark H. Wood, radical centrist OpenPGP ID 876A8B75 mhwood@ameritech.net
01/01/00 00:00:00 -- Apocralypse Now
Re: openssl w/ rsaref openssh won't configure
On Thu, May 11, 2000 at 08:16:17PM -0500, Mark H. Wood wrote:
> I'm seeing this too.
>
> --
> Mark H. Wood, radical centrist OpenPGP ID 876A8B75 mhwood@ameritech.net
> 01/01/00 00:00:00 -- Apocralypse Now

You can bypass the test with the attached patch -- it makes the test all
but useless, however, and I've been meaning to look at fixing it the Right
Way for a few days now. (The patch turns the test into a check to see
that the app will link, instead of checking if it can actually encrypt
data. This explanation is actually longer than the patch, I think.)

The odd thing of it is that the rsa_test in the openssl test subdirectory
can encrypt and decrypt just fine. Anyway, the patch is attached.

Nalin
Re: openssl w/ rsaref openssh won't configure
I kind of merged rsa_test and came up with the following that seems to
work with rsaref. The problem areas in the original were 32 for the key
gen (rsaref likes 1024 at least), and rsaref likes RSA_PKCS1_PADDING but
not RSA_NO_PADDING for some reason. I am not versed in SSL but just
tried different things with debugging until it worked. I assume it will
work with the non-rsaref build also.



#line 2032 "configure"
#include "confdefs.h"

#include <string.h>
#include <openssl/rand.h>
#include <openssl/rsa.h>
#include <openssl/bn.h>
#include <openssl/sha.h>
int main(void)
{
int num;
RSA *key; char a[2048],b[2048];
static unsigned char ptext_ex[] = "This is the text to encrypt";
unsigned char ctext[256];
unsigned char ptext[256];

memset(a, 0, sizeof(a));memset(b, 0, sizeof(b));
RAND_add(a, sizeof(a), sizeof(a));
key=RSA_generate_key(512,3,NULL,NULL);
if (key==NULL) return(1);
num=RSA_public_encrypt(sizeof(ptext_ex)-1,ptext_ex,ctext,
key,RSA_PKCS1_PADDING);

return(-1==RSA_private_decrypt(num,ctext,ptext,key,RSA_PKCS1_PADDING));
}
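The following is an added example, not code from the thread, from OpenSSH, or from OpenSSL: it models both versions of the conftest above on a small pure-Python RSA with PKCS#1 v1.5 (block type 2) padding, so the two checks can be compared on the same key without libcrypto or RSAREF. The names generate_key, rsa_size, public_encrypt, private_decrypt, original_conftest and corrected_conftest and the constants NO_PADDING and PKCS1_PADDING are this example's own stand-ins for the OpenSSL calls and flags in the conftest; the padding layout and the k-11 length limit are PKCS#1 v1.5's. It goes one step beyond Ed's version by also comparing the recovered plaintext with the input, which the conftest itself does not do.

```python
"""Model of the OpenSSH configure-time RSA self-test (added example, pure Python)."""
import math
import random

_rng = random.SystemRandom()
NO_PADDING = 0      # stand-in for RSA_NO_PADDING (assumption: this example's own constant)
PKCS1_PADDING = 1   # stand-in for RSA_PKCS1_PADDING (assumption: this example's own constant)


def _is_probable_prime(n, rounds=40):
    """Miller-Rabin probable-prime test; adequate for a self-test model."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_key(bits, e=3):
    """Return (n, e, d); mirrors RSA_generate_key(bits, 3, NULL, NULL) in the conftest."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits - bits // 2)
        if p == q:
            continue
        n, phi = p * q, (p - 1) * (q - 1)
        if n.bit_length() == bits and math.gcd(e, phi) == 1:
            return n, e, pow(e, -1, phi)  # modular inverse, Python 3.8+


def rsa_size(key):
    """Byte length of the modulus, like RSA_size()."""
    return (key[0].bit_length() + 7) // 8


def public_encrypt(key, msg, padding):
    n, e, _ = key
    k = rsa_size(key)
    if padding == PKCS1_PADDING:
        if len(msg) > k - 11:
            raise ValueError("message too long for key size")  # PKCS#1 v1.5: mLen <= k - 11
        ps = bytes(_rng.randrange(1, 256) for _ in range(k - len(msg) - 3))  # non-zero pad bytes
        em = b"\x00\x02" + ps + b"\x00" + msg
    else:
        if len(msg) != k:
            raise ValueError("raw RSA needs exactly RSA_size() bytes")
        em = msg
    m = int.from_bytes(em, "big")
    if m >= n:
        raise ValueError("data too large for modulus")
    return pow(m, e, n).to_bytes(k, "big")


def private_decrypt(key, ct, padding):
    """Return the recovered message, or None where OpenSSL would return -1."""
    n, _, d = key
    k = rsa_size(key)
    if len(ct) != k:
        return None
    c = int.from_bytes(ct, "big")
    if c >= n:
        return None
    em = pow(c, d, n).to_bytes(k, "big")
    if padding == NO_PADDING:
        return em  # raw result; no structure is checked, so a zero block "decrypts" to zeros
    # PKCS#1 v1.5 block type 2: 00 02 <PS, at least 8 non-zero bytes> 00 <M>
    if em[:2] != b"\x00\x02":
        return None
    sep = em.find(b"\x00", 2)
    if sep < 10:
        return None
    return em[sep + 1:]


def original_conftest(key):
    """The failing test from the thread: private-decrypt RSA_size() zero bytes with no padding.
    It passes whenever the call does not fail, without proving anything was ever encrypted."""
    return private_decrypt(key, bytes(rsa_size(key)), NO_PADDING) is not None


def corrected_conftest(key, plaintext=b"This is the text to encrypt"):
    """Ed's version: public-encrypt with PKCS#1 padding, then private-decrypt;
    extended here to also compare the recovered plaintext with the input."""
    ct = public_encrypt(key, plaintext, PKCS1_PADDING)
    return private_decrypt(key, ct, PKCS1_PADDING) == plaintext


if __name__ == "__main__":
    small, real = generate_key(32), generate_key(512)
    print("original test, 32-bit key  :", original_conftest(small))
    try:
        corrected_conftest(small)
    except ValueError as exc:
        print("corrected test, 32-bit key :", exc)  # a 4-byte modulus cannot hold PKCS#1 padding
    print("corrected test, 512-bit key:", corrected_conftest(real))
    print("zero block, PKCS#1 decrypt :", private_decrypt(real, bytes(64), PKCS1_PADDING))
```

Run as a script, the model shows what the thread observed from the outside: the original check hands private-decrypt an all-zero block, which any backend that only understands PKCS#1 blocks will reject as malformed (no `00 02` prefix), while a padding-free backend returns zeros and the check "passes" without exercising an encryption; and with a 32-bit key there are only 4 bytes of modulus, fewer than the 11 bytes of PKCS#1 overhead, so no padded round trip is even possible. The thread's 512-bit floor for rsaref is a separate limit of that library; this model does not enforce it.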
Re: openssl w/ rsaref openssh won't configure
> The problem areas in the original were 32 for the key
> gen, rsaref likes 1024 at least

Oops, I mean 512 or higher for the key size.
Re: openssl w/ rsaref openssh won't configure
On Fri, 12 May 2000, Ed Eden wrote:

> I kind of merged rsa_test and came up with the following that
> seems to work with rsaref. The problem areas in the original were
> 32 for the key gen, rsaref likes 1024 at least. And rsaref likes
> RSA_PKCS1_PADDING but not RSA_NO_PADDING for some reason. I am not
> versed in ssl but just tried different things with debugging until
> it worked. I assume it will work with the non-rsaref also.

Thanks - I have adapted this for configure.

configure now detects OpenSSL and RSA separately. This is to pave the
way for RSA-less operation.

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm@mindrot.org (home) -or- djm@ibs.com.au (work)