Issues on sshd host keys - openssh



Thread: Issues on sshd host keys

  1. Issues on sshd host keys

    Hello openssh-unix-dev list members,

    This is related to my previous post, but I need to ask specific questions.

    I'm building openssh with iPhone Toolchain
    (http://wikee.iphwn.org/howto:toolchain_on_leopard_aspen) for iPhone
    2.1 firmware.
    This is not an iPhone mailing list, but probably anyone with deep
    knowledge of openssh could give a hint.

    So this is what I do:
    1. I patched the files using Saurik's patches from
    http://svn.telesphoreo.org/trunk/data/openssh
    2. I added the appropriate CFLAGS and LDFLAGS for arm-apple-darwin.
    3. I changed the path in configure.ac to point to my own build of
    libcrypto.a (using http://svn.telesphoreo.org/trunk/data/openssl, with
    the same methods).
    4. I ran autoconf
    5. configure --prefix=/path/to/ssh --host=arm-apple-darwin
    6. make
    7. Since there are some things that have to be done on iPhone in the
    makefile script, I did make install on iPhone.
    8. When it got to the point of:

    root# /path/to/ssh/sshd -t -f /path/to/ssh/etc/sshd_config
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@@@@@@
    @ WARNING: UNPROTECTED PRIVATE KEY FILE! @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@@@@@@
    Permissions 0140 for '(null)' are too open.
    It is recommended that your private key files are NOT accessible by others.
    This private key will be ignored.
    bad permissions: ignore key: /path/to/ssh/etc/ssh_host_rsa_key
    Could not load host key: /path/to/ssh/etc/ssh_host_rsa_key
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@@@@@@
    @ WARNING: UNPROTECTED PRIVATE KEY FILE! @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@@@@@@
    Permissions 0136 for '(null)' are too open.
    It is recommended that your private key files are NOT accessible by others.
    This private key will be ignored.
    bad permissions: ignore key: /path/to/ssh/etc/ssh_host_dsa_key
    Could not load host key: /path/to/ssh/etc/ssh_host_dsa_key
    Disabling protocol version 2. Could not load host key
    sshd: no hostkeys available -- exiting.

    I'm confused as to why it's pointing to a NULL file?

    Jesse Armand
    ----------------------------------------
    (http://jessearm.blogspot.com)
    _______________________________________________
    openssh-unix-dev mailing list
    openssh-unix-dev@mindrot.org
    https://lists.mindrot.org/mailman/li...enssh-unix-dev


  2. Re: Issues on sshd host keys

    Thanks Chris,

    I already did that, I think the problem is with the filename parameter in:

    Key * key_load_private(const char *filename, const char *passphrase,
    char **commentp)
    {
    ....
    }

    This function returns NULL.

    I'm not sure why it's pointing to a null filename, as I don't change
    anything in the code.

    I only add a prefix to configure. Even though I did this on iPhone, do
    you think this problem is related to platform differences?

    Jesse Armand
    ----------------------------------------
    (http://jessearm.blogspot.com)



    On Thu, Oct 9, 2008 at 6:45 PM, Christian Pfaffel-Janser
    wrote:
    > Jesse Armand wrote:


    > Hi Jesse,
    >
    > Make sure that You do something like
    >
    > chmod 0600 /path/to/ssh/etc/ssh_host_rsa_key
    > chmod 0600 /path/to/ssh/etc/ssh_host_dsa_key
    >
    > ( I do not have an iphone, it's just a guess)
    >
    > Regards,
    > Christian Pfaffel-Janser
    >
    >

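As an added example (not code from this thread and not OpenSSH's own source), here is a small Python audit that applies the same rule sshd applies when it prints that "UNPROTECTED PRIVATE KEY FILE" banner: a private key owned by the running user must have no group or other permission bits set, i.e. (mode & 077) must be 0, which is exactly what the chmod 0600 advice above produces. The owner condition is assumed to mirror OpenSSH's key_perm_ok() of that era; the file names, the temporary directory and the placeholder key contents are constructed for the demo, and the missing ECDSA key is included only to show how an absent file is reported.

```python
import os
import stat
import tempfile


def key_perm_ok(path, uid=None):
    """Apply sshd's private-key permission rule to one file.

    Returns (ok, mode). The key is rejected when it is owned by the
    running user (assumption: this owner condition mirrors OpenSSH's
    key_perm_ok) and any group/other permission bit is set, i.e.
    (mode & 077) != 0. mode holds the permission bits only, which is
    the value sshd prints in "Permissions 0644 for ... are too open".
    """
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if uid is None:
        uid = os.getuid()
    if st.st_uid == uid and (mode & 0o077) != 0:
        return False, mode
    return True, mode


def audit_host_keys(paths):
    """Check each host key path; map path -> (status, octal mode or None).

    status is "ok", "too open" (sshd would ignore the key) or "missing"
    (sshd would report "Could not load host key").
    """
    report = {}
    for path in paths:
        try:
            ok, mode = key_perm_ok(path)
        except FileNotFoundError:
            report[path] = ("missing", None)
            continue
        # Same four-digit octal form sshd uses in its message.
        report[path] = ("ok" if ok else "too open", "0%03o" % mode)
    return report


def demo():
    """Create constructed key files in a temp dir and audit them.

    Returns the report keyed by base name so the result is path-independent.
    """
    workdir = tempfile.mkdtemp(prefix="hostkey-audit-")
    wanted = {
        "ssh_host_rsa_key": 0o600,  # what chmod 0600 produces: accepted
        "ssh_host_dsa_key": 0o644,  # world-readable: sshd ignores it
    }
    for name, mode in wanted.items():
        path = os.path.join(workdir, name)
        with open(path, "w") as fh:
            # Constructed placeholder, not real key material.
            fh.write("-----BEGIN PLACEHOLDER PRIVATE KEY-----\n")
        os.chmod(path, mode)
    names = list(wanted) + ["ssh_host_ecdsa_key"]  # last one is never created
    paths = [os.path.join(workdir, n) for n in names]
    return {os.path.basename(p): v for p, v in audit_host_keys(paths).items()}


if __name__ == "__main__":
    for name, (status, mode) in sorted(demo().items()):
        print("%-20s %-8s %s" % (name, status, mode or ""))
```

Run it directly to see one accepted key, one rejected key and one missing key; point audit_host_keys() at the real /path/to/ssh/etc files to check an installation before starting sshd. Note that the rule only looks at permission bits, so a key that sshd rejects with a nonsensical mode and a '(null)' name, as in the first post, is a sign of something other than file permissions.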


  3. Re: Issues on sshd host keys

    Jesse Armand wrote:
    > Thanks Chris,
    >
    > I already did that, I think the problem is with the filename parameter in:
    >
    > Key * key_load_private(const char *filename, const char *passphrase,
    > char **commentp)
    > {
    > ....
    > }
    >
    > This function returns NULL.
    >
    > I'm not sure why it's pointing to a null filename, as I don't change
    > anything in the code.
    >
    > I only add a prefix to configure, even though I did this on iPhone, do
    > you think this problem is related to platform differences ?
    >


    The filename is set prior to being passed to key_load_private(), or You
    would not get the following error message:

    Permissions 0140 for '(null)' are too open.
    It is recommended that your private key files are NOT accessible by others.
    This private key will be ignored.
    bad permissions: ignore key: /path/to/ssh/etc/ssh_host_rsa_key

    Is it possible that You tried to compile ssh, applied the patch and then
    tried to recompile ssh without doing a make distclean?

    Christian

    --
    Firma: Siemens Aktiengesellschaft Österreich
    Rechtsform: Aktiengesellschaft
    Firmensitz: Wien, Firmenbuchnummer: FN 60562 m
    Firmenbuchgericht: Handelsgericht Wien, DVR: 0001708



  4. Re: Issues on sshd host keys

    >
    > The filename is set prior to being passed to key_load_private(), or You
    > would not get the following error message:
    >
    > Permissions 0140 for '(null)' are too open.
    > It is recommended that your private key files are NOT accessible by others.
    > This private key will be ignored.
    > bad permissions: ignore key: /path/to/ssh/etc/ssh_host_rsa_key
    >


    What do you mean by "the filename is set"?

    I didn't set any permissions on the files; if there's something to be
    set before that, it must be something that was done by the standard
    Makefile.

    > Is it possible that You tried to compile ssh, applied the patch and then
    > tried to recompile ssh without doing a make distclean?
    >


    Not exactly. I applied the patch, re-ran autoconf, configure, and make;
    every time I tried to re-run autoconf / configure, I did make clean, though
    not make distclean.

    Even so, if I patch the function by making it consider that the
    keys don't have bad permissions, sshd is still not runnable.

    This could be a platform difference or a specific situation that only
    happens on certain platforms, in this case arm-apple-darwin, am I
    right?
    Though I'm not sure what may cause that in the openssh code.

    Or a problem with my build of openssl with libcrypto?


  5. Re: Issues on sshd host keys

    Jesse Armand wrote:
    >> The filename is set prior to being passed to key_load_private(), or You
    >> would not get the following error message:
    >>
    >> Permissions 0140 for '(null)' are too open.
    >> It is recommended that your private key files are NOT accessible by others.
    >> This private key will be ignored.
    >> bad permissions: ignore key: /path/to/ssh/etc/ssh_host_rsa_key
    >>

    >
    > What do you mean, by the "filename is set" ?
    >
    > I didn't set any permissions on the files, if there's something to be
    > set before that, it must be something that was done by the standard
    > Makefile.
    >


    What I meant was that the code calling key_load_private() is using the
    value of filename to print the error message. But in key_load_private()
    the value of filename is not the same, i.e. NULL.

    Therefore I think that the addresses of the function's parameters are
    incorrect, which can happen if You compile sources, patch them and do
    not recompile all files that depend on the touched files. Something
    similar happened to me in the past.

    Regards,
    Christian


