On Tuesday 17 October 2006 12:08, Per-Olov Sjöholm wrote:
> On Tuesday 17 October 2006 11:17, you wrote:
> > On Tue, 17 Oct 2006, Per-Olov Sjöholm wrote:
> > > What should I clean when I totally wiped out /usr/src and /usr/obj
> > > before the cvs update.
> > >
> > > The build is done as follows...
> > > --snip--
> > > cd /usr
> > > export CVSROOT="[EMAIL PROTECTED]:/cvs"
> > > cvs -z5 -q get -rOPENBSD_3_9 -P src
> > > cd /usr/src/sys/arch/i386/conf
> > > config GENERIC
> > > cd ../compile/GENERIC
> > > make clean && make depend && make
> > > mv /bsd /bsd.old
> > > cp bsd /
> > > reboot
> > > cd /usr/src
> > > rm -r /usr/obj/*
> > > make obj && make build
> > > reboot
> >
> > Hmm, that looks all right. One possibility might be that anoncvs1 was
> > not up-to-date, but that's unlikely, since the stable update was some
> > time ago. If updating doesn't show any new files, try to run the sshd
> > in debug mode (on another port), that might give a clue.
> >
> > -Otto
>
> I just ran a debug "/usr/sbin/sshd -ddde -p 2022" as Darren Tucker asked
> me for it. And I just sent the debug output to him....
>
> A key login works from a patched (now ssh 4.4) to a non patched (ssh 4.3)
> system, but it won't work between two ssh 4.4 updated systems. Between these
> only password login works.
>
> Regards
> Per-Olov

Hi misc

For the archives... Here is a post with info that solves and explains the case
if someone else gets stuck in the problem.

This problem was actually caused by an updated OpenSSL. I have had 2048 and
4096 SSH keys that have worked perfectly until my last complete 3-9 -stable
update.

In OpenSSL the limit is 3kbit for DSA keys and 16k for RSA keys. These days
ssh-keygen won't let you generate DSA keys other than 1024 bit ones (which is
all the FIPS-186-2 spec allows) so if you want larger keys then you should use
RSA.

The thing that actually caused the problem was an openssl update earlier
(013_openssl2.patch or its equivalent in -stable), but it didn't become
apparent until sshd was rebuilt with the new openssl.

Thank you *very* much for the help Darren Tucker!

Regards
/Per-Olov Sjöholm
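
An added example, not part of the thread or of OpenSSH: a shell check that flags keys whose size would run into the limits described in the post above, so they can be replaced before an update breaks public-key login. It assumes the `<bits> <fingerprint> <comment> (<TYPE>)` line format printed by `ssh-keygen -l` on current OpenSSH, and reads the post's "3kbit" and "16k" as 3072 and 16384 bits; the function names and verdict strings are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Classifies lines in the format
# "<bits> <fingerprint> <comment> (<TYPE>)" (assumed ssh-keygen -l output).
# Limits are this example's reading of the post's "3kbit" and "16k" (assumption).
DSA_MAX_BITS=${DSA_MAX_BITS:-3072}
RSA_MAX_BITS=${RSA_MAX_BITS:-16384}

# classify_key_line LINE -> prints ok, dsa-nonstandard, over-limit or unknown.
classify_key_line() {
    line=$1
    bits=${line%% *}        # first field: key size in bits
    type=${line##*\(}       # text after the last "("
    type=${type%\)}         # drop the closing ")"
    case $bits in
        ''|*[!0-9]*) echo unknown; return 0 ;;   # not a fingerprint line
    esac
    case $type in
        DSA)
            if [ "$bits" -gt "$DSA_MAX_BITS" ]; then echo over-limit
            elif [ "$bits" -ne 1024 ]; then echo dsa-nonstandard   # not the FIPS-186-2 size
            else echo ok; fi ;;
        RSA)
            if [ "$bits" -gt "$RSA_MAX_BITS" ]; then echo over-limit
            else echo ok; fi ;;
        *) echo unknown ;;   # key types the post does not discuss
    esac
}

# audit_keys: reads fingerprint lines on stdin, reports each non-ok key on
# stderr and prints the number of flagged keys on stdout.
audit_keys() {
    flagged=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        verdict=$(classify_key_line "$line")
        if [ "$verdict" != ok ]; then
            echo "$verdict: $line" >&2
            flagged=$((flagged + 1))
        fi
    done
    echo "$flagged"
}

# Constructed sample input (fingerprints are placeholders, not real keys).
sample='1024 SHA256:PLACEHOLDER1 user@a (DSA)
2048 SHA256:PLACEHOLDER2 user@b (DSA)
4096 SHA256:PLACEHOLDER3 user@c (DSA)
4096 SHA256:PLACEHOLDER4 user@d (RSA)'
printf '%s\n' "$sample" | audit_keys
```

To check real keys, pipe the output of `ssh-keygen -l -f <keyfile>` for each public key into `audit_keys` in place of the sample.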