9fans - fans of the OS Plan 9 from Bell Labs
* [9fans] inbound ssh
From: geoff @ 2004-08-07  9:44 UTC (permalink / raw)
  To: 9fans

Has anybody got inbound ssh v1 from (l)unix to work?
If so, how?

I've had outbound working (with factotum holding the ssh keys)
for a long time, but haven't had any success with inbound
from (l)unix, and the debugging options aren't much help
at describing what sshserve is failing at.

ssh from Plan 9 to Plan 9 works fine.

does anybody know why sshserve doesn't implement rsa authentication?



* Re: [9fans] inbound ssh
From: Russ Cox @ 2004-08-07 14:25 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

it sounds like your auth server is not quite right.
also, make sure you are allowing passwords if that's
how you want to authenticate.

> does anybody know why sshserve doesn't implement rsa authentication?

because we don't have a place to store the public keys.

russ



* Re: [9fans] inbound ssh
From: lucio @ 2004-08-07 14:26 UTC (permalink / raw)
  To: 9fans

> Has anybody got inbound ssh v1 from (l)unix to work?
> If so, how?

All I can find in what is a working system is a very simple services.auth/tcp22:

	#!/bin/rc

	exec /bin/aux/sshserve -A 'tis password' `{cat $3/remote} >>[2]/sys/log/ssh

more or less what comes out of the box.  I do believe there ought to
be a certificate somewhere to be used in setting up the connection,
but I'll have to look for it.  This is the missing link:

key proto=rsa service=sshserve size=1024 ek=11 n=D5E8CC3604C7C91575BDF8D6CE93BCDC969CBA1C7498608850B04F87A01C98A08A208012966C43CE7CCFA75F60012C474234D0797E25F7C465D5AFFD7A36795E765B48D18F1B221F8C733E918AD47C69B286317901A7EC02C418DBB58ECAA787480C9A7E6DB1F63E5589537D9F106BB164770181EC756BCD84319E0C6A5A95E7 !dk? !p? !q? !kp? !kq? !c2?

I install it by running

	auth/secstore -n -G factotum >> /mnt/factotum/ctl >[2]/dev/null

in the startup procedure (cpurc).  Of course, I generated the
certificate according to the man page, but saved it in the secstore.

++L




* Re: [9fans] inbound ssh
From: Dan Cross @ 2004-08-08  7:36 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

geoff@collyer.net writes:
>
> Has anybody got inbound ssh v1 from (l)unix to work?
> If so, how?
>
> I've had outbound working (with factotum holding the ssh keys)
> for a long time, but haven't had any success with inbound
> from (l)unix, and the debugging options aren't much help
> at describing what sshserve is failing at.
>
> ssh from Plan 9 to Plan 9 works fine.

What kind of authentication is your sshd configured to use?  I
never got netkey authentication with SSH to work, but I wasn't
interested in it anyway and opted to use password authentication
instead.  My /rc/bin/service.auth/tcp22 looks like this:

brahma% cat tcp22
#!/bin/rc

exec /bin/aux/sshserve -A password `{cat $3/remote} >>[2]/sys/log/ssh
brahma%

> does anybody know why sshserve doesn't implement rsa authentication?

Russ said it's something to do with the public keys, but why they can't
be stored in a file like under Unix I don't understand.  Russ?  What
exactly did you mean by that?

In a similar vein, is anyone using Plan 9 as a mail server for an IMAP
client and have you noticed problems with outbound SMTP lately?  In
particular, when I used the Apple mail client, outgoing messages
(authenticated and transmitted over TLS) seem to do weird things:  the
client reports sending 100% of data, but then the mail server times out
sending back a response or something and the client returns an error
and thinks the message hasn't been sent.  It usually has been, though.
This is giving me headaches as some of my correspondents have noticed
that I'm sending them duplicate emails....  Has anyone else had this
problem?  I'm curious as to whether it's something simple before I dive
into the smtpd code again.

Oh, btw- I turned off logging of the base64 authentication data that
comes from the mail client in smtpd; when using PLAIN authentication,
that includes both the uid and password.

	- Dan C.
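
[Added example, not part of Dan Cross's message or of the smtpd source.] The point above about PLAIN authentication, shown on a log line: the base64 blob is only an encoding of the uid and password, so a log filter has to drop it rather than keep it. The log line format, the uid "glenda" and the password are constructed for illustration, and only the single-line "AUTH PLAIN <blob>" form is handled.

```python
import base64
import binascii
import re

# Matches an SMTP "AUTH PLAIN <initial-response>" command inside a log line.
AUTH_PLAIN = re.compile(r"(AUTH\s+PLAIN\s+)([A-Za-z0-9+/]+=*)", re.IGNORECASE)


def decode_plain(b64):
    """Split a SASL PLAIN response (RFC 4616): authzid NUL authcid NUL passwd."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return None
    parts = raw.split(b"\0")
    if len(parts) != 3:
        return None
    authzid, authcid, passwd = (p.decode("utf-8", "replace") for p in parts)
    return authzid, authcid, passwd


def scrub(line):
    """Replace the credential blob with a marker; keep only the uid if it decodes."""
    def repl(m):
        fields = decode_plain(m.group(2))
        who = fields[1] if fields else "undecodable"
        return f"{m.group(1)}[redacted uid={who}]"
    return AUTH_PLAIN.sub(repl, line)


# Constructed sample: uid "glenda", password "not-a-real-password".
SAMPLE_BLOB = base64.b64encode(b"\0glenda\0not-a-real-password").decode()
SAMPLE_LOG = [
    "smtpd 1234: <- EHLO client.example",
    f"smtpd 1234: <- AUTH PLAIN {SAMPLE_BLOB}",
    "smtpd 1234: <- MAIL FROM:<glenda@example.org>",
]

if __name__ == "__main__":
    # Anyone who can read the unscrubbed log recovers the password this way.
    print(decode_plain(SAMPLE_BLOB))
    for line in SAMPLE_LOG:
        print(scrub(line))
```
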




* Re: [9fans] inbound ssh
From: Russ Cox @ 2004-08-08 13:29 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

> Russ said it's something to do with the public keys, but why they can't
> be stored in a file like under Unix I don't understand.  Russ?  What
> exactly did you mean by that?

I log into machines where I don't have a shared home directory.
Storing them in $home/lib/ssh is not the answer.
The auth server should know about them, it just doesn't.

Russ



* Re: [9fans] inbound ssh
From: Skip Tavakkolian @ 2004-08-08 14:46 UTC (permalink / raw)
  To: 9fans

> This is giving me headaches as some of my correspondents have noticed
> that I'm sending them duplicate emails....  Has anyone else had this
> problem?  I'm curious as to whether it's something simple before I dive
> into the smtpd code again.

I've been seeing this on incoming messages to smtpd. I can't tell
what the problem is by looking at the logs. I assumed it was the other
side that was misbehaving.


