[unisog] SSH postponed public key....

H. Morrow Long morrow.long at yale.edu
Tue Oct 2 23:09:40 GMT 2007


Russell -

I found a thread from 2004 which implies that this condition
typically happens when the SSH client machine's user has
a .ssh subdirectory (and/or files in it) which have the wrong
ownerships and/or permissions such that the public key
cannot be read and usually the remote host key cannot be
written to the file with the list of known hosts either.

I'd look for the ~/.ssh of the initiating user on the client side
to be owned by someone else (e.g. root rather than oracle)
and possibly read/write permissions set incorrectly as well.

http://lists.debian.org/debian-security/2004/09/msg00097.html
http://lists.debian.org/debian-security/2004/09/msg00056.html
http://lists.debian.org/debian-security/2004/09/msg00100.html

- H. Morrow Long, CISSP, CISM, CEH
   University Information Security Officer
   Director -- Information Security Office
   Yale University, ITS



On Oct 2, 2007, at 6:51 PM, Russell Fulton wrote:

> Hi
>
> This isn't a big deal but I hate things I can't account for...
>
> Going through the logs for a couple of Linux boxes (RHE if it matters) I
> find that there are lots of
>
> sshd[xxx]: 'Postponed publickey for oracle from ::ffff:130.216.249.147 port 9348 ssh2'
>
> These two boxes form a cluster and apparently use ssh to constantly
> check on each other.  I have logged on to the boxes and su'ed to
> the oracle account and done a manual ssh to the other machine and
> got the same message in /var/log/secure.
>
>
> The two oracle accounts have a normal set up with authorized keys
> file, the only slightly odd thing is that someone has generated
> both dsa and rsa keys on both machines but only the rsa key is in
> the authorized keys file.
>
> If these were any 'ordinary' systems I would simply start fiddling  
> but they are part of our oracle cluster upon which everything else  
> depends.
>
> I've tried replicating the set up on another system but don't get  
> the odd log messages.
>
> I have also spent some time googling around this without coming up
> with a good explanation of what causes the postponed message.
>
> Any ideas?
>
> Russell

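The ownership and permission check suggested in the reply above, written out as an added example that is not part of the original thread. `audit_ssh_dir` is a hypothetical helper name; it takes the client-side `.ssh` directory and the account (name or numeric uid) that is expected to own it, and prints one finding per line.

```shell
#!/bin/sh
# audit_ssh_dir DIR USER
# Reports entries under DIR that are owned by the wrong account, that the
# owner cannot read or write, or that are open to group/other.
# Returns 0 when nothing is found, 1 otherwise.
# Usage (assumed account name): audit_ssh_dir ~oracle/.ssh oracle
audit_ssh_dir() {
    ssh_dir=$1; ssh_user=$2
    [ -d "$ssh_dir" ] || { echo "MISSING $ssh_dir"; return 1; }
    findings=$(
        # Owned by someone other than the account running ssh (e.g. root, not oracle).
        find "$ssh_dir" ! -user "$ssh_user" -exec echo OWNER {} \;
        # Directory the owner cannot read, write and search.
        find "$ssh_dir" -type d ! -perm -700 -exec echo NOACCESS {} \;
        # Key or config files the owner cannot read (public key unreadable).
        find "$ssh_dir" -type f ! -perm -400 -exec echo UNREADABLE {} \;
        # known_hosts the owner cannot add new host keys to.
        find "$ssh_dir" -type f -name known_hosts ! -perm -200 \
            -exec echo READONLY {} \;
        # Writable by group or other: another local account could alter keys.
        find "$ssh_dir" ! -type l \( -perm -020 -o -perm -002 \) \
            -exec echo WRITABLE {} \;
        # Private keys readable by group or other.
        find "$ssh_dir" -type f -name 'id_*' ! -name '*.pub' \
            \( -perm -040 -o -perm -004 \) -exec echo EXPOSED {} \;
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Run it as root or as the account itself, so that `find` can descend into the directory even when the permissions are wrong.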