
Re: ssh version 3.4p1-1 and RSA authentication



>
> It seems there's some confusion here...
>
> There's a misunderstanding between the different authentication methods.
> Are you using RhostsRSAAuthentication or PublicKeyAuthentication ? I
> mean do you use RSA host-keys or do you use per-user identity keys in
> ~/.ssh/{identity,id_rsa,id_dsa} ?
>
> If you want to use PublicKeyAuthentication, then it's a totally
> different problem. You need to have identity keys (id_rsa or id_dsa) in
> each user's $HOME, and to add the public part of the key in their
> ~/.ssh/authorized_keys file.
>
> But if you're planning to use RhostsRSAAuthentication (which seems to be
> the case since you told us about your hosts.equiv file), then it seems
> this authentication method is not tried in your ssh output.
>
> I think you need 3 things set to enable this authentication method :
> - Have "RhostsRSAAuthentication yes" in /etc/ssh/ssh_config on the
>   client.
> - Have "RhostsRSAAuthentication yes" in /etc/ssh/sshd_config on the
>   server.
> - Have /usr/lib/ssh-keysign with the setuid bit set. You can achieve
>   this by answering yes to the question with "dpkg-reconfigure ssh".
>
The 3 steps are done. To avoid too many conflicts, I set
PublicKeyAuthentication to off. The output of ssh -v now no longer tries
to use PublicKey, but it still doesn't work...

/usr/lib/ssh-keysign with the setuid bit set: OK.

There are a lot of possible combinations! I'm a little bit confused; thanks a
lot for your help. My goal is to make the nodes connect using one secure way,
and if possible one that is easy to maintain. It seems easier to use
RhostsRSAAuthentication (files all in /etc/). I should have thought about those
problems BEFORE the upgrade. Now the cluster doesn't work...

Fabrice

/etc/ssh/sshd_config
----------------------------------------------------------
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
UsePrivilegeSeparation no 
PAMAuthenticationViaKbdInt no 
KeyRegenerationInterval 3600
ServerKeyBits 768
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 600
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes 
PubkeyAuthentication no 
#AuthorizedKeysFile     %h/.ssh/authorized_keys
RhostsAuthentication no 
IgnoreRhosts no 
RhostsRSAAuthentication yes 
HostbasedAuthentication no 
PermitEmptyPasswords no
#ChallengeResponseAuthentication no
PasswordAuthentication yes
----------------------------------------------------------

/etc/ssh/ssh_config
----------------------------------------------------------
# Host *
#   ForwardAgent no
#   ForwardX11 no
#   RhostsAuthentication no
   RhostsRSAAuthentication yes 
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   BatchMode no
#   CheckHostIP yes
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
   Port 22
   Protocol 2
#   Cipher 3des
#   Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
#   EscapeChar ~
----------------------------------------------------------



The ssh -v command actually tells me:
----------------------------------------------------------
OpenSSH_3.4p1 Debian 1:3.4p1-1, SSH protocols 1.5/2.0, OpenSSL 0x0090603f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to pc000 [192.168.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/fyerly/.ssh/id_rsa type -1
debug1: identity file /home/fyerly/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.4p1 Debian 1:3.4p1-1
debug1: match: OpenSSH_3.4p1 Debian 1:3.4p1-1 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 132/256
debug1: bits set: 1565/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'pc000' is known and matches the RSA host key.
debug1: Found key in /home/fyerly/.ssh/known_hosts:3
debug1: bits set: 1538/3191
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: password,keyboard-interactive
debug1: next auth method to try is keyboard-interactive
debug1: authentications that can continue: password,keyboard-interactive
debug1: next auth method to try is password
fyerly@pc000's password: 
debug1: ssh-userauth2 successful: method password
debug1: channel 0: new [client-session]
debug1: send channel open 0
debug1: Entering interactive session.
debug1: ssh_session2_setup: id 0
debug1: channel request 0: pty-req
debug1: channel request 0: shell
debug1: fd 3 setting TCP_NODELAY
debug1: channel 0: open confirm rwindow 0 rmax 3276
--------------------------------------------------------------
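The three settings listed in the quoted reply all govern the protocol-1 rhosts/RSA method, while the sshd_config above also says "Protocol 2", and the ssh -v trace shows the server advertising only password and keyboard-interactive. As an added example (not from this thread or from OpenSSH), the Python audit below parses an sshd_config, flags "yes" options that cannot apply under the enabled Protocol versions (per OpenSSH 3.x sshd_config(5): RhostsRSAAuthentication is protocol 1 only, HostbasedAuthentication is its protocol-2 counterpart), and reads the methods a server advertised in an ssh -v trace; the embedded config and trace lines are constructed copies of the ones posted above.

```python
import re

# Protocol version each sshd_config option applies to (OpenSSH 3.x sshd_config(5)).
# None means the option is valid for both protocol versions.
PROTOCOL_OF = {"RSAAuthentication": 1, "RhostsRSAAuthentication": 1,
               "RhostsAuthentication": 1, "PubkeyAuthentication": 2,
               "HostbasedAuthentication": 2, "PasswordAuthentication": None}

# Constructed copy of the relevant lines from the sshd_config in the thread.
SSHD_CONFIG = """\
Protocol 2
RSAAuthentication yes
PubkeyAuthentication no
RhostsAuthentication no
RhostsRSAAuthentication yes
HostbasedAuthentication no
PasswordAuthentication yes
"""
# Constructed excerpt of the ssh -v trace quoted in the thread.
SSH_V = "debug1: authentications that can continue: password,keyboard-interactive\n"

def parse_config(text):
    """Active (uncommented) options; like sshd, the first value seen wins."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, val = line.partition(" ")
            opts.setdefault(key, val.strip().lower())
    return opts

def effective_auth(opts):
    """Split the 'yes' options into those usable under the enabled Protocol
    versions ('live') and those that are dead letters ('dead')."""
    protocols = {int(p) for p in opts.get("Protocol", "2,1").split(",")}
    live, dead = [], []
    for opt, proto in PROTOCOL_OF.items():
        if opts.get(opt) == "yes":
            (live if proto in (None, *protocols) else dead).append(opt)
    return live, dead

def offered_methods(trace):
    """Set of methods the server advertised in an ssh -v trace."""
    m = re.search(r"authentications that can continue: (\S+)", trace)
    return set(m.group(1).split(",")) if m else set()

def audit(config=SSHD_CONFIG, trace=SSH_V):
    live, dead = effective_auth(parse_config(config))
    return {"live": live, "dead": dead, "offered": offered_methods(trace)}

if __name__ == "__main__":
    print(audit())
```

Options reported under "dead" are set to yes but can never be used with the configured Protocol line, which matches the server offering neither hostbased nor rhosts-rsa in the trace.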