
SSH2 + HostbasedAuthentication
I cannot use HostbasedAuthentication with ssh. ssh just keeps on asking
for the password. Here is what I tried:

I have SSH (OpenSSH_2.9p2) running with RhostsRSAAuthentication just
fine -- users can log in from one computer to another without using a
password or setting up an .ssh/authorized_keys file. But now the ssh in
woody changed and protocol version two is the default, so I want to make
sure that HostbasedAuthentication is working as well.

I set "HostbasedAuthentication yes" in /etc/ssh/sshd_config. I then
added the public keys from the other hosts to /etc/ssh/ssh_known_hosts2
(by logging in to them and then copying my ~/.ssh/known_hosts2 file to
/etc/ssh/ssh_known_hosts2). Now /etc/ssh/ssh_known_hosts2 contains:

gandalf,192.168.1.2 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA1zi/GNCWr0RAKwyI2dfo5ut4V/ixE/lXCoQo0gCq6KmAiUzW/bei+CcROrXIYd2D+GEZx5DzvkCZung/9dukffYMto9FVcYIShSnTi/c4k5d8utU6XWT2RfPfq85dcL+wGuTS/JzxL1M8r/pvskCjEzboeULGhdNF6cllqmPxSs=
gandalf.local ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA1zi/GNCWr0RAKwyI2dfo5ut4V/ixE/lXCoQo0gCq6KmAiUzW/bei+CcROrXIYd2D+GEZx5DzvkCZung/9dukffYMto9FVcYIShSnTi/c4k5d8utU6XWT2RfPfq85dcL+wGuTS/JzxL1M8r/pvskCjEzboeULGhdNF6cllqmPxSs=

But when I try to log in from gandalf to the computer in question, ssh
will still ask for the password.

Here is the debug output from sshd:

aragorn:/etc/ssh# sshd -d -e
debug1: Seeding random number generator
debug1: sshd version OpenSSH_2.9p2
debug1: private host key: #0 type 0 RSA1
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 192.168.1.2 port 1154
debug1: Client protocol version 2.0; client software version
OpenSSH_2.9p2
debug1: match: OpenSSH_2.9p2 pat ^OpenSSH
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_2.9p2
debug1: Rhosts Authentication disabled, originating port not trusted.
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: dh_gen_key: priv key bits set: 139/256
debug1: bits set: 989/2049
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: bits set: 995/2049
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user wh service ssh-connection method none
debug1: attempt 0 failures 0
debug1: Starting up PAM with username "wh"
debug1: PAM setting rhost to "gandalf.local"
Failed none for wh from 192.168.1.2 port 1154 ssh2
[the client asks for the password now]
[...]

And from the client:
wh@gandalf:~$ ssh -v aragorn.local
OpenSSH_2.9p2, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Seeding random number generator
debug1: Rhosts Authentication disabled, originating port will not be
trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 1000 geteuid 0 anon 1
debug1: Connecting to aragorn.local [192.168.1.8] port 22.
debug1: temporarily_use_uid: 1000/1000 (e=0)
debug1: restore_uid
debug1: temporarily_use_uid: 1000/1000 (e=0)
debug1: restore_uid
debug1: Connection established.
debug1: read PEM private key done: type DSA
debug1: read PEM private key done: type RSA
debug1: identity file /home/wh/.ssh/identity type 0
debug1: identity file /home/wh/.ssh/id_rsa type -1
debug1: identity file /home/wh/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version
OpenSSH_2.9p2
debug1: match: OpenSSH_2.9p2 pat ^OpenSSH
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_2.9p2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 134/256
debug1: bits set: 1023/2049
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'aragorn.local' is known and matches the RSA host key.
debug1: Found key in /home/wh/.ssh/known_hosts2:2
debug1: bits set: 1026/2049
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue:
publickey,password,keyboard-interactive,hostbased
debug1: next auth method to try is publickey
debug1: try privkey: /home/wh/.ssh/id_rsa
debug1: try privkey: /home/wh/.ssh/id_dsa
debug1: next auth method to try is password
wh@aragorn.local's password:


Can someone see what is wrong?

I tried to strace sshd and found that it will not open the file
/etc/ssh/shosts.equiv (which is where gandalf is listed) unless the
client is invoked with the -1 option. So how can I make sure that ssh uses
the /etc/ssh/shosts.equiv file?

(I'm pretty sure that DNS is set up correctly, logging in with protocol
version 1, i.e. "ssh -1" still works without asking for passwords.)

Thanks for your help,

Walter
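An added diagnostic (not part of the original post, nor OpenSSH's own code) that reads the two artifacts quoted above, the client's "ssh -v" authentication lines and the server's ssh_known_hosts2, and reports which offered methods the client never attempted and whether the server has a host key under the name it resolved for the client (the "PAM setting rhost" line). The sample inputs are constructed from the post's logs, with the key material shortened to a placeholder.

```python
# Added example, not from the original post: a diagnostic over a client
# "ssh -v" transcript and a server ssh_known_hosts2 file.
import re

# Constructed from the post's client-side log (authentication phase only).
CLIENT_LOG = """\
debug1: authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug1: next auth method to try is publickey
debug1: next auth method to try is password
"""

# Constructed ssh_known_hosts2; the key material is a shortened placeholder.
KNOWN_HOSTS = """\
gandalf,192.168.1.2 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAA...PLACEHOLDER=
gandalf.local ssh-rsa AAAAB3NzaC1yc2EAAAABIwAA...PLACEHOLDER=
"""

def auth_methods(log):
    """Return (methods the server offered, methods the client actually tried)."""
    offered, tried = set(), []
    for line in log.splitlines():
        m = re.search(r"authentications that can continue: (\S+)", line)
        if m:
            offered.update(m.group(1).split(","))
        m = re.search(r"next auth method to try is (\S+)", line)
        if m:
            tried.append(m.group(1))
    return offered, tried

def known_host_names(text):
    """Map every hostname/address listed in a known_hosts file to its key type."""
    names = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or line.startswith("#"):
            continue
        for name in parts[0].split(","):   # "gandalf,192.168.1.2" -> two entries
            names[name] = parts[1]
    return names

def diagnose(log, known_hosts, rhost):
    """rhost is the client name sshd resolved (the 'PAM setting rhost' line)."""
    findings = []
    offered, tried = auth_methods(log)
    if "hostbased" in offered and "hostbased" not in tried:
        # sshd only reads shosts.equiv when a hostbased request arrives, so a
        # client that never sends one (HostbasedAuthentication defaults to no
        # in ssh_config) explains the strace observation in the post.
        findings.append("client never sent a hostbased request")
    if rhost not in known_host_names(known_hosts):
        findings.append("no host key for %s in the server's known hosts" % rhost)
    return findings
```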