OpenSSH_6.7p1 hostbased authentication failing on linux->linux connection. what's wrong with my config?

I run OpenSSH on Linux

	@ client

		which ssh
			/usr/local/bin/ssh
		ssh -v
			OpenSSH_6.7p1, OpenSSL 1.0.1j 15 Oct 2014

	@ server

		which sshd
			/usr/local/bin/sshd
		sshd -v
			unknown option -- V
			OpenSSH_6.7p1, OpenSSL 1.0.1j 15 Oct 2014
			usage: sshd [-46DdeiqTt] [-b bits] [-C connection_spec] [-c host_cert_file]
			            [-E log_file] [-f config_file] [-g login_grace_time]
			            [-h host_key_file] [-k key_gen_time] [-o option] [-p port]


I have configured for hostbased authentication

	client ssh_config
		...
		PreferredAuthentications           hostbased,publickey
		HostbasedAuthentication            yes
		PubkeyAuthentication               yes
		PasswordAuthentication             no
		...

	server sshd_config
		...
		AuthenticationMethods              hostbased,publickey
		HostbasedAuthentication            yes
		HostbasedUsesNameFromPacketOnly    yes
		PubkeyAuthentication               yes
		PasswordAuthentication             no
		...

on the server, because I'm not entirely sure where to put it yet

	echo "client.DOMAIN.COM" > /etc/shosts.equiv
	echo "client.DOMAIN.COM" > /usr/local/etc/shosts.equiv

when I try to connect

	ssh -vvv server.DOMAIN.COM

hostname auth fails

	...
	Permission denied (hostbased).

debug logs return

	client log
		...
		debug1: Authentications that can continue: hostbased
		debug3: start over, passed a different list hostbased
		debug3: preferred hostbased,publickey
		debug3: authmethod_lookup hostbased
		debug3: remaining preferred: publickey,password
		debug3: authmethod_is_enabled hostbased
		debug1: Next authentication method: hostbased
		debug2: userauth_hostbased: chost client.DOMAIN.COM.
		debug2: we sent a hostbased packet, wait for reply
		debug1: Authentications that can continue: hostbased
		debug2: userauth_hostbased: chost client.DOMAIN.COM.
		debug2: we sent a hostbased packet, wait for reply
		debug1: Authentications that can continue: hostbased
		debug2: userauth_hostbased: chost client.DOMAIN.COM.
		debug2: we sent a hostbased packet, wait for reply
		debug1: Authentications that can continue: hostbased
		debug2: userauth_hostbased: chost client.DOMAIN.COM.
		debug2: we sent a hostbased packet, wait for reply
		debug1: Authentications that can continue: hostbased
		debug1: No more client hostkeys for hostbased authentication.
		debug2: we did not send a packet, disable method
		debug1: No more authentication methods to try.
		Permission denied (hostbased).

	server log
		...
		Jan  9 07:37:31 server sshd[19835]: debug2: input_userauth_request: try method hostbased [preauth]
		Jan  9 07:37:31 server sshd[19835]: debug1: userauth_hostbased: cuser root chost client.DOMAIN.COM. pkalg ssh-ed25519 slen 83 [preauth]
		Jan  9 07:37:31 server sshd[19835]: debug3: mm_key_allowed entering [preauth]
		Jan  9 07:37:31 server sshd[19835]: debug3: mm_request_send entering: type 22 [preauth]
		Jan  9 07:37:31 server sshd[19835]: debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED [preauth]
		Jan  9 07:37:31 server sshd[19835]: debug3: mm_request_receive_expect entering: type 23 [preauth]
		Jan  9 07:37:31 server sshd[19835]: debug3: mm_request_receive entering [preauth]
		Jan  9 07:37:31 server sshd[19835]: debug3: mm_request_receive entering
		Jan  9 07:37:31 server sshd[19835]: debug3: monitor_read: checking request 22
		Jan  9 07:37:31 server sshd[19835]: debug3: mm_answer_keyallowed entering
		Jan  9 07:37:31 server sshd[19835]: debug3: mm_answer_keyallowed: key_from_blob: 0x7cd1262cbc76
		Jan  9 07:37:31 server sshd[19835]: debug2: userauth_hostbased: chost client.DOMAIN.COM. resolvedname xxxx:xxx:xxxx:xxx::10 ipaddr xxxx:xxx:xxxx:xxx::10
		Jan  9 07:37:31 server sshd[19835]: debug2: stripping trailing dot from chost client.DOMAIN.COM.
		Jan  9 07:37:31 server sshd[19835]: debug2: auth_rhosts2: clientuser root hostname client.DOMAIN.COM ipaddr client.DOMAIN.COM
		Jan  9 07:37:31 server sshd[19835]: debug1: temporarily_use_uid: 0/0 (e=0/0)
		Jan  9 07:37:31 server sshd[19835]: debug1: restore_uid: 0/0
		Jan  9 07:37:31 server sshd[19835]: debug1: temporarily_use_uid: 0/0 (e=0/0)
		Jan  9 07:37:31 server sshd[19835]: debug1: restore_uid: 0/0
		Jan  9 07:37:31 server sshd[19835]: Failed hostbased for root from xxxx:xxx:xxxx:xxx::10 port 40452 ssh2: ED25519 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx, client user "root", client host "client.DOMAIN.COM"
		Jan  9 07:37:31 server sshd[19835]: debug3: mm_answer_keyallowed: key 0x7cd1262cbc76 is not allowed
		Jan  9 07:37:31 server sshd[19835]: debug3: mm_request_send entering: type 23
		Jan  9 07:37:31 server sshd[19835]: debug2: userauth_hostbased: authenticated 0 [preauth]
		Jan  9 07:37:31 server sshd[19835]: debug3: userauth_finish: failure partial=0 next methods="hostbased" [preauth]
		...

I see that

	mm_answer_keyallowed: key 0x7cd1262cbc76 is not allowed

but am not clear what key that is.  grep'ing for '7cd1262cbc76' turns up nothing.

What's wrong or missing in my config?
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
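
An added example, not part of the original post: the hex value in the `mm_answer_keyallowed` lines is the address of the parsed key object in sshd's memory (the debug line prints it as a pointer), not a fingerprint, so it appears in no key file. This sketch correlates the lines of one sshd process to tie that pointer to the fingerprint, client user and client host; the function name `correlate`, the sample address and the fingerprint are constructed.

```python
import re

# Constructed sample modelled on the server log in the post; the IPv6 address
# and the key fingerprint are placeholders, not values from the original.
SAMPLE_LOG = """\
Jan  9 07:37:31 server sshd[19835]: debug1: userauth_hostbased: cuser root chost client.DOMAIN.COM. pkalg ssh-ed25519 slen 83 [preauth]
Jan  9 07:37:31 server sshd[19835]: debug3: mm_answer_keyallowed: key_from_blob: 0x7cd1262cbc76
Jan  9 07:37:31 server sshd[19835]: Failed hostbased for root from 2001:db8::10 port 40452 ssh2: ED25519 aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99, client user "root", client host "client.DOMAIN.COM"
Jan  9 07:37:31 server sshd[19835]: debug3: mm_answer_keyallowed: key 0x7cd1262cbc76 is not allowed
"""

PID = re.compile(r"sshd\[(\d+)\]: (.*)")
ATTEMPT = re.compile(r"userauth_hostbased: cuser (\S+) chost (\S+) pkalg (\S+)")
BLOB = re.compile(r"mm_answer_keyallowed: key_from_blob: (0x[0-9a-f]+)")
VERDICT = re.compile(r"mm_answer_keyallowed: key (0x[0-9a-f]+) is (not allowed|allowed)")
FAILED = re.compile(r"Failed hostbased for \S+ from \S+ port \d+ ssh2: (\S+) (\S+),")


def correlate(log_text):
    """Return one record per hostbased attempt, keyed to the sshd pid."""
    open_by_pid, records = {}, []
    for line in log_text.splitlines():
        m = PID.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        a = ATTEMPT.search(msg)
        if a:  # each "cuser ... chost ... pkalg" line starts a new attempt
            rec = {"pid": pid, "cuser": a.group(1),
                   "chost": a.group(2).rstrip("."),  # sshd strips the dot too
                   "pkalg": a.group(3), "pointer": None,
                   "fingerprint": None, "allowed": None}
            open_by_pid[pid] = rec
            records.append(rec)
            continue
        rec = open_by_pid.get(pid)
        if rec is None:
            continue
        if (b := BLOB.search(msg)):
            rec["pointer"] = b.group(1)       # memory address, not key data
        elif (f := FAILED.search(msg)):
            rec["fingerprint"] = f"{f.group(1)} {f.group(2)}"
        elif (v := VERDICT.search(msg)) and v.group(1) == rec["pointer"]:
            rec["allowed"] = v.group(2) == "allowed"
    return records


if __name__ == "__main__":
    for r in correlate(SAMPLE_LOG):
        print(r)
```

The fingerprint in each record is the value to compare against `ssh-keygen -l -f` output for the client's host public key.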


