Re: OpenSSH_6.7p1 hostbased authentication failing on linux->linux connection. what's wrong with my config?

Hi,

On Fri, Jan 9, 2015, at 10:48 AM, Tim Rice wrote:
> My ssh_config has
> Host *
>   HostbasedAuthentication yes
>   EnableSSHKeysign yes
>   NoHostAuthenticationForLocalhost yes
> 
> NoHostAuthenticationForLocalhost is not necessary.
> The one you are missing is EnableSSHKeysign.
> 
> Additionally, you made no mention of your ssh_known_hosts files. Make
> sure the client's public keys are in the server's ssh_known_hosts file.


On Fri, Jan 9, 2015, at 11:40 AM, Iain Morgan wrote:
> To begin with, don't complicate the situation by requiring two forms of
> authentication before you've gotten a single form of authentication
> working. In addition, root is too much of a special case for useful
> debugging; try your tests as a regular user.
> 
> As Tim Rice noted, you will need to set EnableSSHKeysign in the
> system-wide client configuration for hostbased authentication to work
> for non-root users.

I edited configs to

	client ssh_config
		...
-		PreferredAuthentications           hostbased,publickey
+		PreferredAuthentications           hostbased
		HostbasedAuthentication            yes
		PubkeyAuthentication               yes
+		PubkeyAuthentication               no
		PasswordAuthentication             no
		...
		EnableSSHKeysign                   yes      (note: this had already been 'in there' --- just further down in the config)
		...
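
Review bot: In the client hunk the existing `PubkeyAuthentication yes` line carries no `-` marker, so as written both it and the added `PubkeyAuthentication no` end up in ssh_config. ssh uses the first value it obtains for each keyword, so the earlier `yes` would remain in effect; mark the old line as removed, or confirm the file holds a single PubkeyAuthentication line.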

	server sshd_config
		...
-		AuthenticationMethods              hostbased,publickey
+		AuthenticationMethods              hostbased
		HostbasedAuthentication            yes
-		HostbasedUsesNameFromPacketOnly    yes
+		#HostbasedUsesNameFromPacketOnly    yes
-		PubkeyAuthentication               yes
+		PubkeyAuthentication               no
		PasswordAuthentication             no
		...
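
Review bot: With HostbasedUsesNameFromPacketOnly commented out in the server hunk, the default of no applies, so sshd identifies the client by the name it resolves from the connection's address rather than by the name sent in the request, and nothing here shows what that lookup returns. State the resolved name for the client, because the ssh_known_hosts entry the server holds for client.DOMAIN.COM only matches if the resolved name is the same.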

I already have the server's key in the known hosts file on the client.

@ client

	cat ssh_config
		...
		GlobalKnownHostsFile /usr/local/etc/ssh/ssh_known_hosts
		UserKnownHostsFile   /usr/local/etc/ssh/ssh_known_hosts
		...

	ssh-keyscan -t ed25519 server.DOMAIN.COM >> /usr/local/etc/ssh/ssh_known_hosts

and @server

	ssh-keyscan -t ed25519 client.DOMAIN.COM >> /usr/local/etc/ssh/ssh_known_hosts

with all of the above, the hostbased auth connect still fails just as before,

	ssh server.DOMAIN.COM
		...
		Permission denied (hostbased).
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev