On Fri, Jan 09, 2015 at 12:07:38 -0800, grantksupport@xxxxxxxxxxxxx wrote:
> Hi,
>
> On Fri, Jan 9, 2015, at 10:48 AM, Tim Rice wrote:
> > My ssh_config has
> > Host *
> > HostbasedAuthentication yes
> > EnableSSHKeysign yes
> > NoHostAuthenticationForLocalhost yes
> >
> > NoHostAuthenticationForLocalhost is not necessary.
> > The one you are missing is EnableSSHKeysign.
> >
> > Additionally, you made no mention of your ssh_known_hosts files. Make
> > sure the client's public keys are in the server's ssh_known_hosts file.
>
> On Fri, Jan 9, 2015, at 11:40 AM, Iain Morgan wrote:
> > To begin with, don't complicate the situation by requiring two forms of
> > authentication before you've gotten a single form of authentication
> > working. In addition, root is too much of a special case for useful
> > debugging; try your tests as a regular user.
> >
> > As Tim Rice noted, you will need to set EnableSSHKeysign in the
> > system-wide client configuration for hostbased authentication to work
> > for non-root users.
>
> I edited configs to
>
> client ssh_config
> ...
> - PreferredAuthentications hostbased,publickey
> + PreferredAuthentications hostbased
> HostbasedAuthentication yes
> PubkeyAuthentication yes
> + PubkeyAuthentication no
> PasswordAuthentication no
> ...

I suppose I wasn't specific enough; I was recommending that you should first get each of the two authentication methods working separately before you set AuthenticationMethods in sshd_config to require both hostbased and public-key authentication.

While you are debugging your issue, I would recommend leaving PreferredAuthentications at the default and leaving the various authentication methods enabled. When you invoke ssh with the -v option and an authentication method (such as hostbased authentication) fails, the client can display some diagnostic information from the server -- provided that you are able to successfully authenticate by some other method, such as public-key authentication.
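Review bot: in the client ssh_config diff, `PubkeyAuthentication yes` is kept (no `-` marker) while `+ PubkeyAuthentication no` is added right below it, so both lines end up in the file; ssh_config uses the first value obtained for a keyword, so the earlier `yes` still wins and the intended change has no effect. Either remove the old line or, as the reply suggests, leave public-key authentication enabled while debugging so that `ssh -v` can still show the server's diagnostics for the failed hostbased attempt.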
> EnableSSHKeysign yes (note: this had already been 'in there' --- just further down in the config)
> ...
>
> server sshd_config
> ...
> - AuthenticationMethods hostbased,publickey
> + AuthenticationMethods hostbased
> HostbasedAuthentication yes
> - HostbasedUsesNameFromPacketOnly yes
> + #HostbasedUsesNameFromPacketOnly yes
> - PubkeyAuthentication yes
> + PubkeyAuthentication no
> PasswordAuthentication no
> ...
>
> I already have the server's key in the known hosts file on the client.

But, for hostbased authentication, the _server_ must have the key for the _client_ in the ssh_known_hosts file (or potentially in the user's ~/.ssh/known_hosts file).

> @ client
>
> cat ssh_config
> ...
> GlobalKnownHostsFile /usr/local/etc/ssh/ssh_known_hosts
> UserKnownHostsFile /usr/local/etc/ssh/ssh_known_hosts
> ...
>
> ssh-keyscan -t ed25519 server.DOMAIN.COM >> /usr/local/etc/ssh/ssh_known_hosts
>
> and @server
>
> ssh-keyscan -t ed25519 client.DOMAIN.COM >> /usr/local/etc/ssh/ssh_known_hosts
>
> with all of the above, the hostbased auth connect still fails just as before,
>
> ssh server.DOMAIN.COM
> ...
> Permission denied (hostbased).

You may want to check that you are using the right location for your shosts.equiv and that the ssh-keysign binary is setuid root (assuming that you are now trying as a regular user). Damien recently added some additional debugging messages for hostbased authentication, so if you continue to have problems you could try building a recent snapshot for the server.

Hostbased authentication can be a bit thorny to get right since it depends upon multiple files being correct. Try to keep things simple initially to avoid unnecessary complications:

Only change those options in the client and server that are necessary to enable hostbased authentication.

Make sure that you are using the right location for the shosts.equiv file and that the entry in the file matches the hostname (usually the fully-qualified hostname) that the client uses.
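Review bot: in the server sshd_config diff, commenting out `HostbasedUsesNameFromPacketOnly yes` returns sshd to its default of taking the client's name from a reverse lookup of the connecting address rather than from the name the client sends, and sshd rejects the attempt (logging the mismatch at debug level) when the two differ; the resolved name is also what it matches against shosts.equiv and ssh_known_hosts. Before re-enabling the option, confirm that the PTR record for the client's address yields exactly the client.DOMAIN.COM name used in those files, since a differing reverse name produces the `Permission denied (hostbased)` shown above even with the keys in place.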
The server must have the client's public key in the ssh_known_hosts file, and the name must also match the client.

In most cases, problems with hostbased authentication end up being due to either a typo or an inconsistency between the name claimed by the client and the name that the server associates with the client's IP address.

-- 
Iain Morgan

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
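The prerequisites Iain lists (the client's host key in the server's ssh_known_hosts under the right name, a matching shosts.equiv entry, EnableSSHKeysign in the system-wide client config, and a setuid-root ssh-keysign) can be checked mechanically before spending time on `ssh -v`. The script below is an added example, not code from the thread or from OpenSSH; the defaults `/etc/ssh` and `/usr/libexec/ssh-keysign`, the example.com host names and the key strings are assumptions or constructed sample data, and the `--demo` mode runs the checks against those constructed files so the script works offline.

```shell
#!/bin/sh
# Added example (not from the thread or OpenSSH): checks for the files that
# hostbased authentication depends on. Paths, host names and key strings are
# assumptions / constructed sample data.

# known_hosts_has_host FILE HOST
# True if FILE has a plain (unhashed, non-revoked) entry whose comma-separated
# host list names HOST exactly. Hashed (|1|...) lines and wildcard patterns are
# not evaluated, so a FAIL here still deserves a manual look.
known_hosts_has_host() {
    awk -v host="$2" '
        NF == 0 || /^[[:space:]]*#/ { next }   # blank lines and comments
        $1 == "@revoked"            { next }   # a revoked key never satisfies the check
        {
            hosts = ($1 == "@cert-authority") ? $2 : $1
            n = split(hosts, names, ",")
            for (i = 1; i <= n; i++) if (names[i] == host) found = 1
        }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# shosts_equiv_has_host FILE HOST
# First matching line wins, as in sshd: "HOST" or "HOST user" permits, "-HOST"
# denies. Netgroups (+@name) and the user column are not evaluated here.
shosts_equiv_has_host() {
    awk -v host="$2" '
        NF == 0 || /^[[:space:]]*#/ { next }
        $1 == host        { print "allow"; exit }
        $1 == ("-" host)  { print "deny";  exit }
    ' "$1" | grep -qx allow
}

# ssh_config_keysign_enabled FILE
# True if the first EnableSSHKeysign value in FILE is yes. ssh_config uses the
# first value obtained for a keyword, so a "yes" further down does not override
# an earlier "no". Host/Match scoping and the "keyword=value" form are ignored.
ssh_config_keysign_enabled() {
    awk '
        NF == 0 || /^[[:space:]]*#/ { next }
        tolower($1) == "enablesshkeysign" { print tolower($2); exit }
    ' "$1" | grep -qx yes
}

# keysign_is_setuid PATH
# ssh-keysign must be owned by root and setuid to read the host private keys
# on behalf of a non-root user.
keysign_is_setuid() {
    [ -f "$1" ] && find "$1" -prune -user root -perm -4000 -print | grep -q .
}

# run_check DESCRIPTION COMMAND [ARGS...]: print one result line, track failures
run_check() {
    desc=$1; shift
    if "$@"; then echo "ok   $desc"; else echo "FAIL $desc"; failed=1; fi
}

# hostbased_report CLIENT_FQDN [DIR] [KEYSIGN]
# CLIENT_FQDN must be the name sshd associates with the client: with the default
# HostbasedUsesNameFromPacketOnly no, that is the reverse-resolved name of its
# address. Run the first two checks on the server, the last two on the client.
hostbased_report() {
    client=$1
    dir=${2:-/etc/ssh}                      # assumption: OpenSSH config directory
    keysign=${3:-/usr/libexec/ssh-keysign}  # assumption: location varies by OS
    failed=0
    run_check "server: $dir/ssh_known_hosts names $client" \
        known_hosts_has_host "$dir/ssh_known_hosts" "$client"
    run_check "server: $dir/shosts.equiv permits $client" \
        shosts_equiv_has_host "$dir/shosts.equiv" "$client"
    run_check "client: $dir/ssh_config has EnableSSHKeysign yes" \
        ssh_config_keysign_enabled "$dir/ssh_config"
    run_check "client: $keysign is setuid root" keysign_is_setuid "$keysign"
    return $failed
}

# write_sample_files DIR: constructed sample files (the keys are not real)
write_sample_files() {
    cat > "$1/ssh_known_hosts" <<'EOF'
# constructed: the client host key as the server must hold it
client.example.com,192.0.2.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYNOTREALxxxxxxxxxxxxxxxxxxx
@revoked retired.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYNOTREALyyyyyyyyyyyyyyyyyyy
EOF
    cat > "$1/shosts.equiv" <<'EOF'
-banned.example.com
client.example.com
EOF
    cat > "$1/ssh_config" <<'EOF'
Host *
    HostbasedAuthentication yes
    EnableSSHKeysign yes
EOF
}

# Usage: sh hostbased_check.sh --demo
#        sh hostbased_check.sh client.example.com /etc/ssh /usr/libexec/ssh-keysign
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    write_sample_files "$demo"
    hostbased_report client.example.com "$demo" "$demo/ssh-keysign"  # last check fails: no binary
    rm -rf "$demo"
elif [ $# -gt 0 ]; then
    hostbased_report "$@"
fi
```

The known_hosts and shosts.equiv checks deliberately use an exact, case-sensitive name so that the check is no more forgiving than sshd: an entry for `client` when sshd resolves the address to `client.DOMAIN.COM`, or vice versa, is reported as a failure rather than silently accepted.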