Hi,

On Fri, Jan 9, 2015, at 01:02 PM, Iain Morgan wrote:
> I suppose I wasn't specific enough; I was recommending that you should
> first get each of the two authentication methods working separately
> before you set AuthenticationMethods in sshd_config to require both
> hostbased and public-key authentication. While you are debugging your
> issue, I would recommend leaving PreferredAuthentications at the default
> and leaving the various authentication methods enabled.

Sorry, perhaps I'm being thick. I don't get it.

pubkey auth works fine.
password auth works fine.
pubkey,password works fine.
hostbased &/or hostbased,anything_else does not.

What config would you like me to try?

> When you invoke ssh with the -v option and an authentication method
> (such as hostbased authentication) fails, the client can display some
> diagnostic information from the server -- provided that you are able to
> successfully authenticate by some other method, such as public-key
> authentication.

As above, if hostbased is enabled, NOTHING works.

> > I already have the server's key in the known hosts file on the client.
> >
> But, for hostbased authentication, the _server_ must have the key for
> the _client_ in the ssh_known_hosts file (or potentially in the user's
> ~/.ssh/known_hosts file).

I've now done, @ both server & @ client:

	ssh-keyscan -t ed25519 client.DOMAIN.COM >  /usr/local/etc/ssh/ssh_known_hosts
	ssh-keyscan -t ed25519 server.DOMAIN.COM >> /usr/local/etc/ssh/ssh_known_hosts

It makes no difference; failure as reported.

> You may want to check that you are using the right location for your
> shosts.equiv and that the ssh-keysign binary is setuid root (assuming
> that you are now trying as a regular user).

already done

	man 5 sshd_config | grep shosts
		Specifies whether or not the server will attempt to perform a reverse name lookup
		when matching the name in the ~/.shosts, ~/.rhosts, and /etc/hosts.equiv files
		during HostbasedAuthentication. A setting of "yes" means
		Specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication
		or HostbasedAuthentication.
	--->	/etc/hosts.equiv and /usr/local/etc/ssh/shosts.equiv are still used. The default is "yes".

@ both server & client:

	cat /usr/local/etc/ssh/shosts.equiv
		client.DOMAIN.COM
		server.DOMAIN.COM

> Damien recently added some additional debugging messages for hostbased
> authentication, so if you continue to have problems you could try
> building a recent snapshot for the server.

how recently? these are tarball builds

	-rw-rwxr--+ 1 root root 1.3M Oct  6 15:34 openssh-6.7p1.tar.gz*

newer than the release, I presume?

> Hostbased authentication can be a bit thorny to get right since it
> depends upon multiple files being correct. Try to keep things simple
> initially to avoid unnecessary complications: Only change those options
> in the client and server that are necessary to enable hostbased
> authentication.

I start with a KNOWN TO WORK pubkey,password config, then ONLY change to add the hostbased auth. And then it fails. Reverse JUST those changes, and it succeeds.

> make sure that you are using the right location for the
> shosts.equiv file and that the entry in the file matches the hostname
> (usually the fully-qualified hostname) that the client uses. The server
> must have the clients public-key in the ssh_known_hosts file, and the
> name must also match the client.

all hostnames are FQDNs. all have correct/verified forward & reverse DNS entries. both IPv4 & IPv6 ssh, from any to all machines, works using pubkey/password auth. In all cases, on all machines, hostbased auth fails, as above.

> In most cases, problems with hostbased authentication end up being due
> to either a typo or an inconsistency between the name claimed by the
> client and the name that the server associates with the client's IP
> address.

everything matches afaict

@ client

	hostname
		client.DOMAIN.COM
	hostname -s
		client
	hostname -f
		client.DOMAIN.COM

	dig A `hostname` +short
		192.168.1.65
	dig AAAA `hostname` +short
		xxxx:xxx:xxxx:xxx::65

	host 192.168.1.65
		65.1.168.192.in-addr.arpa domain name pointer client.DOMAIN.COM.
	host xxxx:xxx:xxxx:xxx::65
		65.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.1.0.0.2.ip6.arpa domain name pointer client.DOMAIN.COM.

	dig A server.DOMAIN.COM +short
		192.168.1.68
	dig AAAA server.DOMAIN.COM +short
		xxxx:xxx:xxxx:xxx::68

	host 192.168.1.68
		68.1.168.192.in-addr.arpa domain name pointer server.DOMAIN.COM.
	host xxxx:xxx:xxxx:xxx::68
		68.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.1.0.0.2.ip6.arpa domain name pointer server.DOMAIN.COM.

	host client.DOMAIN.COM
		client.DOMAIN.COM has address 192.168.1.65
		client.DOMAIN.COM has IPv6 address xxxx:xxx:xxxx:xxx::65
	host server.DOMAIN.COM
		server.DOMAIN.COM has address 192.168.1.68
		server.DOMAIN.COM has IPv6 address xxxx:xxx:xxxx:xxx::68

	ssh-keyscan -t ed25519 client.DOMAIN.COM
		# client.DOMAIN.COM SSH-2.0-OpenSSH_6.7
		client.DOMAIN.COM ssh-ed25519 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
	ssh-keyscan -t ed25519 server.DOMAIN.COM
		# server.DOMAIN.COM SSH-2.0-OpenSSH_6.7
		server.DOMAIN.COM ssh-ed25519 BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB

@ server

	hostname
		server.DOMAIN.COM
	hostname -s
		server
	hostname -f
		server.DOMAIN.COM

	dig A `hostname` +short
		192.168.1.68
	dig AAAA `hostname` +short
		xxxx:xxx:xxxx:xxx::68

	host 192.168.1.68
		68.1.168.192.in-addr.arpa domain name pointer server.DOMAIN.COM.
	host xxxx:xxx:xxxx:xxx::68
		68.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.1.0.0.2.ip6.arpa domain name pointer server.DOMAIN.COM.

	dig A client.DOMAIN.COM +short
		192.168.1.65
	dig AAAA client.DOMAIN.COM +short
		xxxx:xxx:xxxx:xxx::65

	host 192.168.1.65
		65.1.168.192.in-addr.arpa domain name pointer client.DOMAIN.COM.
	host xxxx:xxx:xxxx:xxx::65
		65.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.1.0.0.2.ip6.arpa domain name pointer desk.DOMAIN.COM.

	host client.DOMAIN.COM
		client.DOMAIN.COM has address 192.168.1.65
		client.DOMAIN.COM has IPv6 address xxxx:xxx:xxxx:xxx::65
	host server.DOMAIN.COM
		server.DOMAIN.COM has address 192.168.1.68
		server.DOMAIN.COM has IPv6 address xxxx:xxx:xxxx:xxx::68

	ssh-keyscan -t ed25519 client.DOMAIN.COM
		# client.DOMAIN.COM SSH-2.0-OpenSSH_6.7
		client.DOMAIN.COM ssh-ed25519 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
	ssh-keyscan -t ed25519 server.DOMAIN.COM
		# server.DOMAIN.COM SSH-2.0-OpenSSH_6.7
		server.DOMAIN.COM ssh-ed25519 BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
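Added example, not part of the thread and not OpenSSH's own code: a POSIX sh preflight script that checks the things Iain Morgan's reply says hostbased authentication depends on. On the server it checks that the client's FQDN is listed in shosts.equiv, that the client's host key is in ssh_known_hosts under that same name, and that forward and reverse DNS for the client name agree; it also carries the client-side check that ssh-keysign is setuid root. The name comparison mirrors what sshd does: it strips one trailing dot from the name the client sends and compares case-insensitively against the name sshd obtains by reverse-resolving the connection's source address (which needs UseDNS; that defaulted to yes in 6.7 and to no from 6.8 on). The default paths follow the /usr/local/etc/ssh layout in the thread; the hostnames client.DOMAIN.COM/server.DOMAIN.COM and the sample file contents are constructed for illustration. Worth noting against the output above: on the server, the IPv4 reverse of the client's address resolves to client.DOMAIN.COM but the IPv6 reverse resolves to desk.DOMAIN.COM, and a connection arriving over IPv6 would therefore be matched against a name that appears in neither the pasted shosts.equiv nor ssh_known_hosts. That is the kind of inconsistency the DNS round-trip check reports.

```shell
#!/bin/sh
# Added example (not from the thread, not OpenSSH code): preflight checks
# for HostbasedAuthentication.  Paths default to the /usr/local/etc/ssh
# layout used in the thread; the client name is whatever you pass in.
#   sh hostbased-preflight.sh client.DOMAIN.COM [ssh_known_hosts] [shosts.equiv]
set -u
set -f   # no globbing: ssh_known_hosts may contain '*' patterns

lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# sshd drops one trailing '.' from the name the client sends and compares
# host names case-insensitively; do the same so these checks agree with it.
canon() { lc "${1%.}"; }

# shosts.equiv: "host" or "host user" per line, '#' comments, and
# "+@netgroup"/"-host" forms (netgroups and negations are not evaluated here).
check_shosts_equiv() {
    file=$1 orig=$2 want=$(canon "$2")
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        set -- $line                       # $1 = host, $2 = optional user
        case $1 in '+'*|'-'*) continue ;; esac
        [ "$(canon "$1")" = "$want" ] && return 0
    done < "$file"
    echo "no entry for $orig in $file" >&2
    return 1
}

# ssh_known_hosts: "names keytype base64 [comment]", names comma-separated.
# Literal names only: '*'/'?' patterns, [host]:port and @-marker lines are
# skipped, and hashed (|1|...) entries are counted but cannot be compared.
check_known_hosts() {
    file=$1 orig=$2 want=$(canon "$2") hashed=0
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*|'@'*) continue ;; esac
        set -- $line                       # $1 = name list
        case $1 in '|1|'*) hashed=$((hashed + 1)); continue ;; esac
        names=$1 oldifs=$IFS
        IFS=,
        for n in $names; do
            if [ "$(canon "$n")" = "$want" ]; then IFS=$oldifs; return 0; fi
        done
        IFS=$oldifs
    done < "$file"
    echo "no host key for $orig in $file" >&2
    if [ "$hashed" -gt 0 ]; then
        echo "note: $hashed hashed entries not compared; try ssh-keygen -F $orig -f $file" >&2
    fi
    return 1
}

# Client side: ssh-keysign must be setuid root to read the host private key.
is_setuid_root() {
    [ -u "$1" ] && [ "$(ls -ld "$1" | awk '{print $3}')" = root ]
}

# Server side, with UseDNS: the PTR of every address the client name resolves
# to must map back to that same name, or sshd compares the name the client
# sends against a different one and fails the method.  Uses host(1).
check_dns_roundtrip() {
    name=$(canon "$1") rc=0
    command -v host >/dev/null 2>&1 || { echo "host(1) not found" >&2; return 2; }
    for addr in $(host "$1" | awk '/has (IPv6 )?address/ {print $NF}'); do
        ptr=$(host "$addr" | awk '/domain name pointer/ {print $NF; exit}')
        if [ "$(canon "$ptr")" != "$name" ]; then
            echo "reverse of $addr is '$ptr', not $1" >&2
            rc=1
        fi
    done
    return $rc
}

main() {
    client=$1
    kh=${2:-/usr/local/etc/ssh/ssh_known_hosts}
    se=${3:-/usr/local/etc/ssh/shosts.equiv}
    rc=0
    check_shosts_equiv "$se" "$client" && echo "ok: $client listed in $se" || rc=1
    check_known_hosts "$kh" "$client" && echo "ok: host key for $client in $kh" || rc=1
    check_dns_roundtrip "$client" && echo "ok: forward/reverse DNS agree for $client" || rc=1
    return $rc
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Run it on the server with the name the client will send (its `hostname -f`), and run `is_setuid_root /usr/local/libexec/ssh-keysign` (path is an assumption; use the one your build installed) on the client. For the authoritative known_hosts lookup, including hashed entries, `ssh-keygen -F client.DOMAIN.COM -f /usr/local/etc/ssh/ssh_known_hosts` is the tool. When sshd rejects the name it logs the mismatch on the server side rather than sending it to the client, so check the server's auth log, not `ssh -v`, when the method fails silently.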