On Fri, Jan 09, 2015 at 13:00:10 -0800, grantksupport@xxxxxxxxxxxxx wrote:
> Hi
>
> On Fri, Jan 9, 2015, at 12:34 PM, Mark Hahn wrote:
>
> >> The one you are missing is EnableSSHKeysign.
> >
> > I suppose it's worth asking: is your ssh-keysign suid root
> > (and are the permissions on your host keys sufficiently tight)?
>
> Note that everything works correctly with other auth methods: pubkey, password, ...
> I suspect key perms issues would've come up there.

Not so, only hostbased authentication uses the client's host keys, and it
is likewise the only method that uses ssh-keysign. Further, ssh-keysign is
only used for non-root users.

>
> Here's also the ssh-keysign perms
>
> client
>
> ls -al /usr/local/libexec/ssh-keysign
> -rwsr-xr-x+ 1 root root 459K Oct 11 06:51 /usr/local/libexec/ssh-keysign*
>
> ls -al /usr/local/etc/ssh/ssh.client.ed25519*
> -rw-------+ 1 root root 517 May  9  2014 /usr/local/etc/ssh/ssh.client.ed25519
> -rw-r--r--+ 1 root root 107 May  9  2014 /usr/local/etc/ssh/ssh.client.ed25519.pub
>

Err, those _should_ be ssh_host_ed25519 and ssh_host_ed25519.pub.

>
> server
>
> ls -al /usr/local/libexec/ssh-keysign
> -rwsr-xr-x+ 1 root root 455K Oct 11 06:51 /usr/local/libexec/ssh-keysign*
>
> ls -al /usr/local/etc/ssh/ssh.server.ed25519*
> -rw-------+ 1 root root 464 May 10  2014 /usr/local/etc/ssh/ssh.server.ed25519
> -rw-r--r--+ 1 root root 107 May 10  2014 /usr/local/etc/ssh/ssh.server.ed25519.pub
>

Renaming the keys in your output only serves to complicate matters for
those who are taking time to try to help you. Further, ssh-keysign plays
no role on the server and the server's keys are not a factor in the
problem you are facing.

>
> > > ssh-keyscan -t ed25519 server.DOMAIN.COM >> /usr/local/etc/ssh/ssh_known_hosts
> >
> > fine, though it's worth verifying that these are the files being used
> > by the (non-default, right) sshd and ssh (client) that you're using.
>
> I have
>
> @ server
>
> which sshd
> /usr/local/sbin/sshd
>
> systemctl status sshd
> sshd.service - OpenSSH Daemon
>    Loaded: loaded (/etc/systemd/system/sshd.service; enabled)
>    Active: active (running) since Fri 2015-01-09 12:57:12 PST; 2s ago
>  Main PID: 21534 (sshd)
>    CGroup: /system.slice/sshd.service
>            ├─ 4662 sshd: root@pts/0
>            ├─ 4664 -bash
>            ├─21534 /usr/local/sbin/sshd -D -f /usr/local/etc/ssh/sshd_config
>            └─21541 systemctl status sshd
>
> ps ax | grep sshd_config
> 20989 ?        Ss     0:00 /usr/local/sbin/sshd -D -f /usr/local/etc/ssh/sshd_config
>
> and
>
> @ client
>
> which ssh
> /usr/local/bin/ssh
>
> ssh server.DOMAIN.COM -vvv
> ...
> debug3: load_hostkeys: loading entries for host "server.DOMAIN.COM" from file "/usr/local/etc/ssh/ssh_known_hosts"
> debug3: load_hostkeys: found key type ED25519 in file /usr/local/etc/ssh/ssh_known_hosts:2
> debug3: load_hostkeys: loaded 1 keys
> debug3: load_hostkeys: loading entries for host "server.DOMAIN.COM" from file "/usr/local/etc/ssh/ssh_known_hosts"
> debug3: load_hostkeys: found key type ED25519 in file /usr/local/etc/ssh/ssh_known_hosts:2
> debug3: load_hostkeys: loaded 1 keys
> ...
>
> > > Permission denied (hostbased).
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

-- 
Iain Morgan
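The checks Mark and Iain raise in this thread (ssh-keysign setuid root, tight host key permissions, EnableSSHKeysign in the client ssh_config, and the server actually present in the client's ssh_known_hosts) can be scripted so a client host can be audited before reporting "Permission denied (hostbased)". The POSIX shell function below is an added example, not code from the thread or from OpenSSH. It takes every path as an argument and runs here against a constructed sandbox directory; the expected owner is also a parameter because on a real install it must be root, whereas the sandbox is owned by whoever runs it. Assumptions: the ssh_config check is a plain grep and does not evaluate Host/Match blocks the way ssh(1) does, and the known_hosts match is a plain hostname comparison that does not handle hashed entries (ssh-keygen -F is the right tool for those).

```shell
#!/bin/sh
# Added example: audit the client-side prerequisites for OpenSSH hostbased
# authentication. Not code from the thread or from OpenSSH; the sandbox
# paths and key material below are constructed placeholders.
#
# check_hostbased_client KEYSIGN HOSTKEY SSH_CONFIG KNOWN_HOSTS TARGET OWNER
#   KEYSIGN     path to ssh-keysign (must be a setuid executable)
#   HOSTKEY     client private host key (owned by OWNER, no group/other bits)
#   SSH_CONFIG  client ssh_config (must contain EnableSSHKeysign yes)
#   KNOWN_HOSTS client ssh_known_hosts (must list TARGET)
#   TARGET      server name as the client will present it
#   OWNER       expected owner of KEYSIGN and HOSTKEY (root on a real system)
# Prints one "FAIL:" line per problem; returns 0 only when every check passes.
check_hostbased_client() {
    keysign=$1; hostkey=$2; sshconfig=$3; knownhosts=$4; target=$5; owner=$6
    rc=0

    # 1. ssh-keysign must be setuid so a non-root user can sign with the
    #    root-owned host key; only hostbased authentication uses it.
    if [ ! -x "$keysign" ] || [ ! -u "$keysign" ]; then
        echo "FAIL: $keysign is not a setuid executable"; rc=1
    fi
    if [ "$(ls -ld "$keysign" 2>/dev/null | awk '{print $3}')" != "$owner" ]; then
        echo "FAIL: $keysign is not owned by $owner"; rc=1
    fi

    # 2. Private host key: owned by OWNER and no group/other permission bits.
    #    ls -l columns 5-10 are the group/other bits; an ACL marker (+) in
    #    column 11, as in the thread's listing, is deliberately ignored.
    perm=$(ls -ld "$hostkey" 2>/dev/null | cut -c1-10)
    case $perm in
        ????------) ;;
        *) echo "FAIL: $hostkey perms '$perm' too loose (group/other must be ---)"; rc=1 ;;
    esac
    if [ "$(ls -ld "$hostkey" 2>/dev/null | awk '{print $3}')" != "$owner" ]; then
        echo "FAIL: $hostkey is not owned by $owner"; rc=1
    fi

    # 3. EnableSSHKeysign must be on. Plain grep: Host/Match blocks are not
    #    evaluated, so a "yes" inside an unrelated Host block also passes here.
    if ! grep -Eiq '^[[:space:]]*EnableSSHKeysign[[:space:]=]+yes' "$sshconfig" 2>/dev/null; then
        echo "FAIL: EnableSSHKeysign yes not found in $sshconfig"; rc=1
    fi

    # 4. TARGET must appear in the first (comma-separated) field of some
    #    known_hosts line. Hashed (|1|...) and @marker lines are skipped.
    if ! awk -v h="$target" '
        /^[[:space:]]*(#|$)/ || $1 ~ /^[|@]/ { next }
        { n = split($1, a, ","); for (i = 1; i <= n; i++)
              if (tolower(a[i]) == tolower(h)) found = 1 }
        END { exit !found }' "$knownhosts" 2>/dev/null; then
        echo "FAIL: $target not listed in $knownhosts"; rc=1
    fi
    return $rc
}

# Constructed sandbox mirroring the thread's layout so the check can be run
# without touching a real install. The "key" is a placeholder, not real key
# material, and the setuid bit is set on a file owned by the current user.
make_sandbox() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/libexec" "$d/etc/ssh"
    printf '#!/bin/sh\nexit 0\n' > "$d/libexec/ssh-keysign"
    chmod 4755 "$d/libexec/ssh-keysign"
    printf 'PLACEHOLDER - not a real key\n' > "$d/etc/ssh/ssh_host_ed25519_key"
    chmod 600 "$d/etc/ssh/ssh_host_ed25519_key"
    printf 'Host *\n    EnableSSHKeysign yes\n' > "$d/etc/ssh/ssh_config"
    printf 'server.DOMAIN.COM,10.0.0.2 ssh-ed25519 AAAAC3PLACEHOLDERKEY\n' \
        > "$d/etc/ssh/ssh_known_hosts"
    echo "$d"
}

# Stand-alone demo: a correct layout passes; loosening the key perms, the
# mistake Mark asked about, makes the same check fail.
demo() {
    d=$(make_sandbox) || return 1
    set -- "$d/libexec/ssh-keysign" "$d/etc/ssh/ssh_host_ed25519_key" \
           "$d/etc/ssh/ssh_config" "$d/etc/ssh/ssh_known_hosts" \
           server.DOMAIN.COM "$(id -un)"
    check_hostbased_client "$@" && echo "hostbased prerequisites: OK"
    chmod 644 "$d/etc/ssh/ssh_host_ed25519_key"
    check_hostbased_client "$@" || echo "hostbased prerequisites: problems found"
    rm -rf "$d"
}
demo
```

On a real client the call would be `check_hostbased_client /usr/local/libexec/ssh-keysign /usr/local/etc/ssh/ssh_host_ed25519_key /usr/local/etc/ssh/ssh_config /usr/local/etc/ssh/ssh_known_hosts server.DOMAIN.COM root`, run as the non-root user who gets the "Permission denied (hostbased)"; the first FAIL line it prints is the thing to fix before looking at the server.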