Re: OpenSSH_6.7p1 hostbased authentication failing on linux->linux connection. what's wrong with my config?

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



On Fri, Jan 09, 2015 at 13:00:10 -0800, grantksupport@xxxxxxxxxxxxx wrote:
> Hi
> 
> On Fri, Jan 9, 2015, at 12:34 PM, Mark Hahn wrote:
> > >> The one you are missing is EnableSSHKeysign.
> > 
> > I suppose it's worth asking: is your ssh-keysign suid root
> > (and are the permissions on your host keys sufficiently tight)?
> 
> Note that everything works correctly with other auth methods: pubkey, password, ...
> I suspect key perms issues would've come up there.

Not so, only hostbased authentication uses the client's host keys, and
it is likewise the only method that uses ssh-keysign. Further,
ssh-keysign is only used for non-root users.

> 
> Here's also the ssk-keysign perms
> 
> 	client
> 
> 		ls -al /usr/local/libexec/ssh-keysign
> 			-rwsr-xr-x+ 1 root root 459K Oct 11 06:51 /usr/local/libexec/ssh-keysign*
> 
> 		ls -al /usr/local/etc/ssh/ssh.client.ed25519*
> 			-rw-------+ 1 root root 517 May  9  2014 /usr/local/etc/ssh/ssh.client.ed25519
> 			-rw-r--r--+ 1 root root 107 May  9  2014 /usr/local/etc/ssh/ssh.client.ed25519.pub
> 

Err, those _should_ be ssh_host_ed25519 and ssh_host_ed25519.pub.
> 
> 	server
> 
> 		ls -al /usr/local/libexec/ssh-keysign
> 			-rwsr-xr-x+ 1 root root 455K Oct 11 06:51 /usr/local/libexec/ssh-keysign*
> 
> 		ls -al /usr/local/etc/ssh/ssh.server.ed25519*
> 			-rw-------+ 1 root root 464 May 10  2014 /usr/local/etc/ssh/ssh.server.ed25519
> 			-rw-r--r--+ 1 root root 107 May 10  2014 /usr/local/etc/ssh/ssh.server.ed25519.pub
> 

Renaming the keys in your output only serves to complicate matters for
those who are taking time to try to help you. Further, ssh-keysign plays
no role on the server and the server's keys are not a factor in the
problem you are facing.
> 
> > > 	ssh-keyscan -t ed25519 server.DOMAIN.COM >> /usr/local/etc/ssh/ssh_known_hosts
> > 
> > fine, though it's worth verifying that these are the files being used
> > by the (non-default, right) sshd and ssh (client) that you're using.
> 
> i have
> 
> 	@ server
> 
> 	which sshd
> 		/usr/local/sbin/sshd
> 
> 	systemctl status sshd
> 		sshd.service - OpenSSH Daemon
> 		   Loaded: loaded (/etc/systemd/system/sshd.service; enabled)
> 		   Active: active (running) since Fri 2015-01-09 12:57:12 PST; 2s ago
> 		 Main PID: 21534 (sshd)
> 		   CGroup: /system.slice/sshd.service
> 		           ├─ 4662 sshd: root@pts/0
> 		           ├─ 4664 -bash
> 		           ├─21534 /usr/local/sbin/sshd -D -f /usr/local/etc/ssh/sshd_config
> 		           └─21541 systemctl status sshd
> 
> 	ps ax | grep sshd_config
> 		20989 ?        Ss     0:00 /usr/local/sbin/sshd -D -f /usr/local/etc/ssh/sshd_config
> 
> and
> 
> 	@ client
> 
> 		which ssh
> 			/usr/local/bin/ssh
> 
> 		ssh server.DOMAIN.COM -vvv
> 			...
> 			debug3: load_hostkeys: loading entries for host "server.DOMAIN.COM" from file "/usr/local/etc/ssh/ssh_known_hosts"
> 			debug3: load_hostkeys: found key type ED25519 in file /usr/local/etc/ssh/ssh_known_hosts:2
> 			debug3: load_hostkeys: loaded 1 keys
> 			debug3: load_hostkeys: loading entries for host "server.DOMAIN.COM" from file "/usr/local/etc/ssh/ssh_known_hosts"
> 			debug3: load_hostkeys: found key type ED25519 in file /usr/local/etc/ssh/ssh_known_hosts:2
> 			debug3: load_hostkeys: loaded 1 keys
> 			...
> 
> > > 		Permission denied (hostbased).
> 
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

-- 
Iain Morgan
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev




[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux