Re: problem with HostbasedAuthentication

Mahmood, 

The files are /home/username/.ssh/known_hosts on both server and client.

By FQDN, I meant host's fully qualified domain name. 

Following is the example:

Assuming both client and server are linux hosts:

Server IP: 192.168.1.1
Client IP: 192.168.1.101

Server Name: lnx_srvr_1.domain.com
Client Name: lnx_clnt_101.domain.com

User name on each host is mahmood.

Following would be the entries in .shosts on lnx_srvr_1:

lnx_srvr_1:/home/mahmood $ cat .shosts

lnx_clnt_101.domain.com mahmood
192.168.1.101 mahmood
lnx_clnt_101 mahmood

Following should exist in /home/mahmood/.ssh/known_hosts file on the server side:
192.168.1.101,lnx_clnt_101,lnx_clnt_101.domain.com  ssh-rsa AAAAB3Nz...

Following should also exist in /home/mahmood/.ssh/known_hosts file on the client side:
192.168.1.1,lnx_srvr_1,lnx_srvr_1.domain.com  ssh-rsa AAAAB3Nz...

Ensure that the .ssh directory on both client and server is rwx for the owner only, and group/rest of world is 000.

Hope this helps! Good Luck! :)

Regards,
Sharad  
--- On Thu, 28/4/11, Mahmood Naderan <nt_mahmood@xxxxxxxxx> wrote:

> From: Mahmood Naderan <nt_mahmood@xxxxxxxxx>
> Subject: Re: problem with HostbasedAuthentication
> To: "Sharad" <sharad2011@xxxxxxxxx>
> Cc: "secureshell@xxxxxxxxxxxxxxxxx" <secureshell@xxxxxxxxxxxxxxxxx>
> Date: Thursday, 28 April, 2011, 3:54 PM
> Can you explain exactly which file I should edit? What is FQDN? By 'hostname', do you mean server
> hostname or client hostname?
> Should I do that on both sides or server side?...
> 
> // Naderan *Mahmood;
> 
> 
> ----- Original Message -----
> From: Sharad <sharad2011@xxxxxxxxx>
> To: Mahmood Naderan <nt_mahmood@xxxxxxxxx>; Asif Iqbal <vadud3@xxxxxxxxx>
> Cc: "secureshell@xxxxxxxxxxxxxxxxx" <secureshell@xxxxxxxxxxxxxxxxx>
> Sent: Thursday, April 28, 2011 1:16 PM
> Subject: Re: problem with HostbasedAuthentication
> 
> Sometimes the issue lies with the hostname as well. What I mean by that is the known_hosts may have just the host name,
> whereas when the connection is established, the debug shows the FQDN. I faced this issue, so to be sure, I edited the
> known_hosts file and inserted the hostname, the hostname's FQDN and its IP address (all comma separated).
> 
> Also ensure that both hosts' known_hosts files have the opposite server's name (as prescribed above).
> 
> All the above checks make it work for me.
> 
> Hope this solves it.
> 
> Kind regards,
> Sharad
> --- On Thu, 28/4/11, Asif Iqbal <vadud3@xxxxxxxxx> wrote:
> 
> > From: Asif Iqbal <vadud3@xxxxxxxxx>
> > Subject: Re: problem with HostbasedAuthentication
> > To: "Mahmood Naderan" <nt_mahmood@xxxxxxxxx>
> > Cc: "secureshell@xxxxxxxxxxxxxxxxx" <secureshell@xxxxxxxxxxxxxxxxx>
> > Date: Thursday, 28 April, 2011, 12:38 AM
> > On Wed, Apr 27, 2011 at 1:12 AM, Mahmood Naderan <nt_mahmood@xxxxxxxxx> wrote:
> > >>Change the order method. Have hostbased before password
> > >
> > > Sorry where should I do that?
> > 
> > man ssh_config and look into PreferredAuthentications
> > 
> > >
> > > // Naderan *Mahmood;
> > >
> > > From: Asif Iqbal <vadud3@xxxxxxxxx>
> > > To: Mahmood Naderan <nt_mahmood@xxxxxxxxx>
> > > Cc: "secureshell@xxxxxxxxxxxxxxxxx" <secureshell@xxxxxxxxxxxxxxxxx>
> > > Sent: Wednesday, April 27, 2011 9:17 AM
> > > Subject: Re: problem with HostbasedAuthentication
> > >
> > >
> > > Change the order method. Have hostbased before password
> > > On Apr 26, 2011 11:52 PM, "Mahmood Naderan" <nt_mahmood@xxxxxxxxx> wrote:
> > >>
> > >>
> > >> Hi,
> > >> I am trying to set up a hostbased passwordless ssh from a client to a server using this guide http://www.ehow.com/how_7621307_set-up-hostbased-authentication.html.
> > >>
> > >> The client looks like:
> > >>
> > >> mahmood@client:~$ cat /etc/ssh/ssh_config | grep "HostbasedAuthentication"
> > >>    HostbasedAuthentication yes
> > >> mahmood@client:~$ cat /etc/ssh/ssh_config | grep "EnableSSHKeysign"
> > >>    EnableSSHKeysign yes
> > >>
> > >>
> > >> and the server looks like:
> > >> mahmood@server:~$ cat /etc/ssh/sshd_config | grep "HostbasedAuthentication"
> > >> HostbasedAuthentication yes
> > >> mahmood@server:~$ cat /etc/ssh/sshd_config | grep "IgnoreRhosts"
> > >> IgnoreRhosts no
> > >>
> > >> also the server has the key for client:
> > >>
> > >> mahmood@server:~$ cat /etc/ssh/ssh_known_hosts
> > >> client ssh-rsa AAAAB3Nz.....
> > >>
> > >> the ~/.shosts file on the server contains:
> > >> mahmood@server:~$ cat .shosts
> > >> client.domain mahmood
> > >>
> > >> Then on both server and client, the ssh service is restarted:
> > >> mahmood@client:~$ sudo service ssh restart
> > >> ssh start/running, process 1355
> > >> mahmood@server:~$ sudo service ssh restart
> > >> ssh start/running, process 28982
> > >>
> > >> Now, when I run "ssh -vvv server" from client (to show the verbose messages), I still get the password prompt.
> > >>
> > >> mahmood@client:~$ ssh -vvv server
> > >> OpenSSH_5.3p1 Debian-3ubuntu6, OpenSSL 0.9.8k 25 Mar 2009
> > >> debug1: Reading configuration data /etc/ssh/ssh_config
> > >> debug1: Applying options for *
> > >> debug2: ssh_connect: needpriv 0
> > >> debug1: Connecting to server [192.168.1.1] port 22.
> > >> debug1: Connection established.
> > >> debug1: identity file /home/mahmood/.ssh/identity type -1
> > >> debug1: identity file /home/mahmood/.ssh/id_rsa type -1
> > >> debug1: identity file /home/mahmood/.ssh/id_dsa type -1
> > >> debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3p1 Debian-3ubuntu4
> > >> debug1: match: OpenSSH_5.3p1 Debian-3ubuntu4 pat OpenSSH*
> > >> debug1: Enabling compatibility mode for protocol 2.0
> > >> debug1: Local version string SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu6
> > >> debug2: fd 3 setting O_NONBLOCK
> > >> debug1: SSH2_MSG_KEXINIT sent
> > >> debug3: Wrote 792 bytes for a total of 831
> > >> debug1: SSH2_MSG_KEXINIT received
> > >> debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> > >> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> > >> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@xxxxxxxxxxxxxx
> > >> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@xxxxxxxxxxxxxx
> > >> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@xxxxxxxxxxx,hmac-ripemd160,hmac-ripemd160@xxxxxxxxxxx,hmac-sha1-96,hmac-md5-96
> > >> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@xxxxxxxxxxx,hmac-ripemd160,hmac-ripemd160@xxxxxxxxxxx,hmac-sha1-96,hmac-md5-96
> > >> debug2: kex_parse_kexinit: none,zlib@xxxxxxxxxxx,zlib
> > >> debug2: kex_parse_kexinit: none,zlib@xxxxxxxxxxx,zlib
> > >> debug2: kex_parse_kexinit:
> > >> debug2: kex_parse_kexinit:
> > >> debug2: kex_parse_kexinit: first_kex_follows 0
> > >> debug2: kex_parse_kexinit: reserved 0
> > >> debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> > >> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> > >> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@xxxxxxxxxxxxxx
> > >> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@xxxxxxxxxxxxxx
> > >> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@xxxxxxxxxxx,hmac-ripemd160,hmac-ripemd160@xxxxxxxxxxx,hmac-sha1-96,hmac-md5-96
> > >> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@xxxxxxxxxxx,hmac-ripemd160,hmac-ripemd160@xxxxxxxxxxx,hmac-sha1-96,hmac-md5-96
> > >> debug2: kex_parse_kexinit: none,zlib@xxxxxxxxxxx
> > >> debug2: kex_parse_kexinit: none,zlib@xxxxxxxxxxx
> > >> debug2: kex_parse_kexinit:
> > >> debug2: kex_parse_kexinit:
> > >> debug2: kex_parse_kexinit: first_kex_follows 0
> > >> debug2: kex_parse_kexinit: reserved 0
> > >> debug2: mac_setup: found hmac-md5
> > >> debug1: kex: server->client aes128-ctr hmac-md5 none
> > >> debug2: mac_setup: found hmac-md5
> > >> debug1: kex: client->server aes128-ctr hmac-md5 none
> > >> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> > >> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> > >> debug3: Wrote 24 bytes for a total of 855
> > >> debug2: dh_gen_key: priv key bits set: 124/256
> > >> debug2: bits set: 507/1024
> > >> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> > >> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> > >> debug3: Wrote 144 bytes for a total of 999
> > >> debug3: check_host_in_hostfile: filename /home/mahmood/.ssh/known_hosts
> > >> debug3: check_host_in_hostfile: match line 1
> > >> debug3: check_host_in_hostfile: filename /home/mahmood/.ssh/known_hosts
> > >> debug3: check_host_in_hostfile: match line 2
> > >> debug1: Host 'server' is known and matches the RSA host key.
> > >> debug1: Found key in /home/mahmood/.ssh/known_hosts:1
> > >> debug2: bits set: 503/1024
> > >> debug1: ssh_rsa_verify: signature correct
> > >> debug2: kex_derive_keys
> > >> debug2: set_newkeys: mode 1
> > >> debug1: SSH2_MSG_NEWKEYS sent
> > >> debug1: expecting SSH2_MSG_NEWKEYS
> > >> debug3: Wrote 16 bytes for a total of 1015
> > >> debug2: set_newkeys: mode 0
> > >> debug1: SSH2_MSG_NEWKEYS received
> > >> debug1: SSH2_MSG_SERVICE_REQUEST sent
> > >> debug3: Wrote 48 bytes for a total of 1063
> > >> debug2: service_accept: ssh-userauth
> > >> debug1: SSH2_MSG_SERVICE_ACCEPT received
> > >> debug2: key: /home/mahmood/.ssh/identity ((nil))
> > >> debug2: key: /home/mahmood/.ssh/id_rsa ((nil))
> > >> debug2: key: /home/mahmood/.ssh/id_dsa ((nil))
> > >> debug3: Wrote 64 bytes for a total of 1127
> > >> debug1: Authentications that can continue: publickey,password,hostbased
> > >> debug3: start over, passed a different list publickey,password,hostbased
> > >> debug3: preferred gssapi-keyex,gssapi-with-mic,gssapi,hostbased,publickey,keyboard-interactive,password
> > >> debug3: authmethod_lookup hostbased
> > >> debug3: remaining preferred: publickey,keyboard-interactive,password
> > >> debug3: authmethod_is_enabled hostbased
> > >> debug1: Next authentication method: hostbased
> > >> debug2: userauth_hostbased: chost client.
> > >> debug2: ssh_keysign called
> > >> debug3: ssh_msg_send: type 2
> > >> debug3: ssh_msg_recv entering
> > >> debug1: permanently_drop_suid: 1000
> > >> debug2: we sent a hostbased packet, wait for reply
> > >> debug3: Wrote 608 bytes for a total of 1735
> > >> debug1: Authentications that can continue: publickey,password,hostbased
> > >> debug2: userauth_hostbased: chost client.
> > >> debug2: ssh_keysign called
> > >> debug3: ssh_msg_send: type 2
> > >> debug3: ssh_msg_recv entering
> > >> debug1: permanently_drop_suid: 1000
> > >> debug2: we sent a hostbased packet, wait for reply
> > >> debug3: Wrote 672 bytes for a total of 2407
> > >> debug1: Authentications that can continue: publickey,password,hostbased
> > >> debug1: No more client hostkeys for hostbased authentication.
> > >> debug2: we did not send a packet, disable method
> > >> debug3: authmethod_lookup publickey
> > >> debug3: remaining preferred: keyboard-interactive,password
> > >> debug3: authmethod_is_enabled publickey
> > >> debug1: Next authentication method: publickey
> > >> debug1: Trying private key: /home/mahmood/.ssh/identity
> > >> debug3: no such identity: /home/mahmood/.ssh/identity
> > >> debug1: Trying private key: /home/mahmood/.ssh/id_rsa
> > >> debug3: no such identity: /home/mahmood/.ssh/id_rsa
> > >> debug1: Trying private key: /home/mahmood/.ssh/id_dsa
> > >> debug3: no such identity: /home/mahmood/.ssh/id_dsa
> > >> debug2: we did not send a packet, disable method
> > >> debug3: authmethod_lookup password
> > >> debug3: remaining preferred: ,password
> > >> debug3: authmethod_is_enabled password
> > >> debug1: Next authentication method: password
> > >> mahmood@server's password:
> > >>
> > >>
> > >> Any idea about that?
> > >>
> > >> // Naderan *Mahmood;
> > >>
> > >
> > 
> > 
> > 
> > -- 
> > Asif Iqbal
> > PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
> > A: Because it messes up the order in which people normally read text.
> > Q: Why is top-posting such a bad thing?
> >
> 
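As an added example (not from this thread or from OpenSSH), a small POSIX shell script that checks the server-side layout Sharad describes: .ssh is mode 700, .shosts lists the client's short name, FQDN and IP for the user, and one known_hosts line carries all three names comma separated. It reuses the names from Sharad's example with a placeholder key; hashed known_hosts entries (HashKnownHosts) and @marker lines are not handled.

```shell
#!/bin/sh
# Added example: verify the host-based auth prerequisites from the thread.
# Names below are the ones from Sharad's example; the key is a placeholder.
set -u

# 0 if FILE has a known_hosts line whose host field names every NAME given.
known_hosts_covers() {                       # FILE NAME...
    file=$1; shift
    while read -r hosts _key; do
        case $hosts in ''|'#'*) continue ;; esac      # skip blanks/comments
        ok=1
        for want in "$@"; do
            case ",$hosts," in *",$want,"*) ;; *) ok=0 ;; esac
        done
        [ "$ok" -eq 1 ] && return 0
    done < "$file"
    return 1
}

# 0 if FILE (.shosts) has a "NAME USER" line for every NAME given.
shosts_allows() {                            # FILE USER NAME...
    file=$1; user=$2; shift 2
    for want in "$@"; do
        awk -v h="$want" -v u="$user" '$1==h && $2==u {f=1} END {exit !f}' "$file" || return 1
    done
    return 0
}

# 0 if DIR is exactly mode 0700 (rwx for owner, nothing for group/world).
ssh_dir_private() { [ -n "$(find "$1" -prune -perm 700 -print 2>/dev/null)" ]; }

# Run all three checks for HOME, USER and the client's HOST, FQDN and IP.
check_hostbased_prereqs() {                  # HOME USER HOST FQDN IP
    ssh_dir_private "$1/.ssh"                    || { echo "FAIL: $1/.ssh is not mode 0700"; return 1; }
    shosts_allows "$1/.shosts" "$2" "$3" "$4" "$5" || { echo "FAIL: .shosts lacks a client name"; return 1; }
    known_hosts_covers "$1/.ssh/known_hosts" "$3" "$4" "$5" \
                                                 || { echo "FAIL: known_hosts lacks host,FQDN,IP on one line"; return 1; }
    echo "OK: host-based prerequisites present"
}

# Constructed fixture laid out as Sharad's server-side example.
make_fixture() {
    d=$(mktemp -d); mkdir -p "$d/.ssh"; chmod 700 "$d/.ssh"
    printf '%s mahmood\n' lnx_clnt_101.domain.com 192.168.1.101 lnx_clnt_101 > "$d/.shosts"
    echo '192.168.1.101,lnx_clnt_101,lnx_clnt_101.domain.com ssh-rsa AAAAB3Nz...PLACEHOLDER' > "$d/.ssh/known_hosts"
    echo "$d"
}

d=$(make_fixture); check_hostbased_prereqs "$d" mahmood lnx_clnt_101 lnx_clnt_101.domain.com 192.168.1.101; rm -rf "$d"
```

A known_hosts entry that names the client by short name only, as in the original post, fails the third check, which is the mismatch Sharad describes between the name in the file and the name the debug output shows.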


