Mahmood, The files are /home/username/.ssh/known_hosts on both server and client. By FQDN, I meant host's fully qualified domain name. Following is the example: Assuming both client and server are linux hosts: Server IP: 192.168.1.1 Client IP: 192.168.1.101 Server Name: lnx_srvr_1.domain.com Client Name: lnx_clnt_101.domain.com User name on each host is mahmood. Following would be the entries in .shosts on lnx_srvr_1 lnx_srvr_1:/home/mahmood $ cat .shosts lnx_clnt_101.domain.com mahmood 192.168.1.101 mahmood lnx_clnt_101 mahmood Following should exist in /home/mahmood/.ssh/known_hosts file on the server side: 192.168.1.101,lnx_clnt_101,lnx_clnt_101.domain.com ssh-rsa AAAAB3Nz... Following should also exist in /home/mahmood/.ssh/known_hosts file on the client side: 192.168.1.1,lnx_srvr_1,lnx_srvr_1.domain.com ssh-rsa AAAAB3Nz... Ensure that .ssh directory on both client and server are rwx for owner only and group/rest of world is 000. Hope this helps! Good Luck! :) Regards, Sharad --- On Thu, 28/4/11, Mahmood Naderan <nt_mahmood@xxxxxxxxx> wrote: > From: Mahmood Naderan <nt_mahmood@xxxxxxxxx> > Subject: Re: problem with HostbasedAuthentication > To: "Sharad" <sharad2011@xxxxxxxxx> > Cc: "secureshell@xxxxxxxxxxxxxxxxx" <secureshell@xxxxxxxxxxxxxxxxx> > Date: Thursday, 28 April, 2011, 3:54 PM > Can you explain exactly which file I > should edit? What is FQDN? By 'hostname', Do you mean server > hostname of client hostname. > Should I do that on both side or server side?... > > // Naderan *Mahmood; > > > ----- Original Message ----- > From: Sharad <sharad2011@xxxxxxxxx> > To: Mahmood Naderan <nt_mahmood@xxxxxxxxx>; > Asif Iqbal <vadud3@xxxxxxxxx> > Cc: "secureshell@xxxxxxxxxxxxxxxxx" > <secureshell@xxxxxxxxxxxxxxxxx> > Sent: Thursday, April 28, 2011 1:16 PM > Subject: Re: problem with HostbasedAuthentication > > Sometimes the issue lies with hostname as well. What I mean > with that is the known_hosts may have just the host name > where as when the connection is established, the debug shows > the FQDN. I faced this issue so to be sure, I edited the > known_hosts file and inserted the hostname, hostname's FQDN > and it's IP address (all comma separated). > > Also ensure that you both the hosts' known_hosts files have > opposite servers names (as prescribed above). > > All the above checks makes it work for me. > > Hope this solves. > > Kind regards, > Sharad > --- On Thu, 28/4/11, Asif Iqbal <vadud3@xxxxxxxxx> > wrote: > > > From: Asif Iqbal <vadud3@xxxxxxxxx> > > Subject: Re: problem with HostbasedAuthentication > > To: "Mahmood Naderan" <nt_mahmood@xxxxxxxxx> > > Cc: "secureshell@xxxxxxxxxxxxxxxxx" > <secureshell@xxxxxxxxxxxxxxxxx> > > Date: Thursday, 28 April, 2011, 12:38 AM > > On Wed, Apr 27, 2011 at 1:12 AM, > > Mahmood Naderan <nt_mahmood@xxxxxxxxx> > > wrote: > > >>Change the order method. Have hostbased > before > > password > > > > > > Sorry where should I do that? > > > > man ssh_config and look into PreferredAuthentications > > > > > > > > // Naderan *Mahmood; > > > > > > From: Asif Iqbal <vadud3@xxxxxxxxx> > > > To: Mahmood Naderan <nt_mahmood@xxxxxxxxx> > > > Cc: "secureshell@xxxxxxxxxxxxxxxxx" > > <secureshell@xxxxxxxxxxxxxxxxx> > > > Sent: Wednesday, April 27, 2011 9:17 AM > > > Subject: Re: problem with > HostbasedAuthentication > > > > > > > > > Change the order method. Have hostbased before > > password > > > On Apr 26, 2011 11:52 PM, "Mahmood Naderan" > <nt_mahmood@xxxxxxxxx> > > wrote: > > >> > > >> > > >> Hi, > > >> I am trying to setup a hostbased passwrodless > ssh > > from a client to a server using this guide http://www.ehow.com/how_7621307_set-up-hostbased-authentication.html. > > >> > > >> The client looks like: > > >> > > >> mahmood@client:~$ cat /etc/ssh/ssh_config | > grep > > "HostbasedAuthentication" > > >> HostbasedAuthentication yes > > >> mahmood@client:~$ cat /etc/ssh/ssh_config | > grep > > "EnableSSHKeysign" > > >> EnableSSHKeysign yes > > >> > > >> > > >> and the server looks like: > > >> mahmood@server:~$ cat /etc/ssh/sshd_config > | > > grep "HostbasedAuthentication" > > >> HostbasedAuthentication yes > > >> mahmood@server:~$ cat /etc/ssh/sshd_config > | > > grep "IgnoreRhosts" > > >> IgnoreRhosts no > > >> > > >> also the server has the key for client: > > >> > > >> mahmood@server:~$ cat > /etc/ssh/ssh_known_hosts > > >> client ssh-rsa AAAAB3Nz..... > > >> > > >> the ~/.shosts file on the server contains: > > >> mahmood@server:~$ cat .shosts > > >> client.domain mahmood > > >> > > >> Then on both server and client, the ssh > service is > > restarted: > > >> mahmood@client:~$ sudo service ssh restart > > >> ssh start/running, process 1355 > > >> mahmood@server:~$ sudo service ssh restart > > >> ssh start/running, process 28982 > > >> > > >> How, when I run "ssh -vvv server" from client > (to > > show the verbose messages), I still get the password > > prompt. > > >> > > >> mahmood@client:~$ ssh -vvv server > > >> OpenSSH_5.3p1 Debian-3ubuntu6, OpenSSL 0.9.8k > 25 > > Mar 2009 > > >> debug1: Reading configuration data > > /etc/ssh/ssh_config > > >> debug1: Applying options for * > > >> debug2: ssh_connect: needpriv 0 > > >> debug1: Connecting to server [192.168.1.1] > port > > 22. > > >> debug1: Connection established. > > >> debug1: identity file > /home/mahmood/.ssh/identity > > type -1 > > >> debug1: identity file > /home/mahmood/.ssh/id_rsa > > type -1 > > >> debug1: identity file > /home/mahmood/.ssh/id_dsa > > type -1 > > >> debug1: Remote protocol version 2.0, remote > > software version OpenSSH_5.3p1 Debian-3ubuntu4 > > >> debug1: match: OpenSSH_5.3p1 Debian-3ubuntu4 > pat > > OpenSSH* > > >> debug1: Enabling compatibility mode for > protocol > > 2.0 > > >> debug1: Local version string > SSH-2.0-OpenSSH_5.3p1 > > Debian-3ubuntu6 > > >> debug2: fd 3 setting O_NONBLOCK > > >> debug1: SSH2_MSG_KEXINIT sent > > >> debug3: Wrote 792 bytes for a total of 831 > > >> debug1: SSH2_MSG_KEXINIT received > > >> debug2: kex_parse_kexinit: > > > diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman- > > >> group1-sha1 > > >> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss > > >> debug2: kex_parse_kexinit: > > > aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192- > > >> cbc,aes256-cbc,arcfour,rijndael-cbc@xxxxxxxxxxxxxx > > >> debug2: kex_parse_kexinit: > > > aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192- > > >> cbc,aes256-cbc,arcfour,rijndael-cbc@xxxxxxxxxxxxxx > > >> debug2: kex_parse_kexinit: > hmac-md5,hmac-sha1,umac-64@xxxxxxxxxxx,hmac-ripemd160,hmac-ripemd160@xxxxxxxxxxx,hmac-sha1-96,hmac- > > >> md5-96 > > >> debug2: kex_parse_kexinit: > hmac-md5,hmac-sha1,umac-64@xxxxxxxxxxx,hmac-ripemd160,hmac-ripemd160@xxxxxxxxxxx,hmac-sha1-96,hmac- > > >> md5-96 > > >> debug2: kex_parse_kexinit: none,zlib@xxxxxxxxxxx,zlib > > >> debug2: kex_parse_kexinit: none,zlib@xxxxxxxxxxx,zlib > > >> debug2: kex_parse_kexinit: > > >> debug2: kex_parse_kexinit: > > >> debug2: kex_parse_kexinit: first_kex_follows > 0 > > >> debug2: kex_parse_kexinit: reserved 0 > > >> debug2: kex_parse_kexinit: > > > diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman- > > >> group1-sha1 > > >> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss > > >> debug2: kex_parse_kexinit: > > > aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192- > > >> cbc,aes256-cbc,arcfour,rijndael-cbc@xxxxxxxxxxxxxx > > >> debug2: kex_parse_kexinit: > > > aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192- > > >> cbc,aes256-cbc,arcfour,rijndael-cbc@xxxxxxxxxxxxxx > > >> debug2: kex_parse_kexinit: > hmac-md5,hmac-sha1,umac-64@xxxxxxxxxxx,hmac-ripemd160,hmac-ripemd160@xxxxxxxxxxx,hmac-sha1-96,hmac- > > >> md5-96 > > >> debug2: kex_parse_kexinit: > hmac-md5,hmac-sha1,umac-64@xxxxxxxxxxx,hmac-ripemd160,hmac-ripemd160@xxxxxxxxxxx,hmac-sha1-96,hmac- > > >> md5-96 > > >> debug2: kex_parse_kexinit: none,zlib@xxxxxxxxxxx > > >> debug2: kex_parse_kexinit: none,zlib@xxxxxxxxxxx > > >> debug2: kex_parse_kexinit: > > >> debug2: kex_parse_kexinit: > > >> debug2: kex_parse_kexinit: first_kex_follows > 0 > > >> debug2: kex_parse_kexinit: reserved 0 > > >> debug2: mac_setup: found hmac-md5 > > >> debug1: kex: server->client aes128-ctr > hmac-md5 > > none > > >> debug2: mac_setup: found hmac-md5 > > >> debug1: kex: client->server aes128-ctr > hmac-md5 > > none > > >> debug1: > > SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) > sent > > >> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP > > >> debug3: Wrote 24 bytes for a total of 855 > > >> debug2: dh_gen_key: priv key bits set: > 124/256 > > >> debug2: bits set: 507/1024 > > >> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent > > >> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY > > >> debug3: Wrote 144 bytes for a total of 999 > > >> debug3: check_host_in_hostfile: filename > > /home/mahmood/.ssh/known_hosts > > >> debug3: check_host_in_hostfile: match line 1 > > >> debug3: check_host_in_hostfile: filename > > /home/mahmood/.ssh/known_hosts > > >> debug3: check_host_in_hostfile: match line 2 > > >> debug1: Host 'server' is known and matches > the RSA > > host key. > > >> debug1: Found key in > > /home/mahmood/.ssh/known_hosts:1 > > >> debug2: bits set: 503/1024 > > >> debug1: ssh_rsa_verify: signature correct > > >> debug2: kex_derive_keys > > >> debug2: set_newkeys: mode 1 > > >> debug1: SSH2_MSG_NEWKEYS sent > > >> debug1: expecting SSH2_MSG_NEWKEYS > > >> debug3: Wrote 16 bytes for a total of 1015 > > >> debug2: set_newkeys: mode 0 > > >> debug1: SSH2_MSG_NEWKEYS received > > >> debug1: SSH2_MSG_SERVICE_REQUEST sent > > >> debug3: Wrote 48 bytes for a total of 1063 > > >> debug2: service_accept: ssh-userauth > > >> debug1: SSH2_MSG_SERVICE_ACCEPT received > > >> debug2: key: /home/mahmood/.ssh/identity > ((nil)) > > >> debug2: key: /home/mahmood/.ssh/id_rsa > ((nil)) > > >> debug2: key: /home/mahmood/.ssh/id_dsa > ((nil)) > > >> debug3: Wrote 64 bytes for a total of 1127 > > >> debug1: Authentications that can continue: > > publickey,password,hostbased > > >> debug3: start over, passed a different list > > publickey,password,hostbased > > >> debug3: preferred > > > gssapi-keyex,gssapi-with-mic,gssapi,hostbased,publickey,keyboard-interactive,password > > >> debug3: authmethod_lookup hostbased > > >> debug3: remaining preferred: > > publickey,keyboard-interactive,password > > >> debug3: authmethod_is_enabled hostbased > > >> debug1: Next authentication method: > hostbased > > >> debug2: userauth_hostbased: chost client. > > >> debug2: ssh_keysign called > > >> debug3: ssh_msg_send: type 2 > > >> debug3: ssh_msg_recv entering > > >> debug1: permanently_drop_suid: 1000 > > >> debug2: we sent a hostbased packet, wait for > > reply > > >> debug3: Wrote 608 bytes for a total of 1735 > > >> debug1: Authentications that can continue: > > publickey,password,hostbased > > >> debug2: userauth_hostbased: chost client. > > >> debug2: ssh_keysign called > > >> debug3: ssh_msg_send: type 2 > > >> debug3: ssh_msg_recv entering > > >> debug1: permanently_drop_suid: 1000 > > >> debug2: we sent a hostbased packet, wait for > > reply > > >> debug3: Wrote 672 bytes for a total of 2407 > > >> debug1: Authentications that can continue: > > publickey,password,hostbased > > >> debug1: No more client hostkeys for > hostbased > > authentication. > > >> debug2: we did not send a packet, disable > method > > >> debug3: authmethod_lookup publickey > > >> debug3: remaining preferred: > > keyboard-interactive,password > > >> debug3: authmethod_is_enabled publickey > > >> debug1: Next authentication method: > publickey > > >> debug1: Trying private key: > > /home/mahmood/.ssh/identity > > >> debug3: no such identity: > > /home/mahmood/.ssh/identity > > >> debug1: Trying private key: > > /home/mahmood/.ssh/id_rsa > > >> debug3: no such identity: > > /home/mahmood/.ssh/id_rsa > > >> debug1: Trying private key: > > /home/mahmood/.ssh/id_dsa > > >> debug3: no such identity: > > /home/mahmood/.ssh/id_dsa > > >> debug2: we did not send a packet, disable > method > > >> debug3: authmethod_lookup password > > >> debug3: remaining preferred: ,password > > >> debug3: authmethod_is_enabled password > > >> debug1: Next authentication method: password > > >> mahmood@server's password: > > >> > > >> > > >> Any idea about that? > > >> > > >> // Naderan *Mahmood; > > >> > > > > > > > > > > > -- > > Asif Iqbal > > PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu > > A: Because it messes up the order in which people > normally > > read text. > > Q: Why is top-posting such a bad thing? > > >
