Re: problem with HostbasedAuthentication

I may have missed some of the details, so I apologize if this has been covered, but if you want to do host-based authentication, the SSH configs (client and server) need:

HostbasedAuthentication yes

If you need to change the configs, restart SSHD.

service sshd restart

The server has to allow the connections from the remote host. So the remote host's public key, from /etc/ssh/ssh_host_(r|d)sa_key.pub, has to be in /etc/ssh/ssh_known_hosts2, and as stated, you may want to place a comma-separated list of shortname, FQDN and IP before the start of the key so it matches any of those iterations.

Finally, you also need to include the hostname in the user's .shosts file on the server. You said you have this:

mahmood@server:~$ cat .shosts
client.domain mahmood

That doesn't look right to me. It should just be hostname followed by a user, unless you just want to allow in connections as the user.

mahmood@server:~$ cat .shosts
mahmood.domain.com

OR

mahmood@server:~$ cat .shosts
mahmood.domain.com myaccount
mahmood.domain.com anotheruser

Good luck.

Tim
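As an added example (not from Tim, Sharad or the original poster), a small POSIX sh script that checks offline the three things this thread keeps coming back to: that the known_hosts entry covers short name, FQDN and IP, that .shosts admits the client host and user, and that .ssh is rwx for the owner only. The host names, IP and key blob are constructed to mirror Sharad's example; the .shosts rules follow Tim's description (a bare hostname admits only the same user name).

```sh
#!/bin/sh
# Added example, not from the thread. Offline checks for the files host-based
# authentication depends on; host names, IPs and the key blob are constructed.

# 0 if every name after the file appears as an item of the comma-separated
# host field of some known_hosts line (hashed entries are not handled).
kh_covers() {
    kh=$1; shift
    for name in "$@"; do
        awk -v n="$name" '
            !/^#/ && NF >= 3 { split($1, a, ","); for (i in a) if (a[i] == n) found = 1 }
            END { exit (found ? 0 : 1) }' "$kh" || return 1
    done
}

# 0 if .shosts admits client_user coming from host as server_user.
# A bare "host" line permits only the same user name on both sides;
# a "host user" line permits that client user whatever the server account.
shosts_allows() {
    file=$1 host=$2 client_user=$3 server_user=$4
    awk -v h="$host" -v cu="$client_user" -v su="$server_user" '
        $1 == h && ((NF == 1 && cu == su) || (NF >= 2 && $2 == cu)) { ok = 1 }
        END { exit (ok ? 0 : 1) }' "$file"
}

# 0 if the directory is rwx for its owner only, as Sharad advises for ~/.ssh.
dir_owner_only() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "drwx------" ]
}

# Constructed sample files modelled on Sharad's example entries.
make_samples() {
    d=$(mktemp -d)
    echo '192.168.1.101,lnx_clnt_101,lnx_clnt_101.domain.com ssh-rsa AAAAB3Nz...PLACEHOLDER' > "$d/known_hosts"
    printf '%s\n' 'lnx_clnt_101.domain.com mahmood' '192.168.1.101 mahmood' \
        'lnx_clnt_101 mahmood' 'lnx_clnt_101' > "$d/shosts"
    mkdir "$d/.ssh" && chmod 700 "$d/.ssh"
    echo "$d"
}

# Stand-alone demo; "client.domain" from the original post is not in the
# sample .shosts, so that check reports a failure.
d=$(make_samples)
kh_covers "$d/known_hosts" lnx_clnt_101 lnx_clnt_101.domain.com 192.168.1.101 && echo "known_hosts covers short name, FQDN and IP: ok"
shosts_allows "$d/shosts" lnx_clnt_101.domain.com mahmood mahmood && echo ".shosts admits mahmood from lnx_clnt_101.domain.com: ok"
shosts_allows "$d/shosts" client.domain mahmood mahmood || echo ".shosts has no entry matching client.domain: FAIL"
dir_owner_only "$d/.ssh" && echo ".ssh is owner-only: ok"
rm -rf "$d"
```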

On Apr 28, 2011, at 1:42 PM, Mahmood Naderan wrote:

> Dear Sharad,
> I am now trying to set up hostbased ssh from server to client (previously client->server worked fine based on your help). I want it to be bidirectional.
>  
> I did the same thing in reverse (now the client becomes server and the server becomes client). However this is what I get while trying to ssh from server to client:
>  
>  
> debug3: Wrote 48 bytes for a total of 1063
> debug2: service_accept: ssh-userauth
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug2: key: /home/mahmood/.ssh/identity ((nil))
> debug2: key: /home/mahmood/.ssh/id_rsa ((nil))
> debug2: key: /home/mahmood/.ssh/id_dsa ((nil))
> debug3: Wrote 64 bytes for a total of 1127
> debug1: Authentications that can continue: publickey,password,hostbased
> debug3: start over, passed a different list publickey,password,hostbased
> debug3: preferred gssapi-keyex,gssapi-with-mic,gssapi,hostbased,publickey,keyboard-interactive,password
> debug3: authmethod_lookup hostbased
> debug3: remaining preferred: publickey,keyboard-interactive,password
> debug3: authmethod_is_enabled hostbased
> debug1: Next authentication method: hostbased
> get_socket_address: getnameinfo 8 failed: Name or service not known
> debug2: userauth_hostbased: chost server.
> debug2: ssh_keysign called
> debug3: ssh_msg_send: type 2
> debug3: ssh_msg_recv entering
> debug1: permanently_drop_suid: 1000
> get_socket_address: getnameinfo 8 failed: Name or service not known
> cannot get sockname for fd
> ssh_keysign: no reply
> key_sign failed
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup publickey
> debug3: remaining preferred: keyboard-interactive,password
> debug3: authmethod_is_enabled publickey
> debug1: Next authentication method: publickey
> debug1: Trying private key: /home/mahmood/.ssh/identity
> debug3: no such identity: /home/mahmood/.ssh/identity
> debug1: Trying private key: /home/mahmood/.ssh/id_rsa
> debug3: no such identity: /home/mahmood/.ssh/id_rsa
> debug1: Trying private key: /home/mahmood/.ssh/id_dsa
> debug3: no such identity: /home/mahmood/.ssh/id_dsa
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup password
> debug3: remaining preferred: ,password
> debug3: authmethod_is_enabled password
> debug1: Next authentication method: password
> mahmood@xxxxxxxxxxx's password:
> 
>  
> What is your suggestion?
> 
> // Naderan *Mahmood;
> 
> 
> ----- Original Message -----
> From: Sharad <sharad2011@xxxxxxxxx>
> To: Mahmood Naderan <nt_mahmood@xxxxxxxxx>
> Cc: "secureshell@xxxxxxxxxxxxxxxxx" <secureshell@xxxxxxxxxxxxxxxxx>
> Sent: Thursday, April 28, 2011 5:20 PM
> Subject: Re: problem with HostbasedAuthentication
> 
> Mahmood, 
> 
> The files are /home/username/.ssh/known_hosts on both server and client.
> 
> By FQDN, I meant host's fully qualified domain name. 
> 
> Following is the example:
> 
> Assuming both client and server are linux hosts:
> 
> Server IP: 192.168.1.1
> Client IP: 192.168.1.101
> 
> Server Name: lnx_srvr_1.domain.com
> Client Name: lnx_clnt_101.domain.com
> 
> User name on each host is mahmood.
> 
> Following would be the entries in .shosts on lnx_srvr_1
> 
> 
> lnx_srvr_1:/home/mahmood $ cat .shosts
> 
> lnx_clnt_101.domain.com mahmood
> 192.168.1.101 mahmood
> lnx_clnt_101 mahmood
> 
> Following should exist in /home/mahmood/.ssh/known_hosts file on the server side:
> 192.168.1.101,lnx_clnt_101,lnx_clnt_101.domain.com  ssh-rsa AAAAB3Nz...
> 
> Following should also exist in /home/mahmood/.ssh/known_hosts file on the client side:
> 192.168.1.1,lnx_srvr_1,lnx_srvr_1.domain.com  ssh-rsa AAAAB3Nz...
> 
> Ensure that the .ssh directory on both client and server is rwx for owner only and group/rest of world is 000.
> 
> Hope this helps! Good Luck! :)
> 
> Regards,
> Sharad  
> --- On Thu, 28/4/11, Mahmood Naderan <nt_mahmood@xxxxxxxxx> wrote:
> 
>> From: Mahmood Naderan <nt_mahmood@xxxxxxxxx>
>> Subject: Re: problem with HostbasedAuthentication
>> To: "Sharad" <sharad2011@xxxxxxxxx>
>> Cc: "secureshell@xxxxxxxxxxxxxxxxx" <secureshell@xxxxxxxxxxxxxxxxx>
>> Date: Thursday, 28 April, 2011, 3:54 PM
>> Can you explain exactly which file I should edit? What is FQDN? By 'hostname', do you mean server hostname or client hostname?
>> Should I do that on both sides or server side?...
>> 
>> // Naderan *Mahmood;
>> 
>> 
>> ----- Original Message -----
>> From: Sharad <sharad2011@xxxxxxxxx>
>> To: Mahmood Naderan <nt_mahmood@xxxxxxxxx>;
>> Asif Iqbal <vadud3@xxxxxxxxx>
>> Cc: "secureshell@xxxxxxxxxxxxxxxxx"
>> <secureshell@xxxxxxxxxxxxxxxxx>
>> Sent: Thursday, April 28, 2011 1:16 PM
>> Subject: Re: problem with HostbasedAuthentication
>> 
>> Sometimes the issue lies with hostname as well. What I mean
>> with that is the known_hosts may have just the host name
>> where as when the connection is established, the debug shows
>> the FQDN. I faced this issue so to be sure, I edited the
>> known_hosts file and inserted the hostname, hostname's FQDN
>> and it's IP address (all comma separated).
>> 
>> Also ensure that both hosts' known_hosts files have the opposite server's names (as prescribed above). 
>> 
>> All the above checks make it work for me.
>> 
>> Hope this solves.
>> 
>> Kind regards,
>> Sharad
>> --- On Thu, 28/4/11, Asif Iqbal <vadud3@xxxxxxxxx>
>> wrote:
>> 
>>> From: Asif Iqbal <vadud3@xxxxxxxxx>
>>> Subject: Re: problem with HostbasedAuthentication
>>> To: "Mahmood Naderan" <nt_mahmood@xxxxxxxxx>
>>> Cc: "secureshell@xxxxxxxxxxxxxxxxx" <secureshell@xxxxxxxxxxxxxxxxx>
>>> Date: Thursday, 28 April, 2011, 12:38 AM
>>> On Wed, Apr 27, 2011 at 1:12 AM, Mahmood Naderan <nt_mahmood@xxxxxxxxx> wrote:
>>>>> Change the order method. Have hostbased before password
>>>> 
>>>> Sorry where should I do that?
>>> 
>>> man ssh_config and look into PreferredAuthentications
>>> 
>>>> 
>>>> // Naderan *Mahmood;
>>>> 
>>>> From: Asif Iqbal <vadud3@xxxxxxxxx>
>>>> To: Mahmood Naderan <nt_mahmood@xxxxxxxxx>
>>>> Cc: "secureshell@xxxxxxxxxxxxxxxxx" <secureshell@xxxxxxxxxxxxxxxxx>
>>>> Sent: Wednesday, April 27, 2011 9:17 AM
>>>> Subject: Re: problem with HostbasedAuthentication
>>>> 
>>>> 
>>>> Change the order method. Have hostbased before password
>>>> On Apr 26, 2011 11:52 PM, "Mahmood Naderan" <nt_mahmood@xxxxxxxxx> wrote:
>>>>> 
>>>>> 
>>>>> Hi,
>>>>> I am trying to set up hostbased passwordless ssh from a client to a server using this guide http://www.ehow.com/how_7621307_set-up-hostbased-authentication.html.
>>>>> 
>>>>> The client looks like:
>>>>> 
>>>>> mahmood@client:~$ cat /etc/ssh/ssh_config | grep "HostbasedAuthentication"
>>>>>    HostbasedAuthentication yes
>>>>> mahmood@client:~$ cat /etc/ssh/ssh_config | grep "EnableSSHKeysign"
>>>>>    EnableSSHKeysign yes
>>>>> 
>>>>> 
>>>>> and the server looks like:
>>>>> mahmood@server:~$ cat /etc/ssh/sshd_config | grep "HostbasedAuthentication"
>>>>> HostbasedAuthentication yes
>>>>> mahmood@server:~$ cat /etc/ssh/sshd_config | grep "IgnoreRhosts"
>>>>> IgnoreRhosts no
>>>>> 
>>>>> also the server has the key for client:
>>>>> 
>>>>> mahmood@server:~$ cat /etc/ssh/ssh_known_hosts
>>>>> client ssh-rsa AAAAB3Nz.....
>>>>> 
>>>>> the ~/.shosts file on the server contains:
>>>>> mahmood@server:~$ cat .shosts
>>>>> client.domain mahmood
>>>>> 
>>>>> Then on both server and client, the ssh service is restarted:
>>>>> mahmood@client:~$ sudo service ssh restart
>>>>> ssh start/running, process 1355
>>>>> mahmood@server:~$ sudo service ssh restart
>>>>> ssh start/running, process 28982
>>>>> 
>>>>> Now, when I run "ssh -vvv server" from client (to show the verbose messages), I still get the password prompt.
>>>>> 
>>>>> mahmood@client:~$ ssh -vvv server
>>>>> OpenSSH_5.3p1 Debian-3ubuntu6, OpenSSL 0.9.8k 25 Mar 2009
>>>>> debug1: Reading configuration data /etc/ssh/ssh_config
>>>>> debug1: Applying options for *
>>>>> debug2: ssh_connect: needpriv 0
>>>>> debug1: Connecting to server [192.168.1.1] port 22.
>>>>> debug1: Connection established.
>>>>> debug1: identity file /home/mahmood/.ssh/identity type -1
>>>>> debug1: identity file /home/mahmood/.ssh/id_rsa type -1
>>>>> debug1: identity file /home/mahmood/.ssh/id_dsa type -1
>>>>> debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3p1 Debian-3ubuntu4
>>>>> debug1: match: OpenSSH_5.3p1 Debian-3ubuntu4 pat OpenSSH*
>>>>> debug1: Enabling compatibility mode for protocol 2.0
>>>>> debug1: Local version string SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu6
>>>>> debug2: fd 3 setting O_NONBLOCK
>>>>> debug1: SSH2_MSG_KEXINIT sent
>>>>> debug3: Wrote 792 bytes for a total of 831
>>>>> debug1: SSH2_MSG_KEXINIT received
>>>>> debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
>>>>> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
>>>>> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@xxxxxxxxxxxxxx
>>>>> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@xxxxxxxxxxxxxx
>>>>> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@xxxxxxxxxxx,hmac-ripemd160,hmac-ripemd160@xxxxxxxxxxx,hmac-sha1-96,hmac-md5-96
>>>>> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@xxxxxxxxxxx,hmac-ripemd160,hmac-ripemd160@xxxxxxxxxxx,hmac-sha1-96,hmac-md5-96
>>>>> debug2: kex_parse_kexinit: none,zlib@xxxxxxxxxxx,zlib
>>>>> debug2: kex_parse_kexinit: none,zlib@xxxxxxxxxxx,zlib
>>>>> debug2: kex_parse_kexinit:
>>>>> debug2: kex_parse_kexinit:
>>>>> debug2: kex_parse_kexinit: first_kex_follows 0
>>>>> debug2: kex_parse_kexinit: reserved 0
>>>>> debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
>>>>> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
>>>>> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@xxxxxxxxxxxxxx
>>>>> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@xxxxxxxxxxxxxx
>>>>> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@xxxxxxxxxxx,hmac-ripemd160,hmac-ripemd160@xxxxxxxxxxx,hmac-sha1-96,hmac-md5-96
>>>>> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@xxxxxxxxxxx,hmac-ripemd160,hmac-ripemd160@xxxxxxxxxxx,hmac-sha1-96,hmac-md5-96
>>>>> debug2: kex_parse_kexinit: none,zlib@xxxxxxxxxxx
>>>>> debug2: kex_parse_kexinit: none,zlib@xxxxxxxxxxx
>>>>> debug2: kex_parse_kexinit:
>>>>> debug2: kex_parse_kexinit:
>>>>> debug2: kex_parse_kexinit: first_kex_follows 0
>>>>> debug2: kex_parse_kexinit: reserved 0
>>>>> debug2: mac_setup: found hmac-md5
>>>>> debug1: kex: server->client aes128-ctr hmac-md5 none
>>>>> debug2: mac_setup: found hmac-md5
>>>>> debug1: kex: client->server aes128-ctr hmac-md5 none
>>>>> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
>>>>> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
>>>>> debug3: Wrote 24 bytes for a total of 855
>>>>> debug2: dh_gen_key: priv key bits set: 124/256
>>>>> debug2: bits set: 507/1024
>>>>> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
>>>>> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
>>>>> debug3: Wrote 144 bytes for a total of 999
>>>>> debug3: check_host_in_hostfile: filename /home/mahmood/.ssh/known_hosts
>>>>> debug3: check_host_in_hostfile: match line 1
>>>>> debug3: check_host_in_hostfile: filename /home/mahmood/.ssh/known_hosts
>>>>> debug3: check_host_in_hostfile: match line 2
>>>>> debug1: Host 'server' is known and matches the RSA host key.
>>>>> debug1: Found key in /home/mahmood/.ssh/known_hosts:1
>>>>> debug2: bits set: 503/1024
>>>>> debug1: ssh_rsa_verify: signature correct
>>>>> debug2: kex_derive_keys
>>>>> debug2: set_newkeys: mode 1
>>>>> debug1: SSH2_MSG_NEWKEYS sent
>>>>> debug1: expecting SSH2_MSG_NEWKEYS
>>>>> debug3: Wrote 16 bytes for a total of 1015
>>>>> debug2: set_newkeys: mode 0
>>>>> debug1: SSH2_MSG_NEWKEYS received
>>>>> debug1: SSH2_MSG_SERVICE_REQUEST sent
>>>>> debug3: Wrote 48 bytes for a total of 1063
>>>>> debug2: service_accept: ssh-userauth
>>>>> debug1: SSH2_MSG_SERVICE_ACCEPT received
>>>>> debug2: key: /home/mahmood/.ssh/identity ((nil))
>>>>> debug2: key: /home/mahmood/.ssh/id_rsa ((nil))
>>>>> debug2: key: /home/mahmood/.ssh/id_dsa ((nil))
>>>>> debug3: Wrote 64 bytes for a total of 1127
>>>>> debug1: Authentications that can continue: publickey,password,hostbased
>>>>> debug3: start over, passed a different list publickey,password,hostbased
>>>>> debug3: preferred gssapi-keyex,gssapi-with-mic,gssapi,hostbased,publickey,keyboard-interactive,password
>>>>> debug3: authmethod_lookup hostbased
>>>>> debug3: remaining preferred: publickey,keyboard-interactive,password
>>>>> debug3: authmethod_is_enabled hostbased
>>>>> debug1: Next authentication method: hostbased
>>>>> debug2: userauth_hostbased: chost client.
>>>>> debug2: ssh_keysign called
>>>>> debug3: ssh_msg_send: type 2
>>>>> debug3: ssh_msg_recv entering
>>>>> debug1: permanently_drop_suid: 1000
>>>>> debug2: we sent a hostbased packet, wait for reply
>>>>> debug3: Wrote 608 bytes for a total of 1735
>>>>> debug1: Authentications that can continue: publickey,password,hostbased
>>>>> debug2: userauth_hostbased: chost client.
>>>>> debug2: ssh_keysign called
>>>>> debug3: ssh_msg_send: type 2
>>>>> debug3: ssh_msg_recv entering
>>>>> debug1: permanently_drop_suid: 1000
>>>>> debug2: we sent a hostbased packet, wait for reply
>>>>> debug3: Wrote 672 bytes for a total of 2407
>>>>> debug1: Authentications that can continue: publickey,password,hostbased
>>>>> debug1: No more client hostkeys for hostbased authentication.
>>>>> debug2: we did not send a packet, disable method
>>>>> debug3: authmethod_lookup publickey
>>>>> debug3: remaining preferred: keyboard-interactive,password
>>>>> debug3: authmethod_is_enabled publickey
>>>>> debug1: Next authentication method: publickey
>>>>> debug1: Trying private key: /home/mahmood/.ssh/identity
>>>>> debug3: no such identity: /home/mahmood/.ssh/identity
>>>>> debug1: Trying private key: /home/mahmood/.ssh/id_rsa
>>>>> debug3: no such identity: /home/mahmood/.ssh/id_rsa
>>>>> debug1: Trying private key: /home/mahmood/.ssh/id_dsa
>>>>> debug3: no such identity: /home/mahmood/.ssh/id_dsa
>>>>> debug2: we did not send a packet, disable method
>>>>> debug3: authmethod_lookup password
>>>>> debug3: remaining preferred: ,password
>>>>> debug3: authmethod_is_enabled password
>>>>> debug1: Next authentication method: password
>>>>> mahmood@server's password:
>>>>> 
>>>>> 
>>>>> Any idea about that?
>>>>> 
>>>>> // Naderan *Mahmood;
>>>>> 
>>>> 
>>> 
>>> 
>>> 
>>> -- 
>>> Asif Iqbal
>>> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
>>> A: Because it messes up the order in which people normally read text.
>>> Q: Why is top-posting such a bad thing?
>>> 
>> 
> 



