Re: I am having serious difficulty getting host based authentication working with ssh

From: Brett (brett@peakcomm.org)
Date: 03/03/03

    Date: Mon, 03 Mar 2003 00:12:49 -0500
    From: Brett <brett@peakcomm.org>
    To: Roger <securityfocus@north-row.com>
    
    

    Thanks,

    I am getting closer but I am still having some problems even using ssh
    to localhost. I have learned that for some mysterious reason, not all
    of the options in the ssh_config file are being read when I execute
    ssh, even though they are under the section "*". I have had to place
    your recommended options on the command line to get them to work.
    The command I am running is:

    ssh -v -o "HostbasedAuthentication yes" \
        -o "PreferredAuthentications hostbased" \
        -o "RhostsRSAAuthentication no" \
        -o "RhostsAuthentication yes" \
        -o "StrictHostKeyChecking no" \
        -o "CheckHostIP no" \
        -o "UsePrivilegedPort yes" \
        -o "RSAAuthentication no" localhost -2

    It seems like rhost authentication is working all the way until the last
    check, when I am getting a "debug1: userauth_hostbased: no more
    client hostkeys" in the client debug. On the server the error is
    "check_key_in_hostfiles: key not found for xxxx". Does anyone have any
    idea why this is happening? I have disabled RSAAuthentication. The error
    looks like it is checking the host key.

    Attached is the dump of the client and server during this failed
    communication. Thanks in advance for any help you can give me. I am
    really getting frustrated. Hopefully, this can be resolved before I end up
    in the mental hospital. :)

    Thanks

    Brett

    Server dump

    debian.peakcomm.org.
    Mar 3 00:00:12 debian sshd[7511]: debug2: auth_rhosts2: clientuser root hostname debian.peakcomm.org ipaddr 127.0.0.1
    Mar 3 00:00:12 debian sshd[7511]: debug1: temporarily_use_uid: 0/0 (e=0)
    Mar 3 00:00:12 debian sshd[7511]: debug1: restore_uid
    Mar 3 00:00:12 debian sshd[7511]: debug1: temporarily_use_uid: 0/0 (e=0)
    Mar 3 00:00:12 debian sshd[7511]: debug1: restore_uid
    Mar 3 00:00:12 debian sshd[7511]: debug2: userauth_hostbased: access allowed by auth_rhosts2
    Mar 3 00:00:12 debian sshd[7511]: debug1: temporarily_use_uid: 0/0 (e=0)
    Mar 3 00:00:12 debian sshd[7511]: debug2: key_type_from_name: unknown key type '1024'
    Mar 3 00:00:12 debian sshd[7511]: debug1: restore_uid
    Mar 3 00:00:12 debian sshd[7511]: debug2: check_key_in_hostfiles: key not found for debian.peakcomm.org
    Mar 3 00:00:12 debian sshd[7511]: debug1: temporarily_use_uid: 0/0 (e=0)
    Mar 3 00:00:12 debian sshd[7511]: debug1: restore_uid
    Mar 3 00:00:12 debian sshd[7511]: debug2: check_key_in_hostfiles: key not found for debian.peakcomm.org
    Mar 3 00:00:12 debian sshd[7511]: debug1: Calling cleanup 0x8052b48(0x0)
    Mar 3 00:00:12 debian sshd[7511]: debug1: Calling cleanup 0x806be4c(0x0)

    Client dump
    debug1: next auth method to try is hostbased
    debug1: Remote: Accepted by .shosts.
    debug1: Remote: Accepted host debian.peakcomm.org ip 127.0.0.1 client_user root server_user root
    debug1: authentications that can continue: publickey,password,keyboard-interactive,hostbased
    debug1: Remote: Accepted by .shosts.
    debug1: Remote: Accepted host debian.peakcomm.org ip 127.0.0.1 client_user root server_user root
    debug1: authentications that can continue: publickey,password,keyboard-interactive,hostbased
    debug1: userauth_hostbased: no more client hostkeys
    debug1: no more auth methods to try
    Permission denied (publickey,password,keyboard-interactive,hostbased).
    debug1: Calling cleanup 0x8063a9c(0x0)

    Roger wrote:

    > Hi Brett,
    >
    > What I would do in this situation is go back to first principles and
    > start simply. How about trying to get it to work from localhost to
    > localhost and then think about host to host?
    >
    > I have Mandrake 9.1RC1. To test host-based auth (after installing the
    > relevant packages and starting sshd which created the host keys for
    > me), I did the following:
    >
    > [root@mandrake root]# echo "localhost root" > ~/.shosts && chmod 0400 ~/.shosts
    > [root@mandrake root]# echo "IgnoreRhosts no
    > HostbasedAuthentication yes" >> /etc/ssh/sshd_config
    > [root@mandrake root]# echo "HostbasedAuthentication yes" >> /etc/ssh/ssh_config
    > [root@mandrake root]# service sshd restart
    > [root@mandrake root]# ssh localhost
    >
    > Last login: Sat Mar 1 13:23:21 2003 from localhost
    > [root@mandrake root]#
    >
    > So now I can log in locally using host-based authentication. Next I
    > introduced another machine, the server I was going to ssh into using
    > host-based auth. This is a RedHat 8 server.
    >
    > RedHat servers tend to come with sshd already up and running by
    > default. This was my plan of action:
    >
    > [root@mandrake root]# scp /etc/ssh/ssh_host_dsa_key.pub redhat:/etc/ssh/ssh_known_hosts
    > Warning: Permanently added 'redhat,192.168.0.1' (DSA) to the list of known hosts.
    > root@redhat's password:
    > ssh_host_dsa_key.pub 100% |*****************************| 590 00:00
    > [root@mandrake root]# echo "192.168.0.2 mandrake" >> /etc/hosts # need to reverse map the ip
    > [root@mandrake ssh]# ssh redhat
    > root@redhat's password:
    > Last login: Sat Mar 1 12:54:33 2003 from mandrake
    > [root@redhat root]# ex -c "s/^/mandrake /|x" /etc/ssh/ssh_known_hosts # need to add the hostname to the key
    > [root@redhat root]# echo "192.168.0.2 mandrake" >> /etc/hosts # need to reverse map the ip
    > [root@redhat root]# echo "mandrake root" > ~/.shosts && chmod 0400 ~/.shosts
    > [root@redhat root]# echo "IgnoreRhosts no
    > HostbasedAuthentication yes" >> /etc/ssh/sshd_config
    > [root@redhat root]# echo "HostbasedAuthentication yes" >> /etc/ssh/ssh_config
    > [root@redhat root]# service sshd restart
    > [root@redhat root]# exit
    > Connection to redhat closed.
    > [root@mandrake root]# ssh redhat
    > Last login: Sat Mar 1 13:04:15 2003 from mandrake
    > [root@redhat root]#
    >
    > So now I can log into a remote machine using host-based auth. I hope
    > some of this helps you in your quest to get host-based auth working.
    >
    > Regards,
    >
    > Roger
    >
    > Miller Brett wrote:
    >
    >> Please help (I will give you my first born child!! :) ),
    >> I have been working on getting host based authentication using
    >> .rhosts, .rhosts, hosts.equiv, shosts.equiv and nothing seems to be
    >> working correctly. I do not want to use RhostsAuthentication, not
    >> RhostsRSAAuthentication, I want ssh to function just like the "r"
    >> protocols. I have rsh and rlogin working great but for some reason I
    >> cannot get ssh to work like rsh or rlogin. I have searched the internet
    >> looking for posts on the subject and the others seem very
    >> straightforward but my setup will not work. My system is Debian
    >> 3.0 but I have also tried to get this working on a Red Hat box with
    >> the same results.
    >>
    >> This is the auth log of sshd when I try to connect from another
    >> host. It seems like PAM always tries to authenticate through a password
    >> and does not allow the client to authenticate with a rhosts file. How
    >> do I tell PAM not to require a password for .rhosts authentication? I
    >> have tried to copy the /etc/pam.d/rlogin authentication method to the
    >> /etc/pam.d/ssh authentication page but it does not work. The cause may
    >> not be PAM but it seems like a possibility.
    >>
    >> Any help would be greatly appreciated because I am getting cross-eyed
    >> looking at this. Thanks in advance.
    >>
    >> Brett
    >>
    > <snip>
    >
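
The server dump above shows sshd rejecting '1024' as a key type name just before "check_key_in_hostfiles: key not found"; a number in that field matches the SSH protocol 1 known_hosts layout (hostnames, bits, exponent, modulus), while the client was run with -2. The following is an added example, not part of the thread: a shell check that reports which kind of entry a known_hosts-style file holds for a host. The function names are hypothetical and the sample entries are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example; function names and sample data are hypothetical/constructed.

# classify_known_hosts FILE HOST
# One output line per relevant entry: "<lineno> <class> <detail>"
#   proto2  entry for HOST with a named key type (ssh-rsa, ssh-dss)
#   proto1  entry for HOST in protocol 1 layout: bits exponent modulus
#   nohost  line starts with a key type, i.e. a raw *.pub with no host field
# Host names are compared exactly; wildcard patterns are not expanded.
classify_known_hosts() {
    awk -v host="$2" '
    NF == 0 || $1 ~ /^#/ { next }
    $1 ~ /^ssh-(rsa|dss)$/ { print NR, "nohost", $1; next }
    {
        n = split($1, names, ",")
        hit = 0
        for (i = 1; i <= n; i++) if (names[i] == host) hit = 1
        if (!hit) next
        if ($2 ~ /^[0-9]+$/) print NR, "proto1", $2
        else print NR, "proto2", $2
    }' "$1"
}

# has_proto2_key FILE HOST: exit 0 only if HOST has a protocol 2 key entry.
has_proto2_key() {
    classify_known_hosts "$1" "$2" | grep -q ' proto2 '
}

# Constructed sample file (key material is placeholder text, not real keys).
sample_known_hosts() {
    cat <<'EOF'
debian.peakcomm.org 1024 35 1234567890123 root@debian
mandrake,192.168.0.2 ssh-dss AAAAB3NzaC1kc3MAAACBCONSTRUCTED root@mandrake
ssh-rsa AAAAB3NzaC1yc2EAAAABCONSTRUCTED root@redhat
EOF
}

tmp=$(mktemp)
sample_known_hosts > "$tmp"
for h in debian.peakcomm.org mandrake; do
    echo "== $h"
    classify_known_hosts "$tmp" "$h"
    has_proto2_key "$tmp" "$h" && echo "protocol 2 key present" \
        || echo "no protocol 2 key for $h"
done
rm -f "$tmp"
```

On a real system the file argument would be /etc/ssh/ssh_known_hosts on the server and the host argument the client's name as the server resolves it.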

