ssh2 hostbased auth in 3.4
From: Jackson, Jonah (jjackson_at_iknowmed.com)
Date: 06/18/03
Date: Tue, 17 Jun 2003 17:46:53 -0700
To: <secureshell@securityfocus.com>
I'm using the Redhat rpm for 3.4p1 and am right on the edge of getting hostbased auth to work, but I'm getting an error message that I'm not able to track down.
I've done the following
-----------------------
Server Side:
- created /etc/ssh/ssh_known_hosts and added an entry for the client's rsa public key.
- added an entry for the client in $HOME/.shosts of the user I want to enable hostbased auth for
- edited /etc/sshd_config:
HostbasedAuthentication yes
IgnoreRhosts no
Client Side
- enabled HostbasedAuthentication in /etc/ssh_config
Everything looks like it's working except at the very end, the server side reports the following:
debug3: monitor_read: checking request 22
mm_answer_keyverify: bad signature data blob
debug1: Calling cleanup 0x80549c0(0x0)
debug1: Calling cleanup 0x8071110(0x0)
debug1: Calling cleanup 0x8071110(0x0)
I've looked through this mailing list and the developer list and I can't find anything that refers to this particular error message. I know there are a bunch of threads on hostbased auth so I'm probably missing something very obvious here, but any help would be appreciated.
Thanks.
Jonah Jackson
Senior Network Engineer
iKnowMed
jjackson@iknowmed.com
Full Server Side Debug (you'll have to forgive me for the *replaced ip* and *replaced hostname* bits, but rest assured that they are the correct name and address):
Connection from *replaced ip* port 38593
debug1: Client protocol version 2.0; client software version OpenSSH_3.4p1
debug1: match: OpenSSH_3.4p1 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.4p1
debug2: Network child is on pid 18275
debug3: preauth child monitor started
debug3: mm_request_receive entering
debug3: privsep user:group 74:74
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug3: mm_request_send entering: type 0
debug3: monitor_read: checking request 0
debug3: mm_answer_moduli: got parameters: 1024 2048 8192
debug3: mm_request_send entering: type 1
debug2: monitor_read: 0 used once, disabling now
debug3: mm_request_receive entering
debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI
debug3: mm_request_receive_expect entering: type 1
debug3: mm_request_receive entering
debug3: mm_choose_dh: remaining 0
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: dh_gen_key: priv key bits set: 122/256
debug1: bits set: 1607/3191
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: bits set: 1575/3191
debug3: mm_key_sign entering
debug3: mm_request_send entering: type 4
debug3: monitor_read: checking request 4
debug3: mm_answer_sign
debug3: mm_answer_sign: signature 0x80a4c68(143)
debug3: mm_request_send entering: type 5
debug2: monitor_read: 4 used once, disabling now
debug3: mm_request_receive entering
debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN
debug3: mm_request_receive_expect entering: type 5
debug3: mm_request_receive entering
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user ******* service ssh-connection method none
debug1: attempt 0 failures 0
debug3: mm_getpwnamallow entering
debug3: mm_request_send entering: type 6
debug3: monitor_read: checking request 6
debug3: mm_answer_pwnamallow
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
debug3: mm_request_send entering: type 7
debug2: monitor_read: 6 used once, disabling now
debug3: mm_request_receive entering
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
debug3: mm_request_receive_expect entering: type 7
debug3: mm_request_receive entering
debug2: input_userauth_request: setting up authctxt for *******
debug3: mm_start_pam entering
debug3: mm_request_send entering: type 37
debug3: monitor_read: checking request 37
debug1: Starting up PAM with username "*******"
debug3: Trying to reverse map address *replaced ip*.
debug3: mm_inform_authserv entering
debug3: mm_request_send entering: type 3
debug2: input_userauth_request: try method none
debug3: mm_auth2_read_banner entering
debug3: mm_request_send entering: type 8
debug3: mm_request_receive_expect entering: type 9
debug3: mm_request_receive entering
debug1: PAM setting rhost to "colo-manage02.ikmcolo.com"
debug2: monitor_read: 37 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 3
debug3: mm_answer_authserv: service=ssh-connection, style=
debug2: monitor_read: 3 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 8
debug3: mm_request_send entering: type 9
debug2: monitor_read: 8 used once, disabling now
debug3: mm_request_receive entering
debug1: userauth_banner: sent
debug3: mm_auth_password entering
debug3: mm_request_send entering: type 10
debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
debug3: mm_request_receive_expect entering: type 11
debug3: mm_request_receive entering
debug3: monitor_read: checking request 10
debug3: mm_answer_authpassword: sending result 0
debug3: mm_request_send entering: type 11
Failed none for ******* from *replaced ip* port 38593 ssh2
debug3: mm_request_receive entering
debug3: mm_auth_password: user not authenticated
Failed none for ******* from *replaced ip* port 38593 ssh2
debug1: userauth-request for user ******* service ssh-connection method hostbased
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method hostbased
debug1: userauth_hostbased: cuser ******* chost *replaced hostname* pkalg ssh-dss slen 55
debug3: mm_key_allowed entering
debug3: mm_request_send entering: type 20
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
debug3: mm_request_receive_expect entering: type 21
debug3: mm_request_receive entering
debug3: monitor_read: checking request 20
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 0x80a8640
debug2: userauth_hostbased: chost *replaced hostname* resolvedname *replaced hostname* ipaddr *replaced ip*
debug2: auth_rhosts2: clientuser ******* hostname *replaced hostname* ipaddr *replaced hostname*
debug1: temporarily_use_uid: 510/510 (e=0)
debug1: restore_uid
debug1: temporarily_use_uid: 510/510 (e=0)
debug1: restore_uid
debug2: userauth_hostbased: access allowed by auth_rhosts2
debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts
debug3: key_read: type mismatch
debug1: temporarily_use_uid: 510/510 (e=0)
debug3: check_host_in_hostfile: filename /home/*******/.ssh/known_hosts
debug1: restore_uid
debug2: check_key_in_hostfiles: key not found for *replaced hostname*
debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts2
debug1: temporarily_use_uid: 510/510 (e=0)
debug3: check_host_in_hostfile: filename /home/*******/.ssh/known_hosts2
debug1: restore_uid
debug2: check_key_in_hostfiles: key not found for *replaced hostname*
debug3: mm_answer_keyallowed: key 0x80a8640 is disallowed
debug3: mm_append_debug: Appending debug messages for child
debug3: mm_request_send entering: type 21
debug3: mm_request_receive entering
debug3: mm_send_debug: Sending debug: Accepted by .shosts.
debug3: mm_send_debug: Sending debug: Accepted host *replaced hostname* ip *replaced hostname* client_user ******* server_user *******
debug2: userauth_hostbased: authenticated 0
Failed hostbased for ******* from *replaced ip* port 38593 ssh2
debug1: userauth-request for user ******* service ssh-connection method hostbased
debug1: attempt 2 failures 2
debug2: input_userauth_request: try method hostbased
debug1: userauth_hostbased: cuser ******* chost *replaced hostname* pkalg ssh-rsa slen 143
debug3: mm_key_allowed entering
debug3: mm_request_send entering: type 20
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
debug3: mm_request_receive_expect entering: type 21
debug3: mm_request_receive entering
debug3: monitor_read: checking request 20
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 0x80a8b58
debug2: userauth_hostbased: chost *replaced hostname* resolvedname *replaced hostname* ipaddr *replaced ip*
debug2: auth_rhosts2: clientuser ******* hostname *replaced hostname* ipaddr *replaced hostname*
debug1: temporarily_use_uid: 510/510 (e=0)
debug1: restore_uid
debug1: temporarily_use_uid: 510/510 (e=0)
debug1: restore_uid
debug2: userauth_hostbased: access allowed by auth_rhosts2
debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts
debug3: check_host_in_hostfile: match line 1
debug2: check_key_in_hostfiles: key ok for *replaced hostname*
debug3: mm_answer_keyallowed: key 0x80a8b58 is allowed
debug3: mm_append_debug: Appending debug messages for child
debug3: mm_request_send entering: type 21
debug3: mm_request_receive entering
debug3: mm_send_debug: Sending debug: Accepted by .shosts.
debug3: mm_send_debug: Sending debug: Accepted host *replaced hostname* ip *replaced hostname* client_user ******* server_user *******
debug3: mm_key_verify entering
debug3: mm_request_send entering: type 22
debug3: mm_key_verify: waiting for MONITOR_ANS_KEYVERIFY
debug3: mm_request_receive_expect entering: type 23
debug3: mm_request_receive entering
debug3: monitor_read: checking request 22
mm_answer_keyverify: bad signature data blob
debug1: Calling cleanup 0x80549c0(0x0)
debug1: Calling cleanup 0x8071110(0x0)
debug1: Calling cleanup 0x8071110(0x0)
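
An added example, not part of the original post: a short Python triage of the hostbased attempts in the debug output above, reporting for each offered key type the stage at which the attempt stopped. The function and field names are hypothetical, and the sample lines are copied from the posted log with its redactions left in place.

```python
import re

# Lines excerpted from the server-side debug output in the post above.
SAMPLE_LOG = """\
debug1: userauth_hostbased: cuser ******* chost *replaced hostname* pkalg ssh-dss slen 55
debug2: userauth_hostbased: access allowed by auth_rhosts2
debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts
debug3: key_read: type mismatch
debug3: mm_answer_keyallowed: key 0x80a8640 is disallowed
debug2: userauth_hostbased: authenticated 0
debug1: userauth_hostbased: cuser ******* chost *replaced hostname* pkalg ssh-rsa slen 143
debug2: userauth_hostbased: access allowed by auth_rhosts2
debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts
debug3: check_host_in_hostfile: match line 1
debug3: mm_answer_keyallowed: key 0x80a8b58 is allowed
mm_answer_keyverify: bad signature data blob
"""

START = re.compile(r"userauth_hostbased: cuser .* pkalg (\S+) slen (\d+)")

def triage_hostbased(log_text):
    """Return one dict per hostbased attempt, noting where it stopped."""
    attempts, cur, last_file = [], None, None
    for line in log_text.splitlines():
        line = line.rstrip()
        m = START.search(line)
        if m:  # a new attempt begins with each offered host key
            cur = {"pkalg": m.group(1), "slen": int(m.group(2)), "rhosts": None,
                   "matched_in": None, "host_key": None, "stopped_at": None}
            attempts.append(cur)
        elif cur is None:
            continue
        elif "access allowed by auth_rhosts2" in line:
            cur["rhosts"] = True
        elif "check_host_in_hostfile: filename " in line:
            last_file = line.split("filename ", 1)[1]
        elif "check_host_in_hostfile: match line" in line:
            cur["matched_in"] = last_file
        elif "mm_answer_keyallowed: key" in line:
            cur["host_key"] = line.endswith(" is allowed")
            if not cur["host_key"]:
                cur["stopped_at"] = "host key lookup"
        elif line.startswith("mm_answer_keyverify:"):
            cur["stopped_at"] = "signature verification"
            cur["error"] = line.split(": ", 1)[1]
    return attempts

if __name__ == "__main__":
    for a in triage_hostbased(SAMPLE_LOG):
        print(a["pkalg"], "->", a["stopped_at"], a.get("error", ""))
```
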