Re: ssh2 hostbased auth fails

From: Shahrizal Shaari (shahrizal_at_advi.co.jp)
Date: 08/12/03

    To: "Alberto Guglielmo" <a.guglielmo@tcpsas.com>, <secureshell@securityfocus.com>
    Date: Tue, 12 Aug 2003 09:30:41 +0900
    
    

    Hi,

    Actually the ssh client works fine, the problem is the scp and sftp client.
    I kept getting the connection failed message.
    Here is my configuration file.

    # $OpenBSD: sshd_config,v 1.38 2001/04/15 21:41:29 deraadt Exp $

    # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

    # This is the sshd server system-wide configuration file. See sshd(8)
    # for more information.

    Port 22
    Protocol 2,1
    #ListenAddress 0.0.0.0
    #ListenAddress ::
    HostKey /etc/ssh/ssh_host_key
    HostKey /etc/ssh/ssh_host_rsa_key
    HostKey /etc/ssh/ssh_host_dsa_key
    ServerKeyBits 768
    LoginGraceTime 600
    KeyRegenerationInterval 3600
    PermitRootLogin yes
    #
    # Don't read ~/.rhosts and ~/.shosts files
    IgnoreRhosts yes
    # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
    #IgnoreUserKnownHosts yes
    StrictModes yes
    X11Forwarding yes
    X11DisplayOffset 10
    PrintMotd yes
    #PrintLastLog no
    KeepAlive yes

    # Logging
    SyslogFacility AUTHPRIV
    LogLevel INFO
    #obsoletes QuietMode and FascistLogging

    RhostsAuthentication no
    #
    # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
    RhostsRSAAuthentication no
    # similar for protocol version 2
    HostbasedAuthentication no
    #
    RSAAuthentication yes
    # To disable tunneled clear text passwords, change to no here!
    PasswordAuthentication no
    PermitEmptyPasswords no

    # Uncomment to disable s/key passwords
    #ChallengeResponseAuthentication no

    # Uncomment to enable PAM keyboard-interactive authentication
    # Warning: enabling this may bypass the setting of 'PasswordAuthentication'
    #PAMAuthenticationViaKbdInt yes

    # To change Kerberos options
    #KerberosAuthentication no
    #KerberosOrLocalPasswd yes
    #AFSTokenPassing no
    #KerberosTicketCleanup no

    # Kerberos TGT Passing does only work with the AFS kaserver
    #KerberosTgtPassing yes

    #CheckMail yes
    #UseLogin no
    #MaxStartups 10:30:60
    #Banner /etc/issue.net
    #ReverseMappingCheck yes

    Subsystem sftp /usr/libexec/openssh/sftp-server

    ----- Original Message -----
    From: "Alberto Guglielmo" <a.guglielmo@tcpsas.com>
    To: <secureshell@securityfocus.com>
    Sent: Monday, August 11, 2003 3:21 PM
    Subject: Re: ssh2 hostbased auth fails

    > I guess your ssh client is unable to read your private key (see 1) because
    > it has the wrong format.
    > Perhaps you exchanged the private with the public key files?
    > If you did generate them by hand you can regenerate with:
    > ssh-keygen -b 1024 -t rsa1 (or "-t rsa" or "-t dsa" for protocol 2 keys) -C "mykey-comment" -f /home/mariko/.ssh/identity
    > Obviously you have to put in the server's "authorized_keys" file the new
    > public key(s) (and give a passphrase when requested)
    > Regards
    >
    > Alberto Guglielmo
    > mailto:a.guglielmo@tcpsas.com
    > PGP Keys at ldap://keyserver.pgp.com
    > Key fingerprint: 7EAF 9E34 2838 7C6B EE47 E8F0 FFC5 3CBC 90AA 5EEE
    >
    >
    > ----- Original Message -----
    > From: "Mariko Takenouchi" <t.mariko@k8.dion.ne.jp>
    > To: <secureshell@securityfocus.com>
    > Sent: Saturday, August 09, 2003 9:33 AM
    > Subject: ssh2 hostbased auth fails
    >
    >
    > Hello,
    >
    > I am a beginner of software science.
    > But I have to setup SSH2.
    > I had installed OpenSSH_3.6.1p2 on my Solaris9 machine.
    > I want to use hostbased auth.
    > But when I try to ssh to my machine, ssh said enter my password of
    > my machine.
    > Please someone suggest for my question.
    >
    >
    > % ssh -vv mariko@obaQ.sf.kakeibo.co.jp
    > OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090702f
    > debug1: Reading configuration data /opt/local/etc/ssh/ssh_config
    > debug1: Rhosts Authentication disabled, originating port will not be trusted.
    > debug2: ssh_connect: needpriv 0
    > debug1: Connecting to obaQ.sf.kakeibo.co.jp [192.168.0.22] port 22.
    > debug1: Connection established.
    > debug1: identity file /home/mariko/.ssh/identity type -1
    > -------------------- 1 -----------------------------
    > debug2: key_type_from_name: unknown key type '-----BEGIN'
    > debug2: key_type_from_name: unknown key type 'Proc-Type:'
    > debug2: key_type_from_name: unknown key type 'DEK-Info:'
    > debug2: key_type_from_name: unknown key type '-----END'
    > debug1: identity file /home/mariko/.ssh/id_rsa type 1
    > debug1: identity file /home/mariko/.ssh/id_dsa type -1
    > -------------------- 1 -----------------------------
    > debug1: Remote protocol version 2.0, remote software version OpenSSH_3.6.1p2
    > debug1: match: OpenSSH_3.6.1p2 pat OpenSSH*
    > debug1: Enabling compatibility mode for protocol 2.0
    > debug1: Local version string SSH-2.0-OpenSSH_3.6.1p2
    > debug1: SSH2_MSG_KEXINIT sent
    > debug1: SSH2_MSG_KEXINIT received
    > debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
    > debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
    > debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
    > debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
    > debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    > debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    > debug2: kex_parse_kexinit: none,zlib
    > debug2: kex_parse_kexinit: none,zlib
    > debug2: kex_parse_kexinit:
    > debug2: kex_parse_kexinit:
    > debug2: kex_parse_kexinit: first_kex_follows 0
    > debug2: kex_parse_kexinit: reserved 0
    > debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
    > debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
    > debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
    > debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
    > debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    > debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    > debug2: kex_parse_kexinit: none,zlib
    > debug2: kex_parse_kexinit: none,zlib
    > debug2: kex_parse_kexinit:
    > debug2: kex_parse_kexinit:
    > debug2: kex_parse_kexinit: first_kex_follows 0
    > debug2: kex_parse_kexinit: reserved 0
    > debug2: mac_init: found hmac-md5
    > debug1: kex: server->client aes128-cbc hmac-md5 none
    > debug2: mac_init: found hmac-md5
    > debug1: kex: client->server aes128-cbc hmac-md5 none
    > debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
    > debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    > debug2: dh_gen_key: priv key bits set: 132/256
    > debug2: bits set: 1545/3191
    > debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    > debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    > debug1: Host 'obaQ.sf.kakeibo.co.jp' is known and matches the RSA host key.
    > debug1: Found key in /home/mariko/.ssh/known_hosts:2
    > debug2: bits set: 1579/3191
    > debug1: ssh_rsa_verify: signature correct
    > debug2: kex_derive_keys
    > debug2: set_newkeys: mode 1
    > debug1: SSH2_MSG_NEWKEYS sent
    > debug1: expecting SSH2_MSG_NEWKEYS
    > debug2: set_newkeys: mode 0
    > debug1: SSH2_MSG_NEWKEYS received
    > debug1: SSH2_MSG_SERVICE_REQUEST sent
    > debug2: service_accept: ssh-userauth
    > debug1: SSH2_MSG_SERVICE_ACCEPT received
    > debug1: Authentications that can continue: publickey,password,keyboard-interactive,hostbased
    > debug1: Next authentication method: publickey
    > debug1: Trying private key: /home/mariko/.ssh/identity
    > debug1: Offering public key: /home/mariko/.ssh/id_rsa
    > debug2: we sent a publickey packet, wait for reply
    > debug1: Authentications that can continue: publickey,password,keyboard-interactive,hostbased
    > debug1: Trying private key: /home/mariko/.ssh/id_dsa
    > debug2: we did not send a packet, disable method
    > debug1: Next authentication method: keyboard-interactive
    > debug2: userauth_kbdint
    > debug2: we sent a keyboard-interactive packet, wait for reply
    > debug1: Authentications that can continue: publickey,password,keyboard-interactive,hostbased
    > debug2: we did not send a packet, disable method
    > debug1: Next authentication method: password
    > mariko@obaQ.sf.kakeibo.co.jp's password:
    >
    > regards,
    >
    > Mariko Takenouchi
    >
    >
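
An added example, not part of the original thread: a Python script that summarizes an `ssh -vv` trace like the one quoted above, listing the authentication methods the server offered, the ones the client actually attempted, and the identity files for which no public key was loaded. The sample log is constructed on the model of the quoted trace, and the function and key names are hypothetical.

```python
import re

# Constructed sample, modelled on the `ssh -vv` trace quoted in the thread
# (paths are placeholders; mail-wrapped lines rejoined).
SAMPLE_LOG = """\
> debug1: identity file /home/user/.ssh/identity type -1
> debug1: identity file /home/user/.ssh/id_rsa type 1
> debug1: identity file /home/user/.ssh/id_dsa type -1
> debug1: Authentications that can continue: publickey,password,keyboard-interactive,hostbased
> debug1: Next authentication method: publickey
> debug1: Offering public key: /home/user/.ssh/id_rsa
> debug1: Authentications that can continue: publickey,password,keyboard-interactive,hostbased
> debug1: Next authentication method: keyboard-interactive
> debug1: Authentications that can continue: publickey,password,keyboard-interactive,hostbased
> debug1: Next authentication method: password
"""

OFFERED = re.compile(r"Authentications that can continue: (\S+)")
NEXT = re.compile(r"Next authentication method: (\S+)")
IDENT = re.compile(r"identity file (\S+) type (-?\d+)")

def summarize_auth(log):
    """Hypothetical helper: compare offered vs. attempted auth methods."""
    offered, tried, no_pubkey = [], [], []
    for raw in log.splitlines():
        line = raw.lstrip("> \t")          # tolerate mail-quoted traces
        m = OFFERED.search(line)
        if m:
            for name in m.group(1).split(","):
                if name not in offered:
                    offered.append(name)
        m = NEXT.search(line)
        if m and m.group(1) not in tried:
            tried.append(m.group(1))
        m = IDENT.search(line)
        if m and m.group(2) == "-1":       # -1: no public key loaded for this path
            no_pubkey.append(m.group(1))
    return {
        "offered": offered,
        "tried": tried,
        "never_tried": [n for n in offered if n not in tried],
        "no_public_key": no_pubkey,
    }

if __name__ == "__main__":
    for key, value in summarize_auth(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A method listed under `never_tried`, such as `hostbased` here, was advertised by the server but not attempted by the client, so the client-side configuration is the place to look; in OpenSSH the client option `HostbasedAuthentication` in ssh_config defaults to `no`.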

