Re: problem with HostbasedAuthentication



Sometimes the issue lies with hostname as well. What I mean with that is the known_hosts may have just the host name where as when the connection is established, the debug shows the FQDN. I faced this issue so to be sure, I edited the known_hosts file and inserted the hostname, hostname's FQDN and it's IP address (all comma separated).

Also ensure that you both the hosts' known_hosts files have opposite servers names (as prescribed above).

All the above checks makes it work for me.

Hope this solves.

Kind regards,
Sharad
--- On Thu, 28/4/11, Asif Iqbal <vadud3@xxxxxxxxx> wrote:

From: Asif Iqbal <vadud3@xxxxxxxxx>
Subject: Re: problem with HostbasedAuthentication
To: "Mahmood Naderan" <nt_mahmood@xxxxxxxxx>
Cc: "secureshell@xxxxxxxxxxxxxxxxx" <secureshell@xxxxxxxxxxxxxxxxx>
Date: Thursday, 28 April, 2011, 12:38 AM
On Wed, Apr 27, 2011 at 1:12 AM,
Mahmood Naderan <nt_mahmood@xxxxxxxxx>
wrote:
Change the order method. Have hostbased before
password

Sorry where should I do that?

man ssh_config and look into PreferredAuthentications


// Naderan *Mahmood;

From: Asif Iqbal <vadud3@xxxxxxxxx>
To: Mahmood Naderan <nt_mahmood@xxxxxxxxx>
Cc: "secureshell@xxxxxxxxxxxxxxxxx"
<secureshell@xxxxxxxxxxxxxxxxx>
Sent: Wednesday, April 27, 2011 9:17 AM
Subject: Re: problem with HostbasedAuthentication


Change the order method. Have hostbased before
password
On Apr 26, 2011 11:52 PM, "Mahmood Naderan" <nt_mahmood@xxxxxxxxx>
wrote:


Hi,
I am trying to setup a hostbased passwrodless ssh
from a client to a server using this guide http://www.ehow.com/how_7621307_set-up-hostbased-authentication.html.

The client looks like:

mahmood@client:~$ cat /etc/ssh/ssh_config  | grep
"HostbasedAuthentication"
   HostbasedAuthentication yes
mahmood@client:~$ cat /etc/ssh/ssh_config  | grep
"EnableSSHKeysign"
   EnableSSHKeysign yes


and the server looks like:
mahmood@server:~$ cat /etc/ssh/sshd_config  |
grep "HostbasedAuthentication"
HostbasedAuthentication yes
mahmood@server:~$ cat /etc/ssh/sshd_config  |
grep "IgnoreRhosts"
IgnoreRhosts no

also the server has the key for client:

mahmood@server:~$ cat /etc/ssh/ssh_known_hosts
client ssh-rsa AAAAB3Nz.....

the ~/.shosts file on the server contains:
mahmood@server:~$ cat .shosts
client.domain mahmood

Then on both server and client, the ssh service is
restarted:
mahmood@client:~$ sudo service ssh restart
ssh start/running, process 1355
mahmood@server:~$ sudo service ssh restart
ssh start/running, process 28982

How, when I run "ssh -vvv server" from client (to
show the verbose messages), I still get the password
prompt.

mahmood@client:~$ ssh -vvv server
OpenSSH_5.3p1 Debian-3ubuntu6, OpenSSL 0.9.8k 25
Mar 2009
debug1: Reading configuration data
/etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to server [192.168.1.1] port
22.
debug1: Connection established.
debug1: identity file /home/mahmood/.ssh/identity
type -1
debug1: identity file /home/mahmood/.ssh/id_rsa
type -1
debug1: identity file /home/mahmood/.ssh/id_dsa
type -1
debug1: Remote protocol version 2.0, remote
software version OpenSSH_5.3p1 Debian-3ubuntu4
debug1: match: OpenSSH_5.3p1 Debian-3ubuntu4 pat
OpenSSH*
debug1: Enabling compatibility mode for protocol
2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3p1
Debian-3ubuntu6
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug3: Wrote 792 bytes for a total of 831
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-
group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-
cbc,aes256-cbc,arcfour,rijndael-cbc@xxxxxxxxxxxxxx
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-
cbc,aes256-cbc,arcfour,rijndael-cbc@xxxxxxxxxxxxxx
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@xxxxxxxxxxx,hmac-ripemd160,hmac-ripemd160@xxxxxxxxxxx,hmac-sha1-96,hmac-
md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@xxxxxxxxxxx,hmac-ripemd160,hmac-ripemd160@xxxxxxxxxxx,hmac-sha1-96,hmac-
md5-96
debug2: kex_parse_kexinit: none,zlib@xxxxxxxxxxx,zlib
debug2: kex_parse_kexinit: none,zlib@xxxxxxxxxxx,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-
group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-
cbc,aes256-cbc,arcfour,rijndael-cbc@xxxxxxxxxxxxxx
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-
cbc,aes256-cbc,arcfour,rijndael-cbc@xxxxxxxxxxxxxx
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@xxxxxxxxxxx,hmac-ripemd160,hmac-ripemd160@xxxxxxxxxxx,hmac-sha1-96,hmac-
md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@xxxxxxxxxxx,hmac-ripemd160,hmac-ripemd160@xxxxxxxxxxx,hmac-sha1-96,hmac-
md5-96
debug2: kex_parse_kexinit: none,zlib@xxxxxxxxxxx
debug2: kex_parse_kexinit: none,zlib@xxxxxxxxxxx
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5
none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5
none
debug1:
SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug3: Wrote 24 bytes for a total of 855
debug2: dh_gen_key: priv key bits set: 124/256
debug2: bits set: 507/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: Wrote 144 bytes for a total of 999
debug3: check_host_in_hostfile: filename
/home/mahmood/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug3: check_host_in_hostfile: filename
/home/mahmood/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 2
debug1: Host 'server' is known and matches the RSA
host key.
debug1: Found key in
/home/mahmood/.ssh/known_hosts:1
debug2: bits set: 503/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: Wrote 16 bytes for a total of 1015
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug3: Wrote 48 bytes for a total of 1063
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/mahmood/.ssh/identity ((nil))
debug2: key: /home/mahmood/.ssh/id_rsa ((nil))
debug2: key: /home/mahmood/.ssh/id_dsa ((nil))
debug3: Wrote 64 bytes for a total of 1127
debug1: Authentications that can continue:
publickey,password,hostbased
debug3: start over, passed a different list
publickey,password,hostbased
debug3: preferred
gssapi-keyex,gssapi-with-mic,gssapi,hostbased,publickey,keyboard-interactive,password
debug3: authmethod_lookup hostbased
debug3: remaining preferred:
publickey,keyboard-interactive,password
debug3: authmethod_is_enabled hostbased
debug1: Next authentication method: hostbased
debug2: userauth_hostbased: chost client.
debug2: ssh_keysign called
debug3: ssh_msg_send: type 2
debug3: ssh_msg_recv entering
debug1: permanently_drop_suid: 1000
debug2: we sent a hostbased packet, wait for
reply
debug3: Wrote 608 bytes for a total of 1735
debug1: Authentications that can continue:
publickey,password,hostbased
debug2: userauth_hostbased: chost client.
debug2: ssh_keysign called
debug3: ssh_msg_send: type 2
debug3: ssh_msg_recv entering
debug1: permanently_drop_suid: 1000
debug2: we sent a hostbased packet, wait for
reply
debug3: Wrote 672 bytes for a total of 2407
debug1: Authentications that can continue:
publickey,password,hostbased
debug1: No more client hostkeys for hostbased
authentication.
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred:
keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key:
/home/mahmood/.ssh/identity
debug3: no such identity:
/home/mahmood/.ssh/identity
debug1: Trying private key:
/home/mahmood/.ssh/id_rsa
debug3: no such identity:
/home/mahmood/.ssh/id_rsa
debug1: Trying private key:
/home/mahmood/.ssh/id_dsa
debug3: no such identity:
/home/mahmood/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
mahmood@server's password:


Any idea about that?

// Naderan *Mahmood;





--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally
read text.
Q: Why is top-posting such a bad thing?





Relevant Pages