hostbased: key xxxx is disallowed - why?

From: Kai Schaetzl (ng_at_conactive.com)
Date: 10/28/03


Date: Tue, 28 Oct 2003 20:31:24 +0100

I'm trying to use hostbased authentication between two Suse 8.0/8.1
machines with OpenSSH (OpenSSH_3.4p1, patched with all Suse security
patches). It doesn't work in either direction; I get the same error from both.

I'm getting a "no more client keys" with ssh -v from the first try until
now. I changed several settings, worked along the lines of the snailbook,
checked latest man pages at openssh.org, used Google and Deja (there are a
lot of cries for help about this, but most weren't resolved), but it boils
down to the same failure again and again: no more client keys. I also
stopped the firewall, just in case.

I'll skip quoting all the ssh config files here, since it's obvious that
hostbased authentication *is* being used - but fails. The host is
correctly identified:

debug2: userauth_hostbased: chost nh12.domain.de. resolvedname
nh12.domain.de ipaddr ::ffff:IP no.
debug2: stripping trailing dot from chost nh12.domain.de.
debug2: auth_rhosts2: clientuser root hostname nh12.domain.de ipaddr
::ffff:IP no.

then:

debug1: temporarily_use_uid: 0/0 (e=0)
debug1: restore_uid
debug1: temporarily_use_uid: 0/0 (e=0)
debug1: restore_uid
debug3: mm_answer_keyallowed: key 0x80ad9d8 is disallowed

But this doesn't help, since I don't know why it shouldn't be allowed.

The question is: why is this key disallowed? And does this indicate that
it finds a key matching the hostname in known_hosts and "disallows" it or
doesn't it find one at all?

The relevant config file portions are (real domain name changed):

/etc/shosts.equiv:
nh12.domain.de root
nh12 root

/root/.ssh/known_hosts:
nh12,nh12.domain.de,IP no. ssh-rsa <key hash here>

(known_hosts was made up by hand because OpenSSH adds the key twice for
each hostname "version")

Kai

-- 
Conactive Internet Services, Berlin, Germany


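Added example, not code from the original post or from OpenSSH: a small POSIX shell model of the two checks sshd applies to a hostbased login, in the order hostbased_key_allowed() runs them: the rhosts-style check (auth_rhosts2) first, then the lookup of the client's *host* key (the contents of its ssh_host_*_key.pub, not a user key) in /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts. Two facts it encodes matter when reading a "key ... is disallowed" line: the client only ever learns that one of the two stages refused, and /etc/hosts.equiv and /etc/shosts.equiv are not consulted at all when the target account is root (for root only ~/.rhosts and ~/.shosts count). The temp directory standing in for the server's filesystem, the IP address 192.0.2.12, the key blobs and the account "kai" used in the checks are constructed for the demonstration; hashed known_hosts names, "@" markers, netgroups, "+" wildcards and StrictModes ownership checks are not modelled.

```shell
#!/bin/sh
# Added example, not code from the original post or from OpenSSH: a model of
# the two checks sshd applies to a hostbased login, in the order of
# hostbased_key_allowed(): auth_rhosts2 first, then the host-key lookup in the
# known-hosts files.  Everything under $ROOT is a constructed fixture.

ROOT=$(mktemp -d)                          # stand-in for "/" on the server
trap 'rm -rf "$ROOT"' EXIT
mkdir -p "$ROOT/etc/ssh" "$ROOT/root/.ssh"

# Made-up key blobs: the first plays the role of the client's
# /etc/ssh/ssh_host_rsa_key.pub, the second is some other host's key.
CLIENT_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0ExampleClientHostKey='
OTHER_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0ExampleOtherHostKey='

# The two files as the post shows them (IP address constructed).
printf '%s\n' 'nh12.domain.de root' 'nh12 root' > "$ROOT/etc/shosts.equiv"
printf '%s\n' "nh12,nh12.domain.de,192.0.2.12 $CLIENT_KEY" \
    > "$ROOT/root/.ssh/known_hosts"

# sshd strips one trailing dot from the name the client sent (chost).
strip_dot() { printf '%s\n' "${1%.}"; }

# rhosts_file_ok FILE HOST CLIENTUSER ACCOUNT
# A line "HOST" grants CLIENTUSER when it equals ACCOUNT; "HOST USER" grants
# that USER.  "-HOST ..." is a deny entry.  Comments and blank lines skipped.
rhosts_file_ok() {
    file=$1 host=$2 cuser=$3 account=$4
    [ -r "$file" ] || return 1
    while read -r h u rest; do
        case "$h" in ''|'#'*) continue ;; esac
        negated=0
        case "$h" in -*) negated=1; h=${h#-} ;; esac
        [ "$h" = "$host" ] || continue
        matched=0
        if [ -z "$u" ]; then
            [ "$cuser" = "$account" ] && matched=1
        else
            [ "$u" = "$cuser" ] && matched=1
        fi
        if [ "$matched" = 1 ]; then
            if [ "$negated" = 0 ]; then return 0; else return 1; fi
        fi
    done < "$file"
    return 1
}

# known_hosts_has FILE HOST KEY
# True if KEY (type and blob) is listed on a line whose comma-separated
# first field contains HOST.  Hashed names and '@' markers are not modelled.
known_hosts_has() {
    file=$1 host=$2 key=$3
    [ -r "$file" ] || return 1
    while read -r names ktype kblob rest; do
        case "$names" in ''|'#'*) continue ;; esac
        [ "$ktype $kblob" = "$key" ] || continue
        case ",$names," in *",$host,"*) return 0 ;; esac
    done < "$file"
    return 1
}

# hostbased_allowed ROOT CHOST CLIENTUSER ACCOUNT KEY
# Prints "allowed" or "refused: <stage>"; the stage is exactly what the
# client-side "key ... is disallowed" / "no more client keys" hides.
hostbased_allowed() {
    r=$1 cuser=$3 account=$4 key=$5
    chost=$(strip_dot "$2")
    if [ "$account" = root ]; then home="$r/root"; else home="$r/home/$account"; fi

    ok=no
    # /etc/hosts.equiv and /etc/shosts.equiv are consulted only when the
    # target account is not root; for root only ~/.shosts and ~/.rhosts count.
    if [ "$account" != root ]; then
        for f in "$r/etc/hosts.equiv" "$r/etc/shosts.equiv"; do
            rhosts_file_ok "$f" "$chost" "$cuser" "$account" && ok=yes
        done
    fi
    for f in "$home/.shosts" "$home/.rhosts"; do
        rhosts_file_ok "$f" "$chost" "$cuser" "$account" && ok=yes
    done
    if [ "$ok" = no ]; then
        echo "refused: auth_rhosts2 (no entry grants $cuser@$chost -> $account)"
        return 1
    fi

    # Key lookup: system file first, then the user's file (IgnoreUserKnownHosts
    # would skip the second; this model assumes the default "no").
    for f in "$r/etc/ssh/ssh_known_hosts" "$home/.ssh/known_hosts"; do
        known_hosts_has "$f" "$chost" "$key" && { echo allowed; return 0; }
    done
    echo "refused: key for $chost not found in known hosts files"
    return 1
}

# show LABEL ARGS...: print a verdict without letting a refusal stop the script.
show() { label=$1; shift; printf '%s: ' "$label"; hostbased_allowed "$@" || :; }

show "1. post layout, root -> root" "$ROOT" nh12.domain.de. root root "$CLIENT_KEY"
printf '%s\n' 'nh12.domain.de root' > "$ROOT/root/.shosts"
show "2. host granted in /root/.shosts" "$ROOT" nh12.domain.de. root root "$CLIENT_KEY"
show "3. .shosts present, key mismatch" "$ROOT" nh12.domain.de. root root "$OTHER_KEY"
```

Run as-is: the three calls at the bottom print the verdict for the layout in the post, for the same layout once the client host is granted in /root/.shosts, and for a mismatched host key, so you can see which of the two stages produces the refusal in each case.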