Re: SSH: trying the simplest configuration with no success
From: Chris Skelsey (chris.skelsey_at_esands.com)
Date: 02/19/04
- Previous message: Richard E. Silverman: "Re: restricting access for users that don't have a homedir"
- In reply to: Richard E. Silverman: "Re: SSH: trying the simplest configuration with no success"
- Next in thread: Richard E. Silverman: "Re: SSH: trying the simplest configuration with no success"
- Reply: Richard E. Silverman: "Re: SSH: trying the simplest configuration with no success"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 20 Feb 2004 09:54:24 +1100
Richard,
thanks for that.
> 1) This is not "very basic;" trusted-host authentication is the trickiest
> standard SSH authentication method to set up.
Ok. I actually started off trying to get rhosts/shosts working, with no
success either. Let me describe what happens when I try this.
First, my understanding is that if rsh is password-less between the
hosts and the ssh client and server are configured to utilise rhosts, the
ssh connection should be password-less.
I've set up /etc/hosts.equiv (and /etc/ssh/shosts.equiv as well) and
confirmed I can rsh between the hosts without being asked for a
password. I have the following settings in ssh_config on the client:
Host *
ForwardX11 yes
RhostsAuthentication yes
RhostsRSAAuthentication no
RSAAuthentication no
PasswordAuthentication yes
Port 22
Protocol 1,2
and these in sshd_config on the server:
RSAAuthentication no
PubkeyAuthentication no
RhostsAuthentication yes
IgnoreRhosts no
RhostsRSAAuthentication no
HostbasedAuthentication no
Before I provide the debug output from the client and server:
> 2) SSH protocol version 1 is deprecated; you would be better off using the
> analogous "hostbased" authentication method with protocol 2.
Ok, I'll try that.
> 3) If all you want is automatic interactive authentication, why not just
> use publickey with ssh-agent? There are legitimate reasons to use
> trusted-host authentication, but usually it involves the administration
> of larger collections of hosts and non-technical users. There are
> security tradeoffs involved here; have you thought them through?
I need to establish basic non-interactive encrypted transfer. The client
is subsequently free to employ their own in-house policies, as long as
non-interactive authentication is used.
>>I can't set it up to avoid password-less logins.
>
> Presumably this is a typo.
Indeed.
Client output:
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 500 geteuid 0 anon 1
debug1: Connecting to hurricane [172.16.2.18] port 22.
debug1: temporarily_use_uid: 500/500 (e=0)
debug1: restore_uid
debug1: temporarily_use_uid: 500/500 (e=0)
debug1: restore_uid
debug1: Connection established.
debug1: identity file /home/ess/.ssh/identity type -1
debug1: identity file /home/ess/.ssh/id_rsa type -1
debug1: identity file /home/ess/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.4p1
debug1: match: OpenSSH_3.4p1 pat OpenSSH*
debug1: Local version string SSH-1.5-OpenSSH_3.1p1
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug1: Host 'hurricane' is known and matches the RSA1 host key.
debug1: Found key in /home/ess/.ssh/known_hosts:1
debug1: Encryption type: 3des
debug1: Sent encrypted session key.
debug1: cipher_init: set keylen (16 -> 32)
debug1: cipher_init: set keylen (16 -> 32)
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: Doing challenge response authentication.
debug1: No challenge.
debug1: Doing password authentication.
Server output:
debug1: sshd version OpenSSH_3.4p1
debug1: private host key: #0 type 0 RSA1
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
socket: Address family not supported by protocol
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 172.16.2.30 port 32894
debug1: Client protocol version 1.5; client software version OpenSSH_3.1p1
debug1: match: OpenSSH_3.1p1 pat OpenSSH_2.*,OpenSSH_3.0*,OpenSSH_3.1*
debug1: Local version string SSH-1.99-OpenSSH_3.4p1
debug1: Rhosts Authentication disabled, originating port 32894 not trusted.
debug2: Network child is on pid 26825
debug1: Sent 768 bit server key and 1024 bit host key.
debug1: Encryption type: 3des
debug2: monitor_read: 28 used once, disabling now
debug1: cipher_init: set keylen (16 -> 32)
debug1: cipher_init: set keylen (16 -> 32)
debug1: Received session key; encryption turned on.
debug2: monitor_read: 30 used once, disabling now
debug1: Installing crc compensation attack detector.
debug2: monitor_read: 6 used once, disabling now
debug1: Attempting authentication for ess.
debug1: Starting up PAM with username "ess"
debug1: PAM setting rhost to "ows1.esands.com"
debug2: monitor_read: 37 used once, disabling now
Failed none for ess from 172.16.2.30 port 32894
debug1: rcvd SSH_CMSG_AUTH_TIS
Failed challenge-response for ess from 172.16.2.30 port 32894
The "Failed none" line: is this a warning, or the source of the problem?
Thanks in advance,
Chris.
- Chris Skelsey ------------------------------------
| Environmental Systems & Services, Australia
| chris.skelsey@esands.com +61 3 8420 8926
| www.esands.com
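Added example (not part of the thread): a small Python script that lints the client ssh_config posted above for protocol-1-era options, mapping each to its protocol-2 counterpart as suggested in the reply, and summarises the "ssh -v" output to show which authentication methods the client actually fell through to. The config text and the debug lines embedded below are constructed copies of the ones in the message.

```python
import re

# Constructed copy of the client-side ssh_config posted in the message.
CLIENT_CONFIG = """\
Host *
ForwardX11 yes
RhostsAuthentication yes
RhostsRSAAuthentication no
RSAAuthentication no
PasswordAuthentication yes
Port 22
Protocol 1,2
"""

# Constructed excerpt of the client's "ssh -v" output from the message.
CLIENT_DEBUG = """\
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: Local version string SSH-1.5-OpenSSH_3.1p1
debug1: Doing challenge response authentication.
debug1: No challenge.
debug1: Doing password authentication.
"""

# Protocol-1-only keywords and the protocol-2 option that replaces each.
PROTO1_OPTIONS = {
    "RhostsAuthentication": "HostbasedAuthentication",
    "RhostsRSAAuthentication": "HostbasedAuthentication",
    "RSAAuthentication": "PubkeyAuthentication",
}

def lint_config(text):
    """Return (keyword, value, advice) for every setting tied to protocol 1."""
    findings = []
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0], parts[1].strip()
        if key == "Protocol" and "1" in value.split(","):
            findings.append((key, value, "use 'Protocol 2'; version 1 is deprecated"))
        elif key in PROTO1_OPTIONS:
            findings.append((key, value, f"protocol 1 only; use '{PROTO1_OPTIONS[key]} yes'"))
    return findings

def auth_path(debug_text):
    """Summarise ssh -v output: local protocol, rhosts state, methods tried in order."""
    proto = re.search(r"Local version string SSH-(\d\.\d+)", debug_text)
    tried = re.findall(r"debug1: Doing (.+?) authentication", debug_text)
    return {"protocol": proto.group(1) if proto else None,
            "rhosts_disabled": "Rhosts Authentication disabled" in debug_text,
            "tried": tried}
```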