Re: SSH: trying the simplest configuration with no success

From: Chris Skelsey (chris.skelsey_at_esands.com)
Date: 02/20/04


Date: Fri, 20 Feb 2004 10:07:58 +1100

I should also add that PAM appears to be enabled:

strings /usr/sbin/sshd | fgrep auth-pam.c
@(#)$Id: auth-pam.c,v 1.46 2002/05/08 02:27:56 djm Exp $

and the file /etc/pam.d/sshd exists, as instructed in
http://www.snailbook.com/faq/password-pam.auto.html

Chris.

Richard E. Silverman wrote:
>>Here's the situation. I'm starting off with SSH, and am trying to get a
>>very basic configuration working: RhostsRSAAuthentication.
>
>
> 1) This is not "very basic;" trusted-host authentication is the trickiest
> standard SSH authentication method to set up.
>
> 2) SSH protocol version 1 is deprecated; you would be better off using the
> analogous "hostbased" authentication method with protocol 2.
>
> 3) If all you want is automatic interactive authentication, why not just
> use publickey with ssh-agent? There are legitimate reasons to use
> trusted-host authentication, but usually it involves the administration
> of larger collections of hosts and non-technical users. There are
> security tradeoffs involved here; have you thought them through?
>
>
>>I can't set it up to avoid password-less logins.
>
>
> Presumably this is a typo.
>
>
>>To get to a clean slate/known state, I setup /etc/hosts.equiv and .rhosts
>>and make sure I can rsh from one host to the other. Works.
>
>
> This is irrelevant; rsh has nothing to do with ssh. The trusted-host
> method is analogous to that used by rsh; that's all.
>
>
>>Then, I get rid of ~/.ssh on both hosts.
>
>
> Why?
>
>
>>debug1: Rhosts with RSA host authentication denied: unknown or invalid host key
>>Failed rhosts-rsa for ess from 172.16.2.30 port 32866 ruser ess
>
>
> This is quite explicit: the server cannot find the client's host key,
> which must be present in either ~/.ssh/known_hosts or /etc/ssh_known_hosts
> on the server under the client's canonical name as found by the server
> (which here is the client's IP address since the server failed to find a
> name for the address via DNS).
>
> http://www.snailbook.com/faq/trusted-host-howto.auto.html
>

-- 
  - Chris Skelsey ------------------------------------
|  Environmental Systems & Services, Australia
|  chris.skelsey@esands.com     +61 3 8420 8926
|  www.esands.com
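The lookup Richard describes (the server searching known_hosts for the client's key under the canonical name it resolved, here a bare IP address) can be checked offline. The following is an added example, not code from the thread or from OpenSSH: it parses a constructed known_hosts file and reports which lines would cover a given canonical name, going beyond the 2004 setup by also handling comma-separated host lists, `*`/`?` wildcards, `!` negation and OpenSSH's hashed `|1|salt|hash` entries. All hostnames, keys and the salt are constructed placeholders.

```python
import base64
import fnmatch
import hashlib
import hmac

def hash_hostname(host, salt):
    """OpenSSH hashed host field: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_matches(pattern, host):
    """Match one host-field token (plain name, '*'/'?' glob, or hashed entry)."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, digest_b64 = pattern.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(digest_b64))
    return fnmatch.fnmatchcase(host.lower(), pattern.lower())  # sshd compares case-insensitively

def find_host_keys(known_hosts_text, canonical_name):
    """(keytype, key) for each line admitting canonical_name; a '!' token vetoes the line."""
    hits = []
    for raw in known_hosts_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):            # drop @cert-authority / @revoked marker
            line = line.split(None, 1)[1]
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue                        # malformed line: no key material
        hosts, keytype, rest = parts
        accepted = negated = False
        for token in hosts.split(","):
            if token.startswith("!"):
                negated |= host_matches(token[1:], canonical_name)
            else:
                accepted |= host_matches(token, canonical_name)
        if accepted and not negated:
            hits.append((keytype, rest.split()[0]))
    return hits

# Constructed sample: the client's key is listed under its DNS name only, so a
# lookup under its IP address (what sshd did in the thread) finds nothing.
SALT = b"constructed-20B-salt"   # 20 bytes, the salt length OpenSSH uses
SAMPLE_KNOWN_HOSTS = (
    "# constructed example, not the poster's real file\n"
    "client.example.test,*.example.test ssh-rsa AAAAB3Nza...placeholder1== note\n"
    "!bad.example.test,*.example.test ssh-dss AAAAB3Nza...placeholder2==\n"
    + hash_hostname("10.0.0.5", SALT) + " ssh-rsa AAAAB3Nza...placeholder3==\n"
)
```

Running `find_host_keys(SAMPLE_KNOWN_HOSTS, "172.16.2.30")` returns an empty list, which is the condition behind "unknown or invalid host key"; the fix is an entry keyed by the name the server actually resolves, not by the name the client calls itself.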

