Re: SSH: trying the simplest configuration with no success

From: Per Hedeland (per_at_hedeland.org)
Date: 02/23/04


Date: Mon, 23 Feb 2004 08:36:39 +0000 (UTC)

In article <c1bf7a$t5q$1@perki.connect.com.au> Chris Skelsey
<chris.skelsey@esands.com> writes:
>
>> OK, now I'm very confused. In your first posting, you said you were
>> trying to use RhostsRSA; here, you're trying to use Rhosts (which is an
>> extremely bad idea). What exactly are you, in fact, trying to do?
>
>You're right - I started off trying to get RhostsRSA to work, but I'm
>now trying to get back to basics with the simplest Rhosts setup. Once
>this is working and I've gained some experience with ssh, I'll consider
>alternative configurations.

But using Rhosts is not the "simplest" - it needs things that no other
scheme needs, and as Richard says, it's also a really bad idea. The
"basics" are obviously password authentication, which should "just work"
out of the box; from there you might go to RhostsRSA or, more usefully,
Hostbased, which is the version 2 "equivalent" (RhostsRSA is version 1
only).

>The server logs contain:
>
>debug1: Rhosts Authentication disabled, originating port 33006 not trusted.
>
>and yet I've got 'Port 22' in the client config.

Port 22 is obviously not the *originating* port.

> Does this suggest that
>the client is not configured correctly?

Yes, see the ssh_config man page:

     UsePrivilegedPort
             Specifies whether to use a privileged port for outgoing connec-
             tions. The argument must be ``yes'' or ``no''. The default is
             ``no''. If set to ``yes'' ssh must be setuid root. Note that
             this option must be set to ``yes'' if RhostsAuthentication and
             RhostsRSAAuthentication authentications are needed with older
             servers.

An option that is quite unneeded for Hostbased authentication.

--Per Hedeland
per@hedeland.org
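As an added illustration (not part of Per's reply or Chris's actual files), the two setups side by side: the protocol-1 Rhosts configuration Chris is attempting, which only works when the client binds a privileged source port, and the protocol-2 Hostbased configuration Per points to, which needs no privileged port and no setuid-root ssh. The host name is a constructed placeholder.

```sshconfig
# --- Rhosts (protocol 1): what the failing setup requires ---
# Client /etc/ssh/ssh_config. sshd checks the *originating* (source) port,
# so the client must bind a port below 1024, which needs a setuid-root ssh.
# "Port 22" only names the destination and does not affect this check.
Host server.example            # constructed placeholder
    Protocol 1
    RhostsAuthentication yes
    UsePrivilegedPort yes      # without this: "originating port N not trusted"
# Server /etc/ssh/sshd_config for the same scheme:
#   RhostsAuthentication yes
# plus the client host in /etc/hosts.equiv or the user's ~/.rhosts.
# Trust rests on the peer's address alone, which is why it is a bad idea.

# --- Hostbased (protocol 2): the equivalent without the privileged port ---
# Client /etc/ssh/ssh_config. The client host signs the request with its
# own host key through ssh-keysign (installed setuid root), so the ssh
# binary itself stays unprivileged and the source port is irrelevant.
Host server.example            # constructed placeholder
    Protocol 2
    HostbasedAuthentication yes
    EnableSSHKeysign yes
# Server /etc/ssh/sshd_config for the same scheme:
#   HostbasedAuthentication yes
# plus the client's host public key in /etc/ssh/ssh_known_hosts and the
# client host listed in /etc/ssh/shosts.equiv (or the user's ~/.shosts).
```

With the Hostbased stanza in place, a `ssh -v` run should show sshd accepting the hostbased method without any mention of the originating port.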
