public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] how to get ssh host based authentication working?
@ 2006-07-30  2:56 John Blinka
  2006-07-30  5:15 ` gentuxx
  2006-07-30  8:06 ` Peter Ruskin
  0 siblings, 2 replies; 5+ messages in thread
From: John Blinka @ 2006-07-30  2:56 UTC
  To: gentoo-user

Hi, folks,

I'd like to get host based ssh authentication working within
all the gentoo boxes on my home network.  I've had no
success yet - I hope someone can enlighten me!

What I've done so far on the server side is:

       set HostbasedAuthentication yes in sshd_config
       set HostbasedAuthentication yes in ssh_config
       added /etc/ssh/shosts.equiv containing names of client boxes
       added /etc/ssh/ssh_known_hosts containing public host keys of
client boxes

Client boxes are configured similarly.

When I try to ssh from one box to another, I always get a request
for a password, which is what I'm trying to avoid.

Below is an excerpt from an attempt to ssh from one box to another
while requesting the maximum amount of debugging info.  It looks
like ssh is trying to use host based authentication, but for some
reason it fails.  I'd appreciate any ideas about what might be
going wrong.

John Blinka




debug3: check_host_in_hostfile: filename /root/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 5
debug3: check_host_in_hostfile: filename /root/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 5
debug1: Host 'tobey' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:5
debug2: bits set: 469/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /root/.ssh/identity ((nil))
debug2: key: /root/.ssh/id_rsa (0x8095528)
debug2: key: /root/.ssh/id_dsa (0x80964c0)
debug1: Authentications that can continue:
publickey,keyboard-interactive,hostbased
debug3: start over, passed a different list
publickey,keyboard-interactive,hostbased
debug3: preferred hostbased,publickey,keyboard-interactive,password
debug3: authmethod_lookup hostbased
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled hostbased
debug1: Next authentication method: hostbased
debug2: userauth_hostbased: chost lotus.bluebar.org.
debug2: we sent a hostbased packet, wait for reply
debug1: Authentications that can continue:
publickey,keyboard-interactive,hostbased
debug2: userauth_hostbased: chost lotus.bluebar.org.
debug2: we sent a hostbased packet, wait for reply
debug1: Authentications that can continue:
publickey,keyboard-interactive,hostbased
debug1: No more client hostkeys for hostbased authentication.
debug2: we did not send a packet, disable method

-- 
gentoo-user@gentoo.org mailing list




* Re: [gentoo-user] how to get ssh host based authentication working?
  2006-07-30  2:56 [gentoo-user] how to get ssh host based authentication working? John Blinka
@ 2006-07-30  5:15 ` gentuxx
  2006-07-30  8:06 ` Peter Ruskin
  1 sibling, 0 replies; 5+ messages in thread
From: gentuxx @ 2006-07-30  5:15 UTC
  To: gentoo-user

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

John Blinka wrote:
> Hi, folks,
>
> I'd like to get host based ssh authentication working within
> all the gentoo boxes on my home network.  I've had no
> success yet - I hope someone can enlighten me!
>
> What I've done so far on the server side is:
>
>        set HostbasedAuthentication yes in sshd_config
>        set HostbasedAuthentication yes in ssh_config
>        added /etc/ssh/shosts.equiv containing names of client boxes
>        added /etc/ssh/ssh_known_hosts containing public host keys of
> client boxes
>
> Client boxes are configured similarly.
>
> When I try to ssh from one box to another, I always get a request
> for a password, which is what I'm trying to avoid.

If you just want to be able to log into each system without using a
password, why not set up publickey authentication instead of
hostbased?  The principle is essentially the same, except the
authentication key is tied to the user instead of the system.
>
> Below is an excerpt from an attempt to ssh from one box to another
> while requesting the maximum amount of debugging info.  It looks
> like ssh is trying to use host based authentication, but for some
> reason it fails.  I'd appreciate any ideas about what might be
> going wrong.
[ .... SNIP SSH DEBUG INFO .... ]

I haven't done too much hostbased authentication, because it's
historically insecure.  But if I understand the man page correctly,
the following needs to be in place:

1.  Assumption:  "myserver" is the ssh server, and "tobey" is the ssh
client.
2.  "tobey" must be in /etc/hosts.equiv or /etc/ssh/shosts.equiv on
"myserver"
3.  a.  The current user attempting to login to myserver from tobey
must exist on myserver and is the account being logged into through
the ssh session OR
     b.  the account being logged into on myserver must have a
~/.rhosts or ~/.shosts file containing the name of the ssh client
(tobey) in its home directory
4.  tobey's host key must be located in /etc/ssh/ssh_known_hosts
and/or ~/.ssh/known_hosts on myserver

Please verify that you have all of the above set up for each client
and server pair.  You might be better off trying one system as the
server and one system as the client until you are able to get a
successful connection.

- --
gentux
echo "hfouvyyAhnbjm/dpn" | perl -pe 's/(.)/chr(ord($1)-1)/ge'

gentux's gpg fingerprint ==> 5495 0388 67FF 0B89 1239  D840 4CF0 39E2
18D3 4A9E
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFEzEB5TPA54hjTSp4RAmQiAJ4sT7GUXAghXG4uqMKMlIkliQWhIACglJNP
PDOWDdzPYguBhPIzbC8vTmM=
=YDMQ
-----END PGP SIGNATURE-----

-- 
gentoo-user@gentoo.org mailing list
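
Added example (not part of the thread and not from any poster): a shell function that walks the server-side items of the checklist in the reply above against a config directory. It assumes the server looks the client up under the chost name from the debug log with its trailing dot removed (sshd may instead use the name it resolves for the client's address) and that shosts.equiv and ssh_known_hosts hold plain, unhashed names; check_hostbased and the demo files are constructed for illustration.

```shell
#!/bin/sh
# Added example: server-side hostbased checklist. Names are illustrative.
# check_hostbased ETC_DIR CLIENT  -> prints failed items, returns their count
check_hostbased() {
    dir=$1
    # chost in the debug log ends in a dot; drop it and lowercase the name.
    client=$(printf '%s' "$2" | sed 's/\.$//' | tr 'A-Z' 'a-z')
    fails=0

    # 1. sshd_config: the first HostbasedAuthentication line takes effect.
    val=$(awk 'tolower($1) == "hostbasedauthentication" {
                   print tolower($2); exit }' "$dir/sshd_config" 2>/dev/null)
    if [ "$val" != "yes" ]; then
        echo "FAIL sshd_config: HostbasedAuthentication is '${val:-unset}'"
        fails=$((fails + 1))
    fi

    # 2. shosts.equiv: client must be the first field of some line
    #    (assumes plain host entries, no +/- or netgroup syntax).
    if ! awk -v h="$client" 'tolower($1) == h { found = 1 }
             END { exit !found }' "$dir/shosts.equiv" 2>/dev/null; then
        echo "FAIL shosts.equiv: no entry for $client"
        fails=$((fails + 1))
    fi

    # 3. ssh_known_hosts: client must be one of the comma-separated names
    #    in the first field of a key line (assumes unhashed entries).
    if ! awk -v h="$client" '/^[ \t]*(#|$)/ { next }
             { n = split(tolower($1), names, ",")
               for (i = 1; i <= n; i++) if (names[i] == h) found = 1 }
             END { exit !found }' "$dir/ssh_known_hosts" 2>/dev/null; then
        echo "FAIL ssh_known_hosts: no host key listed under $client"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed demo: shosts.equiv holds only the short name.
demo=$(mktemp -d)
echo 'HostbasedAuthentication yes' > "$demo/sshd_config"
echo 'lotus' > "$demo/shosts.equiv"
echo 'lotus.bluebar.org ssh-rsa AAAA_constructed_key' > "$demo/ssh_known_hosts"
check_hostbased "$demo" 'lotus.bluebar.org.' || echo "$? checklist item(s) failed"
rm -rf "$demo"
```

On a real server the first argument would be /etc/ssh; per-user files such as ~/.shosts and ~/.ssh/known_hosts from the checklist are not covered.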




* Re: [gentoo-user] how to get ssh host based authentication working?
  2006-07-30  2:56 [gentoo-user] how to get ssh host based authentication working? John Blinka
  2006-07-30  5:15 ` gentuxx
@ 2006-07-30  8:06 ` Peter Ruskin
  2006-07-30 13:55   ` [gentoo-user] how to get ssh host based authentication working? [solved] John Blinka
  1 sibling, 1 reply; 5+ messages in thread
From: Peter Ruskin @ 2006-07-30  8:06 UTC
  To: gentoo-user

On Sunday 30 July 2006 03:56, John Blinka wrote:
> Hi, folks,
>
> I'd like to get host based ssh authentication working within
> all the gentoo boxes on my home network.  I've had no
> success yet - I hope someone can enlighten me!
>
> What I've done so far on the server side is:
>
>        set HostbasedAuthentication yes in sshd_config
>        set HostbasedAuthentication yes in ssh_config
>        added /etc/ssh/shosts.equiv containing names of client boxes
>        added /etc/ssh/ssh_known_hosts containing public host keys of
> client boxes
>
> Client boxes are configured similarly.
>
> When I try to ssh from one box to another, I always get a request
> for a password, which is what I'm trying to avoid.
>
> Below is an excerpt from an attempt to ssh from one box to
> another while requesting the maximum amount of debugging info. 
> It looks like ssh is trying to use host based authentication, but
> for some reason it fails.  I'd appreciate any ideas about what
> might be going wrong.
>
> John Blinka
>
>
>
>
> debug3: check_host_in_hostfile: filename /root/.ssh/known_hosts
> debug3: check_host_in_hostfile: match line 5
> debug3: check_host_in_hostfile: filename /root/.ssh/known_hosts
> debug3: check_host_in_hostfile: match line 5
> debug1: Host 'tobey' is known and matches the RSA host key.
> debug1: Found key in /root/.ssh/known_hosts:5
> debug2: bits set: 469/1024
> debug1: ssh_rsa_verify: signature correct
> debug2: kex_derive_keys
> debug2: set_newkeys: mode 1
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug2: set_newkeys: mode 0
> debug1: SSH2_MSG_NEWKEYS received
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug2: service_accept: ssh-userauth
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug2: key: /root/.ssh/identity ((nil))
> debug2: key: /root/.ssh/id_rsa (0x8095528)
> debug2: key: /root/.ssh/id_dsa (0x80964c0)
> debug1: Authentications that can continue:
> publickey,keyboard-interactive,hostbased
> debug3: start over, passed a different list
> publickey,keyboard-interactive,hostbased
> debug3: preferred hostbased,publickey,keyboard-interactive,password
> debug3: authmethod_lookup hostbased
> debug3: remaining preferred: publickey,keyboard-interactive,password
> debug3: authmethod_is_enabled hostbased
> debug1: Next authentication method: hostbased
> debug2: userauth_hostbased: chost lotus.bluebar.org.
> debug2: we sent a hostbased packet, wait for reply
> debug1: Authentications that can continue:
> publickey,keyboard-interactive,hostbased
> debug2: userauth_hostbased: chost lotus.bluebar.org.
> debug2: we sent a hostbased packet, wait for reply
> debug1: Authentications that can continue:
> publickey,keyboard-interactive,hostbased
> debug1: No more client hostkeys for hostbased authentication.
> debug2: we did not send a packet, disable method

http://www-106.ibm.com/developerworks/linux/library/l-keyc.html
http://pigtail.net/LRP/printsrv/keygen.html
http://bumblebee.lcs.mit.edu/ssh2/

-- 
Peter
========================================================================
Gentoo Linux: Portage 2.1-r1.		kernel-2.6.17-gentoo-r3-x86.
2006 i686 AMD Athlon(tm) 64.		gcc(GCC): 3.4.4.
KDE: 3.5.3.				Qt: 3.3.6.
========================================================================
-- 
gentoo-user@gentoo.org mailing list




* Re: [gentoo-user] how to get ssh host based authentication working? [solved]
  2006-07-30  8:06 ` Peter Ruskin
@ 2006-07-30 13:55   ` John Blinka
  2006-07-30 15:05     ` Randy Barlow
  0 siblings, 1 reply; 5+ messages in thread
From: John Blinka @ 2006-07-30 13:55 UTC
  To: gentoo-user

Peter Ruskin wrote:
> http://www-106.ibm.com/developerworks/linux/library/l-keyc.html
> http://pigtail.net/LRP/printsrv/keygen.html
> http://bumblebee.lcs.mit.edu/ssh2/
>   
http://bumblebee.lcs.mit.edu/ssh2/ seems to exist no longer.

I found that http://www.omega.telia.net/vici/openssh/
described exactly what I wanted to do and following it
solved the problem.

John Blinka

-- 
gentoo-user@gentoo.org mailing list




* Re: [gentoo-user] how to get ssh host based authentication working? [solved]
  2006-07-30 13:55   ` [gentoo-user] how to get ssh host based authentication working? [solved] John Blinka
@ 2006-07-30 15:05     ` Randy Barlow
  0 siblings, 0 replies; 5+ messages in thread
From: Randy Barlow @ 2006-07-30 15:05 UTC
  To: gentoo-user

John Blinka wrote:
> http://bumblebee.lcs.mit.edu/ssh2/ seems to exist no longer.

Good thing archive.org has it :)
http://web.archive.org/web/20050305213118/http://bumblebee.lcs.mit.edu/ssh2/

R
-- 
gentoo-user@gentoo.org mailing list


