Secure Shell
Re: problem with HostbasedAuthentication Apr 28 2011 08:46AM
Sharad (sharad2011 yahoo com) (1 replies)
Sometimes the issue lies with the hostname as well. What I mean by that is that known_hosts may have just the host name, whereas when the connection is established, the debug shows the FQDN. I faced this issue, so to be sure, I edited the known_hosts file and inserted the hostname, the hostname's FQDN and its IP address (all comma separated).

Also ensure that both hosts' known_hosts files have the opposite server's names (as prescribed above).

All the above checks make it work for me.

Hope this solves.

Kind regards,
Sharad
--- On Thu, 28/4/11, Asif Iqbal <vadud3 (at) gmail (dot) com [email concealed]> wrote:

> From: Asif Iqbal <vadud3 (at) gmail (dot) com [email concealed]>
> Subject: Re: problem with HostbasedAuthentication
> To: "Mahmood Naderan" <nt_mahmood (at) yahoo (dot) com [email concealed]>
> Cc: "secureshell (at) securityfocus (dot) com [email concealed]" <secureshell (at) securityfocus (dot) com [email concealed]>
> Date: Thursday, 28 April, 2011, 12:38 AM
> On Wed, Apr 27, 2011 at 1:12 AM,
> Mahmood Naderan <nt_mahmood (at) yahoo (dot) com [email concealed]>
> wrote:
> >>Change the order method. Have hostbased before
> password
> >
> > Sorry where should I do that?
>
> man ssh_config and look into PreferredAuthentications
>
> >
> > // Naderan *Mahmood;
> >
> > From: Asif Iqbal <vadud3 (at) gmail (dot) com [email concealed]>
> > To: Mahmood Naderan <nt_mahmood (at) yahoo (dot) com [email concealed]>
> > Cc: "secureshell (at) securityfocus (dot) com [email concealed]"
> <secureshell (at) securityfocus (dot) com [email concealed]>
> > Sent: Wednesday, April 27, 2011 9:17 AM
> > Subject: Re: problem with HostbasedAuthentication
> >
> >
> > Change the order method. Have hostbased before
> password
> > On Apr 26, 2011 11:52 PM, "Mahmood Naderan" <nt_mahmood (at) yahoo (dot) com [email concealed]>
> wrote:
> >>
> >>
> >> Hi,
> >> I am trying to set up a hostbased passwordless ssh
> from a client to a server using this guide http://www.ehow.com/how_7621307_set-up-hostbased-authentication.html.
> >>
> >> The client looks like:
> >>
> >> mahmood@client:~$ cat /etc/ssh/ssh_config  | grep
> "HostbasedAuthentication"
> >>    HostbasedAuthentication yes
> >> mahmood@client:~$ cat /etc/ssh/ssh_config  | grep
> "EnableSSHKeysign"
> >>    EnableSSHKeysign yes
> >>
> >>
> >> and the server looks like:
> >> mahmood@server:~$ cat /etc/ssh/sshd_config  |
> grep "HostbasedAuthentication"
> >> HostbasedAuthentication yes
> >> mahmood@server:~$ cat /etc/ssh/sshd_config  |
> grep "IgnoreRhosts"
> >> IgnoreRhosts no
> >>
> >> also the server has the key for client:
> >>
> >> mahmood@server:~$ cat /etc/ssh/ssh_known_hosts
> >> client ssh-rsa AAAAB3Nz.....
> >>
> >> the ~/.shosts file on the server contains:
> >> mahmood@server:~$ cat .shosts
> >> client.domain mahmood
> >>
> >> Then on both server and client, the ssh service is
> restarted:
> >> mahmood@client:~$ sudo service ssh restart
> >> ssh start/running, process 1355
> >> mahmood@server:~$ sudo service ssh restart
> >> ssh start/running, process 28982
> >>
> >> How, when I run "ssh -vvv server" from client (to
> show the verbose messages), I still get the password
> prompt.
> >>
> >> mahmood@client:~$ ssh -vvv server
> >> OpenSSH_5.3p1 Debian-3ubuntu6, OpenSSL 0.9.8k 25
> Mar 2009
> >> debug1: Reading configuration data
> /etc/ssh/ssh_config
> >> debug1: Applying options for *
> >> debug2: ssh_connect: needpriv 0
> >> debug1: Connecting to server [192.168.1.1] port
> 22.
> >> debug1: Connection established.
> >> debug1: identity file /home/mahmood/.ssh/identity
> type -1
> >> debug1: identity file /home/mahmood/.ssh/id_rsa
> type -1
> >> debug1: identity file /home/mahmood/.ssh/id_dsa
> type -1
> >> debug1: Remote protocol version 2.0, remote
> software version OpenSSH_5.3p1 Debian-3ubuntu4
> >> debug1: match: OpenSSH_5.3p1 Debian-3ubuntu4 pat
> OpenSSH*
> >> debug1: Enabling compatibility mode for protocol
> 2.0
> >> debug1: Local version string SSH-2.0-OpenSSH_5.3p1
> Debian-3ubuntu6
> >> debug2: fd 3 setting O_NONBLOCK
> >> debug1: SSH2_MSG_KEXINIT sent
> >> debug3: Wrote 792 bytes for a total of 831
> >> debug1: SSH2_MSG_KEXINIT received
> >> debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> >> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> >> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> >> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> >> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> >> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> >> debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
> >> debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
> >> debug2: kex_parse_kexinit:
> >> debug2: kex_parse_kexinit:
> >> debug2: kex_parse_kexinit: first_kex_follows 0
> >> debug2: kex_parse_kexinit: reserved 0
> >> debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> >> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> >> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> >> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> >> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> >> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> >> debug2: kex_parse_kexinit: none,zlib@openssh.com
> >> debug2: kex_parse_kexinit: none,zlib@openssh.com
> >> debug2: kex_parse_kexinit:
> >> debug2: kex_parse_kexinit:
> >> debug2: kex_parse_kexinit: first_kex_follows 0
> >> debug2: kex_parse_kexinit: reserved 0
> >> debug2: mac_setup: found hmac-md5
> >> debug1: kex: server->client aes128-ctr hmac-md5
> none
> >> debug2: mac_setup: found hmac-md5
> >> debug1: kex: client->server aes128-ctr hmac-md5
> none
> >> debug1:
> SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> >> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> >> debug3: Wrote 24 bytes for a total of 855
> >> debug2: dh_gen_key: priv key bits set: 124/256
> >> debug2: bits set: 507/1024
> >> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> >> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> >> debug3: Wrote 144 bytes for a total of 999
> >> debug3: check_host_in_hostfile: filename
> /home/mahmood/.ssh/known_hosts
> >> debug3: check_host_in_hostfile: match line 1
> >> debug3: check_host_in_hostfile: filename
> /home/mahmood/.ssh/known_hosts
> >> debug3: check_host_in_hostfile: match line 2
> >> debug1: Host 'server' is known and matches the RSA
> host key.
> >> debug1: Found key in
> /home/mahmood/.ssh/known_hosts:1
> >> debug2: bits set: 503/1024
> >> debug1: ssh_rsa_verify: signature correct
> >> debug2: kex_derive_keys
> >> debug2: set_newkeys: mode 1
> >> debug1: SSH2_MSG_NEWKEYS sent
> >> debug1: expecting SSH2_MSG_NEWKEYS
> >> debug3: Wrote 16 bytes for a total of 1015
> >> debug2: set_newkeys: mode 0
> >> debug1: SSH2_MSG_NEWKEYS received
> >> debug1: SSH2_MSG_SERVICE_REQUEST sent
> >> debug3: Wrote 48 bytes for a total of 1063
> >> debug2: service_accept: ssh-userauth
> >> debug1: SSH2_MSG_SERVICE_ACCEPT received
> >> debug2: key: /home/mahmood/.ssh/identity ((nil))
> >> debug2: key: /home/mahmood/.ssh/id_rsa ((nil))
> >> debug2: key: /home/mahmood/.ssh/id_dsa ((nil))
> >> debug3: Wrote 64 bytes for a total of 1127
> >> debug1: Authentications that can continue:
> publickey,password,hostbased
> >> debug3: start over, passed a different list
> publickey,password,hostbased
> >> debug3: preferred gssapi-keyex,gssapi-with-mic,gssapi,hostbased,publickey,keyboard-interactive,password
> >> debug3: authmethod_lookup hostbased
> >> debug3: remaining preferred:
> publickey,keyboard-interactive,password
> >> debug3: authmethod_is_enabled hostbased
> >> debug1: Next authentication method: hostbased
> >> debug2: userauth_hostbased: chost client.
> >> debug2: ssh_keysign called
> >> debug3: ssh_msg_send: type 2
> >> debug3: ssh_msg_recv entering
> >> debug1: permanently_drop_suid: 1000
> >> debug2: we sent a hostbased packet, wait for
> reply
> >> debug3: Wrote 608 bytes for a total of 1735
> >> debug1: Authentications that can continue:
> publickey,password,hostbased
> >> debug2: userauth_hostbased: chost client.
> >> debug2: ssh_keysign called
> >> debug3: ssh_msg_send: type 2
> >> debug3: ssh_msg_recv entering
> >> debug1: permanently_drop_suid: 1000
> >> debug2: we sent a hostbased packet, wait for
> reply
> >> debug3: Wrote 672 bytes for a total of 2407
> >> debug1: Authentications that can continue:
> publickey,password,hostbased
> >> debug1: No more client hostkeys for hostbased
> authentication.
> >> debug2: we did not send a packet, disable method
> >> debug3: authmethod_lookup publickey
> >> debug3: remaining preferred:
> keyboard-interactive,password
> >> debug3: authmethod_is_enabled publickey
> >> debug1: Next authentication method: publickey
> >> debug1: Trying private key:
> /home/mahmood/.ssh/identity
> >> debug3: no such identity:
> /home/mahmood/.ssh/identity
> >> debug1: Trying private key:
> /home/mahmood/.ssh/id_rsa
> >> debug3: no such identity:
> /home/mahmood/.ssh/id_rsa
> >> debug1: Trying private key:
> /home/mahmood/.ssh/id_dsa
> >> debug3: no such identity:
> /home/mahmood/.ssh/id_dsa
> >> debug2: we did not send a packet, disable method
> >> debug3: authmethod_lookup password
> >> debug3: remaining preferred: ,password
> >> debug3: authmethod_is_enabled password
> >> debug1: Next authentication method: password
> >> mahmood@server's password:
> >>
> >>
> >> Any idea about that?
> >>
> >> // Naderan *Mahmood;
> >>
> >
>
>
>
> --
> Asif Iqbal
> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
> A: Because it messes up the order in which people normally
> read text.
> Q: Why is top-posting such a bad thing?
>
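A check for the name mismatch discussed in this message, as an added example that is not part of the original post: it reports which of a host's names (short name, FQDN, IP) are missing from a known_hosts-format file and whether an shosts-format file lists a given host and user. The function names, the temporary file names, the placeholder key text and the client address 192.0.2.10 are assumptions constructed for the demonstration; matching is literal, so wildcard patterns and hashed entries are not interpreted.

```shell
#!/bin/sh
# Added example, not from the thread. Literal name matching only:
# wildcard patterns and [host]:port forms are not interpreted.

# missing_host_names FILE NAME...
# Print every NAME absent from the comma-separated host field of all
# plain-text entries in a known_hosts-format FILE.
missing_host_names() {
    file=$1; shift
    for name in "$@"; do
        awk -v want="$name" '
            NF == 0 || $1 ~ /^#/ { next }          # blank line or comment
            {
                f = ($1 ~ /^@/) ? 2 : 1            # skip an @marker field
                if (substr($f, 1, 3) == "|1|") next # hashed entry: not comparable
                n = split($f, hosts, ",")
                for (i = 1; i <= n; i++) if (hosts[i] == want) found = 1
            }
            END { exit found ? 0 : 1 }
        ' "$file" || printf '%s\n' "$name"
    done
}

# shosts_allows FILE HOST USER
# Succeed if FILE has a line "HOST" or "HOST USER".
shosts_allows() {
    awk -v h="$2" -v u="$3" '
        NF == 0 || $1 ~ /^#/ { next }
        $1 == h && (NF == 1 || $2 == u) { ok = 1 }
        END { exit ok ? 0 : 1 }
    ' "$1"
}

# Constructed sample mirroring the files quoted in the thread; the key
# text and the client address 192.0.2.10 are placeholders.
demo_check() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' 'client ssh-rsa CONSTRUCTED-PLACEHOLDER-KEY' > "$tmp/known"
    printf '%s\n' 'client.domain mahmood' > "$tmp/shosts"
    missing_host_names "$tmp/known" client client.domain 192.0.2.10
    for h in client client.domain; do
        shosts_allows "$tmp/shosts" "$h" mahmood || echo "shosts: no entry for $h"
    done
    rm -rf "$tmp"
}

demo_check
```

On the sample, the known_hosts entry lacks the FQDN and the address while the shosts entry lacks the short name, so the two files disagree on what the client is called.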
