Secure Shell
Re: problem with HostbasedAuthentication Apr 29 2011 06:49AM
Sharad (sharad2011 yahoo com) (1 replies)
Hi Mahmood,

This line looks out of place. Check that host name is getting resolved:

get_socket_address: getnameinfo 8 failed: Name or service not known

I am sure you would have performed the same steps on both hosts. Try establishing connection with IP Address instead of hostname.

Regards,
Sharad
--- On Thu, 28/4/11, Mahmood Naderan <nt_mahmood (at) yahoo (dot) com [email concealed]> wrote:

> From: Mahmood Naderan <nt_mahmood (at) yahoo (dot) com [email concealed]>
> Subject: Re: problem with HostbasedAuthentication
> To: "Sharad" <sharad2011 (at) yahoo (dot) com [email concealed]>
> Cc: "secureshell (at) securityfocus (dot) com [email concealed]" <secureshell (at) securityfocus (dot) com [email concealed]>
> Date: Thursday, 28 April, 2011, 11:12 PM
> Dear Sharad,
> I am now trying to set up hostbased ssh from server to client (previously client->server worked fine based on your help). I want it to be bidirectional.
>
> I did the same thing in reverse (now the client becomes server and the server becomes client). However, this is what I get while trying to ssh from server to client:
>
>
> debug3: Wrote 48 bytes for a total of 1063
> debug2: service_accept: ssh-userauth
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug2: key: /home/mahmood/.ssh/identity ((nil))
> debug2: key: /home/mahmood/.ssh/id_rsa ((nil))
> debug2: key: /home/mahmood/.ssh/id_dsa ((nil))
> debug3: Wrote 64 bytes for a total of 1127
> debug1: Authentications that can continue: publickey,password,hostbased
> debug3: start over, passed a different list publickey,password,hostbased
> debug3: preferred gssapi-keyex,gssapi-with-mic,gssapi,hostbased,publickey,keyboard-interactive,password
> debug3: authmethod_lookup hostbased
> debug3: remaining preferred: publickey,keyboard-interactive,password
> debug3: authmethod_is_enabled hostbased
> debug1: Next authentication method: hostbased
> get_socket_address: getnameinfo 8 failed: Name or service not known
> debug2: userauth_hostbased: chost server.
> debug2: ssh_keysign called
> debug3: ssh_msg_send: type 2
> debug3: ssh_msg_recv entering
> debug1: permanently_drop_suid: 1000
> get_socket_address: getnameinfo 8 failed: Name or service not known
> cannot get sockname for fd
> ssh_keysign: no reply
> key_sign failed
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup publickey
> debug3: remaining preferred: keyboard-interactive,password
> debug3: authmethod_is_enabled publickey
> debug1: Next authentication method: publickey
> debug1: Trying private key: /home/mahmood/.ssh/identity
> debug3: no such identity: /home/mahmood/.ssh/identity
> debug1: Trying private key: /home/mahmood/.ssh/id_rsa
> debug3: no such identity: /home/mahmood/.ssh/id_rsa
> debug1: Trying private key: /home/mahmood/.ssh/id_dsa
> debug3: no such identity: /home/mahmood/.ssh/id_dsa
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup password
> debug3: remaining preferred: ,password
> debug3: authmethod_is_enabled password
> debug1: Next authentication method: password
> mahmood@192.168.1.3's password:
>
>
> What is your suggestion?
>
> // Naderan *Mahmood;
>
>
> ----- Original Message -----
> From: Sharad <sharad2011 (at) yahoo (dot) com [email concealed]>
> To: Mahmood Naderan <nt_mahmood (at) yahoo (dot) com [email concealed]>
> Cc: "secureshell (at) securityfocus (dot) com [email concealed]"
> <secureshell (at) securityfocus (dot) com [email concealed]>
> Sent: Thursday, April 28, 2011 5:20 PM
> Subject: Re: problem with HostbasedAuthentication
>
> Mahmood,
>
> The files are /home/username/.ssh/known_hosts on both
> server and client.
>
> By FQDN, I meant host's fully qualified domain name.
>
> Following is the example:
>
> Assuming both client and server are linux hosts:
>
> Server IP: 192.168.1.1
> Client IP: 192.168.1.101
>
> Server Name: lnx_srvr_1.domain.com
> Client Name: lnx_clnt_101.domain.com
>
> User name on each host is mahmood.
>
> Following would be the entries in .shosts on lnx_srvr_1
>
>
> lnx_srvr_1:/home/mahmood $ cat .shosts
>
> lnx_clnt_101.domain.com mahmood
> 192.168.1.101 mahmood
> lnx_clnt_101 mahmood
>
> Following should exist in /home/mahmood/.ssh/known_hosts file on the server side:
> 192.168.1.101,lnx_clnt_101,lnx_clnt_101.domain.com ssh-rsa AAAAB3Nz...
>
> Following should also exist in /home/mahmood/.ssh/known_hosts file on the client side:
> 192.168.1.1,lnx_srvr_1,lnx_srvr_1.domain.com ssh-rsa AAAAB3Nz...
>
> Ensure that .ssh directory on both client and server are
> rwx for owner only and group/rest of world is 000.
>
> Hope this helps! Good Luck! :)
>
> Regards,
> Sharad 
> --- On Thu, 28/4/11, Mahmood Naderan <nt_mahmood (at) yahoo (dot) com [email concealed]> wrote:
>
> > From: Mahmood Naderan <nt_mahmood (at) yahoo (dot) com [email concealed]>
> > Subject: Re: problem with HostbasedAuthentication
> > To: "Sharad" <sharad2011 (at) yahoo (dot) com [email concealed]>
> > Cc: "secureshell (at) securityfocus (dot) com [email concealed]" <secureshell (at) securityfocus (dot) com [email concealed]>
> > Date: Thursday, 28 April, 2011, 3:54 PM
> > Can you explain exactly which file I should edit? What is FQDN? By 'hostname', do you mean server hostname or client hostname?
> > Should I do that on both sides or server side?...
> >
> > // Naderan *Mahmood;
> >
> >
> > ----- Original Message -----
> > From: Sharad <sharad2011 (at) yahoo (dot) com [email concealed]>
> > To: Mahmood Naderan <nt_mahmood (at) yahoo (dot) com [email concealed]>; Asif Iqbal <vadud3 (at) gmail (dot) com [email concealed]>
> > Cc: "secureshell (at) securityfocus (dot) com [email concealed]" <secureshell (at) securityfocus (dot) com [email concealed]>
> > Sent: Thursday, April 28, 2011 1:16 PM
> > Subject: Re: problem with HostbasedAuthentication
> >
> > Sometimes the issue lies with hostname as well. What I mean with that is the known_hosts may have just the host name whereas when the connection is established, the debug shows the FQDN. I faced this issue so to be sure, I edited the known_hosts file and inserted the hostname, hostname's FQDN and its IP address (all comma separated).
> >
> > Also ensure that both the hosts' known_hosts files have opposite servers' names (as prescribed above).
> >
> > All the above checks make it work for me.
> >
> > Hope this solves.
> >
> > Kind regards,
> > Sharad
> > --- On Thu, 28/4/11, Asif Iqbal <vadud3 (at) gmail (dot) com [email concealed]> wrote:
> >
> > > From: Asif Iqbal <vadud3 (at) gmail (dot) com [email concealed]>
> > > Subject: Re: problem with HostbasedAuthentication
> > > To: "Mahmood Naderan" <nt_mahmood (at) yahoo (dot) com [email concealed]>
> > > Cc: "secureshell (at) securityfocus (dot) com [email concealed]" <secureshell (at) securityfocus (dot) com [email concealed]>
> > > Date: Thursday, 28 April, 2011, 12:38 AM
> > > On Wed, Apr 27, 2011 at 1:12 AM, Mahmood Naderan <nt_mahmood (at) yahoo (dot) com [email concealed]> wrote:
> > > >>Change the order method. Have hostbased before password
> > > >
> > > > Sorry where should I do that?
> > >
> > > man ssh_config and look into PreferredAuthentications
> > >
> > > >
> > > > // Naderan *Mahmood;
> > > >
> > > > From: Asif Iqbal <vadud3 (at) gmail (dot) com [email concealed]>
> > > > To: Mahmood Naderan <nt_mahmood (at) yahoo (dot) com [email concealed]>
> > > > Cc: "secureshell (at) securityfocus (dot) com [email concealed]" <secureshell (at) securityfocus (dot) com [email concealed]>
> > > > Sent: Wednesday, April 27, 2011 9:17 AM
> > > > Subject: Re: problem with HostbasedAuthentication
> > > >
> > > >
> > > > Change the order method. Have hostbased before password
> > > > On Apr 26, 2011 11:52 PM, "Mahmood Naderan" <nt_mahmood (at) yahoo (dot) com [email concealed]> wrote:
> > > >>
> > > >>
> > > >> Hi,
> > > >> I am trying to set up hostbased passwordless ssh from a client to a server using this guide http://www.ehow.com/how_7621307_set-up-hostbased-authentication.html.
> > > >>
> > > >> The client looks like:
> > > >>
> > > >> mahmood@client:~$ cat /etc/ssh/ssh_config | grep "HostbasedAuthentication"
> > > >>    HostbasedAuthentication yes
> > > >> mahmood@client:~$ cat /etc/ssh/ssh_config | grep "EnableSSHKeysign"
> > > >>    EnableSSHKeysign yes
> > > >>
> > > >>
> > > >> and the server looks like:
> > > >> mahmood@server:~$ cat /etc/ssh/sshd_config | grep "HostbasedAuthentication"
> > > >> HostbasedAuthentication yes
> > > >> mahmood@server:~$ cat /etc/ssh/sshd_config | grep "IgnoreRhosts"
> > > >> IgnoreRhosts no
> > > >>
> > > >> also the server has the key for client:
> > > >>
> > > >> mahmood@server:~$ cat /etc/ssh/ssh_known_hosts
> > > >> client ssh-rsa AAAAB3Nz.....
> > > >>
> > > >> the ~/.shosts file on the server contains:
> > > >> mahmood@server:~$ cat .shosts
> > > >> client.domain mahmood
> > > >>
> > > >> Then on both server and client, the ssh service is restarted:
> > > >> mahmood@client:~$ sudo service ssh restart
> > > >> ssh start/running, process 1355
> > > >> mahmood@server:~$ sudo service ssh restart
> > > >> ssh start/running, process 28982
> > > >>
> > > >> How, when I run "ssh -vvv server" from client (to show the verbose messages), I still get the password prompt.
> > > >>
> > > >> mahmood@client:~$ ssh -vvv server
> > > >> OpenSSH_5.3p1 Debian-3ubuntu6, OpenSSL 0.9.8k 25 Mar 2009
> > > >> debug1: Reading configuration data /etc/ssh/ssh_config
> > > >> debug1: Applying options for *
> > > >> debug2: ssh_connect: needpriv 0
> > > >> debug1: Connecting to server [192.168.1.1] port 22.
> > > >> debug1: Connection established.
> > > >> debug1: identity file /home/mahmood/.ssh/identity type -1
> > > >> debug1: identity file /home/mahmood/.ssh/id_rsa type -1
> > > >> debug1: identity file /home/mahmood/.ssh/id_dsa type -1
> > > >> debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3p1 Debian-3ubuntu4
> > > >> debug1: match: OpenSSH_5.3p1 Debian-3ubuntu4 pat OpenSSH*
> > > >> debug1: Enabling compatibility mode for protocol 2.0
> > > >> debug1: Local version string SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu6
> > > >> debug2: fd 3 setting O_NONBLOCK
> > > >> debug1: SSH2_MSG_KEXINIT sent
> > > >> debug3: Wrote 792 bytes for a total of 831
> > > >> debug1: SSH2_MSG_KEXINIT received
> > > >> debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> > > >> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> > > >> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> > > >> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> > > >> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> > > >> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> > > >> debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
> > > >> debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
> > > >> debug2: kex_parse_kexinit:
> > > >> debug2: kex_parse_kexinit:
> > > >> debug2: kex_parse_kexinit: first_kex_follows 0
> > > >> debug2: kex_parse_kexinit: reserved 0
> > > >> debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> > > >> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> > > >> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> > > >> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> > > >> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> > > >> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> > > >> debug2: kex_parse_kexinit: none,zlib@openssh.com
> > > >> debug2: kex_parse_kexinit: none,zlib@openssh.com
> > > >> debug2: kex_parse_kexinit:
> > > >> debug2: kex_parse_kexinit:
> > > >> debug2: kex_parse_kexinit: first_kex_follows 0
> > > >> debug2: kex_parse_kexinit: reserved 0
> > > >> debug2: mac_setup: found hmac-md5
> > > >> debug1: kex: server->client aes128-ctr hmac-md5 none
> > > >> debug2: mac_setup: found hmac-md5
> > > >> debug1: kex: client->server aes128-ctr hmac-md5 none
> > > >> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> > > >> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> > > >> debug3: Wrote 24 bytes for a total of 855
> > > >> debug2: dh_gen_key: priv key bits set: 124/256
> > > >> debug2: bits set: 507/1024
> > > >> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> > > >> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> > > >> debug3: Wrote 144 bytes for a total of 999
> > > >> debug3: check_host_in_hostfile: filename /home/mahmood/.ssh/known_hosts
> > > >> debug3: check_host_in_hostfile: match line 1
> > > >> debug3: check_host_in_hostfile: filename /home/mahmood/.ssh/known_hosts
> > > >> debug3: check_host_in_hostfile: match line 2
> > > >> debug1: Host 'server' is known and matches the RSA host key.
> > > >> debug1: Found key in /home/mahmood/.ssh/known_hosts:1
> > > >> debug2: bits set: 503/1024
> > > >> debug1: ssh_rsa_verify: signature correct
> > > >> debug2: kex_derive_keys
> > > >> debug2: set_newkeys: mode 1
> > > >> debug1: SSH2_MSG_NEWKEYS sent
> > > >> debug1: expecting SSH2_MSG_NEWKEYS
> > > >> debug3: Wrote 16 bytes for a total of 1015
> > > >> debug2: set_newkeys: mode 0
> > > >> debug1: SSH2_MSG_NEWKEYS received
> > > >> debug1: SSH2_MSG_SERVICE_REQUEST sent
> > > >> debug3: Wrote 48 bytes for a total of 1063
> > > >> debug2: service_accept: ssh-userauth
> > > >> debug1: SSH2_MSG_SERVICE_ACCEPT received
> > > >> debug2: key: /home/mahmood/.ssh/identity ((nil))
> > > >> debug2: key: /home/mahmood/.ssh/id_rsa ((nil))
> > > >> debug2: key: /home/mahmood/.ssh/id_dsa ((nil))
> > > >> debug3: Wrote 64 bytes for a total of 1127
> > > >> debug1: Authentications that can continue: publickey,password,hostbased
> > > >> debug3: start over, passed a different list publickey,password,hostbased
> > > >> debug3: preferred gssapi-keyex,gssapi-with-mic,gssapi,hostbased,publickey,keyboard-interactive,password
> > > >> debug3: authmethod_lookup hostbased
> > > >> debug3: remaining preferred: publickey,keyboard-interactive,password
> > > >> debug3: authmethod_is_enabled hostbased
> > > >> debug1: Next authentication method: hostbased
> > > >> debug2: userauth_hostbased: chost client.
> > > >> debug2: ssh_keysign called
> > > >> debug3: ssh_msg_send: type 2
> > > >> debug3: ssh_msg_recv entering
> > > >> debug1: permanently_drop_suid: 1000
> > > >> debug2: we sent a hostbased packet, wait for reply
> > > >> debug3: Wrote 608 bytes for a total of 1735
> > > >> debug1: Authentications that can continue: publickey,password,hostbased
> > > >> debug2: userauth_hostbased: chost client.
> > > >> debug2: ssh_keysign called
> > > >> debug3: ssh_msg_send: type 2
> > > >> debug3: ssh_msg_recv entering
> > > >> debug1: permanently_drop_suid: 1000
> > > >> debug2: we sent a hostbased packet, wait for reply
> > > >> debug3: Wrote 672 bytes for a total of 2407
> > > >> debug1: Authentications that can continue: publickey,password,hostbased
> > > >> debug1: No more client hostkeys for hostbased authentication.
> > > >> debug2: we did not send a packet, disable method
> > > >> debug3: authmethod_lookup publickey
> > > >> debug3: remaining preferred: keyboard-interactive,password
> > > >> debug3: authmethod_is_enabled publickey
> > > >> debug1: Next authentication method: publickey
> > > >> debug1: Trying private key: /home/mahmood/.ssh/identity
> > > >> debug3: no such identity: /home/mahmood/.ssh/identity
> > > >> debug1: Trying private key: /home/mahmood/.ssh/id_rsa
> > > >> debug3: no such identity: /home/mahmood/.ssh/id_rsa
> > > >> debug1: Trying private key: /home/mahmood/.ssh/id_dsa
> > > >> debug3: no such identity: /home/mahmood/.ssh/id_dsa
> > > >> debug2: we did not send a packet, disable method
> > > >> debug3: authmethod_lookup password
> > > >> debug3: remaining preferred: ,password
> > > >> debug3: authmethod_is_enabled password
> > > >> debug1: Next authentication method: password
> > > >> mahmood@server's password:
> > > >>
> > > >>
> > > >> Any idea about that?
> > > >>
> > > >> // Naderan *Mahmood;
> > > >>
> > > >
> > >
> > >
> > >
> > > --
> > > Asif Iqbal
> > > PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
> > > A: Because it messes up the order in which people normally read text.
> > > Q: Why is top-posting such a bad thing?
> > >
> >
>
>
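
The file checks described in this thread (every name form present in the known_hosts host field, a matching "host user" line in .shosts, and a .ssh directory closed to group and others) can be scripted. The following is an added example, not part of the original messages; the function names are hypothetical, and the host names, IP and truncated key are constructed samples modelled on the ones quoted above.

```shell
#!/bin/sh
# Added example: host names, IPs and the truncated key are constructed samples.

# Print each NAME that is absent from the comma-separated host field of FILE.
# Hashed entries ("|1|...") cannot be matched here; use `ssh-keygen -F` for those.
missing_known_hosts_names() {
    kh_file=$1; shift
    for kh_name in "$@"; do
        awk -v n="$kh_name" '
            NF == 0 || $1 ~ /^#/ { next }
            { f = ($1 ~ /^@/) ? $2 : $1   # step over an @cert-authority or @revoked marker
              k = split(f, h, ",")
              for (i = 1; i <= k; i++) if (h[i] == n) found = 1 }
            END { exit (found ? 0 : 1) }' "$kh_file" || printf '%s\n' "$kh_name"
    done
}

# Succeed if FILE contains the "HOST USER" line form used in the thread.
shosts_allows() {
    awk -v h="$2" -v u="$3" '$1 == h && $2 == u { ok = 1 } END { exit (ok ? 0 : 1) }' "$1"
}

# Succeed if DIR is rwx for the owner and closed to group and others.
ssh_dir_private() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "drwx------" ]
}

# Constructed server-side sample: known_hosts lists only the short client name.
make_sample() {
    mkdir -p "$1/.ssh" && chmod 755 "$1/.ssh"
    printf '%s\n' 'lnx_clnt_101 ssh-rsa AAAAB3Nz...' > "$1/.ssh/known_hosts"
    printf '%s\n' 'lnx_clnt_101.domain.com mahmood' '192.168.1.101 mahmood' > "$1/.shosts"
}

# audit HOME_DIR USER NAME... : print one FIX line per failed check.
audit() {
    a_home=$1; a_user=$2; shift 2
    ssh_dir_private "$a_home/.ssh" || echo "FIX: chmod 700 $a_home/.ssh"
    for a_n in $(missing_known_hosts_names "$a_home/.ssh/known_hosts" "$@"); do
        echo "FIX: add $a_n to the host field in known_hosts"
    done
    for a_n in "$@"; do
        shosts_allows "$a_home/.shosts" "$a_n" "$a_user" ||
            echo "FIX: add '$a_n $a_user' to .shosts"
    done
}

tmp=$(mktemp -d)
make_sample "$tmp"
audit "$tmp" mahmood lnx_clnt_101 lnx_clnt_101.domain.com 192.168.1.101
rm -rf "$tmp"
```

The script only inspects files; the `getnameinfo` failure in the newest log is a name-resolution problem on the connecting host and has to be checked separately.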
