Secure Shell
Re: problem with HostbasedAuthentication Apr 29 2011 08:38AM
Mahmood Naderan (nt_mahmood yahoo com)
This is what I get
 
mahmood@server:~$ sudo /usr/sbin/sshd -ddd
debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 686
debug2: parse_server_config: config /etc/ssh/sshd_config len 686
debug3: /etc/ssh/sshd_config:5 setting Port 22
debug3: /etc/ssh/sshd_config:9 setting Protocol 2
debug3: /etc/ssh/sshd_config:11 setting HostKey /etc/ssh/ssh_host_rsa_key
debug3: /etc/ssh/sshd_config:12 setting HostKey /etc/ssh/ssh_host_dsa_key
debug3: /etc/ssh/sshd_config:14 setting UsePrivilegeSeparation yes
debug3: /etc/ssh/sshd_config:17 setting KeyRegenerationInterval 3600
debug3: /etc/ssh/sshd_config:18 setting ServerKeyBits 768
debug3: /etc/ssh/sshd_config:20 setting UseDns no
debug3: /etc/ssh/sshd_config:21 setting VerifyReverseMapping No
/etc/ssh/sshd_config line 21: Deprecated option VerifyReverseMapping
debug3: /etc/ssh/sshd_config:24 setting SyslogFacility AUTH
debug3: /etc/ssh/sshd_config:25 setting LogLevel INFO
debug3: /etc/ssh/sshd_config:28 setting LoginGraceTime 120
debug3: /etc/ssh/sshd_config:29 setting PermitRootLogin yes
debug3: /etc/ssh/sshd_config:30 setting StrictModes yes
debug3: /etc/ssh/sshd_config:32 setting RSAAuthentication yes
debug3: /etc/ssh/sshd_config:33 setting PubkeyAuthentication yes
debug3: /etc/ssh/sshd_config:37 setting IgnoreRhosts no
debug3: /etc/ssh/sshd_config:39 setting RhostsRSAAuthentication no
debug3: /etc/ssh/sshd_config:41 setting HostbasedAuthentication yes
debug3: /etc/ssh/sshd_config:49 setting PermitEmptyPasswords no
debug3: /etc/ssh/sshd_config:53 setting ChallengeResponseAuthentication no
debug3: /etc/ssh/sshd_config:68 setting X11Forwarding yes
debug3: /etc/ssh/sshd_config:69 setting X11DisplayOffset 10
debug3: /etc/ssh/sshd_config:70 setting PrintMotd no
debug3: /etc/ssh/sshd_config:71 setting PrintLastLog yes
debug3: /etc/ssh/sshd_config:72 setting TCPKeepAlive yes
debug3: /etc/ssh/sshd_config:79 setting AcceptEnv LANG LC_*
debug3: /etc/ssh/sshd_config:81 setting Subsystem sftp /usr/lib/openssh/sftp-server
debug3: /etc/ssh/sshd_config:92 setting UsePAM yes
debug1: sshd version OpenSSH_5.3p1 Debian-3ubuntu4
debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: private host key: #0 type 1 RSA
debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-ddd'
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 22 on 0.0.0.0.
Bind to port 22 on 0.0.0.0 failed: Address already in use.
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 22 on ::.
Bind to port 22 on :: failed: Address already in use.
Cannot bind any address.
mahmood@server:~$

// Naderan *Mahmood;

----- Original Message -----
From: Sharad <sharad2011 (at) yahoo (dot) com [email concealed]>
To: Mahmood Naderan <nt_mahmood (at) yahoo (dot) com [email concealed]>
Cc: secureshell (at) securityfocus (dot) com [email concealed]
Sent: Friday, April 29, 2011 1:04 PM
Subject: Re: problem with HostbasedAuthentication

Use the absolute path of sshd as follows:

sudo /etc/ssh/sbin/sshd -ddd

Please ensure that the path is correct. I don't know if your sshd exists in /etc/ssh/sbin/sshd.

Regards,
sharad
--- On Fri, 29/4/11, Mahmood Naderan <nt_mahmood (at) yahoo (dot) com [email concealed]> wrote:

> From: Mahmood Naderan <nt_mahmood (at) yahoo (dot) com [email concealed]>
> Subject: Re: problem with HostbasedAuthentication
> To: "Sharad" <sharad2011 (at) yahoo (dot) com [email concealed]>
> Cc: "secureshell (at) securityfocus (dot) com [email concealed]" <secureshell (at) securityfocus (dot) com [email concealed]>
> Date: Friday, 29 April, 2011, 12:34 PM
> Sorry what do you mean?
>  
> mahmood@server:~$ sudo sshd -d
> sshd re-exec requires execution with an absolute path
> mahmood@server:~$ sudo sshd -d 3
> sshd re-exec requires execution with an absolute path
> mahmood@server:~$ sudo sshd -ddd
> sshd re-exec requires execution with an absolute path
>
> My last post was the debug information for
> server->client.
>
> // Naderan *Mahmood;
>
>
> ----- Original Message -----
> From: Sharad <sharad2011 (at) yahoo (dot) com [email concealed]>
> To: Mahmood Naderan <nt_mahmood (at) yahoo (dot) com [email concealed]>
> Cc: "secureshell (at) securityfocus (dot) com [email concealed]"
> <secureshell (at) securityfocus (dot) com [email concealed]>
> Sent: Friday, April 29, 2011 11:31 AM
> Subject: Re: problem with HostbasedAuthentication
>
> Can you run debug on server as well using sshd -d. More
> -d's mean more debug information (you can use at the max 3
> d's) :D
>
> Regards,
> Sharad
> --- On Fri, 29/4/11, Mahmood Naderan <nt_mahmood (at) yahoo (dot) com [email concealed]>
> wrote:
>
> > From: Mahmood Naderan <nt_mahmood (at) yahoo (dot) com [email concealed]>
> > Subject: Re: problem with HostbasedAuthentication
> > To: "Sharad" <sharad2011 (at) yahoo (dot) com [email concealed]>
> > Cc: "secureshell (at) securityfocus (dot) com [email concealed]"
> <secureshell (at) securityfocus (dot) com [email concealed]>
> > Date: Friday, 29 April, 2011, 12:23 PM
> > The same thing happens with IP address
> >
> > mahmood@server:~$ ssh -vvv 192.168.1.3
> > OpenSSH_5.3p1 Debian-3ubuntu4, OpenSSL 0.9.8k 25 Mar 2009
> > debug1: Reading configuration data /etc/ssh/ssh_config
> > debug1: Applying options for *
> > debug2: ssh_connect: needpriv 0
> > debug1: Connecting to 192.168.1.3 [192.168.1.3] port 22.
> > debug1: Connection established.
> > debug1: identity file /home/mahmood/.ssh/identity type -1
> > debug1: identity file /home/mahmood/.ssh/id_rsa type -1
> > debug1: identity file /home/mahmood/.ssh/id_dsa type -1
> > debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3p1 Debian-3ubuntu6
> > debug1: match: OpenSSH_5.3p1 Debian-3ubuntu6 pat OpenSSH*
> > debug1: Enabling compatibility mode for protocol 2.0
> > debug1: Local version string SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu4
> > debug2: fd 3 setting O_NONBLOCK
> > debug1: SSH2_MSG_KEXINIT sent
> > debug3: Wrote 792 bytes for a total of 831
> > debug1: SSH2_MSG_KEXINIT received
> > debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> > debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> > debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> > debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> > debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> > debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> > debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
> > debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
> > debug2: kex_parse_kexinit:
> > debug2: kex_parse_kexinit:
> > debug2: kex_parse_kexinit: first_kex_follows 0
> > debug2: kex_parse_kexinit: reserved 0
> > debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> > debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> > debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> > debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> > debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> > debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> > debug2: kex_parse_kexinit: none,zlib@openssh.com
> > debug2: kex_parse_kexinit: none,zlib@openssh.com
> > debug2: kex_parse_kexinit:
> > debug2: kex_parse_kexinit:
> > debug2: kex_parse_kexinit: first_kex_follows 0
> > debug2: kex_parse_kexinit: reserved 0
> > debug2: mac_setup: found hmac-md5
> > debug1: kex: server->client aes128-ctr hmac-md5 none
> > debug2: mac_setup: found hmac-md5
> > debug1: kex: client->server aes128-ctr hmac-md5 none
> > debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> > debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> > debug3: Wrote 24 bytes for a total of 855
> > debug2: dh_gen_key: priv key bits set: 129/256
> > debug2: bits set: 505/1024
> > debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> > debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> > debug3: Wrote 144 bytes for a total of 999
> > debug3: check_host_in_hostfile: filename /home/mahmood/.ssh/known_hosts
> > debug3: check_host_in_hostfile: match line 1
> > debug1: Host '192.168.1.3' is known and matches the RSA host key.
> > debug1: Found key in /home/mahmood/.ssh/known_hosts:1
> > debug2: bits set: 517/1024
> > debug1: ssh_rsa_verify: signature correct
> > debug2: kex_derive_keys
> > debug2: set_newkeys: mode 1
> > debug1: SSH2_MSG_NEWKEYS sent
> > debug1: expecting SSH2_MSG_NEWKEYS
> > debug3: Wrote 16 bytes for a total of 1015
> > debug2: set_newkeys: mode 0
> > debug1: SSH2_MSG_NEWKEYS received
> > debug1: SSH2_MSG_SERVICE_REQUEST sent
> > debug3: Wrote 48 bytes for a total of 1063
> > debug2: service_accept: ssh-userauth
> > debug1: SSH2_MSG_SERVICE_ACCEPT received
> > debug2: key: /home/mahmood/.ssh/identity ((nil))
> > debug2: key: /home/mahmood/.ssh/id_rsa ((nil))
> > debug2: key: /home/mahmood/.ssh/id_dsa ((nil))
> > debug3: Wrote 64 bytes for a total of 1127
> > debug1: Authentications that can continue: publickey,password,hostbased
> > debug3: start over, passed a different list publickey,password,hostbased
> > debug3: preferred gssapi-keyex,gssapi-with-mic,gssapi,hostbased,publickey,keyboard-interactive,password
> > debug3: authmethod_lookup hostbased
> > debug3: remaining preferred: publickey,keyboard-interactive,password
> > debug3: authmethod_is_enabled hostbased
> > debug1: Next authentication method: hostbased
> > get_socket_address: getnameinfo 8 failed: Name or service not known
> > debug2: userauth_hostbased: chost server.
> > debug2: ssh_keysign called
> > debug3: ssh_msg_send: type 2
> > debug3: ssh_msg_recv entering
> > debug1: permanently_drop_suid: 1000
> > get_socket_address: getnameinfo 8 failed: Name or service not known
> > cannot get sockname for fd
> > ssh_keysign: no reply
> > key_sign failed
> > debug2: we did not send a packet, disable method
> > debug3: authmethod_lookup publickey
> > debug3: remaining preferred: keyboard-interactive,password
> > debug3: authmethod_is_enabled publickey
> > debug1: Next authentication method: publickey
> > debug1: Trying private key: /home/mahmood/.ssh/identity
> > debug3: no such identity: /home/mahmood/.ssh/identity
> > debug1: Trying private key: /home/mahmood/.ssh/id_rsa
> > debug3: no such identity: /home/mahmood/.ssh/id_rsa
> > debug1: Trying private key: /home/mahmood/.ssh/id_dsa
> > debug3: no such identity: /home/mahmood/.ssh/id_dsa
> > debug2: we did not send a packet, disable method
> > debug3: authmethod_lookup password
> > debug3: remaining preferred: ,password
> > debug3: authmethod_is_enabled password
> > debug1: Next authentication method: password
> > mahmood@192.168.1.3's password:
> >
> >
> > // Naderan *Mahmood;
> >
> >
> > ----- Original Message -----
> > From: Sharad <sharad2011 (at) yahoo (dot) com [email concealed]>
> > To: Mahmood Naderan <nt_mahmood (at) yahoo (dot) com [email concealed]>
> > Cc: "secureshell (at) securityfocus (dot) com [email concealed]"
> > <secureshell (at) securityfocus (dot) com [email concealed]>
> > Sent: Friday, April 29, 2011 11:19 AM
> > Subject: Re: problem with HostbasedAuthentication
> >
> > Hi Mahmood,
> >
> > This line looks out of place. Check that host name is getting
> > resolved:
> >
> > get_socket_address: getnameinfo 8 failed: Name or service not known
> >
> > I am sure you would have performed the same steps on both hosts.
> > Try establishing connection with IP Address instead of hostname.
> >
> > Regards,
> > Sharad
> > --- On Thu, 28/4/11, Mahmood Naderan <nt_mahmood (at) yahoo (dot) com [email concealed]>
> > wrote:
> >
> > > From: Mahmood Naderan <nt_mahmood (at) yahoo (dot) com [email concealed]>
> > > Subject: Re: problem with HostbasedAuthentication
> > > To: "Sharad" <sharad2011 (at) yahoo (dot) com [email concealed]>
> > > Cc: "secureshell (at) securityfocus (dot) com [email concealed]" <secureshell (at) securityfocus (dot) com [email concealed]>
> > > Date: Thursday, 28 April, 2011, 11:12 PM
> > > Dear Sharad,
> > > I am now trying to set up a hostbased ssh from server to client
> > > (previously client->server worked fine based on your help). I want
> > > it to be bidirectional.
> > >
> > > I did the same thing in reverse (now the client becomes server and
> > > the server becomes client). However this is what I get while trying
> > > to ssh from server to client:
> > >
> > > debug3: Wrote 48 bytes for a total of 1063
> > > debug2: service_accept: ssh-userauth
> > > debug1: SSH2_MSG_SERVICE_ACCEPT received
> > > debug2: key: /home/mahmood/.ssh/identity ((nil))
> > > debug2: key: /home/mahmood/.ssh/id_rsa ((nil))
> > > debug2: key: /home/mahmood/.ssh/id_dsa ((nil))
> > > debug3: Wrote 64 bytes for a total of 1127
> > > debug1: Authentications that can continue: publickey,password,hostbased
> > > debug3: start over, passed a different list publickey,password,hostbased
> > > debug3: preferred gssapi-keyex,gssapi-with-mic,gssapi,hostbased,publickey,keyboard-interactive,password
> > > debug3: authmethod_lookup hostbased
> > > debug3: remaining preferred: publickey,keyboard-interactive,password
> > > debug3: authmethod_is_enabled hostbased
> > > debug1: Next authentication method: hostbased
> > > get_socket_address: getnameinfo 8 failed: Name or service not known
> > > debug2: userauth_hostbased: chost server.
> > > debug2: ssh_keysign called
> > > debug3: ssh_msg_send: type 2
> > > debug3: ssh_msg_recv entering
> > > debug1: permanently_drop_suid: 1000
> > > get_socket_address: getnameinfo 8 failed: Name or service not known
> > > cannot get sockname for fd
> > > ssh_keysign: no reply
> > > key_sign failed
> > > debug2: we did not send a packet, disable method
> > > debug3: authmethod_lookup publickey
> > > debug3: remaining preferred: keyboard-interactive,password
> > > debug3: authmethod_is_enabled publickey
> > > debug1: Next authentication method: publickey
> > > debug1: Trying private key: /home/mahmood/.ssh/identity
> > > debug3: no such identity: /home/mahmood/.ssh/identity
> > > debug1: Trying private key: /home/mahmood/.ssh/id_rsa
> > > debug3: no such identity: /home/mahmood/.ssh/id_rsa
> > > debug1: Trying private key: /home/mahmood/.ssh/id_dsa
> > > debug3: no such identity: /home/mahmood/.ssh/id_dsa
> > > debug2: we did not send a packet, disable method
> > > debug3: authmethod_lookup password
> > > debug3: remaining preferred: ,password
> > > debug3: authmethod_is_enabled password
> > > debug1: Next authentication method: password
> > > mahmood@192.168.1.3's password:
> > >
> > >  
> > > What is your suggestion?
> > >
> > > // Naderan *Mahmood;
> > >
> > >
> > > ----- Original Message -----
> > > From: Sharad <sharad2011 (at) yahoo (dot) com [email concealed]>
> > > To: Mahmood Naderan <nt_mahmood (at) yahoo (dot) com [email concealed]>
> > > Cc: "secureshell (at) securityfocus (dot) com [email concealed]"
> > > <secureshell (at) securityfocus (dot) com [email concealed]>
> > > Sent: Thursday, April 28, 2011 5:20 PM
> > > Subject: Re: problem with
> HostbasedAuthentication
> > >
> > > Mahmood,
> > >
> > > The files are /home/username/.ssh/known_hosts on both server and
> > > client.
> > >
> > > By FQDN, I meant host's fully qualified domain name.
> > >
> > > Following is the example:
> > >
> > > Assuming both client and server are linux hosts:
> > >
> > > Server IP: 192.168.1.1
> > > Client IP: 192.168.1.101
> > >
> > > Server Name: lnx_srvr_1.domain.com
> > > Client Name: lnx_clnt_101.domain.com
> > >
> > > User name on each host is mahmood.
> > >
> > > Following would be the entries in .shosts on lnx_srvr_1
> > >
> > > lnx_srvr_1:/home/mahmood $ cat .shosts
> > >
> > > lnx_clnt_101.domain.com mahmood
> > > 192.168.1.101 mahmood
> > > lnx_clnt_101 mahmood
> > >
> > > Following should exist in /home/mahmood/.ssh/known_hosts file on
> > > the server side:
> > >
> > > 192.168.1.101,lnx_clnt_101,lnx_clnt_101.domain.com ssh-rsa AAAAB3Nz...
> > >
> > > Following should also exist in /home/mahmood/.ssh/known_hosts file
> > > on the client side:
> > > 192.168.1.1,lnx_srvr_1,lnx_srvr_1.domain.com ssh-rsa AAAAB3Nz...
> > >
> > > Ensure that .ssh directory on both client and server are rwx for
> > > owner only and group/rest of world is 000.
> > >
> > > Hope this helps! Good Luck! :)
> > >
> > > Regards,
> > > Sharad 
> > > --- On Thu, 28/4/11, Mahmood Naderan <nt_mahmood (at) yahoo (dot) com [email concealed]>
> > > wrote:
> > >
> > > > From: Mahmood Naderan <nt_mahmood (at) yahoo (dot) com [email concealed]>
> > > > Subject: Re: problem with
> > HostbasedAuthentication
> > > > To: "Sharad" <sharad2011 (at) yahoo (dot) com [email concealed]>
> > > > Cc: "secureshell (at) securityfocus (dot) com [email concealed]"
> > > <secureshell (at) securityfocus (dot) com [email concealed]>
> > > > Date: Thursday, 28 April, 2011, 3:54 PM
> > > > Can you explain exactly which file I should edit? What is FQDN?
> > > > By 'hostname', do you mean server hostname or client hostname?
> > > > Should I do that on both sides or server side?...
> > > >
> > > > // Naderan *Mahmood;
> > > >
> > > >
> > > > ----- Original Message -----
> > > > From: Sharad <sharad2011 (at) yahoo (dot) com [email concealed]>
> > > > To: Mahmood Naderan <nt_mahmood (at) yahoo (dot) com [email concealed]>;
> > > > Asif Iqbal <vadud3 (at) gmail (dot) com [email concealed]>
> > > > Cc: "secureshell (at) securityfocus (dot) com [email concealed]"
> > > > <secureshell (at) securityfocus (dot) com [email concealed]>
> > > > Sent: Thursday, April 28, 2011 1:16 PM
> > > > Subject: Re: problem with
> > HostbasedAuthentication
> > > >
> > > > Sometimes the issue lies with hostname as well. What I mean with
> > > > that is the known_hosts may have just the host name whereas when
> > > > the connection is established, the debug shows the FQDN. I faced
> > > > this issue so to be sure, I edited the known_hosts file and
> > > > inserted the hostname, hostname's FQDN and its IP address (all
> > > > comma separated).
> > > >
> > > > Also ensure that both the hosts' known_hosts files have opposite
> > > > servers names (as prescribed above).
> > > >
> > > > All the above checks make it work for me.
> > > >
> > > > Hope this solves.
> > > >
> > > > Kind regards,
> > > > Sharad
> > > > --- On Thu, 28/4/11, Asif Iqbal <vadud3 (at) gmail (dot) com [email concealed]>
> > > > wrote:
> > > >
> > > > > From: Asif Iqbal <vadud3 (at) gmail (dot) com [email concealed]>
> > > > > Subject: Re: problem with HostbasedAuthentication
> > > > > To: "Mahmood Naderan" <nt_mahmood (at) yahoo (dot) com [email concealed]>
> > > > > Cc: "secureshell (at) securityfocus (dot) com [email concealed]" <secureshell (at) securityfocus (dot) com [email concealed]>
> > > > > Date: Thursday, 28 April, 2011, 12:38 AM
> > > > > On Wed, Apr 27, 2011 at 1:12 AM, Mahmood Naderan <nt_mahmood (at) yahoo (dot) com [email concealed]> wrote:
> > > > > >> Change the order method. Have hostbased before password
> > > > > >
> > > > > > Sorry where should I do that?
> > > > >
> > > > > man ssh_config and look into PreferredAuthentications
> > > > >
> > > > > >
> > > > > > // Naderan *Mahmood;
> > > > > >
> > > > > > From: Asif Iqbal <vadud3 (at) gmail (dot) com [email concealed]>
> > > > > > To: Mahmood Naderan <nt_mahmood (at) yahoo (dot) com [email concealed]>
> > > > > > Cc: "secureshell (at) securityfocus (dot) com [email concealed]" <secureshell (at) securityfocus (dot) com [email concealed]>
> > > > > > Sent: Wednesday, April 27, 2011 9:17 AM
> > > > > > Subject: Re: problem with HostbasedAuthentication
> > > > > >
> > > > > >
> > > > > > Change the order method. Have hostbased before password
> > > > > > On Apr 26, 2011 11:52 PM, "Mahmood Naderan" <nt_mahmood (at) yahoo (dot) com [email concealed]> wrote:
> > > > > >>
> > > > > >>
> > > > > >> Hi,
> > > > > >> I am trying to setup a hostbased passwordless ssh from a client to a server using this guide http://www.ehow.com/how_7621307_set-up-hostbased-authentication.html.
> > > > > >>
> > > > > >> The client looks like:
> > > > > >>
> > > > > >> mahmood@client:~$ cat /etc/ssh/ssh_config | grep "HostbasedAuthentication"
> > > > > >>    HostbasedAuthentication yes
> > > > > >> mahmood@client:~$ cat /etc/ssh/ssh_config | grep "EnableSSHKeysign"
> > > > > >>    EnableSSHKeysign yes
> > > > > >>
> > > > > >>
> > > > > >> and the server looks like:
> > > > > >> mahmood@server:~$ cat /etc/ssh/sshd_config | grep "HostbasedAuthentication"
> > > > > >> HostbasedAuthentication yes
> > > > > >> mahmood@server:~$ cat /etc/ssh/sshd_config | grep "IgnoreRhosts"
> > > > > >> IgnoreRhosts no
> > > > > >>
> > > > > >> also the server has the key for client:
> > > > > >>
> > > > > >> mahmood@server:~$ cat /etc/ssh/ssh_known_hosts
> > > > > >> client ssh-rsa AAAAB3Nz.....
> > > > > >>
> > > > > >> the ~/.shosts file on the server contains:
> > > > > >> mahmood@server:~$ cat .shosts
> > > > > >> client.domain mahmood
> > > > > >>
> > > > > >> Then on both server and client, the ssh service is restarted:
> > > > > >> mahmood@client:~$ sudo service ssh restart
> > > > > >> ssh start/running, process 1355
> > > > > >> mahmood@server:~$ sudo service ssh restart
> > > > > >> ssh start/running, process 28982
> > > > > >>
> > > > > >> How, when I run "ssh -vvv server" from client (to show the verbose messages), I still get the password prompt.
> > > > > >>
> > > > > >> mahmood@client:~$ ssh -vvv server
> > > > > >> OpenSSH_5.3p1 Debian-3ubuntu6, OpenSSL 0.9.8k 25 Mar 2009
> > > > > >> debug1: Reading configuration data /etc/ssh/ssh_config
> > > > > >> debug1: Applying options for *
> > > > > >> debug2: ssh_connect: needpriv 0
> > > > > >> debug1: Connecting to server [192.168.1.1] port 22.
> > > > > >> debug1: Connection established.
> > > > > >> debug1: identity file /home/mahmood/.ssh/identity type -1
> > > > > >> debug1: identity file /home/mahmood/.ssh/id_rsa type -1
> > > > > >> debug1: identity file /home/mahmood/.ssh/id_dsa type -1
> > > > > >> debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3p1 Debian-3ubuntu4
> > > > > >> debug1: match: OpenSSH_5.3p1 Debian-3ubuntu4 pat OpenSSH*
> > > > > >> debug1: Enabling compatibility mode for protocol 2.0
> > > > > >> debug1: Local version string SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu6
> > > > > >> debug2: fd 3 setting O_NONBLOCK
> > > > > >> debug1: SSH2_MSG_KEXINIT sent
> > > > > >> debug3: Wrote 792 bytes for a total of 831
> > > > > >> debug1: SSH2_MSG_KEXINIT received
> > > > > >> debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> > > > > >> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> > > > > >> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> > > > > >> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> > > > > >> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> > > > > >> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> > > > > >> debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
> > > > > >> debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
> > > > > >> debug2: kex_parse_kexinit:
> > > > > >> debug2: kex_parse_kexinit:
> > > > > >> debug2: kex_parse_kexinit: first_kex_follows 0
> > > > > >> debug2: kex_parse_kexinit: reserved 0
> > > > > >> debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> > > > > >> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> > > > > >> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> > > > > >> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> > > > > >> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> > > > > >> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> > > > > >> debug2: kex_parse_kexinit: none,zlib@openssh.com
> > > > > >> debug2: kex_parse_kexinit: none,zlib@openssh.com
> > > > > >> debug2: kex_parse_kexinit:
> > > > > >> debug2: kex_parse_kexinit:
> > > > > >> debug2: kex_parse_kexinit: first_kex_follows 0
> > > > > >> debug2: kex_parse_kexinit: reserved 0
> > > > > >> debug2: mac_setup: found hmac-md5
> > > > > >> debug1: kex: server->client aes128-ctr hmac-md5 none
> > > > > >> debug2: mac_setup: found hmac-md5
> > > > > >> debug1: kex: client->server aes128-ctr hmac-md5 none
> > > > > >> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> > > > > >> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> > > > > >> debug3: Wrote 24 bytes for a total of 855
> > > > > >> debug2: dh_gen_key: priv key bits set: 124/256
> > > > > >> debug2: bits set: 507/1024
> > > > > >> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> > > > > >> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> > > > > >> debug3: Wrote 144 bytes for a total of 999
> > > > > >> debug3: check_host_in_hostfile: filename /home/mahmood/.ssh/known_hosts
> > > > > >> debug3: check_host_in_hostfile: match line 1
> > > > > >> debug3: check_host_in_hostfile: filename /home/mahmood/.ssh/known_hosts
> > > > > >> debug3: check_host_in_hostfile: match line 2
> > > > > >> debug1: Host 'server' is known and matches the RSA host key.
> > > > > >> debug1: Found key in /home/mahmood/.ssh/known_hosts:1
> > > > > >> debug2: bits set: 503/1024
> > > > > >> debug1: ssh_rsa_verify: signature correct
> > > > > >> debug2: kex_derive_keys
> > > > > >> debug2: set_newkeys: mode 1
> > > > > >> debug1: SSH2_MSG_NEWKEYS sent
> > > > > >> debug1: expecting SSH2_MSG_NEWKEYS
> > > > > >> debug3: Wrote 16 bytes for a total of 1015
> > > > > >> debug2: set_newkeys: mode 0
> > > > > >> debug1: SSH2_MSG_NEWKEYS received
> > > > > >> debug1: SSH2_MSG_SERVICE_REQUEST sent
> > > > > >> debug3: Wrote 48 bytes for a total of 1063
> > > > > >> debug2: service_accept: ssh-userauth
> > > > > >> debug1: SSH2_MSG_SERVICE_ACCEPT received
> > > > > >> debug2: key: /home/mahmood/.ssh/identity ((nil))
> > > > > >> debug2: key: /home/mahmood/.ssh/id_rsa ((nil))
> > > > > >> debug2: key: /home/mahmood/.ssh/id_dsa ((nil))
> > > > > >> debug3: Wrote 64 bytes for a total of 1127
> > > > > >> debug1: Authentications that can continue: publickey,password,hostbased
> > > > > >> debug3: start over, passed a different list publickey,password,hostbased
> > > > > >> debug3: preferred gssapi-keyex,gssapi-with-mic,gssapi,hostbased,publickey,keyboard-interactive,password
> > > > > >> debug3: authmethod_lookup hostbased
> > > > > >> debug3: remaining preferred: publickey,keyboard-interactive,password
> > > > > >> debug3: authmethod_is_enabled hostbased
> > > > > >> debug1: Next authentication method: hostbased
> > > > > >> debug2: userauth_hostbased: chost client.
> > > > > >> debug2: ssh_keysign called
> > > > > >> debug3: ssh_msg_send: type 2
> > > > > >> debug3: ssh_msg_recv entering
> > > > > >> debug1: permanently_drop_suid: 1000
> > > > > >> debug2: we sent a hostbased packet, wait for reply
> > > > > >> debug3: Wrote 608 bytes for a total of 1735
> > > > > >> debug1: Authentications that can continue: publickey,password,hostbased
> > > > > >> debug2: userauth_hostbased: chost client.
> > > > > >> debug2: ssh_keysign called
> > > > > >> debug3: ssh_msg_send: type 2
> > > > > >> debug3: ssh_msg_recv entering
> > > > > >> debug1: permanently_drop_suid: 1000
> > > > > >> debug2: we sent a hostbased packet, wait for reply
> > > > > >> debug3: Wrote 672 bytes for a total of 2407
> > > > > >> debug1: Authentications that can continue: publickey,password,hostbased
> > > > > >> debug1: No more client hostkeys for hostbased authentication.
> > > > > >> debug2: we did not send a packet, disable method
> > > > > >> debug3: authmethod_lookup publickey
> > > > > >> debug3: remaining preferred: keyboard-interactive,password
> > > > > >> debug3: authmethod_is_enabled publickey
> > > > > >> debug1: Next authentication method: publickey
> > > > > >> debug1: Trying private key: /home/mahmood/.ssh/identity
> > > > > >> debug3: no such identity: /home/mahmood/.ssh/identity
> > > > > >> debug1: Trying private key: /home/mahmood/.ssh/id_rsa
> > > > > >> debug3: no such identity: /home/mahmood/.ssh/id_rsa
> > > > > >> debug1: Trying private key: /home/mahmood/.ssh/id_dsa
> > > > > >> debug3: no such identity: /home/mahmood/.ssh/id_dsa
> > > > > >> debug2: we did not send a packet, disable method
> > > > > >> debug3: authmethod_lookup password
> > > > > >> debug3: remaining preferred: ,password
> > > > > >> debug3: authmethod_is_enabled password
> > > > > >> debug1: Next authentication method: password
> > > > > >> mahmood@server's password:
> > > > > >>
> > > > > >>
> > > > > >> Any idea about that?
> > > > > >>
> > > > > >> // Naderan *Mahmood;
> > > > > >>
> > > > > >
> > > > >
> > > > > --
> > > > > Asif Iqbal
> > > > > PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
> > > > > A: Because it messes up the order in which people normally read text.
> > > > > Q: Why is top-posting such a bad thing?
> > > >
> > >
> > >
> >
> >
>
>
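
Added example, not part of the thread and not OpenSSH code: a small Python audit of the server-side pieces Sharad lists (sshd_config options, ~/.shosts, known_hosts, ~/.ssh mode), checking that every name the server may resolve the client to is present in both files. Function names and sample data are constructed; host names are the ones from Sharad's example and the key blob is the thread's truncated placeholder.

```python
import stat

def parse_sshd_config(text):
    """Global sshd_config options as {lowercased keyword: value}; first value wins."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if not parts:
            continue
        if parts[0].lower() == "match":  # conditional blocks are out of scope here
            break
        if len(parts) == 2:
            opts.setdefault(parts[0].lower(), parts[1].strip().lower())
    return opts

def known_hosts_names(text):
    """Return (plain host names found on key lines, number of hashed lines)."""
    names, hashed = set(), 0
    for raw in text.splitlines():
        fields = raw.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue  # blank, comment, or @cert-authority/@revoked marker line
        if fields[0].startswith("|1|"):
            hashed += 1  # HashKnownHosts entry: the name cannot be read back
            continue
        names.update(h.lower() for h in fields[0].split(","))
    return names, hashed

def shosts_allows(text, host, user):
    """True if a .shosts line names this host, alone or followed by this user."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields and fields[0].lower() == host.lower() and (len(fields) == 1 or fields[1] == user):
            return True
    return False

def audit_hostbased(client_names, user, sshd_config, shosts, known_hosts, ssh_dir_mode):
    """Return a list of findings; an empty list means every check passed.
    ssh_dir_mode is st_mode of ~/.ssh, e.g. os.stat(path).st_mode."""
    findings = []
    cfg = parse_sshd_config(sshd_config)
    if cfg.get("hostbasedauthentication", "no") != "yes":
        findings.append("sshd_config: HostbasedAuthentication is not yes")
    # Default is yes (per-user files ignored); newer OpenSSH also accepts shosts-only.
    if cfg.get("ignorerhosts", "yes") not in ("no", "shosts-only"):
        findings.append("sshd_config: IgnoreRhosts hides ~/.shosts from sshd")
    if cfg.get("ignoreuserknownhosts", "no") == "yes":
        findings.append("sshd_config: IgnoreUserKnownHosts yes, ~/.ssh/known_hosts is not read")
    mode = stat.S_IMODE(ssh_dir_mode)
    if mode & 0o077:
        findings.append(f"~/.ssh mode {mode:04o} is open to group/other; expected 0700")
    listed, hashed = known_hosts_names(known_hosts)
    for name in client_names:
        if not shosts_allows(shosts, name, user):
            findings.append(f".shosts: no line for '{name} {user}'")
        if name.lower() not in listed:
            findings.append(f"known_hosts: no key line lists '{name}'")
    if hashed:
        findings.append(f"known_hosts: {hashed} hashed line(s) cannot be checked by name")
    return findings

# Constructed sample data. Option values are the ones quoted in the thread.
SSHD_CONFIG = "HostbasedAuthentication yes\nIgnoreRhosts no\n"
CLIENT_NAMES = ["lnx_clnt_101", "lnx_clnt_101.domain.com", "192.168.1.101"]

# "Before": same shape as the first post (FQDN only in .shosts, short name only
# in known_hosts), so the two files never agree on one name.
BEFORE_SHOSTS = "lnx_clnt_101.domain.com mahmood\n"
BEFORE_KNOWN_HOSTS = "lnx_clnt_101 ssh-rsa AAAAB3Nz...\n"

# "After": the entries from Sharad's example.
AFTER_SHOSTS = "lnx_clnt_101.domain.com mahmood\n192.168.1.101 mahmood\nlnx_clnt_101 mahmood\n"
AFTER_KNOWN_HOSTS = "192.168.1.101,lnx_clnt_101,lnx_clnt_101.domain.com ssh-rsa AAAAB3Nz...\n"

if __name__ == "__main__":
    for line in audit_hostbased(CLIENT_NAMES, "mahmood", SSHD_CONFIG,
                                BEFORE_SHOSTS, BEFORE_KNOWN_HOSTS, 0o40755):
        print(line)
```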
