Secure Shell
Re: problem with HostbasedAuthentication Apr 30 2011 04:57AM
Mahmood Naderan (nt_mahmood yahoo com)
>Try disabling KeySign and set it to no in the config files and restart SSHD. Try it again.
Seems to be solved. Thanks Sharad. It is now bidirectional.

// Naderan *Mahmood;

----- Original Message -----
From: Sharad <sharad2011 (at) yahoo (dot) com>
To: Mahmood Naderan <nt_mahmood (at) yahoo (dot) com>
Cc:
Sent: Friday, April 29, 2011 9:41 PM
Subject: Re: problem with HostbasedAuthentication

Hello Mahmood,

Try disabling KeySign and set it to no in the config files and restart SSHD. Try it again.

Regards,
Sharad
--- On Fri, 29/4/11, Mahmood Naderan <nt_mahmood (at) yahoo (dot) com> wrote:

> From: Mahmood Naderan <nt_mahmood (at) yahoo (dot) com>
> Subject: Re: problem with HostbasedAuthentication
> To: "Sharad" <sharad2011 (at) yahoo (dot) com>
> Cc: "secureshell (at) securityfocus (dot) com" <secureshell (at) securityfocus (dot) com>
> Date: Friday, 29 April, 2011, 5:31 PM
> On the client:
>  
> mahmood@client:~$ sudo service ssh stop
> [sudo] password for mahmood:
> ssh stop/waiting
>  
> mahmood@client:~$ sudo /usr/sbin/sshd -ddd
> debug2: load_server_config: filename /etc/ssh/sshd_config
> debug2: load_server_config: done config len = 649
> debug2: parse_server_config: config /etc/ssh/sshd_config
> len 649
> debug3: /etc/ssh/sshd_config:5 setting Port 22
> debug3: /etc/ssh/sshd_config:9 setting Protocol 2
> debug3: /etc/ssh/sshd_config:11 setting HostKey
> /etc/ssh/ssh_host_rsa_key
> debug3: /etc/ssh/sshd_config:12 setting HostKey
> /etc/ssh/ssh_host_dsa_key
> debug3: /etc/ssh/sshd_config:14 setting
> UsePrivilegeSeparation yes
> debug3: /etc/ssh/sshd_config:17 setting
> KeyRegenerationInterval 3600
> debug3: /etc/ssh/sshd_config:18 setting ServerKeyBits 768
> debug3: /etc/ssh/sshd_config:21 setting SyslogFacility
> AUTH
> debug3: /etc/ssh/sshd_config:22 setting LogLevel INFO
> debug3: /etc/ssh/sshd_config:25 setting LoginGraceTime 120
> debug3: /etc/ssh/sshd_config:26 setting PermitRootLogin
> yes
> debug3: /etc/ssh/sshd_config:27 setting StrictModes yes
> debug3: /etc/ssh/sshd_config:29 setting RSAAuthentication
> yes
> debug3: /etc/ssh/sshd_config:30 setting
> PubkeyAuthentication yes
> debug3: /etc/ssh/sshd_config:34 setting IgnoreRhosts no
> debug3: /etc/ssh/sshd_config:36 setting
> RhostsRSAAuthentication no
> debug3: /etc/ssh/sshd_config:38 setting
> HostbasedAuthentication yes
> debug3: /etc/ssh/sshd_config:43 setting
> PermitEmptyPasswords no
> debug3: /etc/ssh/sshd_config:47 setting
> ChallengeResponseAuthentication no
> debug3: /etc/ssh/sshd_config:62 setting X11Forwarding yes
> debug3: /etc/ssh/sshd_config:63 setting X11DisplayOffset
> 10
> debug3: /etc/ssh/sshd_config:64 setting PrintMotd no
> debug3: /etc/ssh/sshd_config:65 setting PrintLastLog yes
> debug3: /etc/ssh/sshd_config:66 setting TCPKeepAlive yes
> debug3: /etc/ssh/sshd_config:73 setting AcceptEnv LANG
> LC_*
> debug3: /etc/ssh/sshd_config:75 setting Subsystem sftp
> /usr/lib/openssh/sftp-server
> debug3: /etc/ssh/sshd_config:86 setting UsePAM yes
> debug1: sshd version OpenSSH_5.3p1 Debian-3ubuntu6
> debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
> debug1: read PEM private key done: type RSA
> debug1: Checking blacklist file
> /usr/share/ssh/blacklist.RSA-2048
> debug1: Checking blacklist file
> /etc/ssh/blacklist.RSA-2048
> debug1: private host key: #0 type 1 RSA
> debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
> debug1: read PEM private key done: type DSA
> debug1: Checking blacklist file
> /usr/share/ssh/blacklist.DSA-1024
> debug1: Checking blacklist file
> /etc/ssh/blacklist.DSA-1024
> debug1: private host key: #1 type 2 DSA
> debug1: rexec_argv[0]='/usr/sbin/sshd'
> debug1: rexec_argv[1]='-ddd'
> debug2: fd 3 setting O_NONBLOCK
> debug1: Bind to port 22 on 0.0.0.0.
> Server listening on 0.0.0.0 port 22.
> debug2: fd 4 setting O_NONBLOCK
> debug1: Bind to port 22 on ::.
> Server listening on :: port 22.
>  
>  
>
> While it is listenning, in another shell I ran
>
> mahmood@server:~$ ssh -vvv 192.168.1.3
>  
> Then in the first terminal (which -ddd is on) I see
> debug3: fd 5 is not O_NONBLOCK
> debug1: Server will not fork when running in debugging
> mode.
> debug3: send_rexec_state: entering fd = 8 config len 649
> debug3: ssh_msg_send: type 0
> debug3: send_rexec_state: done
> debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
> debug1: inetd sockets after dupping: 3, 3
> Connection from 192.168.1.1 port 42036
> debug1: Client protocol version 2.0; client software
> version OpenSSH_5.3p1 Debian-3ubuntu4
> debug1: match: OpenSSH_5.3p1 Debian-3ubuntu4 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_5.3p1
> Debian-3ubuntu6
> debug2: fd 3 setting O_NONBLOCK
> debug2: Network child is on pid 2829
> debug3: preauth child monitor started
> debug3: mm_request_receive entering
> debug3: privsep user:group 103:65534
> debug1: permanently_set_uid: 103/65534
> debug1: list_hostkey_types: ssh-rsa,ssh-dss
> debug1: SSH2_MSG_KEXINIT sent
> debug3: Wrote 784 bytes for a total of 823
> debug1: SSH2_MSG_KEXINIT received
> debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib@openssh.com
> debug2: kex_parse_kexinit: none,zlib@openssh.com
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
> debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: mac_setup: found hmac-md5
> debug1: kex: client->server aes128-ctr hmac-md5 none
> debug2: mac_setup: found hmac-md5
> debug1: kex: server->client aes128-ctr hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
> debug3: mm_request_send entering: type 0
> debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI
> debug3: mm_request_receive_expect entering: type 1
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 0
> debug3: mm_answer_moduli: got parameters: 1024 1024 8192
> debug3: mm_request_send entering: type 1
> debug2: monitor_read: 0 used once, disabling now
> debug3: mm_request_receive entering
> debug3: mm_choose_dh: remaining 0
> debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
> debug3: Wrote 152 bytes for a total of 975
> debug2: dh_gen_key: priv key bits set: 129/256
> debug2: bits set: 504/1024
> debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
> debug2: bits set: 551/1024
> debug3: mm_key_sign entering
> debug3: mm_request_send entering: type 5
> debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN
> debug3: mm_request_receive_expect entering: type 6
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 5
> debug3: mm_answer_sign
> debug3: mm_answer_sign: signature 0x7f0bb6bdfbf0(271)
> debug3: mm_request_send entering: type 6
> debug2: monitor_read: 5 used once, disabling now
> debug3: mm_request_receive entering
> debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
> debug2: kex_derive_keys
> debug2: set_newkeys: mode 1
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug3: Wrote 720 bytes for a total of 1695
> debug2: set_newkeys: mode 0
> debug1: SSH2_MSG_NEWKEYS received
> debug1: KEX done
> debug3: Wrote 48 bytes for a total of 1743
> debug1: userauth-request for user mahmood service
> ssh-connection method none
> debug1: attempt 0 failures 0
> debug3: mm_getpwnamallow entering
> debug3: mm_request_send entering: type 7
> debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
> debug3: mm_request_receive_expect entering: type 8
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 7
> debug3: mm_answer_pwnamallow
> debug3: Trying to reverse map address 192.168.1.1.
> debug2: parse_server_config: config reprocess config len
> 649
> debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
> debug3: mm_request_send entering: type 8
> debug2: monitor_read: 7 used once, disabling now
> debug3: mm_request_receive entering
> debug2: input_userauth_request: setting up authctxt for
> mahmood
> debug3: mm_start_pam entering
> debug3: mm_request_send entering: type 50
> debug3: mm_inform_authserv entering
> debug3: monitor_read: checking request 50
> debug3: mm_request_send entering: type 3
> debug1: PAM: initializing for "mahmood"
> debug2: input_userauth_request: try method none
> debug3: mm_auth_password entering
> debug3: mm_request_send entering: type 11
> debug3: mm_auth_password: waiting for
> MONITOR_ANS_AUTHPASSWORD
> debug3: mm_request_receive_expect entering: type 12
> debug3: mm_request_receive entering
> debug1: PAM: setting PAM_RHOST to "server"
> debug1: PAM: setting PAM_TTY to "ssh"
> debug2: monitor_read: 50 used once, disabling now
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 3
> debug3: mm_answer_authserv: service=ssh-connection, style=,
> role=
> debug2: monitor_read: 3 used once, disabling now
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 11
> debug3: mm_answer_authpassword: sending result 0
> debug3: mm_request_send entering: type 12
> Failed none for mahmood from 192.168.1.1 port 42036 ssh2
> debug3: mm_request_receive entering
> debug3: mm_auth_password: user not authenticated
> debug3: Wrote 64 bytes for a total of 1807
>  
>  
>  
>
> and in the second shell that I used -vvv, I see
>  
> OpenSSH_5.3p1 Debian-3ubuntu4, OpenSSL 0.9.8k 25 Mar 2009
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug2: ssh_connect: needpriv 0
> debug1: Connecting to 192.168.1.3 [192.168.1.3] port 22.
> debug1: Connection established.
> debug1: identity file /home/mahmood/.ssh/identity type -1
> debug1: identity file /home/mahmood/.ssh/id_rsa type -1
> debug1: identity file /home/mahmood/.ssh/id_dsa type -1
> debug1: Remote protocol version 2.0, remote software
> version OpenSSH_5.3p1 Debian-3ubuntu6
> debug1: match: OpenSSH_5.3p1 Debian-3ubuntu6 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_5.3p1
> Debian-3ubuntu4
> debug2: fd 3 setting O_NONBLOCK
> debug1: SSH2_MSG_KEXINIT sent
> debug3: Wrote 792 bytes for a total of 831
> debug1: SSH2_MSG_KEXINIT received
> debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
> debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib@openssh.com
> debug2: kex_parse_kexinit: none,zlib@openssh.com
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: mac_setup: found hmac-md5
> debug1: kex: server->client aes128-ctr hmac-md5 none
> debug2: mac_setup: found hmac-md5
> debug1: kex: client->server aes128-ctr hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192)
> sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> debug3: Wrote 24 bytes for a total of 855
> debug2: dh_gen_key: priv key bits set: 131/256
> debug2: bits set: 551/1024
> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> debug3: Wrote 144 bytes for a total of 999
> debug3: check_host_in_hostfile: filename
> /home/mahmood/.ssh/known_hosts
> debug3: check_host_in_hostfile: match line 1
> debug1: Host '192.168.1.3' is known and matches the RSA
> host key.
> debug1: Found key in /home/mahmood/.ssh/known_hosts:1
> debug2: bits set: 504/1024
> debug1: ssh_rsa_verify: signature correct
> debug2: kex_derive_keys
> debug2: set_newkeys: mode 1
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug3: Wrote 16 bytes for a total of 1015
> debug2: set_newkeys: mode 0
> debug1: SSH2_MSG_NEWKEYS received
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug3: Wrote 48 bytes for a total of 1063
> debug2: service_accept: ssh-userauth
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug2: key: /home/mahmood/.ssh/identity ((nil))
> debug2: key: /home/mahmood/.ssh/id_rsa ((nil))
> debug2: key: /home/mahmood/.ssh/id_dsa ((nil))
> debug3: Wrote 64 bytes for a total of 1127
> debug1: Authentications that can continue:
> publickey,password,hostbased
> debug3: start over, passed a different list
> publickey,password,hostbased
> debug3: preferred gssapi-keyex,gssapi-with-mic,gssapi,hostbased,publickey,keyboard-interactive,password
> debug3: authmethod_lookup hostbased
> debug3: remaining preferred:
> publickey,keyboard-interactive,password
> debug3: authmethod_is_enabled hostbased
> debug1: Next authentication method: hostbased
> get_socket_address: getnameinfo 8 failed: Name or service
> not known
> debug2: userauth_hostbased: chost server.
> debug2: ssh_keysign called
> debug3: ssh_msg_send: type 2
> debug3: ssh_msg_recv entering
> debug1: permanently_drop_suid: 1000
> get_socket_address: getnameinfo 8 failed: Name or service
> not known
> cannot get sockname for fd
> ssh_keysign: no reply
> key_sign failed
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup publickey
> debug3: remaining preferred: keyboard-interactive,password
> debug3: authmethod_is_enabled publickey
> debug1: Next authentication method: publickey
> debug1: Trying private key: /home/mahmood/.ssh/identity
> debug3: no such identity: /home/mahmood/.ssh/identity
> debug1: Trying private key: /home/mahmood/.ssh/id_rsa
> debug3: no such identity: /home/mahmood/.ssh/id_rsa
> debug1: Trying private key: /home/mahmood/.ssh/id_dsa
> debug3: no such identity: /home/mahmood/.ssh/id_dsa
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup password
> debug3: remaining preferred: ,password
> debug3: authmethod_is_enabled password
> debug1: Next authentication method: password
> mahmood@192.168.1.3's password:
>  
>
> Hope that is the correct information you need.
> Thanks.
>  
> // Naderan *Mahmood;
>
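An added diagnostic helper, written for this archive page and not part of the thread: it reads the two debug logs quoted above and reports, per authentication method, whether the client's attempt ever reached the server. On these logs it shows the hostbased attempt dying in the local ssh-keysign step ("we did not send a packet"), which is why the `sshd -ddd` side only ever records a `none` attempt. The sample lines are copied from the thread and re-joined onto single lines; the KEYSIGN_ERRORS markers are my assumption about which client messages indicate a keysign failure.

```python
import re

# Constructed samples: lines from the two debug logs quoted in the thread (client
# "ssh -vvv 192.168.1.3", server "sshd -ddd"), re-joined onto single lines.
CLIENT_LOG = """\
debug1: Next authentication method: hostbased
cannot get sockname for fd
ssh_keysign: no reply
key_sign failed
debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
"""
SERVER_LOG = """\
debug1: userauth-request for user mahmood service ssh-connection method none
"""

# Assumed keysign-failure markers, taken from the client messages in the thread.
KEYSIGN_ERRORS = ("ssh_keysign:", "key_sign failed", "cannot get sockname")


def client_attempts(log):
    """One dict per method the client tried: method, sent (None/False), errors."""
    attempts, cur = [], None
    for line in log.splitlines():
        m = re.match(r"debug1: Next authentication method: (\S+)", line)
        if m:
            cur = {"method": m.group(1), "sent": None, "errors": []}
            attempts.append(cur)
        elif cur and "we did not send a packet" in line:
            cur["sent"] = False  # gave up before any userauth request left the client
        elif cur and line.startswith(KEYSIGN_ERRORS):
            cur["errors"].append(line)
    return attempts


def server_methods(log):
    """Set of userauth methods the server actually received."""
    return set(re.findall(r"userauth-request for user \S+ service \S+ method (\S+)", log))


def diagnose(client_log, server_log):
    """Map each client-side method to where its attempt ended."""
    seen = server_methods(server_log)
    findings = {}
    for a in client_attempts(client_log):
        m = a["method"]
        if a["sent"] is False and m not in seen:
            why = "local ssh-keysign failure" if a["errors"] else "nothing to offer"
            findings[m] = f"never reached the server ({why})"
        elif m in seen:
            findings[m] = "reached the server"
        else:
            findings[m] = "outcome not shown in excerpt"
    return findings
```

Running `diagnose(CLIENT_LOG, SERVER_LOG)` on the thread's excerpts flags hostbased as never reaching the server because of the keysign failure, which points the investigation at the client host rather than at sshd_config.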

Copyright 2010, SecurityFocus