Secure Shell
Re: problem with HostbasedAuthentication Apr 28 2011 08:46AM
Sharad (sharad2011 yahoo com) (1 replies)
Re: problem with HostbasedAuthentication Apr 28 2011 10:24AM
Mahmood Naderan (nt_mahmood yahoo com) (1 replies)
Re: problem with HostbasedAuthentication Apr 28 2011 12:50PM
Sharad (sharad2011 yahoo com) (1 replies)
Re: problem with HostbasedAuthentication Apr 28 2011 05:42PM
Mahmood Naderan (nt_mahmood yahoo com) (2 replies)
Re: problem with HostbasedAuthentication Apr 29 2011 12:54PM
Silvers, Timothy (tsilver indiana edu)
I may have missed some of the details, so I apologize if this has been covered, but if you want to do host-based authentication, the SSH configs (client and server) need:

HostbasedAuthentication yes

If you need to change the configs, restart SSHD.

service sshd restart

The server has to allow the connections from the remote host. So the remote host's public key, from /etc/ssh/ssh_host_(r|d)sa_key.pub, has to be in /etc/ssh/ssh_known_hosts2, and as stated, you may want to place a comma-separated list of shortname, FQDN and IP before the start of the key so it matches any of those iterations.

Finally, you also need to include the hostname in the user's .shosts file on the server. You said you have this:

mahmood@server:~$ cat .shosts
client.domain mahmood

That doesn't look right to me. It should just be hostname followed by a user, unless you just want to allow in connections as the user.

mahmood@server:~$ cat .shosts
mahmood.domain.com

OR

mahmood@server:~$ cat .shosts
mahmood.domain.com myaccount
mahmood.domain.com anotheruser

Good luck.

Tim

On Apr 28, 2011, at 1:42 PM, Mahmood Naderan wrote:

> Dear Sharad,
> I am now trying to setup a hostbased ssh from server to client (previously client->server worked fine based on your help). I want it to be bidirectional.
>
> I did the same thing in reverse (now the client becomes server and the server becoms client). However this is what I get while trying to ssh from server to client:
>
>
> debug3: Wrote 48 bytes for a total of 1063
> debug2: service_accept: ssh-userauth
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug2: key: /home/mahmood/.ssh/identity ((nil))
> debug2: key: /home/mahmood/.ssh/id_rsa ((nil))
> debug2: key: /home/mahmood/.ssh/id_dsa ((nil))
> debug3: Wrote 64 bytes for a total of 1127
> debug1: Authentications that can continue: publickey,password,hostbased
> debug3: start over, passed a different list publickey,password,hostbased
> debug3: preferred gssapi-keyex,gssapi-with-mic,gssapi,hostbased,publickey,keyboard-interactive,password
> debug3: authmethod_lookup hostbased
> debug3: remaining preferred: publickey,keyboard-interactive,password
> debug3: authmethod_is_enabled hostbased
> debug1: Next authentication method: hostbased
> get_socket_address: getnameinfo 8 failed: Name or service not known
> debug2: userauth_hostbased: chost server.
> debug2: ssh_keysign called
> debug3: ssh_msg_send: type 2
> debug3: ssh_msg_recv entering
> debug1: permanently_drop_suid: 1000
> get_socket_address: getnameinfo 8 failed: Name or service not known
> cannot get sockname for fd
> ssh_keysign: no reply
> key_sign failed
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup publickey
> debug3: remaining preferred: keyboard-interactive,password
> debug3: authmethod_is_enabled publickey
> debug1: Next authentication method: publickey
> debug1: Trying private key: /home/mahmood/.ssh/identity
> debug3: no such identity: /home/mahmood/.ssh/identity
> debug1: Trying private key: /home/mahmood/.ssh/id_rsa
> debug3: no such identity: /home/mahmood/.ssh/id_rsa
> debug1: Trying private key: /home/mahmood/.ssh/id_dsa
> debug3: no such identity: /home/mahmood/.ssh/id_dsa
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup password
> debug3: remaining preferred: ,password
> debug3: authmethod_is_enabled password
> debug1: Next authentication method: password
> mahmood@192.168.1.3's password:
>
>
> What is your suggestion?
>
> // Naderan *Mahmood;
>
>
> ----- Original Message -----
> From: Sharad <sharad2011 (at) yahoo (dot) com [email concealed]>
> To: Mahmood Naderan <nt_mahmood (at) yahoo (dot) com [email concealed]>
> Cc: "secureshell (at) securityfocus (dot) com [email concealed]" <secureshell (at) securityfocus (dot) com [email concealed]>
> Sent: Thursday, April 28, 2011 5:20 PM
> Subject: Re: problem with HostbasedAuthentication
>
> Mahmood,
>
> The files are /home/username/.ssh/known_hosts on both server and client.
>
> By FQDN, I meant host's fully qualified domain name.
>
> Following is the example:
>
> Assuming both client and server are linux hosts:
>
> Server IP: 192.168.1.1
> Client IP: 192.168.1.101
>
> Server Name: lnx_srvr_1.domain.com
> Client Name: lnx_clnt_101.domain.com
>
> User name on each host is mahmood.
>
> Following would be the entries in .shosts on lnx_srvr_1
>
>
> lnx_srvr_1:/home/mahmood $ cat .shosts
>
> lnx_clnt_101.domain.com mahmood
> 192.168.1.101 mahmood
> lnx_clnt_101 mahmood
>
> Following should exist in /home/mahmood/.ssh/known_hosts file on the server side:
> 192.168.1.101,lnx_clnt_101,lnx_clnt_101.domain.com ssh-rsa AAAAB3Nz...
>
> Following should also exist in /home/mahmood/.ssh/known_hosts file on the client side:
> 192.168.1.1,lnx_srvr_1,lnx_srvr_1.domain.com ssh-rsa AAAAB3Nz...
>
> Ensure that .ssh directory on both client and server are rwx for owner only and group/rest of world is 000.
>
> Hope this helps! Good Luck! :)
>
> Regards,
> Sharad
> --- On Thu, 28/4/11, Mahmood Naderan <nt_mahmood (at) yahoo (dot) com [email concealed]> wrote:
>
>> From: Mahmood Naderan <nt_mahmood (at) yahoo (dot) com [email concealed]>
>> Subject: Re: problem with HostbasedAuthentication
>> To: "Sharad" <sharad2011 (at) yahoo (dot) com [email concealed]>
>> Cc: "secureshell (at) securityfocus (dot) com [email concealed]" <secureshell (at) securityfocus (dot) com [email concealed]>
>> Date: Thursday, 28 April, 2011, 3:54 PM
>> Can you explain exactly which file I should edit? What is FQDN? By 'hostname', do you mean server
>> hostname or client hostname?
>> Should I do that on both sides or server side?...
>>
>> // Naderan *Mahmood;
>>
>>
>> ----- Original Message -----
>> From: Sharad <sharad2011 (at) yahoo (dot) com [email concealed]>
>> To: Mahmood Naderan <nt_mahmood (at) yahoo (dot) com [email concealed]>;
>> Asif Iqbal <vadud3 (at) gmail (dot) com [email concealed]>
>> Cc: "secureshell (at) securityfocus (dot) com [email concealed]"
>> <secureshell (at) securityfocus (dot) com [email concealed]>
>> Sent: Thursday, April 28, 2011 1:16 PM
>> Subject: Re: problem with HostbasedAuthentication
>>
>> Sometimes the issue lies with hostname as well. What I mean
>> with that is the known_hosts may have just the host name
>> where as when the connection is established, the debug shows
>> the FQDN. I faced this issue so to be sure, I edited the
>> known_hosts file and inserted the hostname, hostname's FQDN
>> and it's IP address (all comma separated).
>>
>> Also ensure that you both the hosts' known_hosts files have
>> opposite servers names (as prescribed above).
>>
>> All the above checks makes it work for me.
>>
>> Hope this solves.
>>
>> Kind regards,
>> Sharad
>> --- On Thu, 28/4/11, Asif Iqbal <vadud3 (at) gmail (dot) com [email concealed]> wrote:
>>
>>> From: Asif Iqbal <vadud3 (at) gmail (dot) com [email concealed]>
>>> Subject: Re: problem with HostbasedAuthentication
>>> To: "Mahmood Naderan" <nt_mahmood (at) yahoo (dot) com [email concealed]>
>>> Cc: "secureshell (at) securityfocus (dot) com [email concealed]" <secureshell (at) securityfocus (dot) com [email concealed]>
>>> Date: Thursday, 28 April, 2011, 12:38 AM
>>> On Wed, Apr 27, 2011 at 1:12 AM, Mahmood Naderan <nt_mahmood (at) yahoo (dot) com [email concealed]> wrote:
>>>>> Change the order method. Have hostbased before password
>>>>
>>>> Sorry where should I do that?
>>>
>>> man ssh_config and look into PreferredAuthentications
>>>
>>>>
>>>> // Naderan *Mahmood;
>>>>
>>>> From: Asif Iqbal <vadud3 (at) gmail (dot) com [email concealed]>
>>>> To: Mahmood Naderan <nt_mahmood (at) yahoo (dot) com [email concealed]>
>>>> Cc: "secureshell (at) securityfocus (dot) com [email concealed]" <secureshell (at) securityfocus (dot) com [email concealed]>
>>>> Sent: Wednesday, April 27, 2011 9:17 AM
>>>> Subject: Re: problem with HostbasedAuthentication
>>>>
>>>>
>>>> Change the order method. Have hostbased before password
>>>> On Apr 26, 2011 11:52 PM, "Mahmood Naderan" <nt_mahmood (at) yahoo (dot) com [email concealed]> wrote:
>>>>>
>>>>>
>>>>> Hi,
>>>>> I am trying to setup a hostbased passwordless ssh from a client to a server using this guide http://www.ehow.com/how_7621307_set-up-hostbased-authentication.html.
>>>>>
>>>>> The client looks like:
>>>>>
>>>>> mahmood@client:~$ cat /etc/ssh/ssh_config | grep "HostbasedAuthentication"
>>>>> HostbasedAuthentication yes
>>>>> mahmood@client:~$ cat /etc/ssh/ssh_config | grep "EnableSSHKeysign"
>>>>> EnableSSHKeysign yes
>>>>>
>>>>>
>>>>> and the server looks like:
>>>>> mahmood@server:~$ cat /etc/ssh/sshd_config | grep "HostbasedAuthentication"
>>>>> HostbasedAuthentication yes
>>>>> mahmood@server:~$ cat /etc/ssh/sshd_config | grep "IgnoreRhosts"
>>>>> IgnoreRhosts no
>>>>>
>>>>> also the server has the key for client:
>>>>>
>>>>> mahmood@server:~$ cat /etc/ssh/ssh_known_hosts
>>>>> client ssh-rsa AAAAB3Nz.....
>>>>>
>>>>> the ~/.shosts file on the server contains:
>>>>> mahmood@server:~$ cat .shosts
>>>>> client.domain mahmood
>>>>>
>>>>> Then on both server and client, the ssh service is restarted:
>>>>> mahmood@client:~$ sudo service ssh restart
>>>>> ssh start/running, process 1355
>>>>> mahmood@server:~$ sudo service ssh restart
>>>>> ssh start/running, process 28982
>>>>>
>>>>> Now, when I run "ssh -vvv server" from client (to show the verbose messages), I still get the password prompt.
>>>>>
>>>>> mahmood@client:~$ ssh -vvv server
>>>>> OpenSSH_5.3p1 Debian-3ubuntu6, OpenSSL 0.9.8k 25 Mar 2009
>>>>> debug1: Reading configuration data /etc/ssh/ssh_config
>>>>> debug1: Applying options for *
>>>>> debug2: ssh_connect: needpriv 0
>>>>> debug1: Connecting to server [192.168.1.1] port 22.
>>>>> debug1: Connection established.
>>>>> debug1: identity file /home/mahmood/.ssh/identity type -1
>>>>> debug1: identity file /home/mahmood/.ssh/id_rsa type -1
>>>>> debug1: identity file /home/mahmood/.ssh/id_dsa type -1
>>>>> debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3p1 Debian-3ubuntu4
>>>>> debug1: match: OpenSSH_5.3p1 Debian-3ubuntu4 pat OpenSSH*
>>>>> debug1: Enabling compatibility mode for protocol 2.0
>>>>> debug1: Local version string SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu6
>>>>> debug2: fd 3 setting O_NONBLOCK
>>>>> debug1: SSH2_MSG_KEXINIT sent
>>>>> debug3: Wrote 792 bytes for a total of 831
>>>>> debug1: SSH2_MSG_KEXINIT received
>>>>> debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
>>>>> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
>>>>> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
>>>>> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
>>>>> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
>>>>> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
>>>>> debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
>>>>> debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
>>>>> debug2: kex_parse_kexinit:
>>>>> debug2: kex_parse_kexinit:
>>>>> debug2: kex_parse_kexinit: first_kex_follows 0
>>>>> debug2: kex_parse_kexinit: reserved 0
>>>>> debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
>>>>> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
>>>>> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
>>>>> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
>>>>> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
>>>>> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
>>>>> debug2: kex_parse_kexinit: none,zlib@openssh.com
>>>>> debug2: kex_parse_kexinit: none,zlib@openssh.com
>>>>> debug2: kex_parse_kexinit:
>>>>> debug2: kex_parse_kexinit:
>>>>> debug2: kex_parse_kexinit: first_kex_follows 0
>>>>> debug2: kex_parse_kexinit: reserved 0
>>>>> debug2: mac_setup: found hmac-md5
>>>>> debug1: kex: server->client aes128-ctr hmac-md5 none
>>>>> debug2: mac_setup: found hmac-md5
>>>>> debug1: kex: client->server aes128-ctr hmac-md5 none
>>>>> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
>>>>> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
>>>>> debug3: Wrote 24 bytes for a total of 855
>>>>> debug2: dh_gen_key: priv key bits set: 124/256
>>>>> debug2: bits set: 507/1024
>>>>> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
>>>>> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
>>>>> debug3: Wrote 144 bytes for a total of 999
>>>>> debug3: check_host_in_hostfile: filename /home/mahmood/.ssh/known_hosts
>>>>> debug3: check_host_in_hostfile: match line 1
>>>>> debug3: check_host_in_hostfile: filename /home/mahmood/.ssh/known_hosts
>>>>> debug3: check_host_in_hostfile: match line 2
>>>>> debug1: Host 'server' is known and matches the RSA host key.
>>>>> debug1: Found key in /home/mahmood/.ssh/known_hosts:1
>>>>> debug2: bits set: 503/1024
>>>>> debug1: ssh_rsa_verify: signature correct
>>>>> debug2: kex_derive_keys
>>>>> debug2: set_newkeys: mode 1
>>>>> debug1: SSH2_MSG_NEWKEYS sent
>>>>> debug1: expecting SSH2_MSG_NEWKEYS
>>>>> debug3: Wrote 16 bytes for a total of 1015
>>>>> debug2: set_newkeys: mode 0
>>>>> debug1: SSH2_MSG_NEWKEYS received
>>>>> debug1: SSH2_MSG_SERVICE_REQUEST sent
>>>>> debug3: Wrote 48 bytes for a total of 1063
>>>>> debug2: service_accept: ssh-userauth
>>>>> debug1: SSH2_MSG_SERVICE_ACCEPT received
>>>>> debug2: key: /home/mahmood/.ssh/identity ((nil))
>>>>> debug2: key: /home/mahmood/.ssh/id_rsa ((nil))
>>>>> debug2: key: /home/mahmood/.ssh/id_dsa ((nil))
>>>>> debug3: Wrote 64 bytes for a total of 1127
>>>>> debug1: Authentications that can continue: publickey,password,hostbased
>>>>> debug3: start over, passed a different list publickey,password,hostbased
>>>>> debug3: preferred gssapi-keyex,gssapi-with-mic,gssapi,hostbased,publickey,keyboard-interactive,password
>>>>> debug3: authmethod_lookup hostbased
>>>>> debug3: remaining preferred: publickey,keyboard-interactive,password
>>>>> debug3: authmethod_is_enabled hostbased
>>>>> debug1: Next authentication method: hostbased
>>>>> debug2: userauth_hostbased: chost client.
>>>>> debug2: ssh_keysign called
>>>>> debug3: ssh_msg_send: type 2
>>>>> debug3: ssh_msg_recv entering
>>>>> debug1: permanently_drop_suid: 1000
>>>>> debug2: we sent a hostbased packet, wait for reply
>>>>> debug3: Wrote 608 bytes for a total of 1735
>>>>> debug1: Authentications that can continue: publickey,password,hostbased
>>>>> debug2: userauth_hostbased: chost client.
>>>>> debug2: ssh_keysign called
>>>>> debug3: ssh_msg_send: type 2
>>>>> debug3: ssh_msg_recv entering
>>>>> debug1: permanently_drop_suid: 1000
>>>>> debug2: we sent a hostbased packet, wait for reply
>>>>> debug3: Wrote 672 bytes for a total of 2407
>>>>> debug1: Authentications that can continue: publickey,password,hostbased
>>>>> debug1: No more client hostkeys for hostbased authentication.
>>>>> debug2: we did not send a packet, disable method
>>>>> debug3: authmethod_lookup publickey
>>>>> debug3: remaining preferred: keyboard-interactive,password
>>>>> debug3: authmethod_is_enabled publickey
>>>>> debug1: Next authentication method: publickey
>>>>> debug1: Trying private key: /home/mahmood/.ssh/identity
>>>>> debug3: no such identity: /home/mahmood/.ssh/identity
>>>>> debug1: Trying private key: /home/mahmood/.ssh/id_rsa
>>>>> debug3: no such identity: /home/mahmood/.ssh/id_rsa
>>>>> debug1: Trying private key: /home/mahmood/.ssh/id_dsa
>>>>> debug3: no such identity: /home/mahmood/.ssh/id_dsa
>>>>> debug2: we did not send a packet, disable method
>>>>> debug3: authmethod_lookup password
>>>>> debug3: remaining preferred: ,password
>>>>> debug3: authmethod_is_enabled password
>>>>> debug1: Next authentication method: password
>>>>> mahmood@server's password:
>>>>>
>>>>>
>>>>> Any idea about that?
>>>>>
>>>>> // Naderan *Mahmood;
>>>>>
>>>>
>>>
>>>
>>>
>>> --
>>> Asif Iqbal
>>> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
>>> A: Because it messes up the order in which people normally read text.
>>> Q: Why is top-posting such a bad thing?
>>>
>>
>
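
A way to verify the server-side prerequisites the replies describe (the client's host key present under every name the server may use for it, and a "hostname [user]" line in .shosts), as an added example that is not code from the thread or from OpenSSH. It parses constructed known_hosts and .shosts contents; the hostnames, IP addresses and key strings are made up, the handling of hashed (HashKnownHosts) entries and @revoked markers goes beyond what the thread shows, and the report keys are this example's own:

```python
"""Server-side checks for OpenSSH host-based authentication.

Added example, not code from the thread.  It applies the rules the replies
give: the client's host key must be findable under every name the server
may see (IP, short name, FQDN), and ~/.shosts must carry "hostname [user]".
All file contents, names, IPs and key material below are constructed.
"""
import base64
import fnmatch
import hashlib
import hmac
from typing import Dict, List, Optional, Set, Tuple

# Constructed stand-in for /etc/ssh/ssh_known_hosts on the server.  The first
# entry follows Sharad's advice (IP, short name, FQDN, comma-separated); the
# second lists only a short name, as in the original post.
KNOWN_HOSTS = """\
# client host keys trusted for hostbased authentication
192.168.1.101,lnx_clnt_101,lnx_clnt_101.domain.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCexample== lnx_clnt_101
client ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDshortonly== client
@revoked old_box.domain.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDrevoked== retired
"""

# Constructed stand-in for ~/.shosts of the target account on the server:
# "hostname user", or bare "hostname" to admit only the same user name.
SHOSTS = """\
lnx_clnt_101.domain.com mahmood
192.168.1.101 mahmood
lnx_clnt_101 mahmood
buildbox.domain.com
"""


def hashed_pattern(name: str, salt: bytes) -> str:
    """Build the |1|salt|hash form that HashKnownHosts / ssh-keygen -H write."""
    digest = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def host_matches(pattern: str, name: str) -> bool:
    """Match one known_hosts host pattern (plain, wildcard or hashed) against a name."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, hash_b64 = pattern.split("|")
        digest = hmac.new(base64.b64decode(salt_b64), name.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(base64.b64encode(digest).decode(), hash_b64)
    return fnmatch.fnmatchcase(name, pattern)


def parse_known_hosts(text: str) -> List[Tuple[List[str], str, str]]:
    """Return (host patterns, key type, base64 key) per usable entry."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        marker = None
        if fields[0].startswith("@"):          # @cert-authority or @revoked
            marker, fields = fields[0], fields[1:]
        if marker == "@revoked" or len(fields) < 3:
            continue                            # a revoked key never authenticates
        entries.append((fields[0].split(","), fields[1], fields[2]))
    return entries


def keys_by_client_name(text: str, client_names: Set[str]) -> Dict[str, bool]:
    """For each name the server may resolve the client to: is a host key present?"""
    entries = parse_known_hosts(text)
    return {name: any(host_matches(p, name) for patterns, _, _ in entries for p in patterns)
            for name in client_names}


def parse_shosts(text: str) -> List[Tuple[str, Optional[str]]]:
    """Return (hostname, remote user or None) per line, the format Tim describes."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        rules.append((fields[0], fields[1] if len(fields) > 1 else None))
    return rules


def shosts_allows(text: str, client_names: Set[str], remote_user: str, local_user: str) -> bool:
    """True if some .shosts line admits remote_user from the client into local_user."""
    for host, user in parse_shosts(text):
        if host not in client_names:
            continue
        if (user is None and remote_user == local_user) or user == remote_user:
            return True
    return False


def private_dir_ok(mode: int) -> bool:
    """Sharad's permission check: ~/.ssh must grant nothing to group or others."""
    return (mode & 0o077) == 0


def check_client(known_hosts: str, shosts: str, client_names: Set[str],
                 remote_user: str, local_user: str) -> Dict[str, object]:
    """Combine the checks into one report for a connecting client."""
    found = keys_by_client_name(known_hosts, client_names)
    return {
        "host_key_under_every_name": all(found.values()),
        "names_missing_host_key": sorted(n for n, ok in found.items() if not ok),
        "shosts_permits": shosts_allows(shosts, client_names, remote_user, local_user),
    }


if __name__ == "__main__":
    good = {"192.168.1.101", "lnx_clnt_101", "lnx_clnt_101.domain.com"}
    print(check_client(KNOWN_HOSTS, SHOSTS, good, "mahmood", "mahmood"))
    poor = {"192.168.1.3", "client", "client.domain"}
    print(check_client(KNOWN_HOSTS, SHOSTS, poor, "mahmood", "mahmood"))
```

The second report shows the failure shape from the original post: the key is only findable under the bare short name, so any lookup by IP or FQDN misses it, and no .shosts line names the host the server actually sees.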

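
The two transcripts quoted in the thread fail at different points: in the client->server one the server answers each hostbased packet with a fresh method list, while in the server->client one ssh-keysign fails before anything is sent. An added example (not from the thread) that reads `ssh -vvv` output and labels which case applies; the log excerpts are constructed from the quoted lines, and the outcome names and hints are this example's own vocabulary, the hints restating advice given in the replies:

```python
"""Label why the hostbased method did not get a client in, from `ssh -vvv`.

Added example, not from the thread.  The transcripts below are constructed
excerpts modelled on the ones quoted in the thread; the outcome labels and
hints are this example's own.
"""
import re
from typing import Dict, List, Optional

RE_OFFERED = re.compile(r"Authentications that can continue: (\S+)")
RE_NEXT = re.compile(r"Next authentication method: (\S+)")
RE_CHOST = re.compile(r"userauth_hostbased: chost (\S+)")

# Each hint restates advice given in the thread for that failure shape.
HINTS = {
    "succeeded": "hostbased authentication worked",
    "not_offered_by_server": "server: HostbasedAuthentication yes in sshd_config, then restart sshd",
    "not_attempted_by_client": "client: HostbasedAuthentication yes in ssh_config and hostbased "
                               "ahead of password in PreferredAuthentications",
    "keysign_failed": "client: ssh-keysign produced no signature; EnableSSHKeysign yes and "
                      "read the errors it printed",
    "rejected_by_server": "server: client host key listed under IP, short name and FQDN in "
                          "ssh_known_hosts, plus a matching .shosts line",
    "no_client_host_key": "client: no host key was available to offer",
}

# Constructed excerpt modelled on the client->server transcript.
LOG_REJECTED = """\
debug1: Authentications that can continue: publickey,password,hostbased
debug1: Next authentication method: hostbased
debug2: userauth_hostbased: chost client.
debug2: ssh_keysign called
debug2: we sent a hostbased packet, wait for reply
debug1: Authentications that can continue: publickey,password,hostbased
debug2: userauth_hostbased: chost client.
debug2: ssh_keysign called
debug2: we sent a hostbased packet, wait for reply
debug1: Authentications that can continue: publickey,password,hostbased
debug1: No more client hostkeys for hostbased authentication.
debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
debug1: Next authentication method: password
"""

# Constructed excerpt modelled on the server->client transcript.
LOG_KEYSIGN = """\
debug1: Authentications that can continue: publickey,password,hostbased
debug1: Next authentication method: hostbased
get_socket_address: getnameinfo 8 failed: Name or service not known
debug2: userauth_hostbased: chost server.
debug2: ssh_keysign called
debug3: ssh_msg_send: type 2
debug1: permanently_drop_suid: 1000
get_socket_address: getnameinfo 8 failed: Name or service not known
cannot get sockname for fd
ssh_keysign: no reply
key_sign failed
debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
debug1: Next authentication method: password
"""


def analyze(log: str) -> Dict[str, object]:
    """Summarise the userauth phase and label the hostbased outcome."""
    offered: List[str] = []
    tried: List[str] = []
    chost: Optional[str] = None
    sent = 0
    keysign_errors: List[str] = []
    in_keysign = keysign_failed = succeeded = False
    for raw in log.splitlines():
        line = raw.strip()
        m = RE_OFFERED.search(line)
        if m and not offered:               # first list = what the server offers
            offered = m.group(1).split(",")
        m = RE_NEXT.search(line)
        if m:
            tried.append(m.group(1))
        m = RE_CHOST.search(line)
        if m:
            chost = m.group(1)               # the name the client claims for itself
        if "Authentication succeeded (hostbased)" in line:
            succeeded = True
        if "ssh_keysign called" in line:
            in_keysign = True
        elif "key_sign failed" in line:
            keysign_failed, in_keysign = True, False
        elif "we sent a hostbased packet" in line:
            sent += 1
            in_keysign = False
        elif in_keysign and line and not line.startswith("debug"):
            keysign_errors.append(line)      # what the setuid helper printed
    if succeeded:
        outcome = "succeeded"
    elif "hostbased" not in offered:
        outcome = "not_offered_by_server"
    elif "hostbased" not in tried:
        outcome = "not_attempted_by_client"
    elif keysign_failed:
        outcome = "keysign_failed"
    elif sent:
        outcome = "rejected_by_server"
    else:
        outcome = "no_client_host_key"
    return {"offered": offered, "tried": tried, "chost": chost,
            "hostbased_packets_sent": sent, "keysign_errors": keysign_errors,
            "outcome": outcome, "hint": HINTS[outcome]}


if __name__ == "__main__":
    for name, log in (("client->server", LOG_REJECTED), ("server->client", LOG_KEYSIGN)):
        r = analyze(log)
        print(f"{name}: {r['outcome']} (chost={r['chost']}, sent={r['hostbased_packets_sent']})")
        print("  hint:", r["hint"])
```

Note that chost is reported with the trailing dot the client sends ("client."), which is the value the server has to map onto its own known_hosts and .shosts entries; comparing it with the names listed there is the quickest way to spot the short-name-versus-FQDN mismatch Sharad describes.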
Re: problem with HostbasedAuthentication Apr 29 2011 06:49AM
Sharad (sharad2011 yahoo com) (1 replies)
Re: problem with HostbasedAuthentication Apr 29 2011 06:53AM
Mahmood Naderan (nt_mahmood yahoo com) (1 replies)
Re: problem with HostbasedAuthentication Apr 29 2011 07:01AM
Sharad (sharad2011 yahoo com) (1 replies)
Re: problem with HostbasedAuthentication Apr 29 2011 07:04AM
Mahmood Naderan (nt_mahmood yahoo com) (1 replies)
Re: problem with HostbasedAuthentication Apr 29 2011 08:34AM
Sharad (sharad2011 yahoo com)