[Bug 3507] Cannot get host-based authentication to work

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Wed Dec 7 22:18:59 AEDT 2022


https://bugzilla.mindrot.org/show_bug.cgi?id=3507

--- Comment #8 from Darren Tucker <dtucker at dtucker.net> ---
(In reply to Thomas Koeller from comment #5)
> (In reply to Darren Tucker from comment #3)
> > Also, what's in sshd_config?  Unless you have your DNS forward and
> > reverse exactly right, you probably want
> > "HostbasedUsesNameFromPacketOnly yes" in sshd_config.
> 
> Attaching the server configuration.
> 
> Here is the result of a forward/reverse lookup of the host name in
> use, I think that should be o.k.?

Hard to tell from here but I don't see anything obvious.  Setting
HostbasedUsesNameFromPacketOnly would remove name resolution as a
variable, though.

I note from the logs that this is a vendor-modified version of OpenSSH
8.8.  Can you reproduce the problem with a current version of stock
openssh from openssh.com?

There were a couple of fixes to hostbased in 8.9, but I think only RSA
keys were affected and you're not using those:

 * ssh(1): unbreak hostbased auth using RSA keys. Allow ssh(1) to
   select RSA keys when only RSA/SHA2 signature algorithms are
   configured (this is the default case). Previously RSA keys were
   not being considered in the default case.

 * ssh-keysign(1): make ssh-keysign use the requested signature
   algorithm and not the default for the key type. Part of unbreaking
   hostbased auth for RSA/SHA2 keys.
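
The check below is an added diagnostic example, not part of the original message and not OpenSSH code. It assumes that, with HostbasedUsesNameFromPacketOnly off, the server compares the host name sent by the client against the forward-confirmed reverse-DNS name of the connecting address; the function names and the sample records are constructed for illustration.

```python
import socket

def reverse_lookup(ip):
    """PTR lookup: primary name for ip, or None if there is no record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def forward_lookup(name):
    """A/AAAA lookup: set of addresses for name (empty on failure)."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None)}
    except OSError:
        return set()

def norm(name):
    # Compare names case-insensitively and without a trailing root dot.
    return name.rstrip(".").lower()

def check_hostbased_name(ip, claimed, reverse=reverse_lookup,
                         forward=forward_lookup):
    """Return (ok, detail) for a client at ip that claims host name claimed.

    ok is True only if ip has a PTR record, that name resolves back to ip,
    and the name equals the one the client claims.
    """
    ptr = reverse(ip)
    if ptr is None:
        return False, f"no PTR record for {ip}"
    if ip not in forward(ptr):
        return False, f"{ptr} does not resolve back to {ip}"
    if norm(ptr) != norm(claimed):
        return False, f"client sends {claimed}, server resolves {ip} to {ptr}"
    return True, f"{ip} <-> {norm(ptr)} is consistent"

if __name__ == "__main__":
    # Constructed sample records (documentation address range), so the
    # demonstration runs offline; drop the two arguments to query real DNS.
    ptr = {"192.0.2.10": "client.example.org", "192.0.2.20": "old.example.org"}
    fwd = {"client.example.org": {"192.0.2.10"},
           "old.example.org": {"192.0.2.99"}}
    for ip, name in [("192.0.2.10", "client.example.org."),
                     ("192.0.2.10", "client"),
                     ("192.0.2.20", "old.example.org")]:
        print(check_hostbased_name(ip, name, ptr.get,
                                   lambda n: fwd.get(n, set())))
```

A short name or a stale PTR record fails this check even when a plain forward lookup of the client name looks fine, which is the kind of mismatch that setting HostbasedUsesNameFromPacketOnly takes out of the picture.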
