[Bug 3507] Cannot get host-based authentication to work

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Thu Dec 8 11:32:13 AEDT 2022


https://bugzilla.mindrot.org/show_bug.cgi?id=3507

--- Comment #20 from Thomas Koeller <thomas at koeller.dyndns.org> ---
(In reply to Iain Morgan from comment #19)
> This looks like a client-side issue to me.
> 
> The client logs indicate that no host based authentication packet
> was sent.  Since EnableSSHKeysign is set in the ssh_config, this
> probably means that the permissions are incorrect on either the
> ssh-keysign executable or the private host keys.
> 
> Note that on Red Hat, ssh-keysign is normally setgid to group
> ssh_keys, and the private keys are expected to be readable by that
> group.  Whereas, stock OpenSSH expects the private keys to be
> readable only by root and thus ssh-keysign should be setuid root.


This is correct, I figured that out, too:
[root@sarkovy ssh]# ls -l /usr/libexec/openssh/ssh-keysign
-r-xr-sr-x. 1 root ssh_keys 326064 29. Sep 13:45 /usr/libexec/openssh/ssh-keysign

So I reset the permissions on the key accordingly:

[root@sarkovy ssh]# ls -l /etc/ssh/ssh_host_ed25519_key
-rw-r-----. 1 root ssh_keys 419  6. Dez 23:11 /etc/ssh/ssh_host_ed25519_key

This did not help, and anyway, a fresh build of OpenSSH 9.1p1 exhibits
the same behavior.

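The permission pairing discussed in this comment (setgid ssh-keysign with group-readable host keys, or setuid-root ssh-keysign with root-only keys) can be checked mechanically. The script below is an added example, not part of the bug report or of OpenSSH; the function names are hypothetical, it assumes Linux with GNU stat, and it assumes the calling user does not own the key file.

```shell
#!/bin/sh
# Added example (not from the bug report). Assumes Linux with GNU stat.

# keysign_verdict HMODE HUID HGID KMODE KUID KGID
# Pure check on octal modes and numeric ids: does the helper's setuid or
# setgid bit give it read access to the private host key? Returns 0 if yes.
keysign_verdict() {
    hmode=$((0$1)); huid=$2; hgid=$3
    kmode=$((0$4)); kuid=$5; kgid=$6
    if [ $((hmode & 04000)) -ne 0 ]; then
        # A setuid helper runs with the uid of the helper's owner.
        if [ "$huid" -eq 0 ]; then
            echo "ok: setuid root helper"; return 0
        fi
        if [ "$huid" -eq "$kuid" ] && [ $((kmode & 0400)) -ne 0 ]; then
            echo "ok: setuid helper owns the key"; return 0
        fi
    fi
    if [ $((hmode & 02000)) -ne 0 ]; then
        # A setgid helper runs with the gid of the helper's group.
        if [ "$hgid" -eq "$kgid" ] && [ $((kmode & 0040)) -ne 0 ]; then
            echo "ok: setgid helper, key is group-readable"; return 0
        fi
        echo "mismatch: setgid helper (gid $hgid), key gid $kgid mode $4"
        return 1
    fi
    echo "mismatch: helper mode $1 gives no read access to key mode $4"
    return 1
}

# check_keysign HELPER KEY...: stat the real files, one verdict per key.
check_keysign() {
    helper=$1; shift
    rc=0
    for key in "$@"; do
        if [ ! -e "$helper" ] || [ ! -e "$key" ]; then
            echo "$key: helper or key missing"; rc=1; continue
        fi
        printf '%s: ' "$key"
        # Unquoted on purpose: each stat call expands to three arguments.
        keysign_verdict $(stat -c '%a %u %g' "$helper") \
                        $(stat -c '%a %u %g' "$key") || rc=1
    done
    return $rc
}

# e.g. sh check.sh /usr/libexec/openssh/ssh-keysign /etc/ssh/ssh_host_*_key
if [ "$#" -ge 2 ]; then check_keysign "$@"; fi
```

For the listing shown in this comment (helper mode 2555, key mode 640, both in group ssh_keys) the check reports ok.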