[Bug 3615] Host Based Authentication is failing

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Fri Sep 22 12:34:07 AEST 2023


https://bugzilla.mindrot.org/show_bug.cgi?id=3615

--- Comment #14 from Darren Tucker <dtucker at dtucker.net> ---
(In reply to Richard Kreutzer from comment #12)
> OK, for the sake of simplicity, I have tested with rsa only...
> 
> Here is basement-gentoo:/etc/ssh/ssh_host_rsa_key.pub
> basement-gentoo.krautclan.com ssh-rsa [...]

That's wrong, the host public keys don't have the name in them, only
when you add them to known_hosts.  I'm not sure if that'll actually
cause a problem since the public key can be derived from the private
key, but still I'd change it back...

> Here is gemini:/etc/ssh/ssh_known_hosts
> 
> basement-gentoo.krautclan.com ssh-rsa [...]

This format is right.

It's hard to tell what happened without the client side debugging, but
it looks like the client did not try hostbased for some reason.

> debug3: append_hostkey_type: ssh-rsa key not permitted by
> HostkeyAlgorithms [preauth]

That's a wrinkle: ssh-rsa *keys* are also usable by the SHA2-based RSA
*algorithms* such as rsa-sha2-512 which are enabled by default.  It is
one more variable though.

Here's what I suggest to reduce the number of variables:
 - test only with ssh-ed25519 keys since those have only one algorithm
 - keep HostbasedUsesNameFromPacketOnly yes and
PreferredAuthentications=hostbased
 - put two entries in ssh_known_hosts for your FQDN both with and
without a trailing dot
 - always use the FQDN on the SSH command line, since "ssh ... gemini"
would likely mean you're sending it without the domain name, and since
you have HostBasedUsesNameFromPacket that won't match the
ssh_known_hosts entry (again, without the client side debugging it's
hard to tell).

Then once you get it working, start changing one thing at a time until
you get it to the config you want (e.g. by adding "Hostname $your_fqdn"
to your ~/.ssh/config).
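As an added illustration (not part of the thread or of OpenSSH's own code), a small Python check of the two file formats discussed above: it flags a hostname in the first field of a ssh_host_*_key.pub line, emits the two ssh_known_hosts entries (FQDN with and without trailing dot), and simulates a simplified server-side lookup to show why a bare short name does not match. The key blob is constructed, the hostnames are taken from the thread, and the lookup ignores wildcards, negation and hashed hosts.

```python
import base64
import struct

# Key types that may appear as the first field of an OpenSSH public key line.
KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
             "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com"}

def validate_hostkey_pub(line):
    """Problems with a ssh_host_*_key.pub line (empty list if it is fine).
    A hostname in the first field is the mistake called out in the comment."""
    fields = line.split()
    if len(fields) < 2:
        return ["expected '<keytype> <base64 blob> [comment]'"]
    if fields[0] not in KEY_TYPES:
        return [f"first field {fields[0]!r} is not a key type; "
                "host key files carry no hostname"]
    return []

def known_hosts_entries(fqdn, pub_line):
    """The two ssh_known_hosts lines suggested above: the FQDN with and
    without a trailing dot, each carrying the host key's type and blob."""
    problems = validate_hostkey_pub(pub_line)
    if problems:
        raise ValueError("; ".join(problems))
    keytype, blob = pub_line.split()[:2]
    return [f"{fqdn} {keytype} {blob}", f"{fqdn}. {keytype} {blob}"]

def known_hosts_lookup(entries, presented_name, keytype, blob):
    """Simplified server-side check: does an entry list presented_name
    (case-insensitive exact match; no wildcards, negation or hashed hosts)
    with exactly this key type and blob? A bare 'basement-gentoo' misses
    entries written for the FQDN, which is the mismatch described above."""
    want = presented_name.lower()
    for entry in entries:
        fields = entry.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        hosts = {h.lower() for h in fields[0].split(",")}
        if want in hosts and fields[1] == keytype and fields[2] == blob:
            return True
    return False

def _sample_blob():
    """Constructed ed25519-shaped wire blob (not a real key), base64-encoded."""
    raw = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
    return base64.b64encode(raw).decode()

SAMPLE_BLOB = _sample_blob()
SAMPLE_PUB = f"ssh-ed25519 {SAMPLE_BLOB} root@basement-gentoo"        # correct form
BAD_PUB = f"basement-gentoo.krautclan.com ssh-ed25519 {SAMPLE_BLOB}"  # hostname prepended
```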
