HostbasedAuthentication, and my silliness

J.S.Peatfield at damtp.cam.ac.uk
Wed May 9 09:38:43 EST 2001


Maybe I just can't read properly, but I just spent the best part of a
day trying to work out why HostbasedAuthentication wouldn't work for
me (with protocol 2 in openssh-2.9p1).

It seems (though maybe there is something wrong with my install), that
after enabling it in the sshd_config it doesn't work, since the client
will not in fact request it (by default).

I was fooled by the statement in the ssh man page about
HostbasedAuthentication that the client supports this by default (well
it is set to "yes").  While it supports it, it seems that the default
value for PreferredAuthentications is set to:

  publickey,password,keyboard-interactive,hostbased

so it starts prompting for a password before getting that far.
Setting the list to:

  publickey,hostbased,password,keyboard-interactive

in ssh_config seems to do the trick, but even having added this I
still can't find anything obvious which I should have seen before.

If nothing else I'd suggest a statement in the ssh man page in the
section for HostbasedAuthentication saying that one needs to alter the
PreferredAuthentications before it is likely to work.

Looking at the code in sshconnect2.c it seems to default to the order
in the authmethods array, is there any reason not to patch that to
place hostbased before password?

Am I missing something, is this a subtle hint that we should not
actually use HostbasedAuthentication?

 -- Jon
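
An added example, not part of the original message and not OpenSSH code: a small check that reads ssh_config text and lists the prompting methods a client would try before hostbased for a given host. It assumes the client defaults are as the post reports them for openssh-2.9p1, uses a constructed sample config, and handles only plain `Host` wildcard patterns (no negation or other directives that change matching).

```python
import re
from fnmatch import fnmatchcase

# Assumption: client defaults as the post reports them for openssh-2.9p1.
POST_DEFAULT_ORDER = "publickey,password,keyboard-interactive,hostbased"
POST_DEFAULT_HOSTBASED = "yes"
PROMPTING = {"password", "keyboard-interactive"}
LINE = re.compile(r"(\w+)(?:\s*=\s*|\s+)(.+)")  # "Key value" or "Key=value"

# Constructed sample ssh_config, not taken from the post.
SAMPLE = """\
# reorder methods only for hosts where hostbased is expected to work
Host *.example.org
    PreferredAuthentications publickey,hostbased,password,keyboard-interactive
Host *
    HostbasedAuthentication yes
"""

def effective_options(config_text, host):
    """Collect the options that apply to host; the first value seen wins."""
    opts, applies = {}, True
    for raw in config_text.splitlines():
        m = LINE.fullmatch(raw.strip())
        if not m:  # blank lines and comments do not match
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":  # simplified: plain wildcard patterns only
            applies = any(fnmatchcase(host, p) for p in value.split())
        elif applies:
            opts.setdefault(key, value)
    return opts

def prompts_before_hostbased(config_text, host):
    """Prompting methods listed ahead of hostbased; None if hostbased is off or unlisted."""
    opts = effective_options(config_text, host)
    enabled = opts.get("hostbasedauthentication", POST_DEFAULT_HOSTBASED).lower() == "yes"
    order = [m.strip() for m in
             opts.get("preferredauthentications", POST_DEFAULT_ORDER).split(",")]
    if not enabled or "hostbased" not in order:
        return None
    return [m for m in order[:order.index("hostbased")] if m in PROMPTING]

if __name__ == "__main__":
    for h in ("build1.example.org", "elsewhere.test"):
        print(h, prompts_before_hostbased(SAMPLE, h))
```

An empty list means hostbased is attempted before any method that prompts; a non-empty list names the methods that would prompt first, which is the behaviour described in the message.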


