openssh 3.5p1 hostbased authentication

Jason P Holland jholland at cs.selu.edu
Thu Feb 6 04:49:39 EST 2003


hello,
  i did some debugging today, here is the weird portion from sshd -d -d -d

debug1: userauth-request for user jholland service ssh-connection method hostbased
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method hostbased
debug1: userauth_hostbased: cuser jholland chost i2-0. pkalg ssh-dss slen 55
debug3: mm_key_allowed entering
debug3: mm_request_send entering: type 20
debug3: monitor_read: checking request 20
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 0x6000000000022cd0
debug2: userauth_hostbased: chost i2-0. resolvedname i2-0 ipaddr 192.168.100.10
debug2: stripping trailing dot from chost i2-0.
debug2: auth_rhosts2: clientuser jholland hostname i2-0 ipaddr 192.168.100.10
debug1: temporarily_use_uid: 500/100 (e=0/0)
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
debug3: mm_request_receive_expect entering: type 21
debug3: mm_request_receive entering
debug1: restore_uid: 0/0
debug2: userauth_hostbased: access allowed by auth_rhosts2
debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts
debug3: key_read: type mismatch
debug1: temporarily_use_uid: 500/100 (e=0/0)
debug3: check_host_in_hostfile: filename /home/jholland/.ssh/known_hosts
debug3: key_read: type mismatch
debug1: restore_uid: 0/0
debug2: check_key_in_hostfiles: key not found for i2-0
debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts2
debug1: temporarily_use_uid: 500/100 (e=0/0)
debug3: check_host_in_hostfile: filename /home/jholland/.ssh/known_hosts2
debug1: restore_uid: 0/0
debug2: check_key_in_hostfiles: key not found for i2-0
debug3: mm_answer_keyallowed: key 0x6000000000022cd0 is disallowed
debug3: mm_append_debug: Appending debug messages for child
debug3: mm_request_send entering: type 21
debug3: mm_request_receive entering
debug3: mm_send_debug: Sending debug: Accepted for i2-0 [192.168.100.10] by /etc/hosts.equiv.
debug2: userauth_hostbased: authenticated 0
Failed hostbased for jholland from 192.168.100.10 port 32965 ssh2

what in the world is the "key_read: type mismatch" all about?  I'm using
rsa pub key in my ssh_known_hosts file.

can someone help me out?  thanks

jason

> 
> hello all,
>   i know this question has been asked before, i have read the posts, but i
> just cannot figure out how to get hostbased authentication working.  i am
> running openssh 3.5p1 on some redhat advanced workstation 2.1 for ia64
> architecture systems.  i have enabled HostbasedAuthentication in both my 
> /etc/ssh/ssh_config file and /etc/ssh/sshd_config file.  I have all my 
> known hosts listed in /etc/ssh/ssh_known_hosts.  I also have my 
> /etc/ssh/shosts.equiv file setup as well.  However, after all that, i'm 
> still prompted for a password.
> 
> [root@i2-1 ssh]# ssh -v -v i2-0
> OpenSSH_3.5p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug1: Rhosts Authentication disabled, originating port will not be trusted.
> debug1: ssh_connect: needpriv 0
> debug1: Connecting to i2-0 [192.168.100.10] port 22.
> debug1: Connection established.
> debug1: read PEM private key done: type DSA
> debug1: read PEM private key done: type RSA
> debug1: identity file /root/.ssh/identity type -1
> debug1: identity file /root/.ssh/id_rsa type -1
> debug2: key_type_from_name: unknown key type '-----BEGIN'
> debug2: key_type_from_name: unknown key type '-----END'
> debug1: identity file /root/.ssh/id_dsa type 2
> debug1: Remote protocol version 1.99, remote software version OpenSSH_3.5p1
> debug1: match: OpenSSH_3.5p1 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_3.5p1
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
> debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib
> debug2: kex_parse_kexinit: none,zlib
> debug2: kex_parse_kexinit: 
> debug2: kex_parse_kexinit: 
> debug2: kex_parse_kexinit: first_kex_follows 0 
> debug2: kex_parse_kexinit: reserved 0 
> debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
> debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib
> debug2: kex_parse_kexinit: none,zlib
> debug2: kex_parse_kexinit: 
> debug2: kex_parse_kexinit: 
> debug2: kex_parse_kexinit: first_kex_follows 0 
> debug2: kex_parse_kexinit: reserved 0 
> debug2: mac_init: found hmac-md5
> debug1: kex: server->client aes128-cbc hmac-md5 none
> debug2: mac_init: found hmac-md5
> debug1: kex: client->server aes128-cbc hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> debug1: dh_gen_key: priv key bits set: 137/256
> debug1: bits set: 1614/3191
> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> debug1: Host 'i2-0' is known and matches the RSA host key.
> debug1: Found key in /etc/ssh/ssh_known_hosts:1
> debug1: bits set: 1587/3191
> debug1: ssh_rsa_verify: signature correct
> debug1: kex_derive_keys
> debug1: newkeys: mode 1
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: waiting for SSH2_MSG_NEWKEYS
> debug1: newkeys: mode 0
> debug1: SSH2_MSG_NEWKEYS received
> debug1: done: ssh_kex2.
> debug1: send SSH2_MSG_SERVICE_REQUEST
> debug1: service_accept: ssh-userauth
> debug1: got SSH2_MSG_SERVICE_ACCEPT
> debug1: authentications that can continue: publickey,password,keyboard-interactive,hostbased
> debug1: next auth method to try is hostbased
> debug2: userauth_hostbased: chost i2-1.
> debug2: we sent a hostbased packet, wait for reply
> debug1: authentications that can continue: publickey,password,keyboard-interactive,hostbased
> debug2: userauth_hostbased: chost i2-1.
> debug2: we sent a hostbased packet, wait for reply
> debug1: authentications that can continue: publickey,password,keyboard-interactive,hostbased
> debug1: userauth_hostbased: no more client hostkeys
> debug2: we did not send a packet, disable method
> debug1: next auth method to try is publickey
> debug1: try privkey: /root/.ssh/identity
> debug1: try privkey: /root/.ssh/id_rsa
> debug1: try pubkey: /root/.ssh/id_dsa
> debug2: we sent a publickey packet, wait for reply
> debug1: authentications that can continue: publickey,password,keyboard-interactive,hostbased
> debug2: we did not send a packet, disable method
> debug1: next auth method to try is keyboard-interactive
> debug2: userauth_kbdint
> debug2: we sent a keyboard-interactive packet, wait for reply
> debug1: authentications that can continue: publickey,password,keyboard-interactive,hostbased
> debug2: we did not send a packet, disable method
> debug1: next auth method to try is password
> root@i2-0's password: 
> 
> 
> seems like it is stuck waiting for a hostbased packet reply, but never
> gets it.  i have no clue where to go from here.  there are no firewalls on
> these machines either.  and i have tried privileged and unpriv ports.  
> any help would be greatly appreciated.  thanks!
> 
> Jason
> 
> ps  please cc me, i'm not subscribed to the list, thanks
> 
> 
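
Added example, not part of the original message and not OpenSSH code: a check that compares the key algorithm the client offered for hostbased authentication (the `pkalg` value in the sshd debug line) with the key types listed for that client host in a known_hosts file. The function names, the log excerpt and the known_hosts entries are constructed for illustration, and the key blobs are placeholders.

```python
import re

# Constructed sample: sshd -d -d -d lines shaped like those in the message above.
SAMPLE_LOG = """\
debug1: userauth_hostbased: cuser jholland chost i2-0. pkalg ssh-dss slen 55
debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts
debug3: key_read: type mismatch
debug2: check_key_in_hostfiles: key not found for i2-0
"""

# Constructed known_hosts content; the key blobs are placeholders, not real keys.
SAMPLE_KNOWN_HOSTS = """\
i2-0,192.168.100.10 ssh-rsa AAAA-PLACEHOLDER-RSA
i2-1 ssh-dss AAAA-PLACEHOLDER-DSS
i2-1 1024 35 1234567890
"""

OFFER_RE = re.compile(r"userauth_hostbased: cuser (\S+) chost (\S+) pkalg (\S+)")

def offered_keys(log_text):
    """Return (user, client_host, pkalg) for each hostbased attempt sshd logged."""
    return [(user, chost.rstrip("."), pkalg)  # sshd strips the trailing dot too
            for user, chost, pkalg in OFFER_RE.findall(log_text)]

def known_key_types(known_hosts_text, host):
    """Key types listed for host; exact names only, no patterns or hashed entries."""
    types = set()
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@", "|")):
            continue
        if host in fields[0].split(","):
            # Protocol 1 lines are "host bits exponent modulus" with no type name.
            types.add("rsa1" if fields[1].isdigit() else fields[1])
    return types

def diagnose(log_text, known_hosts_text):
    """Per attempt: (host, offered type, types on file, whether the offer can match)."""
    findings = []
    for _user, host, pkalg in offered_keys(log_text):
        on_file = known_key_types(known_hosts_text, host)
        findings.append((host, pkalg, sorted(on_file), pkalg in on_file))
    return findings

if __name__ == "__main__":
    for host, pkalg, on_file, ok in diagnose(SAMPLE_LOG, SAMPLE_KNOWN_HOSTS):
        print(f"{host}: offered {pkalg}, known_hosts has {on_file}, match possible: {ok}")
```
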




More information about the openssh-unix-dev mailing list