Hostbased Authentication Question

Jason P Holland jholland at cs.selu.edu
Sat Mar 1 14:49:33 EST 2003


Finally!!  That was the one thing I had not tried, AND IT WORKED!  If that 
is documented somewhere, then I missed it or didn't realize it was the 
problem.  Philippe, many, many thanks for your help!

Jason

> Did you try with a different account ?
> 
> I believe root logins do not use (s)hosts.equiv but require
> an explicit .[sr]hosts file (which, in turn, requires you to
> set "IgnoreRhosts no").
> 
> 			Philippe.
> 
> ---
> Philippe Levan | Systems Engineering
> levan at epix.net | epix Internet Services
> 
> On Fri, 28 Feb 2003, Jason P Holland wrote:
> 
> > Hi,
> >   I am still working on getting hostbased authentication working in
> > OpenSSH 3.5p1.  I emailed the user list, and got no response.  It seems so
> > simple, yet I have continued to have problems getting it working properly.
> > I've read posts about it on this list, and the openssh-unix-dev list, and
> > nothing I have tried seems to work. My question is this, does it matter
> > which key, either ssh_host_key.pub or ssh_host_rsa_key.pub or
> > ssh_host_dsa_key.pub, you put in /etc/ssh/ssh_known_hosts???  I have tried
> > all three, and continue to get this error from sshd -d -d -d
> >
> > debug1: userauth_hostbased: cuser root chost mckinley. pkalg ssh-dss slen 55
> > debug3: mm_key_allowed entering
> > debug3: mm_request_send entering: type 20
> > debug3: monitor_read: checking request 20
> > debug3: mm_answer_keyallowed entering
> > debug3: mm_answer_keyallowed: key_from_blob: 0x80a4e88
> > debug2: userauth_hostbased: chost mckinley. resolvedname mckinley ipaddr 192.168.10.1
> > debug2: stripping trailing dot from chost mckinley.
> > debug2: auth_rhosts2: clientuser root hostname mckinley ipaddr 192.168.10.1
> > debug1: temporarily_use_uid: 0/0 (e=0/0)
> > debug1: restore_uid: 0/0
> > debug1: temporarily_use_uid: 0/0 (e=0/0)
> > debug1: restore_uid: 0/0
> > debug3: mm_answer_keyallowed: key 0x80a4e88 is disallowed
> > debug3: mm_request_send entering: type 21
> > debug3: mm_request_receive entering
> > debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
> > debug3: mm_request_receive_expect entering: type 21
> > debug3: mm_request_receive entering
> > debug2: userauth_hostbased: authenticated 0
> >
> > Notice the "key 0x80a4e88 is disallowed" line.  If I have all my host keys
> > in /etc/ssh/ssh_known_hosts on the server I'm trying to connect to, it
> > should allow me in.  Right?  I've tried all 3 at the same time, then
> > separately, and nothing.  I've also tried generating new keys, that didn't
> > work either.
> >
> > Yes, I have HostbasedAuthentication set to yes in /etc/ssh/sshd_config on
> > the server I'm connecting to.
> >
> > I do have HostbasedAuthentication set to yes in /etc/ssh/ssh_config on the
> > client I'm coming from.
> >
> > I also have an /etc/ssh/shosts.equiv file on the server.
> >
> > My DNS is set up correctly on both systems, there are no problems doing a
> > reverse lookup on either box.  I am using fully qualified hostnames, but
> > I removed them from the debug output for security reasons.
> >
> > I have double checked my keys in /etc/ssh/ssh_known_hosts, they are not
> > mangled.
> >
> > Is there anyone on this planet that actually has sshv2 hostbased
> > authentication working in openssh 3.5?  I see numerous posts about it, and
> > I cannot seem to get it working.
> >
> > Perhaps this should be in the FAQ?
> >
> > Can anyone help?  thanks
> >
> > Jason
> >
> >
> >
> > _______________________________________________
> > openssh-unix-dev mailing list
> > openssh-unix-dev at mindrot.org
> > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
> >
> 
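
The rule from Philippe's reply, written out as a small diagnostic. This is an added example, not part of the original thread and not OpenSSH source: the function names, sample host name and file contents are constructed, and only plain "host [user]" lines are modelled (no +/- entries or netgroups).

```python
# Added example: simplified model of which trust files sshd consults for
# hostbased authentication, following the reply above. Not OpenSSH code.

def parse_sshd_config(text):
    """Return {keyword: value}; keywords are case-insensitive, first value wins."""
    opts = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            opts.setdefault(parts[0].lower(), parts[1].strip().lower())
    return opts

def host_listed(trust_text, chost, cuser, target_user):
    """True if a plain 'host [user]' line admits cuser@chost."""
    for line in trust_text.splitlines():
        fields = line.split()
        if not fields or fields[0][0] in "#+-":
            continue  # comments and +/- entries are not modelled here
        allowed_user = fields[1] if len(fields) > 1 else target_user
        if fields[0].lower() == chost.lower() and allowed_user == cuser:
            return True
    return False

def diagnose(config_text, files, target_user, target_uid, home, chost, cuser):
    """files maps path -> contents (constructed stand-in for the server's disk)."""
    opts = parse_sshd_config(config_text)
    if opts.get("hostbasedauthentication", "no") != "yes":
        return "denied: HostbasedAuthentication is not enabled"
    consulted = []
    if target_uid != 0:  # root logins skip the system-wide equiv files
        consulted += ["/etc/hosts.equiv", "/etc/ssh/shosts.equiv"]
    if opts.get("ignorerhosts", "yes") == "no":  # per-user files need this
        consulted += [home + "/.shosts", home + "/.rhosts"]
    for path in consulted:
        if path in files and host_listed(files[path], chost, cuser, target_user):
            return "trusted via " + path
    return "denied: no entry in " + (", ".join(consulted) or "any file (none consulted)")

# Constructed sample input: the setup described in the original question.
SAMPLE_CONFIG = "HostbasedAuthentication yes\nIgnoreRhosts yes\n"
SAMPLE_FILES = {"/etc/ssh/shosts.equiv": "client.example.org\n"}

if __name__ == "__main__":
    print(diagnose(SAMPLE_CONFIG, SAMPLE_FILES, "root", 0, "/root",
                   "client.example.org", "root"))
    print(diagnose(SAMPLE_CONFIG, SAMPLE_FILES, "jason", 1000, "/home/jason",
                   "client.example.org", "jason"))
```

This model covers only the trust-file step; the client host key must still match an entry in /etc/ssh/ssh_known_hosts on the server, as discussed in the thread.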