OpenSSH_6.7p1 hostbased authentication failing on linux->linux connection. what's wrong with my config?

grantksupport at operamail.com
Sat Jan 10 07:07:38 AEDT 2015


Hi,

On Fri, Jan 9, 2015, at 10:48 AM, Tim Rice wrote:
> My ssh_config has
> Host *
>   HostbasedAuthentication yes
>   EnableSSHKeysign yes
>   NoHostAuthenticationForLocalhost yes
> 
> NoHostAuthenticationForLocalhost is not necessary.
> The one you are missing is EnableSSHKeysign.
> 
> Additionally, you made no mention of your ssh_known_hosts files. Make
> sure the client's public keys are in the server's ssh_known_hosts file.


On Fri, Jan 9, 2015, at 11:40 AM, Iain Morgan wrote:
> To begin with, don't complicate the situation by requiring two forms of
> authentication before you've gotten a single form of authentication
> working. In addition, root is too much of a special case for useful
> debugging; try your tests as a regular user.
> 
> As Tim Rice noted, you will need to set EnableSSHKeysign in the
> system-wide client configuration for hostbased authentication to work
> for non-root users.

I edited configs to

	client ssh_config
		...
-		PreferredAuthentications           hostbased,publickey
+		PreferredAuthentications           hostbased
		HostbasedAuthentication            yes
		PubkeyAuthentication               yes
+		PubkeyAuthentication               no
		PasswordAuthentication             no
		...
		EnableSSHKeysign                   yes      (note: this had already been 'in there' --- just further down in the config)
		...
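
Review bot: the `PubkeyAuthentication yes` line in the client listing has no `-` marker, while `PubkeyAuthentication no` is added directly below it. If both lines are really in the file, ssh keeps the first value it obtains for an option, so `yes` stays in effect and the added `no` is ignored. Mark the old line as removed (or delete it) so the listing matches the config that was actually tested.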

	server sshd_config
		...
-		AuthenticationMethods              hostbased,publickey
+		AuthenticationMethods              hostbased
		HostbasedAuthentication            yes
-		HostbasedUsesNameFromPacketOnly    yes
+		#HostbasedUsesNameFromPacketOnly    yes
-		PubkeyAuthentication               yes
+		PubkeyAuthentication               no
		PasswordAuthentication             no
		...
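
Review bot: commenting out `HostbasedUsesNameFromPacketOnly yes` in the server listing returns sshd to its default of `no`, and the change is not explained. With the default, sshd resolves the client's name from the connection itself instead of using the name the client supplies, so the result of that reverse lookup has to be the name the server expects for the client. Say why the option was disabled, and confirm what name the server resolves for the client's address.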

I already have the server's key in the known hosts file on the client.

@ client

	cat ssh_config
		...
		GlobalKnownHostsFile /usr/local/etc/ssh/ssh_known_hosts
		UserKnownHostsFile   /usr/local/etc/ssh/ssh_known_hosts
		...

	ssh-keyscan -t ed25519 server.DOMAIN.COM >> /usr/local/etc/ssh/ssh_known_hosts

and @server

	ssh-keyscan -t ed25519 client.DOMAIN.COM >> /usr/local/etc/ssh/ssh_known_hosts

With all of the above, the hostbased auth connect still fails just as before,

	ssh server.DOMAIN.COM
		...
		Permission denied (hostbased).
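
An added example, not part of the original message or of OpenSSH: a small checker that applies ssh_config's "first obtained value wins" rule to a client config and reports later duplicates that are silently ignored. The sample text is constructed from the client listing above, read as if the unmarked `PubkeyAuthentication yes` line were still present; the function name `effective_options` is hypothetical, and only `Host` blocks are modelled (no `Match`, no `Include`).

```python
import fnmatch
import re

# Constructed sample: client ssh_config lines from the message, read as if the
# unmarked "PubkeyAuthentication yes" line were still in the file (assumption).
SAMPLE_SSH_CONFIG = """\
Host *
    PreferredAuthentications  hostbased
    HostbasedAuthentication   yes
    PubkeyAuthentication      yes
    PubkeyAuthentication      no
    PasswordAuthentication    no
    EnableSSHKeysign          yes
"""

# "Keyword value" or "Keyword=value", as ssh_config(5) allows.
OPTION_RE = re.compile(r"^(\w+)(?:\s*=\s*|\s+)(.*)$")

def effective_options(config_text, target_host):
    """Return ({option: value}, [(option, ignored_value, line_no)]).

    Simplified model of ssh_config(5): Host blocks with '*'/'?' patterns and
    '!' negation only. The first value obtained for an option is kept; any
    later value for the same option is recorded as ignored.
    """
    effective, ignored = {}, []
    active = True  # options before the first Host line apply to every host
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        match = OPTION_RE.match(line)
        if not match or line.startswith("#"):
            continue  # blank lines, comments, "..." placeholders
        key, value = match.group(1).lower(), match.group(2).strip()
        if key == "host":
            pats = value.split()
            hit = any(fnmatch.fnmatchcase(target_host, p) for p in pats if not p.startswith("!"))
            veto = any(fnmatch.fnmatchcase(target_host, p[1:]) for p in pats if p.startswith("!"))
            active = hit and not veto
        elif active:
            if key in effective:
                ignored.append((key, value, line_no))
            else:
                effective[key] = value
    return effective, ignored

if __name__ == "__main__":
    opts, dropped = effective_options(SAMPLE_SSH_CONFIG, "server.DOMAIN.COM")
    for name in ("hostbasedauthentication", "enablesshkeysign", "pubkeyauthentication"):
        print(f"{name} = {opts.get(name)}")
    for name, value, line_no in dropped:
        print(f"line {line_no}: '{name} {value}' is ignored, an earlier value wins")
```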


More information about the openssh-unix-dev mailing list