OpenSSH_6.7p1 hostbased authentication failing on linux->linux connection. what's wrong with my config?

Iain Morgan imorgan at
Sat Jan 10 08:02:55 AEDT 2015

On Fri, Jan 09, 2015 at 12:07:38 -0800, grantksupport at wrote:
> Hi,
> On Fri, Jan 9, 2015, at 10:48 AM, Tim Rice wrote:
> > My ssh_config has
> > Host *
> >   HostbasedAuthentication yes
> >   EnableSSHKeysign yes
> >   NoHostAuthenticationForLocalhost yes
> > 
> > NoHostAuthenticationForLocalhost is not necessary.
> > The one you are missing is EnableSSHKeysign.
> > 
> > Additionally, you made no mention of your ssh_known_hosts files. Make
> > sure the client's public keys are in the server's ssh_known_hosts file.
> On Fri, Jan 9, 2015, at 11:40 AM, Iain Morgan wrote:
> > To begin with, don't complicate the situation by requiring two forms of
> > authentication before you've gotten a single form of authentication
> > working. In addition, root is too much of a special case for useful
> > debugging; try your tests as a regular user.
> > 
> > As Tim Rice noted, you will need to set EnableSSHKeysign in the
> > system-wide client configuration for hostbased authentication to work
> > for non-root users.
> I edited configs to
> 	client ssh_config
> 		...
> -		PreferredAuthentications           hostbased,publickey
> +		PreferredAuthentications           hostbased
> 		HostbasedAuthentication            yes
> 		PubkeyAuthentication               yes
> +		PubkeyAuthentication               no
> 		PasswordAuthentication             no
> 		...
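Review bot: the client-side hunk leaves two conflicting PubkeyAuthentication lines in ssh_config: the original `PubkeyAuthentication yes` is kept (no `-` line) and `PubkeyAuthentication no` is added after it, and because ssh uses the first value it obtains for an option, the `yes` still takes effect; if the intent is to disable it, replace the existing line rather than appending. Also, narrowing `PreferredAuthentications` to `hostbased` while pubkey is meant to be off leaves no second method to log in with, so a `ssh -v` session has no way to show the server-side reason hostbased failed; leave the default while debugging.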

I suppose I wasn't specific enough; I was recommending that you should
first get each of the two authentication methods working separately
before you set AuthenticationMethods in sshd_config to require both
hostbased and public-key authentication. While you are debugging your
issue, I would recommend leaving PreferredAuthentications at the default
and leaving the various authentication methods enabled.

When you invoke ssh with the -v option and an authentication method
(such as hostbased authentication) fails, the client can display some
diagnostic information from the server -- provided that you are able to
successfully authenticate by some other method, such as public-key.

> 		EnableSSHKeysign                   yes      (note: this had already been 'in there' --- just further down in the config)
> 		...
> 	server sshd_config
> 		...
> -		AuthenticationMethods              hostbased,publickey
> +		AuthenticationMethods              hostbased
> 		HostbasedAuthentication            yes
> -		HostbasedUsesNameFromPacketOnly    yes
> +		#HostbasedUsesNameFromPacketOnly    yes
> -		PubkeyAuthentication               yes
> +		PubkeyAuthentication               no
> 		PasswordAuthentication             no
> 		...
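Review bot: with `HostbasedUsesNameFromPacketOnly yes` commented out, sshd matches the name it resolves from the client's IP address, not the name sent in the client's packet, so the shosts.equiv entry and the ssh_known_hosts entry must both match that resolved name (normally the client's fully-qualified hostname); keep that in mind when checking the "name the server associates with the client's IP". Separately, switching `PubkeyAuthentication` to `no` on the server removes the fallback method that would let `ssh -v` display the server's diagnostics for the hostbased failure; leave it at `yes` while debugging and restore `AuthenticationMethods hostbased,publickey` only once hostbased works on its own.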
> I already have the server's key in the known hosts file on the client.

But, for hostbased authentication, the _server_ must have the key for
the _client_ in the ssh_known_hosts file (or potentially in the user's
~/.ssh/known_hosts file).
> @ client
> 	cat ssh_config
> 		...
> 		GlobalKnownHostsFile /usr/local/etc/ssh/ssh_known_hosts
> 		UserKnownHostsFile   /usr/local/etc/ssh/ssh_known_hosts
> 		...
> 	ssh-keyscan -t ed25519 server.DOMAIN.COM >> /usr/local/etc/ssh/ssh_known_hosts
> and @server
> 	ssh-keyscan -t ed25519 client.DOMAIN.COM >> /usr/local/etc/ssh/ssh_known_hosts
> with all of the above, the hostbased auth connect still fails just as before,
> 	ssh server.DOMAIN.COM
> 		...
> 		Permission denied (hostbased).

You may want to check that you are using the right location for your
shosts.equiv and that the ssh-keysign binary is setuid root (assuming
that you are now trying as a regular user). 

Damien recently added some additional debugging messages for hostbased
authentication, so if you continue to have problems you could try
building a recent snapshot for the server.

Hostbased authentication can be a bit thorny to get right since it
depends upon multiple files being correct. Try to keep things simple
initially to avoid unnecessary complications: Only change those options
in the client and server that are necessary to enable hostbased
authentication. Make sure that you are using the right location for the
shosts.equiv file and that the entry in the file matches the hostname
(usually the fully-qualified hostname) that the client uses. The server
must have the clients public-key in the ssh_known_hosts file, and the
name must also match the client.

In most cases, problems with hostbased authentication end up being due
to either a typo or an inconsistency between the name claimed by the
client and the name that the server associates with the client's IP.

Iain Morgan
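The checks described in the reply above (the name sshd resolves for the client's address, the shosts.equiv entry, the client's host key in ssh_known_hosts, and a setuid-root ssh-keysign) can be exercised offline. The script below is an added example and is not code from this thread or from OpenSSH; the hosts, shosts.equiv and ssh_known_hosts contents it creates are constructed sample data, the hosts(5)-style file stands in for reverse DNS, and the ssh-keysign paths it probes are assumed common install locations.

```shell
#!/bin/sh
# Added example (not from this thread or from OpenSSH): offline checks of the
# server-side pieces hostbased authentication depends on. Sample file contents
# and hostnames below are constructed; the ssh-keysign locations probed at the
# end are an assumption about common install paths.

# Name sshd matches when HostbasedUsesNameFromPacketOnly is "no" (the default):
# the name resolved from the client's address. A hosts(5)-style file replaces
# reverse DNS here so the demo runs offline.
# hb_name_for_addr HOSTSFILE ADDR -> prints the canonical name, rc 1 if unmapped
hb_name_for_addr() {
    awk -v a="$2" '
        /^#/ || NF < 2 { next }
        $1 == a        { print $2; found = 1; exit }
        END            { exit found ? 0 : 1 }' "$1"
}

# hb_check_equiv EQUIVFILE HOSTNAME -> 0 if HOSTNAME is trusted for all users
# (host-only lines; lines naming a user or a +@netgroup are not handled here)
hb_check_equiv() {
    awk -v h="$2" '
        /^#/ || NF == 0   { next }
        { n = $1; sub(/^[+-]/, "", n) }
        NF == 1 && n == h { found = 1 }
        END               { exit found ? 0 : 1 }' "$1"
}

# hb_check_known_hosts KHFILE HOSTNAME -> 0 if some key line lists HOSTNAME
# (plain or comma-separated names as ssh-keyscan writes them; hashed |1| lines
# cannot be matched by name and are simply not matched)
hb_check_known_hosts() {
    awk -v h="$2" '
        /^#/ || NF < 3 { next }
        { f = ($1 ~ /^@/) ? $2 : $1        # skip an @cert-authority/@revoked marker
          c = split(f, names, ",")
          for (i = 1; i <= c; i++) if (names[i] == h) found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# hb_check_keysign PATH -> 0 if ssh-keysign at PATH is setuid root, which a
# non-root user needs so the client can sign with the host's private key
hb_check_keysign() {
    [ -n "$(find "$1" -prune -perm -4000 -user root 2>/dev/null)" ]
}

# hb_diagnose HOSTSFILE EQUIVFILE KHFILE ADDR CLAIMED
# Reports each inconsistency between the name the client claims, the name the
# server resolves for ADDR, shosts.equiv and ssh_known_hosts; rc 0 if consistent.
hb_diagnose() {
    hostsfile=$1 equiv=$2 kh=$3 addr=$4 claimed=$5 rc=0
    name=$(hb_name_for_addr "$hostsfile" "$addr") || {
        echo "no reverse mapping for $addr: sshd cannot match any shosts.equiv entry"
        return 1
    }
    [ "$name" = "$claimed" ] || {
        echo "name mismatch: client claims $claimed, server resolves $addr to $name"
        rc=1
    }
    hb_check_equiv "$equiv" "$name" || { echo "$name is not listed in $equiv"; rc=1; }
    hb_check_known_hosts "$kh" "$name" || { echo "no host key for $name in $kh"; rc=1; }
    return $rc
}

# Demo with constructed data: a client at 192.0.2.10 (documentation range)
# whose fully-qualified name is client.example.com.
hb_demo() {
    d=$(mktemp -d)
    printf '192.0.2.10 client.example.com client\n' > "$d/hosts"
    printf 'client.example.com\n' > "$d/shosts.equiv"
    # placeholder key data, not a real key
    printf 'client.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYDATA\n' \
        > "$d/ssh_known_hosts"

    echo "== consistent configuration"
    hb_diagnose "$d/hosts" "$d/shosts.equiv" "$d/ssh_known_hosts" 192.0.2.10 client.example.com \
        && echo "ok: the hostbased checks would pass"

    echo "== short name in shosts.equiv (a typical typo)"
    printf 'client\n' > "$d/shosts.equiv"
    hb_diagnose "$d/hosts" "$d/shosts.equiv" "$d/ssh_known_hosts" 192.0.2.10 client.example.com \
        || echo "=> Permission denied (hostbased) would follow"

    echo "== client claims a name that does not match its reverse mapping"
    printf 'client.example.com\n' > "$d/shosts.equiv"
    hb_diagnose "$d/hosts" "$d/shosts.equiv" "$d/ssh_known_hosts" 192.0.2.10 client.internal \
        || echo "=> hostbased would fail"

    echo "== ssh-keysign setuid check (assumed common locations)"
    for p in /usr/lib/openssh/ssh-keysign /usr/libexec/openssh/ssh-keysign \
             /usr/libexec/ssh-keysign /usr/local/libexec/ssh-keysign; do
        [ -e "$p" ] || continue
        if hb_check_keysign "$p"; then echo "$p: setuid root"; else echo "$p: NOT setuid root"; fi
    done
    rm -rf "$d"
}

hb_demo
```

To apply it to a real server, point hb_diagnose at the actual shosts.equiv and ssh_known_hosts, use the name `getent hosts <client address>` returns in place of the hosts file lookup, and supply the name the client actually sends (its own FQDN when `HostbasedUsesNameFromPacketOnly` is set, otherwise the reverse-resolved one); a mismatch between those two names is the inconsistency the reply above describes.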
