OpenSSH_6.7p1 hostbased authentication failing on linux->linux connection. what's wrong with my config?
grantksupport at operamail.com
Sat Jan 10 08:00:10 AEDT 2015
Hi
On Fri, Jan 9, 2015, at 12:34 PM, Mark Hahn wrote:
> >> The one you are missing is EnableSSHKeysign.
>
> I suppose it's worth asking: is your ssh-keysign suid root
> (and are the permissions on your host keys sufficiently tight)?
Note that everything works correctly with other auth methods: pubkey, password, ...
I suspect key perms issues would've come up there.
Here are also the ssh-keysign perms
client
ls -al /usr/local/libexec/ssh-keysign
-rwsr-xr-x+ 1 root root 459K Oct 11 06:51 /usr/local/libexec/ssh-keysign*
ls -al /usr/local/etc/ssh/ssh.client.ed25519*
-rw-------+ 1 root root 517 May 9 2014 /usr/local/etc/ssh/ssh.client.ed25519
-rw-r--r--+ 1 root root 107 May 9 2014 /usr/local/etc/ssh/ssh.client.ed25519.pub
server
ls -al /usr/local/libexec/ssh-keysign
-rwsr-xr-x+ 1 root root 455K Oct 11 06:51 /usr/local/libexec/ssh-keysign*
ls -al /usr/local/etc/ssh/ssh.server.ed25519*
-rw-------+ 1 root root 464 May 10 2014 /usr/local/etc/ssh/ssh.server.ed25519
-rw-r--r--+ 1 root root 107 May 10 2014 /usr/local/etc/ssh/ssh.server.ed25519.pub
> > ssh-keyscan -t ed25519 server.DOMAIN.COM >> /usr/local/etc/ssh/ssh_known_hosts
>
> fine, though it's worth verifying that these are the files being used
> by the (non-default, right) sshd and ssh (client) that you're using.
I have
@ server
which sshd
/usr/local/sbin/sshd
systemctl status sshd
sshd.service - OpenSSH Daemon
Loaded: loaded (/etc/systemd/system/sshd.service; enabled)
Active: active (running) since Fri 2015-01-09 12:57:12 PST; 2s ago
Main PID: 21534 (sshd)
CGroup: /system.slice/sshd.service
├─ 4662 sshd: root at pts/0
├─ 4664 -bash
├─21534 /usr/local/sbin/sshd -D -f /usr/local/etc/ssh/sshd_config
└─21541 systemctl status sshd
ps ax | grep sshd_config
20989 ? Ss 0:00 /usr/local/sbin/sshd -D -f /usr/local/etc/ssh/sshd_config
and
@ client
which ssh
/usr/local/bin/ssh
ssh server.DOMAIN.COM -vvv
...
debug3: load_hostkeys: loading entries for host "server.DOMAIN.COM" from file "/usr/local/etc/ssh/ssh_known_hosts"
debug3: load_hostkeys: found key type ED25519 in file /usr/local/etc/ssh/ssh_known_hosts:2
debug3: load_hostkeys: loaded 1 keys
debug3: load_hostkeys: loading entries for host "server.DOMAIN.COM" from file "/usr/local/etc/ssh/ssh_known_hosts"
debug3: load_hostkeys: found key type ED25519 in file /usr/local/etc/ssh/ssh_known_hosts:2
debug3: load_hostkeys: loaded 1 keys
...
> > Permission denied (hostbased).
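The preconditions raised in the reply above (a setuid-root ssh-keysign, tightly permissioned host keys, and an ssh_config and ssh_known_hosts that the client actually consults) as a client-side preflight script. This is an added example, not code from the thread or from OpenSSH; the helper names, the argument layout and the optional OWNER override (for running the checks against a scratch directory as an unprivileged user) are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the thread): client-side preflight for OpenSSH
# hostbased authentication. Every path is a parameter so it can be pointed at
# the /usr/local prefix from the thread or at a scratch directory.
# owner_of FILE -> prints the owning user name (parses the ls -ld owner column)
owner_of() { ls -ld "$1" | awk '{ print $3 }'; }
# check_keysign BIN [OWNER] -> 0 if BIN is setuid and owned by OWNER (default
# root); ssh-keysign must be setuid root to read the private host key
check_keysign() {
    bin=$1 owner=${2:-root}
    [ -f "$bin" ] || { echo "missing: $bin"; return 1; }
    [ -n "$(find "$bin" -perm -4000)" ] || { echo "not setuid: $bin"; return 1; }
    [ "$(owner_of "$bin")" = "$owner" ] || { echo "not owned by $owner: $bin"; return 1; }
}
# check_hostkey KEY -> 0 if group and other have no bits (mode 0600, as in the
# thread's ls output)
check_hostkey() {
    [ -f "$1" ] || { echo "missing: $1"; return 1; }
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ] || { echo "loose perms: $1"; return 1; }
}
# config_has FILE KEYWORD VALUE -> 0 if an uncommented "KEYWORD VALUE" line
# exists (keywords are case-insensitive; Host blocks are not evaluated)
config_has() {
    awk -v k="$2" -v v="$3" '
        NF == 0 || /^[[:space:]]*#/ { next }
        tolower($1) == tolower(k) && tolower($2) == tolower(v) { found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}
# known_host FILE HOST -> 0 if a plain (unhashed) entry names HOST exactly;
# hashed entries (HashKnownHosts yes) are not matched by this helper
known_host() {
    awk -v h="$2" '
        NF == 0 || /^[[:space:]]*[#@]/ { next }
        { n = split($1, names, ","); for (i = 1; i <= n; i++) if (names[i] == h) found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}
# hostbased_preflight BIN KEY SSH_CONFIG KNOWN_HOSTS HOST [OWNER]
# -> prints one line per failed check and returns the number of failures
hostbased_preflight() {
    fails=0
    check_keysign "$1" "$6" || fails=$((fails + 1))
    check_hostkey "$2" || fails=$((fails + 1))
    config_has "$3" EnableSSHKeysign yes || { echo "EnableSSHKeysign not yes in $3"; fails=$((fails + 1)); }
    config_has "$3" HostbasedAuthentication yes || { echo "HostbasedAuthentication not yes in $3"; fails=$((fails + 1)); }
    known_host "$4" "$5" || { echo "$5 not in $4"; fails=$((fails + 1)); }
    return $fails
}
```

Run it against the thread's layout as `hostbased_preflight /usr/local/libexec/ssh-keysign /usr/local/etc/ssh/ssh.client.ed25519 /usr/local/etc/ssh/ssh_config /usr/local/etc/ssh/ssh_known_hosts server.DOMAIN.COM`; a zero exit means all five checks passed, and `ssh -vvv` remains the tool for the negotiation itself.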