OpenSSH_6.7p1 hostbased authentication failing on linux->linux connection. what's wrong with my config?
Iain Morgan
imorgan at nas.nasa.gov
Sat Jan 10 08:40:48 AEDT 2015
On Fri, Jan 09, 2015 at 12:22:00 -0800, grantksupport at operamail.com wrote:
> @client
>
> as root (as before)
>
> ssh server.DOMAIN.COM
> Permission denied (hostbased).
>
> instead, as my user, fails differently for some reason,
>
> ssh server.DOMAIN.COM
> ...
> no matching hostkey found for key ED25519 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
> ssh_keysign: no reply
> key_sign failed
> Permission denied (hostbased).
>
So, that indicates that you have a problem with your client setup. Since
you are trying to use ssh from /usr/local/bin, I take it that it is a
local build. As such, some of the files may not be properly located.

You can check the location of the ssh-keysign binary by running strings
on the ssh executable and grep'ing for ssh-keysign. I expect that it
will be /usr/local/libexec/ssh-keysign. Make sure that it is setuid
root.

You can then run strings on the ssh-keysign executable and grep for
ssh_host_ed25519 to confirm the expected location for the host key. Make
sure that the key can be found in the expected location, and that the
public key is world-readable, but that the private key is readable only
by root.

Note, if you do not see a reference to ssh_host_ed25519 in the above
strings output, the ssh-keysign executable is from an older distribution
that does not support ED25519.

Given that possibility, you might try adding the ECDSA key for the
client to the ssh_known_hosts file on the server.
--
Iain Morgan
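
The client-side checks described in the reply above, collected into one script as an added example (not part of the original message and not OpenSSH's own code). The function names and the optional uid argument are assumptions for illustration, and `grep -a -o` stands in for `strings | grep`.

```shell
#!/bin/sh
# Added example: client-side hostbased-auth checks from the reply above.
# Function names and the optional uid argument are illustrative assumptions.

# Print absolute paths ending in $2 that are embedded in binary $1
# (same idea as `strings "$1" | grep "$2"`).
embedded_path() {
    LC_ALL=C grep -a -o "/[[:alnum:]_./-]*$2" "$1" 2>/dev/null | sort -u
}

# True if $1 is setuid and owned by uid $2 (default 0 = root).
is_setuid_owned() {
    [ -n "$(find "$1" -maxdepth 0 -perm -4000 -user "${2:-0}" 2>/dev/null)" ]
}

# True if private key $1 is owned by uid $2 (default 0) with no group/other
# read bit, and its .pub companion is world-readable.
key_perms_ok() {
    [ -n "$(find "$1" -maxdepth 0 -user "${2:-0}" ! -perm -040 ! -perm -004 2>/dev/null)" ] &&
    [ -n "$(find "$1.pub" -maxdepth 0 -perm -004 2>/dev/null)" ]
}

# Run the whole checklist against ssh binary $1; return 0 only if every step passes.
audit_hostbased_client() {
    ssh_bin=$1 uid=${2:-0} rc=0
    keysign=$(embedded_path "$ssh_bin" ssh-keysign | head -n 1)
    [ -n "$keysign" ] || { echo "FAIL: no ssh-keysign path in $ssh_bin"; return 1; }
    echo "ssh-keysign expected at: $keysign"
    is_setuid_owned "$keysign" "$uid" ||
        { echo "FAIL: $keysign is missing or not setuid uid $uid"; rc=1; }
    key=$(embedded_path "$keysign" ssh_host_ed25519_key | head -n 1)
    if [ -z "$key" ]; then
        echo "FAIL: $keysign has no ssh_host_ed25519 reference (no ED25519 support)"
        return 1
    fi
    echo "ED25519 host key expected at: $key"
    key_perms_ok "$key" "$uid" ||
        { echo "FAIL: check owner/mode of $key and $key.pub"; rc=1; }
    return $rc
}
```

After sourcing the file, run `audit_hostbased_client /usr/local/bin/ssh` on the client; the second argument exists only so the checks can be exercised against files not owned by root.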