OpenSSH_6.7p1 hostbased authentication failing on linux->linux connection. what's wrong with my config?

Iain Morgan imorgan at
Sat Jan 10 08:40:48 AEDT 2015

On Fri, Jan 09, 2015 at 12:22:00 -0800, grantksupport at wrote:
> @client
> as root (as before)
> 	ssh server.DOMAIN.COM
> 		Permission denied (hostbased).
> instead, as my user, fails differently for some reason,
> 	ssh server.DOMAIN.COM
> 		...
> 		no matching hostkey found for key ED25519 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
> 		ssh_keysign: no reply
> 		key_sign failed
> 		Permission denied (hostbased).

So, that indicates that you have a problem with your client setup. Since
you are trying to use ssh from /usr/local/bin, I take it that it is a
local build. As such, some of the files may not be properly located.

You can check the location of the ssh-keysign binary by running strings
on the ssh executable and grep'ing for ssh-keysign. I expect that it
will be /usr/local/libexec/ssh-keysign. Make sure that it is setuid

You can then run strings on the ssh-keysign executable and grep for
ssh_host ed25519 to confirm the expected location for the host key. Make
sure that the key can be found in the expected location, and that the
public key is world-readable, but that the private key is readable only
by root.

Note, if you do not see a reference to ssh_host_ed25519 in the above
strings output, the ssh-keysign executable is from an older distribution
that does not support ED25519.

Given that possibility, you might try adding the ECDSA key for the
client to the ssh_known_hosts file on the server.

Iain Morgan

More information about the openssh-unix-dev mailing list