OpenSSH_6.7p1 hostbased authentication failing on linux->linux connection. what's wrong with my config?
grantksupport at operamail.com
Sat Jan 10 08:50:25 AEDT 2015
Hi,
On Fri, Jan 9, 2015, at 01:02 PM, Iain Morgan wrote:
> I suppose I wasn't specific enough; I was recommending that you should
> first get each of the two authentication methods working separately
> before you set AuthenticationMethods in sshd_config to require both
> hostbased and public-key authentication. While you are debugging your
> issue, I would recommend leaving PreferredAuthentications at the default
> and leaving the various authentication methods enabled.
Sorry, perhaps I'm being thick. I don't get it.
pubkey auth works fine.
password auth works fine.
pubkey,password works fine.
hostbased &/or hostbased,anything_else does not.
What config would you like me to try?
> When you invoke ssh with the -v option and an authentication method
> (such as hostbased authentication) fails, the client can display some
> diagnostic information from the server -- provided that you are able to
> successfully authenticate by some other method, such as public-key
> authentication.
As above, if hostbased is enabled, NOTHING works.
> > I already have the server's key in the known hosts file on the client.
> >
>
> But, for hostbased authentication, the _server_ must have the key for
> the _client_ in the ssh_known_hosts file (or potentially in the user's
> ~/.ssh/known_hosts file).
I've now done @ both server & @client
ssh-keyscan -t ed25519 client.DOMAIN.COM > /usr/local/etc/ssh/ssh_known_hosts
ssh-keyscan -t ed25519 server.DOMAIN.COM >> /usr/local/etc/ssh/ssh_known_hosts
It makes no difference; failure as reported.
> You may want to check that you are using the right location for your
> shosts.equiv and that the ssh-keysign binary is setuid root (assuming
> that you are now trying as a regular user).
already done
man 5 sshd_config | grep shosts
Specifies whether or not the server will attempt to perform a reverse name lookup when matching the name in the ~/.shosts, ~/.rhosts, and /etc/hosts.equiv files during HostbasedAuthentication. A setting of “yes” means
Specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication.
---> /etc/hosts.equiv and /usr/local/etc/ssh/shosts.equiv are still used. The default is “yes”.
@ both server & client
cat /usr/local/etc/ssh/shosts.equiv
client.DOMAIN.COM
server.DOMAIN.COM
> Damien recently added some additional debugging messages for hostbased
> authentication, so if you continue to have problems you could try
> building a recent snapshot for the server.
how recently? these are tarball builds
-rw-rwxr--+ 1 root root 1.3M Oct 6 15:34 openssh-6.7p1.tar.gz*
newer than the release, I presume?
> Hostbased authentication can be a bit thorny to get right since it
> depends upon multiple files being correct. Try to keep things simple
> initially to avoid unnecessary complications: Only change those options
> in the client and server that are necessary to enable hostbased
> authentication.
I start with a KNOWN TO WORK pubkey,password config, then ONLY change to add the hostbased auth.
And then it fails.
Reverse JUST those changes, and it succeeds.
> make sure that you are using the right location for the
> shosts.equiv file and that the entry in the file matches the hostname
> (usually the fully-qualified hostname) that the client uses. The server
> must have the client's public key in the ssh_known_hosts file, and the
> name must also match the client.
all hostnames are FQDNs.
all have correct/verified forward & reverse DNS entries.
both IPv4 & IPv6 ssh, from any to all machines works using pubkey/password auth. In all cases, on all machines, hostbased auth fails, as above.
> In most cases, problems with hostbased authentication end up being due
> to either a typo or an inconsistency between the name claimed by the
> client and the name that the server associates with the client's IP
> address.
everything matches afaict
@ client
hostname
client.DOMAIN.COM
hostname -s
client
hostname -f
client.DOMAIN.COM
dig A `hostname` +short
192.168.1.65
dig AAAA `hostname` +short
xxxx:xxx:xxxx:xxx::65
host 192.168.1.65
65.1.168.192.in-addr.arpa domain name pointer client.DOMAIN.COM.
host xxxx:xxx:xxxx:xxx::65
65.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.1.0.0.2.ip6.arpa domain name pointer client.DOMAIN.COM.
dig A server.DOMAIN.COM +short
192.168.1.68
dig AAAA server.DOMAIN.COM +short
xxxx:xxx:xxxx:xxx::68
host 192.168.1.68
68.1.168.192.in-addr.arpa domain name pointer server.DOMAIN.COM.
host xxxx:xxx:xxxx:xxx::68
68.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.1.0.0.2.ip6.arpa domain name pointer server.DOMAIN.COM.
host client.DOMAIN.COM
client.DOMAIN.COM has address 192.168.1.65
client.DOMAIN.COM has IPv6 address xxxx:xxx:xxxx:xxx::65
host server.DOMAIN.COM
server.DOMAIN.COM has address 192.168.1.68
server.DOMAIN.COM has IPv6 address xxxx:xxx:xxxx:xxx::68
ssh-keyscan -t ed25519 client.DOMAIN.COM
# client.DOMAIN.COM SSH-2.0-OpenSSH_6.7
client.DOMAIN.COM ssh-ed25519 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ssh-keyscan -t ed25519 server.DOMAIN.COM
# server.DOMAIN.COM SSH-2.0-OpenSSH_6.7
server.DOMAIN.COM ssh-ed25519 BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
@ server
hostname
server.DOMAIN.COM
hostname -s
server
hostname -f
server.DOMAIN.COM
dig A `hostname` +short
192.168.1.68
dig AAAA `hostname` +short
xxxx:xxx:xxxx:xxx::68
host 192.168.1.68
68.1.168.192.in-addr.arpa domain name pointer server.DOMAIN.COM.
host xxxx:xxx:xxxx:xxx::68
68.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.1.0.0.2.ip6.arpa domain name pointer server.DOMAIN.COM.
dig A client.DOMAIN.COM +short
192.168.1.65
dig AAAA client.DOMAIN.COM +short
xxxx:xxx:xxxx:xxx::65
host 192.168.1.65
65.1.168.192.in-addr.arpa domain name pointer client.DOMAIN.COM.
host xxxx:xxx:xxxx:xxx::65
65.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.1.0.0.2.ip6.arpa domain name pointer desk.DOMAIN.COM.
host client.DOMAIN.COM
client.DOMAIN.COM has address 192.168.1.65
client.DOMAIN.COM has IPv6 address xxxx:xxx:xxxx:xxx::65
host server.DOMAIN.COM
server.DOMAIN.COM has address 192.168.1.68
server.DOMAIN.COM has IPv6 address xxxx:xxx:xxxx:xxx::68
ssh-keyscan -t ed25519 client.DOMAIN.COM
# client.DOMAIN.COM SSH-2.0-OpenSSH_6.7
client.DOMAIN.COM ssh-ed25519 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ssh-keyscan -t ed25519 server.DOMAIN.COM
# server.DOMAIN.COM SSH-2.0-OpenSSH_6.7
server.DOMAIN.COM ssh-ed25519 BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
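The three things Iain lists (the name the client claims vs. the name the server resolves for the client's IP, the shosts.equiv entry, and the client's host key in ssh_known_hosts) as one offline consistency check. This is an added example, not code from the thread or from OpenSSH; it mirrors sshd's default behaviour with HostbasedUsesNameFromPacketOnly set to no, and the sample files and PTR answers are constructed, including a reverse IPv6 lookup that resolves to a different name, as the server-side `host` output above does.

```python
"""Offline consistency check for OpenSSH hostbased-auth inputs (constructed sample data)."""

# Constructed stand-ins for /usr/local/etc/ssh/shosts.equiv and ssh_known_hosts (not the poster's files).
SHOSTS_EQUIV = "client.DOMAIN.COM\nserver.DOMAIN.COM\n"
SSH_KNOWN_HOSTS = (
    "# client.DOMAIN.COM SSH-2.0-OpenSSH_6.7\n"
    "client.DOMAIN.COM ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyClient\n"
    "server.DOMAIN.COM,192.168.1.68 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyServer\n"
)
# Constructed reverse-DNS answers as the server would obtain them; the IPv6 PTR deliberately
# names a different host, which sshd rejects with "userauth_hostbased mismatch".
PTR = {"192.168.1.65": "client.DOMAIN.COM", "2001:db8::65": "desk.DOMAIN.COM"}


def parse_shosts_equiv(text):
    """Hostnames listed in shosts.equiv, lower-cased; '+'/'-' netgroup forms are skipped."""
    names = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "+", "-")):
            names.add(line.split()[0].lower())
    return names


def parse_known_hosts(text):
    """Map each plain host pattern to the key types stored for it; hashed '|1|' entries are skipped."""
    keys = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or line.startswith("#") or fields[0].startswith("|1|"):
            continue
        marker = fields[0].startswith("@")          # @cert-authority / @revoked shift the fields by one
        hosts, ktype = (fields[1], fields[2]) if marker else (fields[0], fields[1])
        for h in hosts.lower().split(","):
            h = h[1:h.index("]")] if h.startswith("[") else h   # strip "[host]:port" form
            keys.setdefault(h, set()).add(ktype)
    return keys


def check_hostbased(claimed, client_ip, shosts, known, ptr):
    """Return the list of reasons sshd (default options) would refuse hostbased auth; empty means OK."""
    problems = []
    claimed = claimed.lower().rstrip(".")          # sshd strips the trailing dot the client sends
    resolved = ptr.get(client_ip, "").lower()      # name sshd resolves for the connecting IP
    if resolved != claimed:
        problems.append(f"name mismatch: client sends {claimed}, {client_ip} resolves to {resolved or '<none>'}")
    if claimed not in shosts:
        problems.append(f"{claimed} not listed in shosts.equiv")
    lookup = resolved or claimed                   # key is looked up under the resolved name
    if not known.get(lookup):
        problems.append(f"no host key for {lookup} in ssh_known_hosts")
    return problems
```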