OpenSSH_6.7p1 hostbased authentication failing on linux->linux connection. what's wrong with my config?

grantksupport at operamail.com
Sat Jan 10 09:03:02 AEDT 2015


Hi,

On Fri, Jan 9, 2015, at 01:40 PM, Iain Morgan wrote:
> So, that indicates that you have a problem with your client setup. Since
> you are trying to use ssh from /usr/local/bin, I take it that it is a
> local build. As such, some of the files may not be properly located.

Yes.  Built as

	./configure \
	 --prefix="/usr/local" \
	 --sysconfdir="/usr/local/etc/ssh" \
	 --libdir="/usr/local/lib64" \
	 --with-ssl-dir="/usr/local/ssl" \
	 --with-md5-passwords \
	 --with-xauth=/usr/bin/xauth \
	 --with-pam


> You can check the location of the ssh-keysign binary by running strings
> on the ssh executable and grep'ing for ssh-keysign. I expect that it
> will be /usr/local/libexec/ssh-keysign. Make sure that it is setuid
> root.

ls -al $( strings `which ssh` | grep ssh-keysign )
	-rwsr-xr-x+ 1 root root 459K Oct 11 06:51 /usr/local/libexec/ssh-keysign*

> You can then run strings on the ssh-keysign executable and grep for
> ssh_host ed25519 to confirm the expected location for the host key. Make
> sure that the key can be found in the expected location, and that the
> public key is world-readable, but that the private key is readable only
> by root.

	strings /usr/local/libexec/ssh-keysign | grep ssh_host | grep ed25519
		/usr/local/etc/ssh/ssh_host_ed25519_key

That's NOT the name/location of the key.

On the client

	grep Identity /usr/local/etc/ssh/ssh_config
		IdentityFile /usr/local/etc/ssh/ssh.client.ed25519

and on the server

	grep HostKey /usr/local/etc/ssh/sshd_config
		HostKey  /usr/local/etc/ssh/ssh.server.ed25519

As reported above

	client

		ls -al /usr/local/etc/ssh/ssh.client.ed25519*
			-rw-------+ 1 root root 517 May  9  2014 /usr/local/etc/ssh/ssh.client.ed25519
			-rw-r--r--+ 1 root root 107 May  9  2014 /usr/local/etc/ssh/ssh.client.ed25519.pub


	server

		ls -al /usr/local/etc/ssh/ssh.server.ed25519*
			-rw-------+ 1 root root 464 May 10  2014 /usr/local/etc/ssh/ssh.server.ed25519
			-rw-r--r--+ 1 root root 107 May 10  2014 /usr/local/etc/ssh/ssh.server.ed25519.pub

With pubkey/password these keys work as expected.


> Note, if you do not see a reference to ssh_host_ed25519 in the above
> strings output, the ssh-keysign executable is from an older distribution
> that does not support ED25519.

My 'locally installed' openssh is

	ssh -V
		OpenSSH_6.7p1, OpenSSL 1.0.1j 15 Oct 2014

The distro's ssh -- not used by me, but not removable -- is

	/usr/bin/ssh -V
		OpenSSH_6.6.1p1, OpenSSL 1.0.1j-fips 15 Oct 2014


> Given that possibility, you might try adding the ECDSA key for the
> client to the ssh_known_hosts file on the server.

It already is.
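The checks quoted above (the host-key path compiled into ssh-keysign, the setuid-root bit on the binary, and whether the configured key actually sits at that path) as a small POSIX shell script to run on the client host, whose host key ssh-keysign signs with. This is an added example, not code from the thread or from OpenSSH; it assumes that ssh-keysign opens only the ssh_host_*_key paths baked in at build time and never reads HostKey from sshd_config, and it uses grep -a in place of strings(1) so binutils is not required.

```shell
#!/bin/sh
# Added example, not from the thread: does the HostKey configured in sshd_config
# sit where ssh-keysign will actually look? ssh-keysign opens the host-key paths
# compiled in at build time (the ssh_host_*_key names), not the HostKey lines.

# Print the host-key paths embedded in an ssh-keysign binary, one per line.
# grep -a stands in for strings(1), so binutils is not required.
keysign_hostkey_paths() {
    grep -a -o '/[[:alnum:]_./-]*ssh_host_[[:alnum:]_]*_key' "$1" | sort -u
}

# Print the HostKey paths from an sshd_config (keyword is case-insensitive,
# comment and blank lines are skipped).
configured_hostkeys() {
    awk 'tolower($1) == "hostkey" { print $2 }' "$1"
}

# Report each configured HostKey that ssh-keysign would never open.
# Returns 0 when every configured key lives at a compiled-in path, else 1.
hostkey_mismatches() {
    bin=$1; conf=$2; rc=0
    compiled=$(keysign_hostkey_paths "$bin")
    for key in $(configured_hostkeys "$conf"); do
        if ! printf '%s\n' "$compiled" | grep -qxF -- "$key"; then
            echo "MISMATCH: $key is configured but not compiled into $bin"
            rc=1
        fi
    done
    return $rc
}

# ssh-keysign reads the root-only private host key on behalf of an unprivileged
# user, so it must be owned by root and carry the setuid bit (-rws...).
keysign_is_setuid_root() {
    [ -u "$1" ] && [ "$(ls -ld "$1" | awk '{ print $3 }')" = root ]
}

# Usage: sh check_keysign.sh /usr/local/libexec/ssh-keysign /usr/local/etc/ssh/sshd_config
if [ $# -eq 2 ]; then
    keysign_is_setuid_root "$1" || echo "WARNING: $1 is not setuid root"
    hostkey_mismatches "$1" "$2" && echo "OK: all configured HostKeys are compiled into $1"
fi
```

Run against the paths in the thread, the configured ssh.server.ed25519 key would be reported as a mismatch against the compiled-in ssh_host_ed25519_key path; renaming or symlinking the key to the compiled-in name is what the check points at.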

