OpenSSH_6.7p1 hostbased authentication failing on linux->linux connection. what's wrong with my config?
grantksupport at operamail.com
Sat Jan 10 09:03:02 AEDT 2015
Hi,
On Fri, Jan 9, 2015, at 01:40 PM, Iain Morgan wrote:
> So, that indicates that you have a problem with your client setup. Since
> you are trying to use ssh from /usr/local/bin, I take it that it is a
> local build. As such, some of the files may not be properly located.
Yes. Built as
./configure \
--prefix="/usr/local" \
--sysconfdir="/usr/local/etc/ssh" \
--libdir="/usr/local/lib64" \
--with-ssl-dir="/usr/local/ssl" \
--with-md5-passwords \
--with-xauth=/usr/bin/xauth \
--with-pam
> You can check the location of the ssh-keysign binary by running strings
> on the ssh executable and grep'ing for ssh-keysign. I expect that it
> will be /usr/local/libexec/ssh-keysign. Make sure that it is setuid
> root.
ls -al $( strings `which ssh` | grep ssh-keysign )
-rwsr-xr-x+ 1 root root 459K Oct 11 06:51 /usr/local/libexec/ssh-keysign*
> You can then run strings on the ssh-keysign executable and grep for
> ssh_host ed25519 to confirm the expected location for the host key. Make
> sure that the key can be found in the expected location, and that the
> public key is world-readable, but that the private key is readable only
> by root.
strings /usr/local/libexec/ssh-keysign | grep ssh_host | grep ed25519
/usr/local/etc/ssh/ssh_host_ed25519_key
That's NOT the name/location of the key.
On the client
grep Identity /usr/local/etc/ssh/ssh_config
IdentityFile /usr/local/etc/ssh/ssh.client.ed25519
and on the server
grep HostKey /usr/local/etc/ssh/sshd_config
HostKey /usr/local/etc/ssh/ssh.server.ed25519
As reported above
client
ls -al /usr/local/etc/ssh/ssh.client.ed25519*
-rw-------+ 1 root root 517 May 9 2014 /usr/local/etc/ssh/ssh.client.ed25519
-rw-r--r--+ 1 root root 107 May 9 2014 /usr/local/etc/ssh/ssh.client.ed25519.pub
server
ls -al /usr/local/etc/ssh/ssh.server.ed25519*
-rw-------+ 1 root root 464 May 10 2014 /usr/local/etc/ssh/ssh.server.ed25519
-rw-r--r--+ 1 root root 107 May 10 2014 /usr/local/etc/ssh/ssh.server.ed25519.pub
With pubkey/password these keys work as expected.
> Note, if you do not see a reference to ssh_host_ed25519 in the above
> strings output, the ssh-keysign executable is from an older distribution
> that does not support ED25519.
My 'locally installed' openssh is
ssh -V
OpenSSH_6.7p1, OpenSSL 1.0.1j 15 Oct 2014
the distro's ssh -- not used by me, but not removable -- is
/usr/bin/ssh -V
OpenSSH_6.6.1p1, OpenSSL 1.0.1j-fips 15 Oct 2014
> Given that possibility, you might try adding the ECDSA key for the
> client to the ssh_known_hosts file on the server.
It already is.
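Added example, not code from this thread or from OpenSSH itself: a client-side checklist that scripts the items Iain Morgan's reply asks for. It pulls the ssh-keysign path out of the ssh binary with strings, confirms the binary is setuid root, pulls the compiled-in host key path out of ssh-keysign, and checks that the private key is root-only and the public key world-readable. The default paths are the /usr/local build shown above; the script name and any other path are assumptions, and `strings` (binutils) must be installed.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenSSH: a hostbased-auth
# checklist for the client host, following the steps in Iain Morgan's reply.
# Default paths match the /usr/local build described in the thread.

# Octal permission bits of a file, e.g. 600 or 4755 (GNU stat, BSD fallback).
perm_octal() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Owner name of a file.
owner_of() {
    stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"
}

# A private host key must be readable by its owner only (0600 or 0400).
private_key_mode_ok() {
    case "$(perm_octal "$1")" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# A public host key needs the "other" read bit: the unprivileged ssh client
# reads it to offer the host key to the server.
public_key_mode_ok() {
    mode=$(perm_octal "$1")
    [ -n "$mode" ] || return 1
    other=${mode#"${mode%?}"}          # last octal digit = rwx for "other"
    [ $(( other & 4 )) -eq 4 ]
}

# Path of ssh-keysign compiled into an ssh binary (the strings trick above).
keysign_path() {
    strings "$1" | grep '/ssh-keysign$' | head -n 1
}

# Host key path compiled into ssh-keysign for a key type such as ed25519.
# ssh-keysign reads this compiled-in path; the HostKey line in sshd_config
# does not redirect it, which is why a renamed key is not found.
keysign_hostkey_path() {
    strings "$1" | grep "/ssh_host_$2_key$" | head -n 1
}

# Run the checklist. Prints findings and returns 1 at the first failure.
check_hostbased_client() {
    ssh_bin=${1:-/usr/local/bin/ssh}
    keytype=${2:-ed25519}

    ks=$(keysign_path "$ssh_bin")
    [ -n "$ks" ] || { echo "no ssh-keysign path found in $ssh_bin"; return 1; }
    echo "ssh-keysign: $ks"
    if [ -f "$ks" ] && [ "$(owner_of "$ks")" = root ] && [ -u "$ks" ]; then
        echo "  setuid root: yes"
    else
        echo "  setuid root: NO"; return 1
    fi

    key=$(keysign_hostkey_path "$ks" "$keytype")
    [ -n "$key" ] || { echo "  no $keytype key path in $ks (build too old for $keytype?)"; return 1; }
    echo "expected host key: $key"
    [ -f "$key" ] || { echo "  MISSING: ssh-keysign looks only at this exact path"; return 1; }
    if [ "$(owner_of "$key")" = root ] && private_key_mode_ok "$key"; then
        echo "  private key: root, mode $(perm_octal "$key")"
    else
        echo "  private key: wrong owner or mode ($(owner_of "$key") $(perm_octal "$key"))"; return 1
    fi
    if public_key_mode_ok "$key.pub"; then
        echo "  public key: world-readable"
    else
        echo "  public key: not world-readable (mode $(perm_octal "$key.pub"))"; return 1
    fi
    echo "client side consistent; next check ssh_known_hosts on the server"
}

# Usage (assumed script name): sh hostbased_check.sh /usr/local/bin/ssh ed25519
if [ -n "${1:-}" ]; then
    check_hostbased_client "$@"
fi
```

Run it as root on the client, since the private key is only readable by root. In the situation described in this thread the third step is the one that fails: strings reports `/usr/local/etc/ssh/ssh_host_ed25519_key`, while the key actually installed is `/usr/local/etc/ssh/ssh.client.ed25519`, so ssh-keysign has nothing to sign with even though pubkey and password logins with the same key pair work.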