OpenSSH_6.7p1 hostbased authentication failing on linux->linux connection. what's wrong with my config?

Iain Morgan imorgan at nas.nasa.gov
Sat Jan 10 09:26:41 AEDT 2015


On Fri, Jan 09, 2015 at 13:00:10 -0800, grantksupport at operamail.com wrote:
> Hi
> 
> On Fri, Jan 9, 2015, at 12:34 PM, Mark Hahn wrote:
> > >> The one you are missing is EnableSSHKeysign.
> > 
> > I suppose it's worth asking: is your ssh-keysign suid root
> > (and are the permissions on your host keys sufficiently tight)?
> 
> Note that everything works correctly with other auth methods: pubkey, password, ...
> I suspect key perms issues would've come up there.

Not so, only hostbased authentication uses the client's host keys, and
it is likewise the only method that uses ssh-keysign. Further,
ssh-keysign is only used for non-root users.

> 
> Here's also the ssh-keysign perms
> 
> 	client
> 
> 		ls -al /usr/local/libexec/ssh-keysign
> 			-rwsr-xr-x+ 1 root root 459K Oct 11 06:51 /usr/local/libexec/ssh-keysign*
> 
> 		ls -al /usr/local/etc/ssh/ssh.client.ed25519*
> 			-rw-------+ 1 root root 517 May  9  2014 /usr/local/etc/ssh/ssh.client.ed25519
> 			-rw-r--r--+ 1 root root 107 May  9  2014 /usr/local/etc/ssh/ssh.client.ed25519.pub
> 

Err, those _should_ be ssh_host_ed25519 and ssh_host_ed25519.pub.
> 
> 	server
> 
> 		ls -al /usr/local/libexec/ssh-keysign
> 			-rwsr-xr-x+ 1 root root 455K Oct 11 06:51 /usr/local/libexec/ssh-keysign*
> 
> 		ls -al /usr/local/etc/ssh/ssh.server.ed25519*
> 			-rw-------+ 1 root root 464 May 10  2014 /usr/local/etc/ssh/ssh.server.ed25519
> 			-rw-r--r--+ 1 root root 107 May 10  2014 /usr/local/etc/ssh/ssh.server.ed25519.pub
> 

Renaming the keys in your output only serves to complicate matters for
those who are taking time to try to help you. Further, ssh-keysign plays
no role on the server and the server's keys are not a factor in the
problem you are facing.
> 
> > > 	ssh-keyscan -t ed25519 server.DOMAIN.COM >> /usr/local/etc/ssh/ssh_known_hosts
> > 
> > fine, though it's worth verifying that these are the files being used
> > by the (non-default, right) sshd and ssh (client) that you're using.
> 
> i have
> 
> 	@ server
> 
> 	which sshd
> 		/usr/local/sbin/sshd
> 
> 	systemctl status sshd
> 		sshd.service - OpenSSH Daemon
> 		   Loaded: loaded (/etc/systemd/system/sshd.service; enabled)
> 		   Active: active (running) since Fri 2015-01-09 12:57:12 PST; 2s ago
> 		 Main PID: 21534 (sshd)
> 		   CGroup: /system.slice/sshd.service
> 		           ├─ 4662 sshd: root at pts/0
> 		           ├─ 4664 -bash
> 		           ├─21534 /usr/local/sbin/sshd -D -f /usr/local/etc/ssh/sshd_config
> 		           └─21541 systemctl status sshd
> 
> 	ps ax | grep sshd_config
> 		20989 ?        Ss     0:00 /usr/local/sbin/sshd -D -f /usr/local/etc/ssh/sshd_config
> 
> and
> 
> 	@ client
> 
> 		which ssh
> 			/usr/local/bin/ssh
> 
> 		ssh server.DOMAIN.COM -vvv
> 			...
> 			debug3: load_hostkeys: loading entries for host "server.DOMAIN.COM" from file "/usr/local/etc/ssh/ssh_known_hosts"
> 			debug3: load_hostkeys: found key type ED25519 in file /usr/local/etc/ssh/ssh_known_hosts:2
> 			debug3: load_hostkeys: loaded 1 keys
> 			debug3: load_hostkeys: loading entries for host "server.DOMAIN.COM" from file "/usr/local/etc/ssh/ssh_known_hosts"
> 			debug3: load_hostkeys: found key type ED25519 in file /usr/local/etc/ssh/ssh_known_hosts:2
> 			debug3: load_hostkeys: loaded 1 keys
> 			...
> 
> > > 		Permission denied (hostbased).
> 
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

-- 
Iain Morgan
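A client-side preflight for the points raised in this thread (setuid ssh-keysign, host key naming and permissions, the EnableSSHKeysign/HostbasedAuthentication client options, and the ssh_known_hosts entry), as an added example that is not from the thread or from OpenSSH. It assumes the /usr/local paths and server.DOMAIN.COM from the thread and the ssh_host_<type>_key file names that ssh-keysign looks for; paths are passed as arguments so it can be run against a staged directory.

```shell
#!/bin/sh
# Client-side preflight for OpenSSH hostbased authentication. Added example,
# not part of the thread. Each check covers one point raised above; paths
# are passed as arguments so the script can be run against a staged directory.

# ssh-keysign must be setuid root: it reads the private host key on behalf
# of a non-root user. POSIX find: -perm -4000 = setuid bit, -user root = owner.
check_keysign() {
    [ -f "$1" ] || { echo "FAIL: $1 missing"; return 1; }
    [ -n "$(find "$1" -perm -4000 -user root 2>/dev/null)" ] \
        || { echo "FAIL: $1 is not setuid root"; return 1; }
}

# The private host key must use the ssh_host_<type>_key name ssh-keysign
# looks for, have its .pub beside it, and carry no group/other permission bits.
check_hostkey() {
    case "$(basename "$1")" in
        ssh_host_*_key) ;;
        *) echo "FAIL: $1 is not named ssh_host_<type>_key"; return 1 ;;
    esac
    [ -f "$1" ] && [ -f "$1.pub" ] || { echo "FAIL: $1 or $1.pub missing"; return 1; }
    # columns 5-10 of ls -l are the group and other permission characters
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ] \
        || { echo "FAIL: $1 is readable by group or other"; return 1; }
}

# ssh_config needs both keywords set to yes (keywords are case-insensitive,
# "key=value" is accepted, comment lines start with #). Host/Match scoping
# and first-match-wins semantics are not modelled here.
check_client_config() {
    for kw in HostbasedAuthentication EnableSSHKeysign; do
        awk -v k="$kw" '{ sub(/=/, " ") }
            tolower($1) == tolower(k) && tolower($2) == "yes" { f = 1 }
            END { exit !f }' "$1" \
            || { echo "FAIL: $kw yes not set in $1"; return 1; }
    done
}

# ssh_known_hosts must hold a key of the given type for the server. Only plain
# entries are parsed (field 1: comma-separated hosts, field 2: key type);
# hashed "|1|..." entries need ssh-keygen -F instead.
check_known_host() {
    awk -v h="$2" -v t="$3" '$1 !~ /^[#|@]/ {
            n = split($1, a, ","); for (i = 1; i <= n; i++) if (a[i] == h && $2 == t) f = 1 }
        END { exit !f }' "$1" \
        || { echo "FAIL: no $3 key for $2 in $1"; return 1; }
}
```

On the client from the thread the four calls would be `check_keysign /usr/local/libexec/ssh-keysign`, `check_hostkey /usr/local/etc/ssh/ssh_host_ed25519_key`, `check_client_config /usr/local/etc/ssh/ssh_config` and `check_known_host /usr/local/etc/ssh/ssh_known_hosts server.DOMAIN.COM ssh-ed25519`.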

