
I am having serious difficulty getting host based authentication working with ssh

From: Miller Brett <miller_brett(at)bah.com>
Date: Fri Feb 28 2003 - 15:37:15 EST


Please help (I will give you my first born child!! :) ), I have been working on getting host based authentication using .rhosts, .rhosts, hosts.equiv, shosts.equiv and nothing seems to be working correctly. I do not want to use RhostsAuthentication, not RhostsRSAAuthentication, I want ssh to function just like the "r" protocols. I have rsh and rlogin working great but for some reason I cannot get ssh to work like rsh or rlogin. I have searched the internet looking for posts on the subject and the others seem very straightforward but my setup will not work. My system is Debian 3.0 but I have also tried to get this working on a Red Hat box with the same results.

This is the auth log of sshd when I try to connect from another host. It seems like PAM always tries to authenticate through a password and does not allow the client to authenticate with a rhosts file. How do I tell PAM not to require a password for .rhosts authentication? I have tried to copy the /etc/pam.d/rlogin authentication method to the /etc/pam.d/ssh authentication page but it does not work. The cause may not be PAM but it seems like a possibility.

Any help would be greatly appreciated because I am getting cross-eyed looking at this. Thanks in advance.

Brett

sshd log
Feb 28 14:31:23 debian sshd[11796]: debug3: mm_request_receive entering
Feb 28 14:31:23 debian sshd[11796]: debug3: monitor_read: checking request 37
Feb 28 14:31:23 debian sshd[11796]: debug1: Starting up PAM with username "brett"
Feb 28 14:31:23 debian sshd[11796]: debug3: Trying to reverse map address 156.80.128.138.
Feb 28 14:31:23 debian sshd[11796]: debug1: PAM setting rhost to "nitrox.bah.com"
Feb 28 14:31:23 debian sshd[11796]: debug2: monitor_read: 37 used once, disabling now

Feb 28 14:31:23 debian sshd[11796]: debug3: mm_request_receive entering
Feb 28 14:31:23 debian sshd[11796]: debug3: monitor_read: checking request 3
Feb 28 14:31:23 debian sshd[11796]: debug3: mm_answer_authserv: service=ssh-connection, style=
Feb 28 14:31:23 debian sshd[11796]: debug2: monitor_read: 3 used once, disabling now
Feb 28 14:31:23 debian sshd[11796]: debug3: mm_request_receive entering
Feb 28 14:31:23 debian sshd[11796]: debug3: monitor_read: checking request 10
Feb 28 14:31:23 debian PAM_unix[11796]: authentication failure; (uid=0) -> brett for ssh service
Feb 28 14:31:24 debian sshd[10524]: debug2: channel 0: rcvd adjust 4784
Feb 28 14:31:25 debian sshd[11796]: debug1: PAM Password authentication for "brett" failed[7]: Authentication failure
Feb 28 14:31:25 debian sshd[11796]: debug3: mm_answer_authpassword: sending result 0
Feb 28 14:31:25 debian sshd[11796]: debug3: mm_request_send entering: type 11
Feb 28 14:31:25 debian sshd[11796]: Failed none for brett from 156.80.128.138 port 815 ssh2
Feb 28 14:31:25 debian sshd[11796]: debug3: mm_request_receive entering
Feb 28 14:31:25 debian sshd[11796]: debug1: Calling cleanup 0x8052b48(0x0)

ssh client log

debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: ssh_connect: needpriv 1
debug1: Connecting to test.bah.com [156.80.128.123] port 22.
debug1: Allocated local port 1022.
debug1: Connection established.
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.4p1 Debian 1:3.4p1-2
debug1: match: OpenSSH_3.4p1 Debian 1:3.4p1-2 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 125/256
debug1: bits set: 1573/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'test.bah.com' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:2
debug1: bits set: 1616/3191
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug1: no more auth methods to try
Permission denied (publickey,password,keyboard-interactive,hostbased).
debug1: Calling cleanup 0x8063a9c(0x0)
debian:/home/brett#

ssh config file
Host *
#EnableSSHKeysign "yes"

PreferredAuthentications host-based,password
RhostsAuthentication yes
RhostsRSAAuthentication yes
RSAAuthentication yes
PasswordAuthentication no
UsePrivilegedPort yes

sshd config file
Host *

                      xine-lib-0.9.12
iatf.eth                                     xine-lib-0.9.12.tar.gz
iatfnew.eth                                  xine-ui-0.9.12
install-crossover-plugin-1.1.2-demo.sh       xine-ui-0.9.12.tar.gz
ipsec.conf                                   xine_d4d_plugin-0.3.2
itt                                          xine_d4d_plugin-0.3.2.tar.gz
itt_scan_6_27                                xmmsarts.dpkg
kdiradm_0.2_i386.deb
debian:/home/brett# ssh -v brett@test.bah.com
OpenSSH_3.4p1 Debian 1:3.4p1-2, SSH protocols 1.5/2.0, OpenSSL 0x0090605f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: ssh_connect: needpriv 1
debug1: Connecting to test.bah.com [156.80.128.123] port 22.
debug1: Allocated local port 1021.
debug1: Connection established.
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.4p1 Debian 1:3.4p1-2
debug1: match: OpenSSH_3.4p1 Debian 1:3.4p1-2 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 129/256
debug1: bits set: 1555/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'test.bah.com' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:2
debug1: bits set: 1574/3191
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug1: no more auth methods to try
Permission denied (publickey,password,keyboard-interactive,hostbased).
debug1: Calling cleanup 0x8063a9c(0x0)
debian:/home/brett# vim /etc/ssh/sshd_config
Port 22
# Uncomment the next entry to accept IPv6 traffic.
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2,1
# HostKeys for protocol version 1
HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768
#PreferredAuthentications host-based
# Logging

SyslogFacility AUTH
LogLevel debug3

Received on Fri Feb 28 22:16:07 2003
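
An added example, not part of the original post: it replays the client's choice of authentication methods using the server offer from the client log and the ssh_config quoted in the message. It assumes OpenSSH's protocol 2 method names and ssh_config keywords; the function names parse_config and method_status are illustrative.

```python
# Added example. Server offer copied from the client log line
# "authentications that can continue"; config as posted in the message.
SERVER_OFFER = "publickey,password,keyboard-interactive,hostbased"
POSTED_CONFIG = """\
Host *
PreferredAuthentications host-based,password
RhostsAuthentication yes
RhostsRSAAuthentication yes
RSAAuthentication yes
PasswordAuthentication no
UsePrivilegedPort yes
"""

# Protocol 2 method name -> (ssh_config keyword that enables it, default)
METHODS = {
    "hostbased": ("hostbasedauthentication", "no"),
    "publickey": ("pubkeyauthentication", "yes"),
    "keyboard-interactive": ("kbdinteractiveauthentication", "yes"),
    "password": ("passwordauthentication", "yes"),
}

def parse_config(text):
    """Return {lowercased keyword: value}; the first value seen wins."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            opts.setdefault(key.lower(), value.strip())
    return opts

def method_status(server_offer, config_text):
    """Say, for each preferred method, whether the client would attempt it."""
    opts = parse_config(config_text)
    offered = server_offer.split(",")
    preferred = opts.get("preferredauthentications", ",".join(METHODS))
    status = {}
    for name in preferred.split(","):
        if name not in METHODS:
            status[name] = "unknown method name"
        elif name not in offered:
            status[name] = "not offered by server"
        elif opts.get(METHODS[name][0], METHODS[name][1]) != "yes":
            status[name] = METHODS[name][0] + " is not yes"
        else:
            status[name] = "attempted"
    return status

print(method_status(SERVER_OFFER, POSTED_CONFIG))
```

With the posted config neither preferred entry is attempted, which matches "no more auth methods to try" in the client log. Whether the server then accepts a hostbased request is a separate check on the sshd side.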

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:55 EDT

