
Re: I am having serious difficulty getting host based authentication working with ssh

From: Roger <securityfocus(at)north-row.com>
Date: Mon Mar 03 2003 - 07:29:02 EST

Hi Brett,

I was getting the 'no more client hostkeys' when either end of the connection was having trouble looking up the reverse IP of the client and matching it against the key.
From your debug output, it looks like the exchange cannot find the key for debian.peakcomm.org but you're connecting to localhost. Do you have:

/etc/hosts

127.0.0.1 debian.peakcomm.org localhost

in your hosts file? The localhost must come first before any aliases.

Here is my /etc/ssh/ssh_config on the client:

Host *
   Protocol 2
   StrictHostKeyChecking no
   HostbasedAuthentication yes

---

and my /etc/ssh/sshd_config:

Protocol 2
HostKey /etc/ssh/ssh_host_dsa_key
IgnoreRhosts no
HostbasedAuthentication yes
---

My guess is that it's the IP lookup somewhere along the way.

Keep plugging away!

Cheers,

Roger.



Brett wrote:

> Thanks,
>
>> Hi Brett,
>>
>> What I would do in this situation is go back to first principles and
>> start simply. How about trying to get it to work from localhost to
>> localhost and then think about host to host?
>>
>> I have Mandrake 9.1RC1. To test host-based auth (after installing the
>> relevant packages and starting sshd which created the host keys for
>> me), I did the following:
>>
>> [root@mandrake root]# echo "localhost root" > ~/.shosts && chmod 0400 ~/.shosts
>> [root@mandrake root]# echo "IgnoreRhosts no
>> HostbasedAuthentication yes" >> /etc/ssh/sshd_config
>> [root@mandrake root]# echo "HostbasedAuthentication yes" >> /etc/ssh/ssh_config
>> [root@mandrake root]# service sshd restart
>> [root@mandrake root]# ssh localhost
>>
>> Last login: Sat Mar 1 13:23:21 2003 from localhost
>> [root@mandrake root]#
>>
>> So now I can log in locally using host-based authentication. Next I
>> introduced another machine, the server I was going to ssh into using
>> host-based auth. This is a RedHat 8 server.
>>
>> RedHat servers tend to come with sshd already up and running by
>> default. This was my plan of action:
>>
>> [root@mandrake root]# scp /etc/ssh/ssh_host_dsa_key.pub redhat:/etc/ssh/ssh_known_hosts
>> Warning: Permanently added 'redhat,192.168.0.1' (DSA) to the list of known hosts.
>> root@redhat's password:
>> ssh_host_dsa_key.pub 100% |*****************************| 590 00:00
>> [root@mandrake root]# echo "192.168.0.2 mandrake" >> /etc/hosts # need to reverse map the ip
>> [root@mandrake ssh]# ssh redhat
>> root@redhat's password:
>> Last login: Sat Mar 1 12:54:33 2003 from mandrake
>> [root@redhat root]# ex -c "s/^/mandrake /|x" /etc/ssh/ssh_known_hosts # need to add the hostname to the key
>> [root@redhat root]# echo "192.168.0.2 mandrake" >> /etc/hosts # need to reverse map the ip
>> [root@redhat root]# echo "mandrake root" > ~/.shosts && chmod 0400 ~/.shosts
>> [root@redhat root]# echo "IgnoreRhosts no
>> HostbasedAuthentication yes" >> /etc/ssh/sshd_config
>> [root@redhat root]# echo "HostbasedAuthentication yes" >> /etc/ssh/ssh_config
>> [root@redhat root]# service sshd restart
>> [root@redhat root]# exit
>> Connection to redhat closed.
>> [root@mandrake root]# ssh redhat
>> Last login: Sat Mar 1 13:04:15 2003 from mandrake
>> [root@redhat root]#
>>
>> So now I can log into a remote machine using host-based auth. I hope
>> some of this helps you in your quest to get host-based auth working.
>>
>> Regards,
>>
>> Roger
>>
>> Miller Brett wrote:
>>
>>> Please help (I will give you my first born child!! :) ),
>>> I have been working on getting host based authentication using
>>> .rhosts, .rhosts, hosts.equiv, shosts.equiv and nothing seems to be
>>> working correctly. I do not want to use RhostsAuthentication, nor
>>> RhostsRSAAuthentication, I want ssh to function just like the "r"
>>> protocols. I have rsh and rlogin working great but for some reason I
>>> cannot get ssh to work like rsh or rlogin. I have searched the internet
>>> looking for posts on the subject and the others seem very
>>> straightforward but my setup will not work. My system is debian
>>> 3.0 but I have also tried to get this working on a Red Hat box with
>>> the same results.
>>>
>>> This is the auth log of sshd when I try to connect from another
>>> host. It seems like PAM always tries to authenticate through a password
>>> and does not allow the client to authenticate with a rhosts file. How
>>> do I tell PAM not to require a password for .rhosts authentication? I
>>> have tried to copy the /etc/pam.d/rlogin authentication method to the
>>> /etc/pam.d/ssh authentication page but it does not work. The cause may
>>> not be PAM but it seems like a possibility.
>>>
>>> Any help would be greatly appreciated because I am getting cross-eyed
>>> looking at this. Thanks in advance.
>>>
>>> Brett
>>>
>>
>
Received on Mon Mar 3 14:31:43 2003
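
The name-lookup mismatch described in the reply above can be checked offline. The following is an added example, not part of the original thread: it finds the name a hosts-file reverse lookup returns for a client IP and tests whether a known_hosts file has a key entry under that name. It assumes sshd looks the client key up under the reverse-resolved name, as the reply describes; the function names, file contents and key placeholders are constructed for illustration.

```shell
#!/bin/sh
# Added example. All file contents below are constructed samples.

# Print the first name on the first hosts-file line for IP: this is the
# name a files-based reverse lookup returns for that address.
canonical_name() {  # usage: canonical_name IP HOSTS_FILE
    awk -v ip="$1" '
        { sub(/#.*/, "") }                      # strip trailing comments
        $1 == ip && NF >= 2 { print $2; exit }
    ' "$2"
}

# Succeed if NAME is listed in the comma-separated host field of a plain
# (unhashed) known_hosts entry.
known_hosts_has() {  # usage: known_hosts_has NAME KNOWN_HOSTS_FILE
    awk -v name="$1" '
        /^[ \t]*(#|$)/ { next }                 # comments and blank lines
        $1 ~ /^\|/     { next }                 # hashed entries are not comparable as text
        { n = split($1, h, ","); for (i = 1; i <= n; i++) if (h[i] == name) found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$2"
}

# Report which name the key must be filed under and whether it is there.
check_hostbased() {  # usage: check_hostbased CLIENT_IP HOSTS_FILE KNOWN_HOSTS_FILE
    name=$(canonical_name "$1" "$2")
    if [ -z "$name" ]; then echo "no-reverse-entry"; return 1; fi
    if known_hosts_has "$name" "$3"; then
        echo "ok $name"
    else
        echo "missing-key $name"; return 1
    fi
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
# Constructed hosts file using the ordering quoted in the reply (FQDN first).
printf '127.0.0.1 debian.peakcomm.org localhost\n192.168.0.2 mandrake\n' > "$tmp/hosts"
# Constructed known_hosts; the key material is a placeholder, not a real key.
printf 'localhost ssh-dss KEY_PLACEHOLDER\nmandrake,192.168.0.2 ssh-dss KEY_PLACEHOLDER\n' > "$tmp/known_hosts"

check_hostbased 127.0.0.1   "$tmp/hosts" "$tmp/known_hosts" || true
check_hostbased 192.168.0.2 "$tmp/hosts" "$tmp/known_hosts" || true
```

With the sample data, 127.0.0.1 resolves to debian.peakcomm.org, for which no key is filed, while 192.168.0.2 resolves to mandrake and matches.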

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:55 EDT

