topic Re: ssh host based authentication. in Operating System - HP-UX

ssh host based authentication.

Don Mallory — Tue, 13 Jul 2004 14:18:12 GMT

Hi there,

I have the HPUX Secure shell installed (package T1471AA - version A.03.71.000) on a couple of 11i servers.

I have generated keys (using ssh-keygen) for protocol 1 and 2 and those keys are in the ~/.ssh/authorized_keys file.

ssh, scp and sftp are able to connect using this authorization method without entering a password.

The same has been done for the root account between these servers from one specific server to allow administrative cron jobs to run.

What I need to be able to do is not ask the users to set up an authorized_keys file.

I have 8 nodes, each node is the same and a hosts.equiv is in place on each node. If a user logs into this node, they need to be able to start a job which will spawn children (using ssh) on each of the other nodes.

The users do not need to know if there are 8, 9, 4 or 20 nodes. They only need to know the first node.

In various parts of the documentation I've read about "host based authentication" as opposed to "user based authentication" - parts of the man pages suggest things like using protocol 1 with an shosts.equiv file, setting "UsePAM no" in the sshd_config, etc.

As of yet, I've been unable to get it to work. What I have noticed is that there is a reference to a PAM_RHOST setting during the ssh debug. How can this be set up to have clear connection for the user?

Here is an example output from sshd -d:

(note, the server names, username and IP addresses have been changed)

server2 # sshd -d
debug1: sshd version OpenSSH_3.7.1p2-pwexp26 [ HP-UX_Secure_Shell-A.03.71.000 ]
debug1: private host key: #0 type 0 RSA1
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: Server will not fork when running in debugging mode.
Connection from 192.168.12.39 port 57114
debug1: Client protocol version 2.0; client software version OpenSSH_3.7.1p2-pwexp26
debug1: match: OpenSSH_3.7.1p2-pwexp26 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.7.1p2-pwexp26
debug1: permanently_set_uid: 110/110
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user username service ssh-connection method none
debug1: attempt 0 failures 0
debug1: allowed_user: entering
debug1: PAM: initializing for "username"
debug1: PAM: setting PAM_RHOST to "server1.domain.ca"
Failed none for username from 192.168.12.39 port 57114 ssh2
Failed none for username from 192.168.12.39 port 57114 ssh2
debug1: userauth-request for user username service ssh-connection method publickey
debug1: attempt 1 failures 1
debug1: test whether pkalg/pkblob are acceptable
debug1: temporarily_use_uid: 77767/4009 (e=0/3)
debug1: trying public key file /home/username/.ssh/authorized_keys
debug1: restore_uid: 0/3
debug1: temporarily_use_uid: 77767/4009 (e=0/3)
debug1: trying public key file /home/username/.ssh/authorized_keys2
debug1: restore_uid: 0/3
Failed publickey for username from 192.168.12.39 port 57114 ssh2
debug1: userauth-request for user username service ssh-connection method publickey
debug1: attempt 2 failures 2
debug1: test whether pkalg/pkblob are acceptable
debug1: temporarily_use_uid: 77767/4009 (e=0/3)
debug1: trying public key file /home/username/.ssh/authorized_keys
debug1: restore_uid: 0/3
debug1: temporarily_use_uid: 77767/4009 (e=0/3)
debug1: trying public key file /home/username/.ssh/authorized_keys2
debug1: restore_uid: 0/3
Failed publickey for username from 192.168.12.39 port 57114 ssh2
debug1: userauth-request for user username service ssh-connection method keyboard-interactive
debug1: attempt 3 failures 3
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=username devs=
debug1: kbdint_alloc: devices 'pam'
debug1: auth2_challenge_start: trying authentication method 'pam'
Postponed keyboard-interactive for username from 192.168.12.39 port 57114 ssh2
Connection closed by 192.168.12.39
debug1: Calling cleanup 0x40014832(0x0)
debug1: Calling cleanup 0x40014b1a(0x40028b48)
debug1: Calling cleanup 0x40014b0a(0x0)
debug1: PAM: cleanup

This is the source ssh -v server2:

username@server1 /home/username $ ssh -v server2
OpenSSH_3.7.1p2-pwexp26, SSH protocols 1.5/2.0, OpenSSL 0.9.7c 30 Sep 2003
HP-UX_Secure_Shell-A.03.71.000, HP_UX Secure Shell version
debug1: Reading configuration data /opt/ssh/etc/ssh_config
debug1: Connecting to server2 [192.168.15.232] port 22.
debug1: Connection established.
debug1: identity file /home/username/.ssh/id_rsa type 1
debug1: identity file /home/username/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.7.1p2-pwexp26
debug1: match: OpenSSH_3.7.1p2-pwexp26 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.7.1p2-pwexp26
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'server2' is known and matches the RSA host key.
debug1: Found key in /opt/ssh/etc/ssh_known_hosts:26
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug1: Next authentication method: publickey
debug1: Offering public key: /home/username/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug1: Offering public key: /home/username/.ssh/id_dsa
debug1: Authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug1: Next authentication method: keyboard-interactive
Password:

Keyboard-interactive authentication does work at this point.

Does anyone have any suggestions?

Re: ssh host based authentication.

Sundar_7 — Tue, 13 Jul 2004 18:14:16 GMT

You can enable host based authentication by copying the public DSA key of the client to the server's /opt/ssh/etc/ssh_known_hosts file

For ex, for Node1 users to be able to logon to Node2 without supplying password

1) Copy Node1's /opt/ssh/etc/ssh_host_dsa_key.pub append to Node2's /opt/ssh/etc/ssh_known_hosts

2) Edit Node1 /opt/ssh/etc/ssh_config (client configuration file)and makesure HostBasedAuthentication Yes line is uncommented

3) do the same in Node2 with the server configuration file /opt/ssh/etc/sshd_config

4) It is preferred to use shosts.equiv with SSH than hosts.equiv file

node2> vi /opt/ssh/etc/shosts.equiv
node1
#

5) Send HUP signal to the sshd daemon running in node2

If node1 has to act the server then repeat the same process for Node1.

-- Sundar

Re: ssh host based authentication.

Don Mallory — Wed, 14 Jul 2004 08:50:40 GMT

Thanks for the suggestions, but no go.

There was a ssh_known_hosts on both systems that was from a cat *pub >> ssh_known_hosts.

The "HostbasedAuthentication yes" was there in the sshd_config, but was not commented out in the ssh_config, it is now.

I re-created it, but ended up with the followng: (sshd -d)

server2 # sshd -d
debug1: sshd version OpenSSH_3.7.1p2-pwexp26 [ HP-UX_Secure_Shell-A.03.71.000 ]
debug1: private host key: #0 type 0 RSA1
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: Server will not fork when running in debugging mode.
Connection from 192.168.12.39 port 57346
debug1: Client protocol version 2.0; client software version OpenSSH_3.7.1p2-pwexp26
debug1: match: OpenSSH_3.7.1p2-pwexp26 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.7.1p2-pwexp26
debug1: permanently_set_uid: 110/110
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user username service ssh-connection method none
debug1: attempt 0 failures 0
debug1: allowed_user: entering
debug1: PAM: initializing for "username"
debug1: PAM: setting PAM_RHOST to "server1.domain.ca"
Failed none for username from 192.168.12.39 port 57346 ssh2
Failed none for username from 192.168.12.39 port 57346 ssh2
debug1: userauth-request for user username service ssh-connection method publickey
debug1: attempt 1 failures 1
debug1: test whether pkalg/pkblob are acceptable
debug1: temporarily_use_uid: 77767/4009 (e=0/3)
debug1: trying public key file /home/username/.ssh/authorized_keys
debug1: restore_uid: 0/3
debug1: temporarily_use_uid: 77767/4009 (e=0/3)
debug1: trying public key file /home/username/.ssh/authorized_keys2
debug1: restore_uid: 0/3
Failed publickey for username from 192.168.12.39 port 57346 ssh2
debug1: userauth-request for user username service ssh-connection method publickey
debug1: attempt 2 failures 2
debug1: test whether pkalg/pkblob are acceptable
debug1: temporarily_use_uid: 77767/4009 (e=0/3)
debug1: trying public key file /home/username/.ssh/authorized_keys
debug1: restore_uid: 0/3
debug1: temporarily_use_uid: 77767/4009 (e=0/3)
debug1: trying public key file /home/username/.ssh/authorized_keys2
debug1: restore_uid: 0/3
Failed publickey for username from 192.168.12.39 port 57346 ssh2
debug1: userauth-request for user username service ssh-connection method keyboard-interactive
debug1: attempt 3 failures 3
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=username devs=
debug1: kbdint_alloc: devices 'pam'
debug1: auth2_challenge_start: trying authentication method 'pam'
Postponed keyboard-interactive for username from 192.168.12.39 port 57346 ssh2
Connection closed by 192.168.12.39
debug1: Calling cleanup 0x40014832(0x0)
debug1: Calling cleanup 0x40014b1a(0x40028b70)
debug1: Calling cleanup 0x40014b0a(0x0)
debug1: PAM: cleanup

ssh server2:

username@server1 /home/username $ ssh server2
The authenticity of host 'server2 (192.168.15.232)' can't be established.
RSA key fingerprint is 2f:b8:5c:8f:96:93:4d:56:69:c8:67:60:b1:0f:cc:2a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'server2,192.168.15.232' (RSA) to the list of known hosts.
ssh-keysign not enabled in /opt/ssh/etc/ssh_config
ssh_keysign: no reply
key_sign failed
Password:
username@server1 /home/username $

Re: ssh host based authentication.

Sundar_7 — Thu, 15 Jul 2004 12:53:48 GMT

Try this

From the client

# ssh -vvv server

From the server

# sshd -ddd -e

in the sshd output, debug level of 3 will tell you if there any problems with using
authorized_keys.

Remember, SSH is sensitive about the ownership/permissions of the authrorized_keys file.

sshd -ddd will tell you if SSH is ignoring this file becoz of improper permissions/ownership.

Re: ssh host based authentication.

Don Mallory — Thu, 15 Jul 2004 13:14:05 GMT

Thanks again.

Okay, I've attached the two files for the ssh -vvv and ssh -ddd -e

I also checked the permissions. The /opt/ssh/etc dir was set to 775 on server2.