topic Re: ssh problems with HostbasedAuthentication in Operating System - HP-UX

ssh problems with HostbasedAuthentication

Jdamian — Wed, 05 Feb 2003 14:34:07 GMT

I'm trying to configure sshd to allow secure connections with no prompting for password using .shosts file.

sshd_config contains:

Protocol 2
IgnoreRhosts no
HostbasedAuthentication yes
X11Forwarding yes
X11UseLocalhost no
Subsystem sftp /opt/ssh/libexec/sftp-server

.shosts file contains:

mysys user

/etc/hosts file contains:

10.10.10.10 mysys

Then I run:

ssh -o HostbasedAuthentication=yes user@mysys

and it logins fine.

Now superuser adds another IP (20.20.20.20) to the system in other LAN connector and updates /etc/hosts:

10.10.10.10 mysys
20.20.20.20 mysys2

but if I run

ssh -o HostbasedAuthentication=yes user@mysys2

password is required always to login.

why ?
can anyone help me ?

thanx a lot

Re: ssh problems with HostbasedAuthentication

Jdamian — Wed, 05 Feb 2003 14:36:03 GMT

I forgot to say that I also updated .shosts files:

mysys user
mysys2 user

Re: ssh problems with HostbasedAuthentication

Christian Gebhardt — Wed, 05 Feb 2003 15:01:08 GMT

Hi

if you are using openssh the shosts/rhosts authentification will only work with protocol version 1, you have set
Protocol 2
look at "man ssh" for more information.

Chris

Re: ssh problems with HostbasedAuthentication

Ralph Grothe — Wed, 05 Feb 2003 15:09:14 GMT

Were you careful with the permission bits for .shosts?
ssh is (for good reason) very picky that file owner is the account that wants to login without password, and that .shosts ist only readable to them.
Otherwise ssh will ignore the file altogether

Have you tried the -v switch to make ssh a bit more verbose.
In most cases it will give you clues why it failed.

Is the hostkey in $HOME/.ssh/known_hosts still valid?

Re: ssh problems with HostbasedAuthentication

Chris Wong — Wed, 05 Feb 2003 16:43:52 GMT

Using .shosts with SSH provides an encrypted connection, but using .shosts has some of the same security ramifications as using .rhosts and isn't recommended unless you really, really need it. If you have an all HP-UX environment, you can use the SSH agent (See http://newfdawg.com/SHP-SSHpart2.htm) and will only need to enter the passphrase once.

- Chris

Re: ssh problems with HostbasedAuthentication

Jdamian — Thu, 06 Feb 2003 16:22:46 GMT

Thanks for everthing.

Now my system accepts ssh-login without password from itself.

The problem now is a hostA accepts ssh-login without password from hostB but not from hostC... and I cannot find why ?

I added -vvv option in command line for debugging...

ssh -vvv -o HostbasedAuthentication=yes user@hostC

the following lines are a extract from all debug info:

debug1: authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug3: start over, passed a different list publickey,password,keyboard-interactive,hostbased
debug3: preferred hostbased,publickey,keyboard-interactive,password
debug3: authmethod_lookup hostbased
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled hostbased
debug1: next auth method to try is hostbased
debug2: userauth_hostbased: chost hostC.
debug2: we sent a hostbased packet, wait for reply
debug1: Remote: Accepted by .shosts.
debug1: authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug2: userauth_hostbased: chost hostC.
debug2: we sent a hostbased packet, wait for reply
debug1: Remote: Accepted by .shosts.
debug1: authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug1: userauth_hostbased: no more client hostkeys
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: next auth method to try is publickey
debug1: try privkey: /.ssh/id_rsa
debug3: no such identity: /.ssh/id_rsa
debug1: try privkey: /.ssh/id_dsa
debug3: no such identity: /.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password

Compare with the messages reported by command:

ssh -vvv -o HostbasedAuthentication=yes user@hostA

debug1: authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug3: start over, passed a different list publickey,password,keyboard-interactive,hostbased
debug3: preferred hostbased,publickey,keyboard-interactive,password
debug3: authmethod_lookup hostbased
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled hostbased
debug1: next auth method to try is hostbased
debug2: userauth_hostbased: chost in_bckup.
debug2: we sent a hostbased packet, wait for reply
debug1: Remote: Accepted by .shosts.
debug1: authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug2: userauth_hostbased: chost in_bckup.
debug2: we sent a hostbased packet, wait for reply
debug1: Remote: Accepted by .shosts.
debug1: ssh-userauth2 successful: method hostbased
debug3: clear hostkey 0
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug1: send channel open 0
debug1: Entering interactive session.

Can anyone help me ?

Re: ssh problems with HostbasedAuthentication

Steven E. Protter — Thu, 06 Feb 2003 16:30:47 GMT

Here is a cookbook that should work. It tells how to generate and distribute public keys.

It worked for me.

P

Re: ssh problems with HostbasedAuthentication

Jdamian — Fri, 07 Feb 2003 09:07:41 GMT

Thank you Steven.

Your doc helped me to solve my problems with SSH.