topic Re: SSH: no shosts.equiv found? in Operating System - OpenVMS

SSH: no shosts.equiv found?

Thomas A. Williams — Thu, 08 Dec 2005 07:57:13 GMT

I'm stumped - I can't get host based ssh authentication to work. I've narrowed it down to the following error in the TCPIP$SSH_RUN.LOG file on the server:

Thu 08 07:26:57 WARNING: hostbased-authentication (rhosts and shosts) refused for jl: no shosts. or rhosts. files and no system-wide files (e.g., ETC:shosts.equiv)

But the file:

SYS$SYSDEVICE:[TCPIP$SSH]SHOSTS.EQUIV

Does exist on the server.

These are the entries in the server sshd2_config:

AllowedAuthentications hostbased, publickey, password
# IgnoreRhosts no
# AllowSHosts trusted\.host\.org
# DenySHosts not\.quite\.trusted\.org

i.e. the bottom 3 are all commented out - not sure if I should uncomment any of these (didn't think I had to based on the admin guide).

Anyone have an idea?

Thanks in advance.

Re: SSH: no shosts.equiv found?

Arch_Muthiah — Thu, 08 Dec 2005 14:09:58 GMT

Thomas,
HPâ s TCP/IP services do not use the traditional UNIX rhosts and hosts.equiv files.

The file you have is systemwide trusted hosts file, TCPIP$SSH_DEVICE:[TCPIP$SSH]SHOSTS.EQUIV. In this file, you would add the fully qualified name of every SSH client host that will communicate with the server. You can also enter a specific user name to limit access to that user. For example:
MYHOST.MYLAB.COM
or
MYHOST.MYLAB.COM smith

There are other client and server config file on client config file, you will have to include this entry
--- AllowedAuthentications hostbased
--- DefaultDomain [fqdn of thelocal host]

on the server config file,
--- AllowedAuthentications hostbased
--- IgnoreRhosts no /* to enable use of the user-specific SHOSTS. files */

In host-based authentication, the client and server hosts authenticate each other. Therefore, the server host must have the client's host public key. Copy the client's host public-key file, CLIENTHOST::TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2]HOSTKEY.PUB, to the server directory SERVERHOST::TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2.KNOWNHOSTS], naming the key file name, using the format fully-qualified-hostname_ssh-dss.pub. For example, if the host name is green and its domain name is color.art.com, copy it as follows:
$COPY SYS$LOGIN:[SSH2.KNOWNHOSTS]green_color_art_com_ssh-dss.pub -
_$ SERVERHOST::TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2.KNOWNHOSTS]-
_$ green_color_art_com_ssh-dss.pub/PROTECTION=(W=RE)

Archunan

Re: SSH: no shosts.equiv found?

Steven Schweda — Thu, 08 Dec 2005 18:12:54 GMT

I seem to be using "publickey", and my
SYS$SYSDEVICE:[TCPIP$SSH]SHOSTS.EQUIV also
exists, but is empty, so I don't know much
about this, but have you tried "ssh -v [...]"?
Perhaps the "debug:" output will offer a clue.

You do need to adjust mentally the file specs
like "/etc/ssh2/hostkey.pub", and so on, of
course.

Re: SSH: no shosts.equiv found?

Thomas A. Williams — Fri, 09 Dec 2005 06:10:25 GMT

>The file you have is systemwide trusted hosts file,
>TCPIP$SSH_DEVICE:[TCPIP$SSH]SHOSTS.EQUIV.
>In this file, you would add the fully qualified
>name of every SSH client host that will
>communicate with the server.

Yes, I already have that.

>You can also enter a specific user name to limit
>access to that user. For example:
>MYHOST.MYLAB.COM
>or
>MYHOST.MYLAB.COM smith

Yes, I also have that.

>>There are other client and server config file on
>client config file, you will have to include this entry
>--- AllowedAuthentications hostbased
>--- DefaultDomain [fqdn of thelocal host]

Yes, both are done.

>on the server config file,
>--- AllowedAuthentications hostbased
>--- IgnoreRhosts no /* to enable use of the user-specific SHOSTS. files */

I left IgnoreRhosts commented, as the manual said it
was equivelant to no.

>In host-based authentication, the client and
>server hosts authenticate each other.
> Therefore, the server host must have the
>client's host public key. Copy the client's
>host public-key file,
>CLIENTHOST::TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2]HOSTKEY.PUB,
>to the server directory
>SERVERHOST::TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2.KNOWNHOSTS],
>naming the key file name, using the format
>fully-qualified-hostname_ssh-dss.pub.
>For example, if the host name is green and its
>domain name is color.art.com, copy it as follows:
>$COPY SYS$LOGIN:[SSH2.KNOWNHOSTS]green_color_art_com_ssh-dss.pub -
>_$ SERVERHOST::TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2.KNOWNHOSTS]-
>_$ green_color_art_com_ssh-dss.pub/PROTECTION=(W=RE)

Yes, done.

Is there anything you could suggest that isn't already in
or pasted from the admin guide?

Thanks,

Tom

--------------------------------------------------------------------------------
>I seem to be using "publickey", and my
>SYS$SYSDEVICE:[TCPIP$SSH]SHOSTS.EQUIV also
>exists, but is empty, so I don't know much
>about this, but have you tried "ssh -v [...]"?
>Perhaps the "debug:" output will offer a clue.

I had already done that. The below debug output from
the client side connect attempt caused me to look
for clues on the server, at which point I found the
output from the TCPIP$SSH_RUN.LOG
as indicated in my original post.

debug: server offers auth methods 'hostbased,publickey,password'.
debug: Ssh2AuthHostBasedClient/AUTHC-HOSTBASED.C:720: Server rejected the signature.

>You do need to adjust mentally the file specs
>like "/etc/ssh2/hostkey.pub", and so on, of
>course.

Yes, I realize that...

Thanks both for the suggestions. Please keep em coming.

Tom

Re: SSH: no shosts.equiv found?

Thomas A. Williams — Fri, 09 Dec 2005 06:57:14 GMT

BTW, I just tried copying SHOSTS.EQUIV to the directory

TCPIP$ETC

And that had no effect also.

Re: SSH: no shosts.equiv found?

Thomas A. Williams — Fri, 09 Dec 2005 10:52:04 GMT

Well, I gave a call to HP support - they figured out that when using hostbased authentication you need BOTH:

TCPIP$SSH_DEVICE:[TCPIP$SSH]SHOSTS.EQUIV

AND

SYS$LOGIN:SHOSTS.

for each user.

It doesn't say this in the admin guide.

Thanks for your help.

Re: SSH: no shosts.equiv found?

Thomas A. Williams — Fri, 09 Dec 2005 12:00:17 GMT

Actually my previous explanation was wrong.

It turns out the problem is this:

the file SHOSTS.EQUIV belongs in the

[TCPIP$SSH.SSH2] directory, not the

[TCPIP$SSH] directory

as the admin guide says. It's a mistake in the admin guide.

Re: SSH: no shosts.equiv found?

Arch_Muthiah — Fri, 09 Dec 2005 12:49:11 GMT

Yes willium, you are correct, I observed the manual has no correct file path info.

The systemwide trusted hosts file will be in TCPIP$SSH_DEVICE:[TCPIP$SSH], but user specfic SHOSTS.EQUIV file will be in [TCPIP$SSH.SSH2] directory.

Please let us know the summary of what you have done to made it to work; will be helpfull.

Archunan