topic Re: SSH Hostbased encryption in Operating System - OpenVMS

SSH Hostbased encryption

Andreas Aahman — Mon, 12 Jan 2009 08:42:58 GMT

Hi,

I've set up host based encryption between two nodes that allows me to connect without submitting a password if I'm logged in as the userI want to connect as on the other machine.

I.e If I log in as SYSTEM on machine A I can SSH machine B without entering a password.

But if I log in on machine A as SYSUSER and try to connect to machine b witj SSH SYSTEM@machineb it asks me for a password.
The SSH logs tells me this.

Fri 09 12:38:07 WARNING: hostbased-authentication (rhosts) refused: client user
'sysuser', server user 'system', client host 'xxxx'

Any ideas on how to get it to work without having to login as system?

Re: SSH Hostbased encryption

Kumar_Sanjay — Mon, 12 Jan 2009 09:38:43 GMT

Would please send the Debug output here.
looks like some privilege issue somewhere.

Cheers..

Re: SSH Hostbased encryption

Andreas Aahman — Mon, 12 Jan 2009 10:04:27 GMT

Here's the output. Let me know if more information is needed.

SUPERNOVA> ssh -v system@XXXXXX
debug: Ssh2/SSH2.C:1448: CRTL version (SYS$SHARE:DECC$SHR.EXE ident) is V7.3-2-1
debug: hostname is 'XXXXXX'.
debug: Unable to open ssh2/ssh2_config
debug: connecting to XXXXXX, port 22...
debug: entering event loop
debug: ssh_client_wrap: creating transport protocol
debug: SshAuthMethodClient/SSHAUTHMETHODC.C:145: Added "hostbased" to usable me.
debug: SshAuthMethodClient/SSHAUTHMETHODC.C:145: Added "publickey" to usable me.
debug: SshAuthMethodClient/SSHAUTHMETHODC.C:145: Added "password" to usable met.
debug: Ssh2Client/SSHCLIENT.C:1356: creating userauth protocol
debug: Ssh2Common/SSHCOMMON.C:517: local ip = 10.x.x.x, local port = 64459
debug: Ssh2Common/SSHCOMMON.C:519: remote ip = 10.x.x.x, remote port = 22
debug: SshConnection/SSHCONN.C:2092: Wrapping...
debug: Ssh2Transport/TRCOMMON.C:643: Remote version: SSH-2.0-3.2.0 SSH Secure S3
debug: Ssh2Transport/TRCOMMON.C:1167: c_to_s: cipher 3des-cbc, mac hmac-sha1, ce
debug: Ssh2Transport/TRCOMMON.C:1170: s_to_c: cipher 3des-cbc, mac hmac-sha1, ce
debug: Ssh2Client/SSHCLIENT.C:508: Host key found from database.
debug: Ssh2Common/SSHCOMMON.C:321: Received SSH_CROSS_STARTUP packet from conne.
debug: Ssh2Common/SSHCOMMON.C:371: Received SSH_CROSS_ALGORITHMS packet from co.
debug: SshUnixTcp/SSHUNIXTCP.C:1019: using local hostname orion.ikea.com
debug: Ssh2AuthHostBasedClient/AUTHC-HOSTBASED.C:803: Child: Execing ssh-signer)
debug: Ssh2AuthHostBasedClient/AUTHC-HOSTBASED.C:407: ssh-signer returned SSH_AE
debug: ssh_pipe_stream_destroy
debug: ssh_sigchld_real_callback
debug: ssh_sigchld_process_pid: no handler for pid 1585471 code 0
debug: Unable to open ssh2/identification
debug: Ssh2AuthClient/SSHAUTHC.C:347: Method 'publickey' disabled.
debug: Ssh2AuthPasswdClient/AUTHC-PASSWD.C:197: Starting password query...
system's password:

XXXXXX> ty SYS$SYSDEVICE:[TCPIP$SSH]TCPIP$SSH_RUN.LOG
$ Set NoOn
$ VERIFY = F$VERIFY(F$TRNLNM("SYLOGIN_VERIFY"))
Mon 12 07:53:31 INFORMATIONAL: Starting image in auxiliary server mode.
Mon 12 07:53:31 INFORMATIONAL: connection from "10.x.x.x"
Mon 12 07:53:31 WARNING: hostbased-authentication (rhosts) refused: client user
'sysuser', server user 'system', client host 'SUPERNOVA.xxx.xxx'.
XXXXXX>

Re: SSH Hostbased encryption

marsh_1 — Mon, 12 Jan 2009 13:00:25 GMT

hi,

check that your setup agrees with the guidelines in the openvms ssh manual for v7.3-2 (page 27 for host based auth) here :-

http://h71000.www7.hp.com/doc/732final/aa-rvbua-te/aa-rvbua-te.pdf

Re: SSH Hostbased encryption

Jim_McKinney — Mon, 12 Jan 2009 15:47:40 GMT

> debug: Unable to open ssh2/identification

Are there IDENTIFICATION. and AUTHORIZATION. files present and containing pointers to the appropriate key files in the [.SSH2] directories on each node?

Re: SSH Hostbased encryption

Steven Schweda — Mon, 12 Jan 2009 17:02:12 GMT

> Are there IDENTIFICATION. and
> AUTHORIZATION. files [...]

Aren't those for publickey (not hostbased)?

(I use only publickey, so for hostbased
authentication I'd be forced to read the
docs.)

Re: SSH Hostbased encryption

Andreas Aahman — Tue, 13 Jan 2009 07:50:01 GMT

Hi,

mark might have a point.
Never thought of checking that all components are fully complient which they're not.

One of the systems is 7.3-2 with an OLD tcpip version.
Will upgrade and return with information.

Re: SSH Hostbased encryption

Andreas Aahman — Tue, 20 Jan 2009 12:57:34 GMT

Hi,

I've now upgraded the Client system to OpenVMS 8.3 and Tcpip 5.6 but I am still not able to used hostbased authentication when logged in as a different user.

ie.. I'm logged onto the client as sysuser and want to connect to the remote system as system.

attached is the verbose output from the client. In that attachment in the bottom is also the logfile from the server.

Re: SSH Hostbased encryption

Wim Van den Wyngaert — Tue, 20 Jan 2009 14:01:07 GMT

Don't have SSH of HP but is your client host known in DNS of the server ?
Try ucx sho ho x.x.x.x on the server.

Wim

Re: SSH Hostbased encryption

marsh_1 — Tue, 20 Jan 2009 15:55:50 GMT

hi,

do you have the public key files 'fully-qualified-host-name'_ssh-dss.pub in place ?

Re: SSH Hostbased encryption

Duncan Morris — Tue, 20 Jan 2009 16:57:50 GMT

Andreas,

is there maybe an SHOSTS file on the server side?

On my test systems, I have set up hostbased authentication thus:

on the server (DEVT02)

DEVT02> ty sys$manager:shosts.
ISE216.CPWPLC.NET system
ISE216.CPWPLC.NET morrisd

DEVT02> ty sys$sysdevice:[tcpip$ssh.ssh2]shosts.equiv
ISE216.CPWPLC.NET

DEVT02> dir/sec sys$sysdevice:[tcpip$ssh.ssh2.knownhosts]

Directory SYS$SYSDEVICE:[TCPIP$SSH.SSH2.KNOWNHOSTS]

ISE216_CPWPLC_NET_SSH-DSS.PUB;1
[TCPIP$AUX,TCPIP$SSH] (RWED,RWED,RE,RE)

Within sshd2_config:

IgnoreRhosts no

This combination allows me log into SYSTEM on the server, from either SYSTEM or MORRISD on the client.

Duncan

Re: SSH Hostbased encryption

Steven Schweda — Tue, 20 Jan 2009 20:49:05 GMT

I'm with them. In my SSH2_CONFIG file, I
already had:

[...]
AllowedAuthentications hostbased, publickey, password
[...]
IgnoreRhosts no
[...]

I created
SYS$SYSDEVICE:[TCPIP$SSH.SSH2]SHOSTS.EQUIV,
and put the wrong (simple, unqualified) name
("it") into it, and got so far as:

alp $ type ALP$DKA0:[TCPIP$SSH]TCPIP$SSH_RUN.LOG;-1
[...]
Tue 20 14:17:55 INFORMATIONAL: connection from "10.0.0.16"
Tue 20 14:17:56 WARNING: Error trying to access file /sys$sysroot/sysmgr/ssh2/kn
ownhosts/it_antinode_info_ssh-dss.pub.
[...]

On the client side, "ssh -v" mentioned:

debug: SshUnixTcp/SSHUNIXTCP.C:1390: using local hostname it.antinode.info

so I figured that I should change "it" to the
fully qualified "it.antinode.info" in the
SHOSTS.EQUIV file.

I had already copied IT's (the client's)
SYS$SYSDEVICE:[TCPIP$SSH.SSH2]hostkey.pub,
and put it into the server's
SYS$SYSDEVICE:[TCPIP$SSH.SSH2.KNOWNHOSTS]
directory, but apparently someone's fussy
about the name. After I renamed that file to
what seemed to be sought,
IT_ANTINODE_INFO_SSH-DSS.PUB, things worked.
The server log said:

[...]
Tue 20 14:19:11 WARNING: Error trying to access file /sys$sysroot/sysmgr/ssh2/kn
ownhosts/it_antinode_info_ssh-dss.pub.
Tue 20 14:19:11 NOTICE: Hostbased authentication for user system accepted.
[...]

Which was not entirely pleasing, but the
"accepted" part was.

If anyone thinks that this stuff is well
documented, he's kidding himself.

("IT" seemed, at the time, like a good name
for my first Itanium system, and I've always
wanted to use "it's" as a possessive, but I
can see how it (or "it") might get
confusing.)

For the record, on the client ("it"):

IT $ tcpip show version

HP TCP/IP Services for OpenVMS Industry Standard 64 Version V5.6 - ECO 2
on an HP zx2000 (1.50GHz/6.0MB) running OpenVMS V8.3-1H1

IT $ ssh "-V"
it$dka0:[sys0.syscommon.][sysexe]tcpip$ssh_ssh2.exe: SSH Secure Shell OpenVMS (V
5.5) 3.2.0 on HP zx2000 (1.50GHz/6.0MB) - VMS V8.3-1H1

and on the server ("alp"):

alp $ tcpip show version

HP TCP/IP Services for OpenVMS Alpha Version V5.4 - ECO 7
on a COMPAQ Professional Workstation XP1000 running OpenVMS V7.3-2

alp $ ssh "-V"
alp$dka0:[sys0.syscommon.][sysexe]tcpip$ssh_ssh2.exe: SSH Secure Shell OpenVMS (
V5.5) 3.2.0 on COMPAQ Professional Workstation - VMS V7.3-2

Re: SSH Hostbased encryption

Andreas Aahman — Wed, 21 Jan 2009 09:21:28 GMT

It works if I add sysuser to sys$manager:shosts.

Which ofcourse is a solution and I guess there's no other way to solve it. It would be best if we could solve it without havind to specify the users in the shosts. file.

Is it at all possible to solve this without using shosts.?

Re: SSH Hostbased encryption

Duncan Morris — Wed, 21 Jan 2009 09:52:12 GMT

Andreas,

I suspect that this is simply how "hostbased" authentication was designed.

In general, I use publickey authentication internally, with a common public key for my personal account on several systems.

Duncan

Re: SSH Hostbased encryption

marsh_1 — Wed, 21 Jan 2009 12:38:45 GMT

hi,

putting in a user name is optional for hostbased authentication as stated in the documentation, reread the manual and double check you are not getting confused about TCPIP$SSH_DEVICE:[TCPIP$SSH]SHOSTS.EQUIV and SYS$LOGIN:SHOSTS.

HTH

Re: SSH Hostbased encryption

Andreas Aahman — Fri, 30 Jan 2009 08:05:28 GMT

I cannot find in the manual as why it should not work.

But it's good enough. We can easily add users to the shosts file.

Thanx everyone for the help.

Re: SSH Hostbased encryption

Steven Schweda — Fri, 30 Jan 2009 11:02:08 GMT

> [...] We can easily add users to the shosts
> file.

As I said/showed, you don't seem to need to
add _users_ to
"SYS$SYSDEVICE:[TCPIP$SSH.SSH2]SHOSTS.EQUIV".
Adding the (fully-qualified) client host name
was all I needed. I assume that you _can_
add user names, too, but I didn't try that.
(I figured that the whole point of using
"hostbased" was _not_ to worry about
individual users. But what do I know?)

> Jan 20, 2009 20:49:05 GMT 0 pts

> Thanx everyone for the help.

Make up your mind?

Re: SSH Hostbased encryption

Andreas Aahman — Fri, 30 Jan 2009 11:13:54 GMT

Adding the users to "SYS$SYSDEVICE:[TCPIP$SSH.SSH2]SHOSTS.EQUIV".
did not solve it.
SSH still did not allow hostbased authentication.

However adding the users to sys$manager:shosts do solve my problem. It still does not take me all the way but it's a good enough solution.

br,
Andreas

Re: SSH Hostbased encryption

marsh_1 — Fri, 30 Jan 2009 12:07:05 GMT

hi,

what do/did you have in the shosts.equiv file ?

from the manual :-

2. Edit the systemwide trusted hosts file, TCPIP$SSH_DEVICE:[TCPIP$SSH]SHOSTS.EQUIV, to add the fully
qualified name of every SSH client host that will communicate with the server. You can also enter a
specific user name to limit access to that user. For example:
MYHOST.MYLAB.COM
or
MYHOST.MYLAB.COM smith
If the IgnoreRhosts parameter is set to no as in step 1, you can also add the client host and optional user
names to the file SYS$LOGIN:SHOSTS. for a specific user.
If user names are used, those associated with OpenVMS client hosts must be in lowercase; those
associated wih UNIX client hosts must match the account name case as it exists on the UNIX host.

Re: SSH Hostbased encryption

Andreas Aahman — Fri, 30 Jan 2009 12:29:09 GMT

The shosts.equiv file contains the host that will connect to the servers.

If I add a username to the shosts.equiv file I still am not allowed to login as system on the remote system, if I'm not logged in as system on the client.

IgnoreRhosts is set to no and if I enter usernames in SYS$LOGIN:SHOSTS.
Everything if fine and dandy.

So to sum it up. If I do not add users in the sys$login:shosts file I cannot log on as system if I'm not logged on as system on the client side aswell.