Operating System - OpenVMS

Re: SSH Hostbased encryption

 
Andreas Aahman
Occasional Advisor

SSH Hostbased encryption

Hi,

I've set up host based encryption between two nodes that allows me to connect without submitting a password if I'm logged in as the user I want to connect as on the other machine.

I.e., if I log in as SYSTEM on machine A I can SSH machine B without entering a password.

But if I log in on machine A as SYSUSER and try to connect to machine B with SSH SYSTEM@machineb it asks me for a password.
The SSH logs tell me this.

Fri 09 12:38:07 WARNING: hostbased-authentication (rhosts) refused: client user
'sysuser', server user 'system', client host 'xxxx'

Any ideas on how to get it to work without having to login as system?
Kumar_Sanjay
Regular Advisor

Re: SSH Hostbased encryption

Would you please send the debug output here?
Looks like some privilege issue somewhere.

Cheers..
Andreas Aahman
Occasional Advisor

Re: SSH Hostbased encryption

Here's the output. Let me know if more information is needed.

SUPERNOVA> ssh -v system@XXXXXX
debug: Ssh2/SSH2.C:1448: CRTL version (SYS$SHARE:DECC$SHR.EXE ident) is V7.3-2-1
debug: hostname is 'XXXXXX'.
debug: Unable to open ssh2/ssh2_config
debug: connecting to XXXXXX, port 22...
debug: entering event loop
debug: ssh_client_wrap: creating transport protocol
debug: SshAuthMethodClient/SSHAUTHMETHODC.C:145: Added "hostbased" to usable me.
debug: SshAuthMethodClient/SSHAUTHMETHODC.C:145: Added "publickey" to usable me.
debug: SshAuthMethodClient/SSHAUTHMETHODC.C:145: Added "password" to usable met.
debug: Ssh2Client/SSHCLIENT.C:1356: creating userauth protocol
debug: Ssh2Common/SSHCOMMON.C:517: local ip = 10.x.x.x, local port = 64459
debug: Ssh2Common/SSHCOMMON.C:519: remote ip = 10.x.x.x, remote port = 22
debug: SshConnection/SSHCONN.C:2092: Wrapping...
debug: Ssh2Transport/TRCOMMON.C:643: Remote version: SSH-2.0-3.2.0 SSH Secure S3
debug: Ssh2Transport/TRCOMMON.C:1167: c_to_s: cipher 3des-cbc, mac hmac-sha1, ce
debug: Ssh2Transport/TRCOMMON.C:1170: s_to_c: cipher 3des-cbc, mac hmac-sha1, ce
debug: Ssh2Client/SSHCLIENT.C:508: Host key found from database.
debug: Ssh2Common/SSHCOMMON.C:321: Received SSH_CROSS_STARTUP packet from conne.
debug: Ssh2Common/SSHCOMMON.C:371: Received SSH_CROSS_ALGORITHMS packet from co.
debug: SshUnixTcp/SSHUNIXTCP.C:1019: using local hostname orion.ikea.com
debug: Ssh2AuthHostBasedClient/AUTHC-HOSTBASED.C:803: Child: Execing ssh-signer)
debug: Ssh2AuthHostBasedClient/AUTHC-HOSTBASED.C:407: ssh-signer returned SSH_AE
debug: ssh_pipe_stream_destroy
debug: ssh_sigchld_real_callback
debug: ssh_sigchld_process_pid: no handler for pid 1585471 code 0
debug: Unable to open ssh2/identification
debug: Ssh2AuthClient/SSHAUTHC.C:347: Method 'publickey' disabled.
debug: Ssh2AuthPasswdClient/AUTHC-PASSWD.C:197: Starting password query...
system's password:





XXXXXX> ty SYS$SYSDEVICE:[TCPIP$SSH]TCPIP$SSH_RUN.LOG
$ Set NoOn
$ VERIFY = F$VERIFY(F$TRNLNM("SYLOGIN_VERIFY"))
Mon 12 07:53:31 INFORMATIONAL: Starting image in auxiliary server mode.
Mon 12 07:53:31 INFORMATIONAL: connection from "10.x.x.x"
Mon 12 07:53:31 WARNING: hostbased-authentication (rhosts) refused: client user
'sysuser', server user 'system', client host 'SUPERNOVA.xxx.xxx'.
XXXXXX>
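
For anyone triaging the same refusal across many connections, here is an added example (not part of the original posts and not HP's code) that rejoins the wrapped WARNING lines from the server log quoted above and extracts the client user, server user and client host, flagging attempts where the two usernames differ. The second refusal in the sample and all function names are constructed for illustration.

```python
import re

# Sample in the shape of the TCPIP$SSH_RUN.LOG excerpt above. The last
# two lines (a same-user refusal from NODEC) are constructed.
SAMPLE_LOG = """\
$ Set NoOn
Mon 12 07:53:31 INFORMATIONAL: Starting image in auxiliary server mode.
Mon 12 07:53:31 INFORMATIONAL: connection from "10.x.x.x"
Mon 12 07:53:31 WARNING: hostbased-authentication (rhosts) refused: client user
'sysuser', server user 'system', client host 'SUPERNOVA.xxx.xxx'.
Mon 12 08:01:02 WARNING: hostbased-authentication (rhosts) refused: client user
'system', server user 'system', client host 'NODEC.xxx.xxx'.
"""

# A new log entry starts with "Day DD HH:MM:SS SEVERITY:".
ENTRY_START = re.compile(r"^[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} [A-Z]+:")
REFUSED = re.compile(
    r"^(?P<when>\w{3} \d{2} \d{2}:\d{2}:\d{2}) WARNING: "
    r"hostbased-authentication \(rhosts\) refused: "
    r"client user '(?P<client_user>[^']*)', "
    r"server user '(?P<server_user>[^']*)', "
    r"client host '(?P<client_host>[^']*)'"
)

def join_wrapped(text):
    """Merge continuation lines into the timestamped entry they follow."""
    entries = []
    for line in text.splitlines():
        if ENTRY_START.match(line) or not entries:
            entries.append(line.strip())
        else:
            entries[-1] += " " + line.strip()
    return entries

def refused_hostbased(text):
    """Return one dict per refused hostbased attempt, with a cross_user flag."""
    records = []
    for entry in join_wrapped(text):
        match = REFUSED.match(entry)
        if match:
            rec = match.groupdict()
            # Compare case-folded so 'SYSTEM' and 'system' count as the same user.
            rec["cross_user"] = (
                rec["client_user"].lower() != rec["server_user"].lower()
            )
            records.append(rec)
    return records

if __name__ == "__main__":
    for rec in refused_hostbased(SAMPLE_LOG):
        print(rec)
```
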
marsh_1
Honored Contributor

Re: SSH Hostbased encryption

hi,

check that your setup agrees with the guidelines in the openvms ssh manual for v7.3-2 (page 27 for host based auth) here :-

http://h71000.www7.hp.com/doc/732final/aa-rvbua-te/aa-rvbua-te.pdf


Jim_McKinney
Honored Contributor

Re: SSH Hostbased encryption

> debug: Unable to open ssh2/identification

Are there IDENTIFICATION. and AUTHORIZATION. files present and containing pointers to the appropriate key files in the [.SSH2] directories on each node?

Steven Schweda
Honored Contributor

Re: SSH Hostbased encryption

> Are there IDENTIFICATION. and
> AUTHORIZATION. files [...]

Aren't those for publickey (not hostbased)?

(I use only publickey, so for hostbased
authentication I'd be forced to read the
docs.)
Andreas Aahman
Occasional Advisor

Re: SSH Hostbased encryption

Hi,

Mark might have a point.
Never thought of checking that all components are fully compliant, which they're not.

One of the systems is 7.3-2 with an OLD tcpip version.
Will upgrade and return with information.
Andreas Aahman
Occasional Advisor

Re: SSH Hostbased encryption

Hi,

I've now upgraded the Client system to OpenVMS 8.3 and Tcpip 5.6 but I am still not able to use hostbased authentication when logged in as a different user.

I.e., I'm logged onto the client as sysuser and want to connect to the remote system as system.

Attached is the verbose output from the client. At the bottom of that attachment is also the logfile from the server.
Wim Van den Wyngaert
Honored Contributor

Re: SSH Hostbased encryption

Don't have SSH of HP but is your client host known in DNS of the server?
Try ucx sho ho x.x.x.x on the server.

Wim
marsh_1
Honored Contributor

Re: SSH Hostbased encryption

hi,

do you have the public key files 'fully-qualified-host-name'_ssh-dss.pub in place?