Operating System - OpenVMS

SSH: no shosts.equiv found?

 
Thomas A. Williams
Regular Advisor

SSH: no shosts.equiv found?

I'm stumped - I can't get host based ssh authentication to work. I've narrowed it down to the following error in the TCPIP$SSH_RUN.LOG file on the server:

Thu 08 07:26:57 WARNING: hostbased-authentication (rhosts and shosts) refused for jl: no shosts. or rhosts. files and no system-wide files (e.g., ETC:shosts.equiv)

But the file:

SYS$SYSDEVICE:[TCPIP$SSH]SHOSTS.EQUIV

Does exist on the server.

These are the entries in the server sshd2_config:

AllowedAuthentications hostbased, publickey, password
# IgnoreRhosts no
# AllowSHosts trusted\.host\.org
# DenySHosts not\.quite\.trusted\.org

i.e. the bottom 3 are all commented out - not sure if I should uncomment any of these (didn't think I had to based on the admin guide).

Anyone have an idea?

Thanks in advance.

7 REPLIES
Arch_Muthiah
Honored Contributor

Re: SSH: no shosts.equiv found?

Thomas,
HP's TCP/IP services do not use the traditional UNIX rhosts and hosts.equiv files.

The file you have is systemwide trusted hosts file, TCPIP$SSH_DEVICE:[TCPIP$SSH]SHOSTS.EQUIV. In this file, you would add the fully qualified name of every SSH client host that will communicate with the server. You can also enter a specific user name to limit access to that user. For example:
MYHOST.MYLAB.COM
or
MYHOST.MYLAB.COM smith

There are also other client and server config file entries. In the client config file, you will have to include these entries:
--- AllowedAuthentications hostbased
--- DefaultDomain [fqdn of thelocal host]

on the server config file,
--- AllowedAuthentications hostbased
--- IgnoreRhosts no /* to enable use of the user-specific SHOSTS. files */

In host-based authentication, the client and server hosts authenticate each other. Therefore, the server host must have the client's host public key. Copy the client's host public-key file, CLIENTHOST::TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2]HOSTKEY.PUB, to the server directory SERVERHOST::TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2.KNOWNHOSTS], naming the key file using the format fully-qualified-hostname_ssh-dss.pub. For example, if the host name is green and its domain name is color.art.com, copy it as follows:
$COPY SYS$LOGIN:[SSH2.KNOWNHOSTS]green_color_art_com_ssh-dss.pub -
_$ SERVERHOST::TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2.KNOWNHOSTS]-
_$ green_color_art_com_ssh-dss.pub/PROTECTION=(W=RE)


Archunan
Regards
Archie
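As an added illustration (not code from the thread or from HP's TCP/IP Services), the following Python helper parses a systemwide SHOSTS.EQUIV in the two-field format Archie describes, models the trust decision as he states it (bare host trusts every user from that host, "host user" trusts only that user), derives the expected known-hosts key file name from a client FQDN, and flags entries that carry no user restriction. The file contents are constructed; the trust semantics are an assumption taken from the reply above, not from the sshd2 source.

```python
# Constructed sample of a systemwide SHOSTS.EQUIV (not a real file).
SAMPLE_SHOSTS_EQUIV = """\
# constructed example
MYHOST.MYLAB.COM
MYHOST.MYLAB.COM smith
green.color.art.com jl
"""


def parse_shosts_equiv(text):
    """Return (host, user_or_None) tuples; blank and '#' lines are skipped.
    Host names are lower-cased because DNS names are case-insensitive."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        host = parts[0].lower()
        user = parts[1] if len(parts) > 1 else None
        entries.append((host, user))
    return entries


def host_allowed(entries, client_fqdn, user):
    """Assumed semantics from the reply: a bare host entry trusts every user
    from that host; a 'host user' entry trusts only that user."""
    client_fqdn = client_fqdn.lower()
    return any(h == client_fqdn and (u is None or u == user) for h, u in entries)


def known_hosts_key_name(client_fqdn, key_type="ssh-dss"):
    """Expected file name under [TCPIP$SSH.SSH2.KNOWNHOSTS]: dots in the
    FQDN become underscores, e.g. green_color_art_com_ssh-dss.pub."""
    return f"{client_fqdn.lower().replace('.', '_')}_{key_type}.pub"


def broad_entries(entries):
    """Audit helper: hosts trusted with no user restriction at all."""
    return sorted({h for h, u in entries if u is None})


if __name__ == "__main__":
    ents = parse_shosts_equiv(SAMPLE_SHOSTS_EQUIV)
    print(ents)
    print(host_allowed(ents, "GREEN.COLOR.ART.COM", "jl"))
    print(known_hosts_key_name("green.color.art.com"))
    print(broad_entries(ents))
```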
Steven Schweda
Honored Contributor

Re: SSH: no shosts.equiv found?

I seem to be using "publickey", and my
SYS$SYSDEVICE:[TCPIP$SSH]SHOSTS.EQUIV also
exists, but is empty, so I don't know much
about this, but have you tried "ssh -v [...]"?
Perhaps the "debug:" output will offer a clue.

You do need to adjust mentally the file specs
like "/etc/ssh2/hostkey.pub", and so on, of
course.
Thomas A. Williams
Regular Advisor

Re: SSH: no shosts.equiv found?


>The file you have is systemwide trusted hosts file,
>TCPIP$SSH_DEVICE:[TCPIP$SSH]SHOSTS.EQUIV.
>In this file, you would add the fully qualified
>name of every SSH client host that will
>communicate with the server.

Yes, I already have that.


>You can also enter a specific user name to limit
>access to that user. For example:
>MYHOST.MYLAB.COM
>or
>MYHOST.MYLAB.COM smith

Yes, I also have that.

>There are other client and server config file on
>client config file, you will have to include this entry
>--- AllowedAuthentications hostbased
>--- DefaultDomain [fqdn of thelocal host]

Yes, both are done.

>on the server config file,
>--- AllowedAuthentications hostbased
>--- IgnoreRhosts no /* to enable use of the user-specific SHOSTS. files */

I left IgnoreRhosts commented, as the manual said it
was equivalent to no.

>In host-based authentication, the client and
>server hosts authenticate each other.
> Therefore, the server host must have the
>client's host public key. Copy the client's
>host public-key file,
>CLIENTHOST::TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2]HOSTKEY.PUB,
>to the server directory
>SERVERHOST::TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2.KNOWNHOSTS],
>naming the key file name, using the format
>fully-qualified-hostname_ssh-dss.pub.
>For example, if the host name is green and its
>domain name is color.art.com, copy it as follows:
>$COPY SYS$LOGIN:[SSH2.KNOWNHOSTS]green_color_art_com_ssh-dss.pub -
>_$ SERVERHOST::TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2.KNOWNHOSTS]-
>_$ green_color_art_com_ssh-dss.pub/PROTECTION=(W=RE)

Yes, done.

Is there anything you could suggest that isn't already in
or pasted from the admin guide?

Thanks,

Tom


--------------------------------------------------------------------------------
>I seem to be using "publickey", and my
>SYS$SYSDEVICE:[TCPIP$SSH]SHOSTS.EQUIV also
>exists, but is empty, so I don't know much
>about this, but have you tried "ssh -v [...]"?
>Perhaps the "debug:" output will offer a clue.

I had already done that. The below debug output from
the client side connect attempt caused me to look
for clues on the server, at which point I found the
output from the TCPIP$SSH_RUN.LOG
as indicated in my original post.

debug: server offers auth methods 'hostbased,publickey,password'.
debug: Ssh2AuthHostBasedClient/AUTHC-HOSTBASED.C:720: Server rejected the signature.


>You do need to adjust mentally the file specs
>like "/etc/ssh2/hostkey.pub", and so on, of
>course.

Yes, I realize that...


Thanks both for the suggestions. Please keep em coming.

Tom
Thomas A. Williams
Regular Advisor

Re: SSH: no shosts.equiv found?

BTW, I just tried copying SHOSTS.EQUIV to the directory

TCPIP$ETC

And that had no effect also.
Thomas A. Williams
Regular Advisor

Re: SSH: no shosts.equiv found?

Well, I gave a call to HP support - they figured out that when using hostbased authentication you need BOTH:

TCPIP$SSH_DEVICE:[TCPIP$SSH]SHOSTS.EQUIV

AND

SYS$LOGIN:SHOSTS.

for each user.

It doesn't say this in the admin guide.

Thanks for your help.

Thomas A. Williams
Regular Advisor

Re: SSH: no shosts.equiv found?

Actually my previous explanation was wrong.

It turns out the problem is this:


the file SHOSTS.EQUIV belongs in the

[TCPIP$SSH.SSH2] directory, not the

[TCPIP$SSH] directory

as the admin guide says. It's a mistake in the admin guide.
Arch_Muthiah
Honored Contributor

Re: SSH: no shosts.equiv found?

Yes Williams, you are correct; I observed that the manual has incorrect file path info.

The systemwide trusted hosts file will be in TCPIP$SSH_DEVICE:[TCPIP$SSH], but the user-specific SHOSTS.EQUIV file will be in the [TCPIP$SSH.SSH2] directory.

Please let us know a summary of what you did to make it work; it will be helpful.


Archunan
Regards
Archie