07-13-2004 07:18 AM
ssh host based authentication.
I have the HPUX Secure shell installed (package T1471AA - version A.03.71.000) on a couple of 11i servers.
I have generated keys (using ssh-keygen) for protocol 1 and 2 and those keys are in the ~/.ssh/authorized_keys file.
ssh, scp and sftp are able to connect using this authorization method without entering a password.
The same has been done for the root account between these servers from one specific server to allow administrative cron jobs to run.
What I need to be able to do is not ask the users to set up an authorized_keys file.
I have 8 nodes; each node is the same, and a hosts.equiv is in place on each node. If a user logs into this node, they need to be able to start a job which will spawn children (using ssh) on each of the other nodes.
The users do not need to know if there are 8, 9, 4 or 20 nodes. They only need to know the first node.
In various parts of the documentation I've read about "host based authentication" as opposed to "user based authentication" - parts of the man pages suggest things like using protocol 1 with an shosts.equiv file, setting "UsePAM no" in the sshd_config, etc.
As of yet, I've been unable to get it to work. What I have noticed is that there is a reference to a PAM_RHOST setting during the ssh debug. How can this be set up to have a clear connection for the user?
Here is an example output from sshd -d:
(note, the server names, username and IP addresses have been changed)
server2 # sshd -d
debug1: sshd version OpenSSH_3.7.1p2-pwexp26 [ HP-UX_Secure_Shell-A.03.71.000 ]
debug1: private host key: #0 type 0 RSA1
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: Server will not fork when running in debugging mode.
Connection from 192.168.12.39 port 57114
debug1: Client protocol version 2.0; client software version OpenSSH_3.7.1p2-pwexp26
debug1: match: OpenSSH_3.7.1p2-pwexp26 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.7.1p2-pwexp26
debug1: permanently_set_uid: 110/110
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user username service ssh-connection method none
debug1: attempt 0 failures 0
debug1: allowed_user: entering
debug1: PAM: initializing for "username"
debug1: PAM: setting PAM_RHOST to "server1.domain.ca"
Failed none for username from 192.168.12.39 port 57114 ssh2
Failed none for username from 192.168.12.39 port 57114 ssh2
debug1: userauth-request for user username service ssh-connection method publickey
debug1: attempt 1 failures 1
debug1: test whether pkalg/pkblob are acceptable
debug1: temporarily_use_uid: 77767/4009 (e=0/3)
debug1: trying public key file /home/username/.ssh/authorized_keys
debug1: restore_uid: 0/3
debug1: temporarily_use_uid: 77767/4009 (e=0/3)
debug1: trying public key file /home/username/.ssh/authorized_keys2
debug1: restore_uid: 0/3
Failed publickey for username from 192.168.12.39 port 57114 ssh2
debug1: userauth-request for user username service ssh-connection method publickey
debug1: attempt 2 failures 2
debug1: test whether pkalg/pkblob are acceptable
debug1: temporarily_use_uid: 77767/4009 (e=0/3)
debug1: trying public key file /home/username/.ssh/authorized_keys
debug1: restore_uid: 0/3
debug1: temporarily_use_uid: 77767/4009 (e=0/3)
debug1: trying public key file /home/username/.ssh/authorized_keys2
debug1: restore_uid: 0/3
Failed publickey for username from 192.168.12.39 port 57114 ssh2
debug1: userauth-request for user username service ssh-connection method keyboard-interactive
debug1: attempt 3 failures 3
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=username devs=
debug1: kbdint_alloc: devices 'pam'
debug1: auth2_challenge_start: trying authentication method 'pam'
Postponed keyboard-interactive for username from 192.168.12.39 port 57114 ssh2
Connection closed by 192.168.12.39
debug1: Calling cleanup 0x40014832(0x0)
debug1: Calling cleanup 0x40014b1a(0x40028b48)
debug1: Calling cleanup 0x40014b0a(0x0)
debug1: PAM: cleanup
This is the source ssh -v server2:
username@server1 /home/username $ ssh -v server2
OpenSSH_3.7.1p2-pwexp26, SSH protocols 1.5/2.0, OpenSSL 0.9.7c 30 Sep 2003
HP-UX_Secure_Shell-A.03.71.000, HP_UX Secure Shell version
debug1: Reading configuration data /opt/ssh/etc/ssh_config
debug1: Connecting to server2 [192.168.15.232] port 22.
debug1: Connection established.
debug1: identity file /home/username/.ssh/id_rsa type 1
debug1: identity file /home/username/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.7.1p2-pwexp26
debug1: match: OpenSSH_3.7.1p2-pwexp26 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.7.1p2-pwexp26
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'server2' is known and matches the RSA host key.
debug1: Found key in /opt/ssh/etc/ssh_known_hosts:26
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug1: Next authentication method: publickey
debug1: Offering public key: /home/username/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug1: Offering public key: /home/username/.ssh/id_dsa
debug1: Authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug1: Next authentication method: keyboard-interactive
Password:
Keyboard-interactive authentication does work at this point.
Does anyone have any suggestions?
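To see at a glance which methods a client actually tried against sshd, the following added example (not from this thread) summarises an sshd -d log per connection; the sample lines are a constructed excerpt in the same format as the output above.

```shell
#!/bin/sh
# Constructed excerpt in the sshd -d format shown above (not the poster's full log).
SAMPLE_LOG='Connection from 192.168.12.39 port 57114
debug1: userauth-request for user username service ssh-connection method none
debug1: PAM: setting PAM_RHOST to "server1.domain.ca"
Failed none for username from 192.168.12.39 port 57114 ssh2
debug1: userauth-request for user username service ssh-connection method publickey
debug1: trying public key file /home/username/.ssh/authorized_keys
Failed publickey for username from 192.168.12.39 port 57114 ssh2
debug1: userauth-request for user username service ssh-connection method keyboard-interactive
Postponed keyboard-interactive for username from 192.168.12.39 port 57114 ssh2
Connection closed by 192.168.12.39'

# auth_summary: reads sshd -d output on stdin and prints one line per connection:
#   IP:PORT user=NAME method=outcome ... [hostbased=never-requested]
# The outcome is the last Failed/Postponed/Accepted verdict sshd logged for that
# method, or "requested" if the request was logged but no verdict followed.
auth_summary() {
    awk '
    /^Connection from / { conn = $3 ":" $5; keys[++n] = conn; order[conn] = ""; next }
    /userauth-request for user / {
        user[conn] = $5; m = $NF
        if (!((conn, m) in st)) { order[conn] = order[conn] m " "; st[conn, m] = "requested" }
        next
    }
    /^(Failed|Postponed|Accepted) / { st[conn, $2] = tolower($1); next }
    END {
        for (i = 1; i <= n; i++) {
            c = keys[i]; line = c " user=" user[c]
            k = split(order[c], ms, " ")
            for (j = 1; j <= k; j++) line = line " " ms[j] "=" st[c, ms[j]]
            # hostbased never requested at all means the client side is not offering it
            if (!((c, "hostbased") in st)) line = line " hostbased=never-requested"
            print line
        }
    }'
}

printf '%s\n' "$SAMPLE_LOG" | auth_summary
```

Run over the first post's log this reports hostbased as never requested, which agrees with the client side: ssh -v lists hostbased among the methods that can continue, but the client never selects it.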
07-13-2004 11:14 AM
Re: ssh host based authentication.
For example, for Node1 users to be able to log on to Node2 without supplying a password:
1) Copy Node1's /opt/ssh/etc/ssh_host_dsa_key.pub and append it to Node2's /opt/ssh/etc/ssh_known_hosts
2) Edit Node1's /opt/ssh/etc/ssh_config (client configuration file) and make sure the HostBasedAuthentication Yes line is uncommented
3) Do the same in Node2 with the server configuration file /opt/ssh/etc/sshd_config
4) It is preferred to use shosts.equiv with SSH rather than the hosts.equiv file
node2> vi /opt/ssh/etc/shosts.equiv
node1
#
5) Send HUP signal to the sshd daemon running in node2
If node1 has to act as the server, then repeat the same process for Node1.
-- Sundar
07-14-2004 01:50 AM
Re: ssh host based authentication.
There was an ssh_known_hosts on both systems that was from a cat *pub >> ssh_known_hosts.
The "HostbasedAuthentication yes" was there in the sshd_config, but was not commented out in the ssh_config; it is now.
I re-created it, but ended up with the following (sshd -d):
server2 # sshd -d
debug1: sshd version OpenSSH_3.7.1p2-pwexp26 [ HP-UX_Secure_Shell-A.03.71.000 ]
debug1: private host key: #0 type 0 RSA1
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: Server will not fork when running in debugging mode.
Connection from 192.168.12.39 port 57346
debug1: Client protocol version 2.0; client software version OpenSSH_3.7.1p2-pwexp26
debug1: match: OpenSSH_3.7.1p2-pwexp26 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.7.1p2-pwexp26
debug1: permanently_set_uid: 110/110
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user username service ssh-connection method none
debug1: attempt 0 failures 0
debug1: allowed_user: entering
debug1: PAM: initializing for "username"
debug1: PAM: setting PAM_RHOST to "server1.domain.ca"
Failed none for username from 192.168.12.39 port 57346 ssh2
Failed none for username from 192.168.12.39 port 57346 ssh2
debug1: userauth-request for user username service ssh-connection method publickey
debug1: attempt 1 failures 1
debug1: test whether pkalg/pkblob are acceptable
debug1: temporarily_use_uid: 77767/4009 (e=0/3)
debug1: trying public key file /home/username/.ssh/authorized_keys
debug1: restore_uid: 0/3
debug1: temporarily_use_uid: 77767/4009 (e=0/3)
debug1: trying public key file /home/username/.ssh/authorized_keys2
debug1: restore_uid: 0/3
Failed publickey for username from 192.168.12.39 port 57346 ssh2
debug1: userauth-request for user username service ssh-connection method publickey
debug1: attempt 2 failures 2
debug1: test whether pkalg/pkblob are acceptable
debug1: temporarily_use_uid: 77767/4009 (e=0/3)
debug1: trying public key file /home/username/.ssh/authorized_keys
debug1: restore_uid: 0/3
debug1: temporarily_use_uid: 77767/4009 (e=0/3)
debug1: trying public key file /home/username/.ssh/authorized_keys2
debug1: restore_uid: 0/3
Failed publickey for username from 192.168.12.39 port 57346 ssh2
debug1: userauth-request for user username service ssh-connection method keyboard-interactive
debug1: attempt 3 failures 3
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=username devs=
debug1: kbdint_alloc: devices 'pam'
debug1: auth2_challenge_start: trying authentication method 'pam'
Postponed keyboard-interactive for username from 192.168.12.39 port 57346 ssh2
Connection closed by 192.168.12.39
debug1: Calling cleanup 0x40014832(0x0)
debug1: Calling cleanup 0x40014b1a(0x40028b70)
debug1: Calling cleanup 0x40014b0a(0x0)
debug1: PAM: cleanup
ssh server2:
username@server1 /home/username $ ssh server2
The authenticity of host 'server2 (192.168.15.232)' can't be established.
RSA key fingerprint is 2f:b8:5c:8f:96:93:4d:56:69:c8:67:60:b1:0f:cc:2a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'server2,192.168.15.232' (RSA) to the list of known hosts.
ssh-keysign not enabled in /opt/ssh/etc/ssh_config
ssh_keysign: no reply
key_sign failed
Password:
username@server1 /home/username $
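Sundar's checklist above and the "ssh-keysign not enabled in /opt/ssh/etc/ssh_config" message in this follow-up together name the pieces host-based authentication needs on both sides. The script below is an added example, not from this thread, that checks constructed copies of those files (directory layout, hostnames and the placeholder key are made up); it assumes the OpenSSH ssh_config keyword EnableSSHKeysign, which is the setting that ssh-keysign error refers to.

```shell
#!/bin/sh
# Constructed sample client and server config trees (not the poster's real files).
WORK="${TMPDIR:-/tmp}/hostbased-check.$$"
mkdir -p "$WORK/client" "$WORK/server"
cat > "$WORK/client/ssh_config" <<'EOF'
# HostbasedAuthentication yes   (still commented out, as in the first post)
EnableSSHKeysign yes
EOF
printf 'HostbasedAuthentication yes\n' > "$WORK/server/sshd_config"
printf 'node1\n' > "$WORK/server/shosts.equiv"
# Constructed placeholder for node1's public host key; a real line carries the full key.
printf 'node1,192.168.12.39 ssh-dss AAAA...PLACEHOLDER...\n' > "$WORK/server/ssh_known_hosts"

# opt_enabled FILE KEYWORD: true if an uncommented "KEYWORD yes" line exists
# (OpenSSH keywords are case-insensitive, so compare in lower case).
opt_enabled() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == k && tolower($2) == "yes" { found = 1 }
        END { if (found) exit 0; exit 1 }' "$1"
}

# host_listed FILE HOST: true if HOST is the first field, or a comma-separated
# member of it, on an uncommented line (plain hostnames assumed, not hashed).
host_listed() {
    awk -v h="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        { n = split($1, a, ","); for (i = 1; i <= n; i++) if (a[i] == h) found = 1 }
        END { if (found) exit 0; exit 1 }' "$1"
}

# check_hostbased CLIENT_DIR SERVER_DIR CLIENT_HOST: report every missing piece;
# returns 0 only when all five are in place.
check_hostbased() {
    rc=0
    opt_enabled "$1/ssh_config" HostbasedAuthentication  || { echo "client ssh_config: HostbasedAuthentication is not yes"; rc=1; }
    opt_enabled "$1/ssh_config" EnableSSHKeysign         || { echo "client ssh_config: EnableSSHKeysign is not yes (ssh-keysign cannot sign)"; rc=1; }
    opt_enabled "$2/sshd_config" HostbasedAuthentication || { echo "server sshd_config: HostbasedAuthentication is not yes"; rc=1; }
    host_listed "$2/shosts.equiv" "$3"    || { echo "server shosts.equiv: $3 is not listed"; rc=1; }
    host_listed "$2/ssh_known_hosts" "$3" || { echo "server ssh_known_hosts: no host key entry for $3"; rc=1; }
    return $rc
}

# First run fails on the commented-out client line; uncomment it and rerun.
check_hostbased "$WORK/client" "$WORK/server" node1 || true
sed 's/^# *HostbasedAuthentication yes.*/HostbasedAuthentication yes/' "$WORK/client/ssh_config" > "$WORK/client/ssh_config.new" \
    && mv "$WORK/client/ssh_config.new" "$WORK/client/ssh_config"
if check_hostbased "$WORK/client" "$WORK/server" node1; then echo "host-based auth: all pieces present"; fi
```

sshd consults shosts.equiv and hosts.equiv only for non-root users, so the root cron jobs from the first post need ~root/.shosts instead, and ssh-keysign must be installed setuid root on the client so it can read the private host keys.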
07-15-2004 05:53 AM
Re: ssh host based authentication.
From the client
# ssh -vvv server
From the server
# sshd -ddd -e
In the sshd output, debug level 3 will tell you if there are any problems with using authorized_keys.
Remember, SSH is sensitive about the ownership/permissions of the authorized_keys file.
sshd -ddd will tell you if SSH is ignoring this file because of improper permissions/ownership.
07-15-2004 06:14 AM
Re: ssh host based authentication.
Okay, I've attached the two files for the ssh -vvv and ssh -ddd -e.
I also checked the permissions. The /opt/ssh/etc dir was set to 775 on server2.