ssh problems with HostbasedAuthentication

 
Jdamian
Respected Contributor

I'm trying to configure sshd to allow secure connections with no prompting for password using .shosts file.

sshd_config contains:

Protocol 2
IgnoreRhosts no
HostbasedAuthentication yes
X11Forwarding yes
X11UseLocalhost no
Subsystem sftp /opt/ssh/libexec/sftp-server

.shosts file contains:

mysys user

/etc/hosts file contains:

10.10.10.10 mysys

Then I run:

ssh -o HostbasedAuthentication=yes user@mysys

and it logs in fine.

Now the superuser adds another IP (20.20.20.20) to the system on another LAN connector and updates /etc/hosts:

10.10.10.10 mysys
20.20.20.20 mysys2

but if I run

ssh -o HostbasedAuthentication=yes user@mysys2

a password is always required to log in.

Why?
Can anyone help me?

Thanks a lot.
Jdamian
Respected Contributor

Re: ssh problems with HostbasedAuthentication

I forgot to say that I also updated .shosts files:

mysys user
mysys2 user
Christian Gebhardt
Honored Contributor

Re: ssh problems with HostbasedAuthentication

Hi

If you are using OpenSSH, the shosts/rhosts authentication will only work with protocol version 1; you have set
Protocol 2
look at "man ssh" for more information.

Chris
Ralph Grothe
Honored Contributor

Re: ssh problems with HostbasedAuthentication

Were you careful with the permission bits for .shosts?
ssh is (for good reason) very picky that the file owner is the account that wants to log in without a password, and that .shosts is only readable to them.
Otherwise ssh will ignore the file altogether.

Have you tried the -v switch to make ssh a bit more verbose?
In most cases it will give you clues why it failed.

Is the hostkey in $HOME/.ssh/known_hosts still valid?
Madness, thy name is system administration
Chris Wong
Trusted Contributor

Re: ssh problems with HostbasedAuthentication

Using .shosts with SSH provides an encrypted connection, but using .shosts has some of the same security ramifications as using .rhosts and isn't recommended unless you really, really need it. If you have an all HP-UX environment, you can use the SSH agent (See http://newfdawg.com/SHP-SSHpart2.htm) and will only need to enter the passphrase once.

- Chris
Jdamian
Respected Contributor

Re: ssh problems with HostbasedAuthentication

Thanks for everything.

Now my system accepts ssh-login without password from itself.

The problem now is that hostA accepts ssh login without a password from hostB but not from hostC... and I cannot find out why.

I added -vvv option in command line for debugging...

ssh -vvv -o HostbasedAuthentication=yes user@hostC

The following lines are an extract from the debug info:

debug1: authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug3: start over, passed a different list publickey,password,keyboard-interactive,hostbased
debug3: preferred hostbased,publickey,keyboard-interactive,password
debug3: authmethod_lookup hostbased
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled hostbased
debug1: next auth method to try is hostbased
debug2: userauth_hostbased: chost hostC.
debug2: we sent a hostbased packet, wait for reply
debug1: Remote: Accepted by .shosts.
debug1: authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug2: userauth_hostbased: chost hostC.
debug2: we sent a hostbased packet, wait for reply
debug1: Remote: Accepted by .shosts.
debug1: authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug1: userauth_hostbased: no more client hostkeys
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: next auth method to try is publickey
debug1: try privkey: /.ssh/id_rsa
debug3: no such identity: /.ssh/id_rsa
debug1: try privkey: /.ssh/id_dsa
debug3: no such identity: /.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password

Compare with the messages reported by command:

ssh -vvv -o HostbasedAuthentication=yes user@hostA


debug1: authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug3: start over, passed a different list publickey,password,keyboard-interactive,hostbased
debug3: preferred hostbased,publickey,keyboard-interactive,password
debug3: authmethod_lookup hostbased
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled hostbased
debug1: next auth method to try is hostbased
debug2: userauth_hostbased: chost in_bckup.
debug2: we sent a hostbased packet, wait for reply
debug1: Remote: Accepted by .shosts.
debug1: authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug2: userauth_hostbased: chost in_bckup.
debug2: we sent a hostbased packet, wait for reply
debug1: Remote: Accepted by .shosts.
debug1: ssh-userauth2 successful: method hostbased
debug3: clear hostkey 0
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug1: send channel open 0
debug1: Entering interactive session.



Can anyone help me ?
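
Added example, not part of any post in this thread: a shell function that triages `ssh -v` client output like the two traces above and reports how far the hostbased attempt got. The verdict names are made up for this example, the sample lines are abridged from the posted traces, and reading "Accepted by .shosts" followed by failure as a later server-side check failing (such as the lookup of the client host key in the server's known-hosts files) is an assumption about sshd's processing order.

```shell
#!/bin/sh
# Added example: classify a hostbased attempt from `ssh -v` client debug output.
# Reads debug lines on stdin and prints one verdict line with counters.
triage_hostbased() {
    awk '
        /userauth_hostbased: chost/                   { attempts++ }   # one per client host key tried
        /Remote: Accepted by /                        { accepted++ }   # server trust file matched
        /ssh-userauth2 successful: method hostbased/  { ok = 1 }       # wording in the traces above
        /Authentication succeeded \(hostbased\)/      { ok = 1 }       # wording used by newer clients
        /userauth_hostbased: no more client hostkeys/ { exhausted = 1 }
        END {
            if (ok)             v = "hostbased-ok"
            else if (!attempts) v = "hostbased-not-tried"
            # Trust file matched but login still refused: assumed to mean a later
            # check failed, e.g. client host key not known to the server.
            else if (accepted)  v = "trust-file-ok-later-check-failed"
            # No acceptance message seen: .shosts entry, owner or modes are suspect.
            else                v = "trust-file-not-accepted"
            printf "%s attempts=%d accepted=%d exhausted=%d\n", v, attempts, accepted, exhausted
        }'
}

# Constructed samples, abridged from the failing and the working trace.
FAILED_SAMPLE='debug1: next auth method to try is hostbased
debug2: userauth_hostbased: chost hostC.
debug2: we sent a hostbased packet, wait for reply
debug1: Remote: Accepted by .shosts.
debug2: userauth_hostbased: chost hostC.
debug2: we sent a hostbased packet, wait for reply
debug1: Remote: Accepted by .shosts.
debug1: userauth_hostbased: no more client hostkeys
debug1: next auth method to try is publickey'

OK_SAMPLE='debug1: next auth method to try is hostbased
debug2: userauth_hostbased: chost in_bckup.
debug1: Remote: Accepted by .shosts.
debug2: userauth_hostbased: chost in_bckup.
debug1: Remote: Accepted by .shosts.
debug1: ssh-userauth2 successful: method hostbased'

printf '%s\n' "$FAILED_SAMPLE" | triage_hostbased
printf '%s\n' "$OK_SAMPLE" | triage_hostbased
```

To use it on a live attempt, pipe the client's debug stream in: `ssh -vvv -o HostbasedAuthentication=yes user@host 2>&1 | triage_hostbased`.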
Steven E. Protter
Exalted Contributor
Solution

Re: ssh problems with HostbasedAuthentication

Here is a cookbook that should work. It tells how to generate and distribute public keys.

It worked for me.

P
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Jdamian
Respected Contributor

Re: ssh problems with HostbasedAuthentication

Thank you Steven.

Your doc helped me to solve my problems with SSH.