Operating System - OpenVMS
1783199 Members
1668 Online
109144 Solutions
New Discussion юеВ

SSH Hostbased encryption

 
Andreas Aahman
Occasional Advisor

SSH Hostbased encryption

Hi,

I've set up host based encryption between two nodes that allows me to connect without submitting a password if I'm logged in as the userI want to connect as on the other machine.

I.e If I log in as SYSTEM on machine A I can SSH machine B without entering a password.

But if I log in on machine A as SYSUSER and try to connect to machine b witj SSH SYSTEM@machineb it asks me for a password.
The SSH logs tells me this.

Fri 09 12:38:07 WARNING: hostbased-authentication (rhosts) refused: client user
'sysuser', server user 'system', client host 'xxxx'

Any ideas on how to get it to work without having to login as system?
22 REPLIES 22
Kumar_Sanjay
Regular Advisor

Re: SSH Hostbased encryption

Would please send the Debug output here.
looks like some privilege issue somewhere.

Cheers..
Andreas Aahman
Occasional Advisor

Re: SSH Hostbased encryption

Here's the output. Let me know if more information is needed.

SUPERNOVA> ssh -v system@XXXXXX
debug: Ssh2/SSH2.C:1448: CRTL version (SYS$SHARE:DECC$SHR.EXE ident) is V7.3-2-1
debug: hostname is 'XXXXXX'.
debug: Unable to open ssh2/ssh2_config
debug: connecting to XXXXXX, port 22...
debug: entering event loop
debug: ssh_client_wrap: creating transport protocol
debug: SshAuthMethodClient/SSHAUTHMETHODC.C:145: Added "hostbased" to usable me.
debug: SshAuthMethodClient/SSHAUTHMETHODC.C:145: Added "publickey" to usable me.
debug: SshAuthMethodClient/SSHAUTHMETHODC.C:145: Added "password" to usable met.
debug: Ssh2Client/SSHCLIENT.C:1356: creating userauth protocol
debug: Ssh2Common/SSHCOMMON.C:517: local ip = 10.x.x.x, local port = 64459
debug: Ssh2Common/SSHCOMMON.C:519: remote ip = 10.x.x.x, remote port = 22
debug: SshConnection/SSHCONN.C:2092: Wrapping...
debug: Ssh2Transport/TRCOMMON.C:643: Remote version: SSH-2.0-3.2.0 SSH Secure S3
debug: Ssh2Transport/TRCOMMON.C:1167: c_to_s: cipher 3des-cbc, mac hmac-sha1, ce
debug: Ssh2Transport/TRCOMMON.C:1170: s_to_c: cipher 3des-cbc, mac hmac-sha1, ce
debug: Ssh2Client/SSHCLIENT.C:508: Host key found from database.
debug: Ssh2Common/SSHCOMMON.C:321: Received SSH_CROSS_STARTUP packet from conne.
debug: Ssh2Common/SSHCOMMON.C:371: Received SSH_CROSS_ALGORITHMS packet from co.
debug: SshUnixTcp/SSHUNIXTCP.C:1019: using local hostname orion.ikea.com
debug: Ssh2AuthHostBasedClient/AUTHC-HOSTBASED.C:803: Child: Execing ssh-signer)
debug: Ssh2AuthHostBasedClient/AUTHC-HOSTBASED.C:407: ssh-signer returned SSH_AE
debug: ssh_pipe_stream_destroy
debug: ssh_sigchld_real_callback
debug: ssh_sigchld_process_pid: no handler for pid 1585471 code 0
debug: Unable to open ssh2/identification
debug: Ssh2AuthClient/SSHAUTHC.C:347: Method 'publickey' disabled.
debug: Ssh2AuthPasswdClient/AUTHC-PASSWD.C:197: Starting password query...
system's password:





XXXXXX> ty SYS$SYSDEVICE:[TCPIP$SSH]TCPIP$SSH_RUN.LOG
$ Set NoOn
$ VERIFY = F$VERIFY(F$TRNLNM("SYLOGIN_VERIFY"))
Mon 12 07:53:31 INFORMATIONAL: Starting image in auxiliary server mode.
Mon 12 07:53:31 INFORMATIONAL: connection from "10.x.x.x"
Mon 12 07:53:31 WARNING: hostbased-authentication (rhosts) refused: client user
'sysuser', server user 'system', client host 'SUPERNOVA.xxx.xxx'.
XXXXXX>
marsh_1
Honored Contributor

Re: SSH Hostbased encryption

hi,

check that your setup agrees with the guidelines in the openvms ssh manual for v7.3-2 (page 27 for host based auth) here :-

http://h71000.www7.hp.com/doc/732final/aa-rvbua-te/aa-rvbua-te.pdf


Jim_McKinney
Honored Contributor

Re: SSH Hostbased encryption

> debug: Unable to open ssh2/identification

Are there IDENTIFICATION. and AUTHORIZATION. files present and containing pointers to the appropriate key files in the [.SSH2] directories on each node?

Steven Schweda
Honored Contributor

Re: SSH Hostbased encryption

> Are there IDENTIFICATION. and
> AUTHORIZATION. files [...]

Aren't those for publickey (not hostbased)?

(I use only publickey, so for hostbased
authentication I'd be forced to read the
docs.)
Andreas Aahman
Occasional Advisor

Re: SSH Hostbased encryption

Hi,

mark might have a point.
Never thought of checking that all components are fully complient which they're not.

One of the systems is 7.3-2 with an OLD tcpip version.
Will upgrade and return with information.
Andreas Aahman
Occasional Advisor

Re: SSH Hostbased encryption

Hi,

I've now upgraded the Client system to OpenVMS 8.3 and Tcpip 5.6 but I am still not able to used hostbased authentication when logged in as a different user.

ie.. I'm logged onto the client as sysuser and want to connect to the remote system as system.

attached is the verbose output from the client. In that attachment in the bottom is also the logfile from the server.
Wim Van den Wyngaert
Honored Contributor

Re: SSH Hostbased encryption

Don't have SSH of HP but is your client host known in DNS of the server ?
Try ucx sho ho x.x.x.x on the server.

Wim
Wim
marsh_1
Honored Contributor

Re: SSH Hostbased encryption

hi,

do you have the public key files 'fully-qualified-host-name'_ssh-dss.pub in place ?
Duncan Morris
Honored Contributor

Re: SSH Hostbased encryption

Andreas,

is there maybe an SHOSTS file on the server side?

On my test systems, I have set up hostbased authentication thus:

on the server (DEVT02)

DEVT02> ty sys$manager:shosts.
ISE216.CPWPLC.NET system
ISE216.CPWPLC.NET morrisd

DEVT02> ty sys$sysdevice:[tcpip$ssh.ssh2]shosts.equiv
ISE216.CPWPLC.NET

DEVT02> dir/sec sys$sysdevice:[tcpip$ssh.ssh2.knownhosts]

Directory SYS$SYSDEVICE:[TCPIP$SSH.SSH2.KNOWNHOSTS]

ISE216_CPWPLC_NET_SSH-DSS.PUB;1
[TCPIP$AUX,TCPIP$SSH] (RWED,RWED,RE,RE)

Within sshd2_config:

IgnoreRhosts no


This combination allows me log into SYSTEM on the server, from either SYSTEM or MORRISD on the client.


Duncan
Steven Schweda
Honored Contributor

Re: SSH Hostbased encryption

I'm with them. In my SSH2_CONFIG file, I
already had:

[...]
AllowedAuthentications hostbased, publickey, password
[...]
IgnoreRhosts no
[...]

I created
SYS$SYSDEVICE:[TCPIP$SSH.SSH2]SHOSTS.EQUIV,
and put the wrong (simple, unqualified) name
("it") into it, and got so far as:

alp $ type ALP$DKA0:[TCPIP$SSH]TCPIP$SSH_RUN.LOG;-1
[...]
Tue 20 14:17:55 INFORMATIONAL: connection from "10.0.0.16"
Tue 20 14:17:56 WARNING: Error trying to access file /sys$sysroot/sysmgr/ssh2/kn
ownhosts/it_antinode_info_ssh-dss.pub.
[...]

On the client side, "ssh -v" mentioned:

debug: SshUnixTcp/SSHUNIXTCP.C:1390: using local hostname it.antinode.info

so I figured that I should change "it" to the
fully qualified "it.antinode.info" in the
SHOSTS.EQUIV file.

I had already copied IT's (the client's)
SYS$SYSDEVICE:[TCPIP$SSH.SSH2]hostkey.pub,
and put it into the server's
SYS$SYSDEVICE:[TCPIP$SSH.SSH2.KNOWNHOSTS]
directory, but apparently someone's fussy
about the name. After I renamed that file to
what seemed to be sought,
IT_ANTINODE_INFO_SSH-DSS.PUB, things worked.
The server log said:

[...]
Tue 20 14:19:11 WARNING: Error trying to access file /sys$sysroot/sysmgr/ssh2/kn
ownhosts/it_antinode_info_ssh-dss.pub.
Tue 20 14:19:11 NOTICE: Hostbased authentication for user system accepted.
[...]

Which was not entirely pleasing, but the
"accepted" part was.

If anyone thinks that this stuff is well
documented, he's kidding himself.

("IT" seemed, at the time, like a good name
for my first Itanium system, and I've always
wanted to use "it's" as a possessive, but I
can see how it (or "it") might get
confusing.)

For the record, on the client ("it"):

IT $ tcpip show version

HP TCP/IP Services for OpenVMS Industry Standard 64 Version V5.6 - ECO 2
on an HP zx2000 (1.50GHz/6.0MB) running OpenVMS V8.3-1H1

IT $ ssh "-V"
it$dka0:[sys0.syscommon.][sysexe]tcpip$ssh_ssh2.exe: SSH Secure Shell OpenVMS (V
5.5) 3.2.0 on HP zx2000 (1.50GHz/6.0MB) - VMS V8.3-1H1

and on the server ("alp"):

alp $ tcpip show version

HP TCP/IP Services for OpenVMS Alpha Version V5.4 - ECO 7
on a COMPAQ Professional Workstation XP1000 running OpenVMS V7.3-2

alp $ ssh "-V"
alp$dka0:[sys0.syscommon.][sysexe]tcpip$ssh_ssh2.exe: SSH Secure Shell OpenVMS (
V5.5) 3.2.0 on COMPAQ Professional Workstation - VMS V7.3-2
Andreas Aahman
Occasional Advisor

Re: SSH Hostbased encryption

It works if I add sysuser to sys$manager:shosts.

Which ofcourse is a solution and I guess there's no other way to solve it. It would be best if we could solve it without havind to specify the users in the shosts. file.

Is it at all possible to solve this without using shosts.?
Duncan Morris
Honored Contributor

Re: SSH Hostbased encryption

Andreas,

I suspect that this is simply how "hostbased" authentication was designed.

In general, I use publickey authentication internally, with a common public key for my personal account on several systems.

Duncan
marsh_1
Honored Contributor

Re: SSH Hostbased encryption

hi,

putting in a user name is optional for hostbased authentication as stated in the documentation, reread the manual and double check you are not getting confused about TCPIP$SSH_DEVICE:[TCPIP$SSH]SHOSTS.EQUIV and SYS$LOGIN:SHOSTS.

HTH

Andreas Aahman
Occasional Advisor

Re: SSH Hostbased encryption

I cannot find in the manual as why it should not work.

But it's good enough. We can easily add users to the shosts file.

Thanx everyone for the help.
Steven Schweda
Honored Contributor

Re: SSH Hostbased encryption

> [...] We can easily add users to the shosts
> file.

As I said/showed, you don't seem to need to
add _users_ to
"SYS$SYSDEVICE:[TCPIP$SSH.SSH2]SHOSTS.EQUIV".
Adding the (fully-qualified) client host name
was all I needed. I assume that you _can_
add user names, too, but I didn't try that.
(I figured that the whole point of using
"hostbased" was _not_ to worry about
individual users. But what do I know?)

> Jan 20, 2009 20:49:05 GMT 0 pts

> Thanx everyone for the help.

Make up your mind?
Andreas Aahman
Occasional Advisor

Re: SSH Hostbased encryption

Adding the users to "SYS$SYSDEVICE:[TCPIP$SSH.SSH2]SHOSTS.EQUIV".
did not solve it.
SSH still did not allow hostbased authentication.

However adding the users to sys$manager:shosts do solve my problem. It still does not take me all the way but it's a good enough solution.

br,
Andreas
marsh_1
Honored Contributor

Re: SSH Hostbased encryption

hi,

what do/did you have in the shosts.equiv file ?

from the manual :-

2. Edit the systemwide trusted hosts file, TCPIP$SSH_DEVICE:[TCPIP$SSH]SHOSTS.EQUIV, to add the fully
qualified name of every SSH client host that will communicate with the server. You can also enter a
specific user name to limit access to that user. For example:
MYHOST.MYLAB.COM
or
MYHOST.MYLAB.COM smith
If the IgnoreRhosts parameter is set to no as in step 1, you can also add the client host and optional user
names to the file SYS$LOGIN:SHOSTS. for a specific user.
If user names are used, those associated with OpenVMS client hosts must be in lowercase; those
associated wih UNIX client hosts must match the account name case as it exists on the UNIX host.


Andreas Aahman
Occasional Advisor

Re: SSH Hostbased encryption

The shosts.equiv file contains the host that will connect to the servers.

If I add a username to the shosts.equiv file I still am not allowed to login as system on the remote system, if I'm not logged in as system on the client.

IgnoreRhosts is set to no and if I enter usernames in SYS$LOGIN:SHOSTS.
Everything if fine and dandy.

So to sum it up. If I do not add users in the sys$login:shosts file I cannot log on as system if I'm not logged on as system on the client side aswell.
Steven Schweda
Honored Contributor

Re: SSH Hostbased encryption

> The shosts.equiv file contains [...]

Which do you think is more valuable, your
vague assertion, or actual output from an
actual command on the actual system? For
example:

ALP $ type SYS$SYSDEVICE:[TCPIP$SSH.SSH2]SHOSTS.EQUIV
it.antinode.info
Steven Schweda
Honored Contributor

Re: SSH Hostbased encryption

> Jan 20, 2009 20:49:05 GMT 0 pts
> Jan 30, 2009 11:02:08 GMT 0 pts
> Jan 30, 2009 12:49:48 GMT 0 pts

If you think that the answers are worthless,
try to imagine how much less the _questions_
are worth.
Andreas Aahman
Occasional Advisor

Re: SSH Hostbased encryption

add names to shys$manager:shosts.