openssh unix dev - Jul 2000 - rhostsauthentication fails. (Or why I hate poorly documented software.)

I have a ssh enabled server and client machine (we'll call them
"server"
and "client" respectively...)

They both have proper RSA and DSA keys,using protocol version 2 works
fine between them. (so ssh itself and the network is working fine)

However, I want to get something that will work with rsync without having
to manually enter passwords, passphrases, or enter such information hardcoded
in scripts.

I figured I'ld first get rhosts authentication working and then move to
rhosts/RSA authentication (if that doesn't require passphrase.)

first things first... rhosts authentication...

Here's the sshd_config from the server...

  Protocol 1
  RSAAuthentication no
  PasswordAuthentication no
  RhostsAuthentication yes
  IgnoreRhosts no

I have "client" listed in the /etc/hosts.equiv file and...
(for testing purposes.) "rlogin server" from the client works fine,
login is granted without a password. So I know rhosts authentication
is configured correctly for at least rsh.

However here's what "ssh -v server" on the client gives me...

  SSH Version OpenSSH-2.1, protocol versions 1.5/2.0.
  Compiled with SSL (0x0090581f).
  debug: Reading configuration data /etc/ssh/ssh_config
  debug: Applying options for *
  debug: Seeding random number generator
  debug: ssh_connect: getuid 500 geteuid 500 anon 1
  debug: Connecting to server [servers ip] port 22.
  debug: Connection established.
  debug: Remote protocol version 1.5, remote software version OpenSSH_2.1.1
  debug: Local version string SSH-1.5-OpenSSH-2.1
  debug: Waiting for server public key.
  debug: Received server public key (768 bits) and host key (1024 bits).
  debug: Host 'server' is known and matches the RSA host key.
  debug: Seeding random number generator
  debug: Encryption type: 3des
  debug: Sent encrypted session key.
  debug: Installing crc compensation attack detector.
  debug: Received encrypted confirmation.
  ssh_userauth: server supports no auth methods
  debug: Calling cleanup 0x8059c34(0x0)

Notice that the client thinks the server doesn't support any authentication
methods.  Which should not be true because the last line of sshd_config
specifically allows RhostsAuthentication and does not ignore the rhosts
files.

Anybody have a clue what I've done wrong? For some reason it appears that
the sshd server ignores the "RhostsAuthentication yes" line and
doesn't
add rhosts authentication to its list of authentication methods to support.

Which isn't what the sshd/ssh man pages document the behavior to be.

- Jeff

Ok after a bit of work. I've done the following:

created a new RSA key with blank passphrase. copied the .pub RSA key
to the $HOME/.ssh/authorized_keys file.

Set RhostsRSAAuthentication and RSAAuthentication to yes on the server
and client.

and it works fine.

But this doesn't seem to provide RhostsRSAauthentication.

It only provided RSAAuthentication.

If I change RSAAuthentication to no (keeping RhostsRSAAuthentication as yes)
on the server everything breaks again.

I guess I don't get this whole thing.  I would think somebody besides me
would need a secure method of remote login/shell capabilities without
having to enter passwords all the time.  Tons of people need daily rsync
abilities.

However, If I use RSA Authentication with a blank passphrase then I
wouldn't consider this anymore secure than plain rhosts authentication
because as soon as somebody steals my private key (which isn't really
private because its got a blank passphrase) then they have the same
level of security as rhosts.

And then why should I be using protocol 1 at all? why not use DSAauthentication
with a blank passphrase?

So then I guess my question is...

Why have rhosts/RSA authentication implemented at all? it doesn't seem to
work (because ssh doesn't seem to really support rhosts authentication) and
furthermore DSAAuthentication is exactly the same as RhostsRSAAuth. if used
with /etc/hosts.allow and /etc/hosts.deny. Even better because I can disable
Protocol 1.

Any thoughts on the subject are appreciated. Maybe I'm missing something
fundamental.

Does anybody else *just* rhosts authentication in OpenSSH working? Is it
something that needs to be explicitly enabled/included during compile time?

- Jeff

John Hardin wrote:
> 
> jeff at ntcor.com wrote:
> >
> > However, I want to get something that will work with rsync without
having
> > to manually enter passwords, passphrases, or enter such information
hardcoded
> > in scripts.
> 
> Try an RSA authenticated connection, without a passphrase on the key...
> (explicitly set a blank passphrase)
> 
> --
>         John Hardin
>         Internal Systems Administrator
>         Apropos Retail Management Systems, Inc.
>         <johnh at aproposretail.com>