jeff at ntcor.com
2000-Jul-03 20:37 UTC
rhostsauthentication fails. (Or why I hate poorly documented software.)
I have a ssh enabled server and client machine (we'll call them "server" and "client" respectively...) They both have proper RSA and DSA keys, using protocol version 2 works fine between them. (so ssh itself and the network is working fine)

However, I want to get something that will work with rsync without having to manually enter passwords, passphrases, or enter such information hardcoded in scripts.

I figured I'd first get rhosts authentication working and then move to rhosts/RSA authentication (if that doesn't require passphrase.)

First things first... rhosts authentication...

Here's the sshd_config from the server...

    Protocol 1
    RSAAuthentication no
    PasswordAuthentication no
    RhostsAuthentication yes
    IgnoreRhosts no

I have "client" listed in the /etc/hosts.equiv file and... (for testing purposes.) "rlogin server" from the client works fine, login is granted without a password. So I know rhosts authentication is configured correctly for at least rsh.

However here's what "ssh -v server" on the client gives me...

    SSH Version OpenSSH-2.1, protocol versions 1.5/2.0.
    Compiled with SSL (0x0090581f).
    debug: Reading configuration data /etc/ssh/ssh_config
    debug: Applying options for *
    debug: Seeding random number generator
    debug: ssh_connect: getuid 500 geteuid 500 anon 1
    debug: Connecting to server [servers ip] port 22.
    debug: Connection established.
    debug: Remote protocol version 1.5, remote software version OpenSSH_2.1.1
    debug: Local version string SSH-1.5-OpenSSH-2.1
    debug: Waiting for server public key.
    debug: Received server public key (768 bits) and host key (1024 bits).
    debug: Host 'server' is known and matches the RSA host key.
    debug: Seeding random number generator
    debug: Encryption type: 3des
    debug: Sent encrypted session key.
    debug: Installing crc compensation attack detector.
    debug: Received encrypted confirmation.
    ssh_userauth: server supports no auth methods
    debug: Calling cleanup 0x8059c34(0x0)

Notice that the client thinks the server doesn't support any authentication methods. Which should not be true because the last line of sshd_config specifically allows RhostsAuthentication and does not ignore the rhosts files.

Anybody have a clue what I've done wrong? For some reason it appears that the sshd server ignores the "RhostsAuthentication yes" line and doesn't add rhosts authentication to its list of authentication methods to support. Which isn't what the sshd/ssh man pages document the behavior to be.

- Jeff
jeff at ntcor.com
2000-Jul-03 21:18 UTC
rhostsauthentication fails. (Or why I hate poorly documented software.)
Ok after a bit of work. I've done the following: created a new RSA key with blank passphrase. Copied the .pub RSA key to the $HOME/.ssh/authorized_keys file. Set RhostsRSAAuthentication and RSAAuthentication to yes on the server and client. And it works fine.

But this doesn't seem to provide RhostsRSAauthentication. It only provided RSAAuthentication. If I change RSAAuthentication to no (keeping RhostsRSAAuthentication as yes) on the server everything breaks again.

I guess I don't get this whole thing. I would think somebody besides me would need a secure method of remote login/shell capabilities without having to enter passwords all the time. Tons of people need daily rsync abilities.

However, if I use RSA Authentication with a blank passphrase then I wouldn't consider this any more secure than plain rhosts authentication because as soon as somebody steals my private key (which isn't really private because it's got a blank passphrase) then they have the same level of security as rhosts. And then why should I be using protocol 1 at all? Why not use DSAauthentication with a blank passphrase?

So then I guess my question is... Why have rhosts/RSA authentication implemented at all? It doesn't seem to work (because ssh doesn't seem to really support rhosts authentication) and furthermore DSAAuthentication is exactly the same as RhostsRSAAuth. if used with /etc/hosts.allow and /etc/hosts.deny. Even better because I can disable Protocol 1.

Any thoughts on the subject are appreciated. Maybe I'm missing something fundamental. Does anybody else have *just* rhosts authentication in OpenSSH working? Is it something that needs to be explicitly enabled/included during compile time?

- Jeff

John Hardin wrote:
>
> jeff at ntcor.com wrote:
> >
> > However, I want to get something that will work with rsync without having
> > to manually enter passwords, passphrases, or enter such information hardcoded
> > in scripts.
>
> Try an RSA authenticated connection, without a passphrase on the key...
> (explicitly set a blank passphrase)
>
> --
> John Hardin
> Internal Systems Administrator
> Apropos Retail Management Systems, Inc.
> <johnh at aproposretail.com>
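
Added example, not part of the original posts: a check for the concern raised above, that a passphrase-less key is only as safe as the file holding it. It lists authorized_keys entries that lack the OpenSSH `from=`, `command=` and forwarding restrictions; the sample file, host name and wrapper path are constructed assumptions.

```python
import re

KEY_PREFIXES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-")
# One option: name, optional ="quoted value" (may hold spaces/commas), optional comma.
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:[^"\\]|\\.)*)")?,?')
LOCKDOWN = ("no-pty", "no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding")

# Constructed sample: truncated keys, made-up host name and wrapper path.
SAMPLE = """\
# authorized_keys for the rsync account
ssh-rsa AAAAB3NzaC1yc2E= jeff@client
from="client.example.com",command="/usr/local/bin/rsync-only --read-only /srv/data",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAAB3NzaC1yc2E= rsync@client
from="client.example.com",no-pty ssh-dss AAAAB3NzaC1kc3M= backup@client
"""

def split_options(line):
    """Return (options, key part). A plain split() would break quoted values."""
    line = line.strip()
    # Lines that start with a key type (or protocol 1 key bits) carry no options.
    if line.startswith(KEY_PREFIXES) or line[0].isdigit():
        return {}, line
    opts, pos = {}, 0
    while pos < len(line) and line[pos] != " ":
        m = OPTION.match(line, pos)
        if m is None:
            raise ValueError("unparsable options: " + line[:40])
        opts[m.group(1).lower()] = True if m.group(2) is None else m.group(2)
        pos = m.end()
    return opts, line[pos:].strip()

def audit(text):
    """Return (line number, key comment, missing restrictions) per weak entry."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        opts, key = split_options(raw)
        missing = [o + "=" for o in ("from", "command") if o not in opts]
        if "restrict" not in opts:  # "restrict" implies all the no-* options
            missing += [o for o in LOCKDOWN if o not in opts]
        if missing:
            findings.append((lineno, key.split()[-1], missing))
    return findings

if __name__ == "__main__":
    for lineno, comment, missing in audit(SAMPLE):
        print(f"line {lineno} ({comment}): missing {', '.join(missing)}")
```
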