openssh unix dev - Jul 2000 - AW: rhostsauthentication fails. (Or why I hate poorly documented software.)

> jeff at ntcor.com [SMTP:jeff at ntcor.com] wrote:
> 
> I have a ssh enabled server and client machine (we'll call them
"server"
> and "client" respectively...)
OK :-)
> They both have proper RSA and DSA keys,using protocol version 2 works
> fine between them. (so ssh itself and the network is working fine)
OK.
> However, I want to get something that will work with rsync without having
> to manually enter passwords, passphrases, or enter such information
hardcoded
> in scripts.
We are in a similar situation, executing remote commands
from a script.
> I figured I'ld first get rhosts authentication working and then move to
> rhosts/RSA authentication (if that doesn't require passphrase.)
May be it works, may be it doesn't.

What I have done to get it to work is:

	1. Create private keys on client (~/.ssh/identity und identity.pub)
	2. Put identity.pub on server in ~/.ssh/authorized_keys
	3. Added host/user on server in ~/.shosts

[...]
> Here's the sshd_config from the server...
Compared to the same part of the sshd_config on our
server:
>  Protocol 1
No such entry in my sshd_config on server, does it matter for this case
?
>  RSAAuthentication no
"yes" on our server
> PasswordAuthentication no
"yes" on our server
>  RhostsAuthentication yes
"no" on our server
>  IgnoreRhosts no
Same here, i.e. "no", just to read .shosts (comment in the sshd_config
example)
> I have "client" listed in the /etc/hosts.equiv file and...
> (for testing purposes.) "rlogin server" from the client works
fine,
> login is granted without a password. So I know rhosts authentication
> is configured correctly for at least rsh.
No entries in /etc/hosts.equiv (we really don't want rhosts
authentication).
With the above setup the command
	slogin server
works without asking any passwords or passphrases.
The same for "ssh" or "scp".
We don't have any .rhosts file either.

I think we'll set the "PasswordAuthentication no"
in our server sshd_config file, later.

HTH,

Norbert Bladt.

-- 
Norbert Bladt
ATAG debis Informatik, ISM-TZ1 / Z302
Industriestrasse 1, CH 3052-Zollikofen
E-Mail: norbert.bladt at adi.ch Tel.: +41 31 915 3964 Fax: +41 31 915 3640

> However here's what "ssh -v server" on the client gives me...
> 
>   SSH Version OpenSSH-2.1, protocol versions 1.5/2.0.
>   Compiled with SSL (0x0090581f).
>   debug: Reading configuration data /etc/ssh/ssh_config
>   debug: Applying options for *
>   debug: Seeding random number generator
>   debug: ssh_connect: getuid 500 geteuid 500 anon 1
>   debug: Connecting to server [servers ip] port 22.
>   debug: Connection established.
>   debug: Remote protocol version 1.5, remote software version
> OpenSSH_2.1.1
>   debug: Local version string SSH-1.5-OpenSSH-2.1
>   debug: Waiting for server public key.
>   debug: Received server public key (768 bits) and host key (1024 bits).
>   debug: Host 'server' is known and matches the RSA host key.
>   debug: Seeding random number generator
>   debug: Encryption type: 3des
>   debug: Sent encrypted session key.
>   debug: Installing crc compensation attack detector.
>   debug: Received encrypted confirmation.
>   ssh_userauth: server supports no auth methods
>   debug: Calling cleanup 0x8059c34(0x0)
> 
> Notice that the client thinks the server doesn't support any
> authentication
> methods.  Which should not be true because the last line of sshd_config
> specifically allows RhostsAuthentication and does not ignore the rhosts
> files.
> 
> Anybody have a clue what I've done wrong? For some reason it appears
that
> the sshd server ignores the "RhostsAuthentication yes" line and
doesn't
> add rhosts authentication to its list of authentication methods to
> support.
> 
> Which isn't what the sshd/ssh man pages document the behavior to be.
> 
> - Jeff