Dear All,

I am trying to use the host certificate to do hostbased authentication with the steps in regress/cert-hostkey.sh, but it seems that it cannot log in with the host certificate.

Here is the debug message from the ssh client:

ssh -2 -oUserKnownHostsFile=/opt/ssh/etc/known_hosts-cert \
> -oGlobalKnownHostsFile=/opt/ssh/etc/known_hosts-cert sshia3 -p 1111 -vvv
debug1: checking without port identifier
debug3: check_host_in_hostfile: host sshia3 filename /opt/ssh/etc/known_hosts-cert
debug3: check_host_in_hostfile: host sshia3 filename /opt/ssh/etc/known_hosts-cert
debug3: check_host_in_hostfile: CA match line 1
debug1: Host 'sshia3' is known and matches the RSA-CERT host certificate.
debug1: Found certificate in /opt/ssh/etc/known_hosts-cert:1
debug1: found matching key w/out port
debug2: bits set: 503/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /.ssh/id_rsa (40057810)
debug2: key: /.ssh/id_dsa (0)
debug3: input_userauth_banner
debug1: Authentications that can continue: password,keyboard-interactive,hostbased
debug3: start over, passed a different list password,keyboard-interactive,hostbased
debug3: preferred hostbased,publickey,keyboard-interactive,password
debug3: authmethod_lookup hostbased
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled hostbased
debug1: Next authentication method: hostbased
debug2: userauth_hostbased: chost sshia3
debug2: we sent a hostbased packet, wait for reply
debug1: Authentications that can continue: password,keyboard-interactive,hostbased
debug2: userauth_hostbased: chost sshia3
debug2: we sent a hostbased packet, wait for reply
debug1: Authentications that can continue: password,keyboard-interactive,hostbased
debug1: No more client hostkeys for hostbased authentication.
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:

And here is the debug message of the ssh server:

...................
debug2: check_key_in_hostfiles: key not found for sshia3
Failed hostbased for root from fe80::217:8ff:fe7c:d9f4 port 57500 ssh2
debug1: Entering record_failed_login uid 0
debug1: audit event euid 0 user root event 7 (AUTH_FAIL_HOSTBASED)
...........................

So does anyone have some idea about this? Please cc me.

Thanks!

Best regards,
Kevin
On Wed, May 26, 2010 at 04:42:04 -0500, kai_yang2008 wrote:
> Dear All,
>
> I am trying to use the hostcertificate to do the hostbaed authentication with the steps in the regress/cert-hostkey.sh
> But it seems that it can not login with the hostcertificate.:

Right. As has been previously noted on this list, hostbased authentication does not currently take advantage of host certificates. They are only used by the client to validate the server.

I've been working on a patch that would add certificate support for hostbased authentication and hope to submit it fairly soon. Thus far, it looks like fairly minimal changes would be needed to support it. In fact, it looks like no changes need to be made to the server. But I may have overlooked something and haven't tested the code yet.

The one awkward thing that I have been wrestling with is the number of hostbased authentication attempts that a client might try. Currently, if a server offers hostbased authentication but does not trust the client system, the client will try hostbased authentication twice. If certificate support is added and the client has both an RSA and DSA cert, it could try as many as four times.

It seems that some strategy is needed to either limit the number of hostbased authentication attempts or to customize the order in which keys and certs will be tried.

--
Iain Morgan
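The two observations in this thread (the client verifies the server's host certificate and then sends exactly two hostbased packets, one per client host key, while sshd logs "key not found" and "Failed hostbased") can be pulled out of the debug output mechanically. The following triage script is an added example written for this page, not code from OpenSSH or from either poster; the sample log lines are constructed from the excerpts quoted above, and the function names and the dictionary layout are my own choices.

```python
import re
from collections import Counter

# Constructed sample: client "ssh -vvv" lines excerpted from the thread above.
CLIENT_DEBUG = """\
debug1: Host 'sshia3' is known and matches the RSA-CERT host certificate.
debug1: Authentications that can continue: password,keyboard-interactive,hostbased
debug3: preferred hostbased,publickey,keyboard-interactive,password
debug1: Next authentication method: hostbased
debug2: userauth_hostbased: chost sshia3
debug2: we sent a hostbased packet, wait for reply
debug1: Authentications that can continue: password,keyboard-interactive,hostbased
debug2: userauth_hostbased: chost sshia3
debug2: we sent a hostbased packet, wait for reply
debug1: Authentications that can continue: password,keyboard-interactive,hostbased
debug1: No more client hostkeys for hostbased authentication.
debug2: we did not send a packet, disable method
debug1: Next authentication method: keyboard-interactive
debug2: we sent a keyboard-interactive packet, wait for reply
"""

# Constructed sample: sshd debug lines excerpted from the thread above.
SERVER_DEBUG = """\
debug2: check_key_in_hostfiles: key not found for sshia3
Failed hostbased for root from fe80::217:8ff:fe7c:d9f4 port 57500 ssh2
debug1: audit event euid 0 user root event 7 (AUTH_FAIL_HOSTBASED)
"""

FAILED_RE = re.compile(r"^Failed (\S+) for (\S+) from (\S+) port (\d+)")
NOT_FOUND_RE = re.compile(r"check_key_in_hostfiles: key not found for (\S+)")
SENT_RE = re.compile(r"we sent a (\S+) packet")
CHOST_RE = re.compile(r"userauth_hostbased: chost (\S+)")


def summarize_client(text):
    """Count userauth packets per method and note whether hostbased ran dry.

    Each 'we sent a hostbased packet' line is one client host key being
    offered; the client tries each of its host keys once, which is why the
    thread's log shows exactly two attempts before giving up.
    """
    attempts = Counter()
    chosts = set()
    exhausted = False
    host_cert_verified = False
    for line in text.splitlines():
        if "matches the" in line and "host certificate" in line:
            host_cert_verified = True      # server's cert checked by client
        m = SENT_RE.search(line)
        if m:
            attempts[m.group(1)] += 1
        m = CHOST_RE.search(line)
        if m:
            chosts.add(m.group(1))
        if "No more client hostkeys for hostbased" in line:
            exhausted = True
    return {
        "host_cert_verified": host_cert_verified,
        "attempts": dict(attempts),
        "chosts": sorted(chosts),
        "hostbased_exhausted": exhausted,
    }


def summarize_server(text):
    """Extract rejected logins and the client hosts sshd could not find."""
    failures = []
    missing = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            failures.append({"method": m.group(1), "user": m.group(2),
                             "src": m.group(3), "port": int(m.group(4))})
        m = NOT_FOUND_RE.search(line)
        if m:
            missing.append(m.group(1))
    return {"failures": failures, "hosts_not_in_known_hosts": missing}


def diagnose(client_text, server_text):
    """Combine both sides into short findings a practitioner can act on."""
    c = summarize_client(client_text)
    s = summarize_server(server_text)
    notes = []
    if c["host_cert_verified"]:
        notes.append("client verified the server's host certificate; that is the "
                     "only thing host certificates are used for here")
    hostbased = c["attempts"].get("hostbased", 0)
    if hostbased and s["hosts_not_in_known_hosts"]:
        notes.append(f"server rejected {hostbased} hostbased attempt(s): the client "
                     f"host key for {', '.join(s['hosts_not_in_known_hosts'])} "
                     "is not in the server's known-hosts files")
    return notes


if __name__ == "__main__":
    for note in diagnose(CLIENT_DEBUG, SERVER_DEBUG):
        print("-", note)
```

Run it against a real pair of captures (client `ssh -vvv` output and `sshd -d` output) to see at a glance whether the failure is the client running out of host keys or the server never having the client's plain host key on file; a certificate in the client's known_hosts does not help with the latter.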
Hi Morgan,

Oh, thank you for your explanation. As for the number of times the client tries host-based authentication with certificate support, you may follow the principle of the certificate for the user.

Best regards,
Kevin

On 2010-05-27 00:20:44, "Iain Morgan" <imorgan at nas.nasa.gov> wrote:
>On Wed, May 26, 2010 at 04:42:04 -0500, kai_yang2008 wrote:
>> Dear All,
>>
>> I am trying to use the hostcertificate to do the hostbaed authentication with the steps in the regress/cert-hostkey.sh
>> But it seems that it can not login with the hostcertificate.:
>
>Right. As has been previously noted on this list, hostbased
>authentication does not currently take advantage of host certificates.
>They are only used by the client to validate the server.
>
>I've been working on a patch that would add certificate support for
>hostbased authentication and hope to submit it fairly soon. Thus far, it
>looks like fairly minimal changes would be needed to support it. In
>fact, it looks like no changes need to be made to the server. But I may
>have overlooked something and haven't tested the code yet.
>
>The one awkward thing that I have been wrestling with is the number of
>hostbased authentication attempts that a client might try. Currently, if
>a server offers hostbased authentication but does not trust the client
>system, the client will try hostbased authentication twice. If
>certificate support is added and the client has both an RSA and DSA
>cert, it could try as many as four times.
>
>It seems that some strategy is needed to either limit the number of
>hostbased authentication attempts or to customize the order in which
>keys and certs will be tried.
>
>--
>Iain Morgan