grantksupport at operamail.com
2015-Jan-09 16:05 UTC
OpenSSH_6.7p1 hostbased authentication failing on linux->linux connection. what's wrong with my config?
I run OpenSSH on linux

@ client

which ssh
/usr/local/bin/ssh

ssh -v
OpenSSH_6.7p1, OpenSSL 1.0.1j 15 Oct 2014

@ server

which sshd
/usr/local/bin/sshd

sshd -v
unknown option -- V
OpenSSH_6.7p1, OpenSSL 1.0.1j 15 Oct 2014
usage: sshd [-46DdeiqTt] [-b bits] [-C connection_spec] [-c host_cert_file]
            [-E log_file] [-f config_file] [-g login_grace_time]
            [-h host_key_file] [-k key_gen_time] [-o option] [-p port]

I have configured for hostbased authentication

client ssh_config

...
PreferredAuthentications hostbased,publickey
HostbasedAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
...

server sshd_config

...
AuthenticationMethods hostbased,publickey
HostbasedAuthentication yes
HostbasedUsesNameFromPacketOnly yes
PubkeyAuthentication yes
PasswordAuthentication no
...

on the server, because I'm not entirely sure where to put it yet

echo "client.DOMAIN.COM" > /etc/shosts.equiv
echo "client.DOMAIN.COM" > /usr/local/etc/shosts.equiv

when I try to connect

ssh -vvv server.DOMAIN.COM hostname

auth fails

...
Permission denied (hostbased).

debug logs return

client log

...
debug1: Authentications that can continue: hostbased
debug3: start over, passed a different list hostbased
debug3: preferred hostbased,publickey
debug3: authmethod_lookup hostbased
debug3: remaining preferred: publickey,password
debug3: authmethod_is_enabled hostbased
debug1: Next authentication method: hostbased
debug2: userauth_hostbased: chost client.DOMAIN.COM.
debug2: we sent a hostbased packet, wait for reply
debug1: Authentications that can continue: hostbased
debug2: userauth_hostbased: chost client.DOMAIN.COM.
debug2: we sent a hostbased packet, wait for reply
debug1: Authentications that can continue: hostbased
debug2: userauth_hostbased: chost client.DOMAIN.COM.
debug2: we sent a hostbased packet, wait for reply
debug1: Authentications that can continue: hostbased
debug2: userauth_hostbased: chost client.DOMAIN.COM.
debug2: we sent a hostbased packet, wait for reply
debug1: Authentications that can continue: hostbased
debug1: No more client hostkeys for hostbased authentication.
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (hostbased).

server log

...
Jan 9 07:37:31 server sshd[19835]: debug2: input_userauth_request: try method hostbased [preauth]
Jan 9 07:37:31 server sshd[19835]: debug1: userauth_hostbased: cuser root chost client.DOMAIN.COM. pkalg ssh-ed25519 slen 83 [preauth]
Jan 9 07:37:31 server sshd[19835]: debug3: mm_key_allowed entering [preauth]
Jan 9 07:37:31 server sshd[19835]: debug3: mm_request_send entering: type 22 [preauth]
Jan 9 07:37:31 server sshd[19835]: debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED [preauth]
Jan 9 07:37:31 server sshd[19835]: debug3: mm_request_receive_expect entering: type 23 [preauth]
Jan 9 07:37:31 server sshd[19835]: debug3: mm_request_receive entering [preauth]
Jan 9 07:37:31 server sshd[19835]: debug3: mm_request_receive entering
Jan 9 07:37:31 server sshd[19835]: debug3: monitor_read: checking request 22
Jan 9 07:37:31 server sshd[19835]: debug3: mm_answer_keyallowed entering
Jan 9 07:37:31 server sshd[19835]: debug3: mm_answer_keyallowed: key_from_blob: 0x7cd1262cbc76
Jan 9 07:37:31 server sshd[19835]: debug2: userauth_hostbased: chost client.DOMAIN.COM. resolvedname xxxx:xxx:xxxx:xxx::10 ipaddr xxxx:xxx:xxxx:xxx::10
Jan 9 07:37:31 server sshd[19835]: debug2: stripping trailing dot from chost client.DOMAIN.COM.
Jan 9 07:37:31 server sshd[19835]: debug2: auth_rhosts2: clientuser root hostname client.DOMAIN.COM ipaddr client.DOMAIN.COM
Jan 9 07:37:31 server sshd[19835]: debug1: temporarily_use_uid: 0/0 (e=0/0)
Jan 9 07:37:31 server sshd[19835]: debug1: restore_uid: 0/0
Jan 9 07:37:31 server sshd[19835]: debug1: temporarily_use_uid: 0/0 (e=0/0)
Jan 9 07:37:31 server sshd[19835]: debug1: restore_uid: 0/0
Jan 9 07:37:31 server sshd[19835]: Failed hostbased for root from xxxx:xxx:xxxx:xxx::10 port 40452 ssh2: ED25519 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx, client user "root", client host "client.DOMAIN.COM"
Jan 9 07:37:31 server sshd[19835]: debug3: mm_answer_keyallowed: key 0x7cd1262cbc76 is not allowed
Jan 9 07:37:31 server sshd[19835]: debug3: mm_request_send entering: type 23
Jan 9 07:37:31 server sshd[19835]: debug2: userauth_hostbased: authenticated 0 [preauth]
Jan 9 07:37:31 server sshd[19835]: debug3: userauth_finish: failure partial=0 next methods="hostbased" [preauth]
...

I see that

mm_answer_keyallowed: key 0x7cd1262cbc76 is not allowed

but am not clear what key that is. grep'ing for '7cd1262cbc76' turns up nothing.

What's wrong or missing in my config?
Tim Rice
2015-Jan-09 18:48 UTC
OpenSSH_6.7p1 hostbased authentication failing on linux->linux connection. what's wrong with my config?
On Fri, 9 Jan 2015, grantksupport at operamail.com wrote:

| OpenSSH_6.7p1, OpenSSL 1.0.1j 15 Oct 2014
| I have configured for hostbased authentication
|
| client ssh_config
| ...
| PreferredAuthentications hostbased,publickey
| HostbasedAuthentication yes
| PubkeyAuthentication yes
| PasswordAuthentication no
| ...
|
| server sshd_config
| ...
| AuthenticationMethods hostbased,publickey
| HostbasedAuthentication yes
| HostbasedUsesNameFromPacketOnly yes
| PubkeyAuthentication yes
| PasswordAuthentication no
| ...
|
| on the server, because I'm not entirely sure where to put it yet
|
| echo "client.DOMAIN.COM" > /etc/shosts.equiv
| echo "client.DOMAIN.COM" > /usr/local/etc/shosts.equiv
| What's wrong or missing in my config?

My ssh_config has

Host *
HostbasedAuthentication yes
EnableSSHKeysign yes
NoHostAuthenticationForLocalhost yes

NoHostAuthenticationForLocalhost is not necessary.
The one you are missing is EnableSSHKeysign.

Additionally, you made no mention of your ssh_known_hosts files. Make sure the client's public keys are in the server's ssh_known_hosts file.

-- 
Tim Rice Multitalents
tim at multitalents.net
Iain Morgan
2015-Jan-09 19:40 UTC
OpenSSH_6.7p1 hostbased authentication failing on linux->linux connection. what's wrong with my config?
To begin with, don't complicate the situation by requiring two forms of authentication before you've gotten a single form of authentication working. In addition, root is too much of a special case for useful debugging; try your tests as a regular user.

As Tim Rice noted, you will need to set EnableSSHKeysign in the system-wide client configuration for hostbased authentication to work for non-root users.

-- 
Iain Morgan
grantksupport at operamail.com
2015-Jan-09 20:07 UTC
OpenSSH_6.7p1 hostbased authentication failing on linux->linux connection. what's wrong with my config?
Hi,

On Fri, Jan 9, 2015, at 10:48 AM, Tim Rice wrote:
> My ssh_config has
> Host *
> HostbasedAuthentication yes
> EnableSSHKeysign yes
> NoHostAuthenticationForLocalhost yes
>
> NoHostAuthenticationForLocalhost is not necessary.
> The one you are missing is EnableSSHKeysign.
>
> Additionally, you made no mention of your ssh_known_hosts files. Make
> sure the client's public keys are in the server's ssh_known_hosts file.

On Fri, Jan 9, 2015, at 11:40 AM, Iain Morgan wrote:
> To begin with, don't complicate the situation by requiring two forms of
> authentication before you've gotten a single form of authentication
> working. In addition, root is too much of a special case for useful
> debugging; try your tests as a regular user.
>
> As Tim Rice noted, you will need to set EnableSSHKeysign in the
> system-wide client configuration for hostbased authentication to work
> for non-root users.

I edited configs to

client ssh_config

...
- PreferredAuthentications hostbased,publickey
+ PreferredAuthentications hostbased
HostbasedAuthentication yes
PubkeyAuthentication yes
+ PubkeyAuthentication no
PasswordAuthentication no
...
EnableSSHKeysign yes (note: this had already been 'in there' --- just further down in the config)
...

server sshd_config

...
- AuthenticationMethods hostbased,publickey
+ AuthenticationMethods hostbased
HostbasedAuthentication yes
- HostbasedUsesNameFromPacketOnly yes
+ #HostbasedUsesNameFromPacketOnly yes
- PubkeyAuthentication yes
+ PubkeyAuthentication no
PasswordAuthentication no
...

I already have the server's key in the known hosts file on the client.

@ client

cat ssh_config
...
GlobalKnownHostsFile /usr/local/etc/ssh/ssh_known_hosts
UserKnownHostsFile /usr/local/etc/ssh/ssh_known_hosts
...

ssh-keyscan -t ed25519 server.DOMAIN.COM >> /usr/local/etc/ssh/ssh_known_hosts

and @ server

ssh-keyscan -t ed25519 client.DOMAIN.COM >> /usr/local/etc/ssh/ssh_known_hosts

with all of the above, the hostbased auth connect still fails just as before,

ssh server.DOMAIN.COM
...
Permission denied (hostbased).
grantksupport at operamail.com
2015-Jan-09 21:00 UTC
OpenSSH_6.7p1 hostbased authentication failing on linux->linux connection. what's wrong with my config?
Hi

On Fri, Jan 9, 2015, at 12:34 PM, Mark Hahn wrote:
> >> The one you are missing is EnableSSHKeysign.
>
> I suppose it's worth asking: is your ssh-keysign suid root
> (and are the permissions on your host keys sufficiently tight)?

Note that everything works correctly with other auth methods: pubkey, password, ...
I suspect key perms issues would've come up there.

Here's also the ssh-keysign perms

client

ls -al /usr/local/libexec/ssh-keysign
-rwsr-xr-x+ 1 root root 459K Oct 11 06:51 /usr/local/libexec/ssh-keysign*

ls -al /usr/local/etc/ssh/ssh.client.ed25519*
-rw-------+ 1 root root 517 May 9 2014 /usr/local/etc/ssh/ssh.client.ed25519
-rw-r--r--+ 1 root root 107 May 9 2014 /usr/local/etc/ssh/ssh.client.ed25519.pub

server

ls -al /usr/local/libexec/ssh-keysign
-rwsr-xr-x+ 1 root root 455K Oct 11 06:51 /usr/local/libexec/ssh-keysign*

ls -al /usr/local/etc/ssh/ssh.server.ed25519*
-rw-------+ 1 root root 464 May 10 2014 /usr/local/etc/ssh/ssh.server.ed25519
-rw-r--r--+ 1 root root 107 May 10 2014 /usr/local/etc/ssh/ssh.server.ed25519.pub

> > ssh-keyscan -t ed25519 server.DOMAIN.COM >> /usr/local/etc/ssh/ssh_known_hosts
>
> fine, though it's worth verifying that these are the files being used
> by the (non-default, right) sshd and ssh (client) that you're using.

i have

@ server

which sshd
/usr/local/sbin/sshd

systemctl status sshd
sshd.service - OpenSSH Daemon
   Loaded: loaded (/etc/systemd/system/sshd.service; enabled)
   Active: active (running) since Fri 2015-01-09 12:57:12 PST; 2s ago
 Main PID: 21534 (sshd)
   CGroup: /system.slice/sshd.service
           ├─ 4662 sshd: root@pts/0
           ├─ 4664 -bash
           ├─21534 /usr/local/sbin/sshd -D -f /usr/local/etc/ssh/sshd_config
           └─21541 systemctl status sshd

ps ax | grep sshd_config
20989 ? Ss 0:00 /usr/local/sbin/sshd -D -f /usr/local/etc/ssh/sshd_config

and

@ client

which ssh
/usr/local/bin/ssh

ssh server.DOMAIN.COM -vvv
...
debug3: load_hostkeys: loading entries for host "server.DOMAIN.COM" from file "/usr/local/etc/ssh/ssh_known_hosts"
debug3: load_hostkeys: found key type ED25519 in file /usr/local/etc/ssh/ssh_known_hosts:2
debug3: load_hostkeys: loaded 1 keys
debug3: load_hostkeys: loading entries for host "server.DOMAIN.COM" from file "/usr/local/etc/ssh/ssh_known_hosts"
debug3: load_hostkeys: found key type ED25519 in file /usr/local/etc/ssh/ssh_known_hosts:2
debug3: load_hostkeys: loaded 1 keys
...

> > Permission denied (hostbased).
Iain Morgan
2015-Jan-09 22:26 UTC
OpenSSH_6.7p1 hostbased authentication failing on linux->linux connection. what's wrong with my config?
On Fri, Jan 09, 2015 at 13:00:10 -0800, grantksupport at operamail.com wrote:
> Hi
>
> On Fri, Jan 9, 2015, at 12:34 PM, Mark Hahn wrote:
> > >> The one you are missing is EnableSSHKeysign.
> >
> > I suppose it's worth asking: is your ssh-keysign suid root
> > (and are the permissions on your host keys sufficiently tight)?
>
> Note that everything works correctly with other auth methods: pubkey, password, ...
> I suspect key perms issues would've come up there.

Not so, only hostbased authentication uses the client's host keys, and it is likewise the only method that uses ssh-keysign. Further, ssh-keysign is only used for non-root users.

>
> Here's also the ssh-keysign perms
>
> client
>
> ls -al /usr/local/libexec/ssh-keysign
> -rwsr-xr-x+ 1 root root 459K Oct 11 06:51 /usr/local/libexec/ssh-keysign*
>
> ls -al /usr/local/etc/ssh/ssh.client.ed25519*
> -rw-------+ 1 root root 517 May 9 2014 /usr/local/etc/ssh/ssh.client.ed25519
> -rw-r--r--+ 1 root root 107 May 9 2014 /usr/local/etc/ssh/ssh.client.ed25519.pub
>

Err, those _should_ be ssh_host_ed25519 and ssh_host_ed25519.pub.

>
> server
>
> ls -al /usr/local/libexec/ssh-keysign
> -rwsr-xr-x+ 1 root root 455K Oct 11 06:51 /usr/local/libexec/ssh-keysign*
>
> ls -al /usr/local/etc/ssh/ssh.server.ed25519*
> -rw-------+ 1 root root 464 May 10 2014 /usr/local/etc/ssh/ssh.server.ed25519
> -rw-r--r--+ 1 root root 107 May 10 2014 /usr/local/etc/ssh/ssh.server.ed25519.pub
>

Renaming the keys in your output only serves to complicate matters for those who are taking time to try to help you. Further, ssh-keysign plays no role on the server and the server's keys are not a factor in the problem you are facing.

>
> > > ssh-keyscan -t ed25519 server.DOMAIN.COM >> /usr/local/etc/ssh/ssh_known_hosts
> >
> > fine, though it's worth verifying that these are the files being used
> > by the (non-default, right) sshd and ssh (client) that you're using.
>
> i have
>
> @ server
>
> which sshd
> /usr/local/sbin/sshd
>
> systemctl status sshd
> sshd.service - OpenSSH Daemon
>    Loaded: loaded (/etc/systemd/system/sshd.service; enabled)
>    Active: active (running) since Fri 2015-01-09 12:57:12 PST; 2s ago
>  Main PID: 21534 (sshd)
>    CGroup: /system.slice/sshd.service
>            ├─ 4662 sshd: root@pts/0
>            ├─ 4664 -bash
>            ├─21534 /usr/local/sbin/sshd -D -f /usr/local/etc/ssh/sshd_config
>            └─21541 systemctl status sshd
>
> ps ax | grep sshd_config
> 20989 ? Ss 0:00 /usr/local/sbin/sshd -D -f /usr/local/etc/ssh/sshd_config
>
> and
>
> @ client
>
> which ssh
> /usr/local/bin/ssh
>
> ssh server.DOMAIN.COM -vvv
> ...
> debug3: load_hostkeys: loading entries for host "server.DOMAIN.COM" from file "/usr/local/etc/ssh/ssh_known_hosts"
> debug3: load_hostkeys: found key type ED25519 in file /usr/local/etc/ssh/ssh_known_hosts:2
> debug3: load_hostkeys: loaded 1 keys
> debug3: load_hostkeys: loading entries for host "server.DOMAIN.COM" from file "/usr/local/etc/ssh/ssh_known_hosts"
> debug3: load_hostkeys: found key type ED25519 in file /usr/local/etc/ssh/ssh_known_hosts:2
> debug3: load_hostkeys: loaded 1 keys
> ...
>
> > > Permission denied (hostbased).
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

-- 
Iain Morgan