Iain Morgan
2015-Jan-09 22:26 UTC
OpenSSH_6.7p1 hostbased authentication failing on linux->linux connection. what's wrong with my config?
On Fri, Jan 09, 2015 at 13:00:10 -0800, grantksupport at operamail.com wrote:
> Hi
>
> On Fri, Jan 9, 2015, at 12:34 PM, Mark Hahn wrote:
>
> >> The one you are missing is EnableSSHKeysign.
> >
> > I suppose it's worth asking: is your ssh-keysign suid root
> > (and are the permissions on your host keys sufficiently tight)?
>
> Note that everything works correctly with other auth methods: pubkey, password, ...
> I suspect key perms issues would've come up there.

Not so, only hostbased authentication uses the client's host keys, and it is likewise the only method that uses ssh-keysign. Further, ssh-keysign is only used for non-root users.

> Here's also the ssh-keysign perms
>
> client
>
> ls -al /usr/local/libexec/ssh-keysign
> -rwsr-xr-x+ 1 root root 459K Oct 11 06:51 /usr/local/libexec/ssh-keysign*
>
> ls -al /usr/local/etc/ssh/ssh.client.ed25519*
> -rw-------+ 1 root root 517 May 9 2014 /usr/local/etc/ssh/ssh.client.ed25519
> -rw-r--r--+ 1 root root 107 May 9 2014 /usr/local/etc/ssh/ssh.client.ed25519.pub
>

Err, those _should_ be ssh_host_ed25519 and ssh_host_ed25519.pub.

>
> server
>
> ls -al /usr/local/libexec/ssh-keysign
> -rwsr-xr-x+ 1 root root 455K Oct 11 06:51 /usr/local/libexec/ssh-keysign*
>
> ls -al /usr/local/etc/ssh/ssh.server.ed25519*
> -rw-------+ 1 root root 464 May 10 2014 /usr/local/etc/ssh/ssh.server.ed25519
> -rw-r--r--+ 1 root root 107 May 10 2014 /usr/local/etc/ssh/ssh.server.ed25519.pub
>

Renaming the keys in your output only serves to complicate matters for those who are taking time to try to help you. Further, ssh-keysign plays no role on the server and the server's keys are not a factor in the problem you are facing.

>
> > > ssh-keyscan -t ed25519 server.DOMAIN.COM >> /usr/local/etc/ssh/ssh_known_hosts
>
> > fine, though it's worth verifying that these are the files being used
> > by the (non-default, right) sshd and ssh (client) that you're using.
>
> i have
>
> @ server
>
> which sshd
> /usr/local/sbin/sshd
>
> systemctl status sshd
> sshd.service - OpenSSH Daemon
> Loaded: loaded (/etc/systemd/system/sshd.service; enabled)
> Active: active (running) since Fri 2015-01-09 12:57:12 PST; 2s ago
> Main PID: 21534 (sshd)
> CGroup: /system.slice/sshd.service
> ├─ 4662 sshd: root at pts/0
> ├─ 4664 -bash
> ├─21534 /usr/local/sbin/sshd -D -f /usr/local/etc/ssh/sshd_config
> └─21541 systemctl status sshd
>
> ps ax | grep sshd_config
> 20989 ? Ss 0:00 /usr/local/sbin/sshd -D -f /usr/local/etc/ssh/sshd_config
>
> and
>
> @ client
>
> which ssh
> /usr/local/bin/ssh
>
> ssh server.DOMAIN.COM -vvv
> ...
> debug3: load_hostkeys: loading entries for host "server.DOMAIN.COM" from file "/usr/local/etc/ssh/ssh_known_hosts"
> debug3: load_hostkeys: found key type ED25519 in file /usr/local/etc/ssh/ssh_known_hosts:2
> debug3: load_hostkeys: loaded 1 keys
> debug3: load_hostkeys: loading entries for host "server.DOMAIN.COM" from file "/usr/local/etc/ssh/ssh_known_hosts"
> debug3: load_hostkeys: found key type ED25519 in file /usr/local/etc/ssh/ssh_known_hosts:2
> debug3: load_hostkeys: loaded 1 keys
> ...
>
> > > Permission denied (hostbased).
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

-- 
Iain Morgan
grantksupport at operamail.com
2015-Jan-09 22:42 UTC
OpenSSH_6.7p1 hostbased authentication failing on linux->linux connection. what's wrong with my config?
On Fri, Jan 9, 2015, at 02:26 PM, Iain Morgan wrote:
> > server
> >
> > ls -al /usr/local/libexec/ssh-keysign
> > -rwsr-xr-x+ 1 root root 455K Oct 11 06:51 /usr/local/libexec/ssh-keysign*
> >
> > ls -al /usr/local/etc/ssh/ssh.server.ed25519*
> > -rw-------+ 1 root root 464 May 10 2014 /usr/local/etc/ssh/ssh.server.ed25519
> > -rw-r--r--+ 1 root root 107 May 10 2014 /usr/local/etc/ssh/ssh.server.ed25519.pub
> >
>
> Renaming the keys in your output only serves to complicate matters for
> those who are taking time to try to help you.

How so? What's being complicated? I haven't renamed anything "in my output".

Those are the actual keynames, and locations, that I've been using for years, renewed, as you can see by the date, just last May.
Iain Morgan
2015-Jan-09 23:13 UTC
OpenSSH_6.7p1 hostbased authentication failing on linux->linux connection. what's wrong with my config?
On Fri, Jan 09, 2015 at 14:42:59 -0800, grantksupport at operamail.com wrote:
>
>
> On Fri, Jan 9, 2015, at 02:26 PM, Iain Morgan wrote:
> > > server
> > >
> > > ls -al /usr/local/libexec/ssh-keysign
> > > -rwsr-xr-x+ 1 root root 455K Oct 11 06:51 /usr/local/libexec/ssh-keysign*
> > >
> > > ls -al /usr/local/etc/ssh/ssh.server.ed25519*
> > > -rw-------+ 1 root root 464 May 10 2014 /usr/local/etc/ssh/ssh.server.ed25519
> > > -rw-r--r--+ 1 root root 107 May 10 2014 /usr/local/etc/ssh/ssh.server.ed25519.pub
> > >
> >
> > Renaming the keys in your output only serves to complicate matters for
> > those who are taking time to try to help you.
>
> How so? What's being complicated? I haven't renamed anything "in my output".
>
> Those are the actual keynames, and locations, that I've been using for years, renewed, as you can see by the date, just last May.

So, how many barrels do you have in that shotgun pointed at your foot? It looks like you need to read the manual files. While the server permits you to specify the names and locations of the host keys, the client does NOT. The locations are hard-coded into ssh and ssh-keysign at build time; using IdentityFile does not alter this. As noted before, only hostbased authentication uses the client's host keys, so renaming the keys would not have impacted other authentication methods.

-- 
Iain Morgan
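The three client-side conditions raised across this thread (a setuid-root ssh-keysign, EnableSSHKeysign and HostbasedAuthentication set in ssh_config, and client host keys stored under the names compiled into ssh and ssh-keysign rather than arbitrary ones such as ssh.client.ed25519) can be checked in one pass before reaching for ssh -vvv. The script below is an added example written for this page, not code from OpenSSH or from anyone in the thread; the script name check_hostbased_client.sh, the function name, and the default /usr/local paths (taken from the thread) are assumptions, and the mode test uses ls rather than stat so it runs unchanged on Linux and BSD.

```shell
#!/bin/sh
# check_hostbased_client.sh (hypothetical name, added example): verify the
# client-side prerequisites for OpenSSH hostbased authentication.
# Usage: check_hostbased_client [ssh_sysconfdir] [path-to-ssh-keysign]
# Defaults match the thread's /usr/local install prefix.

check_hostbased_client() {
    etc="${1:-/usr/local/etc/ssh}"
    keysign="${2:-/usr/local/libexec/ssh-keysign}"
    rc=0

    # 1. ssh-keysign must be setuid: it signs with the private host key on
    #    behalf of non-root users (root does not use it at all).
    if [ -u "$keysign" ]; then
        echo "ok:   $keysign is setuid"
    else
        echo "FAIL: $keysign missing or not setuid"
        rc=1
    fi

    # 2. ssh_config must enable both options (EnableSSHKeysign defaults to no).
    cfg="$etc/ssh_config"
    for opt in HostbasedAuthentication EnableSSHKeysign; do
        if grep -Eiq "^[[:space:]]*$opt[[:space:]]+yes" "$cfg" 2>/dev/null; then
            echo "ok:   $opt yes in $cfg"
        else
            echo "FAIL: $opt yes not found in $cfg"
            rc=1
        fi
    done

    # 3. The client looks for its host keys only under the names compiled into
    #    ssh and ssh-keysign; IdentityFile does not change that, so a key saved
    #    as ssh.client.ed25519 is never consulted for hostbased auth.
    found=0
    for type in rsa ecdsa ed25519 dsa; do
        key="$etc/ssh_host_${type}_key"
        [ -f "$key" ] || continue
        found=1
        # Columns 2-10 of ls -ld are the nine permission bits; a trailing
        # '+' or '@' for ACLs/xattrs (as in the thread's listings) is ignored.
        mode=$(ls -ld "$key" | cut -c2-10)
        case "$mode" in
            ???------) echo "ok:   $key ($mode)" ;;
            *)         echo "FAIL: $key is group/world accessible ($mode)"; rc=1 ;;
        esac
        if [ ! -f "$key.pub" ]; then
            echo "FAIL: $key.pub missing"
            rc=1
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "FAIL: no ssh_host_*_key in $etc (client host keys must use the compiled-in names)"
        rc=1
    fi
    return "$rc"
}

# Run the check when executed as a script; sourcing the file only defines
# the function so it can be reused from other scripts.
case "$0" in
    *check_hostbased_client*) check_hostbased_client "$@" ;;
esac
```

Run it on the client as root so the private key modes can be read, and compare the compiled-in sysconfdir (ssh -V together with the build's --sysconfdir) with the directory passed in: a mismatch there produces the same "Permission denied (hostbased)" as a misnamed key, because ssh-keysign silently finds no key to sign with.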