Iain Morgan
2015-Jan-09 21:40 UTC
OpenSSH_6.7p1 hostbased authentication failing on linux->linux connection. what's wrong with my config?
On Fri, Jan 09, 2015 at 12:22:00 -0800, grantksupport at operamail.com wrote:
> @client
>
> as root (as before)
>
> ssh server.DOMAIN.COM
> Permission denied (hostbased).
>
> instead, as my user, fails differently for some reason,
>
> ssh server.DOMAIN.COM
> ...
> no matching hostkey found for key ED25519 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
> ssh_keysign: no reply
> key_sign failed
> Permission denied (hostbased).
>

So, that indicates that you have a problem with your client setup. Since you are trying to use ssh from /usr/local/bin, I take it that it is a local build. As such, some of the files may not be properly located.

You can check the location of the ssh-keysign binary by running strings on the ssh executable and grep'ing for ssh-keysign. I expect that it will be /usr/local/libexec/ssh-keysign. Make sure that it is setuid root.

You can then run strings on the ssh-keysign executable and grep for ssh_host ed25519 to confirm the expected location for the host key. Make sure that the key can be found in the expected location, and that the public key is world-readable, but that the private key is readable only by root.

Note, if you do not see a reference to ssh_host_ed25519 in the above strings output, the ssh-keysign executable is from an older distribution that does not support ED25519. Given that possibility, you might try adding the ECDSA key for the client to the ssh_known_hosts file on the server.

-- 
Iain Morgan
grantksupport at operamail.com
2015-Jan-09 22:03 UTC
OpenSSH_6.7p1 hostbased authentication failing on linux->linux connection. what's wrong with my config?
Hi,

On Fri, Jan 9, 2015, at 01:40 PM, Iain Morgan wrote:
> So, that indicates that you have a problem with your client setup. Since
> you are trying to use ssh from /usr/local/bin, I take it that it is a
> local build. As such, some of the files may not be properly located.

Yes. Built as

./configure \
  --prefix="/usr/local" \
  --sysconfdir="/usr/local/etc/ssh" \
  --libdir="/usr/local/lib64" \
  --with-ssl-dir="/usr/local/ssl" \
  --with-md5-passwords \
  --with-xauth=/usr/bin/xauth \
  --with-pam

> You can check the location of the ssh-keysign binary by running strings
> on the ssh executable and grep'ing for ssh-keysign. I expect that it
> will be /usr/local/libexec/ssh-keysign. Make sure that it is setuid
> root.

ls -al $( strings `which ssh` | grep ssh-keysign )
-rwsr-xr-x+ 1 root root 459K Oct 11 06:51 /usr/local/libexec/ssh-keysign*

> You can then run strings on the ssh-keysign executable and grep for
> ssh_host ed25519 to confirm the expected location for the host key. Make
> sure that the key can be found in the expected location, and that the
> public key is world-readable, but that the private key is readable only
> by root.

strings /usr/local/libexec/ssh-keysign | grep ssh_host | grep ed25519
/usr/local/etc/ssh/ssh_host_ed25519_key

That's NOT the name/location of the key.

On the client

grep Identity /usr/local/etc/ssh/ssh_config
IdentityFile /usr/local/etc/ssh/ssh.client.ed25519

and on the server

grep HostKey /usr/local/etc/ssh/sshd_config
HostKey /usr/local/etc/ssh/ssh.server.ed25519

As reported above

client

ls -al /usr/local/etc/ssh/ssh.client.ed25519*
-rw-------+ 1 root root 517 May 9 2014 /usr/local/etc/ssh/ssh.client.ed25519
-rw-r--r--+ 1 root root 107 May 9 2014 /usr/local/etc/ssh/ssh.client.ed25519.pub

server

ls -al /usr/local/etc/ssh/ssh.server.ed25519*
-rw-------+ 1 root root 464 May 10 2014 /usr/local/etc/ssh/ssh.server.ed25519
-rw-r--r--+ 1 root root 107 May 10 2014 /usr/local/etc/ssh/ssh.server.ed25519.pub

With pubkey/password these keys work as expected.

> Note, if you do not see a reference to ssh_host_ed25519 in the above
> strings output, the ssh-keysign executable is from an older distribution
> that does not support ED25519.

My 'locally installed' openssh is

ssh -V
OpenSSH_6.7p1, OpenSSL 1.0.1j 15 Oct 2014

the distro's ssh -- not used by me, but not removable is

/usr/bin/ssh -V
OpenSSH_6.6.1p1, OpenSSL 1.0.1j-fips 15 Oct 2014

> Given that possibility, you might try adding the ECDSA key for the
> client to the ssh_known_hosts file on the server.

It already is.
grantksupport at operamail.com
2015-Jan-09 23:11 UTC
OpenSSH_6.7p1 hostbased authentication failing on linux->linux connection. what's wrong with my config?
On Fri, Jan 9, 2015, at 03:06 PM, Mark Hahn wrote:
> > On the client
> >
> > grep Identity /usr/local/etc/ssh/ssh_config
> > IdentityFile /usr/local/etc/ssh/ssh.client.ed25519
>
> shouldn't this be HostKey in sshd_config?
> presumably that's what ssh-keysign is looking for,
> not a *user* key.

That's on the *client*. Note that it's in ssh_config

cat /usr/local/etc/ssh/ssh_config
...
Host *
IdentityFile /usr/local/etc/ssh/ssh.client.ed25519
...

On the *server*, in sshd_config it's

cat /usr/local/etc/ssh/sshd_config
...
HostKey /usr/local/etc/ssh/ssh.server.ed25519
...
Mark Hahn
2015-Jan-09 23:15 UTC
OpenSSH_6.7p1 hostbased authentication failing on linux->linux connection. what's wrong with my config?
>>> On the client
>>> grep Identity /usr/local/etc/ssh/ssh_config
>>> IdentityFile /usr/local/etc/ssh/ssh.client.ed25519
>>
>> shouldn't this be HostKey in sshd_config?
>> presumably that's what ssh-keysign is looking for,
>> not a *user* key.
>
> That's on the *client*. note that it's in ssh_config

exactly. how else is ssh-keysign going to know about your non-default (client) host key's location?

> cat /usr/local/etc/ssh/ssh_config
> ...
> Host *
> IdentityFile /usr/local/etc/ssh/ssh.client.ed25519

again, IdentityFile is a user key.

> On the *server*, in sshd_config it's
>
> cat /usr/local/etc/ssh/sshd_config
> ...
> HostKey /usr/local/etc/ssh/ssh.server.ed25519

sure, that's great. the problem is on the client side...

regards, mark hahn
Mark Hahn
2015-Jan-09 23:25 UTC
OpenSSH_6.7p1 hostbased authentication failing on linux->linux connection. what's wrong with my config?
>>> shouldn't this be HostKey in sshd_config?

apologies, I didn't check the source, and indeed ssh-keysign has the hostkey paths hardcoded. would it be bad if this were runtime-configurable?