openssh unix dev - Jan 2015 - OpenSSH_6.7p1 hostbased authentication failing on linux->linux connection. what's wrong with my config?

On Fri, Jan 09, 2015 at 12:22:00 -0800, grantksupport at operamail.com
wrote:
> @client
> 
> as root (as before)
> 
> 	ssh server.DOMAIN.COM
> 		Permission denied (hostbased).
> 
> instead, as my user, fails differently for some reason,
> 
> 	ssh server.DOMAIN.COM
> 		...
> 		no matching hostkey found for key ED25519
xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
> 		ssh_keysign: no reply
> 		key_sign failed
> 		Permission denied (hostbased).
> 
So, that indicates that you have a problem with your client setup. Since
you are trying to use ssh from /usr/local/bin, I take it that it is a
local build. As such, some of the files may not be properly located.

You can check the location of the ssh-keysign binary by running strings
on the ssh executable and grep'ing for ssh-keysign. I expect that it
will be /usr/local/libexec/ssh-keysign. Make sure that it is setuid
root.

You can then run strings on the ssh-keysign executable and grep for
ssh_host ed25519 to confirm the expected location for the host key. Make
sure that the key can be found in the expected location, and that the
public key is world-readable, but that the private key is readable only
by root.

Note, if you do not see a reference to ssh_host_ed25519 in the above
strings output, the ssh-keysign executable is from an older distribution
that does not support ED25519.

Given that possibility, you might try adding the ECDSA key for the
client to the ssh_known_hosts file on the server.

-- 
Iain Morgan

Hi,

On Fri, Jan 9, 2015, at 01:40 PM, Iain Morgan wrote:
> So, that indicates that you have a problem with your client setup. Since
> you are trying to use ssh from /usr/local/bin, I take it that it is a
> local build. As such, some of the files may not be properly located.
Yes.  Built as

	./configure \
	 --prefix="/usr/local" \
	 --sysconfdir="/usr/local/etc/ssh" \
	 --libdir="/usr/local/lib64" \
	 --with-ssl-dir="/usr/local/ssl" \
	 --with-md5-passwords \
	 --with-xauth=/usr/bin/xauth \
	 --with-pam

> You can check the location of the ssh-keysign binary by running strings
> on the ssh executable and grep'ing for ssh-keysign. I expect that it
> will be /usr/local/libexec/ssh-keysign. Make sure that it is setuid
> root.
ls -al $( strings `which ssh` | grep ssh-keysign )
	-rwsr-xr-x+ 1 root root 459K Oct 11 06:51 /usr/local/libexec/ssh-keysign*
> You can then run strings on the ssh-keysign executable and grep for
> ssh_host ed25519 to confirm the expected location for the host key. Make
> sure that the key can be found in the expected location, and that the
> public key is world-readable, but that the private key is readable only
> by root.
	strings /usr/local/libexec/ssh-keysign | grep ssh_host | grep ed25519
		/usr/local/etc/ssh/ssh_host_ed25519_key

That's NOT the name/location of the key.

On the client

	grep Identity /usr/local/etc/ssh/ssh_config
		IdentityFile /usr/local/etc/ssh/ssh.client.ed25519

and on the server

	grep HostKey /usr/local/etc/ssh/sshd_config
		HostKey  /usr/local/etc/ssh/ssh.server.ed25519

As reported above

	client

		ls -al /usr/local/etc/ssh/ssh.client.ed25519*
			-rw-------+ 1 root root 517 May  9  2014
/usr/local/etc/ssh/ssh.client.ed25519
			-rw-r--r--+ 1 root root 107 May  9  2014
/usr/local/etc/ssh/ssh.client.ed25519.pub


	server

		ls -al /usr/local/etc/ssh/ssh.server.ed25519*
			-rw-------+ 1 root root 464 May 10  2014
/usr/local/etc/ssh/ssh.server.ed25519
			-rw-r--r--+ 1 root root 107 May 10  2014
/usr/local/etc/ssh/ssh.server.ed25519.pub

With pubkey/password these keys work as expected.

> Note, if you do not see a reference to ssh_host_ed25519 in the above
> strings output, the ssh-keysign executable is from an older distribution
> that does not support ED25519.
My 'locally installed' openssh is

	ssh -V
		OpenSSH_6.7p1, OpenSSL 1.0.1j 15 Oct 2014

the distro's ssh -- not used by me, but not removable is

	/usr/bin/ssh -V
		OpenSSH_6.6.1p1, OpenSSL 1.0.1j-fips 15 Oct 2014

> Given that possibility, you might try adding the ECDSA key for the
> client to the ssh_known_hosts file on the server.
It already is.

On Fri, Jan 9, 2015, at 03:06 PM, Mark Hahn wrote:
> > On the client
> >
> > 	grep Identity /usr/local/etc/ssh/ssh_config
> > 		IdentityFile /usr/local/etc/ssh/ssh.client.ed25519
> 
> shouldn't this be HostKey in sshd_config?
> presumably that's what ssh-keysign is looking for,
> not a *user* key.
That's on the *client*. note that it's in ssh_config

	cat /usr/local/etc/ssh/ssh_config
		...
		Host *
		IdentityFile /usr/local/etc/ssh/ssh.client.ed25519
		...

On the *server*, in sshd_config it's 

	cat /usr/local/etc/ssh/sshd_config
		...
		HostKey  /usr/local/etc/ssh/ssh.server.ed25519
		...

>>> On the client
>>> 	grep Identity /usr/local/etc/ssh/ssh_config
>>> 		IdentityFile /usr/local/etc/ssh/ssh.client.ed25519
>>
>> shouldn't this be HostKey in sshd_config?
>> presumably that's what ssh-keysign is looking for,
>> not a *user* key.
>
> That's on the *client*. note that it's in ssh_config
exactly.  how else is ssh-keysign going to know about your 
non-default (client) host key's location?
> 	cat /usr/local/etc/ssh/ssh_config
> 		...
> 		Host *
> 		IdentityFile /usr/local/etc/ssh/ssh.client.ed25519
again, IdentityFile is a user key.
> On the *server*, in sshd_config it's
>
> 	cat /usr/local/etc/ssh/sshd_config
> 		...
> 		HostKey  /usr/local/etc/ssh/ssh.server.ed25519
sure, that's great.  the problem is on the client side...

regards, mark hahn

>>> shouldn't this be HostKey in sshd_config?
apologies, I didn't check the source, and indeed ssh-keysign
has the hostkey paths hardcoded.

would it be bad if this were runtime-configurable?