Everyone has probably seen this question a 1,000 times by now, but here goes.
I need to get a trusted host arrangement between a number of machines.
Configurations for several machines went find, but one is giving me trouble.
I copied the ssh_config; sshd_config from a successful implementation to the
problem box.
Okay...so what is leading to "Rhosts Authentication disabled." It
will
authenticate on passphrase/password. Is there another config file somewhere
or what?
Thanks in advance.
MACHINE - Redhat 7.2 - openssh-2.9p2-9
client''s /etc/ssh/ssh_config includes:
<commented lines>
Host statamatic
ForwardAgent yes
ForwardX11 yes
FallBackToRsh no
Protocol 2,1
RhostsAuthentication yes
RhostsRSAAuthentication yes
DSAAuthentication yes
IdentityFile ~/.ssh/identity
# Be paranoid by default
Host *
ForwardAgent no
ForwardX11 yes
FallBackToRsh no
Protocol 2,1
RhostsAuthentication yes
RhostsRSAAuthentication yes
DSAAuthentication yes
PERMISSIONS:
-rw-r--r-- 1 root root 1261 Nov 30 08:35 ssh_config
-rw------- 1 root root 1195 Nov 27 10:53 sshd_config
When I: ssh -v -v -v statamatic I get:
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for statamatic
debug1: Applying options for *
debug1: Seeding random number generator
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
Host machine sshd_config --- probably not important since problem seems to
occur before this, nevertheless, greps of the more important lines:
RhostsAuthentication yes
RhostsRSAAuthentication yes
DSAAuthentication yes
RSAAuthentication yes
PasswordAuthentication yes
#SkeyAuthentication no
#KerberosAuthentication no
HostKey /etc/ssh/ssh_host_key
#IgnoreUserKnownHosts yes
IgnoreRhosts no
# Uncomment if you don''t trust ~/.ssh/known_hosts for
RhostsRSAAuthentication
RhostsAuthentication yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication yes
========================================Michaell Taylor, PhD
On Mon, Dec 03, 2001 at 09:58:42AM -0500, Michaell Taylor wrote:> Everyone has probably seen this question a 1,000 times by now, but here goes. > I need to get a trusted host arrangement between a number of machines. > Configurations for several machines went find, but one is giving me trouble. > I copied the ssh_config; sshd_config from a successful implementation to the > problem box.When you say "one is giving you trouble" do you mean trouble as a client or trouble as a server or both? I''ve got a couple of guesses based on your description, one on the client side and one on the server side.> Okay...so what is leading to "Rhosts Authentication disabled." It will > authenticate on passphrase/password. Is there another config file somewhere > or what?Not a config file. Probably file permissions, but not the permissions on the config files.> Thanks in advance.> MACHINE - Redhat 7.2 - openssh-2.9p2-9[...]> PERMISSIONS: > -rw-r--r-- 1 root root 1261 Nov 30 08:35 ssh_config > -rw------- 1 root root 1195 Nov 27 10:53 sshd_configWhat about permissions on ssh on the client machine?> When I: ssh -v -v -v statamatic I get:> debug1: Reading configuration data /etc/ssh/ssh_config > debug1: Applying options for statamatic > debug1: Applying options for * > debug1: Seeding random number generator > debug1: Rhosts Authentication disabled, originating port will not be trusted. > debug1: restore_uidBased on the verbage of the "disabled" message, I''m sort of suspicious that ssh may not be suid to root. In order to make shosts/rhosts authentication work, ssh needs to be suid to root in order to bind to a low order port. ] [root@alcove /home]# ls -l /usr/bin/ssh ] -rwsr-xr-x 1 root root 231408 Oct 9 14:49 /usr/bin/ssh> Host machine sshd_config --- probably not important since problem seems to > occur before this, nevertheless, greps of the more important lines:[...] Another thing to look at, especially if the problem is on the server machine, is the permissions in the path leading to the home directory of the account. I''ve had things disabled because permissions on the parent or grandparent directories were to permissive.> ========================================> Michaell Taylor, PhDIAC... Why are you using rhosts/shosts authentication anyways? Why not generate RSA or DSA keys and use key authenticated access instead? That way you are not relying on IP addresses and DNS lookups as a part of your authentication scheme.> _______________________________________________ > Redhat-secure-server mailing list > Redhat-secure-server@redhat.com > https://listman.redhat.com/mailman/listinfo/redhat-secure-serverMike -- Michael H. Warfield | (770) 985-6132 | mhw@WittsEnd.com /\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/ NIC whois: MHW9 | An optimist believes we live in the best of all PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
machine A connects to B in a trust relationship - no problem. B cannot connect to A in a similar manner. As I read the -v-v-v output, when B attempts to do so (as client) something is disabling the trust authentication prior to contacting A. Common (as opposed to learned) sense causes me to suspect /etc/ssh/ssh_config from the log, but it (included below) seems to allow host based auth. debug1: Reading configuration data /etc/ssh/ssh_config debug1: Applying options for statamatic debug1: Applying options for * debug1: Seeding random number generator debug1: Rhosts Authentication disabled, originating port will not be Thanks, hope this clarifies. Michaell Michael H. Warfield wrote:> On Mon, Dec 03, 2001 at 09:58:42AM -0500, Michaell Taylor wrote: > > Everyone has probably seen this question a 1,000 times by now, but here > > goes. I need to get a trusted host arrangement between a number of > > machines. Configurations for several machines went find, but one is > > giving me trouble. I copied the ssh_config; sshd_config from a successful > > implementation to the problem box. > > When you say "one is giving you trouble" do you mean trouble > as a client or trouble as a server or both? I''ve got a couple of > guesses based on your description, one on the client side and one on > the server side. > > > Okay...so what is leading to "Rhosts Authentication disabled." It will > > authenticate on passphrase/password. Is there another config file > > somewhere or what? > > Not a config file. Probably file permissions, but not the > permissions on the config files. > > > Thanks in advance. > > > > > > MACHINE - Redhat 7.2 - openssh-2.9p2-9 > > [...] > > > PERMISSIONS: > > -rw-r--r-- 1 root root 1261 Nov 30 08:35 ssh_config > > -rw------- 1 root root 1195 Nov 27 10:53 sshd_config > > What about permissions on ssh on the client machine? > > > When I: ssh -v -v -v statamatic I get: > > > > debug1: Reading configuration data /etc/ssh/ssh_config > > debug1: Applying options for statamatic > > debug1: Applying options for * > > debug1: Seeding random number generator > > debug1: Rhosts Authentication disabled, originating port will not be > > trusted. debug1: restore_uid > > Based on the verbage of the "disabled" message, I''m sort of > suspicious that ssh may not be suid to root. In order to make > shosts/rhosts authentication work, ssh needs to be suid to root in order > to bind to a low order port. > > ] [root@alcove /home]# ls -l /usr/bin/ssh > ] -rwsr-xr-x 1 root root 231408 Oct 9 14:49 /usr/bin/ssh > > > Host machine sshd_config --- probably not important since problem seems > > to occur before this, nevertheless, greps of the more important lines: > > [...] > > Another thing to look at, especially if the problem is on the > server machine, is the permissions in the path leading to the home > directory of the account. I''ve had things disabled because permissions > on the parent or grandparent directories were to permissive. > > > ========================================> > Michaell Taylor, PhD > > IAC... Why are you using rhosts/shosts authentication anyways? > Why not generate RSA or DSA keys and use key authenticated access instead? > That way you are not relying on IP addresses and DNS lookups as a part > of your authentication scheme. > > > _______________________________________________ > > Redhat-secure-server mailing list > > Redhat-secure-server@redhat.com > > https://listman.redhat.com/mailman/listinfo/redhat-secure-server > > Mike-- ========================================Michaell Taylor, PhD
On Mon, Dec 03, 2001 at 11:25:31AM -0500, Michaell Taylor wrote:> machine A connects to B in a trust relationship - no problem. B cannot > connect to A in a similar manner. As I read the -v-v-v output, when B > attempts to do so (as client) something is disabling the trust authentication > prior to contacting A. Common (as opposed to learned) sense causes me to > suspect /etc/ssh/ssh_config from the log, but it (included below) seems to > allow host based auth.> debug1: Reading configuration data /etc/ssh/ssh_config > debug1: Applying options for statamatic > debug1: Applying options for * > debug1: Seeding random number generator > debug1: Rhosts Authentication disabled, originating port will not be> Thanks, hope this clarifies.A little. 1) Check permissions on B for /usr/bin/ssh. 2) Check permissions and ownership on A of directories leading to the home directory containing your .shosts file. 3) Test against a third machine "C". a) Can C connect to A? b) Can B connect to C? If 3b is no, then I really suspect permissions on /usr/bin/ssh on B. If you find that /usr/sbin/ssh is not suid to root, then "normal" users will be unable to use host based authentication (but key based authentication could still work). If that doesn''t uncover the problem, you might be better off raising the issue on the OpenSSH mailing list rather than this list. I think the RedHat Secure Server list was originally intended for the RedHat E-Commerce secure web server.> Michaell> Michael H. Warfield wrote: > > On Mon, Dec 03, 2001 at 09:58:42AM -0500, Michaell Taylor wrote: > > > Everyone has probably seen this question a 1,000 times by now, but here > > > goes. I need to get a trusted host arrangement between a number of > > > machines. Configurations for several machines went find, but one is > > > giving me trouble. I copied the ssh_config; sshd_config from a successful > > > implementation to the problem box. > > > > When you say "one is giving you trouble" do you mean trouble > > as a client or trouble as a server or both? I''ve got a couple of > > guesses based on your description, one on the client side and one on > > the server side. > > > > > Okay...so what is leading to "Rhosts Authentication disabled." It will > > > authenticate on passphrase/password. Is there another config file > > > somewhere or what? > > > > Not a config file. Probably file permissions, but not the > > permissions on the config files. > > > > > Thanks in advance. > > > > > > > > > MACHINE - Redhat 7.2 - openssh-2.9p2-9 > > > > [...] > > > > > PERMISSIONS: > > > -rw-r--r-- 1 root root 1261 Nov 30 08:35 ssh_config > > > -rw------- 1 root root 1195 Nov 27 10:53 sshd_config > > > > What about permissions on ssh on the client machine? > > > > > When I: ssh -v -v -v statamatic I get: > > > > > > debug1: Reading configuration data /etc/ssh/ssh_config > > > debug1: Applying options for statamatic > > > debug1: Applying options for * > > > debug1: Seeding random number generator > > > debug1: Rhosts Authentication disabled, originating port will not be > > > trusted. debug1: restore_uid > > > > Based on the verbage of the "disabled" message, I''m sort of > > suspicious that ssh may not be suid to root. In order to make > > shosts/rhosts authentication work, ssh needs to be suid to root in order > > to bind to a low order port. > > > > ] [root@alcove /home]# ls -l /usr/bin/ssh > > ] -rwsr-xr-x 1 root root 231408 Oct 9 14:49 /usr/bin/ssh > > > > > Host machine sshd_config --- probably not important since problem seems > > > to occur before this, nevertheless, greps of the more important lines: > > > > [...] > > > > Another thing to look at, especially if the problem is on the > > server machine, is the permissions in the path leading to the home > > directory of the account. I''ve had things disabled because permissions > > on the parent or grandparent directories were to permissive. > > > > > ========================================> > > Michaell Taylor, PhD > > > > IAC... Why are you using rhosts/shosts authentication anyways? > > Why not generate RSA or DSA keys and use key authenticated access instead? > > That way you are not relying on IP addresses and DNS lookups as a part > > of your authentication scheme. > > > > > _______________________________________________ > > > Redhat-secure-server mailing list > > > Redhat-secure-server@redhat.com > > > https://listman.redhat.com/mailman/listinfo/redhat-secure-server > > > > Mike > > -- > ========================================> Michaell Taylor, PhD > > > > _______________________________________________ > Redhat-secure-server mailing list > Redhat-secure-server@redhat.com > https://listman.redhat.com/mailman/listinfo/redhat-secure-server-- Michael H. Warfield | (770) 985-6132 | mhw@WittsEnd.com /\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/ NIC whois: MHW9 | An optimist believes we live in the best of all PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!