search for: hostbasedauthentication

I'm trying to use HostbasedAuthentication. Running ssh -v -v -v user at host the following error occurs: debug3: authmethod_is_enabled hostbased debug1: next auth method to try is hostbased debug2: userauth_hostbased: chost <host> debug2: we did not send a packet, disable method What does this mean ? I enabled HostbasedAuthenticati...

Do people actually use HostbasedAuthentication? It needs several steps to enable and generally seems quite arcane by now. I wonder if this is something that could be trimmed away... -- Christian "naddy" Weisgerber naddy at mips.inka.de

...g). * ssh(1) prints out all known host keys for a host if it receives an unknown host key of a different type. * Fixed AES/Rijndael EVP integration for OpenSSL < 0.9.7 (caused problems with bounds checking patches for gcc). * ssh-keysign(8) is disabled by default and only enabled if the HostbasedAuthentication option is enabled in the global ssh_config(5) file. * ssh-keysign(8) uses RSA blinding in order to avoid timing attacks against the RSA host key. * A use-after-free bug was fixed in ssh-keysign(8). This bug broke hostbased authentication on several platforms. * ssh-agent(1) is now install...

...g). * ssh(1) prints out all known host keys for a host if it receives an unknown host key of a different type. * Fixed AES/Rijndael EVP integration for OpenSSL < 0.9.7 (caused problems with bounds checking patches for gcc). * ssh-keysign(8) is disabled by default and only enabled if the HostbasedAuthentication option is enabled in the global ssh_config(5) file. * ssh-keysign(8) uses RSA blinding in order to avoid timing attacks against the RSA host key. * A use-after-free bug was fixed in ssh-keysign(8). This bug broke hostbased authentication on several platforms. * ssh-agent(1) is now install...

Maybe I just can't read properly, but I just spent the best part of a day trying to work out why HostbasedAuthentication wouldn't work for me (with protocol 2 in openssh-2.9p1). It seems (though maybe there is something wrong with my install), that after enabling it in the sshd_config it doesn't work, since the client will not in fact request it (by default). I was fooled by the statement in the ssh man pag...

...76 rlebar at erac.com changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |INVALID Summary|HostbasedAuthentication, |HostbasedAuthentication, |followed snailbook but not |followed snailbook but not |working! :-( |working! :-( ------- Additional Comments From rlebar at erac.com 2002-08-08 03:06 ------- Never mind. I needed to put shosts.equiv in /opt/e...

...you enable hostbased authentication in OpenSSH? I have two Red Hat 7.3 machines running openssh-3.4p1, and I would like to be able to ssh from either of the machines to the other, as any user, without using passwords or per-user keys. My /etc/ssh/sshd_config contains: [...] IgnoreRhosts no HostbasedAuthentication yes [...] My /etc/ssh/ssh_config contains: [...] HostbasedAuthentication yes [...] I created the known hosts file like so: box1# cd /etc/ssh box1# cp ssh_host_dsa_key.pub ssh_known_hosts2 I replicated the config directory: box2# rm -rf /etc/ssh box2# mkdir /etc/ssh box2# chown...

When using "HostbasedUsesNameFromPacketOnly yes", the ssh client sends the hostname with a trailing dot, but the server does not strip off the trailing dot when matching against .shosts et. al., or when looking up keys in ssh_known_hosts2. This causes the host to not be found. Adding the hostname with trailing dot to the config files "fixes" this, but I think sshd should

http://bugzilla.mindrot.org/show_bug.cgi?id=382 markus at openbsd.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED ------- Additional Comments From markus at openbsd.org 2002-09-11

All: I have a problem connecting Openssh 3.0.2p1 on Solaris 8 using hostname authentication for non-root users. When I connect to the sshd from a second machine as root it works fine using HostbasedAuthentication, but it always fails with non-root users. I suspect that I am having a permissions problem somewhere, but I'll be damned if I can figure out where. Any and all help appreciated. -David Relevant file snippets below: **************** Error message generated from the server-side command...

I'm attaching a simple doc patch against current CVS - feel free to re-word it as you see fit. I also noticed that if UseDNS is no, HostbasedUsesNameFromPacketOnly _must_ be yes if you want HostbasedAuthentication to work. -- Carson -------------- next part -------------- --- sshd_config.5.DIST 2003-09-13 02:25:18.365707000 -0400+++ sshd_config.5 2003-09-13 02:46:29.430974000 -0400@@ -245,6 +245,16 @@ and applies to protocol version 2 only. The default is .Dq no .+.It Cm HostbasedUsesNameFromPacketOnly+Spe...

...norant question, maybe I'm missing something ... Is there a way for a sshd server to be able to enforce both client host key authentication as well as user authentication, say for roving user-administered laptops. So a sysadmin can restrict access to allow only client hosts which can pass the HostbasedAuthentication tests, whatever the current IP name/address, but still insist on the user authenticating themselves (by password say). Is this possible? I see there's a SSH2 configuration of RequiredAuthentications which might allow the sysadmin to specify two authentications required, but it's not in o...

...ec] [-c host_cert_file] [-E log_file] [-f config_file] [-g login_grace_time] [-h host_key_file] [-k key_gen_time] [-o option] [-p port] I have configured for hostbased authentication client ssh_config ... PreferredAuthentications hostbased,publickey HostbasedAuthentication yes PubkeyAuthentication yes PasswordAuthentication no ... server sshd_config ... AuthenticationMethods hostbased,publickey HostbasedAuthentication yes HostbasedUsesNameFromPacketOnly yes PubkeyAuthentication...

http://cvs-mirror.mozilla.org/webtools/bugzilla/show_bug.cgi?id=382 Summary: Privilege Separation breaks HostbasedAuthentication Product: Portable OpenSSH Version: -current Platform: Sparc OS/Version: Solaris Status: NEW Severity: major Priority: P2 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: rlebar at...

http://bugzilla.mindrot.org/show_bug.cgi?id=376 Summary: HostbasedAuthentication, followed snailbook but not working! :-( Product: Portable OpenSSH Version: -current Platform: UltraSparc URL: http://groups.google.com/groups?dq=&hl=en&lr=&ie=UTF- 8&group=comp.security.ssh&s...

...d" line. If I have all my host keys in /etc/ssh/ssh_known_hosts on the server I'm trying to connect to, it should allow me in. Right? I've tried all 3 at the same time, then seperately, and nothing. I've also tried generating new keys, that didn't work either. Yes I have HostbasedAuthentication set to yes in /etc/ssh/sshd_config on the server i'm connecting to. I do have HostbasedAuthentication set to yes in /etc/ssh/ssh_config on the client i'm coming from. I also have an /etc/ssh/shosts.equiv file on the server. My DSN is setup correctly on both systems, there are no proble...

It looks like host based authentication will not work if you attempt to set EnableSSHKeysign on a per host basis. Ie. This does not work. ------- Host ou8 HostName ou8.somedomain.com HostbasedAuthentication yes EnableSSHKeysign yes NoHostAuthenticationForLocalhost yes ------- Unless you also add ----- Host * EnableSSHKeysign yes ----- Is this the intended behavior? -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net

...sh2 [...] The full output is in the attachment, if I've been snipping too much (I hope it doesn't get stripped off by the mailing list software). Some basic configuration info: ssh_config (stripped): Host hostname.domainname.tld PreferredAuthentications hostbased,publickey,password HostbasedAuthentication yes GlobalKnownHostsFile /etc/ssh/ssh_known_hosts2 CheckHostIP yes StrictHostKeyChecking ask Protocol 2 sshd_config (stripped): Protocol 2 HostbasedAuthentication yes IgnoreRhosts no shosts.equiv (stripped): 192.168.1.5 hostname.domainname.tld + + (Last line just for test...

Hi, On Fri, Jan 9, 2015, at 10:48 AM, Tim Rice wrote: > My ssh_config has > Host * > HostbasedAuthentication yes > EnableSSHKeysign yes > NoHostAuthenticationForLocalhost yes > > NoHostAuthenticationForLocalhost is not necessary. > The one you are missing is EnableSSHKeysign. > > Additionally, you made no mention of your ssh_known_hosts files. Make > sure the client's pub...

...able from the inside, so e.g. though something like this would do the job in sshd_config: #general config #... Match User foo LocalAddress 10.0.0.1,fe80:abba::0 PasswordAuthentication no KbdInteractiveAuthentication no RhostsRSAAuthentication no HostbasedAuthentication no KerberosAuthentication no GSSAPIAuthentication no RSAAuthentication no PubkeyAuthentication yes Match User foo LocalAddress !10.0.0.1,!fe80:abba::0 PasswordAuthentication no KbdInteract...