search for: ignorerhost

...is mail earlier than today. The problem is: You can't use the Rhosts-RSA authentication based on the hosts.equiv file and the host keys. The only possible way to do rhosts-RSA authentication is to allow the usage of the .rhosts/.shosts file and put the information in there. If you have "IgnoreRhosts yes" in the configuration file for the sshd, no rhosts-RSA authentication is done because it is not configured. The reason are the following wrong lines of source in auth-rh-rsa.c: /* Check if we would accept it using rhosts authentication. */ if (!auth_rhosts(pw, client_user)) return...

...uiv and the public key of this server is defined in ssh_known_hosts. This setup works for all users except for the root user (which is needed for maintenance scripts to work). We've got it working for the root account by specifying the management server in the /root/.shosts file and setting the IgnoreRhosts option to no. This is not what we want, we want to ignore user specific shost files, so setting the IgnoreRhosts option to yes. In the source of auth-rhosts.c, line 205, an if statement specifies that the central shosts.equiv file is only checked for accounts other than root. Why is this? Regards...

...|= 1 << SSH_AUTH_RHOSTS; if (options.rhosts_rsa_authentication) auth_mask |= 1 << SSH_AUTH_RHOSTS_RSA; if (options.rsa_authentication) auth_mask |= 1 << SSH_AUTH_RSA; Now, in servconf.c, options.rhosts_authentication is set to 0 if IgnoreRhosts is no: case sIgnoreRhosts: intptr = &options->ignore_rhosts; parse_flag: cp = strtok(NULL, WHITESPACE); fprintf(stderr, "sIgnoreRhosts triggered as %s\n", cp); if (!cp) { fprintf(stderr, "%s line %d: missing yes/no argument.\n",...

Okay, we think we've resolved them all now *wipe brow* There were two outstanding problems... Problem 1: The config file has two directives in it: IgnoreRhosts RhostsAuthentication Without realizing it, even though I had IgnoreRhosts set to 'no', RhostsAuthentication was set to 'no' also, so it didn't matter ... This appears to fix the authentication issue of last week :( Problem 2: A regular user can't ssh to another users...

...rity reasons set this to "yes" when running @@ -418,10 +420,6 @@ StrictModes no #PubkeyAuthentication yes #AuthorizedKeysFile .ssh/authorized_keys -# rhosts authentication should not be used -#RhostsAuthentication no -# Don't read the user's ~/.rhosts and ~/.shosts files -#IgnoreRhosts yes # For this to work you will also need host keys in ${SYSCONFDIR}/ssh_known_hosts #RhostsRSAAuthentication no # similar for protocol version 2 @@ -429,6 +427,8 @@ StrictModes no # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthenticat...

How do you enable hostbased authentication in OpenSSH? I have two Red Hat 7.3 machines running openssh-3.4p1, and I would like to be able to ssh from either of the machines to the other, as any user, without using passwords or per-user keys. My /etc/ssh/sshd_config contains: [...] IgnoreRhosts no HostbasedAuthentication yes [...] My /etc/ssh/ssh_config contains: [...] HostbasedAuthentication yes [...] I created the known hosts file like so: box1# cd /etc/ssh box1# cp ssh_host_dsa_key.pub ssh_known_hosts2 I replicated the config directory: box2# rm -rf /etc/ssh box2...

...on 1 server ke +KeyRegenerationInterval 3600 ServerKeyBits 768 + +# Logging +SyslogFacility AUTH +LogLevel INFO +#obsoletes QuietMode and FascistLogging + +# Authentication: + LoginGraceTime 600 -KeyRegenerationInterval 3600 PermitRootLogin yes -# -# Don't read ~/.rhosts and ~/.shosts files -IgnoreRhosts yes -# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication -#IgnoreUserKnownHosts yes - -# # The following setting overrides permission checks on host key files # and directories. For security reasons set this to "yes" when running # NT/W2K, NTFS and CYGWIN...

.../lib/security/pam_limits.so The contents of sshd_config are: Port 22 Protocol 2,1 HostKey /usr/local/etc/ssh/ssh_host_key HostKey /usr/local/etc/ssh/ssh_host_rsa_key HostKey /usr/local/etc/ssh/ssh_host_dsa_key ServerKeyBits 768 LoginGraceTime 600 KeyRegenerationInterval 3600 PermitRootLogin no IgnoreRhosts yes RhostsRSAAuthentication StrictModes yes X11Forwarding no X11DisplayOffset 10 PrintMotd yes KeepAlive yes PrintLastLog no SyslogFacility AUTH LogLevel INFO RhostsRSAAuthentication no HostbasedAuthentication no RSAAuthentication yes PasswordAuthentication yes PermitEmptyPasswords no UsePAM yes #...

On Thu, 6 Feb 2020 at 12:46, Phil Pennock <phil.pennock at globnix.org> wrote: [...] > ssh_config(5) describes for `HostKeyAlgorithms` that: > } The list of available key types may also be obtained using "ssh -Q key" > > Running `ssh -Q key`, the output does not include these proposed > replacements. > > Only in sshd_config(5): > rsa-sha2-512-cert-v01 at

...Doing password authentication. mr at tcm30's password: " # This is ssh server systemwide configuration file. " Port 22 ListenAddress 0.0.0.0 HostKey /etc/ssh_host_key RandomSeed /etc/ssh_random_seed ServerKeyBits 768 LoginGraceTime 600 KeyRegenerationInterval 7200 PermitRootLogin yes IgnoreRhosts no StrictModes yes QuietMode no X11Forwarding yes X11DisplayOffset 10 FascistLogging no PrintMotd yes KeepAlive yes SyslogFacility DAEMON RhostsAuthentication yes RhostsRSAAuthentication yes RSAAuthentication no PasswordAuthentication yes PermitEmptyPasswords no UseLogin no " The rest of th...

http://bugzilla.mindrot.org/show_bug.cgi?id=516 Summary: RhostsAuthentication failing under AIX 4.3.3 Product: Portable OpenSSH Version: 3.5p1 Platform: PPC OS/Version: AIX Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org ReportedBy:

...gging # Authentication: LoginGraceTime 600 PermitRootLogin yes StrictModes no RSAAuthentication no PubkeyAuthentication no AuthorizedKeysFile %h/.ssh/authorized_keys # rhosts authentication should not be used RhostsAuthentication no # Don't read the user's ~/.rhosts and ~/.shosts files IgnoreRhosts no # For this to work you will also need host keys in /etc/ssh_known_hosts RhostsRSAAuthentication no # similar for protocol version 2 HostbasedAuthentication yes # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication IgnoreUserKnownHosts no # To disable tunneled clear t...

...ntials: Authentication # This is ssh server systemwide configuration file. Port 22 ListenAddress 0.0.0.0 #ListenAddress :: HostKey /usr/local/etc/ssh_host_key ServerKeyBits 768 LoginGraceTime 600 KeyRegenerationInterval 3600 PermitRootLogin yes # # Don't read ~/.rhosts and ~/.shosts files IgnoreRhosts yes # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication #IgnoreUserKnownHosts yes StrictModes yes X11Forwarding no X11DisplayOffset 10 PrintMotd yes KeepAlive yes # Logging SyslogFacility AUTH LogLevel INFO #obsoletes QuietMode and FascistLogging RhostsAuthenticatio...

is anyone using rhost-rsa + hosts.equiv? is it broken? -------------- next part -------------- An embedded message was scrubbed... From: Francesc Guasch <frankie at etsetb.upc.es> Subject: hosts.equiv Date: Thu, 22 Mar 2001 12:56:22 +0100 Size: 2614 Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010322/ced5a345/attachment.mht

...# Authentication: #LoginGraceTime 120 PermitRootLogin no StrictModes yes RSAAuthentication yes PubkeyAuthentication yes AuthorizedKeysFile .ssh/authorized_keys # rhosts authentication should not be used #RhostsAuthentication no # Don't read the user's ~/.rhosts and ~/.shosts files IgnoreRhosts yes # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts #RhostsRSAAuthentication no # similar for protocol version 2 #HostbasedAuthentication no # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication #IgnoreUserKn...

...on: LoginGraceTime 600 PermitRootLogin no StrictModes yes RSAAuthentication yes PubkeyAuthentication yes #AuthorizedKeysFile %h/.ssh/authorized_keys2 # rhosts authentication should not be used #RhostsAuthentication no # Don''t read the user''s ~/.rhosts and ~/.shosts files IgnoreRhosts no # For this to work you will also need host keys in /usr/local/etc/ssh_known_hosts RhostsRSAAuthentication yes # similar for protocol version 2 HostbasedAuthentication yes # Uncomment if you don''t trust ~/.ssh/known_hosts for RhostsRSAAuthentication #IgnoreUserKnownHosts yes # To disa...

.../usr/local/ssl/lib -L/usr/local/lib -blibpath:/usr/lib:/lib:/usr/local/lib Libraries: -lwrap -lz -lcrypto Changing UsePrivilegeSeperation to no has no effect. Removing and creating new keys on both sides has no effect. The only changes to the sshd_config file are: PermitRootLogin no IgnoreRhosts no HostbasedAuthentication yes The only changes to the ssh_config file are: Host * ForwardX11 yes HostbasedAuthentication yes RhostsRSAAuthentication yes The relevant part of sshd -ddd output seems to be: debug3: mm_send_debug: Sending debug: Accepted by .rhosts. debug3: mm_send_debug...

....10 One exposed external IP address (for this list, assume to be 100.100.100.100) /etc/ssh/sshd_config: Port 22 Protocol 2,1 ListenAddress 0.0.0.0 HostKey /etc/ssh/ssh_host_key HostDSAKey /etc/ssh/ssh_host_dsa_key ServerKeyBits 768 LoginGraceTime 600 KeyRegenerationInterval 3600 PermitRootLogin no IgnoreRhosts yes StrictModes yes X11Forwarding no X11DisplayOffset 10 PrintMotd yes KeepAlive yes /etc/ppp/options: lock local noauth proxyarp Client information: *Stock Redhat 6.2 machine running a 2.2.17pre20 kernel OpenSSH version 2.2.0p1 (downloaded as Redhat RPMs, revision 2) OpenSSL version 0.9.5a (dow...

...d authentication via the shosts.equiv file. This is essentially a drop-in replacement for what is already being done, just replacing rsh with OpenSSH. However, OpenSSH is hard-coded to *not* check hosts.equiv/shosts.equiv if the target uid is 0. It is possible to get around this by setting "IgnoreRhosts" to no, and putting a .shosts file in the root directory, but this has the highly undesired side-effect of allowing users to create their own .rhosts/.shosts files as well. I modified the source to provide a new option "PermitRootViaHostBased" that would permit the desired behavior...

.... Port 22 #Protocol 2,1 #ListenAddress 0.0.0.0 #ListenAddress :: HostKey /etc/ssh/ssh_host_key HostKey /etc/ssh/ssh_host_dsa_key #HostKey /etc/ssh/ssh_host_rsa_key ServerKeyBits 768 LoginGraceTime 600 KeyRegenerationInterval 3600 PermitRootLogin yes # # Don't read ~/.rhosts and ~/.shosts files IgnoreRhosts yes # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication #IgnoreUserKnownHosts yes StrictModes yes X11Forwarding no X11DisplayOffset 10 PrintMotd yes KeepAlive yes # Logging SyslogFacility AUTH LogLevel INFO #obsoletes QuietMode and FascistLogging RhostsAuthenticatio...