search for: ssh_keysign

The problem I am seeing was introduced between 6.4p1 and 6.5p1 (and still exists in 6.6p1). With HostbasedAuthentication/EnableSSHKeysign turned on, I am seeing one of two sets of messages: no matching hostkey found ssh_keysign: no reply key_sign failed and not a valid request ssh_keysign: no reply key_sign failed Then in either case two password prompts: bowman at HOST.math.utah.edu's password: Permission denied, please try again. bowman at HOST.math.utah.edu's password: I've used strace and dtrace t...

Hi, On Fri, Jan 9, 2015, at 10:48 AM, Tim Rice wrote: > My ssh_config has > Host * > HostbasedAuthentication yes > EnableSSHKeysign yes > NoHostAuthenticationForLocalhost yes > > NoHostAuthenticationForLocalhost is not necessary. > The one you are missing is EnableSSHKeysign. > > Additionally, you made no mention of your ssh_known_hosts files. Make > sure

...tion to its documented role as provider of defaults. $ ssh -V OpenSSH_3.5p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f $ cat .ssh/config Host localhost HostbasedAuthentication yes PreferredAuthentications hostbased $ ssh localhost Hostbased authentication not enabled in /etc/ssh/ssh_config ssh_keysign: no reply key_sign failed Permission denied (publickey,password,keyboard-interactive,hostbased). The situation is rectified by enabling Hostbased authentication in /etc/ssh/ssh_config (as the error message suggests), but this must be done by the systems administrator. Why is the setting in .ssh/c...

...$(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT) $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) to:...

..._RAND_HELPER)" ; then \ - $(INSTALL) -m 0755 $(STRIP_OPT) ssh-rand-helper $(DESTDIR)$(libexecdir)/ssh-rand-helper ; \ + $(INSTALL) -m 0755 $(STRIP_OPT) ssh-rand-helper$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-rand-helper$(EXEEXT) ; \ fi - $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign $(DESTDIR)$(SSH_KEYSIGN) - $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper $(DESTDIR)$(SSH_PKCS11_HELPER) - $(INSTALL) -m 0755 $(STRIP_OPT) sftp $(DESTDIR)$(bindir)/sftp - $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server $(DESTDIR)$(SFTP_SERVER) + $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$...

...,publickey,keyboard-interactive,password debug3: authmethod_lookup hostbased debug3: remaining preferred: publickey,keyboard-interactive,password debug3: authmethod_is_enabled hostbased debug1: next auth method to try is hostbased debug2: userauth_hostbased: chost enfm-pc8.utcc.utoronto.ca. debug1: ssh_keysign called debug3: msg_send: type 2 debug3: msg_recv entering debug2: we sent a hostbased packet, wait for reply debug1: Remote: Accepted by .rhosts. debug1: Remote: Accepted host enfm-pc8.utcc.utoronto.ca ip 128.100.102.101 client_user mikep server_user mikep debug1: authentications that can continue:...

...latter versions of openssh (3.4,3.5 and 3.6.1) all seem to suffer from a broken ssh-keysign binary. This causes HostbasedAuthentication to fail. We have installed 3.6.1p1 on a Solaris 8 machine using openssl-0.9.6i. This fails thusly ssh server <......some \digits removed - a key perhaps?> ssh_keysign: no reply key_sign failed a at server's password For version 3.4p1 we patched ssh-keysign.c and it worked as expected. When we use the same ssh-keysign with the 3.6.1 distribution it also works as expected. Have other people noticed this? Is it so on other OSes? Is there a patch anyway? open...

...hment (id=1612) --> (http://bugzilla.mindrot.org/attachment.cgi?id=1612) Allow get_local_name() to handle a socket or pipe. If hostbased authentication is enabled and a proxy command is used to connect to the server, the following warning messages typically appear: cannot get sockname for fd ssh_keysign: no reply key_sign failed This is due to the assumption that the file descriptor passed to get_local_name() corresponds to a socket, which is not the case when a proxy command is used. The attached patch modifies get_local_name() sot that it falls back to using gethostname() if get_socket_addres...

https://bugzilla.mindrot.org/show_bug.cgi?id=2211 Bug ID: 2211 Summary: Too many hostbased authentication attempts Product: Portable OpenSSH Version: 6.5p1 Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 Component: ssh Assignee: unassigned-bugs at

...(as before) > > ssh server.DOMAIN.COM > Permission denied (hostbased). > > instead, as my user, fails differently for some reason, > > ssh server.DOMAIN.COM > ... > no matching hostkey found for key ED25519 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx > ssh_keysign: no reply > key_sign failed > Permission denied (hostbased). > So, that indicates that you have a problem with your client setup. Since you are trying to use ssh from /usr/local/bin, I take it that it is a local build. As such, some of the files may not be properly located. You can...

Rather then implementing kafs in MIT Kerberos, I would like to suggest an alternative which has advantages to all parties. The OpenSSH sshd needs to do two things: (1) sets a PAG in the kernel, (2) obtains an AFS token storing it in the kernel. It can use the Kerberos credentials either obtained via GSSAPI delegation, PAM or other kerberos login code in the sshd. The above two