similar to: [Bug 616] proxycommand breaks hostbased authentication.

http://bugzilla.mindrot.org/show_bug.cgi?id=616 Summary: proxycommand breaks hostbased authentication. Product: Portable OpenSSH Version: 3.6.1p2 Platform: All OS/Version: All Status: NEW Severity: normal Priority: P2 Component: ssh AssignedTo: openssh-bugs at mindrot.org ReportedBy: stuart

I run OpenSSH on linux @ client which ssh /usr/local/bin/ssh ssh -v OpenSSH_6.7p1, OpenSSL 1.0.1j 15 Oct 2014 @ server which sshd /usr/local/bin/sshd sshd -v unknown option -- V OpenSSH_6.7p1, OpenSSL 1.0.1j 15 Oct 2014 usage: sshd [-46DdeiqTt] [-b bits] [-C connection_spec] [-c host_cert_file] [-E log_file] [-f config_file] [-g login_grace_time]

In auth2-hostbased.c, line #146 if (auth_rhosts2(pw, cuser, chost, chost) == 0) ^^^^^ shouldn't this be if (auth_rhosts2(pw, cuser, chost, ipaddr) == 0) ^^^^^^ The code was found in 4.2. Best regards, Choung S.Park

Hi, On Fri, Jan 9, 2015, at 10:48 AM, Tim Rice wrote: > My ssh_config has > Host * > HostbasedAuthentication yes > EnableSSHKeysign yes > NoHostAuthenticationForLocalhost yes > > NoHostAuthenticationForLocalhost is not necessary. > The one you are missing is EnableSSHKeysign. > > Additionally, you made no mention of your ssh_known_hosts files. Make > sure

If HostbasedUsesNameFromPacketOnly is set to yes, sshd does not remove the trailing dot from the client supplied hostname, causing sshd to attempt to look up "foo.example.com." (note trailing period) in known_hosts and .shosts instead of "foo.example.com" Trivial patch attached. -- Carson -------------- next part -------------- An embedded and charset-unspecified text was

There is a nasty problem when using hostbased authentication: [thomas at sarkovy ~]$ journalctl -l -f | grep -Fe 'sshd[' Okt 22 15:20:54 sarkovy sshd[35034]: userauth_hostbased mismatch: client sends htpc.koeller.dyndns.org, but we resolve 192.168.0.2 to 192.168.0.2 Okt 22 15:20:54 sarkovy sshd[35034]: Connection closed by authenticating user thomas 192.168.0.2 port 36284 [preauth] ^C

openssh-3.0p1 still contains the bug which I already reported on Sept. 28 2001 for 2.9p2, namely, the trailing dot in chost should be stripped before calling auth_rhosts2() even with option "HostbasedUsesNameFromPacketOnly yes". Otherwise, the host names in /etc/hosts.equiv and .rhosts would have to be dot-terminated. Fix: Move lines 776-779 of auth2.c upwards to after line 767. (These

As far as I know this patch has no security implications -- I don't believe that allowing sshd to use get_local_name() (in canohost.c) on a connected socket to determine it's own fqdn will allow a malicious client (or router or dns server) to make it come to the wrong conclusion. But please let me know if you think I'm wrong. Please also let me know if you're just not interested

On Mon, 23 Oct 2023 at 00:43, Thomas K?ller <thomas at koeller.dyndns.org> wrote: > There is a nasty problem when using hostbased authentication: Suggestions: - "host" does DNS lookups, but is your system's nsswitch.conf or equivalent actually configured to use DNS? - have you turned off DNS lookups in sshd with "UseDNS no" in sshd_config? - you could try

On 18.08.23 07:39, Darren Tucker wrote: > On Fri, 18 Aug 2023 at 15:25, Stuart Longland VK4MSL <me at vk4msl.com> wrote: > [...] >> The crux of this is that we cannot assume the local IPv4 address is >> unique, since it's not (and in many cases, not even static). > > If the IP address is not significant, you can tell ssh to not record > them ("CheckHostIP

https://bugzilla.mindrot.org/show_bug.cgi?id=1569 Summary: Hostbased auth fails when using a proxy command Product: Portable OpenSSH Version: 5.2p1 Platform: All OS/Version: All Status: NEW Severity: normal Priority: P2 Component: ssh AssignedTo: unassigned-bugs at mindrot.org ReportedBy:

Dear openssh developers and users, I'm new to the list, and my apologies if this question has been asked before. I've tried to look for answers and haven't succeeded, which is why I'm asking. Here's the situation: I'm connect to a dual-stacked host with A and AAAA records. The IPv6 connectivity to the host is broken. When connecting to the host directly from my client

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I've noticed that when I use ProxyCommand commands to connect, the commands do not exit when ssh exits. This results in a bunch of commands piling up on the machine over time. I experimented with four machines: linux-2.2.19+patches, openssh-3.0.1p1 linux-2.2.14+patches, openssh-3.0.1p1 freebsd-4.5-stable, openssh-2.9 localisations 20020307

Hello Damien, Brian and all, thanks for the suggestions. I actually had not considered host-based authentication and looked it up. As I understand from my first quick reading, I would need to specify the clients which are allowed to use host-based auth on the server with a DNS name or an IP, which would not work for a client behind a CG NAT or in a cellular network. Or did I get this wrong?

Hi Scott, You've entirely missed my point. Yes, if I connect directly to a host, I can use '-4' to force IPv4. When connecting through a proxy, I can't easily control which address family to use, nor the TCP connect timeout. Sure, if I use netcat to proxy, I could supply a '-4' to it to force connecting over IPv4. But making that permanent is also a pain because I want

Hi, Based on some experimentation with 5.4p1 and a cursory examination of the source code, it doesn't look like hostbased authentication takes advantage of certificates other than to authenticate the server. Is that correct? In cluster environments, hostbased authentication is still useful but the size of the ssh_known_hosts file can become unwieldy in large clusters. As an example, a few

Hi, We want to use Hostbased Authentication in OpenSSH 3.4p1 completely based on rhosts or shosts. Don't want to have any keys exchange between server and client. Created /etc/ssh/sshd_config on OpenSSH server with: RhostsAuthentication yes IgnoreRhosts no HostbasedAuthentication yes Created /etc/ssh/ssh_config on client with: Host * HostbasedAuthentication yes Created /etc/rhosts.equiv,

Hi, is there any way to use hostbased authentication without the need to have the SSH host keys stored in a known_hosts file? We run a large cluster where we need to have passwordless remote login available. We currently do that with hostbased SSH authentication. But it is error-prone and a lot of work to keep the known_hosts file up to date on all hosts. (This is the same situation like DNS vs

Hello, I've troubles getting the hostbased method to work. I've given up on system-to-system for now (different versions), and I'm just trying to debug localhost. As far as I can see, the key is accepted, but then a sudden "Failed hostbased" is returned: [...] debug3: mm_answer_keyallowed: key 0x8099bc0 is disallowed debug3: mm_append_debug: Appending debug messages for

On 11/11/23 9:31 PM, Damien Miller wrote: > It's not discouraged so much as rarely used. It's very useful in some > situations and I can think of good reasons to use it more often (e.g > requiring both host and user identity as part of authentication). > > It definitely has more rough edges than user publickey authentication - > it's harder to set up (admin only)