Mailing List Archive

problem with HostbasedAuthentication
Hi,
I am trying to set up a hostbased passwordless ssh from a client to a server using this guide http://www.ehow.com/how_7621307_set-up-hostbased-authentication.html.

The client looks like:

mahmood@client:~$ cat /etc/ssh/ssh_config  | grep "HostbasedAuthentication"
   HostbasedAuthentication yes 
mahmood@client:~$ cat /etc/ssh/ssh_config  | grep "EnableSSHKeysign"
   EnableSSHKeysign yes


and the server looks like:
mahmood@server:~$ cat /etc/ssh/sshd_config  | grep "HostbasedAuthentication"
HostbasedAuthentication yes 
mahmood@server:~$ cat /etc/ssh/sshd_config  | grep "IgnoreRhosts"
IgnoreRhosts no 

also the server has the key for client:

mahmood@server:~$ cat /etc/ssh/ssh_known_hosts 
client ssh-rsa AAAAB3Nz.....

the ~/.shosts file on the server contains:
mahmood@server:~$ cat .shosts 
client.domain mahmood

Then on both server and client, the ssh service is restarted:
mahmood@client:~$ sudo service ssh restart
ssh start/running, process 1355
mahmood@server:~$ sudo service ssh restart
ssh start/running, process 28982

However, when I run "ssh -vvv server" from client (to show the verbose messages), I still get the password prompt.

mahmood@client:~$ ssh -vvv server
OpenSSH_5.3p1 Debian-3ubuntu6, OpenSSL 0.9.8k 25 Mar 2009
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to server [192.168.1.1] port 22.
debug1: Connection established.
debug1: identity file /home/mahmood/.ssh/identity type -1
debug1: identity file /home/mahmood/.ssh/id_rsa type -1
debug1: identity file /home/mahmood/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3p1 Debian-3ubuntu4
debug1: match: OpenSSH_5.3p1 Debian-3ubuntu4 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu6
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug3: Wrote 792 bytes for a total of 831
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug3: Wrote 24 bytes for a total of 855
debug2: dh_gen_key: priv key bits set: 124/256
debug2: bits set: 507/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: Wrote 144 bytes for a total of 999
debug3: check_host_in_hostfile: filename /home/mahmood/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug3: check_host_in_hostfile: filename /home/mahmood/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 2
debug1: Host 'server' is known and matches the RSA host key.
debug1: Found key in /home/mahmood/.ssh/known_hosts:1
debug2: bits set: 503/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: Wrote 16 bytes for a total of 1015
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug3: Wrote 48 bytes for a total of 1063
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/mahmood/.ssh/identity ((nil))
debug2: key: /home/mahmood/.ssh/id_rsa ((nil))
debug2: key: /home/mahmood/.ssh/id_dsa ((nil))
debug3: Wrote 64 bytes for a total of 1127
debug1: Authentications that can continue: publickey,password,hostbased
debug3: start over, passed a different list publickey,password,hostbased
debug3: preferred gssapi-keyex,gssapi-with-mic,gssapi,hostbased,publickey,keyboard-interactive,password
debug3: authmethod_lookup hostbased
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled hostbased
debug1: Next authentication method: hostbased
debug2: userauth_hostbased: chost client.
debug2: ssh_keysign called
debug3: ssh_msg_send: type 2
debug3: ssh_msg_recv entering
debug1: permanently_drop_suid: 1000
debug2: we sent a hostbased packet, wait for reply
debug3: Wrote 608 bytes for a total of 1735
debug1: Authentications that can continue: publickey,password,hostbased
debug2: userauth_hostbased: chost client.
debug2: ssh_keysign called
debug3: ssh_msg_send: type 2
debug3: ssh_msg_recv entering
debug1: permanently_drop_suid: 1000
debug2: we sent a hostbased packet, wait for reply
debug3: Wrote 672 bytes for a total of 2407
debug1: Authentications that can continue: publickey,password,hostbased
debug1: No more client hostkeys for hostbased authentication.
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/mahmood/.ssh/identity
debug3: no such identity: /home/mahmood/.ssh/identity
debug1: Trying private key: /home/mahmood/.ssh/id_rsa
debug3: no such identity: /home/mahmood/.ssh/id_rsa
debug1: Trying private key: /home/mahmood/.ssh/id_dsa
debug3: no such identity: /home/mahmood/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
mahmood@server's password: 


Any idea about that?
 
// Naderan *Mahmood;
Re: problem with HostbasedAuthentication [ In reply to ]
On Wed, Apr 27, 2011 at 1:12 AM, Mahmood Naderan <nt_mahmood@yahoo.com> wrote:
>>Change the order method. Have hostbased before password
>
> Sorry where should I do that?

man ssh_config and look into PreferredAuthentications

>
> // Naderan *Mahmood;
>
> From: Asif Iqbal <vadud3@gmail.com>
> To: Mahmood Naderan <nt_mahmood@yahoo.com>
> Cc: "secureshell@securityfocus.com" <secureshell@securityfocus.com>
> Sent: Wednesday, April 27, 2011 9:17 AM
> Subject: Re: problem with HostbasedAuthentication
>
>
> Change the order method. Have hostbased before password
> On Apr 26, 2011 11:52 PM, "Mahmood Naderan" <nt_mahmood@yahoo.com> wrote:

--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
Re: problem with HostbasedAuthentication [ In reply to ]
Sometimes the issue lies with the hostname as well. What I mean by that is the known_hosts may have just the host name, whereas when the connection is established, the debug shows the FQDN. I faced this issue, so to be sure, I edited the known_hosts file and inserted the hostname, the hostname's FQDN and its IP address (all comma separated).

Also ensure that both the hosts' known_hosts files have the opposite server's names (as prescribed above).

All the above checks make it work for me.

Hope this solves.

Kind regards,
Sharad
--- On Thu, 28/4/11, Asif Iqbal <vadud3@gmail.com> wrote:

> From: Asif Iqbal <vadud3@gmail.com>
> Subject: Re: problem with HostbasedAuthentication
> To: "Mahmood Naderan" <nt_mahmood@yahoo.com>
> Cc: "secureshell@securityfocus.com" <secureshell@securityfocus.com>
> Date: Thursday, 28 April, 2011, 12:38 AM
>
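The hostname mismatch described in the reply above can be checked mechanically. This is an added example, not part of the original thread: it compares the name the client announces in `ssh -vvv` with the names listed in the server's `ssh_known_hosts` and `.shosts`. The FQDN `client.domain` as the name the server resolves, the address 192.0.2.10, the helper names and the plain string comparison (no wildcard patterns, no netgroups) are assumptions.

```python
import re

# Constructed inputs modelled on the values quoted in this thread.
SSH_DEBUG = (
    "debug1: Next authentication method: hostbased\n"
    "debug2: userauth_hostbased: chost client.\n"
    "debug2: we sent a hostbased packet, wait for reply\n"
)
KNOWN_HOSTS = "client ssh-rsa AAAAB3Nz.....\n"   # server: /etc/ssh/ssh_known_hosts
SHOSTS = "client.domain mahmood\n"               # server: ~/.shosts


def client_hostnames(debug_output):
    """Names announced by the client (chost), trailing dot removed, in order seen."""
    names = []
    for match in re.finditer(r"userauth_hostbased: chost (\S+)", debug_output):
        name = match.group(1).rstrip(".").lower()
        if name and name not in names:
            names.append(name)
    return names


def known_hosts_names(text):
    """Return (set of plain host names, number of hashed entries) from known_hosts text."""
    names, hashed = set(), 0
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):        # @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) < 2:
            continue
        if fields[0].startswith("|1|"):      # hashed entry: cannot be compared as text
            hashed += 1
            continue
        names.update(h.lower() for h in fields[0].split(",") if h)
    return names, hashed


def shosts_entries(text):
    """Return [(host, user or None)] from .shosts text; +/-/@ entries are skipped."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields or fields[0][0] in "+-@":
            continue
        entries.append((fields[0].lower(), fields[1] if len(fields) > 1 else None))
    return entries


def diagnose(candidates, known_hosts_text, shosts_text, user):
    """For each candidate client name, say whether each server-side file lists it.

    Simplification (assumption): an .shosts line without a user matches any user.
    """
    names, hashed = known_hosts_names(known_hosts_text)
    entries = shosts_entries(shosts_text)
    report = {}
    for cand in candidates:
        cand = cand.rstrip(".").lower()
        report[cand] = {
            "known_hosts": cand in names,
            "shosts": any(h == cand and u in (None, user) for h, u in entries),
        }
    return report, hashed


def names_passing(report):
    """Candidate names that appear in both files."""
    return [n for n, r in report.items() if r["known_hosts"] and r["shosts"]]


if __name__ == "__main__":
    # Name sent by the client plus the FQDN the server may resolve (assumed).
    candidates = client_hostnames(SSH_DEBUG) + ["client.domain"]
    before, _ = diagnose(candidates, KNOWN_HOSTS, SHOSTS, "mahmood")
    print("as posted:", before, "->", names_passing(before))

    # Comma-separated short name, FQDN and IP on one known_hosts line
    # (192.0.2.10 is a constructed address).
    fixed = "client,client.domain,192.0.2.10 ssh-rsa AAAAB3Nz.....\n"
    after, _ = diagnose(candidates, fixed, SHOSTS, "mahmood")
    print("with all names listed:", after, "->", names_passing(after))
```

With the files as posted, no single name appears in both `ssh_known_hosts` and `.shosts`; with the short name and FQDN on the same key line, `client.domain` does.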
Re: problem with HostbasedAuthentication [ In reply to ]
Can you explain exactly which file I should edit? What is FQDN? By 'hostname', do you mean server hostname or client hostname?
Should I do that on both sides or server side?...

// Naderan *Mahmood;


----- Original Message -----
From: Sharad <sharad2011@yahoo.com>
To: Mahmood Naderan <nt_mahmood@yahoo.com>; Asif Iqbal <vadud3@gmail.com>
Cc: "secureshell@securityfocus.com" <secureshell@securityfocus.com>
Sent: Thursday, April 28, 2011 1:16 PM
Subject: Re: problem with HostbasedAuthentication

Sometimes the issue lies with hostname as well. What I mean with that is the known_hosts may have just the host name where as when the connection is established, the debug shows the FQDN. I faced this issue so to be sure, I edited the known_hosts file and inserted the hostname, hostname's FQDN and it's IP address (all comma separated).

Also ensure that you both the hosts' known_hosts files have opposite servers names (as prescribed above).

All the above checks makes it work for me.

Hope this solves.

Kind regards,
Sharad
--- On Thu, 28/4/11, Asif Iqbal <vadud3@gmail.com> wrote:

> From: Asif Iqbal <vadud3@gmail.com>
> Subject: Re: problem with HostbasedAuthentication
> To: "Mahmood Naderan" <nt_mahmood@yahoo.com>
> Cc: "secureshell@securityfocus.com" <secureshell@securityfocus.com>
> Date: Thursday, 28 April, 2011, 12:38 AM
> On Wed, Apr 27, 2011 at 1:12 AM,
> Mahmood Naderan <nt_mahmood@yahoo.com>
> wrote:
> >>Change the order method. Have hostbased before
> password
> >
> > Sorry where should I do that?
>
> man ssh_config and look into PreferredAuthentications
>
> >
> > // Naderan *Mahmood;
> >
> > From: Asif Iqbal <vadud3@gmail.com>
> > To: Mahmood Naderan <nt_mahmood@yahoo.com>
> > Cc: "secureshell@securityfocus.com"
> <secureshell@securityfocus.com>
> > Sent: Wednesday, April 27, 2011 9:17 AM
> > Subject: Re: problem with HostbasedAuthentication
> >
> >
> > Change the order method. Have hostbased before
> password
> > On Apr 26, 2011 11:52 PM, "Mahmood Naderan" <nt_mahmood@yahoo.com>
> wrote:
> >>
> >>
> >> Hi,
> >> I am trying to setup a hostbased passwrodless ssh
> from a client to a server using this guide http://www.ehow.com/how_7621307_set-up-hostbased-authentication.html.
> >>
> >> The client looks like:
> >>
> >> mahmood@client:~$ cat /etc/ssh/ssh_config  | grep
> "HostbasedAuthentication"
> >>    HostbasedAuthentication yes
> >> mahmood@client:~$ cat /etc/ssh/ssh_config  | grep
> "EnableSSHKeysign"
> >>    EnableSSHKeysign yes
> >>
> >>
> >> and the server looks like:
> >> mahmood@server:~$ cat /etc/ssh/sshd_config  |
> grep "HostbasedAuthentication"
> >> HostbasedAuthentication yes
> >> mahmood@server:~$ cat /etc/ssh/sshd_config  |
> grep "IgnoreRhosts"
> >> IgnoreRhosts no
> >>
> >> also the server has the key for client:
> >>
> >> mahmood@server:~$ cat /etc/ssh/ssh_known_hosts
> >> client ssh-rsa AAAAB3Nz.....
> >>
> >> the ~/.shosts file on the server contains:
> >> mahmood@server:~$ cat .shosts
> >> client.domain mahmood
> >>
> >> Then on both server and client, the ssh service is
> restarted:
> >> mahmood@client:~$ sudo service ssh restart
> >> ssh start/running, process 1355
> >> mahmood@server:~$ sudo service ssh restart
> >> ssh start/running, process 28982
> >>
> >> How, when I run "ssh -vvv server" from client (to
> show the verbose messages), I still get the password
> prompt.
> >>
> >>
> >>
> >> Any idea about that?
> >>
> >> // Naderan *Mahmood;
> >>
> >
>
>
>
> --
> Asif Iqbal
> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
> A: Because it messes up the order in which people normally
> read text.
> Q: Why is top-posting such a bad thing?
>
Re: problem with HostbasedAuthentication [ In reply to ]
Mahmood,

The files are /home/username/.ssh/known_hosts on both server and client.

By FQDN, I meant host's fully qualified domain name.

Following is the example:

Assuming both client and server are linux hosts:

Server IP: 192.168.1.1
Client IP: 192.168.1.101

Server Name: lnx_srvr_1.domain.com
Client Name: lnx_clnt_101.domain.com

User name on each host is mahmood.

Following would be the entries in .shosts on lnx_srvr_1


lnx_srvr_1:/home/mahmood $ cat .shosts

lnx_clnt_101.domain.com mahmood
192.168.1.101 mahmood
lnx_clnt_101 mahmood

Following should exist in /home/mahmood/.ssh/known_hosts file on the server side:
192.168.1.101,lnx_clnt_101,lnx_clnt_101.domain.com ssh-rsa AAAAB3Nz...

Following should also exist in /home/mahmood/.ssh/known_hosts file on the client side:
192.168.1.1,lnx_srvr_1,lnx_srvr_1.domain.com ssh-rsa AAAAB3Nz...

Ensure that the .ssh directory on both client and server is rwx for owner only and group/rest of world is 000.

Hope this helps! Good Luck! :)

Regards,
Sharad
--- On Thu, 28/4/11, Mahmood Naderan <nt_mahmood@yahoo.com> wrote:

> From: Mahmood Naderan <nt_mahmood@yahoo.com>
> Subject: Re: problem with HostbasedAuthentication
> To: "Sharad" <sharad2011@yahoo.com>
> Cc: "secureshell@securityfocus.com" <secureshell@securityfocus.com>
> Date: Thursday, 28 April, 2011, 3:54 PM
> Can you explain exactly which file I
> should edit? What is FQDN? By 'hostname', do you mean server
> hostname or client hostname?
> Should I do that on both sides or the server side?...
>
> // Naderan *Mahmood;
>
>
> ----- Original Message -----
> From: Sharad <sharad2011@yahoo.com>
> To: Mahmood Naderan <nt_mahmood@yahoo.com>; Asif Iqbal <vadud3@gmail.com>
> Cc: "secureshell@securityfocus.com" <secureshell@securityfocus.com>
> Sent: Thursday, April 28, 2011 1:16 PM
> Subject: Re: problem with HostbasedAuthentication
>
> Sometimes the issue lies with the hostname as well. What I mean
> by that is that known_hosts may have just the host name,
> whereas when the connection is established, the debug shows
> the FQDN. I faced this issue, so to be sure, I edited the
> known_hosts file and inserted the hostname, the hostname's FQDN
> and its IP address (all comma separated).
>
> Also ensure that both the hosts' known_hosts files have
> the opposite server's names (as prescribed above).
>
> All the above checks make it work for me.
>
> Hope this solves it.
>
> Kind regards,
> Sharad
> --- On Thu, 28/4/11, Asif Iqbal <vadud3@gmail.com> wrote:
>
> > From: Asif Iqbal <vadud3@gmail.com>
> > Subject: Re: problem with HostbasedAuthentication
> > To: "Mahmood Naderan" <nt_mahmood@yahoo.com>
> > Cc: "secureshell@securityfocus.com" <secureshell@securityfocus.com>
> > Date: Thursday, 28 April, 2011, 12:38 AM
> > On Wed, Apr 27, 2011 at 1:12 AM, Mahmood Naderan <nt_mahmood@yahoo.com> wrote:
> > >> Change the order method. Have hostbased before password
> > >
> > > Sorry where should I do that?
> >
> > man ssh_config and look into PreferredAuthentications
> >
> > >
> > > // Naderan *Mahmood;
> > >
> > > From: Asif Iqbal <vadud3@gmail.com>
> > > To: Mahmood Naderan <nt_mahmood@yahoo.com>
> > > Cc: "secureshell@securityfocus.com" <secureshell@securityfocus.com>
> > > Sent: Wednesday, April 27, 2011 9:17 AM
> > > Subject: Re: problem with HostbasedAuthentication
> > >
> > >
> > > Change the order method. Have hostbased before password
> > > On Apr 26, 2011 11:52 PM, "Mahmood Naderan" <nt_mahmood@yahoo.com> wrote:
> > >>
> > >>
> > >> Hi,
> > >> I am trying to setup a hostbased passwordless ssh from a client to a server using this guide http://www.ehow.com/how_7621307_set-up-hostbased-authentication.html.
> > >>
> > >> The client looks like:
> > >>
> > >> mahmood@client:~$ cat /etc/ssh/ssh_config  | grep "HostbasedAuthentication"
> > >>    HostbasedAuthentication yes
> > >> mahmood@client:~$ cat /etc/ssh/ssh_config  | grep "EnableSSHKeysign"
> > >>    EnableSSHKeysign yes
> > >>
> > >>
> > >> and the server looks like:
> > >> mahmood@server:~$ cat /etc/ssh/sshd_config  | grep "HostbasedAuthentication"
> > >> HostbasedAuthentication yes
> > >> mahmood@server:~$ cat /etc/ssh/sshd_config  | grep "IgnoreRhosts"
> > >> IgnoreRhosts no
> > >>
> > >> also the server has the key for client:
> > >>
> > >> mahmood@server:~$ cat /etc/ssh/ssh_known_hosts
> > >> client ssh-rsa AAAAB3Nz.....
> > >>
> > >> the ~/.shosts file on the server contains:
> > >> mahmood@server:~$ cat .shosts
> > >> client.domain mahmood
> > >>
> > >> Then on both server and client, the ssh service is restarted:
> > >> mahmood@client:~$ sudo service ssh restart
> > >> ssh start/running, process 1355
> > >> mahmood@server:~$ sudo service ssh restart
> > >> ssh start/running, process 28982
> > >>
> > >> How, when I run "ssh -vvv server" from client (to show the verbose messages), I still get the password prompt.
> > >>
> > >>
> > >>
> > >> Any idea about that?
> > >>
> > >> // Naderan *Mahmood;
> > >>
> > >
> >
> >
> >
> > --
> > Asif Iqbal
> > PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
> > A: Because it messes up the order in which people normally read text.
> > Q: Why is top-posting such a bad thing?
> >
>
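Added example, not part of the thread and not OpenSSH code: a Python check of the name coverage described in the reply above, i.e. whether every name the client can be seen as (short name, FQDN, IP) is listed in the server's known_hosts and .shosts, and whether .ssh is owner-only. Function names and sample file contents are constructed for illustration and the key blob is a placeholder; it goes slightly beyond the reply by also handling wildcard, negated and hashed known_hosts entries.

```python
import base64
import hashlib
import hmac
import os
import re
import stat

# Constructed sample data (host names from the reply; key blob is a placeholder).
KNOWN_HOSTS_SERVER = (
    "# constructed: the client's FQDN is missing from this entry\n"
    "lnx_clnt_101,192.168.1.101 ssh-rsa AAAAB3NzPLACEHOLDER\n"
)
SHOSTS_SERVER = (
    "lnx_clnt_101.domain.com mahmood\n"
    "192.168.1.101 mahmood\n"
    "lnx_clnt_101 mahmood\n"
)
CLIENT_NAMES = ["lnx_clnt_101", "lnx_clnt_101.domain.com", "192.168.1.101"]


def _pattern_matches(pattern, name):
    """known_hosts pattern match: only '*' and '?' are wildcards, case-insensitive."""
    rx = re.escape(pattern.lower()).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, name.lower()) is not None


def _hashed_matches(field, name):
    """Match a hashed entry of the form |1|b64(salt)|b64(HMAC-SHA1(salt, name))."""
    try:
        _, magic, salt_b64, mac_b64 = field.split("|")
        salt, mac = base64.b64decode(salt_b64), base64.b64decode(mac_b64)
    except ValueError:  # wrong field count or bad base64
        return False
    digest = hmac.new(salt, name.lower().encode(), hashlib.sha1).digest()
    return magic == "1" and hmac.compare_digest(digest, mac)


def keys_for_name(known_hosts_text, name):
    """Return the set of (keytype, blob) pairs the file lists for this name."""
    found = set()
    for line in known_hosts_text.splitlines():
        fields = line.split()
        # Skip blanks, comments, @cert-authority/@revoked markers, short lines.
        if len(fields) < 3 or fields[0][0] in "#@":
            continue
        hosts, keytype, blob = fields[:3]
        if hosts.startswith("|"):
            hit = _hashed_matches(hosts, name)
        else:
            pats = hosts.split(",")
            negated = any(_pattern_matches(p[1:], name)
                          for p in pats if p.startswith("!"))
            hit = not negated and any(_pattern_matches(p, name)
                                      for p in pats if not p.startswith("!"))
        if hit:
            found.add((keytype, blob))
    return found


def shosts_allows(shosts_text, name, user):
    """True if a plain 'host [user]' line covers this host and user.

    A line with no user field applies to the same-named account. The '+',
    '-' and netgroup forms are not interpreted in this sketch.
    """
    for line in shosts_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or len(fields) > 2:
            continue
        allowed_user = fields[1] if len(fields) == 2 else user
        if fields[0].lower() == name.lower() and allowed_user == user:
            return True
    return False


def owner_only(path):
    """True if group and others have no permission bits on path (e.g. 0700)."""
    return (stat.S_IMODE(os.stat(path).st_mode) & 0o077) == 0


def audit(known_hosts_text, shosts_text, names, user):
    """Report which names are missing and which key types have conflicting blobs."""
    by_type, missing_kh, missing_sh = {}, [], []
    for n in names:
        keys = keys_for_name(known_hosts_text, n)
        if not keys:
            missing_kh.append(n)
        for keytype, blob in keys:
            by_type.setdefault(keytype, set()).add(blob)
        if not shosts_allows(shosts_text, n, user):
            missing_sh.append(n)
    return {
        "missing_known_hosts": missing_kh,
        "missing_shosts": missing_sh,
        "conflicting_keys": sorted(t for t, b in by_type.items() if len(b) > 1),
    }


if __name__ == "__main__":
    print(audit(KNOWN_HOSTS_SERVER, SHOSTS_SERVER, CLIENT_NAMES, "mahmood"))
```

Run against the real files by reading them into strings and passing every name the peer resolves to; an empty `missing_known_hosts` list corresponds to the comma-separated entry shown in the reply.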
Re: problem with HostbasedAuthentication [ In reply to ]
Dear Sharad,
I am now trying to set up a hostbased ssh from server to client (previously client->server worked fine based on your help). I want it to be bidirectional.

I did the same thing in reverse (now the client becomes the server and the server becomes the client). However this is what I get while trying to ssh from server to client:

debug3: Wrote 48 bytes for a total of 1063
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/mahmood/.ssh/identity ((nil))
debug2: key: /home/mahmood/.ssh/id_rsa ((nil))
debug2: key: /home/mahmood/.ssh/id_dsa ((nil))
debug3: Wrote 64 bytes for a total of 1127
debug1: Authentications that can continue: publickey,password,hostbased
debug3: start over, passed a different list publickey,password,hostbased
debug3: preferred gssapi-keyex,gssapi-with-mic,gssapi,hostbased,publickey,keyboard-interactive,password
debug3: authmethod_lookup hostbased
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled hostbased
debug1: Next authentication method: hostbased
get_socket_address: getnameinfo 8 failed: Name or service not known
debug2: userauth_hostbased: chost server.
debug2: ssh_keysign called
debug3: ssh_msg_send: type 2
debug3: ssh_msg_recv entering
debug1: permanently_drop_suid: 1000
get_socket_address: getnameinfo 8 failed: Name or service not known
cannot get sockname for fd
ssh_keysign: no reply
key_sign failed
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/mahmood/.ssh/identity
debug3: no such identity: /home/mahmood/.ssh/identity
debug1: Trying private key: /home/mahmood/.ssh/id_rsa
debug3: no such identity: /home/mahmood/.ssh/id_rsa
debug1: Trying private key: /home/mahmood/.ssh/id_dsa
debug3: no such identity: /home/mahmood/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
mahmood@192.168.1.3's password:

 
What is your suggestion?

// Naderan *Mahmood;


----- Original Message -----
From: Sharad <sharad2011@yahoo.com>
To: Mahmood Naderan <nt_mahmood@yahoo.com>
Cc: "secureshell@securityfocus.com" <secureshell@securityfocus.com>
Sent: Thursday, April 28, 2011 5:20 PM
Subject: Re: problem with HostbasedAuthentication

Mahmood,

The files are /home/username/.ssh/known_hosts on both server and client.

By FQDN, I meant host's fully qualified domain name.

Following is the example:

Assuming both client and server are linux hosts:

Server IP: 192.168.1.1
Client IP: 192.168.1.101

Server Name: lnx_srvr_1.domain.com
Client Name: lnx_clnt_101.domain.com

User name on each host is mahmood.

Following would be the entries in .shosts on lnx_srvr_1


lnx_srvr_1:/home/mahmood $ cat .shosts

lnx_clnt_101.domain.com mahmood
192.168.1.101 mahmood
lnx_clnt_101 mahmood

Following should exist in /home/mahmood/.ssh/known_hosts file on the server side:
192.168.1.101,lnx_clnt_101,lnx_clnt_101.domain.com  ssh-rsa AAAAB3Nz...

Following should also exist in /home/mahmood/.ssh/known_hosts file on the client side:
192.168.1.1,lnx_srvr_1,lnx_srvr_1.domain.com  ssh-rsa AAAAB3Nz...

Ensure that the .ssh directory on both client and server is rwx for owner only and group/rest of world is 000.

Hope this helps! Good Luck! :)

Regards,
Sharad 
--- On Thu, 28/4/11, Mahmood Naderan <nt_mahmood@yahoo.com> wrote:

> From: Mahmood Naderan <nt_mahmood@yahoo.com>
> Subject: Re: problem with HostbasedAuthentication
> To: "Sharad" <sharad2011@yahoo.com>
> Cc: "secureshell@securityfocus.com" <secureshell@securityfocus.com>
> Date: Thursday, 28 April, 2011, 3:54 PM
> Can you explain exactly which file I
> should edit? What is FQDN? By 'hostname', do you mean server
> hostname or client hostname?
> Should I do that on both sides or the server side?...
>
> // Naderan *Mahmood;
>
>
> ----- Original Message -----
> From: Sharad <sharad2011@yahoo.com>
> To: Mahmood Naderan <nt_mahmood@yahoo.com>; Asif Iqbal <vadud3@gmail.com>
> Cc: "secureshell@securityfocus.com" <secureshell@securityfocus.com>
> Sent: Thursday, April 28, 2011 1:16 PM
> Subject: Re: problem with HostbasedAuthentication
>
> Sometimes the issue lies with the hostname as well. What I mean
> by that is that known_hosts may have just the host name,
> whereas when the connection is established, the debug shows
> the FQDN. I faced this issue, so to be sure, I edited the
> known_hosts file and inserted the hostname, the hostname's FQDN
> and its IP address (all comma separated).
>
> Also ensure that both the hosts' known_hosts files have
> the opposite server's names (as prescribed above).
>
> All the above checks make it work for me.
>
> Hope this solves it.
>
> Kind regards,
> Sharad
> --- On Thu, 28/4/11, Asif Iqbal <vadud3@gmail.com> wrote:
>
> > From: Asif Iqbal <vadud3@gmail.com>
> > Subject: Re: problem with HostbasedAuthentication
> > To: "Mahmood Naderan" <nt_mahmood@yahoo.com>
> > Cc: "secureshell@securityfocus.com" <secureshell@securityfocus.com>
> > Date: Thursday, 28 April, 2011, 12:38 AM
> > On Wed, Apr 27, 2011 at 1:12 AM, Mahmood Naderan <nt_mahmood@yahoo.com> wrote:
> > >> Change the order method. Have hostbased before password
> > >
> > > Sorry where should I do that?
> >
> > man ssh_config and look into PreferredAuthentications
> >
> > >
> > > // Naderan *Mahmood;
> > >
> > > From: Asif Iqbal <vadud3@gmail.com>
> > > To: Mahmood Naderan <nt_mahmood@yahoo.com>
> > > Cc: "secureshell@securityfocus.com" <secureshell@securityfocus.com>
> > > Sent: Wednesday, April 27, 2011 9:17 AM
> > > Subject: Re: problem with HostbasedAuthentication
> > >
> > >
> > > Change the order method. Have hostbased before password
> > > On Apr 26, 2011 11:52 PM, "Mahmood Naderan" <nt_mahmood@yahoo.com> wrote:
> > >>
> > >>
> > >> Hi,
> > >> I am trying to setup a hostbased passwordless ssh from a client to a server using this guide http://www.ehow.com/how_7621307_set-up-hostbased-authentication.html.
> > >>
> > >> The client looks like:
> > >>
> > >> mahmood@client:~$ cat /etc/ssh/ssh_config  | grep "HostbasedAuthentication"
> > >>    HostbasedAuthentication yes
> > >> mahmood@client:~$ cat /etc/ssh/ssh_config  | grep "EnableSSHKeysign"
> > >>    EnableSSHKeysign yes
> > >>
> > >>
> > >> and the server looks like:
> > >> mahmood@server:~$ cat /etc/ssh/sshd_config  | grep "HostbasedAuthentication"
> > >> HostbasedAuthentication yes
> > >> mahmood@server:~$ cat /etc/ssh/sshd_config  | grep "IgnoreRhosts"
> > >> IgnoreRhosts no
> > >>
> > >> also the server has the key for client:
> > >>
> > >> mahmood@server:~$ cat /etc/ssh/ssh_known_hosts
> > >> client ssh-rsa AAAAB3Nz.....
> > >>
> > >> the ~/.shosts file on the server contains:
> > >> mahmood@server:~$ cat .shosts
> > >> client.domain mahmood
> > >>
> > >> Then on both server and client, the ssh service is restarted:
> > >> mahmood@client:~$ sudo service ssh restart
> > >> ssh start/running, process 1355
> > >> mahmood@server:~$ sudo service ssh restart
> > >> ssh start/running, process 28982
> > >>
> > >> How, when I run "ssh -vvv server" from client (to show the verbose messages), I still get the password prompt.
> > >>
> > >>
> > >>
> > >> Any idea about that?
> > >>
> > >> // Naderan *Mahmood;
> > >>
> > >
> >
> >
> >
> > --
> > Asif Iqbal
> > PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
> > A: Because it messes up the order in which people
> normally
> > read text.
> > Q: Why is top-posting such a bad thing?
> >
>
Re: problem with HostbasedAuthentication [ In reply to ]
On Thu, Apr 28, 2011 at 1:54 AM, Mahmood Naderan <nt_mahmood@yahoo.com> wrote:
>>man ssh_config and look into PreferredAuthentications
> I added this line to sshd_config:
> ...
> HostbasedAuthentication yes
> PreferredAuthentications hostbased,keyboard-interactive,password,publickey
> ...
>
> after restarting the service, the connection is refused while connecting to server from client:

restart was not necessary.

>
> mahmood@client:~$ ssh -vvv server
> OpenSSH_5.3p1 Debian-3ubuntu6, OpenSSL 0.9.8k 25 Mar 2009
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug2: ssh_connect: needpriv 0
> debug1: Connecting to server [192.168.1.1] port 22.
> debug1: connect to address 192.168.1.1 port 22: Connection refused
> ssh: connect to host server port 22: Connection refused

If the suggestion from Sharad did not help, post the debug output of
the sshd as well.

>
>>It could be a permissions issue.  Try 'chmod 600 ~/.shosts'.
> I changed to 600 however still get the same prompt
>
>
> // Naderan *Mahmood;
>
>
> ----- Original Message -----
> From: Asif Iqbal <vadud3@gmail.com>
> To: Mahmood Naderan <nt_mahmood@yahoo.com>
> Cc: "secureshell@securityfocus.com" <secureshell@securityfocus.com>
> Sent: Wednesday, April 27, 2011 11:38 PM
> Subject: Re: problem with HostbasedAuthentication
>
> On Wed, Apr 27, 2011 at 1:12 AM, Mahmood Naderan <nt_mahmood@yahoo.com> wrote:
>>>Change the order method. Have hostbased before password
>>
>> Sorry where should I do that?
>
> man ssh_config and look into PreferredAuthentications
>
>>
>> // Naderan *Mahmood;
>>
>> From: Asif Iqbal <vadud3@gmail.com>
>> To: Mahmood Naderan <nt_mahmood@yahoo.com>
>> Cc: "secureshell@securityfocus.com" <secureshell@securityfocus.com>
>> Sent: Wednesday, April 27, 2011 9:17 AM
>> Subject: Re: problem with HostbasedAuthentication
>>
>>
>> Change the order method. Have hostbased before password
>> On Apr 26, 2011 11:52 PM, "Mahmood Naderan" <nt_mahmood@yahoo.com> wrote:
>>>
>>>
>>> Hi,
>>> I am trying to setup a hostbased passwordless ssh from a client to a server using this guide http://www.ehow.com/how_7621307_set-up-hostbased-authentication.html.
>>>
>>> The client looks like:
>>>
>>> mahmood@client:~$ cat /etc/ssh/ssh_config  | grep "HostbasedAuthentication"
>>>    HostbasedAuthentication yes
>>> mahmood@client:~$ cat /etc/ssh/ssh_config  | grep "EnableSSHKeysign"
>>>    EnableSSHKeysign yes
>>>
>>>
>>> and the server looks like:
>>> mahmood@server:~$ cat /etc/ssh/sshd_config  | grep "HostbasedAuthentication"
>>> HostbasedAuthentication yes
>>> mahmood@server:~$ cat /etc/ssh/sshd_config  | grep "IgnoreRhosts"
>>> IgnoreRhosts no
>>>
>>> also the server has the key for client:
>>>
>>> mahmood@server:~$ cat /etc/ssh/ssh_known_hosts
>>> client ssh-rsa AAAAB3Nz.....
>>>
>>> the ~/.shosts file on the server contains:
>>> mahmood@server:~$ cat .shosts
>>> client.domain mahmood
>>>
>>> Then on both server and client, the ssh service is restarted:
>>> mahmood@client:~$ sudo service ssh restart
>>> ssh start/running, process 1355
>>> mahmood@server:~$ sudo service ssh restart
>>> ssh start/running, process 28982
>>>
>>> However, when I run "ssh -vvv server" from client (to show the verbose messages), I still get the password prompt.
>>>
>>> mahmood@client:~$ ssh -vvv server
>>> OpenSSH_5.3p1 Debian-3ubuntu6, OpenSSL 0.9.8k 25 Mar 2009
>>> debug1: Reading configuration data /etc/ssh/ssh_config
>>> debug1: Applying options for *
>>> debug2: ssh_connect: needpriv 0
>>> debug1: Connecting to server [192.168.1.1] port 22.
>>> debug1: Connection established.
>>> debug1: identity file /home/mahmood/.ssh/identity type -1
>>> debug1: identity file /home/mahmood/.ssh/id_rsa type -1
>>> debug1: identity file /home/mahmood/.ssh/id_dsa type -1
>>> debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3p1 Debian-3ubuntu4
>>> debug1: match: OpenSSH_5.3p1 Debian-3ubuntu4 pat OpenSSH*
>>> debug1: Enabling compatibility mode for protocol 2.0
>>> debug1: Local version string SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu6
>>> debug2: fd 3 setting O_NONBLOCK
>>> debug1: SSH2_MSG_KEXINIT sent
>>> debug3: Wrote 792 bytes for a total of 831
>>> debug1: SSH2_MSG_KEXINIT received
>>> debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-
>>> group1-sha1
>>> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
>>> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-
>>> cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
>>> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-
>>> cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
>>> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-
>>> md5-96
>>> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-
>>> md5-96
>>> debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
>>> debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
>>> debug2: kex_parse_kexinit:
>>> debug2: kex_parse_kexinit:
>>> debug2: kex_parse_kexinit: first_kex_follows 0
>>> debug2: kex_parse_kexinit: reserved 0
>>> debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-
>>> group1-sha1
>>> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
>>> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-
>>> cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
>>> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-
>>> cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
>>> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-
>>> md5-96
>>> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-
>>> md5-96
>>> debug2: kex_parse_kexinit: none,zlib@openssh.com
>>> debug2: kex_parse_kexinit: none,zlib@openssh.com
>>> debug2: kex_parse_kexinit:
>>> debug2: kex_parse_kexinit:
>>> debug2: kex_parse_kexinit: first_kex_follows 0
>>> debug2: kex_parse_kexinit: reserved 0
>>> debug2: mac_setup: found hmac-md5
>>> debug1: kex: server->client aes128-ctr hmac-md5 none
>>> debug2: mac_setup: found hmac-md5
>>> debug1: kex: client->server aes128-ctr hmac-md5 none
>>> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
>>> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
>>> debug3: Wrote 24 bytes for a total of 855
>>> debug2: dh_gen_key: priv key bits set: 124/256
>>> debug2: bits set: 507/1024
>>> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
>>> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
>>> debug3: Wrote 144 bytes for a total of 999
>>> debug3: check_host_in_hostfile: filename /home/mahmood/.ssh/known_hosts
>>> debug3: check_host_in_hostfile: match line 1
>>> debug3: check_host_in_hostfile: filename /home/mahmood/.ssh/known_hosts
>>> debug3: check_host_in_hostfile: match line 2
>>> debug1: Host 'server' is known and matches the RSA host key.
>>> debug1: Found key in /home/mahmood/.ssh/known_hosts:1
>>> debug2: bits set: 503/1024
>>> debug1: ssh_rsa_verify: signature correct
>>> debug2: kex_derive_keys
>>> debug2: set_newkeys: mode 1
>>> debug1: SSH2_MSG_NEWKEYS sent
>>> debug1: expecting SSH2_MSG_NEWKEYS
>>> debug3: Wrote 16 bytes for a total of 1015
>>> debug2: set_newkeys: mode 0
>>> debug1: SSH2_MSG_NEWKEYS received
>>> debug1: SSH2_MSG_SERVICE_REQUEST sent
>>> debug3: Wrote 48 bytes for a total of 1063
>>> debug2: service_accept: ssh-userauth
>>> debug1: SSH2_MSG_SERVICE_ACCEPT received
>>> debug2: key: /home/mahmood/.ssh/identity ((nil))
>>> debug2: key: /home/mahmood/.ssh/id_rsa ((nil))
>>> debug2: key: /home/mahmood/.ssh/id_dsa ((nil))
>>> debug3: Wrote 64 bytes for a total of 1127
>>> debug1: Authentications that can continue: publickey,password,hostbased
>>> debug3: start over, passed a different list publickey,password,hostbased
>>> debug3: preferred gssapi-keyex,gssapi-with-mic,gssapi,hostbased,publickey,keyboard-interactive,password
>>> debug3: authmethod_lookup hostbased
>>> debug3: remaining preferred: publickey,keyboard-interactive,password
>>> debug3: authmethod_is_enabled hostbased
>>> debug1: Next authentication method: hostbased
>>> debug2: userauth_hostbased: chost client.
>>> debug2: ssh_keysign called
>>> debug3: ssh_msg_send: type 2
>>> debug3: ssh_msg_recv entering
>>> debug1: permanently_drop_suid: 1000
>>> debug2: we sent a hostbased packet, wait for reply
>>> debug3: Wrote 608 bytes for a total of 1735
>>> debug1: Authentications that can continue: publickey,password,hostbased
>>> debug2: userauth_hostbased: chost client.
>>> debug2: ssh_keysign called
>>> debug3: ssh_msg_send: type 2
>>> debug3: ssh_msg_recv entering
>>> debug1: permanently_drop_suid: 1000
>>> debug2: we sent a hostbased packet, wait for reply
>>> debug3: Wrote 672 bytes for a total of 2407
>>> debug1: Authentications that can continue: publickey,password,hostbased
>>> debug1: No more client hostkeys for hostbased authentication.
>>> debug2: we did not send a packet, disable method
>>> debug3: authmethod_lookup publickey
>>> debug3: remaining preferred: keyboard-interactive,password
>>> debug3: authmethod_is_enabled publickey
>>> debug1: Next authentication method: publickey
>>> debug1: Trying private key: /home/mahmood/.ssh/identity
>>> debug3: no such identity: /home/mahmood/.ssh/identity
>>> debug1: Trying private key: /home/mahmood/.ssh/id_rsa
>>> debug3: no such identity: /home/mahmood/.ssh/id_rsa
>>> debug1: Trying private key: /home/mahmood/.ssh/id_dsa
>>> debug3: no such identity: /home/mahmood/.ssh/id_dsa
>>> debug2: we did not send a packet, disable method
>>> debug3: authmethod_lookup password
>>> debug3: remaining preferred: ,password
>>> debug3: authmethod_is_enabled password
>>> debug1: Next authentication method: password
>>> mahmood@server's password:
>>>
>>>
>>> Any idea about that?
>>>
>>> // Naderan *Mahmood;
>>>
>>
>
>
>
> --
> Asif Iqbal
> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
>
>



--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
Re: problem with HostbasedAuthentication [ In reply to ]
Hi Mahmood,

This line looks out of place. Check that host name is getting resolved:

get_socket_address: getnameinfo 8 failed: Name or service not known

I am sure you would have performed the same steps on both hosts. Try establishing connection with IP Address instead of hostname.

Regards,
Sharad
--- On Thu, 28/4/11, Mahmood Naderan <nt_mahmood@yahoo.com> wrote:

> From: Mahmood Naderan <nt_mahmood@yahoo.com>
> Subject: Re: problem with HostbasedAuthentication
> To: "Sharad" <sharad2011@yahoo.com>
> Cc: "secureshell@securityfocus.com" <secureshell@securityfocus.com>
> Date: Thursday, 28 April, 2011, 11:12 PM
> Dear Sharad,
> I am now trying to setup a hostbased ssh from server to
> client (previously client->server worked fine based on
> your help). I want it to be bidirectional.
>  
> I did the same thing in reverse (now the client becomes
> server and the server becomes client). However this is what I
> get while trying to ssh from server to client:
>  
>  
> debug3: Wrote 48 bytes for a total of 1063
> debug2: service_accept: ssh-userauth
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug2: key: /home/mahmood/.ssh/identity ((nil))
> debug2: key: /home/mahmood/.ssh/id_rsa ((nil))
> debug2: key: /home/mahmood/.ssh/id_dsa ((nil))
> debug3: Wrote 64 bytes for a total of 1127
> debug1: Authentications that can continue:
> publickey,password,hostbased
> debug3: start over, passed a different list
> publickey,password,hostbased
> debug3: preferred
> gssapi-keyex,gssapi-with-mic,gssapi,hostbased,publickey,keyboard-interactive,password
> debug3: authmethod_lookup hostbased
> debug3: remaining preferred:
> publickey,keyboard-interactive,password
> debug3: authmethod_is_enabled hostbased
> debug1: Next authentication method: hostbased
> get_socket_address: getnameinfo 8 failed: Name or service
> not known
> debug2: userauth_hostbased: chost server.
> debug2: ssh_keysign called
> debug3: ssh_msg_send: type 2
> debug3: ssh_msg_recv entering
> debug1: permanently_drop_suid: 1000
> get_socket_address: getnameinfo 8 failed: Name or service
> not known
> cannot get sockname for fd
> ssh_keysign: no reply
> key_sign failed
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup publickey
> debug3: remaining preferred: keyboard-interactive,password
> debug3: authmethod_is_enabled publickey
> debug1: Next authentication method: publickey
> debug1: Trying private key: /home/mahmood/.ssh/identity
> debug3: no such identity: /home/mahmood/.ssh/identity
> debug1: Trying private key: /home/mahmood/.ssh/id_rsa
> debug3: no such identity: /home/mahmood/.ssh/id_rsa
> debug1: Trying private key: /home/mahmood/.ssh/id_dsa
> debug3: no such identity: /home/mahmood/.ssh/id_dsa
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup password
> debug3: remaining preferred: ,password
> debug3: authmethod_is_enabled password
> debug1: Next authentication method: password
> mahmood@192.168.1.3's password:
>
>  
> What is your suggestion?
>
> // Naderan *Mahmood;
>
>
> ----- Original Message -----
> From: Sharad <sharad2011@yahoo.com>
> To: Mahmood Naderan <nt_mahmood@yahoo.com>
> Cc: "secureshell@securityfocus.com"
> <secureshell@securityfocus.com>
> Sent: Thursday, April 28, 2011 5:20 PM
> Subject: Re: problem with HostbasedAuthentication
>
> Mahmood,
>
> The files are /home/username/.ssh/known_hosts on both
> server and client.
>
> By FQDN, I meant host's fully qualified domain name.
>
> Following is the example:
>
> Assuming both client and server are linux hosts:
>
> Server IP: 192.168.1.1
> Client IP: 192.168.1.101
>
> Server Name: lnx_srvr_1.domain.com
> Client Name: lnx_clnt_101.domain.com
>
> User name on each host is mahmood.
>
> Following would be the entries in .shosts on lnx_srvr_1
>
>
> lnx_srvr_1:/home/mahmood $ cat .shosts
>
> lnx_clnt_101.domain.com mahmood
> 192.168.1.101 mahmood
> lnx_clnt_101 mahmood
>
> Following should exist in /home/mahmood/.ssh/known_hosts file on the server side:
> 192.168.1.101,lnx_clnt_101,lnx_clnt_101.domain.com ssh-rsa AAAAB3Nz...
>
> Following should also exist in /home/mahmood/.ssh/known_hosts file on the client side:
> 192.168.1.1,lnx_srvr_1,lnx_srvr_1.domain.com ssh-rsa AAAAB3Nz...
>
> Ensure that .ssh directory on both client and server are
> rwx for owner only and group/rest of world is 000.
>
> Hope this helps! Good Luck! :)
>
> Regards,
> Sharad 
> --- On Thu, 28/4/11, Mahmood Naderan <nt_mahmood@yahoo.com>
> wrote:
>
> > From: Mahmood Naderan <nt_mahmood@yahoo.com>
> > Subject: Re: problem with HostbasedAuthentication
> > To: "Sharad" <sharad2011@yahoo.com>
> > Cc: "secureshell@securityfocus.com"
> <secureshell@securityfocus.com>
> > Date: Thursday, 28 April, 2011, 3:54 PM
> > Can you explain exactly which file I should edit? What is FQDN? By 'hostname', do you mean server hostname or client hostname?
> > Should I do that on both sides or server side?...
> >
> > // Naderan *Mahmood;
> >
> >
> > ----- Original Message -----
> > From: Sharad <sharad2011@yahoo.com>
> > To: Mahmood Naderan <nt_mahmood@yahoo.com>;
> > Asif Iqbal <vadud3@gmail.com>
> > Cc: "secureshell@securityfocus.com"
> > <secureshell@securityfocus.com>
> > Sent: Thursday, April 28, 2011 1:16 PM
> > Subject: Re: problem with HostbasedAuthentication
> >
> > Sometimes the issue lies with hostname as well. What I mean with that is the known_hosts may have just the host name whereas when the connection is established, the debug shows the FQDN. I faced this issue so to be sure, I edited the known_hosts file and inserted the hostname, hostname's FQDN and its IP address (all comma separated).
> >
> > Also ensure that both the hosts' known_hosts files have opposite servers names (as prescribed above).
> >
> > All the above checks make it work for me.
> >
> > Hope this solves.
> >
> > Kind regards,
> > Sharad
>
>
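The advice quoted in this reply (list the peer's short name, FQDN and IP address in known_hosts and in .shosts, and keep the files writable only by their owner) can be checked mechanically. The following is an added example, not code from the thread or from OpenSSH: the function names and the 0664 starting mode are constructed, while the host names, user and address are the ones shown in the thread. It compares literal names only; hashed entries and wildcard patterns are skipped.

```python
"""Audit server-side hostbased-auth files for name coverage (added example)."""
import os
import stat
import tempfile


def known_hosts_names(path):
    """Return the literal host names/addresses listed in a known_hosts-style file."""
    names = set()
    with open(path) as fh:
        for raw in fh:
            fields = raw.split()
            # Need "hosts keytype key"; skip blanks, comments and short lines.
            if len(fields) < 3 or fields[0].startswith("#"):
                continue
            # Hashed entries cannot be compared by name.
            if fields[0].startswith("|1|"):
                continue
            for host in fields[0].split(","):
                # Wildcard/negated patterns are out of scope for this check.
                if not any(c in host for c in "*?!"):
                    names.add(host.lower())
    return names


def shosts_hosts(path, client_user, server_user):
    """Return the hosts from which client_user is listed in an .shosts-style file.

    Only plain "host [user]" lines are read. A line without a user field is
    treated as naming server_user. The +/- and netgroup syntax is ignored.
    """
    hosts = set()
    with open(path) as fh:
        for raw in fh:
            fields = raw.split()
            if not fields or fields[0][0] in "#+-@" or len(fields) > 2:
                continue
            user = fields[1] if len(fields) == 2 else server_user
            if user == client_user:
                hosts.add(fields[0].lower())
    return hosts


def audit(known_hosts, shosts, client_names, client_user, server_user):
    """Report which client names are missing and whether .shosts is too open."""
    wanted = [n.lower() for n in client_names]
    kh = known_hosts_names(known_hosts)
    sh = shosts_hosts(shosts, client_user, server_user)
    mode = stat.S_IMODE(os.stat(shosts).st_mode)
    return {
        "missing_in_known_hosts": [n for n in wanted if n not in kh],
        "missing_in_shosts": [n for n in wanted if n not in sh],
        # Group- or world-writable; chmod 600 as suggested in the thread clears this.
        "shosts_writable_by_others": bool(mode & 0o022),
    }


def write_sample(directory, name, text, mode):
    """Write a constructed sample file with the given permission bits."""
    path = os.path.join(directory, name)
    with open(path, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path


KEY = "ssh-rsa AAAAB3Nz....."  # key elided exactly as in the thread
CLIENT_NAMES = ["client", "client.domain", "192.168.1.3"]  # names/IP seen in the thread


def demo():
    """Audit the original setup, then the comma-separated layout from the reply."""
    with tempfile.TemporaryDirectory() as d:
        before = audit(
            write_sample(d, "known_hosts.before", "client " + KEY + "\n", 0o644),
            # Mode 0664 is constructed; the thread does not state the original mode.
            write_sample(d, "shosts.before", "client.domain mahmood\n", 0o664),
            CLIENT_NAMES, "mahmood", "mahmood")
        after = audit(
            write_sample(d, "known_hosts.after",
                         "192.168.1.3,client,client.domain " + KEY + "\n", 0o644),
            write_sample(d, "shosts.after",
                         "client.domain mahmood\n192.168.1.3 mahmood\nclient mahmood\n",
                         0o600),
            CLIENT_NAMES, "mahmood", "mahmood")
    return before, after


if __name__ == "__main__":
    for label, result in zip(("before", "after"), demo()):
        print(label, result)
```

Against real files, call `audit()` with the server's known_hosts and .shosts paths and every name and address under which the client may present itself.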
Re: problem with HostbasedAuthentication [ In reply to ]
The same thing happens with IP address
 
 
mahmood@server:~$ ssh -vvv 192.168.1.3
OpenSSH_5.3p1 Debian-3ubuntu4, OpenSSL 0.9.8k 25 Mar 2009
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 192.168.1.3 [192.168.1.3] port 22.
debug1: Connection established.
debug1: identity file /home/mahmood/.ssh/identity type -1
debug1: identity file /home/mahmood/.ssh/id_rsa type -1
debug1: identity file /home/mahmood/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3p1 Debian-3ubuntu6
debug1: match: OpenSSH_5.3p1 Debian-3ubuntu6 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu4
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug3: Wrote 792 bytes for a total of 831
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug3: Wrote 24 bytes for a total of 855
debug2: dh_gen_key: priv key bits set: 129/256
debug2: bits set: 505/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: Wrote 144 bytes for a total of 999
debug3: check_host_in_hostfile: filename /home/mahmood/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug1: Host '192.168.1.3' is known and matches the RSA host key.
debug1: Found key in /home/mahmood/.ssh/known_hosts:1
debug2: bits set: 517/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: Wrote 16 bytes for a total of 1015
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug3: Wrote 48 bytes for a total of 1063
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/mahmood/.ssh/identity ((nil))
debug2: key: /home/mahmood/.ssh/id_rsa ((nil))
debug2: key: /home/mahmood/.ssh/id_dsa ((nil))
debug3: Wrote 64 bytes for a total of 1127
debug1: Authentications that can continue: publickey,password,hostbased
debug3: start over, passed a different list publickey,password,hostbased
debug3: preferred gssapi-keyex,gssapi-with-mic,gssapi,hostbased,publickey,keyboard-interactive,password
debug3: authmethod_lookup hostbased
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled hostbased
debug1: Next authentication method: hostbased
get_socket_address: getnameinfo 8 failed: Name or service not known
debug2: userauth_hostbased: chost server.
debug2: ssh_keysign called
debug3: ssh_msg_send: type 2
debug3: ssh_msg_recv entering
debug1: permanently_drop_suid: 1000
get_socket_address: getnameinfo 8 failed: Name or service not known
cannot get sockname for fd
ssh_keysign: no reply
key_sign failed
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/mahmood/.ssh/identity
debug3: no such identity: /home/mahmood/.ssh/identity
debug1: Trying private key: /home/mahmood/.ssh/id_rsa
debug3: no such identity: /home/mahmood/.ssh/id_rsa
debug1: Trying private key: /home/mahmood/.ssh/id_dsa
debug3: no such identity: /home/mahmood/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
mahmood@192.168.1.3's password:


// Naderan *Mahmood;


----- Original Message -----
From: Sharad <sharad2011@yahoo.com>
To: Mahmood Naderan <nt_mahmood@yahoo.com>
Cc: "secureshell@securityfocus.com" <secureshell@securityfocus.com>
Sent: Friday, April 29, 2011 11:19 AM
Subject: Re: problem with HostbasedAuthentication

Hi Mahmood,

This line looks out of place. Check that host name is getting resolved:

get_socket_address: getnameinfo 8 failed: Name or service not known

I am sure you would have performed the same steps on both hosts. Try establishing connection with IP Address instead of hostname.

Regards,
Sharad
--- On Thu, 28/4/11, Mahmood Naderan <nt_mahmood@yahoo.com> wrote:

> From: Mahmood Naderan <nt_mahmood@yahoo.com>
> Subject: Re: problem with HostbasedAuthentication
> To: "Sharad" <sharad2011@yahoo.com>
> Cc: "secureshell@securityfocus.com" <secureshell@securityfocus.com>
> Date: Thursday, 28 April, 2011, 11:12 PM
> Dear Sharad,
> I am now trying to setup a hostbased ssh from server to
> client (previously client->server worked fine based on
> your help). I want it to be bidirectional.
>  
> I did the same thing in reverse (now the client becomes
> server and the server becomes client). However this is what I
> get while trying to ssh from server to client:
>  
>  
> debug3: Wrote 48 bytes for a total of 1063
> debug2: service_accept: ssh-userauth
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug2: key: /home/mahmood/.ssh/identity ((nil))
> debug2: key: /home/mahmood/.ssh/id_rsa ((nil))
> debug2: key: /home/mahmood/.ssh/id_dsa ((nil))
> debug3: Wrote 64 bytes for a total of 1127
> debug1: Authentications that can continue:
> publickey,password,hostbased
> debug3: start over, passed a different list
> publickey,password,hostbased
> debug3: preferred
> gssapi-keyex,gssapi-with-mic,gssapi,hostbased,publickey,keyboard-interactive,password
> debug3: authmethod_lookup hostbased
> debug3: remaining preferred:
> publickey,keyboard-interactive,password
> debug3: authmethod_is_enabled hostbased
> debug1: Next authentication method: hostbased
> get_socket_address: getnameinfo 8 failed: Name or service
> not known
> debug2: userauth_hostbased: chost server.
> debug2: ssh_keysign called
> debug3: ssh_msg_send: type 2
> debug3: ssh_msg_recv entering
> debug1: permanently_drop_suid: 1000
> get_socket_address: getnameinfo 8 failed: Name or service
> not known
> cannot get sockname for fd
> ssh_keysign: no reply
> key_sign failed
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup publickey
> debug3: remaining preferred: keyboard-interactive,password
> debug3: authmethod_is_enabled publickey
> debug1: Next authentication method: publickey
> debug1: Trying private key: /home/mahmood/.ssh/identity
> debug3: no such identity: /home/mahmood/.ssh/identity
> debug1: Trying private key: /home/mahmood/.ssh/id_rsa
> debug3: no such identity: /home/mahmood/.ssh/id_rsa
> debug1: Trying private key: /home/mahmood/.ssh/id_dsa
> debug3: no such identity: /home/mahmood/.ssh/id_dsa
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup password
> debug3: remaining preferred: ,password
> debug3: authmethod_is_enabled password
> debug1: Next authentication method: password
> mahmood@192.168.1.3's password:
>
>  
> What is your suggestion?
>
> // Naderan *Mahmood;
>
>
> ----- Original Message -----
> From: Sharad <sharad2011@yahoo.com>
> To: Mahmood Naderan <nt_mahmood@yahoo.com>
> Cc: "secureshell@securityfocus.com"
> <secureshell@securityfocus.com>
> Sent: Thursday, April 28, 2011 5:20 PM
> Subject: Re: problem with HostbasedAuthentication
>
> Mahmood,
>
> The files are /home/username/.ssh/known_hosts on both
> server and client.
>
> By FQDN, I meant host's fully qualified domain name.
>
> Following is the example:
>
> Assuming both client and server are linux hosts:
>
> Server IP: 192.168.1.1
> Client IP: 192.168.1.101
>
> Server Name: lnx_srvr_1.domain.com
> Client Name: lnx_clnt_101.domain.com
>
> User name on each host is mahmood.
>
> Following would be the entries in .shosts on lnx_srvr_1
>
>
> lnx_srvr_1:/home/mahmood $ cat .shosts
>
> lnx_clnt_101.domain.com mahmood
> 192.168.1.101 mahmood
> lnx_clnt_101 mahmood
>
> Following should exist in /home/mahmood/.ssh/known_hosts
> file on the server side:
> 192.168.1.101,lnx_clnt_101,lnx_clnt_101.domain.com 
> ssh-rsa AAAAB3Nz...
>
> Following should also exist in
> /home/mahmood/.ssh/known_hosts file on the client side:
> 192.168.1.1,lnx_srvr_1,lnx_srvr_1.domain.com  ssh-rsa
> AAAAB3Nz...
>
> Ensure that .ssh directory on both client and server are
> rwx for owner only and group/rest of world is 000.
>
> Hope this helps! Good Luck! :)
>
> Regards,
> Sharad 
> --- On Thu, 28/4/11, Mahmood Naderan <nt_mahmood@yahoo.com>
> wrote:
>
> > From: Mahmood Naderan <nt_mahmood@yahoo.com>
> > Subject: Re: problem with HostbasedAuthentication
> > To: "Sharad" <sharad2011@yahoo.com>
> > Cc: "secureshell@securityfocus.com"
> <secureshell@securityfocus.com>
> > Date: Thursday, 28 April, 2011, 3:54 PM
> > Can you explain exactly which file I
> > should edit? What is FQDN? By 'hostname', Do you mean
> server
> > hostname of client hostname.
> > Should I do that on both side or server side?...
> >
> > // Naderan *Mahmood;
> >
> >
> > ----- Original Message -----
> > From: Sharad <sharad2011@yahoo.com>
> > To: Mahmood Naderan <nt_mahmood@yahoo.com>;
> > Asif Iqbal <vadud3@gmail.com>
> > Cc: "secureshell@securityfocus.com"
> > <secureshell@securityfocus.com>
> > Sent: Thursday, April 28, 2011 1:16 PM
> > Subject: Re: problem with HostbasedAuthentication
> >
> > Sometimes the issue lies with hostname as well. What I
> mean
> > with that is the known_hosts may have just the host
> name
> > where as when the connection is established, the debug
> shows
> > the FQDN. I faced this issue so to be sure, I edited
> the
> > known_hosts file and inserted the hostname, hostname's
> FQDN
> > and its IP address (all comma separated).
> >
> > Also ensure that you both the hosts' known_hosts files
> have
> > opposite servers names (as prescribed above).
> >
> > All the above checks makes it work for me.
> >
> > Hope this solves.
> >
> > Kind regards,
> > Sharad
> > --- On Thu, 28/4/11, Asif Iqbal <vadud3@gmail.com>
> > wrote:
> >
> > > From: Asif Iqbal <vadud3@gmail.com>
> > > Subject: Re: problem with
> HostbasedAuthentication
> > > To: "Mahmood Naderan" <nt_mahmood@yahoo.com>
> > > Cc: "secureshell@securityfocus.com"
> > <secureshell@securityfocus.com>
> > > Date: Thursday, 28 April, 2011, 12:38 AM
> > > On Wed, Apr 27, 2011 at 1:12 AM,
> > > Mahmood Naderan <nt_mahmood@yahoo.com>
> > > wrote:
> > > >>Change the order method. Have hostbased
> > before
> > > password
> > > >
> > > > Sorry where should I do that?
> > >
> > > man ssh_config and look into
> PreferredAuthentications
> > >
> > > >
> > > > // Naderan *Mahmood;
> > > >
> > > > From: Asif Iqbal <vadud3@gmail.com>
> > > > To: Mahmood Naderan <nt_mahmood@yahoo.com>
> > > > Cc: "secureshell@securityfocus.com"
> > > <secureshell@securityfocus.com>
> > > > Sent: Wednesday, April 27, 2011 9:17 AM
> > > > Subject: Re: problem with
> > HostbasedAuthentication
> > > >
> > > >
> > > > Change the order method. Have hostbased
> before
> > > password
> > > > On Apr 26, 2011 11:52 PM, "Mahmood Naderan"
> > <nt_mahmood@yahoo.com>
> > > wrote:
> > > >>
> > > >>
> > > >> Hi,
> > > >> I am trying to setup a hostbased
> passwordless
> > ssh
> > > from a client to a server using this guide http://www.ehow.com/how_7621307_set-up-hostbased-authentication.html.
> > > >>
> > > >> The client looks like:
> > > >>
> > > >> mahmood@client:~$ cat
> /etc/ssh/ssh_config  |
> > grep
> > > "HostbasedAuthentication"
> > > >>    HostbasedAuthentication yes
> > > >> mahmood@client:~$ cat
> /etc/ssh/ssh_config  |
> > grep
> > > "EnableSSHKeysign"
> > > >>    EnableSSHKeysign yes
> > > >>
> > > >>
> > > >> and the server looks like:
> > > >> mahmood@server:~$ cat
> /etc/ssh/sshd_config 
> > |
> > > grep "HostbasedAuthentication"
> > > >> HostbasedAuthentication yes
> > > >> mahmood@server:~$ cat
> /etc/ssh/sshd_config 
> > |
> > > grep "IgnoreRhosts"
> > > >> IgnoreRhosts no
> > > >>
> > > >> also the server has the key for client:
> > > >>
> > > >> mahmood@server:~$ cat
> > /etc/ssh/ssh_known_hosts
> > > >> client ssh-rsa AAAAB3Nz.....
> > > >>
> > > >> the ~/.shosts file on the server
> contains:
> > > >> mahmood@server:~$ cat .shosts
> > > >> client.domain mahmood
> > > >>
> > > >> Then on both server and client, the ssh
> > service is
> > > restarted:
> > > >> mahmood@client:~$ sudo service ssh
> restart
> > > >> ssh start/running, process 1355
> > > >> mahmood@server:~$ sudo service ssh
> restart
> > > >> ssh start/running, process 28982
> > > >>
> > > >> How, when I run "ssh -vvv server" from
> client
> > (to
> > > show the verbose messages), I still get the
> password
> > > prompt.
> > > >>
> > > >> mahmood@client:~$ ssh -vvv server
> > > >> OpenSSH_5.3p1 Debian-3ubuntu6, OpenSSL
> 0.9.8k
> > 25
> > > Mar 2009
> > > >> debug1: Reading configuration data
> > > /etc/ssh/ssh_config
> > > >> debug1: Applying options for *
> > > >> debug2: ssh_connect: needpriv 0
> > > >> debug1: Connecting to server
> [192.168.1.1]
> > port
> > > 22.
> > > >> debug1: Connection established.
> > > >> debug1: identity file
> > /home/mahmood/.ssh/identity
> > > type -1
> > > >> debug1: identity file
> > /home/mahmood/.ssh/id_rsa
> > > type -1
> > > >> debug1: identity file
> > /home/mahmood/.ssh/id_dsa
> > > type -1
> > > >> debug1: Remote protocol version 2.0,
> remote
> > > software version OpenSSH_5.3p1 Debian-3ubuntu4
> > > >> debug1: match: OpenSSH_5.3p1
> Debian-3ubuntu4
> > pat
> > > OpenSSH*
> > > >> debug1: Enabling compatibility mode for
> > protocol
> > > 2.0
> > > >> debug1: Local version string
> > SSH-2.0-OpenSSH_5.3p1
> > > Debian-3ubuntu6
> > > >> debug2: fd 3 setting O_NONBLOCK
> > > >> debug1: SSH2_MSG_KEXINIT sent
> > > >> debug3: Wrote 792 bytes for a total of
> 831
> > > >> debug1: SSH2_MSG_KEXINIT received
> > > >> debug2: kex_parse_kexinit:
> > >
> >
> diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-
> > > >> group1-sha1
> > > >> debug2: kex_parse_kexinit:
> ssh-rsa,ssh-dss
> > > >> debug2: kex_parse_kexinit:
> > >
> >
> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-
> > > >> cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> > > >> debug2: kex_parse_kexinit:
> > >
> >
> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-
> > > >> cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> > > >> debug2: kex_parse_kexinit:
> > hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-
> > > >> md5-96
> > > >> debug2: kex_parse_kexinit:
> > hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-
> > > >> md5-96
> > > >> debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
> > > >> debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
> > > >> debug2: kex_parse_kexinit:
> > > >> debug2: kex_parse_kexinit:
> > > >> debug2: kex_parse_kexinit:
> first_kex_follows
> > 0
> > > >> debug2: kex_parse_kexinit: reserved 0
> > > >> debug2: kex_parse_kexinit:
> > >
> >
> diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-
> > > >> group1-sha1
> > > >> debug2: kex_parse_kexinit:
> ssh-rsa,ssh-dss
> > > >> debug2: kex_parse_kexinit:
> > >
> >
> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-
> > > >> cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> > > >> debug2: kex_parse_kexinit:
> > >
> >
> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-
> > > >> cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> > > >> debug2: kex_parse_kexinit:
> > hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-
> > > >> md5-96
> > > >> debug2: kex_parse_kexinit:
> > hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-
> > > >> md5-96
> > > >> debug2: kex_parse_kexinit: none,zlib@openssh.com
> > > >> debug2: kex_parse_kexinit: none,zlib@openssh.com
> > > >> debug2: kex_parse_kexinit:
> > > >> debug2: kex_parse_kexinit:
> > > >> debug2: kex_parse_kexinit:
> first_kex_follows
> > 0
> > > >> debug2: kex_parse_kexinit: reserved 0
> > > >> debug2: mac_setup: found hmac-md5
> > > >> debug1: kex: server->client
> aes128-ctr
> > hmac-md5
> > > none
> > > >> debug2: mac_setup: found hmac-md5
> > > >> debug1: kex: client->server
> aes128-ctr
> > hmac-md5
> > > none
> > > >> debug1:
> > >
> SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192)
> > sent
> > > >> debug1: expecting
> SSH2_MSG_KEX_DH_GEX_GROUP
> > > >> debug3: Wrote 24 bytes for a total of
> 855
> > > >> debug2: dh_gen_key: priv key bits set:
> > 124/256
> > > >> debug2: bits set: 507/1024
> > > >> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> > > >> debug1: expecting
> SSH2_MSG_KEX_DH_GEX_REPLY
> > > >> debug3: Wrote 144 bytes for a total of
> 999
> > > >> debug3: check_host_in_hostfile:
> filename
> > > /home/mahmood/.ssh/known_hosts
> > > >> debug3: check_host_in_hostfile: match
> line 1
> > > >> debug3: check_host_in_hostfile:
> filename
> > > /home/mahmood/.ssh/known_hosts
> > > >> debug3: check_host_in_hostfile: match
> line 2
> > > >> debug1: Host 'server' is known and
> matches
> > the RSA
> > > host key.
> > > >> debug1: Found key in
> > > /home/mahmood/.ssh/known_hosts:1
> > > >> debug2: bits set: 503/1024
> > > >> debug1: ssh_rsa_verify: signature
> correct
> > > >> debug2: kex_derive_keys
> > > >> debug2: set_newkeys: mode 1
> > > >> debug1: SSH2_MSG_NEWKEYS sent
> > > >> debug1: expecting SSH2_MSG_NEWKEYS
> > > >> debug3: Wrote 16 bytes for a total of
> 1015
> > > >> debug2: set_newkeys: mode 0
> > > >> debug1: SSH2_MSG_NEWKEYS received
> > > >> debug1: SSH2_MSG_SERVICE_REQUEST sent
> > > >> debug3: Wrote 48 bytes for a total of
> 1063
> > > >> debug2: service_accept: ssh-userauth
> > > >> debug1: SSH2_MSG_SERVICE_ACCEPT
> received
> > > >> debug2: key:
> /home/mahmood/.ssh/identity
> > ((nil))
> > > >> debug2: key: /home/mahmood/.ssh/id_rsa
> > ((nil))
> > > >> debug2: key: /home/mahmood/.ssh/id_dsa
> > ((nil))
> > > >> debug3: Wrote 64 bytes for a total of
> 1127
> > > >> debug1: Authentications that can
> continue:
> > > publickey,password,hostbased
> > > >> debug3: start over, passed a different
> list
> > > publickey,password,hostbased
> > > >> debug3: preferred
> > >
> >
> gssapi-keyex,gssapi-with-mic,gssapi,hostbased,publickey,keyboard-interactive,password
> > > >> debug3: authmethod_lookup hostbased
> > > >> debug3: remaining preferred:
> > > publickey,keyboard-interactive,password
> > > >> debug3: authmethod_is_enabled hostbased
> > > >> debug1: Next authentication method:
> > hostbased
> > > >> debug2: userauth_hostbased: chost
> client.
> > > >> debug2: ssh_keysign called
> > > >> debug3: ssh_msg_send: type 2
> > > >> debug3: ssh_msg_recv entering
> > > >> debug1: permanently_drop_suid: 1000
> > > >> debug2: we sent a hostbased packet, wait
> for
> > > reply
> > > >> debug3: Wrote 608 bytes for a total of
> 1735
> > > >> debug1: Authentications that can
> continue:
> > > publickey,password,hostbased
> > > >> debug2: userauth_hostbased: chost
> client.
> > > >> debug2: ssh_keysign called
> > > >> debug3: ssh_msg_send: type 2
> > > >> debug3: ssh_msg_recv entering
> > > >> debug1: permanently_drop_suid: 1000
> > > >> debug2: we sent a hostbased packet, wait
> for
> > > reply
> > > >> debug3: Wrote 672 bytes for a total of
> 2407
> > > >> debug1: Authentications that can
> continue:
> > > publickey,password,hostbased
> > > >> debug1: No more client hostkeys for
> > hostbased
> > > authentication.
> > > >> debug2: we did not send a packet,
> disable
> > method
> > > >> debug3: authmethod_lookup publickey
> > > >> debug3: remaining preferred:
> > > keyboard-interactive,password
> > > >> debug3: authmethod_is_enabled publickey
> > > >> debug1: Next authentication method:
> > publickey
> > > >> debug1: Trying private key:
> > > /home/mahmood/.ssh/identity
> > > >> debug3: no such identity:
> > > /home/mahmood/.ssh/identity
> > > >> debug1: Trying private key:
> > > /home/mahmood/.ssh/id_rsa
> > > >> debug3: no such identity:
> > > /home/mahmood/.ssh/id_rsa
> > > >> debug1: Trying private key:
> > > /home/mahmood/.ssh/id_dsa
> > > >> debug3: no such identity:
> > > /home/mahmood/.ssh/id_dsa
> > > >> debug2: we did not send a packet,
> disable
> > method
> > > >> debug3: authmethod_lookup password
> > > >> debug3: remaining preferred: ,password
> > > >> debug3: authmethod_is_enabled password
> > > >> debug1: Next authentication method:
> password
> > > >> mahmood@server's password:
> > > >>
> > > >>
> > > >> Any idea about that?
> > > >>
> > > >> // Naderan *Mahmood;
> > > >>
> > > >
> > >
> > >
> > >
> > > --
> > > Asif Iqbal
> > > PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
> > > A: Because it messes up the order in which
> people
> > normally
> > > read text.
> > > Q: Why is top-posting such a bad thing?
> > >
> >
>
>
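The two `ssh -vvv` traces in this thread stop at different points: in the original client-to-server attempt a signed hostbased packet was sent and the server refused it, while in the server-to-client attempt ssh-keysign returned no signature and nothing was sent. The Python sketch below is an added example, not code from any post in the thread; it classifies a trace by those markers. The two sample traces are constructed by condensing the logs quoted above, and the function name and verdict labels are assumptions.

```python
import re

# Constructed samples, condensed from the two `ssh -vvv` traces quoted in this thread.
TRACE_KEYSIGN_FAILED = """\
debug1: Authentications that can continue: publickey,password,hostbased
debug1: Next authentication method: hostbased
get_socket_address: getnameinfo 8 failed: Name or service not known
debug2: userauth_hostbased: chost server.
debug2: ssh_keysign called
get_socket_address: getnameinfo 8 failed: Name or service not known
cannot get sockname for fd
ssh_keysign: no reply
key_sign failed
debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
debug1: Next authentication method: password
"""

TRACE_SERVER_REJECTED = """\
debug1: Authentications that can continue: publickey,password,hostbased
debug1: Next authentication method: hostbased
debug2: userauth_hostbased: chost client.
debug2: ssh_keysign called
debug2: we sent a hostbased packet, wait for reply
debug1: Authentications that can continue: publickey,password,hostbased
debug2: userauth_hostbased: chost client.
debug2: ssh_keysign called
debug2: we sent a hostbased packet, wait for reply
debug1: Authentications that can continue: publickey,password,hostbased
debug1: No more client hostkeys for hostbased authentication.
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
"""

# Leading "> > " mail-quote markers are stripped; re-wrapped lines are not rejoined.
QUOTE_PREFIX = re.compile(r"^(?:\s*>)+\s?")
OFFERED = re.compile(r"Authentications that can continue: (\S+)")
CHOST = re.compile(r"userauth_hostbased: chost (\S+)")

# Hypothetical verdict labels, each mapped to the check the thread suggests.
HINTS = {
    "incomplete-trace": "trace never reaches user authentication",
    "not-offered": "server does not list hostbased: check HostbasedAuthentication in sshd_config",
    "not-attempted": "client never tried hostbased: check HostbasedAuthentication in ssh_config "
                     "and PreferredAuthentications",
    "keysign-failed": "ssh-keysign returned no signature on the connecting host, so nothing "
                      "was sent; fix that host before touching the server",
    "server-rejected": "signed request reached the server and was refused: compare chost with "
                       "the server's known_hosts and .shosts entries, then run sshd -d",
    "succeeded": "hostbased authentication succeeded",
    "unknown": "hostbased was tried but the trace shows no known marker",
}


def diagnose_hostbased(trace):
    """Classify the hostbased attempt in an `ssh -vvv` trace."""
    lines = [QUOTE_PREFIX.sub("", raw).strip() for raw in trace.splitlines()]
    lines = [line for line in lines if line]

    # Every method list the server advertised during this connection.
    offered = set()
    for line in lines:
        match = OFFERED.search(line)
        if match:
            offered.update(match.group(1).split(","))

    # The hostbased attempt runs from its "Next authentication method" line
    # up to the next method the client moves on to.
    start = next((i for i, line in enumerate(lines)
                  if "Next authentication method: hostbased" in line), None)
    section = []
    if start is not None:
        end = next((i for i in range(start + 1, len(lines))
                    if "Next authentication method:" in lines[i]), len(lines))
        section = lines[start:end]

    chost = next((m.group(1) for m in map(CHOST.search, section) if m), None)
    packets_sent = sum("we sent a hostbased packet" in line for line in section)
    # Lines without a debugN: prefix are error output from ssh and ssh-keysign.
    client_errors = [line for line in section if not line.startswith("debug")]

    if not offered:
        verdict = "incomplete-trace"
    elif "hostbased" not in offered:
        verdict = "not-offered"
    elif start is None:
        verdict = "not-attempted"
    elif any("Authentication succeeded (hostbased)" in line for line in section):
        verdict = "succeeded"
    elif packets_sent:
        verdict = "server-rejected"
    elif any("key_sign failed" in e or "ssh_keysign: no reply" in e for e in client_errors):
        verdict = "keysign-failed"
    else:
        verdict = "unknown"

    return {
        "verdict": verdict,
        "hint": HINTS[verdict],
        "chost": chost,                      # name the client claims, as logged
        "packets_sent": packets_sent,
        "client_errors": client_errors,
        "name_lookup_failed": any("getnameinfo" in e for e in client_errors),
    }


if __name__ == "__main__":
    for name, trace in [("server->client", TRACE_KEYSIGN_FAILED),
                        ("client->server", TRACE_SERVER_REJECTED)]:
        result = diagnose_hostbased(trace)
        print(name, result["verdict"], result["chost"], "-", result["hint"])
```

A `keysign-failed` verdict with `name_lookup_failed` set matches the advice in the thread to check that the host name is getting resolved on the machine starting the connection.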
Re: problem with HostbasedAuthentication
Can you run debug on server as well using sshd -d? More -d's mean more debug information (you can use at the max 3 d's) :D

Regards,
Sharad
--- On Fri, 29/4/11, Mahmood Naderan <nt_mahmood@yahoo.com> wrote:

> From: Mahmood Naderan <nt_mahmood@yahoo.com>
> Subject: Re: problem with HostbasedAuthentication
> To: "Sharad" <sharad2011@yahoo.com>
> Cc: "secureshell@securityfocus.com" <secureshell@securityfocus.com>
> Date: Friday, 29 April, 2011, 12:23 PM
> The same thing happens with IP
> address
>  
>  
> mahmood@server:~$ ssh -vvv 192.168.1.3
> OpenSSH_5.3p1 Debian-3ubuntu4, OpenSSL 0.9.8k 25 Mar 2009
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug2: ssh_connect: needpriv 0
> debug1: Connecting to 192.168.1.3 [192.168.1.3] port 22.
> debug1: Connection established.
> debug1: identity file /home/mahmood/.ssh/identity type -1
> debug1: identity file /home/mahmood/.ssh/id_rsa type -1
> debug1: identity file /home/mahmood/.ssh/id_dsa type -1
> debug1: Remote protocol version 2.0, remote software
> version OpenSSH_5.3p1 Debian-3ubuntu6
> debug1: match: OpenSSH_5.3p1 Debian-3ubuntu6 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_5.3p1
> Debian-3ubuntu4
> debug2: fd 3 setting O_NONBLOCK
> debug1: SSH2_MSG_KEXINIT sent
> debug3: Wrote 792 bytes for a total of 831
> debug1: SSH2_MSG_KEXINIT received
> debug2: kex_parse_kexinit:
> diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit:
> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> debug2: kex_parse_kexinit:
> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
> debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: kex_parse_kexinit:
> diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit:
> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> debug2: kex_parse_kexinit:
> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib@openssh.com
> debug2: kex_parse_kexinit: none,zlib@openssh.com
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: mac_setup: found hmac-md5
> debug1: kex: server->client aes128-ctr hmac-md5 none
> debug2: mac_setup: found hmac-md5
> debug1: kex: client->server aes128-ctr hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192)
> sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> debug3: Wrote 24 bytes for a total of 855
> debug2: dh_gen_key: priv key bits set: 129/256
> debug2: bits set: 505/1024
> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> debug3: Wrote 144 bytes for a total of 999
> debug3: check_host_in_hostfile: filename
> /home/mahmood/.ssh/known_hosts
> debug3: check_host_in_hostfile: match line 1
> debug1: Host '192.168.1.3' is known and matches the RSA
> host key.
> debug1: Found key in /home/mahmood/.ssh/known_hosts:1
> debug2: bits set: 517/1024
> debug1: ssh_rsa_verify: signature correct
> debug2: kex_derive_keys
> debug2: set_newkeys: mode 1
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug3: Wrote 16 bytes for a total of 1015
> debug2: set_newkeys: mode 0
> debug1: SSH2_MSG_NEWKEYS received
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug3: Wrote 48 bytes for a total of 1063
> debug2: service_accept: ssh-userauth
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug2: key: /home/mahmood/.ssh/identity ((nil))
> debug2: key: /home/mahmood/.ssh/id_rsa ((nil))
> debug2: key: /home/mahmood/.ssh/id_dsa ((nil))
> debug3: Wrote 64 bytes for a total of 1127
> debug1: Authentications that can continue:
> publickey,password,hostbased
> debug3: start over, passed a different list
> publickey,password,hostbased
> debug3: preferred
> gssapi-keyex,gssapi-with-mic,gssapi,hostbased,publickey,keyboard-interactive,password
> debug3: authmethod_lookup hostbased
> debug3: remaining preferred:
> publickey,keyboard-interactive,password
> debug3: authmethod_is_enabled hostbased
> debug1: Next authentication method: hostbased
> get_socket_address: getnameinfo 8 failed: Name or service
> not known
> debug2: userauth_hostbased: chost server.
> debug2: ssh_keysign called
> debug3: ssh_msg_send: type 2
> debug3: ssh_msg_recv entering
> debug1: permanently_drop_suid: 1000
> get_socket_address: getnameinfo 8 failed: Name or service
> not known
> cannot get sockname for fd
> ssh_keysign: no reply
> key_sign failed
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup publickey
> debug3: remaining preferred: keyboard-interactive,password
> debug3: authmethod_is_enabled publickey
> debug1: Next authentication method: publickey
> debug1: Trying private key: /home/mahmood/.ssh/identity
> debug3: no such identity: /home/mahmood/.ssh/identity
> debug1: Trying private key: /home/mahmood/.ssh/id_rsa
> debug3: no such identity: /home/mahmood/.ssh/id_rsa
> debug1: Trying private key: /home/mahmood/.ssh/id_dsa
> debug3: no such identity: /home/mahmood/.ssh/id_dsa
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup password
> debug3: remaining preferred: ,password
> debug3: authmethod_is_enabled password
> debug1: Next authentication method: password
> mahmood@192.168.1.3's password:
>
>
> // Naderan *Mahmood;
>
>
> ----- Original Message -----
> From: Sharad <sharad2011@yahoo.com>
> To: Mahmood Naderan <nt_mahmood@yahoo.com>
> Cc: "secureshell@securityfocus.com"
> <secureshell@securityfocus.com>
> Sent: Friday, April 29, 2011 11:19 AM
> Subject: Re: problem with HostbasedAuthentication
>
> Hi Mahmood,
>
> This line looks out of place. Check that host name is
> getting resolved:
>
> get_socket_address: getnameinfo 8 failed: Name or service
> not known
>
> I am sure you would have performed the same steps on both
> hosts. Try establishing connection with IP Address instead
> of hostname.
>
> Regards,
> Sharad
> --- On Thu, 28/4/11, Mahmood Naderan <nt_mahmood@yahoo.com>
> wrote:
>
> > From: Mahmood Naderan <nt_mahmood@yahoo.com>
> > Subject: Re: problem with HostbasedAuthentication
> > To: "Sharad" <sharad2011@yahoo.com>
> > Cc: "secureshell@securityfocus.com"
> <secureshell@securityfocus.com>
> > Date: Thursday, 28 April, 2011, 11:12 PM
> > Dear Sharad,
> > I am now trying to setup a hostbased ssh from server
> to
> > client (previously client->server worked fine based
> on
> > your help). I want it to be bidirectional.
> >  
> > I did the same thing in reverse (now the client
> becomes
> > server and the server becomes client). However this is
> what I
> > get while trying to ssh from server to client:
> >  
> >  
> > debug3: Wrote 48 bytes for a total of 1063
> > debug2: service_accept: ssh-userauth
> > debug1: SSH2_MSG_SERVICE_ACCEPT received
> > debug2: key: /home/mahmood/.ssh/identity ((nil))
> > debug2: key: /home/mahmood/.ssh/id_rsa ((nil))
> > debug2: key: /home/mahmood/.ssh/id_dsa ((nil))
> > debug3: Wrote 64 bytes for a total of 1127
> > debug1: Authentications that can continue:
> > publickey,password,hostbased
> > debug3: start over, passed a different list
> > publickey,password,hostbased
> > debug3: preferred
> >
> gssapi-keyex,gssapi-with-mic,gssapi,hostbased,publickey,keyboard-interactive,password
> > debug3: authmethod_lookup hostbased
> > debug3: remaining preferred:
> > publickey,keyboard-interactive,password
> > debug3: authmethod_is_enabled hostbased
> > debug1: Next authentication method: hostbased
> > get_socket_address: getnameinfo 8 failed: Name or
> service
> > not known
> > debug2: userauth_hostbased: chost server.
> > debug2: ssh_keysign called
> > debug3: ssh_msg_send: type 2
> > debug3: ssh_msg_recv entering
> > debug1: permanently_drop_suid: 1000
> > get_socket_address: getnameinfo 8 failed: Name or
> service
> > not known
> > cannot get sockname for fd
> > ssh_keysign: no reply
> > key_sign failed
> > debug2: we did not send a packet, disable method
> > debug3: authmethod_lookup publickey
> > debug3: remaining preferred:
> keyboard-interactive,password
> > debug3: authmethod_is_enabled publickey
> > debug1: Next authentication method: publickey
> > debug1: Trying private key:
> /home/mahmood/.ssh/identity
> > debug3: no such identity: /home/mahmood/.ssh/identity
> > debug1: Trying private key: /home/mahmood/.ssh/id_rsa
> > debug3: no such identity: /home/mahmood/.ssh/id_rsa
> > debug1: Trying private key: /home/mahmood/.ssh/id_dsa
> > debug3: no such identity: /home/mahmood/.ssh/id_dsa
> > debug2: we did not send a packet, disable method
> > debug3: authmethod_lookup password
> > debug3: remaining preferred: ,password
> > debug3: authmethod_is_enabled password
> > debug1: Next authentication method: password
> > mahmood@192.168.1.3's password:
> >
> >  
> > What is your suggestion?
> >
> > // Naderan *Mahmood;
> >
> >
> > ----- Original Message -----
> > From: Sharad <sharad2011@yahoo.com>
> > To: Mahmood Naderan <nt_mahmood@yahoo.com>
> > Cc: "secureshell@securityfocus.com"
> > <secureshell@securityfocus.com>
> > Sent: Thursday, April 28, 2011 5:20 PM
> > Subject: Re: problem with HostbasedAuthentication
> >
> > Mahmood,
> >
> > The files are /home/username/.ssh/known_hosts on both
> > server and client.
> >
> > By FQDN, I meant host's fully qualified domain name.
> >
> > Following is the example:
> >
> > Assuming both client and server are linux hosts:
> >
> > Server IP: 192.168.1.1
> > Client IP: 192.168.1.101
> >
> > Server Name: lnx_srvr_1.domain.com
> > Client Name: lnx_clnt_101.domain.com
> >
> > User name on each host is mahmood.
> >
> > Following would be the entries in .shosts on lnx_srvr_1
> >
> >
> > lnx_srvr_1:/home/mahmood $ cat .shosts
> >
> > lnx_clnt_101.domain.com mahmood
> > 192.168.1.101 mahmood
> > lnx_clnt_101 mahmood
> >
> > Following should exist in /home/mahmood/.ssh/known_hosts
> > file on the server side:
> > 192.168.1.101,lnx_clnt_101,lnx_clnt_101.domain.com ssh-rsa AAAAB3Nz...
> >
> > Following should also exist in
> > /home/mahmood/.ssh/known_hosts file on the client side:
> > 192.168.1.1,lnx_srvr_1,lnx_srvr_1.domain.com ssh-rsa AAAAB3Nz...
> >
> > Ensure that .ssh directory on both client and server are
> > rwx for owner only and group/rest of world is 000.
> >
> > Hope this helps! Good Luck! :)
> >
> > Regards,
> > Sharad 
> > --- On Thu, 28/4/11, Mahmood Naderan <nt_mahmood@yahoo.com>
> > wrote:
> >
> > > From: Mahmood Naderan <nt_mahmood@yahoo.com>
> > > Subject: Re: problem with HostbasedAuthentication
> > > To: "Sharad" <sharad2011@yahoo.com>
> > > Cc: "secureshell@securityfocus.com" <secureshell@securityfocus.com>
> > > Date: Thursday, 28 April, 2011, 3:54 PM
> > > Can you explain exactly which file I
> > > should edit? What is FQDN? By 'hostname', do you mean server
> > > hostname or client hostname?
> > > Should I do that on both sides or server side?...
> > >
> > > // Naderan *Mahmood;
> > >
> > >
> > > ----- Original Message -----
> > > From: Sharad <sharad2011@yahoo.com>
> > > To: Mahmood Naderan <nt_mahmood@yahoo.com>;
> > > Asif Iqbal <vadud3@gmail.com>
> > > Cc: "secureshell@securityfocus.com"
> > > <secureshell@securityfocus.com>
> > > Sent: Thursday, April 28, 2011 1:16 PM
> > > Subject: Re: problem with HostbasedAuthentication
> > >
> > > Sometimes the issue lies with hostname as well. What I mean
> > > with that is the known_hosts may have just the host name
> > > whereas when the connection is established, the debug shows
> > > the FQDN. I faced this issue so to be sure, I edited the
> > > known_hosts file and inserted the hostname, hostname's FQDN
> > > and its IP address (all comma separated).
> > >
> > > Also ensure that both the hosts' known_hosts files have
> > > opposite servers names (as prescribed above).
> > >
> > > All the above checks make it work for me.
> > >
> > > Hope this solves.
> > >
> > > Kind regards,
> > > Sharad
> > > --- On Thu, 28/4/11, Asif Iqbal <vadud3@gmail.com>
> > > wrote:
> > >
> > > > From: Asif Iqbal <vadud3@gmail.com>
> > > > Subject: Re: problem with HostbasedAuthentication
> > > > To: "Mahmood Naderan" <nt_mahmood@yahoo.com>
> > > > Cc: "secureshell@securityfocus.com" <secureshell@securityfocus.com>
> > > > Date: Thursday, 28 April, 2011, 12:38 AM
> > > > On Wed, Apr 27, 2011 at 1:12 AM,
> > > > Mahmood Naderan <nt_mahmood@yahoo.com>
> > > > wrote:
> > > > >>Change the order method. Have hostbased before password
> > > > >
> > > > > Sorry where should I do that?
> > > >
> > > > man ssh_config and look into PreferredAuthentications
> > > >
> > > > >
> > > > > // Naderan *Mahmood;
> > > > >
> > > > > From: Asif Iqbal <vadud3@gmail.com>
> > > > > To: Mahmood Naderan <nt_mahmood@yahoo.com>
> > > > > Cc: "secureshell@securityfocus.com" <secureshell@securityfocus.com>
> > > > > Sent: Wednesday, April 27, 2011 9:17 AM
> > > > > Subject: Re: problem with HostbasedAuthentication
> > > > >
> > > > >
> > > > > Change the order method. Have hostbased before password
> > > > > On Apr 26, 2011 11:52 PM, "Mahmood Naderan" <nt_mahmood@yahoo.com> wrote:
> > > > >>
> > > > >>
> > > > >> Hi,
> > > > > >> I am trying to set up a hostbased passwordless ssh
> > > > > >> from a client to a server using this guide
> > > > > >> http://www.ehow.com/how_7621307_set-up-hostbased-authentication.html.
> > > > > >>
> > > > > >> The client looks like:
> > > > > >>
> > > > > >> mahmood@client:~$ cat /etc/ssh/ssh_config  | grep "HostbasedAuthentication"
> > > > > >>    HostbasedAuthentication yes
> > > > > >> mahmood@client:~$ cat /etc/ssh/ssh_config  | grep "EnableSSHKeysign"
> > > > > >>    EnableSSHKeysign yes
> > > > > >>
> > > > > >>
> > > > > >> and the server looks like:
> > > > > >> mahmood@server:~$ cat /etc/ssh/sshd_config  | grep "HostbasedAuthentication"
> > > > > >> HostbasedAuthentication yes
> > > > > >> mahmood@server:~$ cat /etc/ssh/sshd_config  | grep "IgnoreRhosts"
> > > > > >> IgnoreRhosts no
> > > > > >>
> > > > > >> also the server has the key for client:
> > > > > >>
> > > > > >> mahmood@server:~$ cat /etc/ssh/ssh_known_hosts
> > > > > >> client ssh-rsa AAAAB3Nz.....
> > > > > >>
> > > > > >> the ~/.shosts file on the server contains:
> > > > > >> mahmood@server:~$ cat .shosts
> > > > > >> client.domain mahmood
> > > > > >>
> > > > > >> Then on both server and client, the ssh service is restarted:
> > > > > >> mahmood@client:~$ sudo service ssh restart
> > > > > >> ssh start/running, process 1355
> > > > > >> mahmood@server:~$ sudo service ssh restart
> > > > > >> ssh start/running, process 28982
> > > > > >>
> > > > > >> However, when I run "ssh -vvv server" from client (to
> > > > > >> show the verbose messages), I still get the password prompt.
> > > > > >>
> > > > >> mahmood@client:~$ ssh -vvv server
> > > > > >> OpenSSH_5.3p1 Debian-3ubuntu6, OpenSSL 0.9.8k 25 Mar 2009
> > > > > >> debug1: Reading configuration data /etc/ssh/ssh_config
> > > > > >> debug1: Applying options for *
> > > > > >> debug2: ssh_connect: needpriv 0
> > > > > >> debug1: Connecting to server [192.168.1.1] port 22.
> > > > > >> debug1: Connection established.
> > > > > >> debug1: identity file /home/mahmood/.ssh/identity type -1
> > > > > >> debug1: identity file /home/mahmood/.ssh/id_rsa type -1
> > > > > >> debug1: identity file /home/mahmood/.ssh/id_dsa type -1
> > > > > >> debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3p1 Debian-3ubuntu4
> > > > > >> debug1: match: OpenSSH_5.3p1 Debian-3ubuntu4 pat OpenSSH*
> > > > > >> debug1: Enabling compatibility mode for protocol 2.0
> > > > > >> debug1: Local version string SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu6
> > > > > >> debug2: fd 3 setting O_NONBLOCK
> > > > > >> debug1: SSH2_MSG_KEXINIT sent
> > > > > >> debug3: Wrote 792 bytes for a total of 831
> > > > > >> debug1: SSH2_MSG_KEXINIT received
> > > > > >> debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> > > > > >> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> > > > > >> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> > > > > >> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> > > > > >> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> > > > > >> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> > > > > >> debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
> > > > > >> debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
> > > > > >> debug2: kex_parse_kexinit:
> > > > > >> debug2: kex_parse_kexinit:
> > > > > >> debug2: kex_parse_kexinit: first_kex_follows 0
> > > > > >> debug2: kex_parse_kexinit: reserved 0
> > > > > >> debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> > > > > >> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> > > > > >> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> > > > > >> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> > > > > >> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> > > > > >> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> > > > > >> debug2: kex_parse_kexinit: none,zlib@openssh.com
> > > > > >> debug2: kex_parse_kexinit: none,zlib@openssh.com
> > > > > >> debug2: kex_parse_kexinit:
> > > > > >> debug2: kex_parse_kexinit:
> > > > > >> debug2: kex_parse_kexinit: first_kex_follows 0
> > > > > >> debug2: kex_parse_kexinit: reserved 0
> > > > > >> debug2: mac_setup: found hmac-md5
> > > > > >> debug1: kex: server->client aes128-ctr hmac-md5 none
> > > > > >> debug2: mac_setup: found hmac-md5
> > > > > >> debug1: kex: client->server aes128-ctr hmac-md5 none
> > > > > >> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> > > > > >> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> > > > > >> debug3: Wrote 24 bytes for a total of 855
> > > > > >> debug2: dh_gen_key: priv key bits set: 124/256
> > > > > >> debug2: bits set: 507/1024
> > > > > >> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> > > > > >> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> > > > > >> debug3: Wrote 144 bytes for a total of 999
> > > > > >> debug3: check_host_in_hostfile: filename /home/mahmood/.ssh/known_hosts
> > > > > >> debug3: check_host_in_hostfile: match line 1
> > > > > >> debug3: check_host_in_hostfile: filename /home/mahmood/.ssh/known_hosts
> > > > > >> debug3: check_host_in_hostfile: match line 2
> > > > > >> debug1: Host 'server' is known and matches the RSA host key.
> > > > > >> debug1: Found key in /home/mahmood/.ssh/known_hosts:1
> > > > > >> debug2: bits set: 503/1024
> > > > > >> debug1: ssh_rsa_verify: signature correct
> > > > > >> debug2: kex_derive_keys
> > > > > >> debug2: set_newkeys: mode 1
> > > > > >> debug1: SSH2_MSG_NEWKEYS sent
> > > > > >> debug1: expecting SSH2_MSG_NEWKEYS
> > > > > >> debug3: Wrote 16 bytes for a total of 1015
> > > > > >> debug2: set_newkeys: mode 0
> > > > > >> debug1: SSH2_MSG_NEWKEYS received
> > > > > >> debug1: SSH2_MSG_SERVICE_REQUEST sent
> > > > > >> debug3: Wrote 48 bytes for a total of 1063
> > > > > >> debug2: service_accept: ssh-userauth
> > > > > >> debug1: SSH2_MSG_SERVICE_ACCEPT received
> > > > > >> debug2: key: /home/mahmood/.ssh/identity ((nil))
> > > > > >> debug2: key: /home/mahmood/.ssh/id_rsa ((nil))
> > > > > >> debug2: key: /home/mahmood/.ssh/id_dsa ((nil))
> > > > > >> debug3: Wrote 64 bytes for a total of 1127
> > > > > >> debug1: Authentications that can continue: publickey,password,hostbased
> > > > > >> debug3: start over, passed a different list publickey,password,hostbased
> > > > > >> debug3: preferred gssapi-keyex,gssapi-with-mic,gssapi,hostbased,publickey,keyboard-interactive,password
> > > > > >> debug3: authmethod_lookup hostbased
> > > > > >> debug3: remaining preferred: publickey,keyboard-interactive,password
> > > > > >> debug3: authmethod_is_enabled hostbased
> > > > > >> debug1: Next authentication method: hostbased
> > > > > >> debug2: userauth_hostbased: chost client.
> > > > > >> debug2: ssh_keysign called
> > > > > >> debug3: ssh_msg_send: type 2
> > > > > >> debug3: ssh_msg_recv entering
> > > > > >> debug1: permanently_drop_suid: 1000
> > > > > >> debug2: we sent a hostbased packet, wait for reply
> > > > > >> debug3: Wrote 608 bytes for a total of 1735
> > > > > >> debug1: Authentications that can continue: publickey,password,hostbased
> > > > > >> debug2: userauth_hostbased: chost client.
> > > > > >> debug2: ssh_keysign called
> > > > > >> debug3: ssh_msg_send: type 2
> > > > > >> debug3: ssh_msg_recv entering
> > > > > >> debug1: permanently_drop_suid: 1000
> > > > > >> debug2: we sent a hostbased packet, wait for reply
> > > > > >> debug3: Wrote 672 bytes for a total of 2407
> > > > > >> debug1: Authentications that can continue: publickey,password,hostbased
> > > > > >> debug1: No more client hostkeys for hostbased authentication.
> > > > > >> debug2: we did not send a packet, disable method
> > > > > >> debug3: authmethod_lookup publickey
> > > > > >> debug3: remaining preferred: keyboard-interactive,password
> > > > > >> debug3: authmethod_is_enabled publickey
> > > > > >> debug1: Next authentication method: publickey
> > > > > >> debug1: Trying private key: /home/mahmood/.ssh/identity
> > > > > >> debug3: no such identity: /home/mahmood/.ssh/identity
> > > > > >> debug1: Trying private key: /home/mahmood/.ssh/id_rsa
> > > > > >> debug3: no such identity: /home/mahmood/.ssh/id_rsa
> > > > > >> debug1: Trying private key: /home/mahmood/.ssh/id_dsa
> > > > > >> debug3: no such identity: /home/mahmood/.ssh/id_dsa
> > > > > >> debug2: we did not send a packet, disable method
> > > > > >> debug3: authmethod_lookup password
> > > > > >> debug3: remaining preferred: ,password
> > > > > >> debug3: authmethod_is_enabled password
> > > > > >> debug1: Next authentication method: password
> > > > > >> mahmood@server's password:
> > > > >>
> > > > >>
> > > > >> Any idea about that?
> > > > >>
> > > > >> // Naderan *Mahmood;
> > > > >>
> > > > >
> > > >
> > > >
> > > >
> > > > --
> > > > Asif Iqbal
> > > > PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
> > > > A: Because it messes up the order in which people normally
> > > > read text.
> > > > Q: Why is top-posting such a bad thing?
> > > >
> > >
> >
> >
>
>
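
The two client-side traces posted in this thread stop at different stages: in the first post the client sent a signed hostbased request and the server kept offering other methods, while in the server-to-client attempt ssh-keysign returned no signature and no request was sent. The following Python sketch is an added example, not part of any post in the thread; it classifies that stage from unwrapped `ssh -vvv` output, and its function names, verdict labels and sample strings are assumptions made for illustration.

```python
import re

QUOTE_PREFIX = re.compile(r"^(?:>\s?)+")  # "> > " markers left by mail archives
CHOST = re.compile(r"^debug2: userauth_hostbased: chost (\S+)$")


def clean_lines(text):
    """Strip mail-quote markers and blank lines (log lines must not be wrapped)."""
    stripped = (QUOTE_PREFIX.sub("", raw).strip() for raw in text.splitlines())
    return [line for line in stripped if line]


def diagnose_hostbased(transcript):
    """Classify the hostbased attempt in client-side `ssh -vvv` output."""
    offered = accepted = keysign_failed = in_hostbased = False
    chosts, resolver_errors, packets_sent = [], [], 0
    for line in clean_lines(transcript):
        if line.startswith("debug1: Authentications that can continue:"):
            methods = line.split(":", 2)[2].strip().split(",")
            offered = offered or "hostbased" in methods
        elif line.startswith("debug1: Next authentication method:"):
            in_hostbased = line.endswith(" hostbased")
        elif line.startswith("debug1: Authentication succeeded (hostbased)"):
            accepted = True
        elif in_hostbased:
            match = CHOST.match(line)
            if match:
                name = match.group(1).rstrip(".")  # drop the trailing dot
                if name not in chosts:
                    chosts.append(name)
            elif "getnameinfo" in line and "failed" in line:
                resolver_errors.append(line)
            elif line.startswith("debug2: we sent a hostbased packet"):
                packets_sent += 1
            elif line in ("ssh_keysign: no reply", "key_sign failed"):
                keysign_failed = True
    if accepted:
        verdict, hint = "accepted", "hostbased authentication succeeded"
    elif not offered:
        verdict, hint = "not_offered", "server did not list hostbased; check sshd_config"
    elif keysign_failed:
        verdict = "keysign_failed"
        hint = "no signature was produced on the connecting host"
        if resolver_errors:
            hint += "; a name lookup failed there, check that host names resolve"
    elif packets_sent:
        verdict = "server_rejected"
        hint = ("server refused the signed request; compare the announced name "
                "with known_hosts and .shosts on the server")
    else:
        verdict, hint = "not_attempted", "client never tried hostbased; check ssh_config"
    return {"verdict": verdict, "hint": hint, "chosts": chosts,
            "packets_sent": packets_sent, "resolver_errors": resolver_errors}


def names_in_hosts_file(text):
    """Host names from .shosts or known_hosts text: the first field, comma-split."""
    names = set()
    for line in clean_lines(text):
        if line.startswith("#") or line.startswith("|"):  # comment or hashed entry
            continue
        names.update(line.split()[0].split(","))
    return names


# Constructed samples: unwrapped excerpts of the two failures posted in this thread.
SAMPLE_REJECTED = """\
debug1: Authentications that can continue: publickey,password,hostbased
debug1: Next authentication method: hostbased
debug2: userauth_hostbased: chost client.
debug2: we sent a hostbased packet, wait for reply
debug1: Authentications that can continue: publickey,password,hostbased
debug2: userauth_hostbased: chost client.
debug2: we sent a hostbased packet, wait for reply
debug1: Authentications that can continue: publickey,password,hostbased
debug1: No more client hostkeys for hostbased authentication.
debug2: we did not send a packet, disable method
"""

SAMPLE_KEYSIGN = """\
> > debug1: Authentications that can continue: publickey,password,hostbased
> > debug1: Next authentication method: hostbased
> > get_socket_address: getnameinfo 8 failed: Name or service not known
> > debug2: userauth_hostbased: chost server.
> > get_socket_address: getnameinfo 8 failed: Name or service not known
> > cannot get sockname for fd
> > ssh_keysign: no reply
> > key_sign failed
> > debug2: we did not send a packet, disable method
> > debug1: Next authentication method: publickey
"""

if __name__ == "__main__":
    for sample in (SAMPLE_REJECTED, SAMPLE_KEYSIGN):
        report = diagnose_hostbased(sample)
        print(report["verdict"], report["chosts"], "-", report["hint"])
```

`names_in_hosts_file` is a plain string comparison aid, not a reimplementation of sshd's matching: for the first post it shows that the announced name `client` is not the `client.domain` entry listed in the posted `.shosts`.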
Re: problem with HostbasedAuthentication [ In reply to ]
Sorry what do you mean?
 
mahmood@server:~$ sudo sshd -d
sshd re-exec requires execution with an absolute path
mahmood@server:~$ sudo sshd -d 3
sshd re-exec requires execution with an absolute path
mahmood@server:~$ sudo sshd -ddd
sshd re-exec requires execution with an absolute path

My last post was the debug information for server->client.

// Naderan *Mahmood;


----- Original Message -----
From: Sharad <sharad2011@yahoo.com>
To: Mahmood Naderan <nt_mahmood@yahoo.com>
Cc: "secureshell@securityfocus.com" <secureshell@securityfocus.com>
Sent: Friday, April 29, 2011 11:31 AM
Subject: Re: problem with HostbasedAuthentication

Can you run debug on server as well using sshd -d. More -d's mean more debug information (you can use at the max 3 d's) :D

Regards,
Sharad
--- On Fri, 29/4/11, Mahmood Naderan <nt_mahmood@yahoo.com> wrote:

> From: Mahmood Naderan <nt_mahmood@yahoo.com>
> Subject: Re: problem with HostbasedAuthentication
> To: "Sharad" <sharad2011@yahoo.com>
> Cc: "secureshell@securityfocus.com" <secureshell@securityfocus.com>
> Date: Friday, 29 April, 2011, 12:23 PM
> The same thing happens with IP address
>  
>  
> mahmood@server:~$ ssh -vvv 192.168.1.3
> OpenSSH_5.3p1 Debian-3ubuntu4, OpenSSL 0.9.8k 25 Mar 2009
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug2: ssh_connect: needpriv 0
> debug1: Connecting to 192.168.1.3 [192.168.1.3] port 22.
> debug1: Connection established.
> debug1: identity file /home/mahmood/.ssh/identity type -1
> debug1: identity file /home/mahmood/.ssh/id_rsa type -1
> debug1: identity file /home/mahmood/.ssh/id_dsa type -1
> debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3p1 Debian-3ubuntu6
> debug1: match: OpenSSH_5.3p1 Debian-3ubuntu6 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu4
> debug2: fd 3 setting O_NONBLOCK
> debug1: SSH2_MSG_KEXINIT sent
> debug3: Wrote 792 bytes for a total of 831
> debug1: SSH2_MSG_KEXINIT received
> debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
> debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib@openssh.com
> debug2: kex_parse_kexinit: none,zlib@openssh.com
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: mac_setup: found hmac-md5
> debug1: kex: server->client aes128-ctr hmac-md5 none
> debug2: mac_setup: found hmac-md5
> debug1: kex: client->server aes128-ctr hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> debug3: Wrote 24 bytes for a total of 855
> debug2: dh_gen_key: priv key bits set: 129/256
> debug2: bits set: 505/1024
> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> debug3: Wrote 144 bytes for a total of 999
> debug3: check_host_in_hostfile: filename /home/mahmood/.ssh/known_hosts
> debug3: check_host_in_hostfile: match line 1
> debug1: Host '192.168.1.3' is known and matches the RSA host key.
> debug1: Found key in /home/mahmood/.ssh/known_hosts:1
> debug2: bits set: 517/1024
> debug1: ssh_rsa_verify: signature correct
> debug2: kex_derive_keys
> debug2: set_newkeys: mode 1
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug3: Wrote 16 bytes for a total of 1015
> debug2: set_newkeys: mode 0
> debug1: SSH2_MSG_NEWKEYS received
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug3: Wrote 48 bytes for a total of 1063
> debug2: service_accept: ssh-userauth
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug2: key: /home/mahmood/.ssh/identity ((nil))
> debug2: key: /home/mahmood/.ssh/id_rsa ((nil))
> debug2: key: /home/mahmood/.ssh/id_dsa ((nil))
> debug3: Wrote 64 bytes for a total of 1127
> debug1: Authentications that can continue: publickey,password,hostbased
> debug3: start over, passed a different list publickey,password,hostbased
> debug3: preferred gssapi-keyex,gssapi-with-mic,gssapi,hostbased,publickey,keyboard-interactive,password
> debug3: authmethod_lookup hostbased
> debug3: remaining preferred: publickey,keyboard-interactive,password
> debug3: authmethod_is_enabled hostbased
> debug1: Next authentication method: hostbased
> get_socket_address: getnameinfo 8 failed: Name or service not known
> debug2: userauth_hostbased: chost server.
> debug2: ssh_keysign called
> debug3: ssh_msg_send: type 2
> debug3: ssh_msg_recv entering
> debug1: permanently_drop_suid: 1000
> get_socket_address: getnameinfo 8 failed: Name or service not known
> cannot get sockname for fd
> ssh_keysign: no reply
> key_sign failed
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup publickey
> debug3: remaining preferred: keyboard-interactive,password
> debug3: authmethod_is_enabled publickey
> debug1: Next authentication method: publickey
> debug1: Trying private key: /home/mahmood/.ssh/identity
> debug3: no such identity: /home/mahmood/.ssh/identity
> debug1: Trying private key: /home/mahmood/.ssh/id_rsa
> debug3: no such identity: /home/mahmood/.ssh/id_rsa
> debug1: Trying private key: /home/mahmood/.ssh/id_dsa
> debug3: no such identity: /home/mahmood/.ssh/id_dsa
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup password
> debug3: remaining preferred: ,password
> debug3: authmethod_is_enabled password
> debug1: Next authentication method: password
> mahmood@192.168.1.3's password:
>
>
> // Naderan *Mahmood;
>
>
> ----- Original Message -----
> From: Sharad <sharad2011@yahoo.com>
> To: Mahmood Naderan <nt_mahmood@yahoo.com>
> Cc: "secureshell@securityfocus.com"
> <secureshell@securityfocus.com>
> Sent: Friday, April 29, 2011 11:19 AM
> Subject: Re: problem with HostbasedAuthentication
>
> Hi Mahmood,
>
> This line looks out of place. Check that host name is
> getting resolved:
>
> get_socket_address: getnameinfo 8 failed: Name or service not known
>
> I am sure you would have performed the same steps on both
> hosts. Try establishing connection with IP Address instead
> of hostname.
>
> Regards,
> Sharad
> --- On Thu, 28/4/11, Mahmood Naderan <nt_mahmood@yahoo.com>
> wrote:
>
> > From: Mahmood Naderan <nt_mahmood@yahoo.com>
> > Subject: Re: problem with HostbasedAuthentication
> > To: "Sharad" <sharad2011@yahoo.com>
> > Cc: "secureshell@securityfocus.com" <secureshell@securityfocus.com>
> > Date: Thursday, 28 April, 2011, 11:12 PM
> > Dear Sharad,
> > I am now trying to set up a hostbased ssh from server to
> > client (previously client->server worked fine based on
> > your help). I want it to be bidirectional.
> >
> > I did the same thing in reverse (now the client becomes
> > server and the server becomes client). However this is what I
> > get while trying to ssh from server to client:
> >  
> >  
> > debug3: Wrote 48 bytes for a total of 1063
> > debug2: service_accept: ssh-userauth
> > debug1: SSH2_MSG_SERVICE_ACCEPT received
> > debug2: key: /home/mahmood/.ssh/identity ((nil))
> > debug2: key: /home/mahmood/.ssh/id_rsa ((nil))
> > debug2: key: /home/mahmood/.ssh/id_dsa ((nil))
> > debug3: Wrote 64 bytes for a total of 1127
> > debug1: Authentications that can continue: publickey,password,hostbased
> > debug3: start over, passed a different list publickey,password,hostbased
> > debug3: preferred gssapi-keyex,gssapi-with-mic,gssapi,hostbased,publickey,keyboard-interactive,password
> > debug3: authmethod_lookup hostbased
> > debug3: remaining preferred: publickey,keyboard-interactive,password
> > debug3: authmethod_is_enabled hostbased
> > debug1: Next authentication method: hostbased
> > get_socket_address: getnameinfo 8 failed: Name or service not known
> > debug2: userauth_hostbased: chost server.
> > debug2: ssh_keysign called
> > debug3: ssh_msg_send: type 2
> > debug3: ssh_msg_recv entering
> > debug1: permanently_drop_suid: 1000
> > get_socket_address: getnameinfo 8 failed: Name or service not known
> > cannot get sockname for fd
> > ssh_keysign: no reply
> > key_sign failed
> > debug2: we did not send a packet, disable method
> > debug3: authmethod_lookup publickey
> > debug3: remaining preferred: keyboard-interactive,password
> > debug3: authmethod_is_enabled publickey
> > debug1: Next authentication method: publickey
> > debug1: Trying private key: /home/mahmood/.ssh/identity
> > debug3: no such identity: /home/mahmood/.ssh/identity
> > debug1: Trying private key: /home/mahmood/.ssh/id_rsa
> > debug3: no such identity: /home/mahmood/.ssh/id_rsa
> > debug1: Trying private key: /home/mahmood/.ssh/id_dsa
> > debug3: no such identity: /home/mahmood/.ssh/id_dsa
> > debug2: we did not send a packet, disable method
> > debug3: authmethod_lookup password
> > debug3: remaining preferred: ,password
> > debug3: authmethod_is_enabled password
> > debug1: Next authentication method: password
> > mahmood@192.168.1.3's password:
> >
> >  
> > What is your suggestion?
> >
> > // Naderan *Mahmood;
> >
> >
> > ----- Original Message -----
> > From: Sharad <sharad2011@yahoo.com>
> > To: Mahmood Naderan <nt_mahmood@yahoo.com>
> > Cc: "secureshell@securityfocus.com"
> > <secureshell@securityfocus.com>
> > Sent: Thursday, April 28, 2011 5:20 PM
> > Subject: Re: problem with HostbasedAuthentication
> >
> > Mahmood,
> >
> > The files are /home/username/.ssh/known_hosts on both
> > server and client.
> >
> > By FQDN, I meant host's fully qualified domain name.
> >
> > Following is the example:
> >
> > Assuming both client and server are linux hosts:
> >
> > Server IP: 192.168.1.1
> > Client IP: 192.168.1.101
> >
> > Server Name: lnx_srvr_1.domain.com
> > Client Name: lnx_clnt_101.domain.com
> >
> > User name on each host is mahmood.
> >
> > Following would be the entries in .shosts on lnx_srvr_1
> >
> >
> > lnx_srvr_1:/home/mahmood $ cat .shosts
> >
> > lnx_clnt_101.domain.com mahmood
> > 192.168.1.101 mahmood
> > lnx_clnt_101 mahmood
> >
> > Following should exist in /home/mahmood/.ssh/known_hosts
> > file on the server side:
> > 192.168.1.101,lnx_clnt_101,lnx_clnt_101.domain.com ssh-rsa AAAAB3Nz...
> >
> > Following should also exist in
> > /home/mahmood/.ssh/known_hosts file on the client side:
> > 192.168.1.1,lnx_srvr_1,lnx_srvr_1.domain.com ssh-rsa AAAAB3Nz...
> >
> > Ensure that .ssh directory on both client and server are
> > rwx for owner only and group/rest of world is 000.
> >
> > Hope this helps! Good Luck! :)
> >
> > Regards,
> > Sharad 
> > --- On Thu, 28/4/11, Mahmood Naderan <nt_mahmood@yahoo.com>
> > wrote:
> >
> > > From: Mahmood Naderan <nt_mahmood@yahoo.com>
> > > Subject: Re: problem with HostbasedAuthentication
> > > To: "Sharad" <sharad2011@yahoo.com>
> > > Cc: "secureshell@securityfocus.com" <secureshell@securityfocus.com>
> > > Date: Thursday, 28 April, 2011, 3:54 PM
> > > Can you explain exactly which file I
> > > should edit? What is FQDN? By 'hostname', do you mean server
> > > hostname or client hostname?
> > > Should I do that on both sides or server side?...
> > >
> > > // Naderan *Mahmood;
> > >
> > >
> > > ----- Original Message -----
> > > From: Sharad <sharad2011@yahoo.com>
> > > To: Mahmood Naderan <nt_mahmood@yahoo.com>;
> > > Asif Iqbal <vadud3@gmail.com>
> > > Cc: "secureshell@securityfocus.com"
> > > <secureshell@securityfocus.com>
> > > Sent: Thursday, April 28, 2011 1:16 PM
> > > Subject: Re: problem with HostbasedAuthentication
> > >
> > > Sometimes the issue lies with hostname as well. What I mean
> > > with that is the known_hosts may have just the host name
> > > whereas when the connection is established, the debug shows
> > > the FQDN. I faced this issue so to be sure, I edited the
> > > known_hosts file and inserted the hostname, hostname's FQDN
> > > and its IP address (all comma separated).
> > >
> > > Also ensure that both the hosts' known_hosts files have
> > > opposite servers names (as prescribed above).
> > >
> > > All the above checks make it work for me.
> > >
> > > Hope this solves.
> > >
> > > Kind regards,
> > > Sharad
> > > --- On Thu, 28/4/11, Asif Iqbal <vadud3@gmail.com>
> > > wrote:
> > >
> > > > From: Asif Iqbal <vadud3@gmail.com>
> > > > Subject: Re: problem with HostbasedAuthentication
> > > > To: "Mahmood Naderan" <nt_mahmood@yahoo.com>
> > > > Cc: "secureshell@securityfocus.com" <secureshell@securityfocus.com>
> > > > Date: Thursday, 28 April, 2011, 12:38 AM
> > > > On Wed, Apr 27, 2011 at 1:12 AM,
> > > > Mahmood Naderan <nt_mahmood@yahoo.com>
> > > > wrote:
> > > > >>Change the order method. Have hostbased before password
> > > > >
> > > > > Sorry where should I do that?
> > > >
> > > > man ssh_config and look into PreferredAuthentications
> > > >
> > > > >
> > > > > // Naderan *Mahmood;
> > > > >
> > > > > From: Asif Iqbal <vadud3@gmail.com>
> > > > > To: Mahmood Naderan <nt_mahmood@yahoo.com>
> > > > > Cc: "secureshell@securityfocus.com" <secureshell@securityfocus.com>
> > > > > Sent: Wednesday, April 27, 2011 9:17 AM
> > > > > Subject: Re: problem with HostbasedAuthentication
> > > > >
> > > > >
> > > > > Change the order method. Have hostbased before password
> > > > > On Apr 26, 2011 11:52 PM, "Mahmood Naderan" <nt_mahmood@yahoo.com> wrote:
> > > > >>
> > > > >>
> > > > >> Hi,
> > > > > >> I am trying to set up a hostbased passwordless ssh
> > > > > >> from a client to a server using this guide
> > > > > >> http://www.ehow.com/how_7621307_set-up-hostbased-authentication.html.
> > > > > >>
> > > > > >> The client looks like:
> > > > > >>
> > > > > >> mahmood@client:~$ cat /etc/ssh/ssh_config  | grep "HostbasedAuthentication"
> > > > > >>    HostbasedAuthentication yes
> > > > > >> mahmood@client:~$ cat /etc/ssh/ssh_config  | grep "EnableSSHKeysign"
> > > > > >>    EnableSSHKeysign yes
> > > > > >>
> > > > > >>
> > > > > >> and the server looks like:
> > > > > >> mahmood@server:~$ cat /etc/ssh/sshd_config  | grep "HostbasedAuthentication"
> > > > > >> HostbasedAuthentication yes
> > > > > >> mahmood@server:~$ cat /etc/ssh/sshd_config  | grep "IgnoreRhosts"
> > > > > >> IgnoreRhosts no
> > > > > >>
> > > > > >> also the server has the key for client:
> > > > > >>
> > > > > >> mahmood@server:~$ cat /etc/ssh/ssh_known_hosts
> > > > > >> client ssh-rsa AAAAB3Nz.....
> > > > > >>
> > > > > >> the ~/.shosts file on the server contains:
> > > > > >> mahmood@server:~$ cat .shosts
> > > > > >> client.domain mahmood
> > > > > >>
> > > > > >> Then on both server and client, the ssh service is restarted:
> > > > > >> mahmood@client:~$ sudo service ssh restart
> > > > > >> ssh start/running, process 1355
> > > > > >> mahmood@server:~$ sudo service ssh restart
> > > > > >> ssh start/running, process 28982
> > > > > >>
> > > > > >> However, when I run "ssh -vvv server" from client (to
> > > > > >> show the verbose messages), I still get the password prompt.
> > > > > >>
> > > > >>
> > > > >>
> > > > >> Any idea about that?
> > > > >>
> > > > >> // Naderan *Mahmood;
> > > > >>
> > > > >
> > > >
> > > >
> > > >
> > > > --
> > > > Asif Iqbal
> > > > PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
> > > > A: Because it messes up the order in which people normally read text.
> > > > Q: Why is top-posting such a bad thing?
> > > >
> > >
> >
> >
>
>
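The advice quoted in this thread is to list the client's short name, FQDN and IP address in both known_hosts and .shosts on the server. As an added example (not code from any post), the shell functions below report which spellings are missing; the file contents are constructed from the values shown in the thread, the key is a placeholder, and hashed or marker entries in known_hosts are skipped rather than checked.

```shell
#!/bin/sh
# Added example: find name spellings missing from the server-side files that
# hostbased authentication consults. Sample data is constructed, not real.

# known_hosts_has FILE NAME -> status 0 if NAME appears in the comma-separated
# host field of a plain entry (hashed "|1|..." and "@marker" lines are skipped).
known_hosts_has() {
    awk -v want="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        $1 ~ /^[@|]/          { next }
        {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++) if ((names[i] "") == want) found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# shosts_has FILE NAME USER -> status 0 if a "NAME [USER]" line exists.
# Lines with +/- prefixes are not interpreted here.
shosts_has() {
    awk -v want="$2" -v user="$3" '
        /^[ \t]*#/ || NF == 0 { next }
        ($1 "") == want && (NF == 1 || ($2 "") == user) { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# hostbased_name_gaps KNOWN_HOSTS SHOSTS USER NAME...
# Prints one line per missing spelling; status 1 if anything is missing.
hostbased_name_gaps() {
    kh=$1 sh=$2 user=$3
    shift 3
    gaps=0
    for name in "$@"; do
        name=${name%.}   # the log shows "chost client."; sshd strips the trailing dot
        known_hosts_has "$kh" "$name" || { echo "known_hosts: missing $name"; gaps=1; }
        shosts_has "$sh" "$name" "$user" || { echo ".shosts: missing $name"; gaps=1; }
    done
    return "$gaps"
}

# Constructed files mirroring the original post: short name in one file,
# FQDN in the other.
write_thread_files() {
    printf '%s\n' 'client ssh-rsa CONSTRUCTED_PLACEHOLDER_KEY' > "$1/ssh_known_hosts"
    printf '%s\n' 'client.domain mahmood' > "$1/shosts"
}

# Constructed files following the quoted advice: every spelling in both files.
write_fixed_files() {
    printf '%s\n' '192.168.1.3,client,client.domain ssh-rsa CONSTRUCTED_PLACEHOLDER_KEY' \
        > "$1/ssh_known_hosts"
    printf '%s\n' 'client.domain mahmood' '192.168.1.3 mahmood' 'client mahmood' \
        > "$1/shosts"
}

demo() {
    dir=$(mktemp -d) || return 1
    write_thread_files "$dir"
    echo "As posted:"
    hostbased_name_gaps "$dir/ssh_known_hosts" "$dir/shosts" mahmood \
        client. client.domain 192.168.1.3 || true
    write_fixed_files "$dir"
    echo "With every spelling listed:"
    hostbased_name_gaps "$dir/ssh_known_hosts" "$dir/shosts" mahmood \
        client. client.domain 192.168.1.3 && echo "no gaps"
    rm -rf "$dir"
}

demo
```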
Re: problem with HostbasedAuthentication [ In reply to ]
Use the absolute path of sshd as follows:


sudo /etc/ssh/sbin/sshd -ddd

Please ensure that the path is correct. I don't know if your sshd exists in /etc/ssh/sbin/sshd.

Regards,
sharad
--- On Fri, 29/4/11, Mahmood Naderan <nt_mahmood@yahoo.com> wrote:

> From: Mahmood Naderan <nt_mahmood@yahoo.com>
> Subject: Re: problem with HostbasedAuthentication
> To: "Sharad" <sharad2011@yahoo.com>
> Cc: "secureshell@securityfocus.com" <secureshell@securityfocus.com>
> Date: Friday, 29 April, 2011, 12:34 PM
> Sorry what do you mean?
>  
> mahmood@server:~$ sudo sshd -d
> sshd re-exec requires execution with an absolute path
> mahmood@server:~$ sudo sshd -d 3
> sshd re-exec requires execution with an absolute path
> mahmood@server:~$ sudo sshd -ddd
> sshd re-exec requires execution with an absolute path
>
> My last post was the debug information for
> server->client.
>
> // Naderan *Mahmood;
>
>
> ----- Original Message -----
> From: Sharad <sharad2011@yahoo.com>
> To: Mahmood Naderan <nt_mahmood@yahoo.com>
> Cc: "secureshell@securityfocus.com"
> <secureshell@securityfocus.com>
> Sent: Friday, April 29, 2011 11:31 AM
> Subject: Re: problem with HostbasedAuthentication
>
> Can you run debug on server as well using sshd -d. More
> -d's mean more debug information (you can use at the max 3
> d's) :D
>
> Regards,
> Sharad
> --- On Fri, 29/4/11, Mahmood Naderan <nt_mahmood@yahoo.com>
> wrote:
>
> > From: Mahmood Naderan <nt_mahmood@yahoo.com>
> > Subject: Re: problem with HostbasedAuthentication
> > To: "Sharad" <sharad2011@yahoo.com>
> > Cc: "secureshell@securityfocus.com" <secureshell@securityfocus.com>
> > Date: Friday, 29 April, 2011, 12:23 PM
> > The same thing happens with IP address
> >
> >
> > mahmood@server:~$ ssh -vvv 192.168.1.3
> > OpenSSH_5.3p1 Debian-3ubuntu4, OpenSSL 0.9.8k 25 Mar 2009
> > debug1: Reading configuration data /etc/ssh/ssh_config
> > debug1: Applying options for *
> > debug2: ssh_connect: needpriv 0
> > debug1: Connecting to 192.168.1.3 [192.168.1.3] port 22.
> > debug1: Connection established.
> > debug1: identity file /home/mahmood/.ssh/identity type -1
> > debug1: identity file /home/mahmood/.ssh/id_rsa type -1
> > debug1: identity file /home/mahmood/.ssh/id_dsa type -1
> > debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3p1 Debian-3ubuntu6
> > debug1: match: OpenSSH_5.3p1 Debian-3ubuntu6 pat OpenSSH*
> > debug1: Enabling compatibility mode for protocol 2.0
> > debug1: Local version string SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu4
> > debug2: fd 3 setting O_NONBLOCK
> > debug1: SSH2_MSG_KEXINIT sent
> > debug3: Wrote 792 bytes for a total of 831
> > debug1: SSH2_MSG_KEXINIT received
> > debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> > debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> > debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> > debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> > debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> > debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> > debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
> > debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
> > debug2: kex_parse_kexinit:
> > debug2: kex_parse_kexinit:
> > debug2: kex_parse_kexinit: first_kex_follows 0
> > debug2: kex_parse_kexinit: reserved 0
> > debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> > debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> > debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> > debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> > debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> > debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> > debug2: kex_parse_kexinit: none,zlib@openssh.com
> > debug2: kex_parse_kexinit: none,zlib@openssh.com
> > debug2: kex_parse_kexinit:
> > debug2: kex_parse_kexinit:
> > debug2: kex_parse_kexinit: first_kex_follows 0
> > debug2: kex_parse_kexinit: reserved 0
> > debug2: mac_setup: found hmac-md5
> > debug1: kex: server->client aes128-ctr hmac-md5 none
> > debug2: mac_setup: found hmac-md5
> > debug1: kex: client->server aes128-ctr hmac-md5 none
> > debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> > debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> > debug3: Wrote 24 bytes for a total of 855
> > debug2: dh_gen_key: priv key bits set: 129/256
> > debug2: bits set: 505/1024
> > debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> > debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> > debug3: Wrote 144 bytes for a total of 999
> > debug3: check_host_in_hostfile: filename /home/mahmood/.ssh/known_hosts
> > debug3: check_host_in_hostfile: match line 1
> > debug1: Host '192.168.1.3' is known and matches the RSA host key.
> > debug1: Found key in /home/mahmood/.ssh/known_hosts:1
> > debug2: bits set: 517/1024
> > debug1: ssh_rsa_verify: signature correct
> > debug2: kex_derive_keys
> > debug2: set_newkeys: mode 1
> > debug1: SSH2_MSG_NEWKEYS sent
> > debug1: expecting SSH2_MSG_NEWKEYS
> > debug3: Wrote 16 bytes for a total of 1015
> > debug2: set_newkeys: mode 0
> > debug1: SSH2_MSG_NEWKEYS received
> > debug1: SSH2_MSG_SERVICE_REQUEST sent
> > debug3: Wrote 48 bytes for a total of 1063
> > debug2: service_accept: ssh-userauth
> > debug1: SSH2_MSG_SERVICE_ACCEPT received
> > debug2: key: /home/mahmood/.ssh/identity ((nil))
> > debug2: key: /home/mahmood/.ssh/id_rsa ((nil))
> > debug2: key: /home/mahmood/.ssh/id_dsa ((nil))
> > debug3: Wrote 64 bytes for a total of 1127
> > debug1: Authentications that can continue: publickey,password,hostbased
> > debug3: start over, passed a different list publickey,password,hostbased
> > debug3: preferred gssapi-keyex,gssapi-with-mic,gssapi,hostbased,publickey,keyboard-interactive,password
> > debug3: authmethod_lookup hostbased
> > debug3: remaining preferred: publickey,keyboard-interactive,password
> > debug3: authmethod_is_enabled hostbased
> > debug1: Next authentication method: hostbased
> > get_socket_address: getnameinfo 8 failed: Name or service not known
> > debug2: userauth_hostbased: chost server.
> > debug2: ssh_keysign called
> > debug3: ssh_msg_send: type 2
> > debug3: ssh_msg_recv entering
> > debug1: permanently_drop_suid: 1000
> > get_socket_address: getnameinfo 8 failed: Name or service not known
> > cannot get sockname for fd
> > ssh_keysign: no reply
> > key_sign failed
> > debug2: we did not send a packet, disable method
> > debug3: authmethod_lookup publickey
> > debug3: remaining preferred: keyboard-interactive,password
> > debug3: authmethod_is_enabled publickey
> > debug1: Next authentication method: publickey
> > debug1: Trying private key: /home/mahmood/.ssh/identity
> > debug3: no such identity: /home/mahmood/.ssh/identity
> > debug1: Trying private key: /home/mahmood/.ssh/id_rsa
> > debug3: no such identity: /home/mahmood/.ssh/id_rsa
> > debug1: Trying private key: /home/mahmood/.ssh/id_dsa
> > debug3: no such identity: /home/mahmood/.ssh/id_dsa
> > debug2: we did not send a packet, disable method
> > debug3: authmethod_lookup password
> > debug3: remaining preferred: ,password
> > debug3: authmethod_is_enabled password
> > debug1: Next authentication method: password
> > mahmood@192.168.1.3's password:
> >
> >
> > // Naderan *Mahmood;
> >
> >
> > ----- Original Message -----
> > From: Sharad <sharad2011@yahoo.com>
> > To: Mahmood Naderan <nt_mahmood@yahoo.com>
> > Cc: "secureshell@securityfocus.com"
> > <secureshell@securityfocus.com>
> > Sent: Friday, April 29, 2011 11:19 AM
> > Subject: Re: problem with HostbasedAuthentication
> >
> > Hi Mahmood,
> >
> > This line looks out of place. Check that host name is getting resolved:
> >
> > get_socket_address: getnameinfo 8 failed: Name or service not known
> >
> > I am sure you would have performed the same steps on both hosts.
> > Try establishing connection with IP Address instead of hostname.
> >
> > Regards,
> > Sharad
> > --- On Thu, 28/4/11, Mahmood Naderan <nt_mahmood@yahoo.com>
> > wrote:
> >
> > > From: Mahmood Naderan <nt_mahmood@yahoo.com>
> > > Subject: Re: problem with HostbasedAuthentication
> > > To: "Sharad" <sharad2011@yahoo.com>
> > > Cc: "secureshell@securityfocus.com" <secureshell@securityfocus.com>
> > > Date: Thursday, 28 April, 2011, 11:12 PM
> > > Dear Sharad,
> > > I am now trying to setup a hostbased ssh from server to client
> > > (previously client->server worked fine based on your help). I want
> > > it to be bidirectional.
> > >
> > > I did the same thing in reverse (now the client becomes server and
> > > the server becomes client). However this is what I get while trying
> > > to ssh from server to client:
> > >
> > >
> > > debug3: Wrote 48 bytes for a total of 1063
> > > debug2: service_accept: ssh-userauth
> > > debug1: SSH2_MSG_SERVICE_ACCEPT received
> > > debug2: key: /home/mahmood/.ssh/identity ((nil))
> > > debug2: key: /home/mahmood/.ssh/id_rsa ((nil))
> > > debug2: key: /home/mahmood/.ssh/id_dsa ((nil))
> > > debug3: Wrote 64 bytes for a total of 1127
> > > debug1: Authentications that can continue: publickey,password,hostbased
> > > debug3: start over, passed a different list publickey,password,hostbased
> > > debug3: preferred gssapi-keyex,gssapi-with-mic,gssapi,hostbased,publickey,keyboard-interactive,password
> > > debug3: authmethod_lookup hostbased
> > > debug3: remaining preferred: publickey,keyboard-interactive,password
> > > debug3: authmethod_is_enabled hostbased
> > > debug1: Next authentication method: hostbased
> > > get_socket_address: getnameinfo 8 failed: Name or service not known
> > > debug2: userauth_hostbased: chost server.
> > > debug2: ssh_keysign called
> > > debug3: ssh_msg_send: type 2
> > > debug3: ssh_msg_recv entering
> > > debug1: permanently_drop_suid: 1000
> > > get_socket_address: getnameinfo 8 failed: Name or service not known
> > > cannot get sockname for fd
> > > ssh_keysign: no reply
> > > key_sign failed
> > > debug2: we did not send a packet, disable method
> > > debug3: authmethod_lookup publickey
> > > debug3: remaining preferred: keyboard-interactive,password
> > > debug3: authmethod_is_enabled publickey
> > > debug1: Next authentication method: publickey
> > > debug1: Trying private key: /home/mahmood/.ssh/identity
> > > debug3: no such identity: /home/mahmood/.ssh/identity
> > > debug1: Trying private key: /home/mahmood/.ssh/id_rsa
> > > debug3: no such identity: /home/mahmood/.ssh/id_rsa
> > > debug1: Trying private key: /home/mahmood/.ssh/id_dsa
> > > debug3: no such identity: /home/mahmood/.ssh/id_dsa
> > > debug2: we did not send a packet, disable method
> > > debug3: authmethod_lookup password
> > > debug3: remaining preferred: ,password
> > > debug3: authmethod_is_enabled password
> > > debug1: Next authentication method: password
> > > mahmood@192.168.1.3's password:
> > >
> > >  
> > > What is your suggestion?
> > >
> > > // Naderan *Mahmood;
> > >
> > >
> > > ----- Original Message -----
> > > From: Sharad <sharad2011@yahoo.com>
> > > To: Mahmood Naderan <nt_mahmood@yahoo.com>
> > > Cc: "secureshell@securityfocus.com"
> > > <secureshell@securityfocus.com>
> > > Sent: Thursday, April 28, 2011 5:20 PM
> > > Subject: Re: problem with HostbasedAuthentication
> > >
> > > Mahmood,
> > >
> > > The files are /home/username/.ssh/known_hosts on both server and client.
> > >
> > > By FQDN, I meant host's fully qualified domain name.
> > >
> > > Following is the example:
> > >
> > > Assuming both client and server are linux hosts:
> > >
> > > Server IP: 192.168.1.1
> > > Client IP: 192.168.1.101
> > >
> > > Server Name: lnx_srvr_1.domain.com
> > > Client Name: lnx_clnt_101.domain.com
> > >
> > > User name on each host is mahmood.
> > >
> > > Following would be the entries in .shosts on lnx_srvr_1
> > >
> > >
> > > lnx_srvr_1:/home/mahmood $ cat .shosts
> > >
> > > lnx_clnt_101.domain.com mahmood
> > > 192.168.1.101 mahmood
> > > lnx_clnt_101 mahmood
> > >
> > > Following should exist in /home/mahmood/.ssh/known_hosts file on the server side:
> > >
> > > 192.168.1.101,lnx_clnt_101,lnx_clnt_101.domain.com ssh-rsa AAAAB3Nz...
> > >
> > > Following should also exist in /home/mahmood/.ssh/known_hosts file on the client side:
> > > 192.168.1.1,lnx_srvr_1,lnx_srvr_1.domain.com ssh-rsa AAAAB3Nz...
> > >
> > > Ensure that .ssh directory on both client and server are rwx for
> > > owner only and group/rest of world is 000.
> > >
> > > Hope this helps! Good Luck! :)
> > >
> > > Regards,
> > > Sharad
> > > --- On Thu, 28/4/11, Mahmood Naderan <nt_mahmood@yahoo.com>
> > > wrote:
> > >
> > > > From: Mahmood Naderan <nt_mahmood@yahoo.com>
> > > > Subject: Re: problem with HostbasedAuthentication
> > > > To: "Sharad" <sharad2011@yahoo.com>
> > > > Cc: "secureshell@securityfocus.com" <secureshell@securityfocus.com>
> > > > Date: Thursday, 28 April, 2011, 3:54 PM
> > > > Can you explain exactly which file I should edit? What is FQDN?
> > > > By 'hostname', do you mean server hostname or client hostname?
> > > > Should I do that on both sides or server side?...
> > > >
> > > > // Naderan *Mahmood;
> > > >
> > > >
> > > > ----- Original Message -----
> > > > From: Sharad <sharad2011@yahoo.com>
> > > > To: Mahmood Naderan <nt_mahmood@yahoo.com>;
> > > > Asif Iqbal <vadud3@gmail.com>
> > > > Cc: "secureshell@securityfocus.com"
> > > > <secureshell@securityfocus.com>
> > > > Sent: Thursday, April 28, 2011 1:16 PM
> > > > Subject: Re: problem with HostbasedAuthentication
> > > >
> > > > Sometimes the issue lies with hostname as well. What I mean with
> > > > that is the known_hosts may have just the host name whereas when
> > > > the connection is established, the debug shows the FQDN. I faced
> > > > this issue so to be sure, I edited the known_hosts file and
> > > > inserted the hostname, hostname's FQDN and its IP address (all
> > > > comma separated).
> > > >
> > > > Also ensure that both the hosts' known_hosts files have opposite
> > > > servers names (as prescribed above).
> > > >
> > > > All the above checks make it work for me.
> > > >
> > > > Hope this solves.
> > > >
> > > > Kind regards,
> > > > Sharad
> > > > --- On Thu, 28/4/11, Asif Iqbal <vadud3@gmail.com>
> > > > wrote:
> > > >
> > > > > From: Asif Iqbal <vadud3@gmail.com>
> > > > > Subject: Re: problem with HostbasedAuthentication
> > > > > To: "Mahmood Naderan" <nt_mahmood@yahoo.com>
> > > > > Cc: "secureshell@securityfocus.com" <secureshell@securityfocus.com>
> > > > > Date: Thursday, 28 April, 2011, 12:38 AM
> > > > > On Wed, Apr 27, 2011 at 1:12 AM, Mahmood Naderan <nt_mahmood@yahoo.com> wrote:
> > > > > >>Change the order method. Have hostbased before password
> > > > > >
> > > > > > Sorry where should I do that?
> > > > >
> > > > > man ssh_config and look into PreferredAuthentications
> > > > >
> > > > > >
> > > > > > // Naderan *Mahmood;
> > > > > >
> > > > > > From: Asif Iqbal <vadud3@gmail.com>
> > > > > > To: Mahmood Naderan <nt_mahmood@yahoo.com>
> > > > > > Cc: "secureshell@securityfocus.com" <secureshell@securityfocus.com>
> > > > > > Sent: Wednesday, April 27, 2011 9:17 AM
> > > > > > Subject: Re: problem with HostbasedAuthentication
> > > > > >
> > > > > >
> > > > > > Change the order method. Have hostbased before password
> > > > > > On Apr 26, 2011 11:52 PM, "Mahmood Naderan" <nt_mahmood@yahoo.com> wrote:
> > > > > >>
> > > > > >>
> > > > > > >> Hi,
> > > > > > >> I am trying to setup a hostbased passwordless ssh from a client to a server using this guide
> > > > > > >> http://www.ehow.com/how_7621307_set-up-hostbased-authentication.html.
> > > > > > >>
> > > > > > >> The client looks like:
> > > > > > >>
> > > > > > >> mahmood@client:~$ cat /etc/ssh/ssh_config  | grep "HostbasedAuthentication"
> > > > > > >>    HostbasedAuthentication yes
> > > > > > >> mahmood@client:~$ cat /etc/ssh/ssh_config  | grep "EnableSSHKeysign"
> > > > > > >>    EnableSSHKeysign yes
> > > > > > >>
> > > > > > >>
> > > > > > >> and the server looks like:
> > > > > > >> mahmood@server:~$ cat /etc/ssh/sshd_config  | grep "HostbasedAuthentication"
> > > > > > >> HostbasedAuthentication yes
> > > > > > >> mahmood@server:~$ cat /etc/ssh/sshd_config  | grep "IgnoreRhosts"
> > > > > > >> IgnoreRhosts no
> > > > > > >>
> > > > > > >> also the server has the key for client:
> > > > > > >>
> > > > > > >> mahmood@server:~$ cat /etc/ssh/ssh_known_hosts
> > > > > > >> client ssh-rsa AAAAB3Nz.....
> > > > > > >>
> > > > > > >> the ~/.shosts file on the server contains:
> > > > > > >> mahmood@server:~$ cat .shosts
> > > > > > >> client.domain mahmood
> > > > > > >>
> > > > > > >> Then on both server and client, the ssh service is restarted:
> > > > > > >> mahmood@client:~$ sudo service ssh restart
> > > > > > >> ssh start/running, process 1355
> > > > > > >> mahmood@server:~$ sudo service ssh restart
> > > > > > >> ssh start/running, process 28982
> > > > > > >>
> > > > > > >> How, when I run "ssh -vvv server" from client (to show the verbose messages), I still get the password prompt.
> > > > > > >>
> > > > > >> mahmood@client:~$ ssh -vvv
> server
> > > > > >> OpenSSH_5.3p1
> Debian-3ubuntu6,
> > OpenSSL
> > > 0.9.8k
> > > > 25
> > > > > Mar 2009
> > > > > >> debug1: Reading configuration
> data
> > > > > /etc/ssh/ssh_config
> > > > > >> debug1: Applying options for
> *
> > > > > >> debug2: ssh_connect: needpriv
> 0
> > > > > >> debug1: Connecting to server
> > > [192.168.1.1]
> > > > port
> > > > > 22.
> > > > > >> debug1: Connection
> established.
> > > > > >> debug1: identity file
> > > > /home/mahmood/.ssh/identity
> > > > > type -1
> > > > > >> debug1: identity file
> > > > /home/mahmood/.ssh/id_rsa
> > > > > type -1
> > > > > >> debug1: identity file
> > > > /home/mahmood/.ssh/id_dsa
> > > > > type -1
> > > > > >> debug1: Remote protocol
> version
> > 2.0,
> > > remote
> > > > > software version OpenSSH_5.3p1
> > Debian-3ubuntu4
> > > > > >> debug1: match: OpenSSH_5.3p1
> > > Debian-3ubuntu4
> > > > pat
> > > > > OpenSSH*
> > > > > >> debug1: Enabling compatibility
> mode
> > for
> > > > protocol
> > > > > 2.0
> > > > > >> debug1: Local version string
> > > > SSH-2.0-OpenSSH_5.3p1
> > > > > Debian-3ubuntu6
> > > > > >> debug2: fd 3 setting
> O_NONBLOCK
> > > > > >> debug1: SSH2_MSG_KEXINIT sent
> > > > > >> debug3: Wrote 792 bytes for a
> total
> > of
> > > 831
> > > > > >> debug1: SSH2_MSG_KEXINIT
> received
> > > > > >> debug2: kex_parse_kexinit:
> > > > >
> > > >
> > >
> >
> diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-
> > > > > >> group1-sha1
> > > > > >> debug2: kex_parse_kexinit:
> > > ssh-rsa,ssh-dss
> > > > > >> debug2: kex_parse_kexinit:
> > > > >
> > > >
> > >
> >
> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-
> > > > > >> cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> > > > > >> debug2: kex_parse_kexinit:
> > > > >
> > > >
> > >
> >
> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-
> > > > > >> cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> > > > > >> debug2: kex_parse_kexinit:
> > > > hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-
> > > > > >> md5-96
> > > > > > >> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> > > > > > >> debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
> > > > > > >> debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
> > > > > > >> debug2: kex_parse_kexinit:
> > > > > > >> debug2: kex_parse_kexinit:
> > > > > > >> debug2: kex_parse_kexinit: first_kex_follows 0
> > > > > > >> debug2: kex_parse_kexinit: reserved 0
> > > > > > >> debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> > > > > > >> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> > > > > > >> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> > > > > > >> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> > > > > > >> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> > > > > > >> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> > > > > > >> debug2: kex_parse_kexinit: none,zlib@openssh.com
> > > > > > >> debug2: kex_parse_kexinit: none,zlib@openssh.com
> > > > > > >> debug2: kex_parse_kexinit:
> > > > > > >> debug2: kex_parse_kexinit:
> > > > > > >> debug2: kex_parse_kexinit: first_kex_follows 0
> > > > > > >> debug2: kex_parse_kexinit: reserved 0
> > > > > > >> debug2: mac_setup: found hmac-md5
> > > > > > >> debug1: kex: server->client aes128-ctr hmac-md5 none
> > > > > > >> debug2: mac_setup: found hmac-md5
> > > > > > >> debug1: kex: client->server aes128-ctr hmac-md5 none
> > > > > > >> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> > > > > > >> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> > > > > > >> debug3: Wrote 24 bytes for a total of 855
> > > > > > >> debug2: dh_gen_key: priv key bits set: 124/256
> > > > > > >> debug2: bits set: 507/1024
> > > > > > >> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> > > > > > >> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> > > > > > >> debug3: Wrote 144 bytes for a total of 999
> > > > > > >> debug3: check_host_in_hostfile: filename /home/mahmood/.ssh/known_hosts
> > > > > > >> debug3: check_host_in_hostfile: match line 1
> > > > > > >> debug3: check_host_in_hostfile: filename /home/mahmood/.ssh/known_hosts
> > > > > > >> debug3: check_host_in_hostfile: match line 2
> > > > > > >> debug1: Host 'server' is known and matches the RSA host key.
> > > > > > >> debug1: Found key in /home/mahmood/.ssh/known_hosts:1
> > > > > > >> debug2: bits set: 503/1024
> > > > > > >> debug1: ssh_rsa_verify: signature correct
> > > > > > >> debug2: kex_derive_keys
> > > > > > >> debug2: set_newkeys: mode 1
> > > > > > >> debug1: SSH2_MSG_NEWKEYS sent
> > > > > > >> debug1: expecting SSH2_MSG_NEWKEYS
> > > > > > >> debug3: Wrote 16 bytes for a total of 1015
> > > > > > >> debug2: set_newkeys: mode 0
> > > > > > >> debug1: SSH2_MSG_NEWKEYS received
> > > > > > >> debug1: SSH2_MSG_SERVICE_REQUEST sent
> > > > > > >> debug3: Wrote 48 bytes for a total of 1063
> > > > > > >> debug2: service_accept: ssh-userauth
> > > > > > >> debug1: SSH2_MSG_SERVICE_ACCEPT received
> > > > > > >> debug2: key: /home/mahmood/.ssh/identity ((nil))
> > > > > > >> debug2: key: /home/mahmood/.ssh/id_rsa ((nil))
> > > > > > >> debug2: key: /home/mahmood/.ssh/id_dsa ((nil))
> > > > > > >> debug3: Wrote 64 bytes for a total of 1127
> > > > > > >> debug1: Authentications that can continue: publickey,password,hostbased
> > > > > > >> debug3: start over, passed a different list publickey,password,hostbased
> > > > > > >> debug3: preferred gssapi-keyex,gssapi-with-mic,gssapi,hostbased,publickey,keyboard-interactive,password
> > > > > > >> debug3: authmethod_lookup hostbased
> > > > > > >> debug3: remaining preferred: publickey,keyboard-interactive,password
> > > > > > >> debug3: authmethod_is_enabled hostbased
> > > > > > >> debug1: Next authentication method: hostbased
> > > > > > >> debug2: userauth_hostbased: chost client.
> > > > > > >> debug2: ssh_keysign called
> > > > > > >> debug3: ssh_msg_send: type 2
> > > > > > >> debug3: ssh_msg_recv entering
> > > > > > >> debug1: permanently_drop_suid: 1000
> > > > > > >> debug2: we sent a hostbased packet, wait for reply
> > > > > > >> debug3: Wrote 608 bytes for a total of 1735
> > > > > > >> debug1: Authentications that can continue: publickey,password,hostbased
> > > > > > >> debug2: userauth_hostbased: chost client.
> > > > > > >> debug2: ssh_keysign called
> > > > > > >> debug3: ssh_msg_send: type 2
> > > > > > >> debug3: ssh_msg_recv entering
> > > > > > >> debug1: permanently_drop_suid: 1000
> > > > > > >> debug2: we sent a hostbased packet, wait for reply
> > > > > > >> debug3: Wrote 672 bytes for a total of 2407
> > > > > > >> debug1: Authentications that can continue: publickey,password,hostbased
> > > > > > >> debug1: No more client hostkeys for hostbased authentication.
> > > > > > >> debug2: we did not send a packet, disable method
> > > > > > >> debug3: authmethod_lookup publickey
> > > > > > >> debug3: remaining preferred: keyboard-interactive,password
> > > > > > >> debug3: authmethod_is_enabled publickey
> > > > > > >> debug1: Next authentication method: publickey
> > > > > > >> debug1: Trying private key: /home/mahmood/.ssh/identity
> > > > > > >> debug3: no such identity: /home/mahmood/.ssh/identity
> > > > > > >> debug1: Trying private key: /home/mahmood/.ssh/id_rsa
> > > > > > >> debug3: no such identity: /home/mahmood/.ssh/id_rsa
> > > > > > >> debug1: Trying private key: /home/mahmood/.ssh/id_dsa
> > > > > > >> debug3: no such identity: /home/mahmood/.ssh/id_dsa
> > > > > > >> debug2: we did not send a packet, disable method
> > > > > > >> debug3: authmethod_lookup password
> > > > > > >> debug3: remaining preferred: ,password
> > > > > > >> debug3: authmethod_is_enabled password
> > > > > > >> debug1: Next authentication method: password
> > > > > > >> mahmood@server's password:
> > > > > > >>
> > > > > > >>
> > > > > > >> Any idea about that?
> > > > > > >>
> > > > > > >> // Naderan *Mahmood;
> > > > > > >>
> > > > > > >
> > > > > >
> > > > > > --
> > > > > > Asif Iqbal
> > > > > > PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
> > > > > > A: Because it messes up the order in which people normally read text.
> > > > > > Q: Why is top-posting such a bad thing?
> > > > >
> > > >
> > >
> > >
> >
> >
>
>
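
An added example (not code from any poster or from OpenSSH): it classifies where hostbased authentication stopped in the two `ssh -vvv` logs quoted in this thread, then compares the server's posted `ssh_known_hosts` and `.shosts` with the short name, FQDN and IP layout Sharad recommends. The function names are hypothetical, and the file check is a simplified literal comparison that skips hashed, marker and `+`/`-` entries; it does not reproduce sshd's own lookup.

```python
import re

# Client-side `ssh -vvv` lines from this thread, mail quoting and wrapping removed.
LOG_CLIENT_TO_SERVER = """\
debug1: Next authentication method: hostbased
debug2: userauth_hostbased: chost client.
debug2: ssh_keysign called
debug2: we sent a hostbased packet, wait for reply
debug1: Authentications that can continue: publickey,password,hostbased
debug1: No more client hostkeys for hostbased authentication.
debug1: Next authentication method: password
"""
LOG_SERVER_TO_CLIENT = """\
debug1: Next authentication method: hostbased
get_socket_address: getnameinfo 8 failed: Name or service not known
debug2: userauth_hostbased: chost server.
debug2: ssh_keysign called
cannot get sockname for fd
ssh_keysign: no reply
key_sign failed
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
"""

# Server-side files as posted at the start of the thread.
POSTED_KNOWN_HOSTS = "client ssh-rsa AAAAB3Nz.....\n"
POSTED_SHOSTS = "client.domain mahmood\n"
# The layout recommended in the thread (short name, FQDN and IP in both files),
# filled in with this thread's client; the key stays the page's truncated value.
ADVISED_KNOWN_HOSTS = "192.168.1.3,client,client.domain ssh-rsa AAAAB3Nz.....\n"
ADVISED_SHOSTS = "client.domain mahmood\n192.168.1.3 mahmood\nclient mahmood\n"
CLIENT_NAMES = ["client", "client.domain", "192.168.1.3"]


def diagnose(log):
    """Classify where hostbased authentication stopped in a client debug log."""
    m = re.search(r"userauth_hostbased: chost (\S+)", log)
    chost = m.group(1).rstrip(".") if m else None
    if chost is None:
        stage = "not-attempted"    # hostbased was never tried by the client
    elif "Authentication succeeded (hostbased)" in log:
        stage = "ok"
    elif "key_sign failed" in log or "ssh_keysign: no reply" in log:
        stage = "client-keysign"   # no signature produced; nothing reached the server
    elif "we sent a hostbased packet" in log and "No more client hostkeys" in log:
        stage = "server-rejected"  # server got the request and refused every host key
    else:
        stage = "unknown"
    resolver_error = "getnameinfo" in log and "failed" in log
    return {"chost": chost, "stage": stage, "resolver_error": resolver_error}


def known_hosts_names(text):
    """Plain names and addresses listed in known_hosts-format text."""
    names = set()
    for line in text.splitlines():
        fields = line.split()
        # Skip blanks, comments, @markers and hashed (|1|...) entries.
        if len(fields) < 3 or fields[0][0] in "#@|":
            continue
        names.update(h.lower() for h in fields[0].split(","))
    return names


def shosts_names(text, user):
    """Hosts that a .shosts-format text lists for `user` (or for any user)."""
    names = set()
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0][0] in "#+-":
            continue
        if len(fields) == 1 or fields[1] == user:
            names.add(fields[0].lower())
    return names


def coverage(names, known_hosts_text, shosts_text, user):
    """For each name the client may be seen as, report which file lists it."""
    kh = known_hosts_names(known_hosts_text)
    sh = shosts_names(shosts_text, user)
    return {n: {"known_hosts": n.lower() in kh, "shosts": n.lower() in sh}
            for n in names}


if __name__ == "__main__":
    for label, log in (("client->server", LOG_CLIENT_TO_SERVER),
                       ("server->client", LOG_SERVER_TO_CLIENT)):
        print(label, diagnose(log))
    for label, kh, sh in (("posted", POSTED_KNOWN_HOSTS, POSTED_SHOSTS),
                          ("advised", ADVISED_KNOWN_HOSTS, ADVISED_SHOSTS)):
        for name, hit in coverage(CLIENT_NAMES, kh, sh, "mahmood").items():
            print(f"{label:8} {name:14} known_hosts={hit['known_hosts']} "
                  f"shosts={hit['shosts']}")
```

With the posted files no single name for the client appears in both places, which is the mismatch the hostname/FQDN/IP advice is meant to remove.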
Re: problem with HostbasedAuthentication
This is what I get
 
mahmood@server:~$ sudo /usr/sbin/sshd -ddd
debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 686
debug2: parse_server_config: config /etc/ssh/sshd_config len 686
debug3: /etc/ssh/sshd_config:5 setting Port 22
debug3: /etc/ssh/sshd_config:9 setting Protocol 2
debug3: /etc/ssh/sshd_config:11 setting HostKey /etc/ssh/ssh_host_rsa_key
debug3: /etc/ssh/sshd_config:12 setting HostKey /etc/ssh/ssh_host_dsa_key
debug3: /etc/ssh/sshd_config:14 setting UsePrivilegeSeparation yes
debug3: /etc/ssh/sshd_config:17 setting KeyRegenerationInterval 3600
debug3: /etc/ssh/sshd_config:18 setting ServerKeyBits 768
debug3: /etc/ssh/sshd_config:20 setting UseDns no
debug3: /etc/ssh/sshd_config:21 setting VerifyReverseMapping No
/etc/ssh/sshd_config line 21: Deprecated option VerifyReverseMapping
debug3: /etc/ssh/sshd_config:24 setting SyslogFacility AUTH
debug3: /etc/ssh/sshd_config:25 setting LogLevel INFO
debug3: /etc/ssh/sshd_config:28 setting LoginGraceTime 120
debug3: /etc/ssh/sshd_config:29 setting PermitRootLogin yes
debug3: /etc/ssh/sshd_config:30 setting StrictModes yes
debug3: /etc/ssh/sshd_config:32 setting RSAAuthentication yes
debug3: /etc/ssh/sshd_config:33 setting PubkeyAuthentication yes
debug3: /etc/ssh/sshd_config:37 setting IgnoreRhosts no
debug3: /etc/ssh/sshd_config:39 setting RhostsRSAAuthentication no
debug3: /etc/ssh/sshd_config:41 setting HostbasedAuthentication yes
debug3: /etc/ssh/sshd_config:49 setting PermitEmptyPasswords no
debug3: /etc/ssh/sshd_config:53 setting ChallengeResponseAuthentication no
debug3: /etc/ssh/sshd_config:68 setting X11Forwarding yes
debug3: /etc/ssh/sshd_config:69 setting X11DisplayOffset 10
debug3: /etc/ssh/sshd_config:70 setting PrintMotd no
debug3: /etc/ssh/sshd_config:71 setting PrintLastLog yes
debug3: /etc/ssh/sshd_config:72 setting TCPKeepAlive yes
debug3: /etc/ssh/sshd_config:79 setting AcceptEnv LANG LC_*
debug3: /etc/ssh/sshd_config:81 setting Subsystem sftp /usr/lib/openssh/sftp-server
debug3: /etc/ssh/sshd_config:92 setting UsePAM yes
debug1: sshd version OpenSSH_5.3p1 Debian-3ubuntu4
debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: private host key: #0 type 1 RSA
debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-ddd'
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 22 on 0.0.0.0.
Bind to port 22 on 0.0.0.0 failed: Address already in use.
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 22 on ::.
Bind to port 22 on :: failed: Address already in use.
Cannot bind any address.
mahmood@server:~$


// Naderan *Mahmood;


----- Original Message -----
From: Sharad <sharad2011@yahoo.com>
To: Mahmood Naderan <nt_mahmood@yahoo.com>
Cc: secureshell@securityfocus.com
Sent: Friday, April 29, 2011 1:04 PM
Subject: Re: problem with HostbasedAuthentication

Use the absolute path of sshd as follows:


sudo /etc/ssh/sbin/sshd -ddd

Please ensure that the path is correct. I don't know if your sshd exists in /etc/ssh/sbin/sshd.

Regards,
sharad
--- On Fri, 29/4/11, Mahmood Naderan <nt_mahmood@yahoo.com> wrote:

> From: Mahmood Naderan <nt_mahmood@yahoo.com>
> Subject: Re: problem with HostbasedAuthentication
> To: "Sharad" <sharad2011@yahoo.com>
> Cc: "secureshell@securityfocus.com" <secureshell@securityfocus.com>
> Date: Friday, 29 April, 2011, 12:34 PM
> Sorry what do you mean?
>  
> mahmood@server:~$ sudo sshd -d
> sshd re-exec requires execution with an absolute path
> mahmood@server:~$ sudo sshd -d 3
> sshd re-exec requires execution with an absolute path
> mahmood@server:~$ sudo sshd -ddd
> sshd re-exec requires execution with an absolute path
>
> My last post was the debug information for server->client.
>
> // Naderan *Mahmood;
>
>
> ----- Original Message -----
> From: Sharad <sharad2011@yahoo.com>
> To: Mahmood Naderan <nt_mahmood@yahoo.com>
> Cc: "secureshell@securityfocus.com" <secureshell@securityfocus.com>
> Sent: Friday, April 29, 2011 11:31 AM
> Subject: Re: problem with HostbasedAuthentication
>
> Can you run debug on server as well using sshd -d. More -d's mean more debug information (you can use at the max 3 d's) :D
>
> Regards,
> Sharad
> --- On Fri, 29/4/11, Mahmood Naderan <nt_mahmood@yahoo.com> wrote:
>
> > From: Mahmood Naderan <nt_mahmood@yahoo.com>
> > Subject: Re: problem with HostbasedAuthentication
> > To: "Sharad" <sharad2011@yahoo.com>
> > Cc: "secureshell@securityfocus.com" <secureshell@securityfocus.com>
> > Date: Friday, 29 April, 2011, 12:23 PM
> > The same thing happens with IP address
> >
> >
> > mahmood@server:~$ ssh -vvv 192.168.1.3
> > OpenSSH_5.3p1 Debian-3ubuntu4, OpenSSL 0.9.8k 25 Mar 2009
> > debug1: Reading configuration data /etc/ssh/ssh_config
> > debug1: Applying options for *
> > debug2: ssh_connect: needpriv 0
> > debug1: Connecting to 192.168.1.3 [192.168.1.3] port 22.
> > debug1: Connection established.
> > debug1: identity file /home/mahmood/.ssh/identity type -1
> > debug1: identity file /home/mahmood/.ssh/id_rsa type -1
> > debug1: identity file /home/mahmood/.ssh/id_dsa type -1
> > debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3p1 Debian-3ubuntu6
> > debug1: match: OpenSSH_5.3p1 Debian-3ubuntu6 pat OpenSSH*
> > debug1: Enabling compatibility mode for protocol 2.0
> > debug1: Local version string SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu4
> > debug2: fd 3 setting O_NONBLOCK
> > debug1: SSH2_MSG_KEXINIT sent
> > debug3: Wrote 792 bytes for a total of 831
> > debug1: SSH2_MSG_KEXINIT received
> > debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> > debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> > debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> > debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> > debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> > debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> > debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
> > debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
> > debug2: kex_parse_kexinit:
> > debug2: kex_parse_kexinit:
> > debug2: kex_parse_kexinit: first_kex_follows 0
> > debug2: kex_parse_kexinit: reserved 0
> > debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> > debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> > debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> > debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> > debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> > debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> > debug2: kex_parse_kexinit: none,zlib@openssh.com
> > debug2: kex_parse_kexinit: none,zlib@openssh.com
> > debug2: kex_parse_kexinit:
> > debug2: kex_parse_kexinit:
> > debug2: kex_parse_kexinit: first_kex_follows 0
> > debug2: kex_parse_kexinit: reserved 0
> > debug2: mac_setup: found hmac-md5
> > debug1: kex: server->client aes128-ctr hmac-md5 none
> > debug2: mac_setup: found hmac-md5
> > debug1: kex: client->server aes128-ctr hmac-md5 none
> > debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> > debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> > debug3: Wrote 24 bytes for a total of 855
> > debug2: dh_gen_key: priv key bits set: 129/256
> > debug2: bits set: 505/1024
> > debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> > debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> > debug3: Wrote 144 bytes for a total of 999
> > debug3: check_host_in_hostfile: filename /home/mahmood/.ssh/known_hosts
> > debug3: check_host_in_hostfile: match line 1
> > debug1: Host '192.168.1.3' is known and matches the RSA host key.
> > debug1: Found key in /home/mahmood/.ssh/known_hosts:1
> > debug2: bits set: 517/1024
> > debug1: ssh_rsa_verify: signature correct
> > debug2: kex_derive_keys
> > debug2: set_newkeys: mode 1
> > debug1: SSH2_MSG_NEWKEYS sent
> > debug1: expecting SSH2_MSG_NEWKEYS
> > debug3: Wrote 16 bytes for a total of 1015
> > debug2: set_newkeys: mode 0
> > debug1: SSH2_MSG_NEWKEYS received
> > debug1: SSH2_MSG_SERVICE_REQUEST sent
> > debug3: Wrote 48 bytes for a total of 1063
> > debug2: service_accept: ssh-userauth
> > debug1: SSH2_MSG_SERVICE_ACCEPT received
> > debug2: key: /home/mahmood/.ssh/identity ((nil))
> > debug2: key: /home/mahmood/.ssh/id_rsa ((nil))
> > debug2: key: /home/mahmood/.ssh/id_dsa ((nil))
> > debug3: Wrote 64 bytes for a total of 1127
> > debug1: Authentications that can continue: publickey,password,hostbased
> > debug3: start over, passed a different list publickey,password,hostbased
> > debug3: preferred gssapi-keyex,gssapi-with-mic,gssapi,hostbased,publickey,keyboard-interactive,password
> > debug3: authmethod_lookup hostbased
> > debug3: remaining preferred: publickey,keyboard-interactive,password
> > debug3: authmethod_is_enabled hostbased
> > debug1: Next authentication method: hostbased
> > get_socket_address: getnameinfo 8 failed: Name or service not known
> > debug2: userauth_hostbased: chost server.
> > debug2: ssh_keysign called
> > debug3: ssh_msg_send: type 2
> > debug3: ssh_msg_recv entering
> > debug1: permanently_drop_suid: 1000
> > get_socket_address: getnameinfo 8 failed: Name or service not known
> > cannot get sockname for fd
> > ssh_keysign: no reply
> > key_sign failed
> > debug2: we did not send a packet, disable method
> > debug3: authmethod_lookup publickey
> > debug3: remaining preferred: keyboard-interactive,password
> > debug3: authmethod_is_enabled publickey
> > debug1: Next authentication method: publickey
> > debug1: Trying private key: /home/mahmood/.ssh/identity
> > debug3: no such identity: /home/mahmood/.ssh/identity
> > debug1: Trying private key: /home/mahmood/.ssh/id_rsa
> > debug3: no such identity: /home/mahmood/.ssh/id_rsa
> > debug1: Trying private key: /home/mahmood/.ssh/id_dsa
> > debug3: no such identity: /home/mahmood/.ssh/id_dsa
> > debug2: we did not send a packet, disable method
> > debug3: authmethod_lookup password
> > debug3: remaining preferred: ,password
> > debug3: authmethod_is_enabled password
> > debug1: Next authentication method: password
> > mahmood@192.168.1.3's password:
> >
> >
> > // Naderan *Mahmood;
> >
> >
> > ----- Original Message -----
> > From: Sharad <sharad2011@yahoo.com>
> > To: Mahmood Naderan <nt_mahmood@yahoo.com>
> > Cc: "secureshell@securityfocus.com" <secureshell@securityfocus.com>
> > Sent: Friday, April 29, 2011 11:19 AM
> > Subject: Re: problem with HostbasedAuthentication
> >
> > Hi Mahmood,
> >
> > This line looks out of place. Check that host name is getting resolved:
> >
> > get_socket_address: getnameinfo 8 failed: Name or service not known
> >
> > I am sure you would have performed the same steps on both hosts. Try establishing connection with IP Address instead of hostname.
> >
> > Regards,
> > Sharad
> > --- On Thu, 28/4/11, Mahmood Naderan <nt_mahmood@yahoo.com> wrote:
> >
> > > From: Mahmood Naderan <nt_mahmood@yahoo.com>
> > > Subject: Re: problem with HostbasedAuthentication
> > > To: "Sharad" <sharad2011@yahoo.com>
> > > Cc: "secureshell@securityfocus.com" <secureshell@securityfocus.com>
> > > Date: Thursday, 28 April, 2011, 11:12 PM
> > > Dear Sharad,
> > > I am now trying to setup a hostbased ssh from server to client (previously client->server worked fine based on your help). I want it to be bidirectional.
> > >
> > > I did the same thing in reverse (now the client becomes server and the server becomes client). However this is what I get while trying to ssh from server to client:
> > >
> > >
> > > debug3: Wrote 48 bytes for a total of 1063
> > > debug2: service_accept: ssh-userauth
> > > debug1: SSH2_MSG_SERVICE_ACCEPT received
> > > debug2: key: /home/mahmood/.ssh/identity ((nil))
> > > debug2: key: /home/mahmood/.ssh/id_rsa ((nil))
> > > debug2: key: /home/mahmood/.ssh/id_dsa ((nil))
> > > debug3: Wrote 64 bytes for a total of 1127
> > > debug1: Authentications that can continue: publickey,password,hostbased
> > > debug3: start over, passed a different list publickey,password,hostbased
> > > debug3: preferred gssapi-keyex,gssapi-with-mic,gssapi,hostbased,publickey,keyboard-interactive,password
> > > debug3: authmethod_lookup hostbased
> > > debug3: remaining preferred: publickey,keyboard-interactive,password
> > > debug3: authmethod_is_enabled hostbased
> > > debug1: Next authentication method: hostbased
> > > get_socket_address: getnameinfo 8 failed: Name or service not known
> > > debug2: userauth_hostbased: chost server.
> > > debug2: ssh_keysign called
> > > debug3: ssh_msg_send: type 2
> > > debug3: ssh_msg_recv entering
> > > debug1: permanently_drop_suid: 1000
> > > get_socket_address: getnameinfo 8 failed: Name or service not known
> > > cannot get sockname for fd
> > > ssh_keysign: no reply
> > > key_sign failed
> > > debug2: we did not send a packet, disable method
> > > debug3: authmethod_lookup publickey
> > > debug3: remaining preferred: keyboard-interactive,password
> > > debug3: authmethod_is_enabled publickey
> > > debug1: Next authentication method: publickey
> > > debug1: Trying private key: /home/mahmood/.ssh/identity
> > > debug3: no such identity: /home/mahmood/.ssh/identity
> > > debug1: Trying private key: /home/mahmood/.ssh/id_rsa
> > > debug3: no such identity: /home/mahmood/.ssh/id_rsa
> > > debug1: Trying private key: /home/mahmood/.ssh/id_dsa
> > > debug3: no such identity: /home/mahmood/.ssh/id_dsa
> > > debug2: we did not send a packet, disable method
> > > debug3: authmethod_lookup password
> > > debug3: remaining preferred: ,password
> > > debug3: authmethod_is_enabled password
> > > debug1: Next authentication method: password
> > > mahmood@192.168.1.3's password:
> > >
> > >  
> > > What is your suggestion?
> > >
> > > // Naderan *Mahmood;
> > >
> > >
> > > ----- Original Message -----
> > > From: Sharad <sharad2011@yahoo.com>
> > > To: Mahmood Naderan <nt_mahmood@yahoo.com>
> > > Cc: "secureshell@securityfocus.com" <secureshell@securityfocus.com>
> > > Sent: Thursday, April 28, 2011 5:20 PM
> > > Subject: Re: problem with HostbasedAuthentication
> > >
> > > Mahmood,
> > >
> > > The files are /home/username/.ssh/known_hosts on both server and client.
> > >
> > > By FQDN, I meant host's fully qualified domain name.
> > >
> > > Following is the example:
> > >
> > > Assuming both client and server are linux hosts:
> > >
> > > Server IP: 192.168.1.1
> > > Client IP: 192.168.1.101
> > >
> > > Server Name: lnx_srvr_1.domain.com
> > > Client Name: lnx_clnt_101.domain.com
> > >
> > > User name on each host is mahmood.
> > >
> > > Following would be the entries in .shosts on lnx_srvr_1
> > >
> > >
> > > lnx_srvr_1:/home/mahmood $ cat .shosts
> > >
> > > lnx_clnt_101.domain.com mahmood
> > > 192.168.1.101 mahmood
> > > lnx_clnt_101 mahmood
> > >
> > > Following should exist in /home/mahmood/.ssh/known_hosts file on the server side:
> > >
> > > 192.168.1.101,lnx_clnt_101,lnx_clnt_101.domain.com ssh-rsa AAAAB3Nz...
> > >
> > > Following should also exist in /home/mahmood/.ssh/known_hosts file on the client side:
> > > 192.168.1.1,lnx_srvr_1,lnx_srvr_1.domain.com ssh-rsa AAAAB3Nz...
> > >
> > > Ensure that .ssh directory on both client and server are rwx for owner only and group/rest of world is 000.
> > >
> > > Hope this helps! Good Luck! :)
> > >
> > > Regards,
> > > Sharad
> > > --- On Thu, 28/4/11, Mahmood Naderan <nt_mahmood@yahoo.com> wrote:
> > >
> > > > From: Mahmood Naderan <nt_mahmood@yahoo.com>
> > > > Subject: Re: problem with HostbasedAuthentication
> > > > To: "Sharad" <sharad2011@yahoo.com>
> > > > Cc: "secureshell@securityfocus.com" <secureshell@securityfocus.com>
> > > > Date: Thursday, 28 April, 2011, 3:54 PM
> > > > Can you explain exactly which file I should edit? What is FQDN? By 'hostname', do you mean server hostname or client hostname.
> > > > Should I do that on both side or server side?...
> > > >
> > > > // Naderan *Mahmood;
> > > >
> > > >
> > > > ----- Original Message -----
> > > > From: Sharad <sharad2011@yahoo.com>
> > > > To: Mahmood Naderan <nt_mahmood@yahoo.com>; Asif Iqbal <vadud3@gmail.com>
> > > > Cc: "secureshell@securityfocus.com" <secureshell@securityfocus.com>
> > > > Sent: Thursday, April 28, 2011 1:16 PM
> > > > Subject: Re: problem with HostbasedAuthentication
> > > >
> > > > Sometimes the issue lies with hostname as well. What I mean with that is the known_hosts may have just the host name whereas when the connection is established, the debug shows the FQDN. I faced this issue so to be sure, I edited the known_hosts file and inserted the hostname, hostname's FQDN and its IP address (all comma separated).
> > > >
> > > > Also ensure that both the hosts' known_hosts files have opposite servers names (as prescribed above).
> > > >
> > > > All the above checks make it work for me.
> > > >
> > > > Hope this solves.
> > > >
> > > > Kind regards,
> > > > Sharad
> > > > --- On Thu, 28/4/11, Asif Iqbal <vadud3@gmail.com> wrote:
> > > >
> > > > > From: Asif Iqbal <vadud3@gmail.com>
> > > > > Subject: Re: problem with HostbasedAuthentication
> > > > > To: "Mahmood Naderan" <nt_mahmood@yahoo.com>
> > > > > Cc: "secureshell@securityfocus.com" <secureshell@securityfocus.com>
> > > > > Date: Thursday, 28 April, 2011, 12:38 AM
> > > > > On Wed, Apr 27, 2011 at 1:12 AM, Mahmood Naderan <nt_mahmood@yahoo.com> wrote:
> > > > > >>Change the order method. Have hostbased before password
> > > > > >
> > > > > > Sorry where should I do that?
> > > > >
> > > > > man ssh_config and look into PreferredAuthentications
> > > > >
> > > > > >
> > > > > > // Naderan *Mahmood;
> > > > > >
> > > > > > From: Asif Iqbal <vadud3@gmail.com>
> > > > > > To: Mahmood Naderan <nt_mahmood@yahoo.com>
> > > > > > Cc: "secureshell@securityfocus.com" <secureshell@securityfocus.com>
> > > > > > Sent: Wednesday, April 27, 2011 9:17 AM
> > > > > > Subject: Re: problem with HostbasedAuthentication
> > > > > >
> > > > > >
> > > > > > Change the order method. Have hostbased before password
> > > > > > On Apr 26, 2011 11:52 PM, "Mahmood Naderan" <nt_mahmood@yahoo.com> wrote:
> > > > > > >>
> > > > > > >>
> > > > > > >> Hi,
> > > > > > >> I am trying to setup a hostbased passwordless ssh from a client to a server using this guide http://www.ehow.com/how_7621307_set-up-hostbased-authentication.html.
> > > > > > >>
> > > > > > >> The client looks like:
> > > > > > >>
> > > > > > >> mahmood@client:~$ cat /etc/ssh/ssh_config  | grep "HostbasedAuthentication"
> > > > > > >>    HostbasedAuthentication yes
> > > > > > >> mahmood@client:~$ cat /etc/ssh/ssh_config  | grep "EnableSSHKeysign"
> > > > > > >>    EnableSSHKeysign yes
> > > > > > >>
> > > > > > >>
> > > > > > >> and the server looks like:
> > > > > > >> mahmood@server:~$ cat /etc/ssh/sshd_config  | grep "HostbasedAuthentication"
> > > > > > >> HostbasedAuthentication yes
> > > > > > >> mahmood@server:~$ cat /etc/ssh/sshd_config  | grep "IgnoreRhosts"
> > > > > > >> IgnoreRhosts no
> > > > > > >>
> > > > > > >> also the server has the key for client:
> > > > > > >>
> > > > > > >> mahmood@server:~$ cat /etc/ssh/ssh_known_hosts
> > > > > > >> client ssh-rsa AAAAB3Nz.....
> > > > > > >>
> > > > > > >> the ~/.shosts file on the server contains:
> > > > > > >> mahmood@server:~$ cat .shosts
> > > > > > >> client.domain mahmood
> > > > > > >>
> > > > > > >> Then on both server and client, the ssh service is restarted:
> > > > > > >> mahmood@client:~$ sudo service ssh restart
> > > > > > >> ssh start/running, process 1355
> > > > > > >> mahmood@server:~$ sudo service ssh restart
> > > > > > >> ssh start/running, process 28982
> > > > > > >>
> > > > > > >> How, when I run "ssh -vvv server" from client (to show the verbose messages), I still get the password prompt.
> > > > > > >>
> > > > > > >> mahmood@client:~$ ssh -vvv server
> > > > > > >> OpenSSH_5.3p1 Debian-3ubuntu6, OpenSSL 0.9.8k 25 Mar 2009
> > > > > > >> debug1: Reading configuration data /etc/ssh/ssh_config
> > > > > > >> debug1: Applying options for *
> > > > > > >> debug2: ssh_connect: needpriv 0
> > > > > > >> debug1: Connecting to server [192.168.1.1] port 22.
> > > > > > >> debug1: Connection established.
> > > > > > >> debug1: identity file /home/mahmood/.ssh/identity type -1
> > > > > > >> debug1: identity file /home/mahmood/.ssh/id_rsa type -1
> > > > > > >> debug1: identity file /home/mahmood/.ssh/id_dsa type -1
> > > > > > >> debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3p1 Debian-3ubuntu4
> > > > > > >> debug1: match: OpenSSH_5.3p1 Debian-3ubuntu4 pat OpenSSH*
> > > > > > >> debug1: Enabling compatibility mode for protocol 2.0
> > > > > > >> debug1: Local version string SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu6
> > > > > > >> debug2: fd 3 setting O_NONBLOCK
> > > > > > >> debug1: SSH2_MSG_KEXINIT sent
> > > > > > >> debug3: Wrote 792 bytes for a total of 831
> > > > > > >> debug1: SSH2_MSG_KEXINIT received
> > > > > > >> debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> > > > > > >> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> > > > > > >> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> > > > > > >> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> > > > > > >> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> > > > > > >> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> > > > > > >> debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
> > > > > > >> debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
> > > > > > >> debug2: kex_parse_kexinit:
> > > > > > >> debug2: kex_parse_kexinit:
> > > > > > >> debug2: kex_parse_kexinit: first_kex_follows 0
> > > > > > >> debug2: kex_parse_kexinit: reserved 0
> > > > > > >> debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> > > > > > >> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> > > > > > >> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> > > > > > >> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> > > > > > >> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> > > > > > >> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> > > > > > >> debug2: kex_parse_kexinit: none,zlib@openssh.com
> > > > > > >> debug2: kex_parse_kexinit: none,zlib@openssh.com
> > > > > > >> debug2: kex_parse_kexinit:
> > > > > > >> debug2: kex_parse_kexinit:
> > > > > > >> debug2: kex_parse_kexinit: first_kex_follows 0
> > > > > > >> debug2: kex_parse_kexinit: reserved 0
> > > > > > >> debug2: mac_setup: found hmac-md5
> > > > > > >> debug1: kex: server->client aes128-ctr hmac-md5 none
> > > > > > >> debug2: mac_setup: found hmac-md5
> > > > > > >> debug1: kex: client->server aes128-ctr hmac-md5 none
> > > > > > >> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> > > > > > >> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> > > > > > >> debug3: Wrote 24 bytes for a total of 855
> > > > > > >> debug2: dh_gen_key: priv key bits set: 124/256
> > > > > > >> debug2: bits set: 507/1024
> > > > > > >> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> > > > > > >> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> > > > > > >> debug3: Wrote 144 bytes for a total of 999
> > > > > > >> debug3: check_host_in_hostfile: filename /home/mahmood/.ssh/known_hosts
> > > > > > >> debug3: check_host_in_hostfile: match line 1
> > > > > > >> debug3: check_host_in_hostfile: filename /home/mahmood/.ssh/known_hosts
> > > > > > >> debug3: check_host_in_hostfile: match line 2
> > > > > > >> debug1: Host 'server' is known and matches the RSA host key.
> > > > > > >> debug1: Found key in /home/mahmood/.ssh/known_hosts:1
> > > > > > >> debug2: bits set: 503/1024
> > > > > > >> debug1: ssh_rsa_verify: signature correct
> > > > > > >> debug2: kex_derive_keys
> > > > > > >> debug2: set_newkeys: mode 1
> > > > > > >> debug1: SSH2_MSG_NEWKEYS sent
> > > > > > >> debug1: expecting SSH2_MSG_NEWKEYS
> > > > > > >> debug3: Wrote 16 bytes for a total of 1015
> > > > > > >> debug2: set_newkeys: mode 0
> > > > > > >> debug1: SSH2_MSG_NEWKEYS received
> > > > > > >> debug1: SSH2_MSG_SERVICE_REQUEST sent
> > > > > > >> debug3: Wrote 48 bytes for a total of 1063
> > > > > > >> debug2: service_accept: ssh-userauth
> > > > > > >> debug1: SSH2_MSG_SERVICE_ACCEPT received
> > > > > > >> debug2: key: /home/mahmood/.ssh/identity ((nil))
> > > > > > >> debug2: key: /home/mahmood/.ssh/id_rsa ((nil))
> > > > > >> debug2: key:
> > /home/mahmood/.ssh/id_dsa
> > > > ((nil))
> > > > > >> debug3: Wrote 64 bytes for a
> total
> > of
> > > 1127
> > > > > >> debug1: Authentications that
> can
> > > continue:
> > > > > publickey,password,hostbased
> > > > > >> debug3: start over, passed a
> > different
> > > list
> > > > > publickey,password,hostbased
> > > > > >> debug3: preferred
> > > > >
> > > >
> > >
> >
> gssapi-keyex,gssapi-with-mic,gssapi,hostbased,publickey,keyboard-interactive,password
> > > > > >> debug3: authmethod_lookup
> > hostbased
> > > > > >> debug3: remaining preferred:
> > > > >
> publickey,keyboard-interactive,password
> > > > > >> debug3: authmethod_is_enabled
> > hostbased
> > > > > >> debug1: Next authentication
> > method:
> > > > hostbased
> > > > > >> debug2: userauth_hostbased:
> chost
> > > client.
> > > > > >> debug2: ssh_keysign called
> > > > > >> debug3: ssh_msg_send: type 2
> > > > > >> debug3: ssh_msg_recv entering
> > > > > >> debug1:
> permanently_drop_suid:
> > 1000
> > > > > >> debug2: we sent a hostbased
> packet,
> > wait
> > > for
> > > > > reply
> > > > > >> debug3: Wrote 608 bytes for a
> total
> > of
> > > 1735
> > > > > >> debug1: Authentications that
> can
> > > continue:
> > > > > publickey,password,hostbased
> > > > > >> debug2: userauth_hostbased:
> chost
> > > client.
> > > > > >> debug2: ssh_keysign called
> > > > > >> debug3: ssh_msg_send: type 2
> > > > > >> debug3: ssh_msg_recv entering
> > > > > >> debug1:
> permanently_drop_suid:
> > 1000
> > > > > >> debug2: we sent a hostbased
> packet,
> > wait
> > > for
> > > > > reply
> > > > > >> debug3: Wrote 672 bytes for a
> total
> > of
> > > 2407
> > > > > >> debug1: Authentications that
> can
> > > continue:
> > > > > publickey,password,hostbased
> > > > > >> debug1: No more client
> hostkeys
> > for
> > > > hostbased
> > > > > authentication.
> > > > > >> debug2: we did not send a
> packet,
> > > disable
> > > > method
> > > > > >> debug3: authmethod_lookup
> > publickey
> > > > > >> debug3: remaining preferred:
> > > > > keyboard-interactive,password
> > > > > >> debug3: authmethod_is_enabled
> > publickey
> > > > > >> debug1: Next authentication
> > method:
> > > > publickey
> > > > > >> debug1: Trying private key:
> > > > > /home/mahmood/.ssh/identity
> > > > > >> debug3: no such identity:
> > > > > /home/mahmood/.ssh/identity
> > > > > >> debug1: Trying private key:
> > > > > /home/mahmood/.ssh/id_rsa
> > > > > >> debug3: no such identity:
> > > > > /home/mahmood/.ssh/id_rsa
> > > > > >> debug1: Trying private key:
> > > > > /home/mahmood/.ssh/id_dsa
> > > > > >> debug3: no such identity:
> > > > > /home/mahmood/.ssh/id_dsa
> > > > > >> debug2: we did not send a
> packet,
> > > disable
> > > > method
> > > > > >> debug3: authmethod_lookup
> password
> > > > > >> debug3: remaining preferred:
> > ,password
> > > > > >> debug3: authmethod_is_enabled
> > password
> > > > > >> debug1: Next authentication
> > method:
> > > password
> > > > > >> mahmood@server's password:
> > > > > >>
> > > > > >>
> > > > > >> Any idea about that?
> > > > > >>
> > > > > >> // Naderan *Mahmood;
> > > > > >>
> > > > > >
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > > Asif Iqbal
> > > > > PGP Key: 0xE62693C5 KeyServer:
> pgp.mit.edu
> > > > > A: Because it messes up the order in
> which
> > > people
> > > > normally
> > > > > read text.
> > > > > Q: Why is top-posting such a bad
> thing?
> > > > >
> > > >
> > >
> > >
> >
> >
>
>
Re: problem with HostbasedAuthentication [ In reply to ]
I may have missed some of the details, so I apologize if this has been covered, but if you want to do host-based authentication, the SSH configs (client and server) need:

HostbasedAuthentication yes

If you need to change the configs, restart SSHD.

service sshd restart

The server has to allow the connections from the remote host. So the remote host's public key, from /etc/ssh/ssh_host_(r|d)sa_key.pub, has to be in /etc/ssh/ssh_known_hosts2, and as stated, you may want to place a comma-separated list of shortname, FQDN and IP before the start of the key so it matches any of those iterations.

Finally, you also need to include the hostname in the user's .shosts file on the server. You said you have this:

mahmood@server:~$ cat .shosts
client.domain mahmood

That doesn't look right to me. It should just be hostname followed by a user, unless you just want to allow in connections as the user.

mahmood@server:~$ cat .shosts
mahmood.domain.com

OR

mahmood@server:~$ cat .shosts
mahmood.domain.com myaccount
mahmood.domain.com anotheruser

Good luck.

Tim

On Apr 28, 2011, at 1:42 PM, Mahmood Naderan wrote:

> Dear Sharad,
> I am now trying to setup a hostbased ssh from server to client (previously client->server worked fine based on your help). I want it to be bidirectional.
>
> I did the same thing in reverse (now the client becomes server and the server becomes client). However this is what I get while trying to ssh from server to client:
>
>
> debug3: Wrote 48 bytes for a total of 1063
> debug2: service_accept: ssh-userauth
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug2: key: /home/mahmood/.ssh/identity ((nil))
> debug2: key: /home/mahmood/.ssh/id_rsa ((nil))
> debug2: key: /home/mahmood/.ssh/id_dsa ((nil))
> debug3: Wrote 64 bytes for a total of 1127
> debug1: Authentications that can continue: publickey,password,hostbased
> debug3: start over, passed a different list publickey,password,hostbased
> debug3: preferred gssapi-keyex,gssapi-with-mic,gssapi,hostbased,publickey,keyboard-interactive,password
> debug3: authmethod_lookup hostbased
> debug3: remaining preferred: publickey,keyboard-interactive,password
> debug3: authmethod_is_enabled hostbased
> debug1: Next authentication method: hostbased
> get_socket_address: getnameinfo 8 failed: Name or service not known
> debug2: userauth_hostbased: chost server.
> debug2: ssh_keysign called
> debug3: ssh_msg_send: type 2
> debug3: ssh_msg_recv entering
> debug1: permanently_drop_suid: 1000
> get_socket_address: getnameinfo 8 failed: Name or service not known
> cannot get sockname for fd
> ssh_keysign: no reply
> key_sign failed
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup publickey
> debug3: remaining preferred: keyboard-interactive,password
> debug3: authmethod_is_enabled publickey
> debug1: Next authentication method: publickey
> debug1: Trying private key: /home/mahmood/.ssh/identity
> debug3: no such identity: /home/mahmood/.ssh/identity
> debug1: Trying private key: /home/mahmood/.ssh/id_rsa
> debug3: no such identity: /home/mahmood/.ssh/id_rsa
> debug1: Trying private key: /home/mahmood/.ssh/id_dsa
> debug3: no such identity: /home/mahmood/.ssh/id_dsa
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup password
> debug3: remaining preferred: ,password
> debug3: authmethod_is_enabled password
> debug1: Next authentication method: password
> mahmood@192.168.1.3's password:
>
>
> What is your suggestion?
>
> // Naderan *Mahmood;
>
>
> ----- Original Message -----
> From: Sharad <sharad2011@yahoo.com>
> To: Mahmood Naderan <nt_mahmood@yahoo.com>
> Cc: "secureshell@securityfocus.com" <secureshell@securityfocus.com>
> Sent: Thursday, April 28, 2011 5:20 PM
> Subject: Re: problem with HostbasedAuthentication
>
> Mahmood,
>
> The files are /home/username/.ssh/known_hosts on both server and client.
>
> By FQDN, I meant host's fully qualified domain name.
>
> Following is the example:
>
> Assuming both client and server are linux hosts:
>
> Server IP: 192.168.1.1
> Client IP: 192.168.1.101
>
> Server Name: lnx_srvr_1.domain.com
> Client Name: lnx_clnt_101.domain.com
>
> User name on each host is mahmood.
>
> Following would be the entries in .shosts on lnx_srvr_1
>
>
> lnx_srvr_1:/home/mahmood $ cat .shosts
>
> lnx_clnt_101.domain.com mahmood
> 192.168.1.101 mahmood
> lnx_clnt_101 mahmood
>
> Following should exist in /home/mahmood/.ssh/known_hosts file on the server side:
> 192.168.1.101,lnx_clnt_101,lnx_clnt_101.domain.com ssh-rsa AAAAB3Nz...
>
> Following should also exist in /home/mahmood/.ssh/known_hosts file on the client side:
> 192.168.1.1,lnx_srvr_1,lnx_srvr_1.domain.com ssh-rsa AAAAB3Nz...
>
> Ensure that .ssh directory on both client and server are rwx for owner only and group/rest of world is 000.
>
> Hope this helps! Good Luck! :)
>
> Regards,
> Sharad
> --- On Thu, 28/4/11, Mahmood Naderan <nt_mahmood@yahoo.com> wrote:
>
>> From: Mahmood Naderan <nt_mahmood@yahoo.com>
>> Subject: Re: problem with HostbasedAuthentication
>> To: "Sharad" <sharad2011@yahoo.com>
>> Cc: "secureshell@securityfocus.com" <secureshell@securityfocus.com>
>> Date: Thursday, 28 April, 2011, 3:54 PM
>> Can you explain exactly which file I
>> should edit? What is FQDN? By 'hostname', do you mean server
>> hostname or client hostname?
>> Should I do that on both sides or server side?...
>>
>> // Naderan *Mahmood;
>>
>>
>> ----- Original Message -----
>> From: Sharad <sharad2011@yahoo.com>
>> To: Mahmood Naderan <nt_mahmood@yahoo.com>;
>> Asif Iqbal <vadud3@gmail.com>
>> Cc: "secureshell@securityfocus.com"
>> <secureshell@securityfocus.com>
>> Sent: Thursday, April 28, 2011 1:16 PM
>> Subject: Re: problem with HostbasedAuthentication
>>
>> Sometimes the issue lies with hostname as well. What I mean
>> with that is the known_hosts may have just the host name
>> whereas when the connection is established, the debug shows
>> the FQDN. I faced this issue so to be sure, I edited the
>> known_hosts file and inserted the hostname, hostname's FQDN
>> and its IP address (all comma separated).
>>
>> Also ensure that both the hosts' known_hosts files have
>> opposite servers' names (as prescribed above).
>>
>> All the above checks make it work for me.
>>
>> Hope this solves.
>>
>> Kind regards,
>> Sharad
>> --- On Thu, 28/4/11, Asif Iqbal <vadud3@gmail.com>
>> wrote:
>>
>>> From: Asif Iqbal <vadud3@gmail.com>
>>> Subject: Re: problem with HostbasedAuthentication
>>> To: "Mahmood Naderan" <nt_mahmood@yahoo.com>
>>> Cc: "secureshell@securityfocus.com" <secureshell@securityfocus.com>
>>> Date: Thursday, 28 April, 2011, 12:38 AM
>>> On Wed, Apr 27, 2011 at 1:12 AM,
>>> Mahmood Naderan <nt_mahmood@yahoo.com>
>>> wrote:
>>>>> Change the order method. Have hostbased before password
>>>>
>>>> Sorry where should I do that?
>>>
>>> man ssh_config and look into PreferredAuthentications
>>>
>>>>
>>>> // Naderan *Mahmood;
>>>>
>>>> From: Asif Iqbal <vadud3@gmail.com>
>>>> To: Mahmood Naderan <nt_mahmood@yahoo.com>
>>>> Cc: "secureshell@securityfocus.com" <secureshell@securityfocus.com>
>>>> Sent: Wednesday, April 27, 2011 9:17 AM
>>>> Subject: Re: problem with HostbasedAuthentication
>>>>
>>>>
>>>> Change the order method. Have hostbased before password
>>>> On Apr 26, 2011 11:52 PM, "Mahmood Naderan" <nt_mahmood@yahoo.com> wrote:
>>>>>
>>>>>
>>>>> Hi,
>>>>> I am trying to setup a hostbased passwordless ssh from a client to a server using this guide http://www.ehow.com/how_7621307_set-up-hostbased-authentication.html.
>>>>>
>>>>> The client looks like:
>>>>>
>>>>> mahmood@client:~$ cat /etc/ssh/ssh_config | grep "HostbasedAuthentication"
>>>>> HostbasedAuthentication yes
>>>>> mahmood@client:~$ cat /etc/ssh/ssh_config | grep "EnableSSHKeysign"
>>>>> EnableSSHKeysign yes
>>>>>
>>>>>
>>>>> and the server looks like:
>>>>> mahmood@server:~$ cat /etc/ssh/sshd_config | grep "HostbasedAuthentication"
>>>>> HostbasedAuthentication yes
>>>>> mahmood@server:~$ cat /etc/ssh/sshd_config | grep "IgnoreRhosts"
>>>>> IgnoreRhosts no
>>>>>
>>>>> also the server has the key for client:
>>>>>
>>>>> mahmood@server:~$ cat /etc/ssh/ssh_known_hosts
>>>>> client ssh-rsa AAAAB3Nz.....
>>>>>
>>>>> the ~/.shosts file on the server contains:
>>>>> mahmood@server:~$ cat .shosts
>>>>> client.domain mahmood
>>>>>
>>>>> Then on both server and client, the ssh service is restarted:
>>>>> mahmood@client:~$ sudo service ssh restart
>>>>> ssh start/running, process 1355
>>>>> mahmood@server:~$ sudo service ssh restart
>>>>> ssh start/running, process 28982
>>>>>
>>>>> How, when I run "ssh -vvv server" from client (to show the verbose messages), I still get the password prompt.
>>>>>
>>>>> mahmood@client:~$ ssh -vvv server
>>>>>
>>>>> Any idea about that?
>>>>>
>>>>> // Naderan *Mahmood;
>>>>>
>>>>
>>>
>>>
>>>
>>> --
>>> Asif Iqbal
>>> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
>>> A: Because it messes up the order in which people normally read text.
>>> Q: Why is top-posting such a bad thing?
>>>
>>
>
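The name-matching requirement this thread keeps returning to (the client's short name, FQDN and IP in the server's known_hosts, plus a matching .shosts line), as an added example that is not part of any poster's message or of OpenSSH itself. It is a simplified model of the lookup: the function names and the sample file contents are constructed from the snippets quoted in the thread, the key blob is a placeholder, and `+`/`-`/netgroup .shosts syntax is not handled.

```python
import base64
import hashlib
import hmac
import re


def normalize(name):
    """Lower-case and drop a trailing dot (the log shows 'chost client.')."""
    return name.lower().rstrip(".")


def glob_match(pattern, name):
    """known_hosts wildcards: '*' is any run of characters, '?' exactly one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, name) is not None


def host_field_matches(field, name):
    """True if one known_hosts host field (plain list or hashed) covers name."""
    if field.startswith("|1|"):
        # HashKnownHosts form: |1|base64(salt)|base64(HMAC-SHA1(salt, name))
        try:
            _, _, salt_b64, mac_b64 = field.split("|")
            salt, want = base64.b64decode(salt_b64), base64.b64decode(mac_b64)
        except ValueError:
            return False  # malformed hashed entry
        got = hmac.new(salt, name.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(got, want)
    matched = False
    for pat in field.lower().split(","):
        if pat.startswith("!"):
            if glob_match(pat[1:], name):
                return False  # a negated pattern vetoes the whole line
        elif glob_match(pat, name):
            matched = True
    return matched


def in_known_hosts(text, name):
    """Does any host key line in a known_hosts file cover this client name?"""
    name = normalize(name)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith(("#", "@")):
            continue  # blank, comment, or @cert-authority/@revoked marker line
        if host_field_matches(parts[0], name):
            return True
    return False


def in_shosts(text, name, client_user, server_user):
    """Does a .shosts line ('host [user]') admit client_user from this name?"""
    name = normalize(name)
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#") or len(parts) > 2:
            continue  # blank, comment, or extra fields (skipped in this model)
        host = parts[0]
        user = parts[1] if len(parts) == 2 else server_user  # host-only line
        if host[0] in "+-@" or user[0] in "+-@":
            continue  # wildcard/netgroup syntax: review by hand
        if host.lower() == name and user == client_user:
            return True
    return False


def audit(known_hosts, shosts, names, client_user, server_user):
    """Per candidate client name: (covered by known_hosts, covered by .shosts)."""
    return {n: (in_known_hosts(known_hosts, n),
                in_shosts(shosts, n, client_user, server_user)) for n in names}


def usable_names(report):
    """Names that pass both checks; the server needs one it actually uses."""
    return [n for n, (kh, sh) in report.items() if kh and sh]


# Constructed sample data modelled on the files quoted in the thread.
# The key blob is a placeholder and is never decoded.
NAMES = ["client.", "client.domain", "192.168.1.3"]
AS_POSTED_KNOWN_HOSTS = "client ssh-rsa AAAAB3Nz...\n"
AS_POSTED_SHOSTS = "client.domain mahmood\n"
ALL_NAMES_KNOWN_HOSTS = "192.168.1.3,client,client.domain ssh-rsa AAAAB3Nz...\n"
ALL_NAMES_SHOSTS = "client.domain mahmood\n192.168.1.3 mahmood\nclient mahmood\n"

if __name__ == "__main__":
    for label, kh, sh in (
        ("one name per file", AS_POSTED_KNOWN_HOSTS, AS_POSTED_SHOSTS),
        ("all names in both", ALL_NAMES_KNOWN_HOSTS, ALL_NAMES_SHOSTS),
    ):
        report = audit(kh, sh, NAMES, "mahmood", "mahmood")
        print(label, report, "usable:", usable_names(report))
```

To run it against a real host, read /etc/ssh/ssh_known_hosts (or the user's known_hosts) and ~/.shosts into the two text arguments and list every name the server could resolve the client to.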
Re: problem with HostbasedAuthentication [ In reply to ]
>Try disabling KeySign and set it to no in the config files and restart SSHD. Try it again.
Seems to be solved. Thanks Sharad. It is now bidirectional.

// Naderan *Mahmood;


----- Original Message -----
From: Sharad <sharad2011@yahoo.com>
To: Mahmood Naderan <nt_mahmood@yahoo.com>
Cc:
Sent: Friday, April 29, 2011 9:41 PM
Subject: Re: problem with HostbasedAuthentication

Hello Mahmood,

Try disabling KeySign and set it to no in the config files and restart SSHD. Try it again.

Regards,
Sharad
--- On Fri, 29/4/11, Mahmood Naderan <nt_mahmood@yahoo.com> wrote:

> From: Mahmood Naderan <nt_mahmood@yahoo.com>
> Subject: Re: problem with HostbasedAuthentication
> To: "Sharad" <sharad2011@yahoo.com>
> Cc: "secureshell@securityfocus.com" <secureshell@securityfocus.com>
> Date: Friday, 29 April, 2011, 5:31 PM
> On the client:
>  
> mahmood@client:~$ sudo service ssh stop
> [sudo] password for mahmood:
> ssh stop/waiting
>  
> mahmood@client:~$ sudo /usr/sbin/sshd -ddd
> debug2: load_server_config: filename /etc/ssh/sshd_config
> debug2: load_server_config: done config len = 649
> debug2: parse_server_config: config /etc/ssh/sshd_config
> len 649
> debug3: /etc/ssh/sshd_config:5 setting Port 22
> debug3: /etc/ssh/sshd_config:9 setting Protocol 2
> debug3: /etc/ssh/sshd_config:11 setting HostKey
> /etc/ssh/ssh_host_rsa_key
> debug3: /etc/ssh/sshd_config:12 setting HostKey
> /etc/ssh/ssh_host_dsa_key
> debug3: /etc/ssh/sshd_config:14 setting
> UsePrivilegeSeparation yes
> debug3: /etc/ssh/sshd_config:17 setting
> KeyRegenerationInterval 3600
> debug3: /etc/ssh/sshd_config:18 setting ServerKeyBits 768
> debug3: /etc/ssh/sshd_config:21 setting SyslogFacility
> AUTH
> debug3: /etc/ssh/sshd_config:22 setting LogLevel INFO
> debug3: /etc/ssh/sshd_config:25 setting LoginGraceTime 120
> debug3: /etc/ssh/sshd_config:26 setting PermitRootLogin
> yes
> debug3: /etc/ssh/sshd_config:27 setting StrictModes yes
> debug3: /etc/ssh/sshd_config:29 setting RSAAuthentication
> yes
> debug3: /etc/ssh/sshd_config:30 setting
> PubkeyAuthentication yes
> debug3: /etc/ssh/sshd_config:34 setting IgnoreRhosts no
> debug3: /etc/ssh/sshd_config:36 setting
> RhostsRSAAuthentication no
> debug3: /etc/ssh/sshd_config:38 setting
> HostbasedAuthentication yes
> debug3: /etc/ssh/sshd_config:43 setting
> PermitEmptyPasswords no
> debug3: /etc/ssh/sshd_config:47 setting
> ChallengeResponseAuthentication no
> debug3: /etc/ssh/sshd_config:62 setting X11Forwarding yes
> debug3: /etc/ssh/sshd_config:63 setting X11DisplayOffset
> 10
> debug3: /etc/ssh/sshd_config:64 setting PrintMotd no
> debug3: /etc/ssh/sshd_config:65 setting PrintLastLog yes
> debug3: /etc/ssh/sshd_config:66 setting TCPKeepAlive yes
> debug3: /etc/ssh/sshd_config:73 setting AcceptEnv LANG
> LC_*
> debug3: /etc/ssh/sshd_config:75 setting Subsystem sftp
> /usr/lib/openssh/sftp-server
> debug3: /etc/ssh/sshd_config:86 setting UsePAM yes
> debug1: sshd version OpenSSH_5.3p1 Debian-3ubuntu6
> debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
> debug1: read PEM private key done: type RSA
> debug1: Checking blacklist file
> /usr/share/ssh/blacklist.RSA-2048
> debug1: Checking blacklist file
> /etc/ssh/blacklist.RSA-2048
> debug1: private host key: #0 type 1 RSA
> debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
> debug1: read PEM private key done: type DSA
> debug1: Checking blacklist file
> /usr/share/ssh/blacklist.DSA-1024
> debug1: Checking blacklist file
> /etc/ssh/blacklist.DSA-1024
> debug1: private host key: #1 type 2 DSA
> debug1: rexec_argv[0]='/usr/sbin/sshd'
> debug1: rexec_argv[1]='-ddd'
> debug2: fd 3 setting O_NONBLOCK
> debug1: Bind to port 22 on 0.0.0.0.
> Server listening on 0.0.0.0 port 22.
> debug2: fd 4 setting O_NONBLOCK
> debug1: Bind to port 22 on ::.
> Server listening on :: port 22.
>  
>  
>
> While it is listening, in another shell I ran
>
> mahmood@server:~$ ssh -vvv 192.168.1.3
>  
> Then in the first terminal (which -ddd is on) I see
> debug3: fd 5 is not O_NONBLOCK
> debug1: Server will not fork when running in debugging
> mode.
> debug3: send_rexec_state: entering fd = 8 config len 649
> debug3: ssh_msg_send: type 0
> debug3: send_rexec_state: done
> debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
> debug1: inetd sockets after dupping: 3, 3
> Connection from 192.168.1.1 port 42036
> debug1: Client protocol version 2.0; client software
> version OpenSSH_5.3p1 Debian-3ubuntu4
> debug1: match: OpenSSH_5.3p1 Debian-3ubuntu4 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_5.3p1
> Debian-3ubuntu6
> debug2: fd 3 setting O_NONBLOCK
> debug2: Network child is on pid 2829
> debug3: preauth child monitor started
> debug3: mm_request_receive entering
> debug3: privsep user:group 103:65534
> debug1: permanently_set_uid: 103/65534
> debug1: list_hostkey_types: ssh-rsa,ssh-dss
> debug1: SSH2_MSG_KEXINIT sent
> debug3: Wrote 784 bytes for a total of 823
> debug1: SSH2_MSG_KEXINIT received
> debug2: kex_parse_kexinit:
> diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit:
> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> debug2: kex_parse_kexinit:
> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib@openssh.com
> debug2: kex_parse_kexinit: none,zlib@openssh.com
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: kex_parse_kexinit:
> diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit:
> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> debug2: kex_parse_kexinit:
> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
> debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: mac_setup: found hmac-md5
> debug1: kex: client->server aes128-ctr hmac-md5 none
> debug2: mac_setup: found hmac-md5
> debug1: kex: server->client aes128-ctr hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
> debug3: mm_request_send entering: type 0
> debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI
> debug3: mm_request_receive_expect entering: type 1
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 0
> debug3: mm_answer_moduli: got parameters: 1024 1024 8192
> debug3: mm_request_send entering: type 1
> debug2: monitor_read: 0 used once, disabling now
> debug3: mm_request_receive entering
> debug3: mm_choose_dh: remaining 0
> debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
> debug3: Wrote 152 bytes for a total of 975
> debug2: dh_gen_key: priv key bits set: 129/256
> debug2: bits set: 504/1024
> debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
> debug2: bits set: 551/1024
> debug3: mm_key_sign entering
> debug3: mm_request_send entering: type 5
> debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN
> debug3: mm_request_receive_expect entering: type 6
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 5
> debug3: mm_answer_sign
> debug3: mm_answer_sign: signature 0x7f0bb6bdfbf0(271)
> debug3: mm_request_send entering: type 6
> debug2: monitor_read: 5 used once, disabling now
> debug3: mm_request_receive entering
> debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
> debug2: kex_derive_keys
> debug2: set_newkeys: mode 1
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug3: Wrote 720 bytes for a total of 1695
> debug2: set_newkeys: mode 0
> debug1: SSH2_MSG_NEWKEYS received
> debug1: KEX done
> debug3: Wrote 48 bytes for a total of 1743
> debug1: userauth-request for user mahmood service
> ssh-connection method none
> debug1: attempt 0 failures 0
> debug3: mm_getpwnamallow entering
> debug3: mm_request_send entering: type 7
> debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
> debug3: mm_request_receive_expect entering: type 8
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 7
> debug3: mm_answer_pwnamallow
> debug3: Trying to reverse map address 192.168.1.1.
> debug2: parse_server_config: config reprocess config len
> 649
> debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
> debug3: mm_request_send entering: type 8
> debug2: monitor_read: 7 used once, disabling now
> debug3: mm_request_receive entering
> debug2: input_userauth_request: setting up authctxt for
> mahmood
> debug3: mm_start_pam entering
> debug3: mm_request_send entering: type 50
> debug3: mm_inform_authserv entering
> debug3: monitor_read: checking request 50
> debug3: mm_request_send entering: type 3
> debug1: PAM: initializing for "mahmood"
> debug2: input_userauth_request: try method none
> debug3: mm_auth_password entering
> debug3: mm_request_send entering: type 11
> debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
> debug3: mm_request_receive_expect entering: type 12
> debug3: mm_request_receive entering
> debug1: PAM: setting PAM_RHOST to "server"
> debug1: PAM: setting PAM_TTY to "ssh"
> debug2: monitor_read: 50 used once, disabling now
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 3
> debug3: mm_answer_authserv: service=ssh-connection, style=, role=
> debug2: monitor_read: 3 used once, disabling now
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 11
> debug3: mm_answer_authpassword: sending result 0
> debug3: mm_request_send entering: type 12
> Failed none for mahmood from 192.168.1.1 port 42036 ssh2
> debug3: mm_request_receive entering
> debug3: mm_auth_password: user not authenticated
> debug3: Wrote 64 bytes for a total of 1807
>  
>  
>  
>
> and in the second shell that I used -vvv, I see
>  
> OpenSSH_5.3p1 Debian-3ubuntu4, OpenSSL 0.9.8k 25 Mar 2009
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug2: ssh_connect: needpriv 0
> debug1: Connecting to 192.168.1.3 [192.168.1.3] port 22.
> debug1: Connection established.
> debug1: identity file /home/mahmood/.ssh/identity type -1
> debug1: identity file /home/mahmood/.ssh/id_rsa type -1
> debug1: identity file /home/mahmood/.ssh/id_dsa type -1
> debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3p1 Debian-3ubuntu6
> debug1: match: OpenSSH_5.3p1 Debian-3ubuntu6 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu4
> debug2: fd 3 setting O_NONBLOCK
> debug1: SSH2_MSG_KEXINIT sent
> debug3: Wrote 792 bytes for a total of 831
> debug1: SSH2_MSG_KEXINIT received
> debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
> debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib@openssh.com
> debug2: kex_parse_kexinit: none,zlib@openssh.com
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: mac_setup: found hmac-md5
> debug1: kex: server->client aes128-ctr hmac-md5 none
> debug2: mac_setup: found hmac-md5
> debug1: kex: client->server aes128-ctr hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> debug3: Wrote 24 bytes for a total of 855
> debug2: dh_gen_key: priv key bits set: 131/256
> debug2: bits set: 551/1024
> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> debug3: Wrote 144 bytes for a total of 999
> debug3: check_host_in_hostfile: filename /home/mahmood/.ssh/known_hosts
> debug3: check_host_in_hostfile: match line 1
> debug1: Host '192.168.1.3' is known and matches the RSA host key.
> debug1: Found key in /home/mahmood/.ssh/known_hosts:1
> debug2: bits set: 504/1024
> debug1: ssh_rsa_verify: signature correct
> debug2: kex_derive_keys
> debug2: set_newkeys: mode 1
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug3: Wrote 16 bytes for a total of 1015
> debug2: set_newkeys: mode 0
> debug1: SSH2_MSG_NEWKEYS received
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug3: Wrote 48 bytes for a total of 1063
> debug2: service_accept: ssh-userauth
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug2: key: /home/mahmood/.ssh/identity ((nil))
> debug2: key: /home/mahmood/.ssh/id_rsa ((nil))
> debug2: key: /home/mahmood/.ssh/id_dsa ((nil))
> debug3: Wrote 64 bytes for a total of 1127
> debug1: Authentications that can continue: publickey,password,hostbased
> debug3: start over, passed a different list publickey,password,hostbased
> debug3: preferred gssapi-keyex,gssapi-with-mic,gssapi,hostbased,publickey,keyboard-interactive,password
> debug3: authmethod_lookup hostbased
> debug3: remaining preferred: publickey,keyboard-interactive,password
> debug3: authmethod_is_enabled hostbased
> debug1: Next authentication method: hostbased
> get_socket_address: getnameinfo 8 failed: Name or service not known
> debug2: userauth_hostbased: chost server.
> debug2: ssh_keysign called
> debug3: ssh_msg_send: type 2
> debug3: ssh_msg_recv entering
> debug1: permanently_drop_suid: 1000
> get_socket_address: getnameinfo 8 failed: Name or service not known
> cannot get sockname for fd
> ssh_keysign: no reply
> key_sign failed
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup publickey
> debug3: remaining preferred: keyboard-interactive,password
> debug3: authmethod_is_enabled publickey
> debug1: Next authentication method: publickey
> debug1: Trying private key: /home/mahmood/.ssh/identity
> debug3: no such identity: /home/mahmood/.ssh/identity
> debug1: Trying private key: /home/mahmood/.ssh/id_rsa
> debug3: no such identity: /home/mahmood/.ssh/id_rsa
> debug1: Trying private key: /home/mahmood/.ssh/id_dsa
> debug3: no such identity: /home/mahmood/.ssh/id_dsa
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup password
> debug3: remaining preferred: ,password
> debug3: authmethod_is_enabled password
> debug1: Next authentication method: password
> mahmood@192.168.1.3's password:
>  
>
> Hope that is the correct information you need.
> Thanks.
>  
> // Naderan *Mahmood;
>