Date: Sun, 10 Oct 2004 20:36:56 +0100 From: Matthew Seaman <m.seaman@infracaninophile.co.uk> To: Joe Schmoe <non_secure@yahoo.com> Cc: freebsd-questions@freebsd.org Subject: Re: host-based ssh authentication (no password) not working ... help needed Message-ID: <20041010193656.GA8450@happy-idiot-talk.infracaninophile.co.uk> In-Reply-To: <20041010192044.11548.qmail@web53301.mail.yahoo.com> References: <20041010192044.11548.qmail@web53301.mail.yahoo.com>
next in thread | previous in thread | raw e-mail | index | archive | help
--8t9RHnE3ZwKMSgU+
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
On Sun, Oct 10, 2004 at 12:20:44PM -0700, Joe Schmoe wrote:
> I have machines CLIENT and SERVER.
>=20
> On SERVER, I set the following options in
> /etc/ssh/sshd_config :
>=20
> RhostsAuthentication no
> RhostsRSAAuthentication yes
>=20
> Then I copied the host public key from /etc/ssh on
> CLIENT to /etc/ssh/ssh_known_hosts on SERVER - so now
> the SERVER has the CLIENTs public key.
>=20
> Finally, I added the hostname of CLIENT to
> /etc/hosts.equiv on SERVER. Then I HUPped sshd on
> SERVER.
>=20
> So now I go to CLIENT and run:
>=20
> ssh username@SERVER
>=20
> and it asks me for a password!!
>=20
> I even tried:
>=20
> ssh -1 username@SERVER
>=20
> and that didn't work either. I thought maybe RSA was
> ssh1 only, so I needed to force ssh1 ... but as I
> said, that didn't work either.
>=20
> Two questions:
>=20
> 1. What am I doing wrong ?
For ssh(1) to work using key based auth, all of the files in
~user/.ssh on the server must have the correct permissions, and the
host public keys for the server should be known to the client machine,
and vice versa.
A good way to diagnose the problem is to run:
# sshd -d -d -d -p 2222
on the server (ie. turn on maximum debugging output, and run on a
different port than usual).
Then from the client, run:
% ssh -v -v -v -p 2222 server
The verbose output from sshd will usually tell you exactly what's wrong.
=20
> 2. Am I right that using RSA host authentication like
> this will only work with ssh1 ? If so, how can I use
> ssh2 with host based key sharing ?
No. Incorrect. SSH2 uses two possible key types: rsa or dsa. Use
either -- it makes little practical difference in most situations.
SSH1 uses an older form of RSA, now called rsa1. You shouldn't use
SSH1 unless you have no other choice -- ie. a system that only
supports SSH1 -- because it is significantly less secure than SSH2.
Cheers,
Matthew
--=20
Dr Matthew J Seaman MA, D.Phil. 26 The Paddocks
Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey Marlow
Tel: +44 1628 476614 Bucks., SL7 1TH UK
--8t9RHnE3ZwKMSgU+
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (FreeBSD)
iD8DBQFBaY9YiD657aJF7eIRAhtxAKCE+wjj0qrc2CUOclNXxcLeIZU+YACghM5B
qWLzNnERb6xbFBUUiisZYC0=
=rcK6
-----END PGP SIGNATURE-----
--8t9RHnE3ZwKMSgU+--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20041010193656.GA8450>