I'm using the openssh-2.5.2p2-1.1mdk which provides
OpenSSH_v2.5.2p2, SSH protocols 1.5/2.0
I have a small number of linux machines, and they're all in a
pretty secure position (behind the corporate firewall), so I'd
like to set up trusted-host authentication so I can dispense with
password authentication.
I used ssh-keygen to generate an identity and identity.pub file,
and I've set up an /etc/shosts.equiv file on all the linux
machines.
One more wrinkle -- my user account is actually on a network file
system that's NFS mounted to the same place on each linux box
(/home/vhaag), so each linux box "shares" the same ~/.ssh and
~/.shosts files (but not /etc/shosts.equiv files).
By my understanding of the system, this should permit me to
slogin across all these systems without needing to password
authenticate.
Here's a copy of my /etc/ssh/ssh_config file (same on all
machines involved in the tests):
> # Site-wide defaults for various options
>
> # Host *
> # ForwardAgent no
> # ForwardX11 no
> # RhostsAuthentication no
> # RhostsRSAAuthentication yes
> # RSAAuthentication yes
> # PasswordAuthentication yes
> # FallBackToRsh no
> # UseRsh no
> # BatchMode no
> # CheckHostIP yes
> # StrictHostKeyChecking yes
> # IdentityFile ~/.ssh/identity
> # IdentityFile ~/.ssh/id_dsa
> # IdentityFile ~/.ssh/id_rsa1
> # IdentityFile ~/.ssh/id_rsa2
> # Port 22
> # Protocol 2,1
> # Cipher blowfish
> # EscapeChar ~
>
> Host *
> ForwardAgent yes
> ForwardX11 yes
> Cipher blowfish
> TransmitInterlude 100
> StrictHostKeyChecking no
> PasswordAuthentication yes
> RSAAuthentication yes
> RhostsRSAAuthentication yes
> Protocol 1,2
When I do an 'slogin -v machineFoo', here's the verbose output:
> OpenSSH_2.5.2p2, SSH protocols 1.5/2.0, OpenSSL 0x0090581f
> debug1: Seeding random number generator
> debug1: Rhosts Authentication disabled, originating port will not be trusted.
> debug1: ssh_connect: getuid 1224 geteuid 0 anon 1
> debug1: Connecting to machineFoo [xxx.xxx.xxx.xxx] port 22.
> debug1: Connection established.
> debug1: identity file /home/vhaag/.ssh/identity type 0
> debug1: unknown identity file /home/vhaag/.ssh/id_rsa
> debug1: identity file /home/vhaag/.ssh/id_rsa type -1
> debug1: unknown identity file /home/vhaag/.ssh/id_dsa
> debug1: identity file /home/vhaag/.ssh/id_dsa type -1
> debug1: Remote protocol version 1.99, remote software version OpenSSH_2.5.2p2
> debug1: match: OpenSSH_2.5.2p2 pat ^OpenSSH
> debug1: Local version string SSH-1.5-OpenSSH_2.5.2p2
> debug1: Waiting for server public key.
> debug1: Received server public key (768 bits) and host key (1024 bits).
> debug1: Host 'machineFoo' is known and matches the RSA1 host key.
> debug1: Found key in /home/vhaag/.ssh/known_hosts:1
> debug1: Encryption type: blowfish
> debug1: Sent encrypted session key.
> debug1: Installing crc compensation attack detector.
> debug1: Received encrypted confirmation.
> debug1: Trying RSA authentication with key 'vh...@myMainMachine.rim.net'
> debug1: Server refused our key.
> debug1: Doing password authentication.
> vhaag@machineFoo's password:
Can anyone please provide assistance here? I'm not all that
comfortable with configuring SSH, but I'd like to get past this
hurdle... I'm *particularly* suspicious of that second debug1
statement--does this mean that my package was built/compiled
without support for Rhosts authentication (even
RhostsRSAAuthentication?), or is that merely because the 'weak'
host authentication has been marked with 'no' in the config file
(as it should be, if I understand things right...)?
--
Viktor Haag Senior Technical Writer, RIM
Results of today's Quote-O-Matic:
"Darn. My fellow ravers will be so disappointed: it was my turn to
bring the bundt cake..."
> ...unsuccessfully.
>
> I'm using the openssh-2.5.2p2-1.1mdk which provides
>
> OpenSSH_v2.5.2p2, SSH protocols 1.5/2.0
>
> I have a small number of linux machines, and they're all in a
> pretty secure position (behind the corporate firewall), so I'd
> like to set up trusted-host authentication so I can dispense with
> password authentication.
>
> I used ssh-keygen to generate an identity and identity.pub file,
> and I've set up an /etc/shosts.equiv file on all the linux
> machines.
>
> One more wrinkle -- my user account is actually on a network file
> system that's NFS mounted to the same place on each linux box
> (/home/vhaag), so each linux box "shares" the same ~/.ssh and
> ~/.shosts files (but not /etc/shosts.equiv files).
>
> By my understanding of the system, this should permit me to
> slogin in across all these systems without needing to password
> authenticate.
I did some more research on this problem. After reading some
recent posts in this newsgroup, I added
UsePrivilegedPort yes
to the config files of all the servers involved.
And after a closer reading of the ssh(1) man page, I put the
contents of my identity.pub RSA public key into a file called
'authorized_keys'. Since my network home directory is mounted on
all the machines, all these files (public key, private key,
authorized keys) are in the same directory: I realize this is
probably dodgy practice in general...
Now a verbose login yields this:
> debug1: Seeding random number generator
> debug1: ssh_connect: getuid 1224 geteuid 0 anon 0
> debug1: Connecting to machineFoo [xxx.xxx.xxx.xxx] port 22.
> debug1: Allocated local port 775.
> debug1: Connection established.
> debug1: identity file /home/vhaag/.ssh/identity type 0
> debug1: unknown identity file /home/vhaag/.ssh/id_rsa
> debug1: identity file /home/vhaag/.ssh/id_rsa type -1
> debug1: unknown identity file /home/vhaag/.ssh/id_dsa
> debug1: identity file /home/vhaag/.ssh/id_dsa type -1
> debug1: Remote protocol version 1.99, remote software version OpenSSH_2.5.2p2
> debug1: match: OpenSSH_2.5.2p2 pat ^OpenSSH
> debug1: Local version string SSH-1.5-OpenSSH_2.5.2p2
> debug1: Waiting for server public key.
> debug1: Received server public key (768 bits) and host key (1024 bits).
> debug1: Host 'machineFoo' is known and matches the RSA1 host key.
> debug1: Found key in /home/vhaag/.ssh/known_hosts:1
> debug1: Encryption type: blowfish
> debug1: Sent encrypted session key.
> debug1: Installing crc compensation attack detector.
> debug1: Received encrypted confirmation.
> debug1: Trying RSA authentication with key 'vh...@mainMachine.rim.net'
> debug1: Received RSA challenge from server.
> Enter passphrase for RSA key 'vh...@mainMachine.rim.net':
> debug1: Sending response to host key RSA challenge.
> debug1: Remote: RSA authentication accepted.
> debug1: RSA authentication accepted by server.
> debug1: Requesting pty.
> debug1: Requesting X11 forwarding with authentication spoofing.
> debug1: Requesting shell.
> debug1: Entering interactive session.
So, now it actually uses RSA authentication, but it's still not
doing trusted-host RSAAuthentication. Can anyone help me?
--
Viktor Haag Senior Technical Writer, RIM
Results of today's Quote-O-Matic:
"C-SPAN is for wimps. They're a bunch of grannies."
2) Did you set "RhostsRSAAuthentication yes" in sshd_config? It's off by
default.
--
Richard Silverman
sl...@shore.net
> 1) You don't need authorized_keys, identity(.pub), etc. --
> that's all for public-key authentication, which you don't want
> to use. The whole point of RhostsRSA is that it doesn't
> require any of that.
Yes, thanks -- I just figured that out 10 minutes ago 8-).
> 2) Did you set "RhostsRSAAuthentication yes" in sshd_config?
> It's off by default.
Umm -- yes, the problem was that this was set properly in one of
the daemon config files, but not in the others. Also, the
ssh_known_hosts file was in /etc instead of /etc/ssh where it was
supposed to be.
I think it's working now.
Thanks very much for your answer, Richard. I suppose I should
have waited to post my questions until I had done more work on
things, since I essentially solved my own problem.
However, I know that I personally appreciate seeing other people
"work out their problems" in public like this from time to time,
as it gives me clues on how to solve my own issues.
I now fade into the background again... 8-)
--
Viktor Haag Senior Technical Writer, RIM
Results of today's Quote-O-Matic:
"Every time I see you grin, I'm such a koo koo individual... "
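The thread's resolution boils down to a short server-side checklist: "RhostsRSAAuthentication yes" must be present (uncommented) in sshd_config on every server, since it is off by default; ssh_known_hosts must live in /etc/ssh rather than /etc; and shosts.equiv must name the trusting clients. The script below is an added example, not code posted in the thread or shipped with OpenSSH. It audits a directory laid out like a server's /etc for exactly those three points, reproducing sshd's first-uncommented-occurrence rule for keywords. The "root" argument and the two constructed sample trees ("good" and "bad", with a placeholder RSA1 host key and an example hostname) are assumptions that let it run offline; point check_server at /etc on a real host to audit it.

```shell
#!/bin/sh
# Added example (not from the thread). Audits a server /etc-style tree for the
# RhostsRSA (trusted-host) prerequisites the thread converged on:
#   <root>/ssh/sshd_config      "RhostsRSAAuthentication yes" (sshd default: no)
#   <root>/ssh/ssh_known_hosts  must be here, not one level up in <root>
#   <root>/shosts.equiv         must list the trusting client hosts
# The "root" argument and the demo trees are assumptions for offline use.

# Print the effective value of an sshd_config keyword. sshd honours the first
# uncommented occurrence (keywords are case-insensitive); print the default
# when the keyword is absent.
sshd_option() {
    awk -v key="$2" -v def="$3" '
        /^[[:space:]]*#/ { next }
        NF >= 2 && tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# Audit one server tree: print each finding, return 0 only when all pass.
check_server() {
    root=$1; ok=0
    cfg="$root/ssh/sshd_config"
    if [ ! -f "$cfg" ]; then
        echo "$root: missing ssh/sshd_config"; return 1
    fi
    val=$(sshd_option "$cfg" RhostsRSAAuthentication no)
    if [ "$val" != yes ]; then
        echo "$root: RhostsRSAAuthentication is '$val' (needs yes)"; ok=1
    fi
    if [ ! -f "$root/ssh/ssh_known_hosts" ]; then
        if [ -f "$root/ssh_known_hosts" ]; then
            echo "$root: ssh_known_hosts is in $root, not $root/ssh"
        else
            echo "$root: ssh/ssh_known_hosts missing"
        fi
        ok=1
    fi
    if [ ! -s "$root/shosts.equiv" ]; then
        echo "$root: shosts.equiv missing or empty"; ok=1
    fi
    return $ok
}

# Build two constructed server trees (sample data, not real hosts) under a
# temporary directory and print its path. "good" matches the thread's fix;
# "bad" reproduces the two misconfigurations it hit: the keyword present only
# as a comment, and ssh_known_hosts one directory too high.
make_demo_trees() {
    top=$(mktemp -d)
    for h in good bad; do mkdir -p "$top/$h/ssh"; done
    printf '%s\n' '# Host *' 'RhostsRSAAuthentication yes' 'RSAAuthentication yes' \
        > "$top/good/ssh/sshd_config"
    printf '%s\n' 'mainmachine.example.net 1024 65537 <rsa1-host-key-placeholder>' \
        > "$top/good/ssh/ssh_known_hosts"
    printf '%s\n' 'mainmachine.example.net' > "$top/good/shosts.equiv"
    printf '%s\n' '# RhostsRSAAuthentication yes' 'RSAAuthentication yes' \
        > "$top/bad/ssh/sshd_config"
    printf '%s\n' 'mainmachine.example.net 1024 65537 <rsa1-host-key-placeholder>' \
        > "$top/bad/ssh_known_hosts"
    printf '%s\n' 'mainmachine.example.net' > "$top/bad/shosts.equiv"
    echo "$top"
}

# Demo run over the constructed trees; "bad" prints its two findings.
demo=$(make_demo_trees)
for host in "$demo/good" "$demo/bad"; do
    if check_server "$host"; then echo "$host: ok"; fi
done
```

The comment-skipping rule is the point of the check: a line such as "# RhostsRSAAuthentication yes" in a distribution-supplied sshd_config looks enabled at a glance but leaves sshd at its default of no, which is precisely the inconsistency across daemon config files that the thread's author found.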