Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

hostbased debugging

239 views
Skip to first unread message

mste...@gmail.com

unread,
Sep 27, 2006, 1:28:01 PM9/27/06
to
OK, here's the short version. I have many machines. They're all
pretty close to identical. Hostbased auth works on (and between) all
but one. I cannot log INTO the one where it doesn't work. I have:

* correct keys in ssh_host_*_key and ssh_host_*_key.pub
* those same keys correctly added to ssh_known_hosts (as hostname,
FQDN, and IP)
* the host appearing (tried hostname, FQDN, and IP) in /etc/hosts
* the host appearing (tried hostname, FQDN, and IP) in shosts.equiv
and /root/.shosts
* trying both as root and regular user
* hostbased on in both ssh_config and sshd_config

I'm running OpenSSH 3.6.1p2. There is one thing that makes this
machine different from the others. They others form a private network
with one acting as the gateway. This machine is just a regular machine
outside that network. I would think that would make things EASIER,
though. It's also possible that something has become munged in the
tweeking process. I have removed and reinstalled sshd. I'm
contemplating a full system reinstall, but would certainly rather not
do that.

I'm including below (cleansed) snippets of the output from "sshd -d -d
-d" and "ssh -vvv thehost". It's clear that hostbased is failing with
"key 0x8772d40 is disallowed" but I don't know WHY. Any help or other
things to try would be much appreciated.


-Michael

Server:

debug1: userauth-request for user ash service ssh-connection method
hostbaseddebug1: attempt 1 failures 1
debug2: input_userauth_request: try method hostbased
debug1: userauth_hostbased: cuser ash chost serv. pkalg ssh-dss slen 55
debug3: mm_key_allowed entering
debug3: mm_request_send entering: type 20
debug3: monitor_read: checking request 20
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 0x8772d40
debug2: userauth_hostbased: chost serv. resolvedname serv ipaddr
125.135.21.115
debug2: auth_rhosts2: clientuser ash hostname serv. ipaddr serv.
debug1: temporarily_use_uid: 578/578 (e=0/0)
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
debug3: mm_request_receive_expect entering: type 21
debug3: mm_request_receive entering
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 578/578 (e=0/0)
debug1: restore_uid: 0/0
debug3: mm_answer_keyallowed: key 0x8772d40 is disallowed
debug3: mm_request_send entering: type 21
debug3: mm_request_receive entering
debug2: userauth_hostbased: authenticated 0
Failed hostbased for ash from 125.135.21.115 port 33514 ssh2
debug1: userauth-request for user ash service ssh-connection method
hostbaseddebug1: attempt 2 failures 2
debug2: input_userauth_request: try method hostbased
debug1: userauth_hostbased: cuser ash chost serv. pkalg ssh-rsa slen
143
debug3: mm_key_allowed entering
debug3: mm_request_send entering: type 20
debug3: monitor_read: checking request 20
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 0x8772d50
debug2: userauth_hostbased: chost serv. resolvedname serv ipaddr
125.135.21.115
debug2: auth_rhosts2: clientuser ash hostname serv. ipaddr serv.
debug1: temporarily_use_uid: 578/578 (e=0/0)
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 578/578 (e=0/0)
debug1: restore_uid: 0/0
debug3: mm_answer_keyallowed: key 0x8772d50 is disallowed
debug3: mm_request_send entering: type 21
debug3: mm_request_receive entering
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
debug3: mm_request_receive_expect entering: type 21
debug3: mm_request_receive entering
debug2: userauth_hostbased: authenticated 0
Failed hostbased for ash from 125.135.21.115 port 33514 ssh2

Client:

debug1: Next authentication method: hostbased
debug2: userauth_hostbased: chost serv.
debug2: ssh_keysign called
debug3: ssh_msg_send: type 2
debug3: ssh_msg_recv entering
debug2: we sent a hostbased packet, wait for reply
debug1: Authentications that can continue:
publickey,password,keyboard-interactive,hostbased
debug2: userauth_hostbased: chost ocplservice.
debug2: ssh_keysign called
debug3: ssh_msg_send: type 2
debug3: ssh_msg_recv entering
debug2: we sent a hostbased packet, wait for reply
debug1: Authentications that can continue:
publickey,password,keyboard-interactive,hostbased
debug1: No more client hostkeys for hostbased authentication.

Richard E. Silverman

unread,
Oct 1, 2006, 12:12:10 AM10/1/06
to

A hostbased authentication request contains the name of the client host as
supplied by the client. OpenSSH normally compares this against a reverse
lookup on the client IP address, and fails authentication if they don't
match. There's little point to this behavior, since the real security
lies in the hostname/key match and signature verification. And it causes
breakage in your situation, where many hosts are coming through a NAT
gateway with the same IP address.

You can turn off the DNS check with the undocumented sshd option:

HostbasedUsesNameFromPacketOnly yes

However... this feature has a bug. OpenSSH normally strips the trailing
dot from the supplied hostname. It fails to do this if this option is
set, causing it to cease matching any hostnames in the known-hosts file
(which of course do not have the technically-correct trailing dots).
Here's a diff for fixing it:

--------------------------------------------------------------------------------
--- auth2-hostbased.c.~1.1.1.2~ 2006-10-01 00:00:03.247144000 -0400
+++ auth2-hostbased.c.~1.2~ 2006-09-30 23:58:23.255270000 -0400
@@ -142,15 +142,25 @@
debug2("userauth_hostbased: chost %s resolvedname %s ipaddr %s",
chost, resolvedname, ipaddr);

+ /* DESCO local mod
+
+ This stanza was mistakenly inside the following "else" clause,
+ with the result that setting hostbased_uses_name_from_packet_only
+ would actually cause hostbased authentication to cease working,
+ since no one has domain names with dots on the end in their
+ known_hosts files.
+
+ */
+ if (((len = strlen(chost)) > 0) && chost[len - 1] == '.') {
+ debug2("stripping trailing dot from chost %s", chost);
+ chost[len - 1] = '\0';
+ }
+
if (options.hostbased_uses_name_from_packet_only) {
if (auth_rhosts2(pw, cuser, chost, chost) == 0)
return 0;
lookup = chost;
} else {
- if (((len = strlen(chost)) > 0) && chost[len - 1] == '.') {
- debug2("stripping trailing dot from chost %s", chost);
- chost[len - 1] = '\0';
- }
if (strcasecmp(resolvedname, chost) != 0)
logit("userauth_hostbased mismatch: "
"client sends %s, but we resolve %s to %s",
--------------------------------------------------------------------------------

--
Richard Silverman
r...@qoxp.net

0 new messages