From: Matthew Seaman
To: Joe Schmoe
Cc: freebsd-questions@freebsd.org
Date: Sun, 10 Oct 2004 20:36:56 +0100
Subject: Re: host-based ssh authentication (no password) not working ... help needed
Message-ID: <20041010193656.GA8450@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <20041010192044.11548.qmail@web53301.mail.yahoo.com>

On Sun, Oct 10, 2004 at 12:20:44PM -0700, Joe Schmoe wrote:
> I have machines CLIENT and SERVER.
>
> On SERVER, I set the following options in /etc/ssh/sshd_config:
>
>     RhostsAuthentication no
>     RhostsRSAAuthentication yes
>
> Then I copied the host public key from /etc/ssh on CLIENT to
> /etc/ssh/ssh_known_hosts on SERVER - so now the SERVER has the
> CLIENT's public key.
>
> Finally, I added the hostname of CLIENT to /etc/hosts.equiv on
> SERVER. Then I HUPped sshd on SERVER.
>
> So now I go to CLIENT and run:
>
>     ssh username@SERVER
>
> and it asks me for a password!!
>
> I even tried:
>
>     ssh -1 username@SERVER
>
> and that didn't work either. I thought maybe RSA was ssh1 only, so
> I needed to force ssh1 ... but as I said, that didn't work either.
>
> Two questions:
>
> 1. What am I doing wrong?

For ssh(1) to work using key-based auth, all of the files in ~user/.ssh
on the server must have the correct permissions, and the host public
keys for the server should be known to the client machine, and vice
versa.

A good way to diagnose the problem is to run:

    # sshd -d -d -d -p 2222

on the server (i.e. turn on maximum debugging output, and run on a
different port than usual). Then from the client, run:

    % ssh -v -v -v -p 2222 server

The verbose output from sshd will usually tell you exactly what's wrong.

> 2. Am I right that using RSA host authentication like this will only
> work with ssh1? If so, how can I use ssh2 with host based key sharing?

No. Incorrect.
SSH2 uses two possible key types: rsa or dsa. Use either -- it makes
little practical difference in most situations. SSH1 uses an older form
of RSA, now called rsa1. You shouldn't use SSH1 unless you have no other
choice -- i.e. a system that only supports SSH1 -- because it is
significantly less secure than SSH2.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
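The permissions check Matthew points at, as an added example that is not part of the original post or of OpenSSH itself: a POSIX sh function that flags the paths sshd's StrictModes test rejects when they are group- or world-writable, so they can be fixed before the sshd -d / ssh -v session. It assumes find(1) accepts symbolic -perm modes and takes the home directory to audit as its argument.

```sh
#!/bin/sh
# Added example (not from the thread above): audit the permissions that make
# sshd refuse key-based logins when StrictModes is on. Assumes POSIX sh and a
# find(1) that accepts symbolic -perm modes; the home directory is passed as $1.

# Print one line per finding; return 0 when clean, 1 when something needs fixing.
# sshd rejects the login if the home directory, ~/.ssh or ~/.ssh/authorized_keys
# is writable by group or others (owner-only write is what it expects).
check_ssh_perms() {
    home=$1
    rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        # -prune stops find descending, so only $p itself is tested
        if [ -n "$(find "$p" -prune \( -perm -g+w -o -perm -o+w \) -print)" ]; then
            echo "group/other writable: $p"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh check_ssh_perms.sh ~user   (hypothetical script name)
if [ -n "${1-}" ]; then
    check_ssh_perms "$1"
fi
```

A clean run prints nothing and exits 0; any line it prints names a path whose mode sshd's debug output would also complain about.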