From owner-freebsd-questions@FreeBSD.ORG  Sun Oct 10 19:37:03 2004
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 87E8116A4CE
	for <freebsd-questions@freebsd.org>;
	Sun, 10 Oct 2004 19:37:03 +0000 (GMT)
Received: from smtp.infracaninophile.co.uk (ns0.infracaninophile.co.uk
	[81.2.69.218])	by mx1.FreeBSD.org (Postfix) with ESMTP id 092F043D1F
	for <freebsd-questions@freebsd.org>;
	Sun, 10 Oct 2004 19:37:02 +0000 (GMT)
	(envelope-from m.seaman@infracaninophile.co.uk)
Received: from happy-idiot-talk.infracaninophile.co.uk
	(localhost.infracaninophile.co.uk [IPv6:::1])i9AJauJ4015669
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
	Sun, 10 Oct 2004 20:36:56 +0100 (BST)
	(envelope-from matthew@happy-idiot-talk.infracaninophile.co.uk)
Received: (from matthew@localhost)i9AJau9w015642;
	Sun, 10 Oct 2004 20:36:56 +0100 (BST)	(envelope-from matthew)
Date: Sun, 10 Oct 2004 20:36:56 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: Joe Schmoe <non_secure@yahoo.com>
Message-ID: <20041010193656.GA8450@happy-idiot-talk.infracaninophile.co.uk>
Mail-Followup-To: Matthew Seaman <m.seaman@infracaninophile.co.uk>,
	Joe Schmoe <non_secure@yahoo.com>, freebsd-questions@freebsd.org
References: <20041010192044.11548.qmail@web53301.mail.yahoo.com>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="8t9RHnE3ZwKMSgU+"
Content-Disposition: inline
In-Reply-To: <20041010192044.11548.qmail@web53301.mail.yahoo.com>
User-Agent: Mutt/1.4.2.1i
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-1.5.6
	(smtp.infracaninophile.co.uk [IPv6:::1]); Sun, 10 Oct 2004 20:36:56 +0100
	(BST)
X-Virus-Scanned: clamd / ClamAV version devel-20040904, clamav-milter version
	0.75l	on smtp.infracaninophile.co.uk
X-Virus-Status: Clean
X-Spam-Status: No, hits=-4.8 required=5.0 tests=AWL,BAYES_00 autolearn=ham 
	version=2.64
X-Spam-Checker-Version: SpamAssassin 2.64 (2004-01-11) on 
	happy-idiot-talk.infracaninophile.co.uk
cc: freebsd-questions@freebsd.org
Subject: Re: host-based ssh authentication (no password) not working ...
	help needed
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 10 Oct 2004 19:37:03 -0000


--8t9RHnE3ZwKMSgU+
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sun, Oct 10, 2004 at 12:20:44PM -0700, Joe Schmoe wrote:
> I have machines CLIENT and SERVER.
>=20
> On SERVER, I set the following options in
> /etc/ssh/sshd_config :
>=20
> RhostsAuthentication      no
> RhostsRSAAuthentication   yes
>=20
> Then I copied the host public key from /etc/ssh on
> CLIENT to /etc/ssh/ssh_known_hosts on SERVER - so now
> the SERVER has the CLIENTs public key.
>=20
> Finally, I added the hostname of CLIENT to
> /etc/hosts.equiv on SERVER.  Then I HUPped sshd on
> SERVER.
>=20
> So now I go to CLIENT and run:
>=20
> ssh username@SERVER
>=20
> and it asks me for a password!!
>=20
> I even tried:
>=20
> ssh -1 username@SERVER
>=20
> and that didn't work either.  I thought maybe RSA was
> ssh1 only, so I needed to force ssh1 ... but as I
> said, that didn't work either.
>=20
> Two questions:
>=20
> 1. What am I doing wrong ?

For ssh(1) to work using key based auth, all of the files in
~user/.ssh on the server must have the correct permissions, and the
host public keys for the server should be known to the client machine,
and vice versa.

A good way to diagnose the problem is to run:

    # sshd -d -d -d -p 2222

on the server (ie. turn on maximum debugging output, and run on a
different port than usual).

Then from the client, run:

    % ssh -v -v -v -p 2222 server

The verbose output from sshd will usually tell you exactly what's wrong.
=20
> 2. Am I right that using RSA host authentication like
> this will only work with ssh1 ?  If so, how can I use
> ssh2 with host based key sharing ?

No.  Incorrect.  SSH2 uses two possible key types: rsa or dsa.  Use
either -- it makes little practical difference in most situations.
SSH1 uses an older form of RSA, now called rsa1.  You shouldn't use
SSH1 unless you have no other choice -- ie. a system that only
supports SSH1 -- because it is significantly less secure than SSH2.

	Cheers,

	Matthew

--=20
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK

--8t9RHnE3ZwKMSgU+
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (FreeBSD)

iD8DBQFBaY9YiD657aJF7eIRAhtxAKCE+wjj0qrc2CUOclNXxcLeIZU+YACghM5B
qWLzNnERb6xbFBUUiisZYC0=
=rcK6
-----END PGP SIGNATURE-----

--8t9RHnE3ZwKMSgU+--