From: "Misha Kamushkin"
To: freebsd-security@freebsd.org
Subject: openssh auth. problem
Date: Fri, 08 Jun 2001 07:47:03 -0700

hello,

i think i tried everything under the sun to get this to work but with no results. i need to get ssh to work without prompting me for a password. i created id_dsa and id_dsa.pub with ssh-keygen. then i exported the key with ssh-keygen -x. after that i copied the exported key to my server and renamed it known_hosts2 and i also tried athorized_keys2. i have enabled hostbasedauthentication on both client and server config files.

here's client conf file:

[root@ber ssh2]# cat ssh_config
Host 1.1.1.1
ForwardAgent no
ForwardX11 yes
HostbasedAuthentication yes
PreferredAuthentications hostbased,password
# RhostsAuthentication no
RhostsRSAAuthentication yes
# RSAAuthentication yes
# PasswordAuthentication yes
FallBackToRsh no
# UseRsh no
# BatchMode no
# CheckHostIP yes
# StrictHostKeyChecking yes
# IdentityFile ~/.ssh/known_hosts2
IdentityFile ~/.ssh/id_dsa
# IdentityFile ~/.ssh/id_rsa
Port 22
Protocol 2
Cipher blowfish
# EscapeChar ~

here's server config file:

[root@lit ssh2]# cat sshd_config
Port 22
Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::
HostKey /etc/ssh2/ssh_host_key
HostKey /etc/ssh2/ssh_host_rsa_key
HostKey /etc/ssh2/ssh_host_dsa_key
ServerKeyBits 768
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin yes
#
# Don't read ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
StrictModes yes
X11Forwarding no
X11DisplayOffset 10
PrintMotd yes
#PrintLastLog no
KeepAlive yes
# Logging
SyslogFacility AUTH
LogLevel INFO
#obsoletes QuietMode and FascistLogging
RhostsAuthentication no
#
# For this to work you will also need host keys in /etc/ssh2/ssh_known_hosts
#RhostsRSAAuthentication yes
# similar for protocol version 2
HostbasedAuthentication yes
#
RSAAuthentication yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords yes
# Uncomment to disable s/key passwords
#ChallengeResponseAuthentication no
# Uncomment to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt yes
# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no
# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes
#CheckMail yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
#ReverseMappingCheck yes
Subsystem sftp /usr/local//libexec/sftp-server

here's the output

[root@ber ssh2]# ssh 2.2.2.2 -v
OpenSSH_2.9p1, SSH protocols 1.5/2.0, OpenSSL 0x0090581f
debug1: Reading configuration data /etc/ssh2/ssh_config
debug1: Seeding random number generator
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 0 geteuid 0 anon 1
debug1: Connecting to 2.2.2.2 [2.2.2.2] port 22.
debug1: temporarily_use_uid: 0/0 (e=0)
debug1: restore_uid
debug1: temporarily_use_uid: 0/0 (e=0)
debug1: restore_uid
debug1: Connection established.
debug1: read PEM private key done: type DSA
debug1: read PEM private key done: type RSA
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version OpenSSH_2.9p1
debug1: match: OpenSSH_2.9p1 pat ^OpenSSH
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_2.9p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 137/256
debug1: bits set: 1039/2049
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '2.2.2.2' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts2:1
debug1: bits set: 1022/2049
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug1: next auth method to try is publickey
debug1: try privkey: /root/.ssh/identity
debug1: try privkey: /root/.ssh/id_rsa
debug1: try pubkey: /root/.ssh/id_dsa
debug1: authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug1: next auth method to try is password
root@2.2.2.2's password:

what am i doing wrong? can somebody bring some light on this? what's the correct step by step configuration?

thanks in advance.
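Added example, not part of the original message: a small Python parser for the userauth lines of `ssh -v` output, run over the lines quoted above, that lists which authentication methods the server offered, which ones the client attempted, and which keys it tried. The function name summarize_userauth is hypothetical; the sample lines are copied from the debug output in the message.

```python
import re

# Userauth lines copied from the `ssh -v` output quoted in the message above.
SAMPLE_DEBUG = """\
debug1: authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug1: next auth method to try is publickey
debug1: try privkey: /root/.ssh/identity
debug1: try privkey: /root/.ssh/id_rsa
debug1: try pubkey: /root/.ssh/id_dsa
debug1: authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug1: next auth method to try is password
"""

OFFERED = re.compile(r"authentications that can continue: (\S+)")
NEXT_METHOD = re.compile(r"next auth method to try is (\S+)")
KEY_ATTEMPT = re.compile(r"try (?:privkey|pubkey): (\S+)")


def summarize_userauth(debug_text):
    """Summarize offered, attempted and never-attempted methods, plus keys tried."""
    offered, attempted, keys = [], [], []
    for line in debug_text.splitlines():
        m = OFFERED.search(line)
        if m:
            # The server repeats its list after each failure; keep first-seen order.
            for method in m.group(1).split(","):
                if method not in offered:
                    offered.append(method)
            continue
        m = NEXT_METHOD.search(line)
        if m:
            if m.group(1) not in attempted:
                attempted.append(m.group(1))
            continue
        m = KEY_ATTEMPT.search(line)
        if m:
            keys.append(m.group(1))
    never = [method for method in offered if method not in attempted]
    return {"offered": offered, "attempted": attempted,
            "never_attempted": never, "keys_tried": keys}


if __name__ == "__main__":
    for field, values in summarize_userauth(SAMPLE_DEBUG).items():
        print(f"{field}: {', '.join(values)}")
```

On the quoted output this reports publickey and password as attempted, and keyboard-interactive and hostbased as offered by the server but never attempted by the client.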