From: "Ed Henderson" <Ed.Henderson@Certainty.net>
To: <ssh@clinet.fi>
Subject: RE: Trouble with root login and hostbased authentication
Date: Fri, 18 May 2001 13:42:44 -0400
Message-ID: <002601c0dfc1$f2b1e1c0$0464a8c0@certainty.net>
In-Reply-To: <001701c0dfb3$5771f500$0464a8c0@certainty.net>

I just figured it out myself.  Root must have a ~/.shosts and "IgnoreRhosts no".  I was even able to get it working with protocol 2.



> -----Original Message-----
> From: owner-ssh@clinet.fi [mailto:owner-ssh@clinet.fi]On Behalf Of Ed
> Henderson
> Sent: Friday, May 18, 2001 11:58 AM
> To: ssh@clinet.fi
> Subject: Trouble with root login and hostbased authentication
> 
> 
> I have successfully gotten ssh to work with non-root users in 
> "BatchMode yes" but can't get root to work at all (in 
> Protocol 1 only.  2 doesn't work well).  I compiled sshd with 
> libwrap support.  I have created /etc/ssh/shosts.equiv.  Here 
> are some settings from sshd_config:
> Protocol 1
> PermitRootLogin yes
> IgnoreRhosts yes
> IgnoreUserKnownHosts yes
> RhostsAuthentication no
> RhostsRSAAuthentication yes
> HostbasedAuthentication yes
> RSAAuthentication yes
> 
> Also some snips from ssh_config (gen is the hostname of the 
> sshd server):
> Host gen
>    BatchMode yes
>    RhostsAuthentication no
>    RhostsRSAAuthentication yes
>    HostbasedAuthentication yes
> 
> Output from sshd -d:
> gen:/etc/ssh> /usr/local/sbin/sshd -d
> debug1: Seeded RNG with 33 bytes from programs
> debug1: Seeded RNG with 3 bytes from system calls
> debug1: sshd version OpenSSH_2.9p1
> debug1: private host key: #0 type 0 RSA1
> debug1: read PEM private key done: type RSA
> debug1: private host key: #1 type 1 RSA
> debug1: read PEM private key done: type DSA
> debug1: private host key: #2 type 2 DSA
> debug1: Bind to port 22 on ::.
> Server listening on :: port 22.
> debug1: Bind to port 22 on 0.0.0.0.
> Server listening on 0.0.0.0 port 22.
> Generating 768 bit RSA key.
> RSA key generation complete.
> debug1: Server will not fork when running in debugging mode.
> Connection from 192.168.100.101 port 32910
> debug1: Client protocol version 1.5; client software version 
> OpenSSH_2.9p1
> debug1: match: OpenSSH_2.9p1 pat ^OpenSSH
> debug1: Local version string SSH-1.5-OpenSSH_2.9p1
> debug1: Rhosts Authentication disabled, originating port not trusted.
> debug1: Sent 768 bit server key and 1024 bit host key.
> debug1: Encryption type: 3des
> debug1: Received session key; encryption turned on.
> debug1: Installing crc compensation attack detector.
> debug1: Attempting authentication for root.
> debug1: Trying rhosts with RSA host authentication for client 
> user root
> debug1: temporarily_use_uid: 0/1 (e=0)
> debug1: restore_uid
> debug1: temporarily_use_uid: 0/1 (e=0)
> debug1: restore_uid
> Failed rhosts-rsa for ROOT from 192.168.100.101 port 32910 ruser root
> Connection closed by 192.168.100.101
> debug1: Calling cleanup 0x80835dc(0x0)
> debug1: Calling cleanup 0x8088940(0x0)
> debug1: writing PRNG seed to file /root/.ssh/prng_seed
> 
> Output from ssh -v:
> ssh -v gen "cat /etc/passwd"
> OpenSSH_2.9p1, SSH protocols 1.5/2.0, OpenSSL 0x0090601f
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for gen
> debug1: Applying options for *
> debug1: Seeded RNG with 33 bytes from programs
> debug1: Seeded RNG with 3 bytes from system calls
> debug1: Rhosts Authentication disabled, originating port will 
> not be trusted.
> debug1: restore_uid
> debug1: ssh_connect: getuid 0 geteuid 0 anon 1
> debug1: Connecting to gen [192.168.100.100] port 22.
> debug1: temporarily_use_uid: 0/1 (e=0)
> debug1: restore_uid
> debug1: temporarily_use_uid: 0/1 (e=0)
> debug1: restore_uid
> debug1: Connection established.
> debug1: read PEM private key done: type DSA
> debug1: read PEM private key done: type RSA
> debug1: identity file /root/.ssh/identity type -1
> debug1: identity file /root/.ssh/id_rsa type -1
> debug1: identity file /root/.ssh/id_dsa type -1
> debug1: Remote protocol version 1.5, remote software version 
> OpenSSH_2.9p1
> debug1: match: OpenSSH_2.9p1 pat ^OpenSSH
> debug1: Local version string SSH-1.5-OpenSSH_2.9p1
> debug1: Waiting for server public key.
> debug1: Received server public key (768 bits) and host key 
> (1024 bits).
> debug1: Host 'gen' is known and matches the RSA1 host key.
> debug1: Found key in /root/.ssh/known_hosts:1
> debug1: Encryption type: 3des
> debug1: Sent encrypted session key.
> debug1: Installing crc compensation attack detector.
> debug1: Received encrypted confirmation.
> debug1: Trying rhosts or /etc/hosts.equiv with RSA host 
> authentication.
> debug1: Server refused our rhosts authentication or host key.
> Permission denied.
> debug1: Calling cleanup 0x807f7a0(0x0)
> debug1: Calling cleanup 0x8084b04(0x0)
> debug1: writing PRNG seed to file /root/.ssh/prng_seed
> 
> 
> Thanks for any help,
> Ed.
> 
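
Added example (not part of the original message and not OpenSSH's own code): a small Python model of why the fix reported at the top of this message works. It assumes OpenSSH's documented behaviour that the system-wide hosts.equiv/shosts.equiv files are not consulted for root and that "IgnoreRhosts yes" skips the per-user ~/.rhosts and ~/.shosts; the function names and the non-root uid and home directory are hypothetical.

```python
"""Added illustration: which trust files sshd can consult for rhosts-RSA or
hostbased login, given the sshd_config settings quoted in this thread."""

# Settings as posted in the original message.
POSTED = """\
Protocol 1
PermitRootLogin yes
IgnoreRhosts yes
IgnoreUserKnownHosts yes
RhostsAuthentication no
RhostsRSAAuthentication yes
HostbasedAuthentication yes
RSAAuthentication yes
"""

def parse_sshd_config(text):
    """Map lower-cased keyword -> value; the first occurrence of a keyword wins."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            opts.setdefault(parts[0].lower(), parts[1].strip().lower())
    return opts

def trust_files(opts, uid, home):
    """Files that can authorise a host-trust login for this account."""
    enabled = any(opts.get(k, "no") == "yes"
                  for k in ("rhostsrsaauthentication", "hostbasedauthentication"))
    if not enabled:
        return []
    files = []
    if uid != 0:  # assumption: system-wide files are skipped for root
        files += ["/etc/hosts.equiv", "/etc/ssh/shosts.equiv"]
    if opts.get("ignorerhosts", "yes") == "no":  # assumed default: yes
        files += [home + "/.rhosts", home + "/.shosts"]
    return files

if __name__ == "__main__":
    fixed = POSTED.replace("IgnoreRhosts yes", "IgnoreRhosts no")
    for label, cfg in (("posted", POSTED), ("fixed", fixed)):
        opts = parse_sshd_config(cfg)
        print(label, "root:", trust_files(opts, 0, "/root"))
        print(label, "user:", trust_files(opts, 1000, "/home/ed"))  # hypothetical account
```

With the posted settings root gets an empty list, consistent with the "Failed rhosts-rsa for ROOT" line in the sshd output; the same check can be used in an audit to confirm that root is not reachable through host trust.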

