ssh hostbased authentication

paco_deb

Hi everyone.
I've been going crazy for about two days trying to configure hostname-based ssh authentication.

Here is what I have done so far:

SERVER
(/etc/ssh/sshd_config)
...
HostbasedAuthentication yes
HostbasedUsesNameFromPacketOnly yes
...

I also added the domain name of the machine to be granted access to /etc/ssh/shosts.equiv

and its public key to /etc/ssh/ssh_known_hosts

CLIENT
(/etc/ssh/ssh_config)
EnableSSHKeysign    yes
Host vega*
    Protocol 2
    ForwardX11          no
    HostbasedAuthentication     yes
    PreferredAuthentications    hostbased

Needless to say, the mapping between IP and hostname is defined in /etc/hosts on both machines.

.....

Here is what happens:
[root@vega ~]# ssh vega08
Permission denied (publickey,gssapi-with-mic,password,hostbased).

[root@vega ~]# ssh -v -v vega08
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
debug1: Reading configuration data /root/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Applying options for vega*
debug2: ssh_connect: needpriv 0
debug1: Connecting to vega08 [10.0.0.108] port 22.
debug1: Connection established.
debug1: read PEM private key done: type DSA
debug1: read PEM private key done: type RSA
debug1: permanently_set_uid: 0/0
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug2: key_type_from_name: unknown key type '-----END'
debug1: identity file /root/.ssh/id_rsa type 1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: loaded 2 keys
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 137/256
debug2: bits set: 513/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'vega08' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:4
debug2: bits set: 518/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /root/.ssh/id_rsa (0x9ce7c10)
debug2: key: /root/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: publickey,gssapi-with-mic,password,hostbased
debug1: Next authentication method: hostbased
debug2: userauth_hostbased: chost vega00.
debug2: we sent a hostbased packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,password,hostbased
debug2: userauth_hostbased: chost vega00.
debug2: we sent a hostbased packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,password,hostbased
debug1: No more client hostkeys for hostbased authentication.
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-with-mic,password,hostbased).

I get the impression that the server couldn't care less about the HostbasedAuthentication directive and keeps demanding the public key.

Does anyone have a tip??
>Paco
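
A server-side check for the setup described in this post, added here as an example and not code from the post: it takes the chost name from the client's debug output, which is the name sshd looks up when HostbasedUsesNameFromPacketOnly is yes, and tests it against the contents of shosts.equiv and ssh_known_hosts. The file contents, the example.test domain, the user alice and all function names are constructed for illustration.

```python
import re

# Constructed inputs: the chost line is copied from the debug output above;
# the file contents (and the example.test domain) are invented for illustration.
CLIENT_LOG = "debug2: userauth_hostbased: chost vega00.\n"
SHOSTS_EQUIV = "# trusted client hosts\nvega00.example.test\n"
KNOWN_HOSTS = "vega00.example.test ssh-rsa AAAAB3NzaC1yc2E_CONSTRUCTED_KEY\n"

def chost_from_log(log):
    """Host name the client announced, minus the one trailing dot sshd strips."""
    m = re.search(r"userauth_hostbased: chost (\S+?)\.?(?:\s|$)", log)
    return m.group(1) if m else None

def in_equiv(name, text):
    """Plain 'host [user]' lines only; +/- and @netgroup forms are not handled."""
    entries = (line.split("#", 1)[0].split() for line in text.splitlines())
    return any(f and f[0].lower() == name.lower() for f in entries)

def _glob(pattern, name):
    # known_hosts host patterns use only '*' and '?' as wildcards.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, name, re.IGNORECASE) is not None

def in_known_hosts(name, text):
    """Plain-text entries only; hashed (|1|...) and @marker lines are skipped."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 3 or f[0][0] in "#|@":
            continue
        pats = f[0].split(",")
        if any(p.startswith("!") and _glob(p[1:], name) for p in pats):
            continue  # a negated pattern excludes the host from this entry
        if any(_glob(p, name) for p in pats):
            return True
    return False

def check(log, target_user, equiv_text, known_hosts_text):
    """Return the server-side reasons a hostbased request would be refused."""
    name = chost_from_log(log)
    if name is None:
        return ["no hostbased attempt found in the client log"]
    problems = []
    if target_user == "root":
        # sshd does not consult the system-wide equiv files for uid 0.
        problems.append("root login: sshd ignores hosts.equiv and shosts.equiv for uid 0")
    elif not in_equiv(name, equiv_text):
        problems.append(f"{name} is not listed in shosts.equiv")
    if not in_known_hosts(name, known_hosts_text):
        problems.append(f"no ssh_known_hosts entry matches {name}")
    return problems
```

For a root login the trusted host has to be listed in root's own ~/.shosts or ~/.rhosts on the server, and IgnoreRhosts must not block those files.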