hostbased debugging - SSH



Thread: hostbased debugging

  1. hostbased debugging

    OK, here's the short version. I have many machines. They're all
    pretty close to identical. Hostbased auth works on (and between) all
    but one. I cannot log INTO the one where it doesn't work. I have:

    * correct keys in ssh_host_*_key and ssh_host_*_key.pub
    * those same keys correctly added to ssh_known_hosts (as hostname,
    FQDN, and IP)
    * the host appearing (tried hostname, FQDN, and IP) in /etc/hosts
    * the host appearing (tried hostname, FQDN, and IP) in shosts.equiv
    and /root/.shosts
    * trying both as root and regular user
    * hostbased on in both ssh_config and sshd_config

    I'm running OpenSSH 3.6.1p2. There is one thing that makes this
    machine different from the others. The others form a private network
    with one acting as the gateway. This machine is just a regular machine
    outside that network. I would think that would make things EASIER,
    though. It's also possible that something has become munged in the
    tweaking process. I have removed and reinstalled sshd. I'm
    contemplating a full system reinstall, but would certainly rather not
    do that.

    I'm including below (cleansed) snippets of the output from "sshd -d -d -d"
    and "ssh -vvv thehost". It's clear that hostbased is failing with
    "key 0x8772d40 is disallowed" but I don't know WHY. Any help or other
    things to try would be much appreciated.


    -Michael

    Server:

    debug1: userauth-request for user ash service ssh-connection method hostbased
    debug1: attempt 1 failures 1
    debug2: input_userauth_request: try method hostbased
    debug1: userauth_hostbased: cuser ash chost serv. pkalg ssh-dss slen 55
    debug3: mm_key_allowed entering
    debug3: mm_request_send entering: type 20
    debug3: monitor_read: checking request 20
    debug3: mm_answer_keyallowed entering
    debug3: mm_answer_keyallowed: key_from_blob: 0x8772d40
    debug2: userauth_hostbased: chost serv. resolvedname serv ipaddr 125.135.21.115
    debug2: auth_rhosts2: clientuser ash hostname serv. ipaddr serv.
    debug1: temporarily_use_uid: 578/578 (e=0/0)
    debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
    debug3: mm_request_receive_expect entering: type 21
    debug3: mm_request_receive entering
    debug1: restore_uid: 0/0
    debug1: temporarily_use_uid: 578/578 (e=0/0)
    debug1: restore_uid: 0/0
    debug3: mm_answer_keyallowed: key 0x8772d40 is disallowed
    debug3: mm_request_send entering: type 21
    debug3: mm_request_receive entering
    debug2: userauth_hostbased: authenticated 0
    Failed hostbased for ash from 125.135.21.115 port 33514 ssh2
    debug1: userauth-request for user ash service ssh-connection method hostbased
    debug1: attempt 2 failures 2
    debug2: input_userauth_request: try method hostbased
    debug1: userauth_hostbased: cuser ash chost serv. pkalg ssh-rsa slen 143
    debug3: mm_key_allowed entering
    debug3: mm_request_send entering: type 20
    debug3: monitor_read: checking request 20
    debug3: mm_answer_keyallowed entering
    debug3: mm_answer_keyallowed: key_from_blob: 0x8772d50
    debug2: userauth_hostbased: chost serv. resolvedname serv ipaddr 125.135.21.115
    debug2: auth_rhosts2: clientuser ash hostname serv. ipaddr serv.
    debug1: temporarily_use_uid: 578/578 (e=0/0)
    debug1: restore_uid: 0/0
    debug1: temporarily_use_uid: 578/578 (e=0/0)
    debug1: restore_uid: 0/0
    debug3: mm_answer_keyallowed: key 0x8772d50 is disallowed
    debug3: mm_request_send entering: type 21
    debug3: mm_request_receive entering
    debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
    debug3: mm_request_receive_expect entering: type 21
    debug3: mm_request_receive entering
    debug2: userauth_hostbased: authenticated 0
    Failed hostbased for ash from 125.135.21.115 port 33514 ssh2

    Client:

    debug1: Next authentication method: hostbased
    debug2: userauth_hostbased: chost serv.
    debug2: ssh_keysign called
    debug3: ssh_msg_send: type 2
    debug3: ssh_msg_recv entering
    debug2: we sent a hostbased packet, wait for reply
    debug1: Authentications that can continue: publickey,password,keyboard-interactive,hostbased
    debug2: userauth_hostbased: chost ocplservice.
    debug2: ssh_keysign called
    debug3: ssh_msg_send: type 2
    debug3: ssh_msg_recv entering
    debug2: we sent a hostbased packet, wait for reply
    debug1: Authentications that can continue: publickey,password,keyboard-interactive,hostbased
    debug1: No more client hostkeys for hostbased authentication.


  2. Re: hostbased debugging


    A hostbased authentication request contains the name of the client host as
    supplied by the client. OpenSSH normally compares this against a reverse
    lookup on the client IP address, and fails authentication if they don't
    match. There's little point to this behavior, since the real security
    lies in the hostname/key match and signature verification. And it causes
    breakage in your situation, where many hosts are coming through a NAT
    gateway with the same IP address.

    You can turn off the DNS check with the undocumented sshd option:

    HostbasedUsesNameFromPacketOnly yes

    However... this feature has a bug. OpenSSH normally strips the trailing
    dot from the supplied hostname. It fails to do this if this option is
    set, causing it to cease matching any hostnames in the known-hosts file
    (which of course do not have the technically-correct trailing dots).
    Here's a diff for fixing it:

    --------------------------------------------------------------------------------
    --- auth2-hostbased.c.~1.1.1.2~ 2006-10-01 00:00:03.247144000 -0400
    +++ auth2-hostbased.c.~1.2~ 2006-09-30 23:58:23.255270000 -0400
    @@ -142,15 +142,25 @@
    debug2("userauth_hostbased: chost %s resolvedname %s ipaddr %s",
    chost, resolvedname, ipaddr);

    + /* DESCO local mod
    +
    + This stanza was mistakenly inside the following "else" clause,
    + with the result that setting hostbased_uses_name_from_packet_only
    + would actually cause hostbased authentication to cease working,
    + since no one has domain names with dots on the end in their
    + known_hosts files.
    +
    + */
    + if (((len = strlen(chost)) > 0) && chost[len - 1] == '.') {
    + debug2("stripping trailing dot from chost %s", chost);
    + chost[len - 1] = '\0';
    + }
    +
    if (options.hostbased_uses_name_from_packet_only) {
    if (auth_rhosts2(pw, cuser, chost, chost) == 0)
    return 0;
    lookup = chost;
    } else {
    - if (((len = strlen(chost)) > 0) && chost[len - 1] == '.') {
    - debug2("stripping trailing dot from chost %s", chost);
    - chost[len - 1] = '\0';
    - }
    if (strcasecmp(resolvedname, chost) != 0)
    logit("userauth_hostbased mismatch: "
    "client sends %s, but we resolve %s to %s",
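    Review bot: the eleven-line `/* DESCO local mod ... */` comment placed above the hoisted `if` is a site changelog rather than code documentation; cut it to one or two lines stating why the strip must run before either branch, e.g. `/* strip trailing dot before both branches: known_hosts names carry none */`, and keep the history in the commit message. The `---`/`+++` header names backup copies (`auth2-hostbased.c.~1.1.1.2~`, `auth2-hostbased.c.~1.2~`) with the "new" file's mtime earlier than the "old" one, so `patch -p0` will not locate `auth2-hostbased.c`; regenerate the diff against the real filename or tell readers to apply it with `patch auth2-hostbased.c < fix.diff`. The move itself is sound on the visible lines: the strip now precedes both paths, so `auth_rhosts2(pw, cuser, chost, chost)` and `lookup = chost` receive the dotless name, and the `else` branch still strips before the `strcasecmp(resolvedname, chost)` comparison.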
    --------------------------------------------------------------------------------

    --
    Richard Silverman
    res@qoxp.net
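The name handling described in the reply above, as an added example that is not part of the original thread or of OpenSSH: a small C model of the chost/resolvedname checks in auth2-hostbased.c, run in three modes (DNS check on, packet-only unpatched, packet-only patched) against a constructed list of known_hosts names. It models the hostname logic only; key lookup, signature verification, shosts.equiv/.shosts and the real OpenSSH data structures are left out, and the function names and the `strip_before_branch` switch are this example's own, not sshd's.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp, as used by sshd for the name compare */
#include <stdbool.h>

/* Constructed stand-in for the host fields of ssh_known_hosts (hostname,
 * FQDN and IP, as in the original post). Real lines also carry the key. */
static const char *known_hosts[] = {
    "serv", "serv.example.org", "125.135.21.115", NULL
};

/* sshd strips one trailing dot from the client-supplied name in place. */
static void strip_trailing_dot(char *host)
{
    size_t len = strlen(host);
    if (len > 0 && host[len - 1] == '.')
        host[len - 1] = '\0';
}

/* Does the (stripped or unstripped) name appear in our known_hosts list? */
static bool known_host(const char *name)
{
    for (const char **p = known_hosts; *p != NULL; p++)
        if (strcasecmp(*p, name) == 0)
            return true;
    return false;
}

/* Model of the chost/resolvedname section of userauth_hostbased().
 * Returns the name that would be looked up in the known-hosts files,
 * or NULL if the request is refused before any key is consulted.
 * strip_before_branch=false reproduces the unpatched code (strip only in
 * the else branch); true reproduces the patched code (strip for both). */
const char *hostbased_lookup_name(char *chost, const char *resolvedname,
                                  bool name_from_packet_only,
                                  bool strip_before_branch)
{
    if (strip_before_branch)
        strip_trailing_dot(chost);       /* patched: runs on both paths */

    if (name_from_packet_only)
        return chost;                    /* unpatched: "serv." survives here */

    if (!strip_before_branch)
        strip_trailing_dot(chost);       /* unpatched: strip only on DNS path */

    if (strcasecmp(resolvedname, chost) != 0) {
        printf("userauth_hostbased mismatch: client sends %s, "
               "but we resolve to %s\n", chost, resolvedname);
        return NULL;                     /* the NAT-gateway failure mode */
    }
    return chost;
}

/* Whole name decision: a lookup name is produced and it is a known host. */
bool hostbased_name_ok(const char *chost_in, const char *resolvedname,
                       bool name_from_packet_only, bool patched)
{
    char chost[256];
    snprintf(chost, sizeof chost, "%s", chost_in);  /* sshd mutates chost */
    const char *lookup = hostbased_lookup_name(chost, resolvedname,
                                               name_from_packet_only, patched);
    return lookup != NULL && known_host(lookup);
}

int main(void)
{
    /* Client behind a NAT gateway: it sends "serv." but the reverse
     * lookup of the shared address yields the gateway's name. */
    printf("DNS check, NAT'd client:  %d\n",
           hostbased_name_ok("serv.", "gateway", false, false));
    printf("packet-only, unpatched:   %d\n",
           hostbased_name_ok("serv.", "gateway", true, false));
    printf("packet-only, patched:     %d\n",
           hostbased_name_ok("serv.", "gateway", true, true));
    return 0;
}
```

Build and run with `cc -o hb hb.c && ./hb`. Only the third run prints 1: with the DNS check on, the gateway's reverse name never equals "serv", and with HostbasedUsesNameFromPacketOnly on but the strip still inside the else branch, "serv." is looked up verbatim and matches nothing in known_hosts, which is exactly the "key ... is disallowed" path from the first post.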

