Password-less logins with SSH 1.2.27?


Post by ra.. » Thu, 09 Dec 1999 04:00:00




>Also, here is the log of the session:
>What do I need to do to get "RhostsRSAAuthentication"?

>$ ssh webdv -v
>SSH Version 1.2.27 [sparc-sun-solaris2.6], protocol version 1.5.
>Standard version.  Does not use RSAREF.
>scrim: Reading configuration data /usr/users/ilya/.ssh/config
>scrim: Reading configuration data /etc/ssh_config

I think you need to compile with RSA. Unfortunately, there is a patent on this
in the US. Fortunately, the patent expires next year.

I would *NEVER* suggest that someone ignore the patent issues, compile and
install the software, and send RSA an anonymous check since they refuse (by
ignoring requests and questions) to deal with small licenses for small sites.

>scrim: Encryption type: idea
>scrim: Sent encrypted session key.
>scrim: Installing crc compensation attack detector.
>scrim: Received encrypted confirmation.
>scrim: Remote: Server does not permit empty password login.
>scrim: Trying rhosts or /etc/hosts.equiv with RSA host authentication.
>scrim: Remote: Rhosts/hosts.equiv authentication refused: client user 'ilya', server user 'ilya', client host
>scrim: Server refused our rhosts authentication or host key.
>scrim: No agent.
>scrim: Doing password authentication.


You *HAVE* generated a local identity key, used SSH to log into the remote
site to establish the key in "~/.ssh/known_hosts", and put an entry in
~/.shosts for

        localhostname   username

Right?

--

                        Nico Kadel-Garcia

 
 
 


Post by Steev » Thu, 09 Dec 1999 04:00:00




> >>$ ssh webdv -v
> >>SSH Version 1.2.27 [sparc-sun-solaris2.6], protocol version 1.5.
> >>Standard version.  Does not use RSAREF.
> >>scrim: Reading configuration data /usr/users/ilya/.ssh/config
> >>scrim: Reading configuration data /etc/ssh_config

> > I think you need to compile with RSA. Unfortunately, there is a patent on this
> > in the US. Fortunately, the patent expires next year.

> I am not sure if RSA has anything to do with the matter.  It would be nice to
> have RSA encryption, that's for sure.

> > You *HAVE* generated a local identity key,

> Correct, I ran ssh-keygen.

> > used SSH to log into the remote site to establish the key in
> > "~/.ssh/known_hosts", and put an entry in ~/.shosts for

> >       localhostname   username

> > Right?

> Yes, I've done all of that. It still refuses to authenticate.

Does the other end have the source host in its known_hosts
file?  Try to use slogin to return to the fully qualified
hostname (including domain).

--
:wq

 
 
 


Post by Monty Wall » Thu, 09 Dec 1999 04:00:00


[snip]

ok, I have a working setup for no-password rsa machine authenticated
logon:

You need:

/etc/hosts.equiv for non-root logins
for root or specific individual logins ~/.rhosts
should contain your permitted host names.
(note: make sure rsh, rexec, and friends are disabled...)

-sshd_config should have

RhostsAuthentication no
RhostsRSAAuthentication yes
RSAAuthentication yes
PasswordAuthentication yes

-ssh_config should have

RhostsAuthentication no
RSAAuthentication yes
RhostsRSAAuthentication yes
PasswordAuthentication yes
UseRsh no
FallBackToRsh no

ssh_known_hosts should contain the
host public keys of the allowed machines

--

-       MIS, Oklahoma Tax Commission
-
- My opinions are my own, my employer knows nothing about it.

 
 
 


Post by ra.. » Fri, 10 Dec 1999 04:00:00



>Does the other end have the source host in its known_hosts
>file?  Try to use slogin to return to the fully qualified
>hostname (including domain).

Good point! Also, you need to be sure that the real hostname and/or
IP addresses are stored, not just a single alias for each machine. If
reverse DNS is not set up for your machine, for example, the known_hosts
entries may be searched for on a basis other than the normally used
hostname when you type "ssh remotehost".

--

                        Nico Kadel-Garcia

 
 
 


Post by Vincent Zweij » Sat, 11 Dec 1999 04:00:00


 * Followups to comp.security.ssh


||  Also, here is the log of the session:
||  What do I need to do to get "RhostsRSAAuthentication"?
||
||  $ ssh webdv -v
||  SSH Version 1.2.27 [sparc-sun-solaris2.6], protocol version 1.5.
||  Standard version.  Does not use RSAREF.
||  scrim: Reading configuration data /usr/users/ilya/.ssh/config
||  scrim: Reading configuration data /etc/ssh_config
||  scrim: ssh_connect: getuid 1005 geteuid 0 anon 0
||  scrim: Connecting to webdv port 22.
||  scrim: Allocated local port 1022.
||  scrim: Connection established.
||  scrim: Remote protocol version 1.5, remote software version 1.2.27
||  scrim: Waiting for server public key.
||  scrim: Received server public key (768 bits) and host key (1024 bits).
||  scrim: Host 'webdv' is known and matches the host key.
||  scrim: Initializing random; seed file /usr/users/ilya/.ssh/random_seed
||  scrim: Encryption type: idea
||  scrim: Sent encrypted session key.
||  scrim: Installing crc compensation attack detector.
||  scrim: Received encrypted confirmation.
||  scrim: Remote: Server does not permit empty password login.
||  scrim: Trying rhosts or /etc/hosts.equiv with RSA host authentication.
||  scrim: Remote: Rhosts/hosts.equiv authentication refused: client user 'ilya', server user 'ilya', client host
                                                                                                      ^^^^^^^^^^^
||  scrim: Server refused our rhosts authentication or host key.
||  scrim: No agent.
||  scrim: Doing password authentication.

Your server doesn't seem to know the client host name.  What's in sshd's
logs on the server?  Maybe that can cast some light on what's going on.

This is what my sshd logs for RhostsRSAAuthentication:


    Dec  9 05:28:09 love sshd[23942]: log: Connection from <remoteaddress> port 1022
    Dec  9 05:28:10 love sshd[23942]: debug: Client protocol version 1.5; client software version 1.2.26
    Dec  9 05:28:10 love sshd[23942]: debug: Sent 768 bit public key and 1024 bit host key.
    Dec  9 05:28:13 love sshd[23942]: debug: Encryption type: idea
    Dec  9 05:28:14 love sshd[23942]: debug: Received session key; encryption turned on.
    Dec  9 05:28:17 love sshd[23942]: debug: Installing crc compensation attack detector.
    Dec  9 05:28:20 love sshd[23942]: debug: Attempting authentication for <localuser>.
    Dec  9 05:28:21 love sshd[23942]: debug: Trying rhosts with RSA host authentication for <remoteuser>
    Dec  9 05:28:23 love sshd[23942]: debug: Rhosts RSA authentication: canonical host <remotehost>
                                                                                       ^^^^^^^^^^^^
    Dec  9 05:28:25 love sshd[23942]: log: Rhosts with RSA host authentication accepted for <localuser>, <remoteuser> on <remotehost>.

It seems sshd really wants the canonical client host name.  Are you sure
DNS is working right from the server's side?  And that reverse DNS is
actually set up for the client address?

Good luck.                                                      Vincent.
--

<http://www.xs4all.nl/~zweije/>      | don't read, does anybody get burnt?"
[Xhost should be taken out and shot] |            -- Paul Tomblin on a.s.r.
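
The check the replies above converge on, as an added example that is not part of the original thread: the canonical client name that sshd logs must be the name listed in .shosts or hosts.equiv and the name carrying the host key in known_hosts. The function names and the sample data (client.example.com, the key digits) are constructed; it assumes the same user name on both ends, as in the posted log, and handles only plain "hostname [username]" entries and exact host names.

```python
import re

# Constructed sample data (not from the thread): sshd resolved the client to
# its canonical name, but .shosts lists only the short alias.
SAMPLE_LOG = ("Dec  9 05:28:23 love sshd[23942]: debug: "
              "Rhosts RSA authentication: canonical host client.example.com")
SAMPLE_SHOSTS = "# alias only\nclient ilya\n"
SAMPLE_KNOWN_HOSTS = "client,client.example.com 1024 35 1234567890 constructed\n"

CANON_RE = re.compile(r"Rhosts RSA authentication: canonical host (\S+)")

def canonical_host(sshd_log):
    """Name sshd resolved for the client, or None if no such debug line."""
    m = CANON_RE.search(sshd_log)
    return m.group(1).lower() if m else None

def shosts_allows(text, host, user):
    """Match plain 'hostname [username]' lines; +/- entries are skipped."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields or fields[0][0] in "+-":
            continue
        if fields[0].lower() == host and (len(fields) == 1 or fields[1] == user):
            return True
    return False

def known_hosts_has(text, host):
    """SSH1 line: 'name[,name...] bits exponent modulus [comment]'."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and not line.startswith("#"):
            if host in (n.lower() for n in fields[0].split(",")):
                return True
    return False

def diagnose(sshd_log, shosts, known_hosts, user):
    """List reasons RhostsRSAAuthentication would be refused for this client."""
    host = canonical_host(sshd_log)
    if host is None:
        return ["sshd logged no canonical host: check reverse DNS for the client"]
    problems = []
    if not shosts_allows(shosts, host, user):
        problems.append(f"{host}: no .shosts/hosts.equiv entry for user {user}")
    if not known_hosts_has(known_hosts, host):
        problems.append(f"{host}: no host key stored under that name")
    return problems

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, SAMPLE_SHOSTS, SAMPLE_KNOWN_HOSTS, "ilya"))
```

With the sample data, the only finding is the .shosts entry: the alias "client" does not match the canonical name, while the known_hosts line lists both names.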

 
 
 

1. Password-less logins with SSH 1.2.27?

That is passwordless in the sense of "you don't need to type a
password to the remote machine".  I take it you also desire
passwordless in the sense of "you don't need to type a
passphrase in order to decrypt the private key on the local
host"?  If so, let me first echo a fragment of the ssh-keygen
man page:
       USING  GOOD,  UNGUESSABLE  PASSPHRASES  IS STRONGLY RECOM-
       MENDED.  EMPTY PASSPHRASES SHOULD NOT BE USED  UNLESS  YOU
       UNDERSTAND WHAT YOU ARE DOING.

Okay, that said: did you set "BatchMode" to "yes" in either the
/etc/ssh_config or the $HOME/.ssh/config file?  You also need to
specify to ssh-keygen that the private key is to be stored
unencrypted, by specifying an empty passphrase (whether on
initial key generation or at a later time using the -p option;
either interactively or as an argument to the -N option).

(I am also assuming that by "exchanged public keys" you mean that
you stored the proper keys in the appropriate /etc/ssh_known_hosts
and/or $HOME/.ssh/known_hosts files.)

                --Ken Pizzini
