LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 04-28-2011, 05:54 AM   #61
Reuti
Senior Member
 
Registered: Dec 2004
Location: Marburg, Germany
Distribution: openSUSE 15.0
Posts: 1,337

Rep: Reputation: 259Reputation: 259Reputation: 259

I wouldn’t trust the ouptut as it uses hard coded TCP/IP addresses, and even if you changed the TCP/IP address, you faced already a connection problem before and the script doesn’t distinguish between errors. Maybe it’s even working despite the message.

As I asked: did you check the server’s /etc/ssh/ssh_known_host file? The error you face points to a not accepted key.
 
Old 04-28-2011, 06:00 AM   #62
mahmoodn
Member
 
Registered: May 2010
Posts: 426

Original Poster
Rep: Reputation: 16
On the server
Code:
mahmood@server:~$ cat /etc/ssh/ssh_known_hosts
client,192.168.1.3 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA9Mi0TEUzMLJ1i2gascvkXilTE2g3BIYKcs6qIcFXa7w8GB+LN6GoH3uJ+0PujwQVdzO4B8qpQ+ClM9uwYxo61x9bIYh/nwqaVqJrI5VOtbzlzXPCs0SWeDAjVTJzTcX3Pk+D10lfqLDL2jLblzZD7yJpm0Elb8tuF4ISMeFaKP6MeG4m+Ygl+zbcvYzpvqtTpQSmM2u9SIEW+Cg62VuMw7xkrXqNg671ewdc53SvCQM8PysJCRUNDPcy1nKA4chhq/HDuyvpKVaPrFWugaoKGWkAz3Y0Ny6Xge4O3EJsclbuQt3AY6oXPsOkyBMm3QRU+I4Tjl7TCm0EjS+B8QXTEQ==
mahmood@server:~$
and from the client:
Code:
debug1: Authentications that can continue: publickey,password,hostbased
debug2: userauth_hostbased: chost client.
debug2: ssh_keysign called
debug3: ssh_msg_send: type 2
debug3: ssh_msg_recv entering
debug1: permanently_drop_suid: 1000
debug2: we sent a hostbased packet, wait for reply
debug3: Wrote 672 bytes for a total of 2407
debug1: Authentications that can continue: publickey,password,hostbased
debug1: No more client hostkeys for hostbased authentication.
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/mahmood/.ssh/identity
debug3: no such identity: /home/mahmood/.ssh/identity
debug1: Trying private key: /home/mahmood/.ssh/id_rsa
debug3: no such identity: /home/mahmood/.ssh/id_rsa
debug1: Trying private key: /home/mahmood/.ssh/id_dsa
debug3: no such identity: /home/mahmood/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
mahmood@server's password:
All the problem is
Code:
debug1: Authentications that can continue: publickey,password,hostbased
debug1: No more client hostkeys for hostbased authentication.
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
For unknown reason it ignores hostbased

UPDATE:
At this page https://www.cs.uwaterloo.ca/twiki/vi...Authentication it is sated:
"No more client hostkeys for hostbased authentication" suggests that either end of the connection was having trouble looking up the reverse IP of the client and matching it against the key.

but I don't know what to do

Last edited by mahmoodn; 04-28-2011 at 06:04 AM.
 
Old 04-28-2011, 06:30 AM   #63
Reuti
Senior Member
 
Registered: Dec 2004
Location: Marburg, Germany
Distribution: openSUSE 15.0
Posts: 1,337

Rep: Reputation: 259Reputation: 259Reputation: 259
When I look in the source all tests failed with "No more client hostkeys for hostbased authentication."

And this key is from the client /etc/ssh/ssh_host_rsa_key.pub?
 
Old 04-28-2011, 06:32 AM   #64
mahmoodn
Member
 
Registered: May 2010
Posts: 426

Original Poster
Rep: Reputation: 16
Code:
mahmood@server:~$ cat /etc/ssh/ssh_host_rsa_key.pub
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuBCfN+TMtNok1WezSr7aj7LqFm01NAlITGgLBRN4juwa01yfj+lbqkPaWQZg9bHUyH5iBge7HqjM0eFf0a8KRxL0yYB3nfcWJebWJ+XuEBIRPTAoZkJdsi26omY8fStN8p1fzqXsgVNCnrY8k16zTXMltcN+MNPG7x9nutZQu9uvNIteshthRLJyD34KzOIqf4anW1A2MRfGkQUJEc9Kwg/l6FYRSS2Y6irAaQq3dgO7hlwnesdXNJZRPeI1JmaxT20NVgWbZn4gbozuxrj21gFXKLJTioTy1FtKleY9mjPlCSyRBZJGw1MKfKtvhmSfyno8fvPV35iB0m+LMRYI/Q== root@server
mahmood@server:~$
What does root@server doing here? is that ok?

Last edited by mahmoodn; 04-28-2011 at 06:33 AM.
 
Old 04-28-2011, 06:38 AM   #65
Reuti
Senior Member
 
Registered: Dec 2004
Location: Marburg, Germany
Distribution: openSUSE 15.0
Posts: 1,337

Rep: Reputation: 259Reputation: 259Reputation: 259
Client - not server.
 
Old 04-28-2011, 06:40 AM   #66
mahmoodn
Member
 
Registered: May 2010
Posts: 426

Original Poster
Rep: Reputation: 16
Code:
mahmood@client:~$ cat /etc/ssh/ssh_host_rsa_key.pub
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA9Mi0TEUzMLJ1i2gascvkXilTE2g3BIYKcs6qIcFXa7w8GB+LN6GoH3uJ+0PujwQVdzO4B8qpQ+ClM9uwYxo61x9bIYh/nwqaVqJrI5VOtbzlzXPCs0SWeDAjVTJzTcX3Pk+D10lfqLDL2jLblzZD7yJpm0Elb8tuF4ISMeFaKP6MeG4m+Ygl+zbcvYzpvqtTpQSmM2u9SIEW+Cg62VuMw7xkrXqNg671ewdc53SvCQM8PysJCRUNDPcy1nKA4chhq/HDuyvpKVaPrFWugaoKGWkAz3Y0Ny6Xge4O3EJsclbuQt3AY6oXPsOkyBMm3QRU+I4Tjl7TCm0EjS+B8QXTEQ== root@server
mahmood@client:~$
Again root@server is there. Shouldn't be mahmood@server?
 
Old 04-28-2011, 06:45 AM   #67
Reuti
Senior Member
 
Registered: Dec 2004
Location: Marburg, Germany
Distribution: openSUSE 15.0
Posts: 1,337

Rep: Reputation: 259Reputation: 259Reputation: 259
And "client" is the only name - no client.local or anything else in /etc/hosts on any of the machines?
 
Old 04-28-2011, 06:49 AM   #68
EricTRA
LQ Guru
 
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 20 with Awesome WM
Posts: 6,805
Blog Entries: 1

Rep: Reputation: 1296Reputation: 1296Reputation: 1296Reputation: 1296Reputation: 1296Reputation: 1296Reputation: 1296Reputation: 1296Reputation: 1296
Hello,

Deactivate reverse lookup and try again to eliminate that possibility by putting (uncommenting if exists) the following:
Code:
UseDns no
VerifyReverseMapping No
then restart SSH and try again.

Kind regards,

Eric
 
Old 04-28-2011, 06:50 AM   #69
mahmoodn
Member
 
Registered: May 2010
Posts: 426

Original Poster
Rep: Reputation: 16
On server:
Code:
mahmood@server:blackscholes$ cat /etc/hosts
127.0.0.1       localhost     localhost,server
124.22.69.105  server
192.168.1.3     client

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

mahmood@server:~$ sudo find / -name "client.local"
mahmood@server:~$
on client:
Code:
mahmood@client:~$ cat /etc/hosts
127.0.0.1 localhost
192.168.1.1 server
192.168.1.3 client
Can you explain what is the problem exactly? what is going on while client want to ssh to server? If I want to do that from scratch, which files should i delete (*.pub, ssh_nown_hosts, ....)??

Quote:
Deactivate reverse lookup and try again to eliminate that possibility by putting (uncommenting if exists) the following
in ssh_config or sshd_config?

Last edited by mahmoodn; 04-28-2011 at 06:52 AM.
 
Old 04-28-2011, 06:56 AM   #70
Reuti
Senior Member
 
Registered: Dec 2004
Location: Marburg, Germany
Distribution: openSUSE 15.0
Posts: 1,337

Rep: Reputation: 259Reputation: 259Reputation: 259
What’s that:
Quote:
127.0.0.1 localhost localhost,server
124.22.69.105 server

192.168.1.1 server
The server should have one address.
 
1 members found this post helpful.
Old 04-28-2011, 06:57 AM   #71
EricTRA
LQ Guru
 
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 20 with Awesome WM
Posts: 6,805
Blog Entries: 1

Rep: Reputation: 1296Reputation: 1296Reputation: 1296Reputation: 1296Reputation: 1296Reputation: 1296Reputation: 1296Reputation: 1296Reputation: 1296
Quote:
Originally Posted by mahmoodn View Post
in ssh_config or sshd_config?
Hi,

Sorry, in sshd_config, so if you have one way set up then on the server side. If you have bidirectional setup then on both machines. No guarantee it will work but it will deactivate reverse lookup so you will be able to see if anything else might be wrong.

Kind regards,

Eric
 
Old 04-28-2011, 07:01 AM   #72
mahmoodn
Member
 
Registered: May 2010
Posts: 426

Original Poster
Rep: Reputation: 16
Quote:
The server should have one address
server has two network interface. 124.22.69.105 is used to connect to internet while 192.168.1.1 is used inside cluster

Quote:
Sorry, in sshd_config
Code:
mahmood@server:~$ cat  /etc/ssh/sshd_config | grep "UseDns"
UseDns no
mahmood@server:~$ cat  /etc/ssh/sshd_config | grep "VerifyReverseMapping "
VerifyReverseMapping No
mahmood@server:~$ sudo service ssh restart
ssh start/running, process 12934
an on the client:
Code:
mahmood@client:~$ sudo service ssh restart
ssh start/running, process 2176

mahmood@client:~$ ssh -vvv server
debug1: Authentications that can continue: publickey,password,hostbased
debug1: No more client hostkeys for hostbased authentication.
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/mahmood/.ssh/identity
debug3: no such identity: /home/mahmood/.ssh/identity
debug1: Trying private key: /home/mahmood/.ssh/id_rsa
debug3: no such identity: /home/mahmood/.ssh/id_rsa
debug1: Trying private key: /home/mahmood/.ssh/id_dsa
debug3: no such identity: /home/mahmood/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
mahmood@server's password:
 
Old 04-28-2011, 09:12 AM   #73
mahmoodn
Member
 
Registered: May 2010
Posts: 426

Original Poster
Rep: Reputation: 16
I found the solution. Thanks to "Sharad" who point that on openssh mailing list.

Here is the procedure from one way passwordless ssh from client to server (or hostbased authentication). I will complete the procedure for bidirectional later.
1- Assumptions
1.1 server has two NIC, one for internet connection and the other for inside the cluster (192.168.X.X)
Code:
mahmood@server:~$ cat /etc/hosts
127.0.0.1       localhost     localhost,server
19.215.39.105  server
192.168.1.3     client

mahmood@client:~$ cat /etc/hosts
127.0.0.1 localhost
192.168.1.1 server
192.168.1.3 client
1.2 remove /etc/ssh/ssh_known_hosts if any.
1.3 remove ~/.ssh/* if there are any file

2- On the server, edit /etc/ssh/sshd_config and ensure two variables are set to:
Code:
IgnoreRhosts no
HostbasedAuthentication yes
3- on the client, edit /etc/ssh/ssh_config and ensure two variables are set to:
Code:
 
HostbasedAuthentication yes
EnableSSHKeysign yes
4- create a file on server (home directory of user) named .shosts that contain:
Code:
client.domain mahmood
192.168.1.3 mahmood
client mahmood
5- on the server, run "ssh-keyscan client" and add the output to ~/.ssh/known_hosts (note that hostname, ip address, and ipaddress+domainname are added to the beginning of the string. then chmod ".ssh" directory to 700
Code:
mahmood@server:~$ ls -l .ssh/
total 4
-rwx------ 1 mahmood mahmood 417 2011-04-28 18:00 known_hosts
mahmood@server:~$ ls -l .ssh/known_hosts
-rwx------ 1 mahmood mahmood 417 2011-04-28 18:00 .ssh/known_hosts
mahmood@server:~$ cat .ssh/known_hosts
192.168.1.3,client,client.domain ssh-rsa AAAAB.....
mahmood@server:~$
6- on the server, run "ssh-keyscan 192.168.1.1" and add the output to ~/.ssh/known_hosts (note that hostname, ip address, and ipaddress+domainname are added to the beginning of the string. then chmod ".ssh" directory to 700
IMPOTANT NOTE: DONOT USE "SERVER" IN "ssh-keyscan" SINCE THERE ARE TWO ENTRY IN /etc/hosts. IT IS SAFE TO USE THE IP ADDRESS DIRECTLY.

@EricTRA and Reuti: I think that is the trick.... previously I used "server" and it was not clear whether the 192.168.1.1 was used or the valid IP.
Code:
mahmood@client:~$ ls -l .ssh/
total 4
-rwx------ 1 mahmood mahmood 411 Apr 28  2011 known_hosts
mahmood@client:~$ ls -l .ssh/known_hosts
-rwx------ 1 mahmood mahmood 411 Apr 28  2011 .ssh/known_hosts
mahmood@client:~$ cat .ssh/known_hosts
192.168.1.1,server,server.domain ssh-rsa AAAAB3NzaC....
mahmood@client:~$
7- restart ssh service on both server and client:
Code:
mahmood@client:~$ sudo service ssh restart
ssh start/running, process 2223

mahmood@server:~$ sudo service ssh restart
ssh start/running, process 22622
FINISHED. You can now ssh from client to server without password
Code:
mahmood@client:~$ ssh 192.168.1.1
Linux server 2.6.32-24-server #39-Ubuntu SMP Wed Jul 28 06:21:40 UTC 2010 x86_64 GNU/Linux
Ubuntu 10.04.1 LTS

Welcome to the Ubuntu Server!
.....
.....
103 packages can be updated.
54 updates are security updates.

Last login: Thu Apr 28 16:26:05 2011 from 192.168.1.3
mahmood@server:~$
I will state the procedure for bidirectional hostbased ssh (without password) later.

Last edited by mahmoodn; 04-28-2011 at 09:17 AM.
 
Old 04-28-2011, 09:23 AM   #74
EricTRA
LQ Guru
 
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 20 with Awesome WM
Posts: 6,805
Blog Entries: 1

Rep: Reputation: 1296Reputation: 1296Reputation: 1296Reputation: 1296Reputation: 1296Reputation: 1296Reputation: 1296Reputation: 1296Reputation: 1296
Hi,

Great you got it fixed! Looking forward to your update once you get bidirectional functioning.

Kind regards,

Eric
 
Old 08-08-2011, 12:47 PM   #75
Reuti
Senior Member
 
Registered: Dec 2004
Location: Marburg, Germany
Distribution: openSUSE 15.0
Posts: 1,337

Rep: Reputation: 259Reputation: 259Reputation: 259
Quote:
Originally Posted by Reuti View Post
Thx. There is the error:in your output and a Google revealed at least a bug for this in openSUSE, but maybe it’s an OpenSSH issue in the end. I’ll look into it. On a newly setup machine (which has indeed openSUSE 11.4) I face exactly the same :-/.
To get hostbased authentication back in openSUSE 11.4, it’s necessary to rename or delete on the source machine of the intended connection the files:
Code:
master:/etc/ssh # mv ssh_host_ecdsa_key ssh_host_ecdsa_key.old
master:/etc/ssh # mv ssh_host_ecdsa_key.pub ssh_host_ecdsa_key.pub.old
Their presence confuses the ssh-keysign application. Then you can use the rsa keys for hostbased authentication like before.

It’s also necessary to comment the relevant lines in /etc/init.d/sshd to avoid it’s recreation during the next start of the sshd.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
ssh host (get host, get domaine) EDDY1 Linux - Newbie 9 09-11-2010 11:06 PM
ssh: connect to host .....No route to host soumyacs Linux - Newbie 5 10-27-2009 10:03 AM
try install host ; bind9-host uninstalled , how to undo sudo apt-get install host? shojaru Linux - Newbie 0 06-11-2009 12:45 AM
Fedora 10/unable to ssh out from box to remote host (SSH within LAN ok) huskeypm Linux - Networking 3 04-14-2009 07:37 PM
How to setup a host.deny and host.allow for SSH? explorer1979 Linux - Security 2 01-31-2005 05:28 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 04:31 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration