[techtalk] OpenSSH Trusted Host Setup Question

Pete Durst pdurst at bigfoot.com
Wed May 23 06:38:50 EST 2001


Hi again,

I tried your suggestions, but have not had any success.  I generated the 
keys on each system, and collected them into one file, and then put that as 
/etc/ssh_known_hosts on all systems.  Then I modified the 
/etc/ssh/sshd_config to allow for the sshd to use the file, and I still 
cannot get it to work.  I did a verbose output, and it didn't help much.  Here 
is a sample, in case it might help:

[root@linus /root]# slogin -v ipc
OpenSSH_2.5.2p2, SSH protocols 1.5/2.0, OpenSSL 0x0090581f
debug1: Seeding random number generator
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: getuid 0 geteuid 0 anon 1
debug1: Connecting to ipc [10.1.1.202] port 22.
debug1: Connection established.
debug1: identity file /root/.ssh/identity type 0
debug1: unknown identity file /root/.ssh/id_rsa
debug1: identity file /root/.ssh/id_rsa type -1
debug1: unknown identity file /root/.ssh/id_dsa
debug1: identity file /root/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_2.5.2p2
debug1: match: OpenSSH_2.5.2p2 pat ^OpenSSH
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_2.5.2p2
debug1: send KEXINIT
debug1: done
debug1: wait KEXINIT
debug1: got kexinit: 
diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug1: got kexinit: ssh-rsa,ssh-dss
debug1: got kexinit: 
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se
debug1: got kexinit: 
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se
debug1: got kexinit: 
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug1: got kexinit: 
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug1: got kexinit: none,zlib
debug1: got kexinit: none,zlib
debug1: got kexinit:
debug1: got kexinit:
debug1: first kex follow: 0
debug1: reserved: 0
debug1: done
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: Sending SSH2_MSG_KEX_DH_GEX_REQUEST.
debug1: Wait SSH2_MSG_KEX_DH_GEX_GROUP.
debug1: Got SSH2_MSG_KEX_DH_GEX_GROUP.
debug1: dh_gen_key: priv key bits set: 139/256
debug1: bits set: 1015/2049
debug1: Sending SSH2_MSG_KEX_DH_GEX_INIT.
debug1: Wait SSH2_MSG_KEX_DH_GEX_REPLY.
debug1: Got SSH2_MSG_KEXDH_REPLY.
debug1: Host 'ipc' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts2:3
debug1: bits set: 1038/2049
debug1: ssh_rsa_verify: signature correct
debug1: Wait SSH2_MSG_NEWKEYS.
debug1: GOT SSH2_MSG_NEWKEYS.
debug1: send SSH2_MSG_NEWKEYS.
debug1: done: send SSH2_MSG_NEWKEYS.
debug1: done: KEX2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password
debug1: next auth method to try is publickey
debug1: try privkey: /root/.ssh/id_rsa
debug1: try privkey: /root/.ssh/id_dsa
debug1: next auth method to try is password
root@ipc's password:
debug1: ssh-userauth2 successful: method password
debug1: channel 0: new [client-session]
debug1: send channel open 0
debug1: Entering interactive session.
debug1: client_init id 0 arg 0
debug1: channel request 0: shell
debug1: channel 0: open confirm rwindow 0 rmax 16384
Last login: Tue May 22 18:54:17 2001 from ipc.plsoft.org
[root@ipc /root]#

Hoping that will help....  Thanks a bunch!

Pete


At 08:57 PM 22/05/2001 +0100, you wrote:
>On Tue, May 22, 2001 at 01:13:10PM +1200 or so it is rumoured hereabouts,
>Mark Foster thought:
> > As far as I'm aware, OpenSSH2 uses /etc/hosts.allow ?
> >
> > [blakjak at phoenix blakjak]$ telnet localhost 22
> > Trying 127.0.0.1...
> > Connected to phoenix.
> > Escape character is '^]'.
> > SSH-1.99-OpenSSH_2.3.0p1
> >
> > Other than that, check out the config files in /etc/ssh ?
>
>Or you could look at using /etc/ssh_known_hosts and
>$HOME/.ssh/authorized_keys  These files contain the public keys for the
>hosts and users who are allowed to connect without passwords.
>
>for example...
>
>host foo        users tim, john
>host bar        users tim, john
>
>in foo:/etc/ssh_known_hosts you have the public host key for bar
>in foo:/home/tim/.ssh/authorized_keys you have the public key for tim@bar
>
>in bar:/etc/ssh_known_hosts you have the public host key for foo
>in bar:/home/tim/.ssh/authorized_keys you have the public key for tim@foo
>
>for each host on your network, /etc/ssh_known_hosts contains the public
>host keys for all the other hosts.
>
>For each user on your network, $HOME/.ssh/authorized_keys contains the
>user's public key which can be the same on all machines on your network or
>can be different.
>
>The easiest way to get this going is to use ssh-keygen on each host to
>generate the host key.  When you have all host keys generated, copy *all*
>of the .pub keys to a /etc/ssh_known_hosts file on one host.  Then copy
>this file to all machines in your network.
>
>For each user, use ssh-keygen to create *one* key pair.  Copy the .pub
>key to $HOME/.ssh/authorized_keys  Now copy the .ssh *directory* including
>the authorized_keys file to the user's home directory on *all* hosts.
>
>If you wish to use DSA keys rather than RSA, use ssh-keygen -d to create
>the keys and use the filenames ssh_known_hosts2 and authorized_keys2
>
>I *think* that'll do it...
>
>Conor
>--
>Conor Daly <conor.daly at oceanfree.net>
>
>Domestic Sysadmin :-)
>---------------------
>Faenor.cod.ie
>   8:35pm  up 3 days,  8:43,  0 users,  load average: 0.08, 0.02, 0.01
>Hobbiton.cod.ie
>   8:36pm  up 2 days,  9:37,  2 users,  load average: 0.00, 0.00, 0.00
>
>_______________________________________________
>techtalk mailing list
>techtalk at linuxchix.org
>http://www.linux.org.uk/mailman/listinfo/techtalk

==============================================
Pete Durst

Sun Certified System Administrator
Sun Certified Network Administrator
Sun Certified Instructor
Advanced UNIX Instructor

Pete.Durst at learnix.com

Learnix, a division of TMI
2650 Queensview Drive
Suite 160, Ottawa, Ontario
K2B 8H6

Tel: (613)828-5007 ext. 4313
Fax: (613)721-0599

http://www.learnix.com

==============================================
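An added example, written by the editor and not part of either message above. It does two things the thread circles around: it reads an `ssh -v` transcript of the kind Pete posted and reports, from the lines the client itself prints, why the session ended at a password prompt (the transcript shows `identity file /root/.ssh/id_rsa type -1`, `authentications that can continue: publickey,password` and `successful: method password`), and it turns the contents of a host's `ssh_host_*_key.pub` file into the `hostname,ip keytype key` line that `/etc/ssh_known_hosts` expects, which is the step Conor's procedure describes as copying the .pub keys into one file. The sample log is an excerpt of the transcript above; the .pub file contents in the assertions are constructed, not real keys. The interpretation of `type 0` as a protocol 1 RSA key and `type -1` as "file not found" is the OpenSSH 2.5 client's numbering, stated here as the author's reading of that version.

```python
"""Diagnose an OpenSSH `ssh -v` transcript and build ssh_known_hosts lines.
Added example for the mailing-list thread; not code from the thread."""
import re

# Excerpt of the debug output posted in the thread (trimmed to the
# lines that matter for "why did I get a password prompt?").
SAMPLE_LOG = """\
debug1: identity file /root/.ssh/identity type 0
debug1: unknown identity file /root/.ssh/id_rsa
debug1: identity file /root/.ssh/id_rsa type -1
debug1: unknown identity file /root/.ssh/id_dsa
debug1: identity file /root/.ssh/id_dsa type -1
debug1: Host 'ipc' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts2:3
debug1: authentications that can continue: publickey,password
debug1: next auth method to try is publickey
debug1: try privkey: /root/.ssh/id_rsa
debug1: try privkey: /root/.ssh/id_dsa
debug1: next auth method to try is password
debug1: ssh-userauth2 successful: method password
"""

# Key-file type codes as printed by the OpenSSH 2.5 client (author's
# reading of that version): -1 = file not found, 0 = protocol 1 RSA key,
# anything else = a protocol 2 key usable for "publickey".
RSA1_TYPE, MISSING_TYPE = 0, -1


def diagnose(log):
    """Return a report dict built only from what the client printed."""
    report = {"host_key_verified": False, "known_hosts_hit": None,
              "missing_identities": [], "proto2_identities": [],
              "proto1_identities": [], "offered_methods": [],
              "method_used": None, "findings": []}
    for line in log.splitlines():
        m = re.match(r"debug1: identity file (\S+) type (-?\d+)$", line)
        if m:
            path, kind = m.group(1), int(m.group(2))
            bucket = ("missing_identities" if kind == MISSING_TYPE else
                      "proto1_identities" if kind == RSA1_TYPE else
                      "proto2_identities")
            report[bucket].append(path)
            continue
        if "is known and matches" in line:
            report["host_key_verified"] = True
        m = re.match(r"debug1: Found key in (\S+)", line)
        if m:
            report["known_hosts_hit"] = m.group(1)
        m = re.match(r"debug1: authentications that can continue: (\S+)", line)
        if m:
            report["offered_methods"] = m.group(1).split(",")
        m = re.match(r"debug1: ssh-userauth2 successful: method (\S+)", line)
        if m:
            report["method_used"] = m.group(1)

    if report["method_used"] == "password":
        if "hostbased" not in report["offered_methods"]:
            report["findings"].append(
                "server did not offer hostbased auth: ssh_known_hosts alone "
                "cannot give passwordless login; the server must enable "
                "HostbasedAuthentication or authorized_keys must be used")
        if not report["proto2_identities"]:
            report["findings"].append(
                "client has no protocol 2 user key (id_rsa/id_dsa missing); "
                "publickey cannot succeed until one is generated and its .pub "
                "is appended to the remote authorized_keys")
    return report


def known_hosts_line(hostname, ip, pub_file_text):
    """Convert one ssh_host_*_key.pub ("type base64 comment", or
    "bits exponent modulus comment" for protocol 1) into the
    "hostname,ip ..." form ssh_known_hosts expects. A bare .pub file
    carries no host name, so copying it verbatim yields unmatched lines."""
    fields = pub_file_text.split()
    if len(fields) >= 2 and fields[0].startswith("ssh-"):
        return f"{hostname},{ip} {fields[0]} {fields[1]}"
    if len(fields) >= 3 and all(f.isdigit() for f in fields[:3]):
        return f"{hostname},{ip} {fields[0]} {fields[1]} {fields[2]}"
    raise ValueError("not a recognised public host key file: %r" % pub_file_text)


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG)["findings"]:
        print("-", finding)
```

Run against the transcript above, the report says the host key check passed (so the known_hosts2 work did take effect) but the server offered only `publickey,password`, and the client had no protocol 2 user key to offer, which is why it fell through to a password.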
