comp.security.ssh SSH secure remote login and tunneling tools.
#1
OK, here's the short version. I have many machines. They're all pretty close to identical. Hostbased auth works on (and between) all but one. I cannot log INTO the one where it doesn't work. I have:

* correct keys in ssh_host_*_key and ssh_host_*_key.pub
* those same keys correctly added to ssh_known_hosts (as hostname, FQDN, and IP)
* the host appearing (tried hostname, FQDN, and IP) in /etc/hosts
* the host appearing (tried hostname, FQDN, and IP) in shosts.equiv and /root/.shosts
* trying both as root and regular user
* hostbased on in both ssh_config and sshd_config

I'm running OpenSSH 3.6.1p2. There is one thing that makes this machine different from the others. The others form a private network with one acting as the gateway. This machine is just a regular machine outside that network. I would think that would make things EASIER, though. It's also possible that something has become munged in the tweaking process. I have removed and reinstalled sshd. I'm contemplating a full system reinstall, but would certainly rather not do that.

I'm including below (cleansed) snippets of the output from "sshd -d -d -d" and "ssh -vvv thehost". It's clear that hostbased is failing with "key 0x8772d40 is disallowed" but I don't know WHY. Any or other things to try would be much appreciated.

-Michael

Server:

debug1: userauth-request for user ash service ssh-connection method hostbased
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method hostbased
debug1: userauth_hostbased: cuser ash chost serv. pkalg ssh-dss slen 55
debug3: mm_key_allowed entering
debug3: mm_request_send entering: type 20
debug3: monitor_read: checking request 20
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 0x8772d40
debug2: userauth_hostbased: chost serv. resolvedname serv ipaddr 125.135.21.115
debug2: auth_rhosts2: clientuser ash hostname serv. ipaddr serv.
debug1: temporarily_use_uid: 578/578 (e=0/0)
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
debug3: mm_request_receive_expect entering: type 21
debug3: mm_request_receive entering
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 578/578 (e=0/0)
debug1: restore_uid: 0/0
debug3: mm_answer_keyallowed: key 0x8772d40 is disallowed
debug3: mm_request_send entering: type 21
debug3: mm_request_receive entering
debug2: userauth_hostbased: authenticated 0
Failed hostbased for ash from 125.135.21.115 port 33514 ssh2
debug1: userauth-request for user ash service ssh-connection method hostbased
debug1: attempt 2 failures 2
debug2: input_userauth_request: try method hostbased
debug1: userauth_hostbased: cuser ash chost serv. pkalg ssh-rsa slen 143
debug3: mm_key_allowed entering
debug3: mm_request_send entering: type 20
debug3: monitor_read: checking request 20
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 0x8772d50
debug2: userauth_hostbased: chost serv. resolvedname serv ipaddr 125.135.21.115
debug2: auth_rhosts2: clientuser ash hostname serv. ipaddr serv.
debug1: temporarily_use_uid: 578/578 (e=0/0)
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 578/578 (e=0/0)
debug1: restore_uid: 0/0
debug3: mm_answer_keyallowed: key 0x8772d50 is disallowed
debug3: mm_request_send entering: type 21
debug3: mm_request_receive entering
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
debug3: mm_request_receive_expect entering: type 21
debug3: mm_request_receive entering
debug2: userauth_hostbased: authenticated 0
Failed hostbased for ash from 125.135.21.115 port 33514 ssh2

Client:

debug1: Next authentication method: hostbased
debug2: userauth_hostbased: chost serv.
debug2: ssh_keysign called
debug3: ssh_msg_send: type 2
debug3: ssh_msg_recv entering
debug2: we sent a hostbased packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug2: userauth_hostbased: chost ocplservice.
debug2: ssh_keysign called
debug3: ssh_msg_send: type 2
debug3: ssh_msg_recv entering
debug2: we sent a hostbased packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug1: No more client hostkeys for hostbased authentication.
#2
A hostbased authentication request contains the name of the client host as supplied by the client. OpenSSH normally compares this against a reverse lookup on the client IP address, and fails authentication if they don't match. There's little point to this behavior, since the real security lies in the hostname/key match and signature verification. And it causes breakage in your situation, where many hosts are coming through a NAT gateway with the same IP address.

You can turn off the DNS check with the undocumented sshd option:

HostbasedUsesNameFromPacketOnly yes

However... this feature has a bug. OpenSSH normally strips the trailing dot from the supplied hostname. It fails to do this if this option is set, causing it to cease matching any hostnames in the known-hosts file (which of course do not have the technically-correct trailing dots). Here's a diff for fixing it:

--------------------------------------------------------------------------------
--- auth2-hostbased.c.~1.1.1.2~ 2006-10-01 00:00:03.247144000 -0400
+++ auth2-hostbased.c.~1.2~ 2006-09-30 23:58:23.255270000 -0400
@@ -142,15 +142,25 @@ debug2("userauth_hostbased: chost %s resolvedname %s ipaddr %s", chost, resolvedname, ipaddr); + /* DESCO local mod + + This stanza was mistakenly inside the following "else" clause, + with the result that setting hostbased_uses_name_from_packet_only + would actually cause hostbased authentication to cease working, + since no one has domain names with dots on the end in their + known_hosts files. + + */ + if (((len = strlen(chost)) > 0) && chost[len - 1] == '.') { + debug2("stripping trailing dot from chost %s", chost); + chost[len - 1] = '\0'; + } + if (options.hostbased_uses_name_from_packet_only) { if (auth_rhosts2(pw, cuser, chost, chost) == 0) return 0; lookup = chost; } else { - if (((len = strlen(chost)) > 0) && chost[len - 1] == '.') { - debug2("stripping trailing dot from chost %s", chost); - chost[len - 1] = '\0'; - } if (strcasecmp(resolvedname, chost) != 0) logit("userauth_hostbased mismatch: " "client sends %s, but we resolve %s to %s", -------------------------------------------------------------------------------- -- Richard Silverman res@qoxp.net |
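Review bot: hoisting the trailing-dot stanza ahead of the if (options.hostbased_uses_name_from_packet_only) branch also changes the argument that branch passes to auth_rhosts2(pw, cuser, chost, chost): the shosts.equiv/.shosts check now sees the stripped name instead of the name exactly as the client sent it, so the behaviour change is wider than the known_hosts lookup the comment describes. That is the intended outcome for this setup (those files list names without trailing dots, just like known_hosts), but the comment should say the strip now applies to both the rhosts check and the known_hosts lookup, and a one-line comment without the "DESCO local mod" banner would be easier to carry upstream or to the next OpenSSH version.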
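The name handling Richard describes (the reverse-DNS comparison, the trailing-dot strip that the patch moves ahead of the HostbasedUsesNameFromPacketOnly branch, and the known_hosts lookup) modelled in Python as an added example; this is not OpenSSH code and not part of the thread, and the known-hosts entries, host names, addresses and key strings are constructed.

```python
# Added illustration of the userauth_hostbased() name handling discussed
# in the reply above; it is not OpenSSH code. The known-hosts text, names,
# addresses and key strings below are constructed for the example.

KNOWN_HOSTS = """\
serv,serv.example.org,10.0.0.5 ssh-rsa AAAAB3-constructed-key-serv
gw,gw.example.org,10.0.0.1 ssh-rsa AAAAB3-constructed-key-gw
"""

def parse_known_hosts(text):
    """Map every hostname/IP pattern on a line to its (type, key) pair."""
    table = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        patterns, keytype, keydata = line.split(None, 2)
        for name in patterns.split(","):
            table[name] = (keytype, keydata.strip())
    return table

def strip_trailing_dot(chost):
    """The stanza the patch hoists out of the else branch."""
    return chost[:-1] if chost.endswith(".") else chost

def lookup_name(chost, resolvedname, name_from_packet_only, patched):
    """Return the name sshd looks up in known_hosts, or None when the
    request is refused first because client name and reverse DNS differ."""
    if patched:                      # patched: strip before the branch
        chost = strip_trailing_dot(chost)
    if name_from_packet_only:        # HostbasedUsesNameFromPacketOnly yes
        return chost                 # unpatched: the trailing dot survives
    if not patched:                  # old code stripped only in this branch
        chost = strip_trailing_dot(chost)
    if resolvedname.lower() != chost.lower():
        return None                  # logged as "userauth_hostbased mismatch"
    return chost

def key_allowed(chost, resolvedname, client_key, name_from_packet_only,
                patched, known_hosts=KNOWN_HOSTS):
    """True when the client host key is the one listed for the looked-up name."""
    name = lookup_name(chost, resolvedname, name_from_packet_only, patched)
    if name is None:
        return False
    return parse_known_hosts(known_hosts).get(name) == client_key
```

With the option set and the unpatched code, "serv." is looked up verbatim and never matches the "serv" entry, which is the "key ... is disallowed" failure; the patched path and the default DNS-checking path both match.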