Subject: Re: [libssh2] query regarding HostBasedAuth

From: Sara Golemon <>
Date: Wed, 07 Mar 2007 08:58:31 -0800

> I need a clarification here from you all regarding the functionality of
> HostBasedAuthentication.
> 1) If the remote SFTP server admin wants to allow only Host based
> authentication, then the remote sshd_config should have
> 'HostBasedAuthentication' set to yes, and the rest set to no, like
> 'PasswordAuthentication'. But should it also need to have
> 'PubKeyAuthentication' set to yes? Because the definition of HostBased
> authentication is that it involves authenticating the client host *and*
> the client public key authentication.
> I tried setting 'HostBasedAuthentication' to yes, and rest of the two to
> no at server side sshd_config. I was not able to connect to the remote
> server, using the standard UNIX sftp utility itself. When I set the
> 'PubKeyauthentication' also to yes at server sshd_config, only then
> the sftp utility at client side was able to login.
HostBased and PublicKey auth methods are two different methods (although
they use the same underlying principles).


PublicKey:
   Client signs a one-time token with their personal private key proving
to the server that they are that specific person.

HostBased:
   Client signs a one-time token with their host-machine's private key
(which is shared by all users on that machine -- though typically owned
and only readable by root). Along with this signature, client sends a
message saying "I affirm that the user connecting to you is _____". The
server doesn't get direct confirmation that you are you, but the server
trusts your host enough to believe it.

   I suspect that you're not actually using any HostBased authentication
in your setup. More likely you have a personal private key and are only
using the PublicKey authentication method.

   Note that in both methods (and password method for that matter), the
identity of the server is always confirmed* before the authentication
stage is ever reached. (* Assuming you know the server's public key
fingerprint ahead of time and validate that)

> 2) Is the list of supported authentication methods, which libssh2
> library receives from the remote SFTP server, generated on basis of
> which all auth methods are set to yes in sshd_config?


libssh2-devel mailing list
Received on 2007-03-07
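
The difference between the two methods described in the reply above is visible in the data the client signs. This added example (not part of the original message and not libssh2 code) builds both blobs using the field layout from RFC 4252 sections 7 and 9; the function names and the `sshbuf` type are hypothetical.

```c
#include <stdint.h>
#include <string.h>

#define SSH_MSG_USERAUTH_REQUEST 50
typedef struct { uint8_t *p; size_t len, cap; int overflow; } sshbuf;

/* Bounds-checked append; after an overflow nothing more is written. */
static void put_raw(sshbuf *b, const void *s, size_t n) {
    if (b->overflow || n > b->cap - b->len) { b->overflow = 1; return; }
    memcpy(b->p + b->len, s, n);
    b->len += n;
}
/* SSH "string": 4-byte big-endian length, then the bytes. */
static void put_str(sshbuf *b, const void *s, size_t n) {
    uint8_t l[4] = { (uint8_t)(n >> 24), (uint8_t)(n >> 16), (uint8_t)(n >> 8), (uint8_t)n };
    put_raw(b, l, 4);
    put_raw(b, s, n);
}
/* Fields both methods sign: session id (the one-time token), type, account, service, method. */
static void put_head(sshbuf *b, const uint8_t *sid, size_t sid_len,
                     const char *user, const char *method) {
    uint8_t type = SSH_MSG_USERAUTH_REQUEST;
    put_str(b, sid, sid_len);
    put_raw(b, &type, 1);
    put_str(b, user, strlen(user));
    put_str(b, "ssh-connection", 14);
    put_str(b, method, strlen(method));
}
/* publickey: signed with the user's personal private key. Returns length, 0 on overflow. */
size_t publickey_signed_data(uint8_t *out, size_t cap, const uint8_t *sid, size_t sid_len,
        const char *user, const char *alg, const uint8_t *key, size_t key_len) {
    sshbuf b = { out, 0, cap, 0 };
    put_head(&b, sid, sid_len, user, "publickey");
    put_raw(&b, "\x01", 1);              /* boolean TRUE */
    put_str(&b, alg, strlen(alg));
    put_str(&b, key, key_len);           /* the user's public key */
    return b.overflow ? 0 : b.len;
}
/* hostbased: signed with the client host's private key; the last two fields are the
 * host vouching for which machine and which local user is connecting. */
size_t hostbased_signed_data(uint8_t *out, size_t cap, const uint8_t *sid, size_t sid_len,
        const char *user, const char *alg, const uint8_t *key, size_t key_len,
        const char *client_fqdn, const char *client_user) {
    sshbuf b = { out, 0, cap, 0 };
    put_head(&b, sid, sid_len, user, "hostbased");
    put_str(&b, alg, strlen(alg));
    put_str(&b, key, key_len);           /* the client host's public key */
    put_str(&b, client_fqdn, strlen(client_fqdn));
    put_str(&b, client_user, strlen(client_user));
    return b.overflow ? 0 : b.len;
}
```

The server verifies the publickey blob against a key it has on file for the account, and the hostbased blob against a key it has on file for the client host, which is why the hostbased blob carries the client host name and local user name.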