hostbased: key xxxx is disallowed - why?

I'm trying to use hostbased authentication between two Suse 8.0/8.1
machines with OpenSSH (OpenSSH_3.4p1, patched with all Suse security
patches). It doesn't work in any direction, I get the same error from both.

I'm getting a "no more client keys" with ssh -v from the first try until
now. I changed several settings, worked along the lines of the snailbook,
checked latest man pages at, used Google and Deja (there are a
lot of cries for help about this, but most weren't resolved), but it boils
down to the same failure again and again: no more client keys. I also
stopped the firewall, just in case.

I skip quoting here all the ssh config files since it's obvious that
hostbased authentication *is* getting used - but fails. The host is
correctly identified:

debug2: userauth_hostbased: chost resolvedname ipaddr ::ffff:IP no.
debug2: stripping trailing dot from chost
debug2: auth_rhosts2: clientuser root hostname ipaddr ::ffff:IP no.


debug1: temporarily_use_uid: 0/0 (e=0)
debug1: restore_uid
debug1: temporarily_use_uid: 0/0 (e=0)
debug1: restore_uid
debug3: mm_answer_keyallowed: key 0x80ad9d8 is disallowed

But this doesn't help, since I don't know why it shouldn't be allowed.

The question is: why is this key disallowed? And does this indicate that
it finds a key matching the hostname in known_hosts and "disallows" it or
doesn't it find one at all?

The relevant config file portions are (real domain name changed):

/etc/shosts.equiv: root
nh12 root

nh12,,IP no. ssh-rsa <key hash here>

(known_hosts was made up by hand because OpenSSH adds the key twice for
each hostname "version")


Conactive Internet Services, Berlin, Germany
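
The question above turns on whether a known_hosts file has no entry for the client host or has an entry with a different key. The following checker separates those cases for the plain (unhashed) line format `names keytype key`. It is an added example, not part of the original post and not sshd's own lookup code; the function names, sample hostnames and key strings are constructed for illustration.

```python
import re

# Constructed sample file: hostnames, address and key blobs are placeholders.
SAMPLE = """\
# hand-made known_hosts
client1,client1.example.test,192.0.2.10 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAconstructedkey1
client2.example.test ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAconstructedkey2
"""

def _name_matches(pattern, host):
    # known_hosts name patterns may use '*' and '?'; everything else is literal.
    # Case-insensitive comparison is a choice made for this example.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, host, re.IGNORECASE) is not None

def lookup(known_hosts_text, host, keytype, keyblob):
    """Return 'match', 'key-differs' or 'host-not-found' for this host and key."""
    host = host.rstrip(".")  # mirrors "stripping trailing dot from chost"
    same_type_entry_seen = False
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue  # blank line, comment, or malformed entry
        patterns = fields[0].split(",")
        # A negated pattern ('!name') that matches excludes the whole line.
        if any(p.startswith("!") and _name_matches(p[1:], host) for p in patterns):
            continue
        if not any(_name_matches(p, host) for p in patterns if not p.startswith("!")):
            continue
        if fields[1] != keytype:
            continue  # an entry for another key type says nothing about this key
        if fields[2] == keyblob:
            return "match"
        same_type_entry_seen = True
    return "key-differs" if same_type_entry_seen else "host-not-found"

if __name__ == "__main__":
    key1 = "AAAAB3NzaC1yc2EAAAABIwAAAIEAconstructedkey1"
    for name in ("client1.example.test.", "client2.example.test", "client3"):
        print(name, "->", lookup(SAMPLE, name, "ssh-rsa", key1))
```

Run it with the exact name shown after `chost` in the server's debug output and the contents of the client's public host key file to see which of the three cases applies.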
