| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA1 |
| 3 |
|
| 4 |
John Blinka wrote: |
| 5 |
> Hi, folks, |
| 6 |
> |
| 7 |
> I'd like to get host based ssh authentication working within |
| 8 |
> all the gentoo boxes on my home network. I've had no |
| 9 |
> success yet - I hope someone can enlighten me! |
| 10 |
> |
| 11 |
> What I've done so far on the server side is: |
| 12 |
> |
| 13 |
> set HostbasedAuthentication yes in sshd_config |
| 14 |
> set HostbasedAuthentication yes in ssh_config |
| 15 |
> added /etc/ssh/shosts.equiv containing names of client boxes |
| 16 |
> added /etc/ssh/ssh_known_hosts containing public host keys of |
| 17 |
> client boxes |
| 18 |
> |
| 19 |
> Client boxes are configured similarly. |
| 20 |
> |
| 21 |
> When I try to ssh from one box to another, I always get a request |
| 22 |
> for a password, which is what I'm trying to avoid. |
| 23 |
|
| 24 |
If you just want to be able to log into each system without using a |
| 25 |
password, why not set up publickey authentication instead of |
| 26 |
hostbased? The principle is essentially the same, except the |
| 27 |
authentication key is tied to the user instead of the system. |
| 28 |
> |
| 29 |
> Below is an excerpt from an attempt to ssh from one box to another |
| 30 |
> while requesting the maximum amount of debugging info. It looks |
| 31 |
> like ssh is trying to use host based authentication, but for some |
| 32 |
> reason it fails. I'd appreciate any ideas about what might be |
| 33 |
> going wrong. |
| 34 |
[ .... SNIP SSH DEBUG INFO .... ] |
| 35 |
|
| 36 |
I haven't done too much hostbased authentication, because it's |
| 37 |
historically insecure. But if I understand the man page correctly, |
| 38 |
the following needs to be in place: |
| 39 |
|
| 40 |
1. Assumption: "myserver" is the ssh server, and "tobey" is the ssh |
| 41 |
client. |
| 42 |
2. "tobey" must be in /etc/hosts.equiv or /etc/ssh/shosts.equiv on |
| 43 |
"myserver" |
| 44 |
3. a. The current user attempting to login to myserver from tobey |
| 45 |
must exist on myserver and is the account being logged into through |
| 46 |
the ssh session OR |
| 47 |
b. the account being logged into on myserver must have a |
| 48 |
~/.rhosts or ~/.shosts file containing the name of the ssh client |
| 49 |
(tobey) in its home directory |
| 50 |
4. tobey's host key must be located in /etc/ssh/ssh_known_hosts |
| 51 |
and/or ~/.ssh/known_hosts on myserver |
| 52 |
|
| 53 |
Please verify that you have all of the above set up for each client |
| 54 |
and server pair. You might be better off trying one system as the |
| 55 |
server and one system as the client until you are able to get a |
| 56 |
successful connection. |
| 57 |
|
| 58 |
- -- |
| 59 |
gentux |
| 60 |
echo "hfouvyyAhnbjm/dpn" | perl -pe 's/(.)/chr(ord($1)-1)/ge' |
| 61 |
|
| 62 |
gentux's gpg fingerprint ==> 5495 0388 67FF 0B89 1239 D840 4CF0 39E2 |
| 63 |
18D3 4A9E |
| 64 |
-----BEGIN PGP SIGNATURE----- |
| 65 |
Version: GnuPG v1.4.4 (GNU/Linux) |
| 66 |
|
| 67 |
iD8DBQFEzEB5TPA54hjTSp4RAmQiAJ4sT7GUXAghXG4uqMKMlIkliQWhIACglJNP |
| 68 |
PDOWDdzPYguBhPIzbC8vTmM= |
| 69 |
=YDMQ |
| 70 |
-----END PGP SIGNATURE----- |
| 71 |
|
| 72 |
-- |
| 73 |
gentoo-user@g.o mailing list |
Archives