John Blinka wrote:
> Hi, folks,
>
> I'd like to get host based ssh authentication working within
> all the gentoo boxes on my home network. I've had no
> success yet - I hope someone can enlighten me!
>
> What I've done so far on the server side is:
>
> set HostbasedAuthentication yes in sshd_config
> set HostbasedAuthentication yes in ssh_config
> added /etc/ssh/shosts.equiv containing names of client boxes
> added /etc/ssh/ssh_known_hosts containing public host keys of
> client boxes
>
> Client boxes are configured similarly.
>
> When I try to ssh from one box to another, I always get a request
> for a password, which is what I'm trying to avoid.

If you just want to be able to log into each system without using a
password, why not set up publickey authentication instead of
hostbased? The principle is essentially the same, except the
authentication key is tied to the user instead of the system.

> Below is an excerpt from an attempt to ssh from one box to another
> while requesting the maximum amount of debugging info. It looks
> like ssh is trying to use host based authentication, but for some
> reason it fails. I'd appreciate any ideas about what might be
> going wrong.
[ .... SNIP SSH DEBUG INFO .... ]

I haven't done too much hostbased authentication, because it's
historically insecure. But if I understand the man page correctly,
the following needs to be in place:

1. Assumption: "myserver" is the ssh server, and "tobey" is the ssh
   client.
2. "tobey" must be in /etc/hosts.equiv or /etc/ssh/shosts.equiv on
   "myserver"
3. a. The current user attempting to log in to myserver from tobey
      must exist on myserver and be the account being logged into through
      the ssh session OR
   b. the account being logged into on myserver must have a
      ~/.rhosts or ~/.shosts file containing the name of the ssh client
      (tobey) in its home directory
4. tobey's host key must be located in /etc/ssh/ssh_known_hosts
   and/or ~/.ssh/known_hosts on myserver

Please verify that you have all of the above set up for each client
and server pair. You might be better off trying one system as the
server and one system as the client until you are able to get a
successful connection.

--
gentux
echo "hfouvyyAhnbjm/dpn" | perl -pe 's/(.)/chr(ord($1)-1)/ge'

gentux's gpg fingerprint ==> 5495 0388 67FF 0B89 1239 D840 4CF0 39E2 18D3 4A9E
--
gentoo-user@g.o mailing list
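As an added example (not code from the thread or from OpenSSH), the POSIX sh script below audits the four server-side prerequisites listed in gentux's reply against a directory tree instead of the live system, so it can be tried on a constructed copy first. The tree layout under $root, the account name john and the placeholder host key are assumptions made for the demo.

```shell
# Added example, not from the thread: audit the server-side prerequisites
# listed in the reply, reading files under an assumed tree $root
# ($root/ssh/sshd_config, $root/ssh/shosts.equiv, $root/hosts.equiv,
# $root/ssh/ssh_known_hosts, $root/passwd) plus the target user's $home.
# Hashed known_hosts entries (HashKnownHosts yes) are not recognised.
# Each missing item is printed; the return status is 0 only if none is.
# first_field_is FILE NAME: some line of FILE has NAME as its first field
first_field_is() { [ -f "$1" ] && awk -v c="$2" '$1==c{f=1} END{exit !f}' "$1"; }
# has_host_key FILE NAME: NAME appears in the comma-separated host list of
# some known_hosts line (a leading "@cert-authority"/"@revoked" marker is skipped)
has_host_key() {
  [ -f "$1" ] && awk -v c="$2" '{h=($1 ~ /^@/)?$2:$1; n=split(h,a,",")
    for(i=1;i<=n;i++) if(a[i]==c) f=1} END{exit !f}' "$1"
}

check_hostbased() {   # args: client user root home
  client=$1 user=$2 root=$3 home=$4 fail=0
  grep -qsiE '^[[:space:]]*HostbasedAuthentication[[:space:]]+yes' \
    "$root/ssh/sshd_config" ||
    { echo "sshd_config: HostbasedAuthentication is not yes"; fail=1; }
  # step 2: client named in hosts.equiv or shosts.equiv
  first_field_is "$root/hosts.equiv" "$client" ||
  first_field_is "$root/ssh/shosts.equiv" "$client" ||
    { echo "step 2: $client not in hosts.equiv or shosts.equiv"; fail=1; }
  # step 3: account exists here (3a) or its ~/.shosts or ~/.rhosts names the client (3b)
  grep -qs "^$user:" "$root/passwd" ||
  first_field_is "$home/.shosts" "$client" ||
  first_field_is "$home/.rhosts" "$client" ||
    { echo "step 3: no account $user and no .shosts/.rhosts entry for $client"; fail=1; }
  # step 4: client host key in ssh_known_hosts or the user's known_hosts
  has_host_key "$root/ssh/ssh_known_hosts" "$client" ||
  has_host_key "$home/.ssh/known_hosts" "$client" ||
    { echo "step 4: no host key for $client in known_hosts"; fail=1; }
  return $fail
}

# build_demo DIR: constructed tree for myserver trusting tobey; key is a placeholder
build_demo() {
  mkdir -p "$1/ssh" "$1/home/.ssh"
  echo 'HostbasedAuthentication yes' > "$1/ssh/sshd_config"
  echo 'tobey' > "$1/ssh/shosts.equiv"
  echo 'john:x:1000:1000::/home/john:/bin/sh' > "$1/passwd"
  echo 'tobey,192.0.2.10 ssh-ed25519 AAAAC3PLACEHOLDERKEY' > "$1/ssh/ssh_known_hosts"
}

d=$(mktemp -d); build_demo "$d"
check_hostbased tobey john "$d" "$d/home" && echo "all prerequisites present"
rm -rf "$d"
```

Point it at the real files by passing an empty root and the target account's home, for example `check_hostbased tobey john "" /home/john`, and remove items from the constructed tree to see which step each message corresponds to.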