[Bug 3615] Host Based Authentication is failing

bugzilla-daemon at mindrot.org
Mon Sep 25 09:28:06 AEST 2023


https://bugzilla.mindrot.org/show_bug.cgi?id=3615

--- Comment #28 from Darren Tucker <dtucker at dtucker.net> ---
(In reply to Richard Kreutzer from comment #25)
[...]
> I will now have to add the fqdn to the beginning of each key in the
> .pub files after pasting then in them in the ssh_known_hosts file
> for each server.  And since all the machines are both clients and
> servers, that means every machine, which I certainly can do.

Is there a reason you couldn't just list every machine in one file then
distribute that file to all machines?

> But it surprises me that there is not a built-in way to do this, or
> is there?  Something like "ssh-copy-id".

Not that I know of.  ssh-copy-id is a user-specific setup tool that
users can self-provision with, whereas hostbased authentication is a
system-wide configuration that affects all users and thus is part of
system administration.  You can use whatever you use for other system
administration tasks, be that vi or something like puppet or chef.

Anyway, I suspect hostbased doesn't get used much any more.  It was a
drop-in replacement for rlogin's hosts.equiv, and that implies a bit more
trust than exists in most environments these days.

> Thank you so much!  I would never have found this requirement, as it
> does not seem to be mentioned in any of the HBA guides I found.
> 
> Please confirm that my above strategy is correct, and that there is
> no better way to do this, before I start writing a script to
> automate it.

What you describe looks correct to me.

(In reply to Richard Kreutzer from comment #26)
> P.S.  What about ssh-keyscan?  Is that what it is for?

ssh-keyscan is for populating known_hosts files over the network, e.g.
for bootstrapping one that you'll then put under change control.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
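The strategy agreed on in the thread, collecting each machine's host public key, prefixing it with the machine's FQDN and shipping one combined ssh_known_hosts to every machine, is shown below as an added example; it is not code from the bug report or from OpenSSH. It assumes a directory of per-host public key files named `<fqdn>.pub` (our own naming convention), and the key blobs in the sample data are constructed dummies, not real keys.

```shell
#!/bin/sh
# Added example, not from the bug thread or OpenSSH.
# Builds one ssh_known_hosts from a directory of per-host public key files
# named <fqdn>.pub (assumed naming convention), prefixing every key with the
# hostname as sshd needs for hostbased authentication. The comment field of
# each .pub line is dropped; a .pub file may hold several key lines.

build_known_hosts() {
    dir="$1"
    for f in "$dir"/*.pub; do
        [ -e "$f" ] || continue
        fqdn=$(basename "$f" .pub)
        while read -r keytype b64 _comment; do
            # skip blank or malformed lines rather than emitting a broken entry
            [ -n "$keytype" ] && [ -n "$b64" ] || continue
            printf '%s %s %s\n' "$fqdn" "$keytype" "$b64"
        done < "$f"
    done
}

# Sanity check before distributing: every entry must be exactly
# "hostname keytype base64"; a line with a missing hostname is what
# causes the silent failure discussed in the bug.
check_known_hosts() {
    file="$1"
    awk 'NF != 3 { print "bad line " NR ": " $0; bad=1 } END { exit bad }' "$file"
}

# Constructed sample data (dummy key blobs, not real keys).
demo_dir=$(mktemp -d)
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDUMMYKEY1 root@alpha\n' \
    > "$demo_dir/alpha.example.com.pub"
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDUMMYKEY2 root@beta\nssh-rsa AAAAB3NzaC1yc2EDUMMYKEY3 root@beta\n' \
    > "$demo_dir/beta.example.com.pub"

build_known_hosts "$demo_dir" > "$demo_dir/ssh_known_hosts"
check_known_hosts "$demo_dir/ssh_known_hosts"
cat "$demo_dir/ssh_known_hosts"
```

The resulting file is copied to /etc/ssh/ssh_known_hosts on every machine, since each one is both client and server; the same file is then what ssh-keyscan would only bootstrap, and it belongs under the same change control as the rest of the system configuration. The hostname in the first field must match what the server resolves the connecting client to, so use the name the server's reverse lookup will return, not a short alias, unless both are listed comma-separated in that field.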
