rhostsauthentication fails. (Or why I hate poorly documented software.)

jeff at ntcor.com jeff at ntcor.com
Tue Jul 4 07:18:18 EST 2000


OK, after a bit of work, I've done the following:

Created a new RSA key with a blank passphrase. Copied the .pub RSA key
to the $HOME/.ssh/authorized_keys file.

Set RhostsRSAAuthentication and RSAAuthentication to yes on the server
and client.

And it works fine.

But this doesn't seem to provide RhostsRSAAuthentication.

It only provided RSAAuthentication.

If I change RSAAuthentication to no (keeping RhostsRSAAuthentication as yes)
on the server everything breaks again.

I guess I don't get this whole thing.  I would think somebody besides me
would need a secure method of remote login/shell capabilities without
having to enter passwords all the time.  Tons of people need daily rsync
abilities.

However, if I use RSA Authentication with a blank passphrase then I
wouldn't consider this any more secure than plain rhosts authentication
because as soon as somebody steals my private key (which isn't really
private because it's got a blank passphrase) then they have the same
level of security as rhosts.

And then why should I be using protocol 1 at all? Why not use DSAAuthentication
with a blank passphrase?

So then I guess my question is...

Why have rhosts/RSA authentication implemented at all? It doesn't seem to
work (because ssh doesn't seem to really support rhosts authentication) and
furthermore DSAAuthentication is exactly the same as RhostsRSAAuth. if used
with /etc/hosts.allow and /etc/hosts.deny. Even better because I can disable
Protocol 1.

Any thoughts on the subject are appreciated. Maybe I'm missing something
fundamental.

Does anybody else have *just* rhosts authentication in OpenSSH working? Is it
something that needs to be explicitly enabled/included during compile time?

- Jeff

John Hardin wrote:
> 
> jeff at ntcor.com wrote:
> >
> > However, I want to get something that will work with rsync without having
> > to manually enter passwords, passphrases, or enter such information hardcoded
> > in scripts.
> 
> Try an RSA authenticated connection, without a passphrase on the key...
> (explicitly set a blank passphrase)
> 
> --
>         John Hardin
>         Internal Systems Administrator
>         Apropos Retail Management Systems, Inc.
>         <johnh at aproposretail.com>
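
Added example, not part of the original message or of OpenSSH: a Python check a defender can run over key files to find private keys stored with a blank passphrase, the exposure the message describes. The file layouts (protocol 1 magic followed by a cipher-type byte, `openssh-key-v1` cipher-name field, PEM `Proc-Type` header) are stated as assumptions, and `v1_sample` builds a constructed header-only sample with no key material.

```python
import base64
import binascii
import struct
import sys

SSH1_MAGIC = b"SSH PRIVATE KEY FILE FORMAT 1.1\n\x00"  # protocol 1 RSA key file
V1_MAGIC = b"openssh-key-v1\x00"                       # current OpenSSH format


def key_protection(data: bytes) -> str:
    """Return 'encrypted', 'unencrypted' or 'unknown' for a private key file."""
    if data.startswith(SSH1_MAGIC):
        # Assumed layout: one cipher-type byte follows the magic; 0 = no cipher.
        kind = data[len(SSH1_MAGIC):len(SSH1_MAGIC) + 1]
        return {b"": "unknown", b"\x00": "unencrypted"}.get(kind, "encrypted")
    lines = [ln.strip() for ln in data.decode("ascii", "replace").splitlines()]
    lines = [ln for ln in lines if ln]
    if not lines or not lines[0].endswith("PRIVATE KEY-----"):
        return "unknown"
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        try:
            blob = base64.b64decode("".join(lines[1:-1]))
            off = len(V1_MAGIC)
            (n,) = struct.unpack(">I", blob[off:off + 4])
        except (binascii.Error, struct.error):
            return "unknown"
        if not blob.startswith(V1_MAGIC):
            return "unknown"
        # First field after the magic is the cipher name; "none" = blank passphrase.
        return "unencrypted" if blob[off + 4:off + 4 + n] == b"none" else "encrypted"
    # PEM: PKCS#8 says so in the label, legacy PEM in a Proc-Type header.
    if "ENCRYPTED" in lines[0] or "Proc-Type: 4,ENCRYPTED" in lines:
        return "encrypted"
    return "unencrypted"


def v1_sample(cipher: bytes) -> bytes:
    """Constructed header-only sample (no key material) for the demo."""
    s = lambda b: struct.pack(">I", len(b)) + b
    blob = base64.b64encode(V1_MAGIC + s(cipher) + s(b"none") + s(b""))
    return b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + blob + b"\n-----END OPENSSH PRIVATE KEY-----\n"


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, key_protection(fh.read()))
    if len(sys.argv) == 1:  # no paths given: run on constructed samples
        print(key_protection(SSH1_MAGIC + b"\x00" * 5), key_protection(v1_sample(b"none")))
```

Run it with one or more private key paths as arguments; any file reported as `unencrypted` is usable by whoever can read it.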
