Case study of new possibilities with PartialAuth and HostbasedAuth

Carson Gaspar carson at taltos.org
Wed Apr 25 17:27:02 EST 2001


Finally all the pieces are in place to allow strong user and host 
authentication with SSH2 and the latest OpenSSH code (plus my partial auth 
patch). Herein I describe one problem case, and a possible solution thereof.

Target: Allow user logins from host charles to host steve using passwords

Previously, you would have had to trust the IP headers to authenticate 
charles. If charles had a dynamic IP address, or was behind dynamic NAT or 
a non-transparent firewall, you lost. If someone could spoof charles' IP 
address, you lost. Now, you can solve this securely (assuming charles' host 
security is good!).

on steve:

sshd_config:

HostbasedAuthentication yes
HostbasedUsesNameFromPacketOnly yes
PasswordAuthentication yes
# if you don't want users to add clients, you either need to stop parsing 
.[rs]hosts
IgnoreRhosts yes
# or control which hosts have trusted keys with
IgnoreUserKnownHosts yes
# or both
AuthOrder2 hostbased:password

ssh_known_hosts2:

charles.dom.ain.,charles.dom.ain ssh-dss [charles_dsa_public_key]

shosts.equiv:

charles.dom.ain
charles.dom.ain.

NOTE: trailing dot form included in ssh_known_hosts2 and shosts.equiv to 
work around a bug in the current codebase.

On charles:

ssh must have access to ssh_host_dsa_key. For now this means ssh must be 
setuid root.

ssh_config:

Host steve
  HostbasedAuthentication yes
  PasswordAuthentication yes

At this point, you should be good to go!

-- 
Carson Gaspar - carson at taltos.org
Queen trapped in a butch body



More information about the openssh-unix-dev mailing list