hostbased authentication and the root account

Ed Phillips ed at UDel.Edu
Thu Apr 25 02:27:17 EST 2002


On Wed, 24 Apr 2002 rene.klootwijk at nl.abnamro.com wrote:

> Date: Wed, 24 Apr 2002 17:56:51 +0200
> From: rene.klootwijk at nl.abnamro.com
> To: openssh-unix-dev at mindrot.org
> Subject: hostbased authentication and the root account
>
> We have a problem using hostbased authentication in combination with the
> root account. We use hostbased authentication to hop from a 'management
> server' where we use strong authentication to several systems in a cluster.
> The management server is defined in shosts.equiv and the public key of this
> server is defined in ssh_known_hosts. This setup works for all users except

The ssh_known_hosts file is a means for the client to check hostkeys when
connecting to some sshd on some other system.  If you put the management
server's public key (sshd_host_rsa_key.pub) in the /etc/ssh_known_hosts
file on the other machines, you're ensuring that you can connect to the
management server from the other machines with ssh without a manual
hostkey check.  From what you're describing, unless I'm reading wrong, it
seems like you are wanting to make ssh connections from the management
server to the other machines... in which case you need all of the other
machines' hostkeys installed in /etc/ssh_known_hosts on the management
server.

> for the root user (which is needed for maintenance scripts to work). We've
> got it working for the root account by specifying the management server in
> the /root/.shosts file and setting the IgnoreRhosts option to no. This is
> not what we want, we want to ignore user specific shost files, so setting
> the IgnoreRhosts option to yes. In the source of auth-rhosts.c, line 205,
> an if statement specifies that the central shosts.equiv file is only
> checked for accounts other than root. Why is this?

I don't know why... but the way we do this kind of thing is to create a
keypair for the root user on the management server, store the private key
in a "protected" file (mode 0600, owner root, on a local disk) with no
passphrase, and copy the public key to /.ssh/authorized_keys2 on each
system where we want to run something as root using ssh from the
management server.  I think this is the preferred way, as opposed to
putting a passphrase in a file that would then be used to decrypt a
private key, or resorting to something like .shosts or .rhosts.  I think
the main reason it's preferred is because it is less (not?) susceptible to
IP spoofing, assuming you can keep the hostkeys secure.

Sorry to leave your question unanswered, but I hope this helps
nonetheless. ;-)

	Ed

Ed Phillips <ed at udel.edu> University of Delaware (302) 831-6082
Systems Programmer III, Network and Systems Services
finger -l ed at polycut.nss.udel.edu for PGP public key
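
Added example (not part of the original message or of OpenSSH): a pre-flight check for the setup the reply describes, run on the management server. It verifies that the root private key file is mode 0600 with the expected owner, and lists cluster hosts that have no entry in ssh_known_hosts. The function names, host names and temporary paths are constructed for illustration; hashed known_hosts entries are not handled.

```shell
#!/bin/sh
# Added example: checks for the key-based root setup; all names are hypothetical.

# key_is_protected FILE [UID]
# Succeeds only if FILE is a regular file, mode 0600, owned by UID (default 0, root).
key_is_protected() {
    file=$1 owner=${2:-0}
    [ -f "$file" ] && [ ! -L "$file" ] || { echo "$file: not a regular file" >&2; return 1; }
    # GNU/busybox stat first, BSD stat as fallback
    meta=$(stat -c '%a %u' "$file" 2>/dev/null || stat -f '%Lp %u' "$file") || return 1
    [ "$meta" = "600 $owner" ] || { echo "$file: is '$meta', want '600 $owner'" >&2; return 1; }
}

# missing_hostkeys KNOWN_HOSTS HOST...
# Prints each HOST that has no plain-text entry in KNOWN_HOSTS.
# Assumption: hashed entries (|1|...), wildcard patterns and @-marked
# lines are not interpreted, so such hosts are reported as missing.
missing_hostkeys() {
    kh=$1; shift
    for h in "$@"; do
        awk -v h="$h" '
            /^[ \t]*[#@]/ || NF == 0 { next }   # skip comments, markers, blanks
            { n = split($1, names, ",")          # first field: comma-separated names
              for (i = 1; i <= n; i++) if (names[i] == h) found = 1 }
            END { exit !found }' "$kh" || echo "$h"
    done
}

# Constructed sample: two cluster hosts present, a third one absent.
demo_dir=$(mktemp -d)
cat > "$demo_dir/ssh_known_hosts" <<'EOF'
# constructed entries, key material is a placeholder
node1.example.org,192.0.2.11 ssh-rsa AAAAB3NzaC1yc2E_PLACEHOLDER
node2.example.org ssh-rsa AAAAB3NzaC1yc2E_PLACEHOLDER
EOF
: > "$demo_dir/root_key"; chmod 600 "$demo_dir/root_key"   # stand-in for the private key
key_is_protected "$demo_dir/root_key" "$(id -u)" && echo "key file ok"
missing_hostkeys "$demo_dir/ssh_known_hosts" node1.example.org node2.example.org node3.example.org
```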



