OpenSSH 3.4p1 hostbased auth - howto?
Kevin DeGraaf
kevin at kevindegraaf.net
Wed Jul 24 08:07:28 EST 2002
> Use ssh_known_hosts
> You will have to edit ssh_known_hosts
> Now the shosts.equiv file (does not need to be world readable)
> Not quite what you wanted to do.
> To fix box2, remove the keys and generate new keys.
> Each machine must have different keys.
> Now put the public key from all your machines in ssh_known_hosts and
> distribute ssh_known_hosts and shosts.equiv to each machine.
Okay, I removed all the old configuration and did this:
1. On m1.ohm.calvin.edu and m2.ohm.calvin.edu, I generated new hostkeys
(SSH1-RSA, SSH2-RSA, and SSH2-DSA).
2. On both machines, I created /etc/ssh/ssh_known_hosts:
m1,m1.ohm.calvin.edu,192.168.1.1 ssh-dsa AAAAB3Nza ... =
m2,m2.ohm.calvin.edu,192.168.1.2 ssh-dsa AAAAB3Nza ... =
3. On both machines, I created /etc/shosts.equiv:
m1
m2
m1.ohm.calvin.edu
m2.ohm.calvin.edu
4. On both machines, I created /etc/ssh/ssh_config:
Host *
HostbasedAuthentication yes
5. On both machines, I created /etc/ssh/sshd_config:
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
PermitRootLogin without-password
RhostsAuthentication yes
IgnoreRhosts no
HostbasedAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PrintMotd no
PrintLastLog no
UsePrivilegeSeparation yes
Subsystem sftp /usr/local/libexec/sftp-server
6. On both machines, I restarted sshd:
m1# service sshd restart
m2# service sshd restart
7. I attempted a passwordless, keyless, hostbased connection:
debug1: authentications that can continue: publickey,password,hostbased
debug1: next auth method to try is hostbased
debug1: Remote: Accepted for m1.ohm.calvin.edu [192.168.1.1] by /etc/hosts.equiv.
debug1: authentications that can continue: publickey,password,hostbased
debug1: Remote: Accepted for m1.ohm.calvin.edu [192.168.1.1] by /etc/hosts.equiv.
debug1: authentications that can continue: publickey,password,hostbased
debug1: userauth_hostbased: no more client hostkeys
debug1: next auth method to try is publickey
debug1: userauth_pubkey_agent: testing agent key /home/kevin/.ssh/id_dsa
debug1: authentications that can continue: publickey,password,hostbased
debug1: try privkey: /home/kevin/.ssh/identity
debug1: try privkey: /home/kevin/.ssh/id_rsa
debug1: try pubkey: /home/kevin/.ssh/id_dsa
debug1: authentications that can continue: publickey,password,hostbased
debug1: next auth method to try is password
kevin@m2's password:
Again, any pointers regarding how my configuration differs from the
necessary configuration will be most appreciated.
(In case you're wondering: yes, I realize that there are no
publicly available 'A' records for m1/m2.ohm.calvin.edu, but be assured
there are copies of dnscache and tinydns running on 'm1' that provide
these records to my Beowulf cluster machines.)
--
Kevin DeGraaf
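An added consistency check for a setup like the one in this message (not code from the original post or from OpenSSH): it parses an ssh_known_hosts file and an shosts.equiv file and reports the mistakes that make the server quietly fall through to password auth, namely a key type it does not recognise (OpenSSH spells DSA keys "ssh-dss"), the same host key reused on two machines, and a host listed in shosts.equiv that has no ssh_known_hosts entry. The sample files and key blobs are constructed, not real keys.

```python
import base64
import struct

# Key type strings OpenSSH accepts in known_hosts (DSA keys are spelled "ssh-dss").
VALID_KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
                   "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def parse_known_hosts(text):
    """Yield (lineno, [hostnames], keytype, base64blob) for each key line."""
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) >= 3 and not parts[0].startswith("#"):
            yield lineno, parts[0].split(","), parts[1], parts[2]

def blob_key_type(blob):
    """Return the key type string embedded at the start of the wire-format blob."""
    raw = base64.b64decode(blob, validate=True)
    (n,) = struct.unpack(">I", raw[:4])
    return raw[4:4 + n].decode("ascii")

def check_hostbased(known_hosts, shosts_equiv):
    """Return a list of problems (empty list means the two files are consistent)."""
    problems, seen_blobs, known_names = [], {}, set()
    for lineno, hosts, ktype, blob in parse_known_hosts(known_hosts):
        known_names.update(hosts)
        if ktype not in VALID_KEY_TYPES:
            problems.append(f"known_hosts line {lineno}: unknown key type {ktype!r}")
        try:
            if blob_key_type(blob) != ktype:
                problems.append(f"known_hosts line {lineno}: type field disagrees with key blob")
        except (ValueError, struct.error):
            problems.append(f"known_hosts line {lineno}: key blob is not a valid SSH key")
        if blob in seen_blobs and seen_blobs[blob] != hosts[0]:
            problems.append(f"known_hosts line {lineno}: {hosts[0]} reuses the host key of {seen_blobs[blob]}")
        seen_blobs.setdefault(blob, hosts[0])
    for line in shosts_equiv.splitlines():
        fields = line.split()  # netgroup (+@) and wildcard lines are skipped, not resolved
        if fields and fields[0][0] not in "#+-@" and fields[0] not in known_names:
            problems.append(f"shosts.equiv host {fields[0]!r} has no ssh_known_hosts entry")
    return problems

def make_fake_blob(ktype):
    """Constructed stand-in for a real key blob: wire-format type string plus filler."""
    return base64.b64encode(struct.pack(">I", len(ktype)) + ktype.encode() + b"\0" * 8).decode()

# Constructed sample: m2's line misspells the type and reuses m1's key; m3 is unknown.
SAMPLE_KNOWN_HOSTS = (
    f"m1,m1.ohm.calvin.edu,192.168.1.1 ssh-dss {make_fake_blob('ssh-dss')}\n"
    f"m2,m2.ohm.calvin.edu,192.168.1.2 ssh-dsa {make_fake_blob('ssh-dss')}\n")
SAMPLE_SHOSTS_EQUIV = "m1\nm2\nm1.ohm.calvin.edu\nm3.ohm.calvin.edu\n"
```

Calling check_hostbased(SAMPLE_KNOWN_HOSTS, SAMPLE_SHOSTS_EQUIV) reports four problems for the sample; on the real files, pass the contents of /etc/ssh/ssh_known_hosts and /etc/shosts.equiv from each machine.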