OpenSSH 3.4p1 hostbased auth - howto?

Ben Lindstrom mouring at etoh.eviladmin.org
Wed Jul 24 08:26:59 EST 2002


I believe I've stated this before, but I will again:

   - markus at cvs.openbsd.org 2002/06/26 22:27:32
     [ssh-keysign.c]
     bug #304, xfree(data) called too early; openssh at sigint.cs.purdue.edu


Please try the current snapshots.

- ben

On Tue, 23 Jul 2002, Kevin DeGraaf wrote:

> > Use ssh_known_hosts
> > You will have to edit ssh_known_hosts
> > Now the shosts.equiv file (does not need to be world readable)
> > Not quite what you wanted to do.
> > To fix box2, remove the keys and generate new keys.
> > Each machine must have different keys.
> > Now put the public key from all your machines in ssh_known_hosts and
> > distribute ssh_known_hosts and shosts.equiv to each machine.
>
> Okay, I removed all the old configuration and did this:
>
> 1. On m1.ohm.calvin.edu and m2.ohm.calvin.edu, I generated new hostkeys
> (SSH1-RSA, SSH2-RSA, and SSH2-DSA).
>
> 2. On both machines, I created /etc/ssh/ssh_known_hosts:
>
> m1,m1.ohm.calvin.edu,192.168.1.1 ssh-dsa AAAAB3Nza ... =
> m2,m2.ohm.calvin.edu,192.168.1.2 ssh-dsa AAAAB3Nza ... =
>
> 3. On both machines, I created /etc/shosts.equiv:
>
> m1
> m2
> m1.ohm.calvin.edu
> m2.ohm.calvin.edu
>
> 4. On both machines, I created /etc/ssh/ssh_config:
>
> Host *
>   HostbasedAuthentication yes
>
> 5. On both machines, I created /etc/ssh/sshd_config:
>
> Port 22
> Protocol 2
>
> HostKey /etc/ssh/ssh_host_rsa_key
> HostKey /etc/ssh/ssh_host_dsa_key
>
> PermitRootLogin without-password
>
> RhostsAuthentication yes
> IgnoreRhosts no
> HostbasedAuthentication yes
>
> PermitEmptyPasswords no
> ChallengeResponseAuthentication no
>
> PrintMotd no
> PrintLastLog no
> UsePrivilegeSeparation yes
>
> Subsystem       sftp    /usr/local/libexec/sftp-server
>
> 6. On both machines, I restarted sshd:
>
>   m1# service sshd restart
>   m2# service sshd restart
>
> 7. I attempted a passwordless, keyless, hostbased connection:
>
> debug1: authentications that can continue: publickey,password,hostbased
> debug1: next auth method to try is hostbased
> debug1: Remote: Accepted for m1.ohm.calvin.edu [192.168.1.1] by
> /etc/hosts.equiv.
> debug1: authentications that can continue: publickey,password,hostbased
> debug1: Remote: Accepted for m1.ohm.calvin.edu [192.168.1.1] by
> /etc/hosts.equiv.
> debug1: authentications that can continue: publickey,password,hostbased
> debug1: userauth_hostbased: no more client hostkeys
> debug1: next auth method to try is publickey
> debug1: userauth_pubkey_agent: testing agent key /home/kevin/.ssh/id_dsa
> debug1: authentications that can continue: publickey,password,hostbased
> debug1: try privkey: /home/kevin/.ssh/identity
> debug1: try privkey: /home/kevin/.ssh/id_rsa
> debug1: try pubkey: /home/kevin/.ssh/id_dsa
> debug1: authentications that can continue: publickey,password,hostbased
> debug1: next auth method to try is password
> kevin at m2's password:
>
> Again, any pointers regarding how my configuration differs from the
> necessary configuration will be most appreciated.
>
> (In case you're wondering: yes, I realize that there are no
> publicly available 'A' records for m1/m2.ohm.calvin.edu, but be assured
> there are copies of dnscache and tinydns running on 'm1' that provide
> these records to my Beowulf cluster machines).
>
> --
> Kevin DeGraaf
>
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>
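
The quoted steps 2, 3 and 5 can be cross-checked mechanically: each name in shosts.equiv should have a key line in ssh_known_hosts, and sshd_config should enable HostbasedAuthentication. The script below is an added example, not part of the original thread or of OpenSSH; the function names, the example.test hosts and the placeholder key are assumptions, and it handles only plain (unhashed, non-wildcard) host names.

```shell
#!/bin/sh
# Added example: consistency check for the files from steps 2, 3 and 5.
# Assumes plain (unhashed, no wildcard) names in ssh_known_hosts and one
# host name per line in shosts.equiv.

# missing_hostkeys EQUIV KNOWN_HOSTS
# Print every host listed in EQUIV that has no key line in KNOWN_HOSTS.
missing_hostkeys() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }        # blank lines and comments
        src == "known" {                     # "name1,name2,ip keytype key"
            n = split($1, names, ",")
            for (i = 1; i <= n; i++) known[names[i]] = 1
            next
        }
        !($1 in known) { print $1 }          # equiv entry without a key
    ' src=known "$2" src=equiv "$1"
}

# hostbased_enabled SSHD_CONFIG
# Succeed if the first HostbasedAuthentication line says "yes"
# (keywords are case-insensitive; the first value found is used).
hostbased_enabled() {
    awk '
        tolower($1) == "hostbasedauthentication" {
            found = (tolower($2) == "yes"); exit
        }
        END { exit !found }
    ' "$1"
}

# Constructed sample data (key material is a placeholder, not a real key).
tmp=$(mktemp -d)
printf '%s\n' 'm1,m1.example.test,192.0.2.1 ssh-rsa AAAAPLACEHOLDER' \
    > "$tmp/known"
printf '%s\n' m1 m2 m1.example.test m2.example.test > "$tmp/equiv"
printf '%s\n' 'Protocol 2' 'HostbasedAuthentication yes' > "$tmp/sshd_config"

echo "hosts in shosts.equiv without a host key:"
missing_hostkeys "$tmp/equiv" "$tmp/known"
hostbased_enabled "$tmp/sshd_config" && echo "sshd: hostbased enabled"
rm -rf "$tmp"
```

On a real host, pass /etc/shosts.equiv, /etc/ssh/ssh_known_hosts and /etc/ssh/sshd_config in place of the temporary files.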