Hostbased authentication without known_hosts file?
Damien Miller
djm at mindrot.org
Mon Oct 27 23:43:42 EST 2008
On Mon, 27 Oct 2008, Dominik Epple wrote:
> Hi,
>
> is there any way to use hostbased authentication without the need to
> have the SSH host keys stored in a known_hosts file?
>
> We run a large cluster where we need to have passwordless remote login
> available. We currently do that with hostbased SSH authentication. But
> it is error-prone and a lot of work to keep the known_hosts file up to
> date on all hosts. (This is the same situation like DNS vs /etc/hosts
> and LDAP vs /etc/passwd, and so on.)
>
> We know of the possibility to store SSH fingerprints in SSHFP records
> in DNS. But this currently does not allow hostbased authentication,
> it only allows the client to verify the server's host key.
>
> Is there any other possiblity?
Kerberos or push out hostkey lists with rdist.
-d
More information about the openssh-unix-dev
mailing list