Hostbased authentication without known_hosts file?

Damien Miller djm at mindrot.org
Mon Oct 27 23:43:42 EST 2008


On Mon, 27 Oct 2008, Dominik Epple wrote:

> Hi,
> 
> is there any way to use hostbased authentication without the need to
> have the SSH host keys stored in a known_hosts file?
> 
> We run a large cluster where we need to have passwordless remote login
> available. We currently do that with hostbased SSH authentication. But
> it is error-prone and a lot of work to keep the known_hosts file up to
> date on all hosts. (This is the same situation as DNS vs /etc/hosts
> and LDAP vs /etc/passwd, and so on.)
> 
> We know of the possibility to store SSH fingerprints in SSHFP records
> in DNS. But this currently does not allow hostbased authentication,
> it only allows the client to verify the server's host key.
> 
> Is there any other possibility?

Kerberos or push out hostkey lists with rdist.

-d


More information about the openssh-unix-dev mailing list