Hostbased authentication without known_hosts file?
Douglas E. Engert
deengert at anl.gov
Tue Oct 28 03:11:26 EST 2008
Dominik Epple wrote:
> Hi,
>
> On Mon, 27 Oct 2008, Damien Miller wrote:
>> Kerberos
>
> This requires the users to obtain a ticket, I guess?
Yes. You would need a Kerberos realm setup with users principals,and host
principals. Each host has to have a keytab file. One way to use this
is the user gets a ticket on the client, then you use the GSSAPI
options of ssh. There are Windows ssh clients like SecureCRT and some versions
of PuTTY that can do GSSAPI. Windows uses Kerberos so any AD users already
have tickets.
> Or is there a
> way to do password-less, ticket-less hostbased authentication which
> just uses kerberos host keys instead of ssh host keys to validate
> the remote host?
>
>> or push out hostkey lists with rdist.
>
> Our cluster is too large for this. This does not work well and we
> want do get rid of it.
>
>> -d
>
> Thanks for your reply.
>
> Regards,
> Dominik
>
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
More information about the openssh-unix-dev
mailing list