Hostbased authentication without known_hosts file?

Douglas E. Engert deengert at anl.gov
Tue Oct 28 03:11:26 EST 2008



Dominik Epple wrote:
> Hi,
> 
> On Mon, 27 Oct 2008, Damien Miller wrote:
>> Kerberos
> 
> This requires the users to obtain a ticket, I guess?

Yes. You would need a Kerberos realm setup with user principals, and host
principals. Each host has to have a keytab file. One way to use this
is the user gets a ticket on the client, then you use the GSSAPI
options of ssh. There are Windows ssh clients like SecureCRT and some versions
of PuTTY that can do GSSAPI. Windows uses Kerberos so any AD users already
have tickets.

> Or is there a
> way to do password-less, ticket-less hostbased authentication which
> just uses kerberos host keys instead of ssh host keys to validate
> the remote host?
> 
>> or push out hostkey lists with rdist.
> 
> Our cluster is too large for this. This does not work well and we
> want to get rid of it.
> 
>> -d
> 
> Thanks for your reply.
> 
> Regards,
> Dominik
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
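
The GSSAPI setup described in this reply, sketched as OpenSSH configuration. This is an added illustration, not part of the original message; the realm EXAMPLE.ORG, the host names and the user name are constructed placeholders, and /etc/krb5.keytab is assumed as the keytab location.

```sshconfig
# --- Server side: /etc/ssh/sshd_config on each cluster node ---
# sshd needs a keytab entry for its own host principal,
# host/node01.example.org@EXAMPLE.ORG, in /etc/krb5.keytab (assumed path).
# List the keytab entries with:  klist -k /etc/krb5.keytab
GSSAPIAuthentication yes
# Destroy any forwarded credential cache when the session ends.
GSSAPICleanupCredentials yes

# --- Client side: ~/.ssh/config or /etc/ssh/ssh_config ---
# The user obtains a ticket first:  kinit alice@EXAMPLE.ORG
# and can confirm it with:          klist
Host *.example.org
    GSSAPIAuthentication yes
    # Do not forward the user's ticket unless the remote host needs it
    # and is trusted to hold it.
    GSSAPIDelegateCredentials no
    # Try Kerberos first, then fall back to other methods.
    PreferredAuthentications gssapi-with-mic,publickey,password
```

With this in place the user is authenticated by the Kerberos ticket, with no password prompt. Host names must resolve consistently on both sides, because the client requests a service ticket for the host principal that matches the server's name.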


More information about the openssh-unix-dev mailing list