Hostbased authentication without known_hosts file?

Sergio Gelato Sergio.Gelato at astro.su.se
Wed Oct 29 19:05:57 EST 2008


* Douglas E. Engert [2008-10-27 11:11:26 -0500]:
>
>
> Dominik Epple wrote:
>> Hi,
>>
>> On Mon, 27 Oct 2008, Damien Miller wrote:
>>> Kerberos
>>
>> This requires the users to obtain a ticket, I guess?
>
> Yes. You would need a Kerberos realm setup with user principals, and host
> principals. Each host has to have a keytab file. One way to use this
> is the user gets a ticket on the client, then you use the GSSAPI
> options of ssh. There are Windows ssh clients like SecureCRT and some versions
> of PuTTY that can do GSSAPI. Windows uses Kerberos so any AD users already
> have tickets.

Don't you also need Simon Wilkinson's GSSAPI key exchange patch for
OpenSSH to bypass the known_hosts-based host key checks? It's a minor caveat
since many distributors already apply that patch, but as far as I know
the feature isn't included in vanilla OpenSSH yet.

>> Or is there a
>> way to do password-less, ticket-less hostbased authentication which
>> just uses kerberos host keys instead of ssh host keys to validate
>> the remote host?

In principle that ought to be feasible with a helper program similar to
ssh-keysign that accesses a keytab and uses its contents to initiate the
GSS exchange, but I don't think anyone has implemented it yet.
(I don't find it a particularly desirable feature: I'd rather
authenticate the user than the client host.)

Another solution might be for you to use rsh over IPsec (and either a
public-key infrastructure or Kerberos to establish the security associations;
PKI is more widely supported).
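The two configurations discussed in this thread side by side, as an added example that is not part of the original message: vanilla OpenSSH GSSAPI user authentication, which still consults known_hosts, and the GSSAPI key exchange option from Simon Wilkinson's patch, which lets the Kerberos host principal stand in for the ssh host key. The realm EXAMPLE.ORG and the host pattern are placeholders.

```text
# Client side: ~/.ssh/config (or /etc/ssh/ssh_config).
# EXAMPLE.ORG and *.example.org are placeholders, not real names.
Host *.example.org
    # Vanilla OpenSSH: authenticate the user with the Kerberos ticket
    # obtained via kinit (or already held by a Windows/AD login).
    # This says nothing about the server's identity: known_hosts and
    # StrictHostKeyChecking still apply to the ssh host key.
    GSSAPIAuthentication yes
    # Forward the TGT only where the remote service really needs it.
    GSSAPIDelegateCredentials no
    # Only in builds carrying the GSSAPI key exchange patch (Debian,
    # Red Hat and other distributions ship it): the server proves its
    # identity with its host/<fqdn>@EXAMPLE.ORG keytab during key
    # exchange, so the known_hosts entry is not consulted. A vanilla
    # build rejects this keyword as a "Bad configuration option".
    GSSAPIKeyExchange yes
    # Patch-only as well. Keep it off: trusting DNS to pick the service
    # principal lets a spoofed DNS answer choose which host you trust.
    GSSAPITrustDNS no

# Server side: /etc/ssh/sshd_config.
GSSAPIAuthentication yes
# Patch-only; requires host/<fqdn>@EXAMPLE.ORG in the host's keytab.
GSSAPIKeyExchange yes
```

Because an unpatched ssh refuses to start with the GSSAPIKeyExchange keyword present, that error is the quickest way to tell which of the two builds a client is running.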
