Hostbased authentication without known_hosts file?
Douglas E. Engert
deengert at anl.gov
Thu Oct 30 02:16:06 EST 2008
Sergio Gelato wrote:
> * Douglas E. Engert [2008-10-27 11:11:26 -0500]:
>> Dominik Epple wrote:
>>> On Mon, 27 Oct 2008, Damien Miller wrote:
>>> This requires the users to obtain a ticket, I guess?
>> Yes. You would need a Kerberos realm setup with users principals,and host
>> principals. Each host has to have a keytab file. One way to use this
>> is the user gets a ticket on the client, then you use the GSSAPI
>> options of ssh. There are Windows ssh clients like SecureCRT and some versions
>> of PuTTY that can do GSSAPI. Windows uses Kerberos so any AD users already
>> have tickets.
> Don't you also need Simon Wilkinson's GSSAPI key exchange patch for
> OpenSSH to bypass the known_hosts-based host key checks? It's a minor caveat
> since many distributors already apply that patch, but as far as I know
> the feature isn't included in vanilla OpenSSH yet.
That would help a lot and I wish OpenSSH would include Simon's mods,
as all the vendors we use in our environment have it.
We had tested something like this in a user's .ssh/config on the client side:
#test to not use the known host keys
where this file has no keys and has -r------- permissions only,
so sshd can not save a new key, and the next time a user goes to the
host there is no old key for sshd to check.
You should be able to put this under a Host section in the .ssh/config file
to limit to only selected hosts where you are using GSSAPI.
But I would check the man pages on this and on StrictHostKeyChecking,
Since in the environment in which I work we use GSSAPI exclusively and don't
rely on host keys.
>>> Or is there a
>>> way to do password-less, ticket-less hostbased authentication which
>>> just uses kerberos host keys instead of ssh host keys to validate
>>> the remote host?
> In principle that ought to be feasible with a helper program similar to
> ssh-keysign that accesses a keytab and uses its contents to initiate the
> GSS exchange, but I don't think anyone has implemented it yet.
> (I don't find it a particularly desirable feature: I'd rather
> authenticate the user than the client host.)
> Another solution might be for you to use rsh over IPsec (and either a
> public-key infrastructure or Kerberos to establish the security associations;
> PKI is more widely supported).
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
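The client-side trick discussed above (pointing UserKnownHostsFile at an empty, unwritable file and relaxing StrictHostKeyChecking under a Host section) only stays safe if the host is still authenticated some other way, i.e. by GSSAPI key exchange. The following audit script is an added example, not code from the thread or from OpenSSH: it parses ssh_config-style Host blocks and flags every block that relaxes host-key checking but does not also enable GSSAPIKeyExchange (the keyword added by Simon Wilkinson's patch; its presence in the config does nothing on an unpatched client). The sample config is constructed for the example, and the detection of the poster's empty read-only file variant is out of scope since it would need a filesystem check.

```python
"""Audit ssh_config Host blocks that disable known_hosts-based host checks.

Added example, not from the thread. Assumptions: standard ssh_config syntax
(Host blocks, case-insensitive keywords, first value wins) and the
GSSAPIKeyExchange keyword from the GSSAPI key exchange patch.
"""
import re

# Constructed sample client config (not from the thread).
SAMPLE_CONFIG = """
# global defaults
StrictHostKeyChecking ask

Host *.kerb.example.org
    GSSAPIAuthentication yes
    GSSAPIKeyExchange yes
    UserKnownHostsFile /dev/null
    StrictHostKeyChecking no

Host legacy.example.org
    UserKnownHostsFile /dev/null
    StrictHostKeyChecking no

Host bastion
    HostName bastion.example.org
"""

# Keyword -> predicate that is true when the value relaxes host-key checking.
RELAXING = {
    "stricthostkeychecking": lambda v: v.lower() == "no",
    "userknownhostsfile": lambda v: v.lower() == "/dev/null",
}


def parse_ssh_config(text):
    """Return a list of (host_patterns, options) blocks.

    The first block holds global options (pattern '*'). Keywords are
    lower-cased; within a block the first value for a keyword wins, as in ssh.
    """
    blocks = [(["*"], {})]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"^(\S+)\s*(?:=\s*)?(.*)$", line)
        keyword, value = m.group(1).lower(), m.group(2).strip()
        if keyword == "host":
            blocks.append((value.split(), {}))
        else:
            blocks[-1][1].setdefault(keyword, value)
    return blocks


def audit(text):
    """Flag blocks that relax host-key checks; classify by GSSAPI key exchange.

    Returns a list of dicts with the Host patterns, which relaxing options were
    set, and a risk label: 'ok-gssapi-kex' when GSSAPIKeyExchange is enabled
    (host authenticated via Kerberos on a patched client), otherwise
    'unauthenticated-host'.
    """
    findings = []
    for patterns, opts in parse_ssh_config(text):
        relaxed = [k for k, pred in RELAXING.items() if k in opts and pred(opts[k])]
        if not relaxed:
            continue
        gss_kex = opts.get("gssapikeyexchange", "no").lower() == "yes"
        findings.append({
            "host": " ".join(patterns),
            "relaxed": relaxed,
            "risk": "ok-gssapi-kex" if gss_kex else "unauthenticated-host",
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f['host']:<24} {f['risk']:<22} relaxed={','.join(f['relaxed'])}")
```

Run against a real file with `audit(open(os.path.expanduser("~/.ssh/config")).read())`; a `Host *` entry in the output means every connection has lost host authentication, which is the failure mode the thread warns about for clients without the GSSAPI key exchange patch.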