Hostbased authentication without known_hosts file?

Douglas E. Engert deengert at
Thu Oct 30 02:16:06 EST 2008

Sergio Gelato wrote:
> * Douglas E. Engert [2008-10-27 11:11:26 -0500]:
>> Dominik Epple wrote:
>>> Hi,
>>> On Mon, 27 Oct 2008, Damien Miller wrote:
>>>> Kerberos
>>> This requires the users to obtain a ticket, I guess?
>> Yes. You would need a Kerberos realm setup with users principals,and host
>> principals. Each host has to have a keytab file. One way to use this
>> is the user gets a ticket on the client, then you use the GSSAPI
>> options of ssh. There are Windows ssh clients like SecureCRT and some versions
>> of PuTTY that can do GSSAPI. Windows uses Kerberos so any AD users already
>> have tickets.
> Don't you also need Simon Wilkinson's GSSAPI key exchange patch for
> OpenSSH to bypass the known_hosts-based host key checks? It's a minor caveat
> since many distributors already apply that patch, but as far as I know
> the feature isn't included in vanilla OpenSSH yet.

That would help a lot and I wish OpenSSH would include Simon's mods,
as all the vendors we use in our environment have it.

We had tested something like this is in a user's .ssh/config on the client side:

#test to not use the known host keys
StrictHostKeyChecking no
UserKnownHostsFile /.ssh/

where this files has no keys and has -r------- permissions only.
so sshd can not save a new key, and the next time a user goes to the
host there is no old key for sshd to check.

You should be able to put this under a Host section in the .ssh/config file
to limit to only selected hosts where you are using GSSAPI.
But I would check the man pages on this  and the StrickHostKeyChecking.

Since in the environment in which I work we use GSSAPI exclusively and don't
rely on host keys.

>>> Or is there a
>>> way to do password-less, ticket-less hostbased authentication which
>>> just uses kerberos host keys instead of ssh host keys to validate
>>> the remote host?
> In principle that ought to be feasible with a helper program similar to
> ssh-keysign that accesses a keytab and uses its contents to initiate the 
> GSS exchange, but I don't think anyone has implemented it yet.
> (I don't find it a particularly desirable feature: I'd rather
> authenticate the user than the client host.)
> Another solution might be for you to use rsh over IPsec (and either a
> public-key infrastructure or Kerberos to establish the security associations;
> PKI is more widely supported). 
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the openssh-unix-dev mailing list