How to specify chost (client hostname) used for hostbased authentication?
Gert Doering
gert at greenie.muc.de
Fri Sep 5 21:10:49 AEST 2025
Hi,
On Fri, Sep 05, 2025 at 12:44:09PM +0200, Jan Schermer wrote:
> I'm sorry, I was mostly thinking out loud.
> I understand (mostly) how it technically works, but it seems a bit weird to invoke a SUID binary over client's connection backwards. I'd expect it to be a completely separate and isolated connection outside of the client's control.
The client is supposed to present credentials (= a nonce signed with
a host key) that it has no access to. So it asks a local helper binary
to produce that signature. If that binary produces a signature that
matches, the client has proof that it's "running on the host that
it claims to be".
Earlier versions tied this to "the rsh client is suid root and can connect
from a privileged port" but that's way less secure than an isolated binary
that can be well audited and does one thing only.
> It's just that the whole concept looks more like "more trustworthy identd", which would make more sense if the target (server) sshd daemon did a callback instead of how it actually works, whence my thoughts on it and I wonder if the original authors were thinking about it that way.
Identd is no more or less trustworthy than "any other root-owned binary",
but there's much more room for network interference.
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany gert at greenie.muc.de
More information about the openssh-unix-dev
mailing list