Non-interactive root access via hostbased using shosts.equiv

Joe Berry jberry02 at yahoo.com
Sat Mar 30 04:39:53 EST 2002


Hello all!

I'm looking for a solution to the following problem -
I need to be able to use OpenSSH from root on one
system to perform work on several dozen other systems
using some automation.  The restrictions that have to
be met to keep the business happy are that no
cleartext passwords or unencrypted private keys can be
stored on disk.  Since this is within an automated
environment, there is no opportunity for human
intervention to type in passwords or passphrases.

The original intent was to use host-based
authentication via the shosts.equiv file.  This is
essentially a drop-in replacement for what is already
being done, just replacing rsh with OpenSSH.  However,
OpenSSH is hard-coded to *not* check
hosts.equiv/shosts.equiv if the target uid is 0.  It
is possible to get around this by setting
"IgnoreRhosts" to no, and putting a .shosts file in
the root directory, but this has the highly undesired
side-effect of allowing users to create their own
.rhosts/.shosts files as well.

I modified the source to provide a new option
"PermitRootViaHostBased" that would permit the desired
behavior, while leaving the default behavior as-is.
But there is apparently some reluctance to add these
changes to the official source tree.

I've also suggested making the change conditional via
#ifdef blocks, but this has also met with resistance.

As things stand, I'll be forced to make this
modification locally each and every time we desire to
upgrade OpenSSH, which seems to be counter to what
open source is all about.

So it was suggested that I present the problem to this
list for any other suggestions or comments.  Any and
all comments appreciated!

Joe
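An added example, not part of the original post and not OpenSSH's own code: a small POSIX shell audit for the workaround described above (HostbasedAuthentication yes combined with IgnoreRhosts no). Two sshd_config facts drive it: keywords are case-insensitive, and sshd keeps the first value it sees for a keyword, so a later "IgnoreRhosts yes" does not undo an earlier "IgnoreRhosts no". The two configuration files are constructed here purely as sample input; the function names and the exit-status convention are this example's own.

```shell
#!/bin/sh
# Added example (not from the post or from OpenSSH). Audits an sshd_config for the
# "IgnoreRhosts no" workaround, honouring sshd's first-value-wins parsing.

# sshd_effective FILE KEYWORD DEFAULT
# Prints the effective value of KEYWORD in FILE (lower-cased), or DEFAULT if absent.
# Keywords match case-insensitively, "Keyword value" and "Keyword=value" are both
# accepted, and the first occurrence wins. Lines after a "Match" keyword are
# conditional and are deliberately not examined here.
sshd_effective() {
    awk -v kw="$2" -v def="$3" '
        BEGIN { kw = tolower(kw); found = 0 }
        { line = $0; sub(/^[ \t]+/, "", line) }
        line == "" || line ~ /^#/ { next }
        {
            sub(/[ \t]*=[ \t]*/, " ", line)
            split(line, f, /[ \t]+/)
            k = tolower(f[1])
        }
        k == "match" { exit }
        k == kw { print tolower(f[2]); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd_config FILE
# Exit status 0: per-user ~/.rhosts and ~/.shosts are not honoured.
# Exit status 1: HostbasedAuthentication is on and IgnoreRhosts is off, so every
#                user's ~/.rhosts and ~/.shosts are honoured, not just root's.
audit_sshd_config() {
    cfg="$1"
    hb=$(sshd_effective "$cfg" HostbasedAuthentication no)   # sshd default: no
    ir=$(sshd_effective "$cfg" IgnoreRhosts yes)             # sshd default: yes

    if [ "$hb" != yes ]; then
        echo "$cfg: OK - HostbasedAuthentication is '$hb'; shosts.equiv and .shosts are not consulted"
        return 0
    fi
    if [ "$ir" = no ]; then
        echo "$cfg: WARN - IgnoreRhosts no: every user's ~/.rhosts and ~/.shosts are honoured"
        return 1
    fi
    echo "$cfg: OK - IgnoreRhosts yes: only /etc/hosts.equiv and /etc/shosts.equiv apply (never for uid 0)"
    return 0
}

# Constructed sample configurations (not real files from any host).
TMPD=$(mktemp -d)
WORKAROUND_CFG="$TMPD/sshd_config.workaround"
EQUIV_ONLY_CFG="$TMPD/sshd_config.equiv_only"

cat > "$WORKAROUND_CFG" <<'EOF'
# constructed sample: the workaround from the post
HostbasedAuthentication yes
IgnoreRhosts no
# this later repeat does NOT win: sshd keeps the first value
IgnoreRhosts yes
EOF

cat > "$EQUIV_ONLY_CFG" <<'EOF'
  # constructed sample: host-based auth via shosts.equiv only
  hostbasedauthentication=yes
PermitRootLogin yes
# IgnoreRhosts is left at its default of yes
EOF

# Demo on the constructed files; a printed exit status of 1 flags the workaround.
audit_sshd_config "$WORKAROUND_CFG" || echo "exit status: $?"
audit_sshd_config "$EQUIV_ONLY_CFG" || echo "exit status: $?"
```

Run it as `sh audit.sh` to see both sample verdicts, or call `audit_sshd_config /etc/ssh/sshd_config` from a shell that has sourced the file. The second sample passes the audit but, as the post explains, still does not grant root access by host-based authentication, since sshd skips hosts.equiv and shosts.equiv entirely when the target uid is 0.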

