What you need to do is set up ssh-agent and agent forwarding to do what you want to do. ssh-agent is well documented on the web; go forth and read. Have fun.

On Fri, Apr 20, 2001 at 03:22:25PM +0200, Mario Vukelic wrote:
> Hi,
>
> please help before I tear my hair out. I'm trying to get
> RhostsRSAAuthentication to work. What I want is to be able to ssh
> between the machines on my home network without having to supply a
> passphrase/-word (also supplying it once with ssh-agent I'd like to
> avoid). The docs I've found on OpenSSH don't say much about this special
> method, but from what I gleaned from them, RhostsRSAAuthentication would
> give me what I want. However, since the info is scarce, I'm not even
> sure if it in fact does what I think it does. Although I'm on a rather
> secure home network I don't want to use RhostsAuthentication, since I
> want to learn how to configure OpenSSH properly, and rhosts-only
> authentication is insecure. Also, there's always the possibility that
> one time I'll allow ssh access from my external interface, and I don't
> want to have to reconfigure it then. In any way, if I set
> "RhostsAuthentication yes" in sshd_config it doesn't work either.
>
> This is what I've done:
>
> I've generated the host keys with
> [EMAIL PROTECTED]:/etc/ssh# ssh-keygen -t dsa -f ssh_host_dsa_key (with empty
> passphrase)
> (now send ONE's /etc/ssh/ssh_host_dsa_key.pub to [EMAIL PROTECTED])
> [EMAIL PROTECTED]:~# mv ssh_host_dsa_key.pub /etc/ssh/ssh_known_hosts2
>
> I did this for the other host, too. Then I prepared
> /etc/ssh/ssh_known_hosts2 on both hosts by adding the hostname field as
> described in man sshd (SSH_KNOWN_HOSTS FILE FORMAT).
>
> I've also generated user keys and distributed them
> [EMAIL PROTECTED]:~/.ssh$ ssh-keygen -t dsa
> (now send ~/.ssh/id_dsa.pub to [EMAIL PROTECTED])
> [EMAIL PROTECTED]:~$ mv id_dsa.pub .ssh/authorized_keys2
> (and vice versa)
>
> This is my config:
> [EMAIL PROTECTED]:/etc/ssh# cat sshd_config
> (excerpt)
> Protocol 2,1
> HostKey /etc/ssh/ssh_host_dsa_key
> IgnoreRhosts yes
> IgnoreUserKnownHosts yes
> RhostsAuthentication no
> RhostsRSAAuthentication yes
> RSAAuthentication yes
> PasswordAuthentication yes
>
> [EMAIL PROTECTED]:/etc/ssh# cat ssh_config
> (excerpt)
> Host ONE
> RhostsAuthentication no
> RhostsRSAAuthentication yes
> RSAAuthentication yes
> PasswordAuthentication yes
> FallBackToRsh no
> UseRsh no
> IdentityFile ~/.ssh/id_dsa
> Protocol 2,1
>
> [EMAIL PROTECTED]:/etc# cat hosts.equiv
> +TWO
> [EMAIL PROTECTED]:/etc# ls -l hosts.equiv
> -rw-r--r-- 1 root root 13 Apr 20 12:17 ../hosts.equiv
>
> [EMAIL PROTECTED]:/etc# cat hosts.equiv
> +ONE
> [EMAIL PROTECTED]:/etc# ls -l hosts.equiv
> -rw-r--r-- 1 root root 13 Apr 20 12:18 ../hosts.equiv
>
> Now I can ssh from TWO to ONE, and the host is already known to ssh,
> although there is no ~/.ssh/known_hosts2. Therefore I think that the
> host keys work. However, I still get asked for authentication:
> [EMAIL PROTECTED]:~$ ls .ssh
> authorized_keys2 id_dsa id_dsa.pub
> [EMAIL PROTECTED]:~$ ssh ONE
> Enter passphrase for key '/home/user/.ssh/id_dsa':[Enter]
> [EMAIL PROTECTED]'s password:[Enter]
> Permission denied, please try again.
> [EMAIL PROTECTED]'s password:[Enter]
> Permission denied, please try again.
> [EMAIL PROTECTED]'s password:[Enter]
> Permission denied (publickey,password).
> [EMAIL PROTECTED]:~$
>
>
> It would be very nice if someone reviewed my config and told me if I've
> committed mistakes somewhere (I'm afraid I wouldn't see it myself by now,
> I'm already a bit dizzy after staring at the config files for hours).
> Do I need a /etc/ssh/authorized_keys2, too? That is not mentioned in man
> sshd, but still.
> Any input is greatly appreciated.
>
> --
>
> I did not vote for the Austrian government
>
>
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
>
>

--
Random numbers are to computers what freewill is to humans. RAH

I'm afraid it is you who are mistaken about a great many things. Palpatine
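
An added example, not part of either message and not OpenSSH code: it takes the authentication-related lines of the two config excerpts quoted above and reports which enabled directives apply to the protocol version the client and server would settle on. The per-directive protocol scope table is an assumption taken from the OpenSSH ssh_config(5) and sshd_config(5) man pages, and the function names are made up for illustration.

```python
# Added example. Assumption: the protocol scope of each directive follows
# the OpenSSH ssh_config(5)/sshd_config(5) man pages, not the thread.
SCOPE = {
    "rhostsauthentication": {1},
    "rhostsrsaauthentication": {1},
    "rsaauthentication": {1},
    "hostbasedauthentication": {2},
    "pubkeyauthentication": {2},
    "passwordauthentication": {1, 2},
}

# Authentication-related lines copied from the quoted excerpts.
SSHD = """Protocol 2,1
RhostsAuthentication no
RhostsRSAAuthentication yes
RSAAuthentication yes
PasswordAuthentication yes"""
SSH = """Host ONE
RhostsAuthentication no
RhostsRSAAuthentication yes
RSAAuthentication yes
PasswordAuthentication yes
Protocol 2,1"""

def parse(text):
    """Return {lowercased keyword: value}; the first occurrence wins."""
    conf = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2:
            conf.setdefault(parts[0].lower(), parts[1].strip())
    return conf

def negotiated(client, server):
    """First version in the client's ordered list that the server also offers."""
    offered = [int(v) for v in server["protocol"].split(",")]
    return next(int(v) for v in client["protocol"].split(",") if int(v) in offered)

def split_enabled(conf, version):
    """Enabled auth directives that apply to `version`, and those that do not."""
    on = sorted(k for k, v in conf.items() if k in SCOPE and v.lower() == "yes")
    return ([k for k in on if version in SCOPE[k]],
            [k for k in on if version not in SCOPE[k]])

if __name__ == "__main__":
    v = negotiated(parse(SSH), parse(SSHD))
    for name, text in (("ssh_config", SSH), ("sshd_config", SSHD)):
        print(f"protocol {v}, {name}:", *split_enabled(parse(text), v))
```

For these excerpts the negotiated version is 2, and the second list returned for each file names the enabled directives that the scope table marks as protocol 1 only.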