John Blinka wrote:
> Hi, folks,
>
> I'd like to get host based ssh authentication working within
> all the gentoo boxes on my home network. I've had no
> success yet - I hope someone can enlighten me!
>
> What I've done so far on the server side is:
>
> set HostbasedAuthentication yes in sshd_config
> set HostbasedAuthentication yes in ssh_config
> added /etc/ssh/shosts.equiv containing names of client boxes
> added /etc/ssh/ssh_known_hosts containing public host keys of
> client boxes
>
> Client boxes are configured similarly.
>
> When I try to ssh from one box to another, I always get a request
> for a password, which is what I'm trying to avoid.
If you just want to be able to log into each system without using a
password, why not set up publickey authentication instead of
hostbased? The principle is essentially the same, except the
authentication key is tied to the user instead of the system.
>
> Below is an excerpt from an attempt to ssh from one box to another
> while requesting the maximum amount of debugging info. It looks
> like ssh is trying to use host based authentication, but for some
> reason it fails. I'd appreciate any ideas about what might be
> going wrong.
[ .... SNIP SSH DEBUG INFO .... ]
I haven't done too much hostbased authentication, because it's
historically insecure. But if I understand the man page correctly,
the following needs to be in place:
1. Assumption: "myserver" is the ssh server, and "tobey" is the ssh
client.
2. "tobey" must be in /etc/hosts.equiv or /etc/ssh/shosts.equiv on
"myserver"
3. a. The current user attempting to login to myserver from tobey
must exist on myserver and is the account being logged into through
the ssh session OR
b. the account being logged into on myserver must have a
~/.rhosts or ~/.shosts file containing the name of the ssh client
(tobey) in its home directory
4. tobey's host key must be located in /etc/ssh/ssh_known_hosts
and/or ~/.ssh/known_hosts on myserver
Please verify that you have all of the above set up for each client
and server pair. You might be better off trying one system as the
server and one system as the client until you are able to get a
successful connection.
--
gentux
echo "hfouvyyAhnbjm/dpn" | perl -pe 's/(.)/chr(ord($1)-1)/ge'
gentux's gpg fingerprint ==> 5495 0388 67FF 0B89 1239 D840 4CF0 39E2 18D3 4A9E
--
[email protected] mailing list
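The four requirements gentux lists above are exactly the files sshd consults, so the quickest way to find out why a box still asks for a password is to check them mechanically for one client/server/user triple. The script below is an added example written for this page, not code from the thread or from OpenSSH. It takes a root prefix so it can be run offline against a scratch tree (the `demo` function builds one, with constructed config files and a dummy host key, modelled on the mail's "tobey" and "myserver") or against a live server with an empty prefix. Beyond the mail's list it encodes three OpenSSH rules that are common reasons for the failure described: `hosts.equiv`/`shosts.equiv` are never honoured for root, `~/.shosts`/`~/.rhosts` are ignored unless `sshd_config` sets `IgnoreRhosts no` (the default is `yes`), and the client side needs `EnableSSHKeysign yes` in `ssh_config` so `ssh-keysign` can sign with the host key. The hostname, user and home-directory arguments are placeholders; hashed (`|1|...`) known_hosts lines are skipped rather than matched.

```shell
#!/bin/sh
# Added example for this page (not from the mailing-list thread or from
# OpenSSH): a checklist for the files sshd and ssh consult during hostbased
# authentication.  All paths hang off a ROOT prefix so the checks can be run
# against a scratch tree; pass "" as ROOT for the live system.
# Rules applied (from the sshd_config/ssh_config manuals, not from the mail):
#   - shosts.equiv / hosts.equiv are only used when the remote and local user
#     names match (the mail's step 3a) and never for root;
#   - ~/.shosts / ~/.rhosts (step 3b) are ignored unless IgnoreRhosts is "no";
#   - the client needs HostbasedAuthentication yes AND EnableSSHKeysign yes;
#   - only unhashed known_hosts lines are matched; hashed ones are skipped.

# config_value FILE KEYWORD -> prints the winning (first) value, lowercased,
# stopping at the first Match block; returns 1 if FILE is unreadable.
config_value() {
    [ -r "$1" ] || return 1
    awk -v k="$2" '
        tolower($1) == "match"     { exit }
        tolower($1) == tolower(k)  { print tolower($2); exit }' "$1"
}

# host_listed FILE HOST -> 0 if a non-comment line names HOST in field 1
host_listed() {
    [ -r "$1" ] && awk -v h="$2" '
        $1 !~ /^#/ && $1 == h { found = 1 }
        END { exit !found }' "$1"
}

# hostkey_known FILE HOST -> 0 if an unhashed known_hosts line covers HOST
# (field 1 is a comma-separated list of names/addresses)
hostkey_known() {
    [ -r "$1" ] && awk -v h="$2" '
        $1 ~ /^[#|@]/ { next }                  # comments, hashed, @markers
        { n = split($1, names, ",")
          for (i = 1; i <= n; i++) if (names[i] == h) found = 1 }
        END { exit !found }' "$1"
}

# check_server ROOT CLIENT USER HOME -> prints every failed requirement,
# returns 0 only if the server side is complete for that client and user
check_server() {
    root=$1 client=$2 user=$3 home=$4 rc=0
    sshd="$root/etc/ssh/sshd_config"
    [ "$(config_value "$sshd" HostbasedAuthentication)" = yes ] ||
        { echo "server: HostbasedAuthentication is not 'yes' in $sshd"; rc=1; }

    if [ "$user" != root ] &&
       { host_listed "$root/etc/ssh/shosts.equiv" "$client" ||
         host_listed "$root/etc/hosts.equiv" "$client"; }; then
        :   # system-wide trust: steps 2 + 3a (same user name on both ends)
    elif host_listed "$home/.shosts" "$client" ||
         host_listed "$home/.rhosts" "$client"; then
        # step 3b, honoured only when IgnoreRhosts has been switched off
        [ "$(config_value "$sshd" IgnoreRhosts)" = no ] ||
            { echo "server: $home/.shosts|.rhosts lists $client but IgnoreRhosts is not 'no' (default yes)"; rc=1; }
    else
        echo "server: $client is not trusted for user $user (no shosts.equiv, hosts.equiv, .shosts or .rhosts entry)"
        rc=1
    fi

    hostkey_known "$root/etc/ssh/ssh_known_hosts" "$client" ||
        hostkey_known "$home/.ssh/known_hosts" "$client" ||
        { echo "server: no host key for $client in ssh_known_hosts or $home/.ssh/known_hosts (step 4)"; rc=1; }
    return $rc
}

# check_client ROOT -> the two ssh_config settings the client side needs
check_client() {
    cfg="$1/etc/ssh/ssh_config" rc=0
    [ "$(config_value "$cfg" HostbasedAuthentication)" = yes ] ||
        { echo "client: HostbasedAuthentication is not 'yes' in $cfg"; rc=1; }
    [ "$(config_value "$cfg" EnableSSHKeysign)" = yes ] ||
        { echo "client: EnableSSHKeysign is not 'yes' in $cfg, so ssh-keysign cannot sign with the host key"; rc=1; }
    return $rc
}

# demo: constructed scratch tree mirroring the mail's setup (server "myserver",
# client "tobey", user "john") with one deliberate gap on the client side.
# The key material is a dummy string, not a real host key.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/ssh" "$t/home/john"
    printf 'HostbasedAuthentication yes\n' > "$t/etc/ssh/sshd_config"
    printf 'tobey.home.lan\n' > "$t/etc/ssh/shosts.equiv"
    printf 'tobey.home.lan,tobey ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDUMMYKEY\n' \
        > "$t/etc/ssh/ssh_known_hosts"
    printf 'Host *\n    HostbasedAuthentication yes\n' > "$t/etc/ssh/ssh_config"
    if check_server "$t" tobey.home.lan john "$t/home/john"; then s=0; else s=$?; fi
    if check_client "$t"; then c=0; else c=$?; fi
    rm -rf "$t"
    return $((s + c))   # non-zero: the demo tree is missing EnableSSHKeysign
}

demo
```

Two caveats when running this against real hosts. sshd derives the client name from a reverse lookup of the connecting address (unless `HostbasedUsesNameFromPacketOnly` is set), so the name in `shosts.equiv` and `ssh_known_hosts` must be the one that lookup returns, usually the FQDN, not the short name the client thinks it has. And for hashed known_hosts lines, which this script skips, `ssh-keygen -F <host> -f /etc/ssh/ssh_known_hosts` performs the lookup sshd would. The "historically insecure" point in the reply is the flip side of these files: whoever controls a listed client host, or its reverse DNS, gets every account that trusts it, which is why per-user publickey auth is the usual recommendation.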