SSH with host-based authentication
2006 November 19 19:13
Posted by diamond in: Skynet
The documentation for this appears to be badly scattered, so I thought I’d collect the bits I’d found. The most useful reference by far was, unsurprisingly, on the website of an O’Reilly book: SSH: The Secure Shell (The Definitive Guide). However, it’s slightly out of date, and doesn’t cover one of the important steps.
What I wanted to do was allow any user on host A to ssh to host B using ssh v2 and be automatically logged in. So, these are the steps I took:
- On A, I added the following to /etc/ssh/ssh_config:
Host *
EnableSSHKeysign yes
Host B.example.com
HostbasedAuthentication yes
- Also on A, I made sure that ssh-keysign was installed and suid root
-rwsr-xr-x 1 root root 131640 2006-10-31 23:03 /usr/lib/ssh-keysign
- On B, I set the following config options in /etc/ssh/sshd_config:
IgnoreRhosts yes
HostbasedAuthentication yes
Remember to reload the sshd config after editing.
- On B, I added the fqdn of A to /etc/ssh/shosts.equiv:
A.example.com
- On B, I used the following to add the public RSA key of A to ssh_known_hosts:
ssh-keyscan -vt dsa A.example.com >> /etc/ssh/ssh_known_hosts
Note: ssh-keyscan does not authenticate the keys it fetches, so check the fingerprint against the key on A itself before relying on it.
Note: the fqdn of A used above has to be the same as the result of a reverse dns lookup on its IP.
And that’s all folks.
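
The server-side steps above can be checked mechanically. The script below is an added example, not part of the original post: it audits host B's files for a given client name. The function names and the directory argument are assumptions made for illustration, and it reads only whitespace-separated sshd_config lines outside Match blocks and unhashed known_hosts entries.

```shell
#!/bin/sh
# Added example: audit host B's files for the setup described above.
# Usage: sh check_hostbased.sh DIR CLIENT_FQDN   (DIR is normally /etc/ssh)

# First value of an sshd_config keyword. Keywords are case-insensitive and
# the first occurrence wins; "Keyword=value" lines and Match blocks are
# not interpreted here.
sshd_opt() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        NF == 0 || $1 ~ /^#/ { next }
        tolower($1) == k { print tolower($2); exit }' "$1" 2>/dev/null
}

# Succeeds if FILE has an unhashed known_hosts line whose comma-separated
# host field contains HOST exactly (hashed "|1|..." entries are skipped).
known_host() {
    awk -v h="$2" '
        NF == 0 || $1 ~ /^#/ { next }
        { n = split($1, a, ","); for (i = 1; i <= n; i++) if (a[i] == h) f = 1 }
        END { exit !f }' "$1" 2>/dev/null
}

# Prints one line per problem; returns 0 only when every check passes.
check_hostbased() {
    dir=$1 client=$2 rc=0
    [ "$(sshd_opt "$dir/sshd_config" HostbasedAuthentication)" = yes ] ||
        { echo "sshd_config: HostbasedAuthentication is not yes"; rc=1; }
    [ "$(sshd_opt "$dir/sshd_config" IgnoreRhosts)" = yes ] ||
        { echo "sshd_config: IgnoreRhosts is not yes"; rc=1; }
    # shosts.equiv: the client name must appear as a line of its own,
    # spelled exactly as in ssh_known_hosts.
    grep -qxF "$client" "$dir/shosts.equiv" 2>/dev/null ||
        { echo "shosts.equiv: no line for $client"; rc=1; }
    known_host "$dir/ssh_known_hosts" "$client" ||
        { echo "ssh_known_hosts: no key for $client"; rc=1; }
    return $rc
}

if [ $# -eq 2 ]; then check_hostbased "$1" "$2"; fi
```

On a live server, `sshd -T` run as root prints the effective configuration and is the authoritative check for the two sshd_config options.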

Comments»
There was a discrepancy between dsa and rsa keys IMO. Although going via ssh would log in fine without prompting to accept a key, in order to get pine to autologin, an rsa key had to be added.
On host A:
ssh-keyscan -vt rsa B.example.com >> /etc/ssh/ssh_known_hosts
That worked it -)