Hi,

is it possible to use SSHFP DNS records to enable password-free host-based login?

What I already got working is to use SSHFP DNS records to verify the server host keys.

debug1: found 2 secure fingerprints in DNS
debug1: matching host key fingerprint found in DNS

But hostbased login does not work and I still need to supply a password to log in. (Or to configure a known_hosts file on the server where my host key can be checked. But it is exactly this file that I want to get rid of because keeping this file up to date on a large cluster is a pain.)

Or is this impossible by design because only fingerprints are stored in SSHFP records, and not the public keys themselves?

Regards,
Dominik

On Fri, 17 Oct 2008, Dominik Epple wrote:

> Hi,
>
> is it possible to use SSHFP DNS records to enable password-free
> host-based login?

No - SSHFP is currently only used to publicise the server's key to the client and can't be used to identify the client to the server. It might be possible to adapt it for use by hostbased authentication, but I don't think there is much sense in extending it until DNSSEC is deployed more extensively.

-d
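
Added example, not part of the original thread: a simplified Python model of the client-side check behind the two debug lines quoted in the first message. It shows that an SSHFP record carries only a digest of the server's public key blob, which the client compares with the key the server presents. The sample keys and host names are constructed, and the "trusted"/"ask" results are a simplified stand-in for how a client treats DNSSEC-validated versus unvalidated answers.

```python
import base64
import hashlib
import hmac
import struct

# SSHFP key algorithm numbers (RFC 4255, RFC 6594, RFC 7479)
KEY_ALG = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3, "ssh-ed25519": 4}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256
FP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}

def sshfp_rdata(pubkey_line, fp_type=2):
    """Build SSHFP RDATA text from an OpenSSH public key line ("type base64 [comment]")."""
    key_type, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    return f"{KEY_ALG[key_type]} {fp_type} {FP_HASH[fp_type](blob).hexdigest()}"

def check_host_key(pubkey_line, rdatas, dnssec_validated):
    """Compare a key offered by the server with SSHFP RDATA strings from DNS.

    Returns "trusted" (match, answer validated by DNSSEC), "ask" (match, but the
    answer was not validated, so the user must confirm), or "mismatch".
    """
    key_type, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    for rdata in rdatas:
        alg, fp_type, hexfp = rdata.split(None, 2)
        hash_fn = FP_HASH.get(int(fp_type))
        if hash_fn is None or int(alg) != KEY_ALG.get(key_type):
            continue  # unknown fingerprint type, or record is for another key algorithm
        want = bytes.fromhex(hexfp.replace(" ", ""))
        if hmac.compare_digest(hash_fn(blob).digest(), want):
            return "trusted" if dnssec_validated else "ask"
    return "mismatch"

def make_ed25519_line(raw32, comment):
    """Constructed sample: wrap 32 bytes in the ssh-ed25519 public key blob format."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(raw32)) + raw32
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"

# Constructed sample keys (arbitrary bytes, not real key material)
SERVER_KEY = make_ed25519_line(bytes(range(32)), "server.example")
OTHER_KEY = make_ed25519_line(bytes(range(1, 33)), "other.example")
DNS_RECORDS = [sshfp_rdata(SERVER_KEY, 1), sshfp_rdata(SERVER_KEY, 2)]

if __name__ == "__main__":
    print(DNS_RECORDS, check_host_key(SERVER_KEY, DNS_RECORDS, True))
```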