Carson Gaspar
2001-Apr-25 07:27 UTC
Case study of new possibilities with PartialAuth and HostbasedAuth
Finally all the pieces are in place to allow strong user and host authentication with SSH2 and the latest OpenSSH code (plus my partial auth patch). Herein I describe one problem case, and a possible solution thereof.

Target: Allow user logins from host charles to host steve using passwords

Previously, you would have had to trust the IP headers to authenticate charles. If charles had a dynamic IP address, or was behind dynamic NAT or a non-transparent firewall, you lost. If someone could spoof charles' IP address, you lost. Now, you can solve this securely (assuming charles' host security is good!).

On steve:

sshd_config:

    HostbasedAuthentication yes
    HostbasedUsesNameFromPacketOnly yes
    PasswordAuthentication yes
    # if you don't want users to add clients, you either need to stop parsing .[rs]hosts
    IgnoreRhosts yes
    # or control which hosts have trusted keys with
    IgnoreUserKnownHosts yes
    # or both
    AuthOrder2 hostbased:password

ssh_known_hosts2:

    charles.dom.ain.,charles.dom.ain ssh-dss [charles_dsa_public_key]

shosts.equiv:

    charles.dom.ain
    charles.dom.ain.

NOTE: trailing dot form included in ssh_known_hosts2 and shosts.equiv to work around a bug in the current codebase.

On charles:

ssh must have access to ssh_host_dsa_key. For now this means ssh must be setuid root.

ssh_config:

    Host steve
        HostbasedAuthentication yes
        PasswordAuthentication yes

At this point, you should be good to go!

--
Carson Gaspar - carson at taltos.org
Queen trapped in a butch body
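A consistency check for steve's three server-side files, as an added example that is not part of the original post: it assumes the AuthOrder2 directive from the author's partial-auth patch and uses constructed sample files that mirror the configuration above, reporting a missing directive, user-editable trust lists still honoured, a host trusted in shosts.equiv without a key in ssh_known_hosts2, or a host listed without its trailing-dot twin.

```python
"""Consistency check for the hostbased+password setup described above (added
example, not from the post; AuthOrder2 is from the author's partial-auth patch)."""

def parse_sshd_config(text):
    """Lower-cased directive -> value, skipping comments and blank lines."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            opts[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return opts

def parse_known_hosts(text):
    """Host names that carry a key: first field of each entry, comma-separated."""
    hosts = set()
    for fields in (l.split() for l in text.splitlines()):
        if len(fields) >= 3 and not fields[0].startswith("#"):
            hosts.update(fields[0].split(","))
    return hosts

def check_hostbased_setup(sshd_config, known_hosts, shosts_equiv):
    """Return a list of findings for steve's three files; empty means consistent."""
    opts, findings = parse_sshd_config(sshd_config), []
    for d in ("HostbasedAuthentication", "HostbasedUsesNameFromPacketOnly",
              "PasswordAuthentication"):
        if opts.get(d.lower()) != "yes":
            findings.append(f"{d} is not 'yes'")
    if not {"hostbased", "password"} <= set(opts.get("authorder2", "").split(":")):
        findings.append("AuthOrder2 does not require both hostbased and password")
    if opts.get("ignorerhosts") != "yes" and opts.get("ignoreuserknownhosts") != "yes":
        findings.append("users can add trusted clients via ~/.shosts or ~/.ssh/known_hosts2")
    keyed = parse_known_hosts(known_hosts)
    trusted = {l.strip() for l in shosts_equiv.splitlines() if l.strip()}
    for host in sorted(trusted - keyed):
        findings.append(f"{host}: trusted in shosts.equiv but has no key in ssh_known_hosts2")
    for host in sorted(trusted):  # the trailing-dot workaround the post mentions
        twin = host[:-1] if host.endswith(".") else host + "."
        if twin not in trusted:
            findings.append(f"{host}: listed without its trailing-dot twin {twin}")
    return findings

# Constructed sample files reproducing the post's configuration of steve.
SAMPLE_SSHD_CONFIG = ("HostbasedAuthentication yes\nHostbasedUsesNameFromPacketOnly yes\n"
                      "PasswordAuthentication yes\nIgnoreRhosts yes\nIgnoreUserKnownHosts yes\n"
                      "AuthOrder2 hostbased:password\n")
SAMPLE_KNOWN_HOSTS = "charles.dom.ain.,charles.dom.ain ssh-dss AAAA...placeholder_key\n"
SAMPLE_SHOSTS_EQUIV = "charles.dom.ain\ncharles.dom.ain.\n"
```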