How do you enable hostbased authentication in OpenSSH?

I have two Red Hat 7.3 machines running openssh-3.4p1, and I would like to
be able to ssh from either of the machines to the other, as any user,
without using passwords or per-user keys.

My /etc/ssh/sshd_config contains:
[...]
IgnoreRhosts no
HostbasedAuthentication yes
[...]

My /etc/ssh/ssh_config contains:
[...]
HostbasedAuthentication yes
[...]

I created the known hosts file like so:
box1# cd /etc/ssh
box1# cp ssh_host_dsa_key.pub ssh_known_hosts2

I replicated the config directory:

box2# rm -rf /etc/ssh
box2# mkdir /etc/ssh
box2# chown 0755 /etc/ssh
box2# rcp box1:/etc/ssh/* /etc/ssh

I restarted the daemons:

box1# /sbin/service sshd restart
box2# /sbin/service sshd restart

Here's the client debugging output:

[...]
debug1: authentications that can continue: publickey,password,hostbased
debug1: next auth method to try is hostbased
debug1: Remote: Accepted by .rhosts.
debug1: Remote: Accepted host ohm-master1 ip 192.168.1.1 client_user root server_user root
debug1: authentications that can continue: publickey,password,hostbased
debug1: Remote: Accepted by .rhosts.
debug1: Remote: Accepted host ohm-master1 ip 192.168.1.1 client_user root server_user root
debug1: authentications that can continue: publickey,password,hostbased
debug1: userauth_hostbased: no more client hostkeys
debug1: next auth method to try is publickey
debug1: try privkey: /root/.ssh/identity
debug1: try privkey: /root/.ssh/id_rsa
debug1: try privkey: /root/.ssh/id_dsa
debug1: next auth method to try is password
root at m2's password:

What did I miss?

--
Kevin DeGraaf

On Fri, 19 Jul 2002, Kevin DeGraaf wrote:

> How do you enable hostbased authentication in OpenSSH?
>
> I have two Red Hat 7.3 machines running openssh-3.4p1, and I would like to
> be able to ssh from either of the machines to the other, as any user,
> without using passwords or per-user keys.
>
> My /etc/ssh/sshd_config contains:
> [...]
> IgnoreRhosts no
> HostbasedAuthentication yes
> [...]
>
> My /etc/ssh/ssh_config contains:
> [...]

Host *
  HostbasedAuthentication yes

or

Host box1
  HostName box1.kevindegraaf.net
  HostbasedAuthentication yes
Host box2
  HostName box2.kevindegraaf.net
  HostbasedAuthentication yes

> HostbasedAuthentication yes
> [...]
>
> I created the known hosts file like so:
> box1# cd /etc/ssh
> box1# cp ssh_host_dsa_key.pub ssh_known_hosts2

Use ssh_known_hosts
You will have to edit ssh_known_hosts
It will look like

box1,box1.kevindegraaf.net,192.168.99.1 ssh-dss _box1's_key_here
box2,box2.kevindegraaf.net,192.168.99.2 ssh-dss _box2's_key_here

Now the shosts.equiv file (does not need to be world readable)

box1.kevindegraaf.net
box2.kevindegraaf.net

>
> I replicated the config directory:
>
> box2# rm -rf /etc/ssh
> box2# mkdir /etc/ssh
> box2# chown 0755 /etc/ssh
> box2# rcp box1:/etc/ssh/* /etc/ssh

Not quite what you wanted to do.
To fix box2, remove the keys and generate new keys.
Each machine must have different keys.
Now put the public key from all your machines in ssh_known_hosts
and distribute ssh_known_hosts and shosts.equiv to each machine.

--
Tim Rice                Multitalents    (707) 887-1469
tim at multitalents.net
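
Added example (not part of either message above, and not OpenSSH's own tooling): a shell sketch of the last step in the reply. It assembles ssh_known_hosts and shosts.equiv from each machine's public host key and flags two machines sharing one key, which is what copying /etc/ssh from box1 to box2 produces. The function names and key blobs are constructed for illustration; host names and addresses are the ones used in the reply.

```shell
#!/bin/sh
# Added example; function names are hypothetical, key blobs are constructed.

# make_known_hosts_line NAMES PUBKEY_FILE
# NAMES: comma-separated names/addresses of one host.
# PUBKEY_FILE: that host's ssh_host_dsa_key.pub ("type base64 [comment]").
make_known_hosts_line() {
    awk -v names="$1" 'NF >= 2 { print names, $1, $2; exit }' "$2"
}

# duplicate_keys KNOWN_HOSTS: report entries with an already-seen key.
# Returns 0 when every host has its own key, 1 otherwise.
duplicate_keys() {
    awk '
        /^#/ || NF < 3 { next }
        { k = $2 " " $3
          if (k in seen) { print seen[k] " and " $1 " share a host key"; dup = 1 }
          else seen[k] = $1 }
        END { exit dup + 0 }
    ' "$1"
}

# shosts_equiv_names KNOWN_HOSTS: one fully qualified name per entry
# (first name containing a dot and a letter, so bare IPs are skipped).
shosts_equiv_names() {
    awk '
        /^#/ || NF < 3 { next }
        { n = split($1, a, ",")
          for (i = 1; i <= n; i++)
              if (a[i] ~ /\./ && a[i] ~ /[A-Za-z]/) { print a[i]; break } }
    ' "$1"
}

demo() {
    d=$(mktemp -d) || return 1
    # Constructed key blobs, not real keys; box2.pub is a copy of box1.pub.
    echo 'ssh-dss AAAAconstructedBOX1 root@box1' > "$d/box1.pub"
    cp "$d/box1.pub" "$d/box2.pub"
    { make_known_hosts_line box1,box1.kevindegraaf.net,192.168.99.1 "$d/box1.pub"
      make_known_hosts_line box2,box2.kevindegraaf.net,192.168.99.2 "$d/box2.pub"
    } > "$d/ssh_known_hosts"
    if duplicate_keys "$d/ssh_known_hosts"; then
        shosts_equiv_names "$d/ssh_known_hosts" > "$d/shosts.equiv"
    else
        echo "regenerate host keys before distributing these files" >&2
    fi
    rm -rf "$d"
}
demo
```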