It looks like host based authentication will not work if you
attempt to set EnableSSHKeysign on a per host basis.

Ie. This does not work.
-------
Host ou8
    HostName ou8.somedomain.com
    HostbasedAuthentication yes
    EnableSSHKeysign yes
    NoHostAuthenticationForLocalhost yes
-------

Unless you also add
-----
Host *
    EnableSSHKeysign yes
-----

Is this the intended behavior?

--
Tim Rice    Multitalents    (707) 887-1469
tim at multitalents.net

ssh-keysign doesn't know the host => only
...
Host *
    EnableSSHKeysign yes
...
in "host_config_file (.../ssh_config)" is valid.

Tim Rice wrote:
>It looks like host based authentication will not work if you
>attempt to set EnableSSHKeysign on a per host basis.
>
>Ie. This does not work.
>-------
>Host ou8
>    HostName ou8.somedomain.com
>    HostbasedAuthentication yes
>    EnableSSHKeysign yes
>    NoHostAuthenticationForLocalhost yes
>-------
>
>Unless you also add
>-----
>Host *
>    EnableSSHKeysign yes
>-----
>
>Is this the intended behavior?
>Yes.

yes, it's intentional. ssh-keysign does not know the target host.
EnableSSHKeysign is intended to protect the private host key.
perhaps this should be better documented...

On Mon, Oct 06, 2003 at 09:59:26PM -0700, Tim Rice wrote:
>
> It looks like host based authentication will not work if you
> attempt to set EnableSSHKeysign on a per host basis.
>
> Ie. This does not work.
> -------
> Host ou8
>     HostName ou8.somedomain.com
>     HostbasedAuthentication yes
>     EnableSSHKeysign yes
>     NoHostAuthenticationForLocalhost yes
> -------
>
> Unless you also add
> -----
> Host *
>     EnableSSHKeysign yes
> -----
>
> Is this the intended behavior?
>
> --
> Tim Rice    Multitalents    (707) 887-1469
> tim at multitalents.net
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
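
An added example, not part of the thread and not OpenSSH code: a small Python check that reads ssh_config text and reports whether EnableSSHKeysign is set where ssh-keysign can see it (before any Host line or under "Host *"), as the replies above describe. The function names are hypothetical, and Match blocks and negated patterns are treated as host-specific for simplicity.

```python
import re

# Constructed sample: the per-host stanza quoted in the thread.
PER_HOST = """\
Host ou8
    HostName ou8.somedomain.com
    HostbasedAuthentication yes
    EnableSSHKeysign yes
    NoHostAuthenticationForLocalhost yes
"""
WITH_GLOBAL = PER_HOST + "Host *\n    EnableSSHKeysign yes\n"

def parse_blocks(text):
    """Split ssh_config text into [(host_patterns or None, {keyword: value})]."""
    blocks = [(None, {})]                      # None = lines before any Host
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # "K v" or "K=v"
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key in ("host", "match"):
            blocks.append((value.split() if key == "host" else ["<match>"], {}))
        else:
            blocks[-1][1].setdefault(key, value)   # first value obtained wins
    return blocks

def is_non_host_specific(patterns):
    # Simplification (assumption): Match blocks and negated patterns count
    # as host-specific; only the leading section and "Host *" are global.
    if patterns is None:
        return True
    return "*" in patterns and not any(p.startswith("!") for p in patterns)

def check_keysign(text):
    """Return (enabled_for_ssh_keysign, host_blocks_where_setting_is_ignored)."""
    enabled, ignored = None, []
    for patterns, opts in parse_blocks(text):
        value = opts.get("enablesshkeysign", "").lower()
        if not value:
            continue
        if is_non_host_specific(patterns):
            if enabled is None:
                enabled = (value == "yes")
        elif value == "yes":
            ignored.append(" ".join(patterns))
    return bool(enabled), ignored

if __name__ == "__main__":
    for name, cfg in (("per-host only", PER_HOST), ("with Host *", WITH_GLOBAL)):
        print(name, check_keysign(cfg))
```

Run it over the contents of the system-wide ssh_config; a result of False with a non-empty second element is the situation reported in the first message.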