Hi,

is there any way to use hostbased authentication without the need to have the SSH host keys stored in a known_hosts file?

We run a large cluster where we need to have passwordless remote login available. We currently do that with hostbased SSH authentication. But it is error-prone and a lot of work to keep the known_hosts file up to date on all hosts. (This is the same situation as DNS vs /etc/hosts and LDAP vs /etc/passwd, and so on.)

We know of the possibility to store SSH fingerprints in SSHFP records in DNS. But this currently does not allow hostbased authentication, it only allows the client to verify the server's host key.

Is there any other possibility?

Thanks in advance,
Dominik
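A practical note on the question above, with an added example that is not code from the thread: for hostbased authentication sshd looks the *client's* host key up in /etc/ssh/ssh_known_hosts (or the user's known_hosts) and never consults DNS; VerifyHostKeyDNS and SSHFP only act on the client side when it verifies the server. So the file cannot be avoided, but regenerating it centrally can be turned from blind trust-on-first-use (plain ssh-keyscan) into a verification step by checking every scanned key against the host's SSHFP record before it is accepted. The script below does that; it assumes GNU or busybox coreutils (base64 -d, sha1sum, sha256sum), dig and ssh-keyscan, and the host names and the sample key blob are constructed placeholders. Ed25519 and SHA-256 SSHFP types postdate this 2008 thread but follow the same record format.

```shell
#!/bin/sh
# Added example, not code from the thread. Regenerates an ssh_known_hosts file
# for hostbased authentication from ssh-keyscan output, keeping only keys that
# match the host's SSHFP record in DNS. sshd checks the *client's* host key
# against /etc/ssh/ssh_known_hosts and never consults DNS, so the file cannot
# be avoided; this makes rebuilding it a verification step instead of
# trust-on-first-use. Assumes GNU/busybox coreutils (base64 -d, sha1sum,
# sha256sum), dig and ssh-keyscan; host names are placeholders.

# OpenSSH key type -> SSHFP algorithm number (RFC 4255, 6594, 7479).
sshfp_alg() {
    case "$1" in
        ssh-rsa)       echo 1 ;;
        ssh-dss)       echo 2 ;;
        ecdsa-sha2-*)  echo 3 ;;
        ssh-ed25519)   echo 4 ;;
        *)             return 1 ;;
    esac
}

# SSHFP fingerprint of a base64 key blob: $1 = blob, $2 = fptype (1 SHA-1, 2 SHA-256).
# The hash covers the decoded blob, i.e. the key as sent in the SSH key exchange.
sshfp_hex() {
    case "$2" in
        1) printf '%s' "$1" | base64 -d | sha1sum   | cut -d' ' -f1 ;;
        2) printf '%s' "$1" | base64 -d | sha256sum | cut -d' ' -f1 ;;
        *) return 1 ;;
    esac
}

# $1 = one known_hosts line "host keytype base64 [comment]"; stdin = SSHFP RRs
# as "alg fptype hex" lines (what `dig +short SSHFP host` prints; dig may
# upper-case the hex and split it with a space, so both are normalised).
# Prints "ok" and returns 0 if any record matches, else "mismatch" / 1.
check_sshfp() {
    ktype=$(printf '%s\n' "$1" | awk '{print $2}')
    blob=$(printf '%s\n' "$1" | awk '{print $3}')
    alg=$(sshfp_alg "$ktype") || { echo mismatch; return 1; }
    result=mismatch
    while read -r r_alg r_type r_hex; do
        [ "$r_alg" = "$alg" ] || continue
        r_hex=$(printf '%s' "$r_hex" | tr -d ' ' | tr 'A-F' 'a-f')
        want=$(sshfp_hex "$blob" "$r_type") || continue
        [ "$want" = "$r_hex" ] && result=ok
    done
    echo "$result"
    [ "$result" = ok ]
}

# $1 = file with one FQDN per line. Verified lines go to stdout (redirect to
# /etc/ssh/ssh_known_hosts and push with your config management); keys with no
# matching SSHFP record are reported on stderr and dropped.
build_known_hosts() {
    ssh-keyscan -t rsa,ed25519 -f "$1" 2>/dev/null | while read -r line; do
        host=${line%% *}
        if dig +short SSHFP "$host" | check_sshfp "$line" >/dev/null; then
            printf '%s\n' "$line"
        else
            printf 'no matching SSHFP record for %s, key dropped\n' "$host" >&2
        fi
    done
}

# Constructed sample: a syntactically valid ssh-ed25519 blob (type string plus
# 32 arbitrary bytes) so the check can be exercised without DNS or a network.
sample_blob() {
    { printf '\000\000\000\013ssh-ed25519\000\000\000\040'; printf '%032d' 0; } \
        | base64 | tr -d '\n'
}

if [ $# -gt 0 ]; then
    build_known_hosts "$1"
fi
```

Run as `sh build_known_hosts.sh hosts.txt > ssh_known_hosts` and distribute the result. The caveat is the same one OpenSSH applies to VerifyHostKeyDNS: an SSHFP record is only as trustworthy as the DNS answer it came from, so the zone should be DNSSEC-signed and the resolver validating; without that, this check stops accidental key mix-ups and stale entries but not an attacker who controls DNS.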
On Mon, 27 Oct 2008, Dominik Epple wrote:

> Hi,
>
> is there any way to use hostbased authentication without the need to
> have the SSH host keys stored in a known_hosts file?
>
> We run a large cluster where we need to have passwordless remote login
> available. We currently do that with hostbased SSH authentication. But
> it is error-prone and a lot of work to keep the known_hosts file up to
> date on all hosts. (This is the same situation as DNS vs /etc/hosts
> and LDAP vs /etc/passwd, and so on.)
>
> We know of the possibility to store SSH fingerprints in SSHFP records
> in DNS. But this currently does not allow hostbased authentication,
> it only allows the client to verify the server's host key.
>
> Is there any other possibility?

Kerberos or push out hostkey lists with rdist.

-d
Hi,

On Mon, 27 Oct 2008, Damien Miller wrote:

> Kerberos

This requires the users to obtain a ticket, I guess? Or is there a way to do password-less, ticket-less hostbased authentication which just uses Kerberos host keys instead of SSH host keys to validate the remote host?

> or push out hostkey lists with rdist.

Our cluster is too large for this. This does not work well and we want to get rid of it.

> -d

Thanks for your reply.

Regards,
Dominik
Douglas E. Engert
2008-Oct-27 16:11 UTC
Hostbased authentication without known_hosts file?
Dominik Epple wrote:

> Hi,
>
> On Mon, 27 Oct 2008, Damien Miller wrote:
>> Kerberos
>
> This requires the users to obtain a ticket, I guess?

Yes. You would need a Kerberos realm set up with user principals and host principals. Each host has to have a keytab file. One way to use this is the user gets a ticket on the client, then you use the GSSAPI options of ssh. There are Windows ssh clients like SecureCRT and some versions of PuTTY that can do GSSAPI. Windows uses Kerberos so any AD users already have tickets.

> Or is there a way to do password-less, ticket-less hostbased
> authentication which just uses Kerberos host keys instead of SSH host
> keys to validate the remote host?
>
>> or push out hostkey lists with rdist.
>
> Our cluster is too large for this. This does not work well and we
> want to get rid of it.
>
>> -d
>
> Thanks for your reply.
>
> Regards,
> Dominik

-- 
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
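The pieces Douglas lists (a host principal in each node's keytab, a ticket on the client, the GSSAPI options of ssh) as a pre-flight check, added here as an example and not code from the thread or from OpenSSH. It assumes MIT Kerberos command-line tools (klist -k output layout), and the realm EXAMPLE.ORG, the keytab path and the host names are placeholders; the configuration text is printed rather than written anywhere.

```shell
#!/bin/sh
# Added example, not code from the thread. Pre-flight check for the Kerberos
# route described above: a host principal in this node's keytab, a ticket in
# the user's cache, and the ssh/sshd options that use them. Assumptions
# (placeholders): MIT Kerberos command-line tools, realm EXAMPLE.ORG, keytab
# /etc/krb5.keytab. Config text is printed, never written to /etc.

REALM=${REALM:-EXAMPLE.ORG}
KEYTAB=${KEYTAB:-/etc/krb5.keytab}

# stdin = `klist -k` output (MIT layout: header lines, then "KVNO Principal"
# rows). Returns 0 if host/$1@$2 is present, 1 otherwise.
keytab_has_host_principal() {
    want="host/$1@$2"
    found=1
    while read -r kvno princ; do
        case "$kvno" in ''|[!0-9]*) continue ;; esac    # skip header/ruler lines
        [ "$princ" = "$want" ] && found=0
    done
    return $found
}

# Server side (sshd_config): accept a Kerberos ticket as the user's credential.
# sshd proves its own identity with host/<fqdn>@REALM from the keytab.
sshd_gssapi_config() {
    cat <<'EOF'
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
EOF
}

# Client side (ssh_config): use the cached ticket and forward it, so a second
# hop inside the cluster needs no new kinit. The server's SSH host key is still
# checked against known_hosts/SSHFP as usual: GSSAPI replaces the user
# credential, not the client's verification of the server.
ssh_gssapi_config() {
    cat <<'EOF'
Host *.example.org
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
EOF
}

# Run on a node: returns 0 if both the keytab and the user's ticket cache look right.
preflight() {
    fqdn=$(hostname -f)
    if klist -k "$KEYTAB" | keytab_has_host_principal "$fqdn" "$REALM"; then
        echo "keytab ok: host/$fqdn@$REALM"
    else
        echo "missing host/$fqdn@$REALM in $KEYTAB (add it on the KDC, e.g. kadmin ktadd)" >&2
        return 1
    fi
    if klist -s; then                  # -s: silent, exit 0 if a valid ticket exists
        echo "ticket ok: $(klist 2>/dev/null | sed -n 's/^Default principal: //p')"
    else
        echo "no valid ticket; run: kinit user@$REALM" >&2
        return 1
    fi
}

if [ "${1:-}" = check ]; then
    preflight
fi
```

Run `sh gssapi_preflight.sh check` on a node after `kinit`; if it passes, `ssh node02.example.org` with the client options above needs no password and no entry for the client host in the server's ssh_known_hosts, because the user is identified by the ticket rather than by the client's host key.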