hostbased authentication 

[Note]

Hostbased authentication is deprecated in favor of pass-phrase authentication.

How do I get hostbased authentication to work with SSH2 and SSH1?
http://www.onsight.com/faq/ssh/ssh-faq-9.html#ss9.4.5

Here, I'll use the following terms:

As an example, our backups are done via username "backup" on host Tapeserv. On our Authserv server, user "root" is trying to connect to Tapeserv to make Authserv's backups on Tapeserv's tape drive. This means that the Server is Tapeserv, the ServerUser is backup, the Client is Authserv, and the ClientUser is "root".

Step 1. 

Of course, install SSH on the Server and Client machines.

Step 2 - SSH1. 

On the Client, cat the file /etc/ssh_host_key.pub and copy-n-paste it into Notepad or some other text editor. It will look something like this:

1024 35 1255908028087833976430... root@authserv

(the actual number will be much longer)

Remove the root@Client from the end and add the Client hostname to the beginning:

authserv 1024 35 1255908028087833976430...

Then copy-n-paste this single, very long line into Server's /etc/ssh_known_hosts file.

This gives the Server the Client's public key so the Server can verify the Client's identity based on a public key signature. By contrast, rsh only uses the IP address for authentication.

Step 3 - SSH2. 

Copy the Client's /etc/ssh2/hostkey.pub file over to the Server and name it /etc/ssh2/knownhosts/authserv.ssh-dss.pub

Of course, since your host isn't named Authserv, use your own hostname. Generally, you'll want to use the "short" hostname and not the fully qualified hostname.

This gives the Server the Client's public key so the Server can verify the Client's identity based on a public key signature. By contrast, rsh only uses the IP address for authentication.

Step 4. 

On the Server, create a file in the ServerUser's home directory named ".shosts". The contents of this file should be the Client hostname, some tabs or spaces, and the ClientUser username.

For example, to allow root@Authserv to log into backup@Tapeserv, I'd place this .shosts file into backup's home directory on Tapeserv:

authserv      root

Be sure to chown and chmod the .shosts file. The .shosts file must be owned by the remote user and should be mode 0400.

Step 5 - SSH1. 

Make sure that this line exists in /etc/sshd_config:

RhostsRSAAuthentication yes

This enables the SSH1 daemon to do what we need it to do.

For safety, you may also want to verify this line:

RhostsAuthentication no

This disables the use of rhosts-style authentication without corresponding public key authentication.

If you had to modify the sshd_config file, you have to HUP the sshd to make the change take effect.

Step 6 - SSH2. 

Check the file /etc/ssh2/sshd2_config and make sure that AllowedAuthentications contains the word "hostbased". For example, it may read:

AllowedAuthentications     hostbased,password

If you had to modify the sshd2_config file, you'll have to HUP the sshd to make the change take effect.

Step 7. 

You should be all set.

On the Client, log in as the ClientUser and try this:

ssh ServerUser@Server uptime

You should get back the results of "uptime" run on the remote server.

The first time you run ssh to that particular server, you'll have to answer "yes" when asked if you want to connect to the server. This is because the local ssh doesn't yet have the remote server's SSH public key. This will only happen the first time.
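
The SSH1 parts of Steps 2, 4 and 5, as an added shell example that is not part of the original FAQ: it builds the ssh_known_hosts line from the Client's host key and checks the Server-side settings before you test the login. The function names and the sample key are constructed, and the expected .shosts owner is passed in by the caller.

```sh
#!/bin/sh
# Added example (not from the FAQ). Function names and the sample key are constructed.

# Step 2: "bits exponent modulus comment" -> "hostname bits exponent modulus".
# Rejects anything that is not three numeric fields (for example an SSH2 key).
known_hosts_line() {   # known_hosts_line <client-hostname> <ssh_host_key.pub line>
    printf '%s\n' "$2" | awk -v host="$1" '
        NF >= 3 && $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
            print host, $1, $2, $3; ok = 1
        }
        END { exit !ok }'
}

# Step 4: .shosts must be a regular file, mode 0400, owned by the given user.
check_shosts() {   # check_shosts <path> <expected-owner>
    ls -ld "$1" 2>/dev/null | awk -v owner="$2" '
        { ok = (substr($1, 1, 10) == "-r--------" && $3 == owner) }
        END { exit !ok }'
}

# Step 5: keyword must appear uncommented, and every occurrence must carry the
# wanted value. Case-insensitive matching is an assumption about sshd's parser.
config_is() {   # config_is <sshd_config> <keyword> <value>
    awk -v key="$2" -v want="$3" '
        tolower($1) == tolower(key) { seen = 1; if (tolower($2) != tolower(want)) bad = 1 }
        END { exit !(seen && !bad) }' "$1"
}

# Run the Server-side checks; print the first failure and return non-zero.
audit_ssh1_server() {   # audit_ssh1_server <sshd_config> <.shosts> <owner>
    config_is "$1" RhostsRSAAuthentication yes ||
        { echo "RhostsRSAAuthentication is not set to yes"; return 1; }
    config_is "$1" RhostsAuthentication no ||
        { echo "RhostsAuthentication is not set to no"; return 1; }
    check_shosts "$2" "$3" ||
        { echo "$2: wrong owner or mode (want $3, 0400)"; return 1; }
    echo "ok"
}

# Constructed sample key line, shortened for display.
known_hosts_line authserv '1024 35 125590802808783397643 root@authserv'
```

On the Server, a call such as audit_ssh1_server /etc/sshd_config ~backup/.shosts backup runs all three checks against the paths used in the steps above.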