Ssh HostbasedAuthentication
From Brandonhutchinson.com
(Difference between revisions)
(→HostbasedAuthentication high-level overview) |
(→Allowing HostbasedAuthentication on the client system) |
||
| (7 intermediate revisions not shown.) | |||
| Line 55: | Line 55: | ||
default is “no”. This option applies to protocol version 1 only. | default is “no”. This option applies to protocol version 1 only. | ||
| - | + | == HostbasedAuthentication with the root user == | |
| + | |||
| + | If you want to use HostbasedAuthentication with the root user, you must: | ||
| + | * Place the fully-qualified domain name of the trusted system in '''~root/.shosts''' or '''~root/.rhosts''' on the remote system. | ||
| + | * Set '''IgnoreRhosts no''' in '''sshd_config''' on the remote system. | ||
| + | |||
| + | The system-wide '''/etc/rhosts.equiv''' or '''/etc/ssh/shosts.equiv''' files will not work with HostbasedAuthentication of the root user. | ||
| + | |||
| + | == Allowing HostbasedAuthentication on the client system == | ||
| + | |||
| + | Even if HostbasedAuthentication is properly enabled on the server, it may denied as a form of authentication on the client system. | ||
| + | |||
| + | For example, on RHEL 5, HostbasedAuthentication is implicitly denied on clients, as the default is "no". | ||
| + | |||
| + | To enable, modify the site-wide or user-specific ssh configuration file as appropriate. | ||
| + | |||
| + | == Reverse DNS == | ||
| + | |||
| + | By default (see ''HostbasedUsesNameFromPacketOnly'' above), OpenSSH will not trust the client's self-identifying hostname in the hostbased authentication request, and will perform a reverse DNS lookup of the IP address. | ||
| + | |||
| + | e.g., ''/var/log/auth.log'' | ||
| + | Jul 14 16:44:24 ''ssh_server'' sshd[10794]: userauth_hostbased mismatch: client sends host.example.com, but we resolve 192.216.212.193 to 192.216.212.193 | ||
| + | |||
| + | In this case, I needed to add 193.212.216.192.in-addr.arpa to DNS. | ||
| + | |||
| + | * [http://www.snailbook.com/faq/trusted-host-howto.auto.html How do I get trusted-host (SSH-2 "hostbased", SSH-1 "RhostsRSA") authentication working?] | ||
== Miscellaneous notes == | == Miscellaneous notes == | ||
| Line 64: | Line 89: | ||
debug1: Remote: Ignoring wild host/user names in ''$HOME''/.shosts. | debug1: Remote: Ignoring wild host/user names in ''$HOME''/.shosts. | ||
debug1: Remote: Ignoring wild host/user names in ''$HOME''/.rhosts. | debug1: Remote: Ignoring wild host/user names in ''$HOME''/.rhosts. | ||
| - | |||
| - | * The fully-qualified domain name of the trusted host '''must''' exist in the four files used in ''HostbasedAuthentication''. | ||
Current revision
Contents |
Overview
The following notes on HostbasedAuthentication apply to OpenSSH.
HostbasedAuthentication files
These files are checked in the following order on the remote system if HostbasedAuthentication is enabled:
- /etc/hosts.equiv
- /etc/ssh/shosts.equiv
- ~/.shosts
- ~/.rhosts
Relevant sshd_config directives
HostbasedAuthentication
Specifies whether rhosts or /etc/hosts.equiv authentication
together with successful public key client host authentication is
allowed (host-based authentication). This option is similar to
RhostsRSAAuthentication and applies to protocol version 2 only.
The default is “no”.
HostbasedUsesNameFromPacketOnly
Specifies whether or not the server will attempt to perform a
reverse name lookup when matching the name in the ~/.shosts,
~/.rhosts, and /etc/hosts.equiv files during
HostbasedAuthentication. A setting of “yes” means that sshd(8)
uses the name supplied by the client rather than attempting to
resolve the name from the TCP connection itself. The default is
“no”.
IgnoreRhosts
Specifies that .rhosts and .shosts files will not be used in
RhostsRSAAuthentication or HostbasedAuthentication.
/etc/hosts.equiv and /etc/ssh/shosts.equiv are still used. The
default is “yes”.
IgnoreUserKnownHosts
Specifies whether sshd(8) should ignore the user’s
~/.ssh/known_hosts during RhostsRSAAuthentication or
HostbasedAuthentication. The default is “no”.
Protocol
Specifies the protocol versions sshd(8) supports. The possible
values are ‘1’ and ‘2’. Multiple versions must be comma-sepa‐
rated. The default is “2,1”. Note that the order of the proto‐
col list does not indicate preference, because the client selects
among multiple protocol versions offered by the server. Specify‐
ing “2,1” is identical to “1,2”.
RhostsRSAAuthentication
Specifies whether rhosts or /etc/hosts.equiv authentication
together with successful RSA host authentication is allowed. The
default is “no”. This option applies to protocol version 1 only.
HostbasedAuthentication with the root user
If you want to use HostbasedAuthentication with the root user, you must:
- Place the fully-qualified domain name of the trusted system in ~root/.shosts or ~root/.rhosts on the remote system.
- Set IgnoreRhosts no in sshd_config on the remote system.
The system-wide /etc/rhosts.equiv or /etc/ssh/shosts.equiv files will not work with HostbasedAuthentication of the root user.
Allowing HostbasedAuthentication on the client system
Even if HostbasedAuthentication is properly enabled on the server, it may denied as a form of authentication on the client system.
For example, on RHEL 5, HostbasedAuthentication is implicitly denied on clients, as the default is "no".
To enable, modify the site-wide or user-specific ssh configuration file as appropriate.
Reverse DNS
By default (see HostbasedUsesNameFromPacketOnly above), OpenSSH will not trust the client's self-identifying hostname in the hostbased authentication request, and will perform a reverse DNS lookup of the IP address.
e.g., /var/log/auth.log
Jul 14 16:44:24 ssh_server sshd[10794]: userauth_hostbased mismatch: client sends host.example.com, but we resolve 192.216.212.193 to 192.216.212.193
In this case, I needed to add 193.212.216.192.in-addr.arpa to DNS.
Miscellaneous notes
- If any of the four files used in HostbasedAuthentication contain a + in either the hostname(s) or user name(s), the line is ignored.
debug1: Remote: Ignoring wild host/user names in /etc/hosts.equiv. debug1: Remote: Ignoring wild host/user names in /etc/ssh/shosts.equiv. debug1: Remote: Ignoring wild host/user names in $HOME/.shosts. debug1: Remote: Ignoring wild host/user names in $HOME/.rhosts.
