The following notes on HostbasedAuthentication apply to OpenSSH.
These files are checked in the following order on the remote system if HostbasedAuthentication is enabled:
Relevant sshd_config directives
HostbasedAuthentication Specifies whether rhosts or /etc/hosts.equiv authentication together with successful public key client host authentication is allowed (host-based authentication). This option is similar to RhostsRSAAuthentication and applies to protocol version 2 only. The default is “no”. HostbasedUsesNameFromPacketOnly Specifies whether or not the server will attempt to perform a reverse name lookup when matching the name in the ~/.shosts, ~/.rhosts, and /etc/hosts.equiv files during HostbasedAuthentication. A setting of “yes” means that sshd(8) uses the name supplied by the client rather than attempting to resolve the name from the TCP connection itself. The default is “no”. IgnoreRhosts Specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication. /etc/hosts.equiv and /etc/ssh/shosts.equiv are still used. The default is “yes”. IgnoreUserKnownHosts Specifies whether sshd(8) should ignore the user’s ~/.ssh/known_hosts during RhostsRSAAuthentication or HostbasedAuthentication. The default is “no”. Protocol Specifies the protocol versions sshd(8) supports. The possible values are ‘1’ and ‘2’. Multiple versions must be comma-sepa‐ rated. The default is “2,1”. Note that the order of the proto‐ col list does not indicate preference, because the client selects among multiple protocol versions offered by the server. Specify‐ ing “2,1” is identical to “1,2”. RhostsRSAAuthentication Specifies whether rhosts or /etc/hosts.equiv authentication together with successful RSA host authentication is allowed. The default is “no”. This option applies to protocol version 1 only.
HostbasedAuthentication with the root user
If you want to use HostbasedAuthentication with the root user, you must:
- Place the fully-qualified domain name of the trusted system in ~root/.shosts or ~root/.rhosts on the remote system.
- Set IgnoreRhosts no in sshd_config on the remote system.
The system-wide /etc/rhosts.equiv or /etc/ssh/shosts.equiv files will not work with HostbasedAuthentication of the root user.
- If any of the four files used in HostbasedAuthentication contain a + in either the hostname(s) or user name(s), the line is ignored.
debug1: Remote: Ignoring wild host/user names in /etc/hosts.equiv. debug1: Remote: Ignoring wild host/user names in /etc/ssh/shosts.equiv. debug1: Remote: Ignoring wild host/user names in $HOME/.shosts. debug1: Remote: Ignoring wild host/user names in $HOME/.rhosts.