Page tree
Skip to end of metadata
Go to start of metadata

Make some hosts equivalent with respect to ssh logins

In the following we will refer to the $SSHCONF directory where files like sshd_config reside. This directory varies, depending on your installation. In order to find it, have a look at /etc/ssh, /etc or /usr/local/etc.

We will assume that all hosts use SSH Protocol 2 with the OpenSSH program. The versions 4.5p1 and 4.6p1 of this program have been tested with this HOWTO. It should also be applicable to SunSSH (for the relationship of SunSSH to OpenSSH, see http://www.opensolaris.org/os/community/security/projects/SSH).

Server side

  1. In $SSHCONF/sshd_config,
    • set HostbasedAuthentication to yes
    • have a good look at IgnoreUserKnownHosts, IgnoreRhosts and HostbasedUsesNameFromPacketOnly and see whether they fit what you want
  2. Ensure the host's RSA key is in $SSHCONF/ssh_known_hosts. The easiest way to get all relevant keys is to login to any computer that should allow host-based authentication and then to use ~/.ssh/known_host as a basis. However, sometimes hosts can have different names and then all names should be included in $SSHCONF/ssh_known_hosts, separated by coma. It usually doesn't hurt to also include the IP addresses into that list.
  3. Enter all hosts that should be allowed host-based authentication into $SSHCONF/shosts.equiv. You can add + in front, but you don't have to. If you do, ensure that + doesn't stand alone, because that means all hosts are allowed host-based authentication.

Client side

  1. In the global section of $SSHCONF/ssh_config, the following keys need to be set to yes:
    • HostbasedAuthentication
    • EnableSSHKeysign (note that for some reason this key is missing in the template file, but it is absolutely necessary to set it because otherwise the ssh program has no way to read the private part of the host key)
  2. Ensure that the program ssh-keysign, which is part of OpenSSH, is executable by everyone and SUID root (permissions 4755). Where exactly this program can be found depends on your installation. /etc/lib/ssh and /usr/libexec are promising locations to look at.