Make some hosts equivalent with respect to
In the following we will refer to the $SSHCONF directory where files like sshd_config reside. This directory varies, depending on your installation. In order to find it, have a look at
We will assume that all hosts use SSH Protocol 2 with the OpenSSH program. The versions 4.5p1 and 4.6p1 of this program have been tested with this HOWTO. It should also be applicable to SunSSH (for the relationship of SunSSH to OpenSSH, see http://www.opensolaris.org/os/community/security/projects/SSH).
- have a good look at HostbasedUsesNameFromPacketOnly and see whether they fit what you want
- Ensure the host's RSA key is in $SSHCONF/ssh_known_hosts. The easiest way to get all relevant keys is to log in to any computer that should allow host-based authentication and then to use ~/.ssh/known_hosts as a basis. However, sometimes hosts can have different names, and then all names should be included in $SSHCONF/ssh_known_hosts, separated by commas. It usually doesn't hurt to also include the IP addresses in that list.
- Enter all hosts that should be allowed host-based authentication into $SSHCONF/shosts.equiv. You can add + in front, but you don't have to. If you do, ensure that + doesn't stand alone, because that means all hosts are allowed host-based authentication.
- In the global section of $SSHCONF/ssh_config, the following keys need to be set to
EnableSSHKeysign (note that for some reason this key is missing in the template file, but it is absolutely necessary to set it, because otherwise the ssh program has no way to read the private part of the host key)
- Ensure that the program ssh-keysign, which is part of OpenSSH, is executable by everyone and SUID root (permissions 4755). Where exactly this program can be found depends on your installation.
/usr/libexec are promising locations to look at.
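As an added example (not part of the original HOWTO), a POSIX shell script that verifies the conditions listed above against an $SSHCONF directory: the key and value in ssh_config, no lone + in shosts.equiv, the host present in ssh_known_hosts, and the 4755 mode of ssh-keysign. The paths, host names and sample files in the demo are constructed for the demonstration; Match and Host blocks in the config files are ignored.

```shell
#!/bin/sh
# Sanity checks for a host-based authentication setup. All paths are passed in
# so the checks can be pointed at $SSHCONF on any installation (assumption).

# A config key must be set to the expected value. Keys and yes/no values are
# case-insensitive in OpenSSH; the first occurrence of a key is the one used.
check_config_key() {
    awk -v k="$2" -v v="$3" '
        /^[[:space:]]*(#|$)/ { next }                       # comments, blank lines
        tolower($1) == tolower(k) { ok = (tolower($2) == tolower(v)); seen = 1; exit }
        END { exit (seen && ok) ? 0 : 1 }' "$1"
}

# shosts.equiv must not contain a line that is just "+": that trusts every host.
check_shosts_equiv() {
    [ -f "$1" ] && ! grep -q '^[[:space:]]*+[[:space:]]*$' "$1"
}

# A host name or IP must appear in the comma-separated host field of
# ssh_known_hosts (the field after an @marker such as @cert-authority, if any).
check_known_host() {
    awk -v h="$2" '
        /^[[:space:]]*(#|$)/ { next }
        { f = ($1 ~ /^@/) ? $2 : $1
          n = split(f, names, ",")
          for (i = 1; i <= n; i++) if (names[i] == h) { found = 1; exit } }
        END { exit found ? 0 : 1 }' "$1"
}

# ssh-keysign must be SUID root and world-executable: mode 4755, -rwsr-xr-x in ls.
check_keysign_perms() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rwsr-xr-x" ]
}

# Constructed sample $SSHCONF tree (not a real installation) to exercise the checks.
demo() {
    d=$(mktemp -d)
    printf 'HostbasedAuthentication yes\nEnableSSHKeysign yes\n' > "$d/ssh_config"
    printf '# trusted hosts\nalpha.example.org\n+\n' > "$d/shosts.equiv"
    printf 'alpha.example.org,alpha,192.0.2.10 ssh-rsa AAAA_CONSTRUCTED\n' > "$d/ssh_known_hosts"
    : > "$d/ssh-keysign" && chmod 4755 "$d/ssh-keysign"
    check_config_key "$d/ssh_config" EnableSSHKeysign yes && echo "ssh_config: EnableSSHKeysign ok"
    check_shosts_equiv "$d/shosts.equiv" || echo "shosts.equiv: lone + found, every host trusted"
    check_known_host "$d/ssh_known_hosts" 192.0.2.10 && echo "ssh_known_hosts: 192.0.2.10 ok"
    check_keysign_perms "$d/ssh-keysign" && echo "ssh-keysign: mode 4755 ok"
    rm -rf "$d"
}
demo
```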