On Mon, 2004-10-18 at 17:19, martin f krafft wrote:
> Yes, you read right, I want all the machines in a cluster to trust
> each other, based on SSH keys and IPs. But I am not arriving. This
> is with Sarge and SSHv1 disabled, so only protocol two.
>
> So let's say I have two hosts, .1 and .2. I take the
> ssh_host_rsa_key.pub and put it into the /etc/ssh/ssh_known_hosts
> file on .2. Then I enable HostbasedAuthentication in
> /etc/ssh/sshd_config on .2 and put .1's IP into
> /etc/ssh/shosts.equiv, prefixed with a '+'.
>
> From what I can tell, this is all that I need to do. However, it's
> not working at all. Could anyone help me figure out the problem,
> please?

What is it doing to indicate that it is not working?
If it is still prompting you for a password, you could try disabling challenge response in sshd_config:
ChallengeResponseAuthentication no
-davidc
-- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
I had a similar problem using SSH keys to rsync two remote servers, and I found out it was due to gnarly permissions on the user's home/.ssh dirs. Check your auth log for errors:
cat /var/log/auth.log | grep refused
You're looking for a line something like this:
Authentication refused: bad ownership or modes for directory
I had to use the ssh-copy-id app to get the keys hither, thither and yon to get the permissions set up properly, which meant I had to temporarily enable password auth in order to share the keys.
If you're worried about security, sshd_config, PAM and hosts.[allow|deny] will enable you to lock your machine down very tightly indeed. One thing I think that is definitely missing from the default sshd_config file provided with Debian is the "AllowGroups" parameter, which I use to kick off any users who aren't members of the "remoteadmin" group.
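
The "bad ownership or modes" refusal mentioned above can be checked for before sshd logs it. The script below is an added example, not part of the original message: it approximates sshd's StrictModes test (owner must be the user or root, no group/other write bit) on the home directory, ~/.ssh and authorized_keys. It assumes GNU stat (Linux); the function names and the temporary demo directory are constructed for illustration.

```shell
#!/bin/sh
# Added example: approximates the ownership/mode test behind sshd's
# "Authentication refused: bad ownership or modes" log line.
# Assumption: GNU stat (stat -c), as found on Debian.

# check_path PATH UID -> prints a finding; returns 1 if PATH is missing,
# owned by someone other than UID or root, or group/other-writable.
check_path() {
    path=$1; want_uid=$2
    [ -e "$path" ] || { echo "MISSING $path"; return 1; }
    owner=$(stat -c %u "$path")
    mode=$(stat -c %a "$path")          # octal permissions, e.g. 755
    if [ "$owner" -ne "$want_uid" ] && [ "$owner" -ne 0 ]; then
        echo "BAD OWNER uid=$owner $path"; return 1
    fi
    # 022 = group-write | other-write; the leading 0 makes $mode octal
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "BAD MODE $mode $path"; return 1
    fi
    echo "ok $mode $path"
}

# audit_home HOME UID -> checks the three paths relevant to key auth;
# the return status is the number of paths that fail.
audit_home() {
    home=$1; uid=$2; bad=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        check_path "$p" "$uid" || bad=$((bad + 1))
    done
    return "$bad"
}

# Constructed demo: a throwaway "home" whose .ssh is group-writable.
demo=$(mktemp -d)
mkdir "$demo/.ssh" && : > "$demo/.ssh/authorized_keys"
chmod 755 "$demo"; chmod 775 "$demo/.ssh"
chmod 600 "$demo/.ssh/authorized_keys"
audit_home "$demo" "$(id -u)" || echo "key auth would be refused ($? finding)"
chmod 700 "$demo/.ssh"                  # the fix
audit_home "$demo" "$(id -u)" && echo "permissions now acceptable"
rm -rf "$demo"
```

To audit a real account, call audit_home with that user's home directory and numeric uid, for example the values printed by `getent passwd`.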