On 11/2/14, Gary Dale <garyd...@torfree.net> wrote:
> On 01/11/14 05:50 PM, Bhasker C V wrote:
>> Hi all
>>
>>   I have a system in a cluster (experimental) and there are a lot of
>> debian machines which depend on this system and must be able to ssh into
>> this system
>>
>> I wanted password-less authentication and looked on the internet.
>> Almost all the examples and help shown involve setting up
>> ssh_known_hosts which I am trying to avoid (cumbersome in a large
>> network where we don't know who will need access).
>>
>> Anyone got this working just plain without adding known hosts ? I do not
>> want to add each and every host to ssh_known_host. Essentially I want to
>> have an open access to one of the servers via ssh.
>>
>> I tried running sshd as root and adding
>>
>> auth sufficient pam_rootok.so
>>
>> to pam ssh and login
>> but that did not help.
>>
>> Thanks
>>
>> Bhasker C V
>
> Trying hard to understand what you want but failing. It almost sounds
> like you want anyone to be able to connect ("don't know who will need
> access" "want to have open to one of the servers") from anywhere (I do
> want to add each and every host to ssh_known_host). Which begs the
> question why use any kind of security?
>
> However, if you want to protect the network traffic, have you tried to
> use ssl/tls and close down the unencrypted access?

There is host-based authentication in sshd where users on one host are
vouched for on another.  It is a little fiddly to set up

http://en.wikibooks.org/wiki/OpenSSH/Cookbook/Host-based_Authentication

but once in place it allows users to move seamlessly around in the
pool of servers, assuming all the users / uids are the same throughout
the pool.

Regardless of whether you do that method or another, there will need
to be some data synchronization.  Are you using puppet, ansible or
something similar?

Regards,
/Lars
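
The host-based setup mentioned in the reply above depends on a handful of files on both ends, and the server still needs each client's host key. The following check script is an added example, not part of the original thread: the keywords and file names are OpenSSH's, while the directory layout, host names and key placeholder are constructed for the demo.

```shell
#!/bin/sh
# Added example. Keywords and file names are OpenSSH's; hosts and key are constructed.

# First value of KEYWORD in FILE (OpenSSH keeps the first value it reads).
# Simplification: whitespace-separated "Keyword value" lines; Match/Host blocks are ignored.
conf_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$1"
}

# Server side: prints the first missing prerequisite and returns 1, else returns 0.
check_server() {  # check_server DIR CLIENT_HOST
    if [ "$(conf_value "$1/sshd_config" HostbasedAuthentication)" != yes ]; then
        echo "sshd_config: HostbasedAuthentication is not yes"; return 1
    fi
    if ! grep -qxF -- "$2" "$1/shosts.equiv"; then
        echo "shosts.equiv: $2 is not listed"; return 1
    fi
    # Plain (unhashed) entries only: field 1 is a comma-separated host list.
    if ! awk -v h="$2" '$1 !~ /^[#@|]/ { n = split($1, a, ","); for (i = 1; i <= n; i++) if (a[i] == h) ok = 1 }
                        END { exit !ok }' "$1/ssh_known_hosts"; then
        echo "ssh_known_hosts: no host key for $2"; return 1
    fi
}

# Client side: ssh must offer the method and be allowed to use ssh-keysign.
check_client() {  # check_client DIR
    for kw in HostbasedAuthentication EnableSSHKeysign; do
        if [ "$(conf_value "$1/ssh_config" "$kw")" != yes ]; then
            echo "ssh_config: $kw is not yes"; return 1
        fi
    done
}

# Constructed sample: node1 is fully set up, node2 is trusted but has no key on file.
make_sample() {  # make_sample DIR
    printf 'PasswordAuthentication no\nHostbasedAuthentication yes\n' > "$1/sshd_config"
    printf 'node1.example.org\nnode2.example.org\n' > "$1/shosts.equiv"
    printf '# constructed entry\nnode1.example.org,node1 ssh-ed25519 PLACEHOLDER_PUBLIC_KEY\n' > "$1/ssh_known_hosts"
    printf 'Host *\n    HostbasedAuthentication yes\n' > "$1/ssh_config"
}

demo=$(mktemp -d)
make_sample "$demo"
for h in node1.example.org node2.example.org; do
    if check_server "$demo" "$h"; then echo "server side ready for $h"; fi
done
check_client "$demo" || true
rm -rf "$demo"
```

On a real system the same checks apply to the files under /etc/ssh, which is the data that has to be kept in sync across the pool.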

