A related question: Is there a way to limit the use of a key by user /and/
hostname?

Thanks,
Noel




[EMAIL PROTECTED] on 2000.05.25 14:56:37

To:   [EMAIL PROTECTED]
cc:   [EMAIL PROTECTED] (bcc: Noel L Yap)
Subject:  Re: Difficulty with host based authentication and v2.1.0 on RedHat 6.x




I finally got our auth. working with help from SSH. It sounds like you're doing
a mix of ssh1 and ssh2 host-based and also user-based auth. With host-based,
you're relying on the $HOME/.shosts file and the
/etc/ssh2/knownhosts/client.ssh-dss.pub file. With user-based, you're relying on
the $HOME/.ssh2/authorization, identification and client.pub files. With ssh1
host-based, you use the .equiv file.
    We could never get host-based to work with AIX -- this is probably a bug
with ssh & AIX. User-based worked just fine. You may have a script in your
source directory that can do this for you. Here's some stuff I wrote up on the
user-based with this script:
==========
Here are the easy steps for getting SSH2 user-based authentication to work:

    (As root) In your ssh2 source directory, go to the /apps/ssh directory.
    Copy the file ssh-pubkeymgr to /usr/local/bin. Go to /usr/local/bin and do a
    'chmod 555' on that file.

    Get out of root and log in as the user account that will be doing the file
    transfers. Make sure that /usr/local/bin is in your path.

    Execute the command "ssh-pubkeymgr". It will first create your public and
    private keys. It may take a while, depending on the speed of your system.

    When it asks you for a passphrase, hit Enter. Hit Enter again when it
    prompts you to repeat the passphrase.

    The rest of the pubkey script execution should be pretty straightforward.
    Take the default of [yes] when prompted with questions about adding remote
    hosts, uploading the key, adding remote hosts to your list, etc., and give
    the appropriate information. Entering Ctrl-D when you're done with one task
    will continue the script on to the next task.

    Now cd to your account's .ssh2 directory. Check the name of the remote
    host's .pub file against the name of that .pub file in the 'authorization'
    file. If necessary, change the (short?) hostname of the .pub file to match
    the (long?) hostname in the authorization file. The ssh-pubkeymgr script
    also needs to be run at the server site with that system admin logged on to
    the account that you'll be transferring files to.

    Now you'll be ready to set up a script to do the file transfer. You will
    use the scp2 command to do your transfers (not sftp2). Refer to the man
    pages for scp2 for assistance in structuring your transfer command.


BOFH wrote:

> To preface myself, I first checked the FAQ's (master and all mirrors) and
> the section that would appear to deal with the issue at hand is missing
> from all of them (section 3.5).  I also looked for a list archive, but if
> there is one, it's obfuscated.
>
> I then read all of the updated man pages for ssh2, sshd2 and ssh-agent,
> and proceeded to follow the instructions therein.
>
> To wit:
>
> I have two machines, the host (192.168.1.11) and the client
> (192.168.1.10), both living on the same 192.168.1.0/24 network.
>
> My goal is to allow a process which uses the root account on .10 to access
> .11 without having to send the password.
>
> I proceeded in several steps:
>
> 1.      ssh2'd from each machine to the other, using the root account to
>         create local public keys.
>
> 2.      added a .shosts entry containing "192.168.1.10 root" in root's ~/ on
>         192.168.1.11
>
> 3.      ensured that sshd2_config on .11 included "hostbased" in the line
>         "AllowedAuthentications"
>
> 4.      Restarted sshd2 on .11 and tested with "ssh2 -l root 192.168.1.11"
>         from .10, no luck.
>
> 5.      ran ssh-keygen2 as root on the .10, creating a file named
>         id_dsa_1024_a.pub with a NULL password, which I then scp'd to .11
>
> 6.      created an "/etc/shosts.equiv" and copied id_dsa_1024_a.pub to
>         "/etc/ssh2/knownhosts/192.168.1.10.ssh-dsa.pub" on .11
>
> 7.      Restarted sshd2 on .11 and tested with "ssh2 -l root 192.168.1.11"
>         from .10, no luck.
>
> 8.      Copied id_dsa_1024_a.pub to root's ~/.ssh2/ and created an
>         "authorization" file with an entry of "Key<TAB>
>         id_dsa_1024_a.pub" on the first line.
>
> 9.      Restarted sshd2 on .11 and tested with "ssh2 -l root 192.168.1.11"
>         from .10, no luck.
>
> Debug messages were never generated by sshd2.  I did modify the ssh2
> script in "/etc/rc.d/init.d" to start sshd2 with debug and in verbose
> mode.
>
> At this point, feeling a bit frustrated, I paused for the evening.
>
> ssh2-2.1.0.pl2 was compiled with:
>
> "./configure --prefix=/usr --sysconfdir=/etc/ssh2 --enable-debug"
>
> using gcc v2.95.2
>
> I'll admit it, I'm stumped.
>
> Anyone have a suggestion or two??
>
> - Ed

--
Vicki Lonell Hain
Systems Programming - AIS
Unix Distributed Computing
UNC-Chapel Hill, NC 27588-1150
[EMAIL PROTECTED]
(919)966-1901
www.ais.unc.edu/info/sys/vlh.html
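The step in Vicki's write-up that trips people up is the name check between the .pub file on disk and the "Key" entry in $HOME/.ssh2/authorization (short hostname in one, long hostname in the other). The following shell script is an added example, not code from this thread, from the SSH2 distribution or from the ssh-pubkeymgr script; it assumes only the authorization line format the thread itself shows ("Key<TAB>name.pub") and builds a constructed fixture reproducing the mismatch so it runs offline.

```shell
#!/bin/sh
# Added example, not code from the original thread or from the SSH2
# distribution: a sanity check for the SSH2 user-based authentication layout
# ($HOME/.ssh2/authorization plus the .pub files it names). The file format
# assumed here is the one the thread shows: lines of the form "Key<TAB>name.pub".

# check_ssh2_authorization DIR
# Verifies that every "Key" entry in DIR/authorization names a .pub file that
# exists in DIR. When something is missing, .pub files present but never
# referenced are listed as hints, since a short-vs-long hostname mismatch
# (client.pub vs client.example.com.pub) is the usual cause.
# Returns 0 when all entries resolve, 1 otherwise.
check_ssh2_authorization() {
    dir=$1
    auth=$dir/authorization
    status=0
    if [ ! -f "$auth" ]; then
        echo "missing: $auth"
        return 1
    fi
    # "|| [ -n "$line" ]" also processes a last line with no trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            Key*) ;;          # only Key lines name public-key files
            *) continue ;;
        esac
        # Strip the keyword and any tabs/spaces around the file name.
        name=$(printf '%s\n' "$line" | sed 's/^Key[[:space:]]*//; s/[[:space:]]*$//')
        if [ -f "$dir/$name" ]; then
            echo "ok: $name"
        else
            echo "MISSING: $dir/$name (named in authorization, not on disk)"
            status=1
        fi
    done < "$auth"
    if [ "$status" -ne 0 ]; then
        for f in "$dir"/*.pub; do
            [ -f "$f" ] || continue
            b=$(basename "$f")
            grep -q "^Key[[:space:]]*$b[[:space:]]*$" "$auth" \
                || echo "hint: unreferenced key file $b"
        done
    fi
    return $status
}

# build_sample: constructed fixture (not real key material) reproducing the
# mismatch from the thread -- authorization names the long hostname, while the
# file on disk uses the short one. Echoes the temporary directory's path.
build_sample() {
    d=$(mktemp -d)
    printf 'Key\tclient.example.com.pub\n' > "$d/authorization"
    printf 'constructed-dummy-public-key\n' > "$d/client.pub"
    echo "$d"
}

# demo: run the check before and after renaming the .pub file to match.
demo() {
    d=$(build_sample)
    echo "--- before rename (expected: MISSING plus a hint) ---"
    check_ssh2_authorization "$d"
    mv "$d/client.pub" "$d/client.example.com.pub"
    echo "--- after rename (expected: ok) ---"
    check_ssh2_authorization "$d"
    rm -rf "$d"
}

demo
```

Run it as `sh check_authorization.sh`; to check a real account, call `check_ssh2_authorization "$HOME/.ssh2"` instead of `demo`. The check only confirms that the names line up; whether sshd2 accepts the key is still decided by the server, so run it with the server's own debug output as the thread suggests.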
