Yes, for the ssh1/RSA protocol. I haven't looked at the source but I seem to
remember that it does NOT support it for ssh2/DSA connections, in fact the sshd
manpage only mentions rhosts for v1/ssh1. This has to do with it not being an
option in the IETF Draft proposal for SSH, thus it is not supported. It is
supported in v1/ssh1 for compatibility with ssh1 from ssh.com and the initial
source base for OpenSSH (ssh1 v1.2.12).
You will need to allow it in the sshd_config file. There are several options:

     IgnoreRhosts
             Specifies that .rhosts and .shosts files will not be used in
             authentication.  /etc/hosts.equiv and /etc/ssh/shosts.equiv are
             still used.  The default is ``yes''.

     IgnoreUserKnownHosts
             Specifies whether sshd should ignore the user's
             $HOME/.ssh/known_hosts during RhostsRSAAuthentication.  The
             default is ``no''.

     RhostsAuthentication
             Specifies whether authentication using rhosts or /etc/hosts.equiv
             files is sufficient.  Normally, this method should not be
             permitted because it is insecure.  RhostsRSAAuthentication should
             be used instead, because it performs RSA-based host authentication
             in addition to normal rhosts or /etc/hosts.equiv authentication.
             The default is ``no''.

     RhostsRSAAuthentication
             Specifies whether rhosts or /etc/hosts.equiv authentication
             together with successful RSA host authentication is allowed.  The
             default is ``no''.

These are from the sshd man page. If you are trying to connect to a machine
that you do not manage, then you will need to look in the config file, if it is
accessible, to see if the SysAdmin has allowed this type of connection. It is
normally in /etc, /etc/ssh, or /usr/local/etc. If you are the SysAdmin then
make the changes, else try to convince the SysAdmin to allow it and then get
him/her to change it. Good luck if he/she has explicitly disabled this type of
access for security reasons...
Now, there are 2 ways to allow host based authentication: insecure and slightly
more secure. Insecure is nothing more than allowing .rhosts access with no
verification of remote host except its IP address. This is highly vulnerable to
IP address spoofing. To do this set the above options as follows:

     IgnoreRhosts no
     IgnoreUserKnownHosts no      # or leave out since default
                                  # not used anyway for this type
     RhostsAuthentication yes
     RhostsRSAAuthentication yes

This allows access just as rsh/rlogin/rcp did. There is a slight variation of
this that allows a little more security: change "IgnoreRhosts" to yes. This
still has the same problems mentioned above about IP Spoofing, but only looks in
the system /etc/hosts.equiv and shosts.equiv--in same dir (system dependent) as
sshd_config.
A more secure way of doing host based authentication is similar to the above,
but it doesn't trust IP addresses, but instead depends on the remote system's
public RSA key matching that found in ssh_known_hosts or .ssh/known_hosts. To
allow this and not the less secure IP address only way, change
"RhostsAuthentication" to no above. This will allow the access from a remote
machine only if the remote machine's public key is found in ssh_known_hosts or
.ssh/known_hosts and there is an entry in hosts.equiv, shosts.equiv, ~/.rhosts,
or ~/.shosts.
You can play around with the 4 options above to get a combination that satisfies
your needs.
Now that all of this has been said, I highly recommend you learn about personal
authentication using RSA keys for the ssh1 protocol (if you must use ssh1), or
using DSA keys for the ssh2 protocol.
Good luck!
--Dave
PS> Make sure the client connects using v1 (ssh1) when doing host based
authentication. If the Protocol option is set to '2,1' in the system ssh_config
file, then create ~/.ssh/ssh_config with the following lines:

~/.ssh/ssh_config:

     # 2 examples
     # Can also add single lines to override to individual hosts
     Host remhost1
     Protocol 1,2
     # Use version 1 then 2, reverse of system settings in /etc/ssh_config

     # Default all hosts
     Host *
     Protocol 1,2

>Date: Thu, 28 Dec 2000 15:47:42 -0800
>From: Shuang Hou <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: Does OpenSSH support hostbased authentication?
>
>Does OpenSSH support hostbased authentication and how to set up?
>
>Thanks,
>shuang
>
--
David Knight French
Black Mountain Computer Consulting
Voice: (858)279-4862
Email: [EMAIL PROTECTED]
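
Added example (not part of the original message and not OpenSSH code): a small audit of an sshd_config against the four options discussed above, reporting whether host based access rests on the source address alone or also on an RSA host key, and which files are consulted. The defaults are the ones quoted from the man page in the message; the function names are hypothetical, and "first occurrence of a keyword wins" is an assumption about how sshd reads the file.

```python
# Defaults as quoted from the sshd man page excerpt in the message.
DEFAULTS = {
    "ignorerhosts": "yes",
    "ignoreuserknownhosts": "no",
    "rhostsauthentication": "no",
    "rhostsrsaauthentication": "no",
}
SYSTEM_FILES = ["/etc/hosts.equiv", "/etc/ssh/shosts.equiv"]
USER_FILES = ["~/.rhosts", "~/.shosts"]

def effective_options(config_text):
    """Parse sshd_config text into the effective values of the four options."""
    opts = {}
    for raw in config_text.splitlines():
        tokens = raw.split()
        # Skip blank lines, comment lines and keywords without a value.
        if len(tokens) < 2 or tokens[0].startswith("#"):
            continue
        key, value = tokens[0].lower(), tokens[1].lower()
        # Assumption: the first occurrence of a keyword wins.
        if key in DEFAULTS and key not in opts:
            opts[key] = value
    return {**DEFAULTS, **opts}

def classify(config_text):
    """Return (mode, trust_files, key_files) for host based authentication."""
    o = effective_options(config_text)
    trust = list(SYSTEM_FILES)
    if o["ignorerhosts"] == "no":
        trust += USER_FILES
    if o["rhostsauthentication"] == "yes":
        # Address-only trust: no host key is checked, so IP spoofing applies.
        return ("ip-only", trust, [])
    if o["rhostsrsaauthentication"] == "yes":
        keys = ["ssh_known_hosts"]
        if o["ignoreuserknownhosts"] == "no":
            keys.append("~/.ssh/known_hosts")
        return ("rsa-host-key", trust, keys)
    return ("disabled", [], [])

# Constructed sample: the "insecure" settings listed in the message.
INSECURE = """\
IgnoreRhosts no
IgnoreUserKnownHosts no   # or leave out since default
RhostsAuthentication yes
RhostsRSAAuthentication yes
"""

if __name__ == "__main__":
    print(classify(INSECURE))
    print(classify(INSECURE.replace("RhostsAuthentication yes", "RhostsAuthentication no")))
```

Any result of "ip-only" is the configuration to flag; "rsa-host-key" with user files in the trust list means individual users can still extend trust through ~/.rhosts or ~/.shosts.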