Yes, it does mean something :-) I was a bit shaken by Kevin’s statement. Jarrod, if you find your notes, that would be very helpful.
Thanks!

On Tue, Jan 21, 2020 at 2:06 PM Jarrod Johnson <[email protected]> wrote:

> Actually, host based authentication using /etc/ssh/known_hosts does mean something.
>
> Instead of using user keys, the user uses the host key and HostAuthentication uses the known_hosts as the repository of keys.
>
> I have to look again, but my plan was to introduce a postscript to use this with SSH CA in lieu of the current remoteshell postscript. Each /etc/ssh/known_hosts would consist only of the CA line(s) and each deployment would have the new ssh keys signed by a server to allow each to have a private known_hosts file without having to update it for key churn.
>
> It’s like rhosts/hosts.equiv, but with cryptographic assurance with the host key used instead of each user having to manage it. It is why ssh-keysign is setgid ssh_keys, to allow a user on a system to ask the host key to sign on their behalf if the sshd_config is so willing.
>
> Regrettably, I don’t see my notes handy, I’ll try to find my notes on this topic.
>
> *From:* Kevin Keane <[email protected]>
> *Sent:* Tuesday, January 21, 2020 4:00 PM
> *To:* xCAT Users Mailing list <[email protected]>
> *Subject:* [External] Re: [xcat-user] host based authentication
>
> The known_hosts file has nothing to do with host-based authentication. It is used to verify the identity of the host when using SSH with standard user-based authentication.
>
> I believe you are thinking of rhosts? Generally speaking, using host-based authentication is highly discouraged for security reasons, but in an xCAT scenario it can make sense.
>
> Kevin Keane | Systems Architect | University of San Diego ITS
>
> On Tue, Jan 21, 2020 at 12:52 PM Imam Toufique <[email protected]> wrote:
>
> Hi,
>
> Quick question, before I jump in finding my own solution.
>
> Is there anything in xcat that would allow setting up host based authentication? I know root can ssh from the mgmt. node to all the nodes in the cluster. I am referring to user authentication, based on /etc/ssh/known_hosts file, where there is a list of hosts and their respective keys.
>
> thanks.
>
> _______________________________________________
> xCAT-user mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/xcat-user

--
Regards,
Imam Toufique
213-700-5485
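An audit of the layout Jarrod describes in the thread above (host-based authentication on both sides, `ssh-keysign` enabled, and a known_hosts file holding only CA lines), written as an added example that is not code from the thread or from xCAT. It assumes the OpenSSH keywords `HostbasedAuthentication` and `EnableSSHKeysign` and the `@cert-authority` known_hosts marker; the file contents, host names and key blobs are constructed samples.

```python
# Added example, not xCAT code. All file contents below are constructed samples.
GOOD = {
    "sshd": "HostbasedAuthentication yes\n",
    "ssh": "EnableSSHKeysign yes\nHost *\n    HostbasedAuthentication yes\n",
    "known_hosts": "@cert-authority *.cluster.example ssh-ed25519 AAAA-CONSTRUCTED-CA-KEY\n",
}
BAD = {
    "sshd": "#HostbasedAuthentication no\n",
    "ssh": "Host *\n    HostbasedAuthentication yes\n    EnableSSHKeysign yes\n",
    "known_hosts": "node01 ssh-ed25519 AAAA-CONSTRUCTED-HOST-KEY\n",
}

def directives(text, global_only=False):
    """First value per keyword in the global section, plus 'Host *' blocks
    unless global_only (OpenSSH keeps the first value it obtains)."""
    seen, active = {}, True
    for raw in text.splitlines():
        parts = raw.strip().replace("=", " ", 1).split()
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()
        if key in ("host", "match"):
            # Everything after a Host/Match line is conditional; only 'Host *' applies to all.
            active = not global_only and key == "host" and parts[1:] == ["*"]
        elif active:
            seen.setdefault(key, " ".join(parts[1:]))
    return seen

def audit(sshd, ssh, known_hosts):
    """Return a list of findings; an empty list means the layout matches."""
    findings, yes = [], ("yes", "true")
    if directives(sshd).get("hostbasedauthentication") not in yes:
        findings.append("sshd_config: HostbasedAuthentication is not enabled")
    if directives(ssh).get("hostbasedauthentication") not in yes:
        findings.append("ssh_config: HostbasedAuthentication is not enabled")
    if directives(ssh, global_only=True).get("enablesshkeysign") not in yes:
        findings.append("ssh_config: EnableSSHKeysign is not yes in the non-host-specific section")
    # First field of every non-comment known_hosts line: a marker or a host pattern.
    entries = [l.split()[0] for l in known_hosts.splitlines()
               if l.strip() and not l.lstrip().startswith("#")]
    if "@cert-authority" not in entries:
        findings.append("known_hosts: no @cert-authority line")
    plain = sum(1 for e in entries if not e.startswith("@"))
    if plain:
        findings.append(f"known_hosts: {plain} per-host key line(s) that must track key churn")
    return findings
```

The check does not cover the `hosts.equiv`/`shosts.equiv` entry that sshd also requires before it accepts a host-based login.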
