Sorry about that! And thanks for the correction, Jarrod. I'll never stop learning.
_______________________________________________________________________
Kevin Keane | Systems Architect | University of San Diego ITS | [email protected]
Maher Hall, 192 | 5998 Alcalá Park | San Diego, CA 92110-2492 | 619.260.6859 | Text: 760-721-8339

*REMEMBER! **No one from IT at USD will ever ask to confirm or supply your password*.
These messages are an attempt to steal your username and password. Please do not reply to, click the links within, or open the attachments of these messages. Delete them!

On Tue, Jan 21, 2020 at 4:12 PM Imam Toufique <[email protected]> wrote:

> Yes, it does mean something :-) I was a bit shaken by Kevin’s statement.
>
> Jarrod, if you find your notes, that would be very helpful.
>
> Thanks!
>
> On Tue, Jan 21, 2020 at 2:06 PM Jarrod Johnson <[email protected]> wrote:
>
>> Actually, host based authentication using /etc/ssh/known_hosts does mean something.
>>
>> Instead of using user keys, the user uses the host key and HostAuthentication uses the known_hosts as the repository of keys.
>>
>> I have to look again, but my plan was to introduce a postscript to use this with SSH CA in lieu of the current remoteshell postscript. Each /etc/ssh/known_hosts would consist only of the CA line(s) and each deployment would have the new ssh keys signed by a server to allow each to have a private known_hosts file without having to update it for key churn.
>>
>> It’s like rhosts/hosts.equiv, but with cryptographic assurance with the host key used instead of each user having to manage it. It is why ssh-keysign is setgid ssh_keys, to allow a user on a system to ask the host key to sign on their behalf if the sshd_config is so willing.
>>
>> Regrettably, I don’t see my notes handy, I’ll try to find my notes on this topic.
>>
>> *From:* Kevin Keane <[email protected]>
>> *Sent:* Tuesday, January 21, 2020 4:00 PM
>> *To:* xCAT Users Mailing list <[email protected]>
>> *Subject:* [External] Re: [xcat-user] host based authentication
>>
>> The known_hosts file has nothing to do with host-based authentication. It is used to verify the identity of the host when using SSH with standard user-based authentication.
>>
>> I believe you are thinking of rhosts? Generally speaking, using host-based authentication is highly discouraged for security reasons, but in an xCAT scenario it can make sense.
>>
>> On Tue, Jan 21, 2020 at 12:52 PM Imam Toufique <[email protected]> wrote:
>>
>> Hi,
>>
>> Quick question, before I jump in finding my own solution.
>>
>> Is there anything in xcat that would allow setting up host based authentication? I know root can ssh from the mgmt. node to all the nodes in the cluster. I am referring to user authentication, based on /etc/ssh/known_hosts file, where there is a list of hosts and their respective keys.
>>
>> thanks.
>
> --
> Regards,
> *Imam Toufique*
> *213-700-5485*
_______________________________________________
xCAT-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/xcat-user
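
The plan quoted in the thread has each /etc/ssh/known_hosts hold only the CA line(s). One way to check a file against that layout, as an added example that is not part of the thread or of xCAT; the function names are hypothetical, and the sample host names and key blobs are constructed placeholders, not real keys.

```python
import base64
import struct

def blob_type(b64):
    """Key type named in the blob's first length-prefixed string, or None."""
    try:
        blob = base64.b64decode(b64, validate=True)
        (n,) = struct.unpack(">I", blob[:4])
        name = blob[4:4 + n]
        return name.decode("ascii") if n and len(name) == n else None
    except (ValueError, struct.error):
        return None

def audit_known_hosts(text):
    """Sort lines into CA anchors, revocations, pinned host keys and bad lines."""
    report = {"ca": [], "revoked": [], "pinned": [], "invalid": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        marker = fields.pop(0) if fields[0].startswith("@") else None
        # Remaining layout: hostnames, key type, base64 key, optional comment.
        if len(fields) < 3 or blob_type(fields[2]) != fields[1]:
            report["invalid"].append(lineno)
        elif marker == "@cert-authority":
            report["ca"].append((lineno, fields[0], fields[1]))
        elif marker == "@revoked":
            report["revoked"].append(lineno)
        elif marker is None:
            report["pinned"].append((lineno, fields[0], fields[1]))
        else:
            report["invalid"].append(lineno)
    return report

def is_ca_only(report):
    """True when host trust rests only on CA lines (revocations allowed)."""
    return bool(report["ca"]) and not report["pinned"] and not report["invalid"]

def fake_key(keytype):
    """Constructed stand-in: valid type header, zero filler, not a real key."""
    body = struct.pack(">I", len(keytype)) + keytype.encode() + bytes(32)
    return base64.b64encode(body).decode()

SAMPLE = "\n".join([
    "# constructed sample; host names are placeholders",
    f"@cert-authority *.cluster.example ssh-ed25519 {fake_key('ssh-ed25519')} ca",
    f"node01.cluster.example ssh-ed25519 {fake_key('ssh-ed25519')}",
    f"node02.cluster.example ssh-rsa {fake_key('ssh-ed25519')}",
])
```

Entries reported under `pinned` are the per-host keys that would have to be updated on key churn; entries under `invalid` have a key blob whose embedded type does not match the declared key type, or an unknown marker.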
