hey, no worries. I will never stop learning too :-)

On Tue, Jan 21, 2020 at 4:46 PM Kevin Keane <[email protected]> wrote:

> Sorry about that! And thanks for the correction, Jarrod. I'll never stop
> learning.
>
> _______________________________________________________________________
> Kevin Keane | Systems Architect | University of San Diego ITS |
> [email protected]
> Maher Hall, 192 | 5998 Alcalá Park | San Diego, CA 92110-2492 | 619.260.6859
> | Text: 760-721-8339
>
> *REMEMBER! No one from IT at USD will ever ask to confirm or supply
> your password*.
> These messages are an attempt to steal your username and password. Please
> do not reply to, click the links within, or open the attachments of these
> messages. Delete them!
>
> On Tue, Jan 21, 2020 at 4:12 PM Imam Toufique <[email protected]> wrote:
>
>> Yes, it does mean something :-) I was a bit shaken by Kevin’s statement.
>>
>> Jarrod, if you find your notes, that would be very helpful.
>>
>> Thanks!
>>
>> On Tue, Jan 21, 2020 at 2:06 PM Jarrod Johnson <[email protected]>
>> wrote:
>>
>>> Actually, host based authentication using /etc/ssh/known_hosts does mean
>>> something.
>>>
>>> Instead of using user keys, the user uses the host key and
>>> HostAuthentication uses the known_hosts as the repository of keys.
>>>
>>> I have to look again, but my plan was to introduce a postscript to use
>>> this with SSH CA in lieu of the current remoteshell postscript. Each
>>> /etc/ssh/known_hosts would consist only of the CA line(s) and each
>>> deployment would have the new ssh keys signed by a server to allow each to
>>> have a private known_hosts file without having to update it for key churn.
>>>
>>> It’s like rhosts/hosts.equiv, but with cryptographic assurance with the
>>> host key used instead of each user having to manage it. It is why
>>> ssh-keysign is setgid ssh_keys, to allow a user on a system to ask the host
>>> key to sign on their behalf if the sshd_config is so willing.
>>>
>>> Regrettably, I don’t see my notes handy, I’ll try to find my notes on
>>> this topic.
>>>
>>> *From:* Kevin Keane <[email protected]>
>>> *Sent:* Tuesday, January 21, 2020 4:00 PM
>>> *To:* xCAT Users Mailing list <[email protected]>
>>> *Subject:* [External] Re: [xcat-user] host based authentication
>>>
>>> The known_hosts file has nothing to do with host-based authentication.
>>> It is used to verify the identity of the host when using SSH with standard
>>> user-based authentication.
>>>
>>> I believe you are thinking of rhosts? Generally speaking, using
>>> host-based authentication is highly discouraged for security reasons, but
>>> in an xCAT scenario it can make sense.
>>>
>>> On Tue, Jan 21, 2020 at 12:52 PM Imam Toufique <[email protected]>
>>> wrote:
>>>
>>> Hi,
>>>
>>> Quick question, before I jump in finding my own solution.
>>>
>>> Is there anything in xcat that would allow setting up host based
>>> authentication? I know root can ssh from the mgmt. node to all the nodes
>>> in the cluster. I am referring to user authentication, based on
>>> /etc/ssh/known_hosts file, where there is a list of hosts and their
>>> respective keys.
>>>
>>> thanks.
>>
>> --
>> Regards,
>> *Imam Toufique*
>> *213-700-5485*

--
Regards,
*Imam Toufique*
*213-700-5485*
_______________________________________________
xCAT-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/xcat-user
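
The setup described in the quoted thread (host-based authentication with a known_hosts file that holds only SSH CA lines) can be checked on a node with a small audit. This is an added example, not part of the original thread or of xCAT; the function names are hypothetical, the sample input is constructed, and it assumes OpenSSH's `HostbasedAuthentication` and `EnableSSHKeysign` keywords and `@cert-authority` known_hosts marker.

```python
# Added example: audit OpenSSH config text for CA-backed host-based auth.
# Simplification (assumption): Match/Host blocks and Include are not evaluated.

def first_value(config_text, keyword):
    """Return the first value given for keyword; OpenSSH keeps the first one."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) == 2 and parts[0].lower() == keyword.lower():
            return parts[1].strip().strip('"').lower()
    return None

def known_hosts_entries(text):
    """Yield (marker, hosts, keytype) for each known_hosts entry."""
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        marker = fields.pop(0) if fields[0].startswith("@") else None
        if len(fields) >= 2:
            yield marker, fields[0], fields[1]

def audit_hostbased(sshd_config, ssh_config, known_hosts):
    """Return findings that block or weaken the CA-only known_hosts setup."""
    findings = []
    if first_value(sshd_config, "HostbasedAuthentication") != "yes":
        findings.append("sshd_config: HostbasedAuthentication is not enabled")
    for kw in ("HostbasedAuthentication", "EnableSSHKeysign"):
        if first_value(ssh_config, kw) != "yes":
            findings.append(f"ssh_config: {kw} is not enabled")
    entries = list(known_hosts_entries(known_hosts))
    if not any(marker == "@cert-authority" for marker, _, _ in entries):
        findings.append("known_hosts: no @cert-authority line")
    for marker, hosts, keytype in entries:
        if marker is None:  # plain host key: has to be replaced on every key change
            findings.append(f"known_hosts: per-host {keytype} key for {hosts}")
    return findings

# Constructed sample input; host names and key material are placeholders.
SSHD = "# server side\nHostbasedAuthentication yes\n"
SSH = "Host *\n    HostbasedAuthentication yes\n    EnableSSHKeysign yes\n"
CA_ONLY = "@cert-authority *.cluster.example ssh-ed25519 PLACEHOLDERKEY cluster-ca\n"
MIXED = CA_ONLY + "node01.cluster.example ssh-ed25519 PLACEHOLDERKEY\n"

if __name__ == "__main__":
    for name, kh in (("CA only", CA_ONLY), ("mixed", MIXED)):
        print(name, audit_hostbased(SSHD, SSH, kh) or "ok")
```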
