For completion, I'll document what I was discussing.

I strangely can't find my notes, but here's some perspective on how my system 
looks:
First is my global known hosts file.  This works so that a user does not have to 
maintain known_hosts for normal usage, and it is a prelude to host based 
authentication:
$ cat /etc/ssh/ssh_known_hosts
@cert-authority * ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBum8H7Wf8k3vLBI8+mEZtvklpb0UxsLXrswMoXfLfELq70iLcmGqg3gcRSR7eUSyj/HQHxQYrH7l9/2mVrvn6M= root@leonidas

With this, the private ssh key associated with that line can be used with 
ssh-keygen to sign public keys.  It does not allow all keys signed by the CA to 
authenticate; you will also need an /etc/shosts.equiv, which is just a list of 
IPs and/or names.  Unlike rhosts usage, wildcards are not allowed, so the list 
will ultimately have to have each and every node listed in it.


For a client to use ssh client-side host based authentication:
# EnableSSHKeysign is read by ssh-keysign from the non-host-specific part of
# /etc/ssh/ssh_config (see ssh_config(5)); inside a Host block it is not seen.
EnableSSHKeysign yes
Host <entry>
   HostbasedAuthentication yes

The EnableSSHKeysign is what tells ssh-keysign that it's ok to use the host 
private key on behalf of users.

In sshd_config:
HostbasedAuthentication yes
HostbasedUsesNameFromPacketOnly yes
# IgnoreRhosts no is only needed to use ~/.shosts as well as /etc/shosts.equiv
IgnoreRhosts no

Some material on host based authentication
https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Host-based_Authentication

Mix and match with CA to get the above:
https://www.lorier.net/docs/ssh-ca.html


For reference, my plans are for a new node authentication scheme for 
provisioning (to enable some tighter security) and plan for it to always enable 
host based authentication (convenient for local accounts including node to node 
ssh as root if desired while using a moderately sane strategy for key 
management) and based on user configuration either nothing more, freeipa, or 
active directory joining.  This would make control over the security behaviors 
a bit more straightforward and lock in some more hardened options than xCAT 
currently offers.

As an aside, my current thinking in this future strategy is for the default 
behavior when not specifying a root password to change from 'not able to work' 
to 'deploy with root password access disabled, root access by key only'.

-----Original Message-----
From: Josef Dvoracek <[email protected]> 
Sent: Wednesday, January 22, 2020 4:28 AM
To: [email protected]
Subject: [External] Re: [xcat-user] host based authentication

> I'm using FreeIPA too so the hostkeys are stored on LDAP, it's integrated.

thanks for mentioning this. I was struggling to design a simple AND secure 
hostkey deployment mechanism. Good to know freeIPA can manage this.

cheers

josef

On 21. 01. 20 23:28, Vinícius Ferrão via xCAT-user wrote:
...

Josef Dvoracek
Institute of Physics | Czech Academy of Sciences
cell: +420 608 563 558 | office: +420 266 052 669 | fzu phone nr. : 2669



_______________________________________________
xCAT-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/xcat-user


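The host based authentication setup described at the top of this message (a @cert-authority line in /etc/ssh/ssh_known_hosts plus an exact-host /etc/shosts.equiv) has details that sshd only complains about at debug log level. The checker below is an added example, not code from the list post or from xCAT: it parses a @cert-authority line, verifies that the declared key type matches the type embedded in the key blob, matches host names against the pattern field with the same "*", "?", "," and "!" rules OpenSSH uses for known_hosts, and flags shosts.equiv entries that sshd can never match because they are not literal host names or addresses. The CA line is the one quoted in the message; the shosts.equiv contents and host names (node01.cluster.internal and so on) are constructed sample input.

```python
"""Sanity checks for an OpenSSH host-based authentication setup: a
@cert-authority line in /etc/ssh/ssh_known_hosts and an /etc/shosts.equiv.
Added example; not code from the list post or from xCAT."""
import base64
import re
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The CA line quoted in the message above (comment root@leonidas, pattern "*").
CA_LINE = (
    "@cert-authority * ecdsa-sha2-nistp256 "
    "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBum8H7Wf8k3vLBI8+mEZtvk"
    "lpb0UxsLXrswMoXfLfELq70iLcmGqg3gcRSR7eUSyj/HQHxQYrH7l9/2mVrvn6M= root@leonidas"
)

# Constructed sample /etc/shosts.equiv (host names are made up, not from the post).
SAMPLE_SHOSTS_EQUIV = """\
# one literal host name or address per line
node01.cluster.internal
node02.cluster.internal
10.10.0.12
@computes
*.cluster.internal
+
"""


@dataclass
class CertAuthority:
    patterns: List[str]      # comma-separated host patterns (second field)
    key_type: str            # declared key type, e.g. ecdsa-sha2-nistp256
    curve: Optional[str]     # NIST curve for ecdsa keys, else None
    comment: str


def _ssh_string(blob: bytes, off: int) -> Tuple[bytes, int]:
    """Read one RFC 4251 'string' (uint32 length + bytes) at offset off."""
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", blob[off:off + 4])
    if off + 4 + n > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:off + 4 + n], off + 4 + n


def parse_cert_authority(line: str) -> CertAuthority:
    """Parse '@cert-authority <patterns> <type> <base64 blob> [comment]' and
    reject a declared type that differs from the type inside the blob (the
    usual result of pasting a key next to the wrong label)."""
    parts = line.split(None, 4)
    if len(parts) < 4 or parts[0] != "@cert-authority":
        raise ValueError("not a @cert-authority line")
    patterns, key_type, b64 = parts[1].split(","), parts[2], parts[3]
    comment = parts[4].strip() if len(parts) == 5 else ""
    blob = base64.b64decode(b64, validate=True)
    embedded, off = _ssh_string(blob, 0)
    if embedded.decode("ascii", "replace") != key_type:
        raise ValueError(f"declared {key_type!r} but blob holds {embedded!r}")
    curve = None
    if key_type.startswith("ecdsa-sha2-"):
        curve_b, off = _ssh_string(blob, off)
        curve = curve_b.decode("ascii", "replace")
        point, off = _ssh_string(blob, off)      # uncompressed point, 0x04 prefix
        if key_type != "ecdsa-sha2-" + curve or point[:1] != b"\x04" or off != len(blob):
            raise ValueError("malformed ecdsa public key")
    return CertAuthority(patterns, key_type, curve, comment)


def _glob(pattern: str, host: str) -> bool:
    """OpenSSH match_pattern(): only '*' and '?' are special, no [] classes."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, host) is not None


def ca_matches_host(ca: CertAuthority, host: str) -> bool:
    """known_hosts pattern list: a '!' entry that matches rejects the host
    outright; otherwise any positive entry that matches is enough."""
    host = host.lower()
    matched = False
    for pat in (p.lower() for p in ca.patterns):
        if pat.startswith("!"):
            if _glob(pat[1:], host):
                return False
        elif _glob(pat, host):
            matched = True
    return matched


def check_shosts_equiv(text: str):
    """Return (usable entries, problems). sshd compares the host field
    literally with the client's name or address (or a '@netgroup'), so an
    entry with wildcard characters can never match anything."""
    hosts, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        host = fields[0]
        if host.startswith("-"):          # explicit deny entry, always fine
            continue
        if host.startswith("+"):          # '+host' means the same as 'host'
            host = host[1:]
        if not host or any(c in host for c in "*?"):
            problems.append((lineno, raw, "not a literal host or @netgroup; sshd never matches it"))
            continue
        if len(fields) > 1:
            problems.append((lineno, raw, "user field widens trust beyond same-username logins; review"))
        hosts.append(host)
    return hosts, problems


if __name__ == "__main__":
    ca = parse_cert_authority(CA_LINE)
    print(f"CA {ca.key_type} curve={ca.curve} comment={ca.comment!r} patterns={ca.patterns}")
    for h in ("node01.cluster.internal", "login1.cluster.internal"):
        print(f"  {h}: {'signed host keys trusted' if ca_matches_host(ca, h) else 'not covered'}")
    usable, problems = check_shosts_equiv(SAMPLE_SHOSTS_EQUIV)
    print("shosts.equiv usable entries:", usable)
    for lineno, raw, why in problems:
        print(f"  line {lineno} {raw!r}: {why}")
```

Run it against the real files with `parse_cert_authority(open("/etc/ssh/ssh_known_hosts").readline())` and `check_shosts_equiv(open("/etc/shosts.equiv").read())`. Two points the checker cannot see but that matter for the setup above: with the pattern field left as "*", any host key signed by that CA is trusted for every destination, so scoping it (for example "*.cluster.internal") limits what a leaked CA key can impersonate; and sshd consults /etc/shosts.equiv only for non-root target accounts, which is why node-to-node root ssh needs /root/.shosts and the IgnoreRhosts no setting from the sshd_config fragment.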