Thanks Jarrod and Josef! Jarrod, I am in the process of trying out host-based authentication. I might have made an error somewhere, so it does not work yet for me. I guess I will keep on it.
Josef, since you are already using FreeIPA, do you mind summarizing how it can help aid host-based authentication management for local accounts? I am very interested in it. Thanks.

On Wed, Jan 22, 2020 at 5:39 AM Jarrod Johnson <[email protected]> wrote:
> For completion, I'll document what I was discussing.
>
> I strangely can't find my notes, but here's some perspective on how my
> system looks:
> First is my global known hosts file. This works to not require a user to
> maintain known_hosts for its normal usage and a prelude for host based
> authentication:
> $ cat /etc/ssh/ssh_known_hosts
> @cert-authority * ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBum8H7Wf8k3vLBI8+mEZtvklpb0UxsLXrswMoXfLfELq70iLcmGqg3gcRSR7eUSyj/HQHxQYrH7l9/2mVrvn6M= root@leonidas
>
> With this, the associated set of private ssh keys with that line can use
> ssh-keygen to sign public keys. It does not allow all keys signed by the
> CA to authenticate, you will also need an /etc/shosts.equiv, which is just
> a list of ips and/or names. Unlike rhosts usage, wildcards are not
> allowed, so the list will have to ultimately have each and every node
> listed in it.
>
>
> For a client to use ssh client-side host based authentication:
> Host <entry>
> HostbasedAuthentication yes
> EnableSSHKeysign yes
>
> The EnableSSHKeysign is what tells ssh-keysign that it's ok to use the
> host private key on behalf of users.
>
> In sshd_config:
> HostbasedAuthentication yes
> HostbasedUsesNameFromPacketOnly yes
> IgnoreRhosts no (to use ~/.shosts)
>
> Some material on host based authentication
> https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Host-based_Authentication
>
> Mix and match with CA to get the above:
> https://www.lorier.net/docs/ssh-ca.html
>
>
> For reference, my plans are for a new node authentication scheme for
> provisioning (to enable some tighter security) and plan for it to always
> enable host based authentication (convenient for local accounts including
> node to node ssh as root if desired while using a moderately sane strategy
> for key management) and based on user configuration either nothing more,
> freeipa, or active directory joining. This would make control over the
> security behaviors a bit more straightforward and lock in some more
> hardened options than xCAT currently offers.
>
> As an aside, my current thinking in this future strategy is for the
> default behavior when not specifying a root password to change from 'not
> able to work' to 'deploy with root password access disabled, root access by
> key only'.
>
> -----Original Message-----
> From: Josef Dvoracek <[email protected]>
> Sent: Wednesday, January 22, 2020 4:28 AM
> To: [email protected]
> Subject: [External] Re: [xcat-user] host based authentication
>
>
> I’m using FreeIPA too so the hostkeys are stored on LDAP, it's
> integrated.
>
> thanks for mentioning this. I was struggling to design simple AND secure
> hostkey deployment mechanism. Good to know freeIPA can manage this.
>
> cheers
>
> josef
>
> On 21. 01. 20 23:28, Vinícius Ferrão via xCAT-user wrote:
> ...
>
> Josef Dvoracek
> Institute of Physics | Czech Academy of Sciences
> cell: +420 608 563 558 | office: +420 266 052 669 | fzu phone nr.: 2669
>
>
> _______________________________________________
> xCAT-user mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/xcat-user
>

--
Regards,
*Imam Toufique*
*213-700-5485*
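Jarrod's checklist above has four moving parts (the `@cert-authority` marker in the global known_hosts, an explicit per-node `/etc/shosts.equiv`, the client `Host` block with `HostbasedAuthentication` and `EnableSSHKeysign`, and the two sshd_config options), and a miss in any one of them fails silently with a generic "Permission denied". The following is an added example, not code from xCAT or from anyone in this thread: a small offline audit that takes the contents of those four files as strings and reports which prerequisite is missing, including the wildcard-in-shosts.equiv mistake the post warns about. The file contents, host names and CA key string are constructed placeholders; the `Match`-block handling for sshd_config is deliberately minimal (only global options are checked).

```python
"""Audit the OpenSSH pieces that CA-backed host-based authentication needs,
following the checklist in the thread above. Added example, not xCAT code;
file contents are passed in as strings so it runs offline against samples."""
import re
from fnmatch import fnmatch

# Required settings per the thread: client needs both in the matching Host
# block, server needs both in sshd_config. Keys are lower-cased for lookup.
CLIENT_REQUIRED = {"hostbasedauthentication": "yes", "enablesshkeysign": "yes"}
SERVER_REQUIRED = {"hostbasedauthentication": "yes",
                   "hostbasedusesnamefrompacketonly": "yes"}


def parse_blocks(text):
    """Split ssh_config/sshd_config text into [(pattern, {key: value})] in
    file order. Options before any Host/Match line land in a leading '*' block."""
    blocks = [("*", {})]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key in ("host", "match"):
            blocks.append((value, {}))
        else:
            blocks[-1][1].setdefault(key, value)   # first occurrence wins
    return blocks


def effective(blocks, host, key):
    """ssh_config rule: the first value obtained for a key wins, scanning
    blocks in file order and only those whose Host pattern matches."""
    for pattern, opts in blocks:
        if key in opts and any(fnmatch(host, p) for p in pattern.split()):
            return opts[key].lower()
    return None


def audit_known_hosts(text):
    """The global known_hosts must carry '@cert-authority <pattern> <type> <key>';
    without it, host keys signed by the CA are simply untrusted."""
    findings = []
    ca_lines = [l.strip() for l in text.splitlines() if l.startswith("@cert-authority")]
    if not ca_lines:
        findings.append("ssh_known_hosts: no @cert-authority line, signed host keys are untrusted")
    for line in ca_lines:
        parts = line.split()
        if len(parts) < 4 or not re.match(r"^(ssh-|ecdsa-|sk-)", parts[2]):
            findings.append(f"ssh_known_hosts: malformed CA line: {line!r}")
    return findings


def audit_shosts_equiv(text, expected_nodes):
    """shosts.equiv is a plain list of names/IPs; wildcards are not honoured,
    so every node that should be able to log in must appear explicitly."""
    findings, listed = [], set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        host = entry.split()[0]            # optional second field is a user name
        if any(c in host for c in "*?"):
            findings.append(f"shosts.equiv: wildcard entry {host!r} will never match")
            continue
        listed.add(host)
    for node in expected_nodes:
        if node not in listed:
            findings.append(f"shosts.equiv: {node!r} is not listed, its users will be refused")
    return findings


def audit_ssh_config(text, host):
    """Client side: both options must be in effect for the target host."""
    blocks = parse_blocks(text)
    return [f"ssh_config: {key} must be yes for {host}, found {effective(blocks, host, key)!r}"
            for key, want in CLIENT_REQUIRED.items()
            if effective(blocks, host, key) != want]


def audit_sshd_config(text):
    """Server side: check the global section only (Match blocks are ignored)."""
    global_opts = parse_blocks(text)[0][1]
    return [f"sshd_config: {key} must be yes, found {global_opts.get(key)!r}"
            for key, want in SERVER_REQUIRED.items()
            if global_opts.get(key, "").lower() != want]


def audit(known_hosts, shosts_equiv, ssh_config, sshd_config, host, nodes):
    """Run all four checks; an empty list means the setup matches the checklist."""
    return (audit_known_hosts(known_hosts) + audit_shosts_equiv(shosts_equiv, nodes)
            + audit_ssh_config(ssh_config, host) + audit_sshd_config(sshd_config))


# Constructed samples; the CA key blob is a placeholder, not real key material.
GOOD_KNOWN_HOSTS = "@cert-authority * ecdsa-sha2-nistp256 AAAAE2VjZHNh...PLACEHOLDER= root@ca-host\n"
GOOD_SHOSTS = "node01\nnode02\n10.0.0.3\n"
GOOD_SSH_CONFIG = "Host node*\n    HostbasedAuthentication yes\n    EnableSSHKeysign yes\n"
GOOD_SSHD_CONFIG = "HostbasedAuthentication yes\nHostbasedUsesNameFromPacketOnly yes\n"
BAD_SHOSTS = "node*\n"                             # wildcard: silently useless
BAD_SSHD_CONFIG = "HostbasedAuthentication yes\n"  # name-from-packet option missing

if __name__ == "__main__":
    for finding in audit(GOOD_KNOWN_HOSTS, BAD_SHOSTS, GOOD_SSH_CONFIG,
                         BAD_SSHD_CONFIG, "node01", ["node01", "node02"]):
        print(finding)
```

Running it as written prints three findings (the wildcard entry, the unlisted node01, and the missing `HostbasedUsesNameFromPacketOnly`); swapping in the `GOOD_*` samples yields none. On a real node the four strings would come from `/etc/ssh/ssh_known_hosts`, `/etc/shosts.equiv`, `/etc/ssh/ssh_config` and `/etc/ssh/sshd_config`, and the node list from the provisioning inventory.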
