Note that the root user ignores /etc/ssh/shosts.equiv; root access is only through ~root/.shosts.

Depending on how things are and what OS, the other thing I've seen is ssh-keysign permissions being off. You'd have to show permissions on the private keys and check the ssh-keysign permissions: ssh-keysign being setgid to ssh_keys and the ssh private host key being group readable by the ssh_keys group, for example. I don't know if that was the issue, but if you have some info I might recognize it.

With FreeIPA, I assume you'd do kerberized ssh for user authentication? That's generally good for node to node within a cluster. One limitation is that for a user coming in from outside, I think they would have to enter their password once on the way in to get a valid keytab. This isn't too bad, but it's a bit nicer if I can ssh in with my key and then be able to hop on over to other nodes.

Of course, just like I connected the CA approach to known_hosts with host based authentication as a strategy, I'm sure you could take FreeIPA host key information and do the same thing instead of an SSH CA. I intend to make SSH CA easier to use, but if you can do FreeIPA with no problem then that should be able to do the same thing.

From: Imam Toufique <[email protected]>
Sent: Wednesday, January 22, 2020 1:50 PM
To: xCAT Users Mailing list <[email protected]>
Subject: Re: [xcat-user] [External] Re: host based authentication

thanks Jarrod and Josef!

Jarrod, I am in the process of trying out host-based authentication. I might have made an error somewhere, so it does not work yet for me. I guess I will keep on it.

Josef, since you are already using freeIPA, do you mind summarizing how it can help aid host-based authentication management for local accounts? I am very interested in it.

thanks

On Wed, Jan 22, 2020 at 5:39 AM Jarrod Johnson <[email protected]> wrote:

For completion, I'll document what I was discussing. I strangely can't find my notes, but here's some perspective on how my system looks:

First is my global known hosts file. This works to not require a user to maintain known_hosts for its normal usage and is a prelude for host based authentication:

    $ cat /etc/ssh/ssh_known_hosts
    @cert-authority * ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBum8H7Wf8k3vLBI8+mEZtvklpb0UxsLXrswMoXfLfELq70iLcmGqg3gcRSR7eUSyj/HQHxQYrH7l9/2mVrvn6M= root@leonidas

With this, the set of private ssh keys associated with that line can use ssh-keygen to sign public keys. It does not allow all keys signed by the CA to authenticate; you will also need an /etc/shosts.equiv, which is just a list of ips and/or names. Unlike rhosts usage, wildcards are not allowed, so the list will ultimately have to have each and every node listed in it.

For a client to use ssh client-side host based authentication:

    Host <entry>
        HostbasedAuthentication yes
        EnableSSHKeysign yes

The EnableSSHKeysign is what tells ssh-keysign that it's ok to use the host private key on behalf of users.

In sshd_config:

    HostbasedAuthentication yes
    HostbasedUsesNameFromPacketOnly yes
    IgnoreRhosts no (to use ~/.shosts)

Some material on host based authentication: https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Host-based_Authentication

Mix and match with CA to get the above: https://www.lorier.net/docs/ssh-ca.html

For reference, my plans are for a new node authentication scheme for provisioning (to enable some tighter security). I plan for it to always enable host based authentication (convenient for local accounts, including node to node ssh as root if desired, while using a moderately sane strategy for key management) and, based on user configuration, either nothing more, freeipa, or active directory joining. This would make control over the security behaviors a bit more straightforward and lock in some more hardened options than xCAT currently offers.

As an aside, my current thinking in this future strategy is for the default behavior when not specifying a root password to change from 'not able to work' to 'deploy with root password access disabled, root access by key only'.

-----Original Message-----
From: Josef Dvoracek <[email protected]>
Sent: Wednesday, January 22, 2020 4:28 AM
To: [email protected]
Subject: [External] Re: [xcat-user] host based authentication

> I'm using FreeIPA too so the hostkeys are stored on LDAP, it's integrated.

thanks for mentioning this. I was struggling to design a simple AND secure hostkey deployment mechanism. Good to know freeIPA can manage this.

cheers
josef

On 21. 01. 20 23:28, Vinícius Ferrão via xCAT-user wrote:
...

Josef Dvoracek
Institute of Physics | Czech Academy of Sciences
cell: +420 608 563 558 | office: +420 266 052 669 | fzu phone nr.: 2669

_______________________________________________
xCAT-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/xcat-user

--
Regards,
Imam Toufique
213-700-5485
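The thread spells out several rules that have to line up before host-based authentication works: the server's ssh_known_hosts needs an @cert-authority line whose host pattern covers the connecting node, shosts.equiv must list each node explicitly because wildcards are not honoured, root is governed only by ~root/.shosts (which sshd reads only when IgnoreRhosts is no), and the client needs HostbasedAuthentication plus EnableSSHKeysign for the destination. The audit script below, an added example and not code from the thread or from xCAT, checks those rules against constructed inline copies of the four files; the CA public key is a placeholder, the host names are invented, and the pattern matcher is a simplified version of OpenSSH's.

```python
"""Audit a constructed OpenSSH host-based authentication setup.
Added example, not xCAT's code: inputs are inline constructed strings and
the CA public key is a placeholder, not a real key."""
import fnmatch

# Server-side /etc/ssh/ssh_known_hosts: trust host certificates signed by the cluster CA.
KNOWN_HOSTS = """\
@cert-authority *.cluster.example ecdsa-sha2-nistp256 AAAAPLACEHOLDER= root@leonidas
"""
# Server-side shosts.equiv, one node per line; the wildcard line is a deliberate mistake.
SHOSTS_EQUIV = """\
node01.cluster.example
node02.cluster.example
*.cluster.example
"""
SSHD_CONFIG = """\
HostbasedAuthentication yes
HostbasedUsesNameFromPacketOnly yes
IgnoreRhosts no
"""
SSH_CONFIG = """\
Host *.cluster.example
    HostbasedAuthentication yes
    EnableSSHKeysign yes
"""


def host_matches(patterns, host):
    """Simplified OpenSSH pattern match: '*' and '?' wildcards, '!' negation,
    comma-separated alternatives (known_hosts and ssh_config Host lines)."""
    matched = False
    for pat in patterns.split(","):
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            matched = True
    return matched


def ca_trusts_host(known_hosts, client_host):
    """True if an @cert-authority line's host pattern covers client_host."""
    for line in known_hosts.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "@cert-authority" and host_matches(parts[1], client_host):
            return True
    return False


def parse_shosts_equiv(text):
    """Return (entries, warnings); wildcards are flagged since sshd does not expand them."""
    entries, warnings = [], []
    for num, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        entry = line.split()[0]
        if "*" in entry or "?" in entry:
            warnings.append(f"shosts.equiv line {num}: wildcard {entry!r} is ignored; list each node")
        else:
            entries.append(entry)
    return entries, warnings


def parse_config(text, server_host=None):
    """Keyword/value pairs in effect (first value seen wins, as in OpenSSH).
    ssh_config Host blocks gate later keywords; sshd_config has no Host lines."""
    opts, active = {}, True
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        key, val = parts[0].lower(), parts[1].strip()
        if key == "host":
            active = any(host_matches(p, server_host or "") for p in val.split())
        elif active:
            opts.setdefault(key, val)
    return opts


def audit(user, client_host, server_host, root_shosts=()):
    """Report whether `user` hopping from client_host to server_host is set up for
    host-based auth; root_shosts stands in for the contents of the server's ~root/.shosts."""
    errors = []
    sshd = parse_config(SSHD_CONFIG)
    if sshd.get("hostbasedauthentication") != "yes":
        errors.append("sshd_config: HostbasedAuthentication is not yes")
    client = parse_config(SSH_CONFIG, server_host)
    for key in ("hostbasedauthentication", "enablesshkeysign"):
        if client.get(key) != "yes":
            errors.append(f"ssh_config: {key} is not yes for {server_host}")
    if not ca_trusts_host(KNOWN_HOSTS, client_host):
        errors.append(f"ssh_known_hosts: no @cert-authority line covers {client_host}")
    entries, warnings = parse_shosts_equiv(SHOSTS_EQUIV)
    if user == "root":
        # root ignores shosts.equiv; only ~root/.shosts counts, and sshd reads it
        # only when IgnoreRhosts is no (the OpenSSH default is yes).
        if sshd.get("ignorerhosts", "yes") != "no":
            errors.append("sshd_config: IgnoreRhosts must be no for ~root/.shosts to apply")
        if client_host not in root_shosts:
            errors.append(f"~root/.shosts does not list {client_host}")
    elif client_host not in entries:
        errors.append(f"shosts.equiv does not list {client_host}")
    return {"allowed": not errors, "errors": errors, "warnings": warnings}
```

Running `audit("alice", "node03.cluster.example", "node02.cluster.example")` shows the trap the thread warns about: the `*.cluster.example` line in shosts.equiv produces a warning rather than a match, so node03 is refused until it is listed by name, while the same call for root fails regardless of shosts.equiv unless `root_shosts` names the client. To run this against a live server, swap the inline strings for the real file contents; the ssh-keysign permission check mentioned in the thread needs filesystem access and is deliberately left out of this offline version.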
