Date: Mon, 11 Oct 2004 07:44:15 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: Joe Schmoe <non_secure@yahoo.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: host-based ssh authentication (no password) not working ... help needed
Message-ID: <20041011064415.GA89022@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <20041010211432.14123.qmail@web53306.mail.yahoo.com>
References: <20041010193656.GA8450@happy-idiot-talk.infracaninophile.co.uk> <20041010211432.14123.qmail@web53306.mail.yahoo.com>

On Sun, Oct 10, 2004 at 02:14:32PM -0700, Joe Schmoe wrote:
>
> --- Matthew Seaman <m.seaman@infracaninophile.co.uk> wrote:
>
> > For ssh(1) to work using key based auth, all of the files in
> > ~user/.ssh on the server must have the correct permissions, and the
> > host public keys for the server should be known to the client machine,
> > and vice versa.
>
> No no ... I was talking about _host_ keys, not user
> keys - no user home directories should be involved at
> all. I am simply sharing host keys so that all users
> on CLIENT can login to SERVER with no passwords ... am
> I missing something here ?

Errr... That's not recommended, but it should be possible. They are
your systems, and you can do whatever you want with them. The
procedure I gave about using sshd with all the debug flags turned on
should still be helpful for debugging the setup.

You'll also need

    HostbasedAuthentication yes

but you should have

    #RhostsRSAAuthentication no

because you don't want to be using SSH1 if you can avoid it. Plus you
maybe want:

    IgnoreRhosts yes
    IgnoreUserKnownHosts yes

in your /etc/ssh/sshd_config on the server.

> I think my problem is that I gave the public _host_
> key of the CLIENT to the SERVER, but really I should
> give the public _host_ key of the SERVER to the CLIENT
> ... is that my problem ?

Yes, you will need to populate /etc/ssh/ssh_known_hosts on both client
and server.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil. 26 The Paddocks
Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey Marlow
Tel: +44 1628 476614 Bucks., SL7 1TH UK
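
One way to check the server side of the setup discussed in this message, as an added example that is not part of the original e-mail: it reads an sshd_config the way sshd does (the first uncommented value wins) and looks a host name up in an unhashed ssh_known_hosts file. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message): audit the server-side
# settings named above. File paths and sample contents are constructed.

# Print the effective value of keyword $2 in sshd_config $1. sshd keeps the
# first uncommented occurrence, keywords are case-insensitive, and the global
# section ends at the first Match line. Assumes "Keyword value" spacing.
sshd_effective() {
    awk -v want="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        NF >= 2 && tolower($1) == tolower(want) { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Report each directive from the message; return 1 if any differs.
audit_hostbased() {
    rc=0
    for pair in HostbasedAuthentication=yes IgnoreRhosts=yes IgnoreUserKnownHosts=yes; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(sshd_effective "$1" "$key")
        if [ "$got" = "$want" ]; then
            echo "ok    $key $got"
        else
            echo "CHECK $key is $got, expected $want"
            rc=1
        fi
    done
    return "$rc"
}

# Succeed if host $2 is named in known_hosts file $1 (unhashed entries only).
known_host_listed() {
    awk -v host="$2" '
        /^[ \t]*(#|$)/ { next }
        { n = split($1, names, ",")
          for (i = 1; i <= n; i++) if (names[i] == host) { hit = 1; exit } }
        END { exit !hit }
    ' "$1"
}

# Constructed sample: the last directive is set against the advice above.
cfg=$(mktemp)
printf '%s\n' '#RhostsRSAAuthentication no' 'HostbasedAuthentication yes' \
    'IgnoreRhosts yes' 'ignoreuserknownhosts no' > "$cfg"
audit_hostbased "$cfg" || echo "review $cfg before relying on host-based auth"
rm -f "$cfg"
```

A value reported as "unset" means sshd falls back to its compiled-in default for that keyword, which is also what happens when the only occurrence is commented out.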
