From owner-freebsd-hackers@FreeBSD.ORG Sun Oct 17 23:48:03 2004
Message-ID: <20041017234802.33563.qmail@web53301.mail.yahoo.com>
Date: Sun, 17 Oct 2004 16:48:02 -0700 (PDT)
From: Joe Schmoe
To: freebsd-hackers@freebsd.org
Subject: passwordless ssh logins with shared _HOST_ keys - not working.

(I have asked this several times on -questions and gotten nothing ...)

I am trying to allow _all users_ on CLIENT to log in to SERVER without a password.

IMPORTANT: I am not interested in user keys _at all_ - at no point in this process should I ever be dealing with any keys in /home/user/.ssh - I am only interested in doing this with HOST keys - where I copy one key between SERVER and CLIENT, and _all_ users on CLIENT can log in to SERVER without a password. Don't even mention user keys.

My /etc/sshd/sshd_config is exactly the same on both SERVER and CLIENT:

    #VersionAddendum FreeBSD-20020629
    #Port 22
    #Protocol 2,1
    #ListenAddress 0.0.0.0
    #ListenAddress ::

    # Authentication:
    IgnoreRhosts yes
    #RhostsRSAAuthentication no
    HostbasedAuthentication yes
    IgnoreUserKnownHosts yes
    ChallengeResponseAuthentication no

Further, SERVER has CLIENT in its /etc/hosts.equiv, and CLIENT has SERVER in its /etc/hosts.equiv.

Finally, I have run:

    ssh-keyscan SERVER >> /etc/ssh/ssh_known_hosts

on the CLIENT, and run:

    ssh-keyscan CLIENT >> /etc/ssh/ssh_known_hosts

on the SERVER. So the keys are properly shared. The permissions on /etc/ssh/known_hosts on each system are:

    2 -rw-r--r-- 1 root wheel

So that's it. The options are set in sshd_config, the keys have been exchanged, hosts.equiv are populated and permissions are correct.

So now I go to CLIENT and run:

    ssh user@SERVER

and I get a password prompt!!!

So what am I doing wrong?

Again - NO user keys are used and I am not interested in user keys _AT ALL_. Don't even mention the /home/user/.ssh directory. The goal here is to share one public key between SERVER and CLIENT and allow _all_ users on CLIENT to log into SERVER without a password.

So what am I doing wrong?

thanks.
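
Added example, not part of the original message: a small Python audit of the settings OpenSSH host-based authentication depends on at both ends, run over constructed sample input. The sshd_config lines are the ones quoted in the message; the client ssh_config, the hosts.equiv and known_hosts contents, and all function names are assumptions made for illustration.

```python
# Added example. All inputs are constructed samples, not read from a live system.
SERVER_SSHD_CONFIG = """\
IgnoreRhosts yes
#RhostsRSAAuthentication no
HostbasedAuthentication yes
IgnoreUserKnownHosts yes
ChallengeResponseAuthentication no
"""
# Constructed client /etc/ssh/ssh_config with everything still commented out.
CLIENT_SSH_CONFIG = """\
# Host *
#   HostbasedAuthentication no
#   EnableSSHKeysign no
"""
SERVER_HOSTS_EQUIV = "CLIENT\n"
SERVER_KNOWN_HOSTS = "CLIENT ssh-rsa AAAAconstructedkey\n"

def parse_config(text):
    """Map lowercased keyword -> value; the first occurrence wins, as in OpenSSH."""
    opts = {}
    for line in text.splitlines():
        parts = line.strip().replace("=", " ", 1).split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            opts.setdefault(parts[0].lower(), parts[1].strip().lower())
    return opts

def host_names(text):
    """Names in the first column (known_hosts allows a comma-separated list)."""
    rows = [l.split() for l in text.splitlines() if l.strip() and not l.startswith("#")]
    return {name for row in rows for name in row[0].split(",")}

def audit(sshd_text, ssh_text, equiv_text, known_text, client):
    """List the prerequisites still missing for host-based login from client."""
    sshd, ssh = parse_config(sshd_text), parse_config(ssh_text)
    missing = []
    if sshd.get("hostbasedauthentication", "no") != "yes":
        missing.append("server sshd_config: HostbasedAuthentication yes")
    if ssh.get("hostbasedauthentication", "no") != "yes":
        missing.append("client ssh_config: HostbasedAuthentication yes")
    if ssh.get("enablesshkeysign", "no") != "yes":  # global ssh_config only
        missing.append("client ssh_config: EnableSSHKeysign yes")
    if client not in host_names(equiv_text):
        missing.append("server hosts.equiv or shosts.equiv: client name")
    if client not in host_names(known_text):
        missing.append("server ssh_known_hosts: client host key")
    return missing

if __name__ == "__main__":
    print("\n".join(audit(SERVER_SSHD_CONFIG, CLIENT_SSH_CONFIG,
                          SERVER_HOSTS_EQUIV, SERVER_KNOWN_HOSTS, "CLIENT")))
```

The audit only compares configuration text; it does not check file permissions or hashed known_hosts entries.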