From: Julian Cowley
Date: Mon, 18 Oct 2004 07:41:19 -1000
To: freebsd-hackers@freebsd.org
Subject: Re: [Hackers] passwordless ssh logins with shared _HOST_ keys - not working.

On 17 Oct, 2004, at 13:48, Joe Schmoe wrote:

> (I have asked this several times on -questions and gotten nothing ...)
>
> I am trying to allow _all users_ on CLIENT to login to SERVER without a password.
>
> IMPORTANT: I am not interested in user keys _at all_ - at no point in this process should I ever be dealing with any keys in /home/user/.ssh - I am only interested in doing this with HOST keys - where I copy one key between SERVER and CLIENT, and _all_ users on CLIENT can login to SERVER without a password. Don't even mention user keys.
>
> My /etc/sshd/sshd_config is exactly the same on both SERVER and CLIENT:
>
> #VersionAddendum FreeBSD-20020629
>
> #Port 22
> #Protocol 2,1
> #ListenAddress 0.0.0.0
> #ListenAddress ::
>
> # Authentication:
>
> IgnoreRhosts yes
> #RhostsRSAAuthentication no
> HostbasedAuthentication yes
> IgnoreUserKnownHosts yes
>
> ChallengeResponseAuthentication no

If you are using OpenSSH 3.6 or later, turn on the EnableSSHKeysign option (see ssh-keysign for more information). Also, make sure your forward and reverse DNS is correct on both the client and the server.

> Further, SERVER has CLIENT in its /etc/hosts.equiv, and CLIENT has SERVER in its /etc/hosts.equiv
>
> Finally, I have run:
>
> ssh-keyscan SERVER >> /etc/ssh/ssh_known_hosts
>
> on the CLIENT, and run:
>
> ssh-keyscan CLIENT >> /etc/ssh/ssh_known_hosts
>
> on the SERVER. So the keys are properly shared.
>
> The permissions on /etc/ssh/known_hosts on each system are:
>
> 2 -rw-r--r-- 1 root wheel
>
> So that's it. The options are set in sshd_config, the keys have been exchanged, hosts.equiv are populated and permissions are correct.
>
> So now I go to CLIENT and run:
>
> ssh user@SERVER
>
> and I get a password prompt!!!
>
> So what am I doing wrong? Again - NO user keys are used and I am not interested in user keys _AT ALL_. Don't even mention the /home/user/.ssh directory. The goal here is to share one public key between SERVER and CLIENT and allow _all_ users on CLIENT to log into SERVER without a password.
>
> So what am I doing wrong?
>
> thanks.
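An added check, not code from this thread, that audits the pieces the reply above points at: EnableSSHKeysign and the client-side HostbasedAuthentication belong in ssh_config (read by ssh(1)), not sshd_config, and the server needs the client's host key in the system-wide ssh_known_hosts plus matching forward and reverse DNS. File paths are parameters, the hostnames CLIENT/SERVER and the sample files in `demo` are constructed, and the `host` command is assumed to be available for the DNS check.

```shell
#!/bin/sh
# Added example (not from the thread): audit host-based auth prerequisites.
# Paths are passed in so it runs against constructed copies or /etc/ssh files.

# Print the effective value of KEYWORD in an OpenSSH config file: the first
# uncommented occurrence wins, as in OpenSSH (Host/Match blocks not handled).
cfg_value() {                      # $1 = config file, $2 = keyword
    awk -v key="$2" 'tolower($1) == tolower(key) { print tolower($2); exit }' "$1"
}

# Client side: both options live in ssh_config, not sshd_config. Without
# EnableSSHKeysign, ssh(1) never runs ssh-keysign to sign with the host key.
check_client() {                   # $1 = ssh_config path
    rc=0
    for kw in HostbasedAuthentication EnableSSHKeysign; do
        [ "$(cfg_value "$1" "$kw")" = yes ] || { echo "client: $kw is not 'yes' in $1"; rc=1; }
    done
    return $rc
}

# Server side: sshd must accept host-based auth, and the client's host key (as
# written by ssh-keyscan, unhashed) must be in the system-wide known hosts file.
check_server() {                   # $1 = sshd_config, $2 = ssh_known_hosts, $3 = client hostname
    rc=0
    [ "$(cfg_value "$1" HostbasedAuthentication)" = yes ] || { echo "server: HostbasedAuthentication is not 'yes' in $1"; rc=1; }
    grep -q "^$3[ ,]" "$2" || { echo "server: no host key for $3 in $2"; rc=1; }
    return $rc
}

# Forward and reverse DNS must agree, or sshd refuses the host-based attempt.
# Needs a resolver and the host(1) tool, so the offline demo does not call it.
check_dns() {                      # $1 = hostname as listed in hosts.equiv
    addr=$(host "$1" | awk '/has address/ { print $4; exit }')
    [ -n "$addr" ] || { echo "dns: no A record for $1"; return 1; }
    back=$(host "$addr" | awk '/domain name pointer/ { sub(/\.$/, "", $5); print $5; exit }')
    [ "$back" = "$1" ] || { echo "dns: $1 -> $addr -> ${back:-?} (mismatch)"; return 1; }
}

# Offline demo with constructed files mirroring the poster's setup: sshd_config
# is right on both hosts, but ssh_config was never touched, so the client fails.
demo() {
    d=$(mktemp -d) || return 1
    printf 'HostbasedAuthentication yes\nIgnoreUserKnownHosts yes\n' > "$d/sshd_config"
    printf '#   EnableSSHKeysign no\n' > "$d/ssh_config"
    printf 'CLIENT ssh-rsa AAAAB3constructedkey==\n' > "$d/ssh_known_hosts"
    check_server "$d/sshd_config" "$d/ssh_known_hosts" CLIENT && echo "server side ok"
    check_client "$d/ssh_config"; rc=$?
    rm -rf "$d"; return $rc
}
```

Run `demo` to see the constructed failure, or call `check_client /etc/ssh/ssh_config` and `check_dns CLIENT` on the real hosts.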