ssh hostbased authentication (passwordless)

All Forums >> [SFU / Interix / SUA Technology] >> Tools Discussion Forum >> ssh hostbased authentication (passwordless) Page: [1]
ssh hostbased authentication (passwordless) - Apr. 18, '06, 2:26:36 PM   
Ron

 

Posts: 77
Joined: May 21, '03,
Status: offline
Here is yet another ssh question

I'm trying to set up hostbased authentication between two hosts, one SUA (Win2003 R2), the other UNIX.

I can log into from one to the other without any problem using either password or publickey authentication. I'm trying to setup host based passwordless login since we have many users and setting up and maintaining publickey authentication for each user would be a real pain.

Openssh 4.3 was installed via pkg_update and is being started up by init from /etc/rc2.d and the sshd user is the local administrator (UID 197108). Here's the catch, the home directories of the SUA users are on a network drive.

A couple of thoughts:
1) is there an option to disable checking of the home directory? The checking of the directory could happen after sshd has completed the authentication.
2) would running sshd as the domain user help since this user has access to every home directory?

Here is the verbose output from ssh (run from the UNIX host):
quote:

$ ssh -v cpgdevnet
OpenSSH_4.0p1, OpenSSL 0.9.7g 11 Apr 2005
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to cpgdevnet [10.129.22.10] port 22.
debug1: Connection established.
debug1: identity file /u/users/rmacneil/.ssh/identity type -1
debug1: identity file /u/users/rmacneil/.ssh/id_rsa type 1
debug1: identity file /u/users/rmacneil/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.0
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'cpgdevnet' is known and matches the RSA host key.
debug1: Found key in /u/users/rmacneil/.ssh/known_hosts:19
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug1: Next authentication method: hostbased
debug1: Remote: Rhosts authentication refused for RMacNeil: no home directory /net/cslrhdata/users/RMacNeil
debug1: Authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug1: Remote: Rhosts authentication refused for RMacNeil: no home directory /net/cslrhdata/users/RMacNeil
debug1: Authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug1: No more client hostkeys for hostbased authentication.
debug1: Next authentication method: publickey
debug1: Trying private key: /u/users/rmacneil/.ssh/identity
debug1: Offering public key: /u/users/rmacneil/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug1: Trying private key: /u/users/rmacneil/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug1: Next authentication method: password
rmacneil@cpgdevnet's password:
Post #: 1
RE: ssh hostbased authentication (passwordless) - Apr. 18, '06, 2:44:52 PM   
Rodney

 

Posts: 3728
Joined: Jul. 9, '02,
From: /Tools lab
Status: offline
The whole network access thing was resolved quite a while ago
(I think about 18 months ago now) for when the ~/.ssh directory is accessed.
The daemon must run as local Administrator to have the "root" powers.

quote:

I'm trying to setup host based passwordless login since we have many users and setting up and maintaining publickey authentication for each user would be a real pain.

Exactly how are you trying to do this? By the ".rhosts" file?
I may have this explicitly turned off in my build since it's ranked as dangerous.

(in reply to Ron)
Post #: 2
RE: ssh hostbased authentication (passwordless) - Apr. 18, '06, 3:14:47 PM   
Ron

 

Posts: 77
Joined: May 21, '03,
Status: offline
Yup, as I mentioned the daemon is running as local Admin. And I do realise that you've addressed the network access of ~/.ssh a while ago, that's why I noted that I can log in using password or publickey auth. without problem with the net home directories, but I think there is something missing when it comes to hostbased auth.

Hostbased authentication is analogous to rsh's /etc/hosts.equiv and ~/.rhosts.
Hostbased auth. is considered safe so long as you trust that the authentication that was first performed by the client can be trusted by the server. Compared to the alternative (rsh with hosts.equiv) it is definitely better.

Setup info can be found here:
http://www.snailbook.com/faq/trusted-host-howto.auto.html
http://www.omega.telia.net/vici/openssh/

I'm not sure if I missed any steps below...

On the client side set up the following:
1) make the ssh_config (often found under /usr/local/etc) look like this:
Host *
  HostbasedAuthentication yes
  EnableSSHKeysign yes


On the server side set up the following:
1) set the following in sshd_config and restart sshd
HostbasedAuthentication yes

2) in /etc/hosts.equiv put the hostname of the client
3) generate ssh_known_hosts2 as follows:
ssh-keyscan -t rsa -f /etc/hosts.equiv >/usr/local/etc/ssh_known_hosts2

(in reply to Rodney)
Post #: 3
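As an added example (not code from this thread or from the /Tools project), here is a small Python checker for the server-side half of the steps listed above. It reads the three files those steps touch as text (sshd_config, /etc/hosts.equiv and the ssh_known_hosts file that ssh-keyscan produces) and reports anything that would stop sshd from offering and completing hostbased authentication. It assumes stock OpenSSH parsing rules (keywords are case-insensitive, the first occurrence of a keyword wins, '#' starts a comment, a known_hosts hostname field may hold a comma-separated list of names and addresses); the sample file contents and hostnames are constructed and are not the poster's. One point the checker encodes that the thread's later question about IgnoreRhosts touches on: IgnoreRhosts only disables per-user ~/.rhosts and ~/.shosts, so /etc/hosts.equiv (and /etc/ssh/shosts.equiv) are consulted whatever it is set to.

```python
"""Audit the server side of an OpenSSH hostbased-authentication setup.

Added example, not code from the thread or the /Tools project. All
sample inputs below are constructed for illustration.
"""
import re

# Constructed sample files (not a real host's configuration).
SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config fragment
Port 22
HostbasedAuthentication yes
IgnoreRhosts no
HostbasedAuthentication no   # ignored by sshd: first occurrence wins
"""
SAMPLE_HOSTS_EQUIV = """\
unixhost.example.test
buildbox.example.test
"""
SAMPLE_KNOWN_HOSTS = """\
unixhost.example.test,192.0.2.10 ssh-rsa AAAAB3NzaC1yc2E-CONSTRUCTED-KEY
"""


def parse_sshd_config(text):
    """Return {lowercase keyword: value}, keeping the first occurrence of
    each keyword as sshd(8) does. Match blocks are not modelled."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        if len(parts) != 2:
            continue
        opts.setdefault(parts[0].lower(), parts[1].strip())
    return opts


def parse_hosts_equiv(text):
    """Return the entries of hosts.equiv, lowercased: hostnames, a bare '+'
    wildcard, '-host' negations or '@netgroup' references. Comments are dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            entries.append(line.split()[0].lower())
    return entries


def parse_known_hosts(text):
    """Map each plain hostname/IP in a known_hosts file to its key types.
    Hashed (|1|...) and marker (@...) lines cannot be matched by name here."""
    keys = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "|1|", "@")):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        for name in fields[0].split(","):
            keys.setdefault(name.lower(), set()).add(fields[1])
    return keys


def audit_hostbased(sshd_config, hosts_equiv, known_hosts):
    """Return a list of findings; an empty list means the three files are
    consistent with hostbased authentication being offered and usable."""
    findings = []
    opts = parse_sshd_config(sshd_config)
    if opts.get("hostbasedauthentication", "no").lower() != "yes":
        findings.append("HostbasedAuthentication is not 'yes' in sshd_config")
    if opts.get("ignorerhosts", "yes").lower() == "no":
        # Advisory: hosts.equiv does not need this; it only re-enables ~/.rhosts.
        findings.append("IgnoreRhosts no: per-user ~/.rhosts and ~/.shosts are honoured; "
                        "the default 'yes' is enough for /etc/hosts.equiv")
    entries = parse_hosts_equiv(hosts_equiv)
    if "+" in entries:
        findings.append("hosts.equiv contains '+', which trusts every client host")
    hosts = [e for e in entries if not e.startswith(("+", "-", "@"))]
    if not hosts:
        findings.append("hosts.equiv lists no client hosts")
    keys = parse_known_hosts(known_hosts)
    for host in hosts:
        if host not in keys:
            findings.append(f"no host key for {host} in ssh_known_hosts (rerun ssh-keyscan)")
    return findings


if __name__ == "__main__":
    for finding in audit_hostbased(SAMPLE_SSHD_CONFIG, SAMPLE_HOSTS_EQUIV, SAMPLE_KNOWN_HOSTS):
        print("-", finding)
```

On the constructed sample the checker reports two things: IgnoreRhosts is set to no, and buildbox.example.test is trusted in hosts.equiv but has no key in ssh_known_hosts, so sshd could never verify a hostbased request from it. It checks files only; the client-side requirements (HostbasedAuthentication and EnableSSHKeysign in ssh_config, and a setuid-root ssh-keysign that can read the client's host private key) and the home-directory check that the thread is actually stuck on are outside its scope.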
RE: ssh hostbased authentication (passwordless) - Apr. 18, '06, 3:27:11 PM   
Rodney

 

Posts: 3728
Joined: Jul. 9, '02,
From: /Tools lab
Status: offline
I'll try setting it up and testing it here (that'll be a little while though).

(in reply to Ron)
Post #: 4
RE: ssh hostbased authentication (passwordless) - Apr. 18, '06, 6:36:32 PM   
Rodney

 

Posts: 3728
Joined: Jul. 9, '02,
From: /Tools lab
Status: offline
What did you set "IgnoreUserKnownHosts" and "IgnoreRhosts" as?

(in reply to Rodney)
Post #: 5
RE: ssh hostbased authentication (passwordless) - Apr. 19, '06, 5:28:04 AM   
Rodney

 

Posts: 3728
Joined: Jul. 9, '02,
From: /Tools lab
Status: offline
The network disk access fix was for when a password is supplied.
With the rhosts method, of course, there is no password given.
So the daemon cannot "be the user" to get the network access to read
the rhosts file. When the disk/HOME is local to the machine there is no
problem. Sshd does insist that the usernames match (unlike rsh).

To go back to your original questions:
1) Wouldn't work since to create a network-enabled token a password is needed.
2) Same as (1), but just delayed because the end token would have no network access.

I might be able to make some changes that would leverage off regpwd.
That would involve each user logging into the target machine at least once
by password and running regpwd. Does that seem acceptable?
(No guarantees since I haven't tried this, but it's an idea).

(in reply to Rodney)
Post #: 6
RE: ssh hostbased authentication (passwordless) - Apr. 19, '06, 9:46:16 AM   
Ron

 

Posts: 77
Joined: May 21, '03,
Status: offline
>What did you set "IgnoreUserKnownHosts" and "IgnoreRhosts" as?

I tried them set as 'yes' and 'no', with no difference unfortunately.

I need to take a moment to clarify my original question #2 since I mis-typed it (oops); what I meant to ask was:
2) would running sshd as the domain _administrator_ (not user) help since this user has access to every home directory?
I think your answer would still be no, though perhaps for different reasons. I can think of a couple: it is still possible that the domain admin would not have access to the user's home directory, which is unlike UNIX where root has access to every directory regardless of ownership or access permissions, and secondly many administrators probably would not like to have their sshd daemon running as domain admin even if it did have the possibility of getting hostbased authentication to work.

So that leaves us with your idea of leveraging regpwd. It is an interesting one, one that seems most acceptable. It wouldn't be any more work to set up than it is for rshd.

Ron

(in reply to Rodney)
Post #: 7
RE: ssh hostbased authentication (passwordless) - Apr. 19, '06, 12:26:00 PM   
Rodney

 

Posts: 3728
Joined: Jul. 9, '02,
From: /Tools lab
Status: offline
> I need to take a moment to clarify my original question #2 ...

Still doesn't make a difference by the end of it.
Running as a user with network access (doesn't matter which) could access
the network drive. Assume, to be optimistic, this user could read the
".rhosts" file and the request is validated: the user token is going
to be created without a password which means no network access. The
running user process is now not allowed access to HOME. Different paths
to the same result.

(in reply to Ron)
Post #: 8
RE: ssh hostbased authentication (passwordless) - Apr. 28, '06, 4:52:27 AM   
gzfh4t

 

Posts: 5
Joined: Dec. 1, '05,
Status: offline
We have managed to perform passwordless ssh but with no resulting network access, I guess due to the issue mentioned by Rodney.

From a Solaris box, the user can access the Windows machine via HostbasedAuthentication, and doesn't need to supply a password. Unfortunately, once logged on to the Windows box, the user isn't able to access any network locations, even though the uid is correct for that user. If I subsequently su to the same user within the ssh session, then everything works fine, and all network connections are accessible.

We tried running the sshd daemon as the domain administrator, but kept receiving "openpty: permission denied" error messages, which prevented passwordless connections. The sshd daemon only seems to work properly when run as the localadmin account.

(in reply to Rodney)
Post #: 9