OpenSSH Hostbased Authentication


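SSH supports many authentication methods. Running ssh -oPreferredAuthentications=none host shows which methods the server supports; the output looks something like this:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password,hostbased).
Seeing Permission denied here is normal.
The more common methods are password and publickey. hostbased is used less often, probably because the need for it has declined, and it is not enabled by default in sshd_config.
hostbased authentication is meant for the case where many users on Host C all need to connect to Host S without a password. Once the administrator has set it up,
Host C users can ssh directly to Host S (under the same account name).
Environment: Host C's hostname is host-c, Host S's hostname is host-s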

Client /etc/ssh/ssh_config
HostbasedAuthentication yes
EnableSSHKeysign yes
Client /etc/hosts
192.168.0.6 host-c
Add the client's own IP-to-hostname mapping; without it you get get_socket_address: getnameinfo 8 failed: Name or service not known

Server sshd_config
HostbasedAuthentication yes
HostbasedUsesNameFromPacketOnly yes
IgnoreRhosts no # if root should also be able to log in
Server /etc/ssh/ssh_known_hosts: this file must contain the client's /etc/ssh/ssh_host_rsa_key.pub
ssh-keyscan host-c >> /etc/ssh/ssh_known_hosts
Edit /etc/ssh/ssh_known_hosts
Add host-c in front of Host C's IP. This is important: hostbased matches on the hostname, and without it the key will not be found
host-c,192.0.2.102 ssh-rsa AAAAB3NzaC1yc2EAAAABIw ... qqU24CcgzmM=
Server /etc/ssh/shosts.equiv
Add host-c
If root should also be able to log in, add host-c to /root/.shosts
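
An added example (not from the original post): a small POSIX shell check for the two server-side files above. It confirms that the client's name appears in the host field of ssh_known_hosts and in shosts.equiv. The function names and sample files are constructed for illustration, and the key blobs are placeholders.

```shell
#!/bin/sh
# Added example: server-side sanity check for the hostbased setup above.
# Paths are arguments so the check can run on copies of the real files.

# Succeeds if NAME ($1) is in the comma-separated host field of FILE ($2).
# Comment, marker (@...) and hashed (|1|...) lines are skipped.
known_hosts_has_name() {
    awk -v name="$1" '
        NF == 0 || $1 ~ /^[#@|]/ { next }
        { n = split($1, h, ","); for (i = 1; i <= n; i++) if (h[i] == name) found = 1 }
        END { exit !found }
    ' "$2"
}

# Succeeds if NAME ($1) is the first field of a line in shosts.equiv ($2).
shosts_equiv_has_name() {
    awk -v name="$1" 'NF && $1 !~ /^#/ && $1 == name { found = 1 } END { exit !found }' "$2"
}

# Prints one line per problem; returns the number of problems found.
check_hostbased() {
    problems=0
    known_hosts_has_name "$1" "$2" || { echo "$1: no key listed under this name in $2"; problems=$((problems + 1)); }
    shosts_equiv_has_name "$1" "$3" || { echo "$1: not listed in $3"; problems=$((problems + 1)); }
    return "$problems"
}

# Constructed sample files (key blobs are placeholders, not real keys).
make_samples() {
    printf '%s\n' '192.0.2.102 ssh-rsa AAAAPLACEHOLDER=' > "$1/known_hosts.ip_only"
    printf '%s\n' 'host-c,192.0.2.102 ssh-rsa AAAAPLACEHOLDER=' > "$1/known_hosts.fixed"
    printf '%s\n' '# trusted clients' 'host-c' > "$1/shosts.equiv"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
# IP-only entry: the name lookup fails, which is the case the post warns about.
check_hostbased host-c "$demo_dir/known_hosts.ip_only" "$demo_dir/shosts.equiv" || echo "-> $? problem(s)"
# Entry with host-c prepended: both checks pass.
check_hostbased host-c "$demo_dir/known_hosts.fixed" "$demo_dir/shosts.equiv" && echo "-> ok"
```

On a real server, pass /etc/ssh/ssh_known_hosts and /etc/ssh/shosts.equiv as the file arguments.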

About this Entry

This page contains a single entry by Pank published on June 8, 2016 1:15 AM.
