Re: ssh version 3.4p1-1 and RSA authentication
On Thursday, 21 November 2002 13:42 +0100, Fabrice Yerly wrote:
> > I think you need 3 things set to enable this authentication method :
> > - Have "RhostsRSAAuthentication yes" in /etc/ssh/ssh_config on the
> > client.PublicKeyAuthentication
> > - Have "RhostsRSAAuthentication yes" in /etc/ssh/sshd_config on the
> > server.
> > - Have /usr/lib/ssh-keysign with the setuid bit set. You can achieve
> > this by answering yes to the question with "dpkg-reconfigure ssh".
> >
> The 3 steps are done. To avoid too many conflicts, I set
> PublicKeyAuthentication to off. The message given by ssh -v now no longer tries
> to use PublicKey, but it still doesn't work...
>
> /usr/lib/ssh-keysign with the setuid bit set OK.
First, I'm really stupid :) For host-based authentication with protocol
2, it's not "RhostsRSAAuthentication yes" but
"HostbasedAuthentication yes" in both ssh_config and sshd_config...
Sorry.
Second, I did a few tests, and on my test systems, to get it to work,
it seems I have to also make the ssh binary setuid... I don't
understand this problem. I thought that it was needed only for protocol
1. And I don't know the security implications of doing this...
So you need to :
- Copy all the public dsa or rsa keys in /etc/ssh/ssh_known_hosts.
- Edit /etc/ssh/ssh_known_hosts to add the FQDN of each node in front
of the key.
- Add the nodes in /etc/ssh/shosts.equiv.
- Have "RhostsRSAAuthentication yes" in /etc/ssh/ssh_config on the
client.
- Have "HostbasedAuthentication yes" in /etc/ssh/sshd_config on the
server.
- Have /usr/lib/ssh-keysign with the setuid bit set. You can achieve
this by answering yes to the question with "dpkg-reconfigure ssh".
- Have /usr/bin/ssh with the setuid bit set.
It seems to be working on my test system with such a configuration.
--
Alexandre Vitrac ,''`.
CS-SI : :' :
OpenPGP key ID : C03A7DFE `. `'
`-
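The checklist in the message above is easy to get half right (the wrong keyword in one file, a known_hosts line without the FQDN in front, a node in shosts.equiv with no key). The following POSIX sh script is an added example, not part of the thread or of the ssh package: it audits those prerequisites against a directory tree whose root is passed as a parameter, so it can be run against "/" or against a constructed test tree. The sample tree built by make_demo_tree, the hostnames node1.example.org and node2.example.org and the key blobs in it are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original thread): audit the host-based
# authentication prerequisites listed in the message against a tree
# rooted at ROOT. Paths below ROOT follow the message: /etc/ssh/*,
# /usr/lib/ssh-keysign, /usr/bin/ssh.

# config_has FILE KEYWORD VALUE -> 0 if FILE has an uncommented "KEYWORD VALUE"
# line (keywords are case-insensitive in ssh_config/sshd_config)
config_has() {
    grep -Eiq "^[[:space:]]*$2[[:space:]]+$3([[:space:]]|$)" "$1" 2>/dev/null
}

# is_setuid FILE -> 0 if FILE exists and has the setuid bit
is_setuid() {
    [ -u "$1" ]
}

# known_host_has FILE FQDN -> 0 if FILE has a plain (unhashed) key line whose
# comma-separated host field contains FQDN exactly
known_host_has() {
    esc=$(printf '%s' "$2" | sed 's/[.]/\\./g')   # literal dots in the FQDN
    grep -Eq "^([^[:space:],]+,)*$esc(,[^[:space:],]+)*[[:space:]]+(ssh-rsa|ssh-dss)[[:space:]]" \
        "$1" 2>/dev/null
}

# check DESCRIPTION COMMAND... -> prints one status line, counts failures in $fails
check() {
    desc=$1; shift
    if "$@"; then
        echo "ok       $desc"
    else
        echo "MISSING  $desc"; fails=$((fails + 1))
    fi
}

# audit_hostbased ROOT -> returns the number of missing prerequisites
# (0 means everything the message lists is present)
audit_hostbased() {
    root=$1; fails=0
    check "HostbasedAuthentication yes in sshd_config (server)" \
        config_has "$root/etc/ssh/sshd_config" HostbasedAuthentication yes
    check "HostbasedAuthentication yes in ssh_config (client)" \
        config_has "$root/etc/ssh/ssh_config" HostbasedAuthentication yes
    check "setuid bit on /usr/lib/ssh-keysign" is_setuid "$root/usr/lib/ssh-keysign"
    check "/etc/ssh/shosts.equiv present" [ -r "$root/etc/ssh/shosts.equiv" ]
    # every node in shosts.equiv needs a host key line keyed by its FQDN
    if [ -r "$root/etc/ssh/shosts.equiv" ]; then
        while read -r node; do
            case $node in ''|'#'*) continue ;; esac
            check "host key for $node in ssh_known_hosts" \
                known_host_has "$root/etc/ssh/ssh_known_hosts" "$node"
        done < "$root/etc/ssh/shosts.equiv"
    fi
    # the message reports also needing ssh itself setuid; report it, don't require it
    if is_setuid "$root/usr/bin/ssh"; then
        echo "note     /usr/bin/ssh is setuid"
    else
        echo "note     /usr/bin/ssh is not setuid"
    fi
    return $fails
}

# make_demo_tree DIR -> builds a constructed tree that satisfies every check
make_demo_tree() {
    mkdir -p "$1/etc/ssh" "$1/usr/lib" "$1/usr/bin"
    printf '# constructed sample\nHostbasedAuthentication yes\n' > "$1/etc/ssh/sshd_config"
    printf 'Host *\n    HostbasedAuthentication yes\n' > "$1/etc/ssh/ssh_config"
    printf 'node1.example.org\nnode2.example.org\n' > "$1/etc/ssh/shosts.equiv"
    {
        printf 'node1.example.org,10.0.0.1 ssh-rsa CONSTRUCTEDKEYBLOB1\n'
        printf 'node2.example.org ssh-dss CONSTRUCTEDKEYBLOB2\n'
    } > "$1/etc/ssh/ssh_known_hosts"
    : > "$1/usr/lib/ssh-keysign"; chmod 4755 "$1/usr/lib/ssh-keysign"
    : > "$1/usr/bin/ssh";         chmod 0755 "$1/usr/bin/ssh"
}

# Demo on a constructed tree (not a real system); use "audit_hostbased /" on a host
demo=$(mktemp -d)
make_demo_tree "$demo"
missing=0
audit_hostbased "$demo" || missing=$?
echo "missing prerequisites: $missing"
rm -rf "$demo"
```

Run it as-is to see the demo, or source it and call `audit_hostbased /` on the client or server being set up; each MISSING line names the file and keyword to fix, and a node listed in shosts.equiv without a matching FQDN-keyed line in ssh_known_hosts shows up as its own failure.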