OpenSSH: How to do RhostsRSAAuthentication?
Hi,
please help before I tear my hair out. I'm trying to get
RhostsRSAAuthentication to work. What I want is to be able to ssh
between the machines on my home network without having to supply a
passphrase/-word (also supplying it once with ssh-agent I'd like to
avoid). The docs I've found on OpenSSH don't say much about this special
method, but from what I gleaned from them, RhostsRSAAuthentication would
give me what I want. However, since the info is scarce, I'm not even
sure if it in fact does what I think it does. Although I'm on a rather
secure home network I don't want to use RhostsAuthentication, since I
want to learn how to configure OpenSSH properly, and rhosts-only
authentication is insecure. Also, there's always the possibility that
one time I'll allow ssh access from my external interface, and I don't
want to have to reconfigure it then. In any case, if I set
"RhostsAuthentication yes" in sshd_config it doesn't work either.
This is what I've done:
I've generated the host keys with
root@ONE:/etc/ssh# ssh-keygen -t dsa -f ssh_host_dsa_key (with empty
passphrase)
(now send ONE's /etc/ssh/ssh_host_dsa_key.pub to root@TWO)
root@TWO:~# mv ssh_host_dsa_key.pub /etc/ssh/ssh_known_hosts2
I did this for the other host, too. Then I prepared
/etc/ssh/ssh_known_hosts2 on both hosts by adding the hostname field as
described in man sshd (SSH_KNOWN_HOSTS FILE FORMAT).
I've also generated user keys and distributed them
user@TWO:~/.ssh$ ssh-keygen -t dsa
(now send ~/.ssh/id_dsa.pub to user@ONE)
user@ONE:~$ mv id_dsa.pub .ssh/authorized_keys2
(and vice versa)
This is my config:
root@ONE:/etc/ssh# cat sshd_config
(excerpt)
Protocol 2,1
HostKey /etc/ssh/ssh_host_dsa_key
IgnoreRhosts yes
IgnoreUserKnownHosts yes
RhostsAuthentication no
RhostsRSAAuthentication yes
RSAAuthentication yes
PasswordAuthentication yes
root@TWO:/etc/ssh# cat ssh_config
(excerpt)
Host ONE
RhostsAuthentication no
RhostsRSAAuthentication yes
RSAAuthentication yes
PasswordAuthentication yes
FallBackToRsh no
UseRsh no
IdentityFile ~/.ssh/id_dsa
Protocol 2,1
root@ONE:/etc# cat hosts.equiv
+TWO
root@ONE:/etc# ls -l hosts.equiv
-rw-r--r-- 1 root root 13 Apr 20 12:17 ../hosts.equiv
root@TWO:/etc# cat hosts.equiv
+ONE
root@TWO:/etc# ls -l hosts.equiv
-rw-r--r-- 1 root root 13 Apr 20 12:18 ../hosts.equiv
Now I can ssh from TWO to ONE, and the host is already known to ssh,
although there is no ~/.ssh/known_hosts2. Therefore I think that the
host keys work. However, I still get asked for authentication:
user@TWO:~$ ls .ssh
authorized_keys2 id_dsa id_dsa.pub
user@TWO:~$ ssh ONE
Enter passphrase for key '/home/user/.ssh/id_dsa':[Enter]
user@ONE's password:[Enter]
Permission denied, please try again.
user@ONE's password:[Enter]
Permission denied, please try again.
user@ONE's password:[Enter]
Permission denied (publickey,password).
user@TWO:~$
It would be very nice if someone reviewed my config and told me if I've
committed mistakes somewhere (I'm afraid I wouldn't see it myself by now,
I'm already a bit dizzy after staring at the config files for hours).
Do I need a /etc/ssh/authorized_keys2, too? That is not mentioned in man
sshd, but still.
Any input is greatly appreciated.
--
I did not vote for the Austrian government
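The setup walked through in the post has several server-side prerequisites; as an added example, not from the original post or from OpenSSH, the following POSIX shell diagnostic checks them against constructed files or a real /etc/ssh. It assumes literal hostnames in hosts.equiv and ssh_known_hosts (the only form the post uses) and relies on the fact that RhostsRSAAuthentication is a protocol 1 method, so the trusted host key it needs is an RSA1 key (by default /etc/ssh/ssh_host_key), not the ssh_host_dsa_key the post distributes.

```shell
#!/bin/sh
# Added diagnostic (not from the original post): checks the server-side
# prerequisites sshd needs before RhostsRSAAuthentication can accept a
# client host. Paths are parameters so it runs against constructed files
# as well as a real /etc/ssh. Hostnames are matched literally, which is
# all the setup in the post uses (no wildcard patterns).
#
# usage: check_hostbased <client-host> <hosts.equiv> <ssh_known_hosts>
# exits 0 when every check passes, 1 otherwise; each failure is printed.

check_hostbased() {
    client="$1"; equiv="$2"; known="$3"; rc=0
    for f in "$equiv" "$known"; do
        [ -r "$f" ] || { echo "FAIL: cannot read $f"; return 1; }
    done

    # 1. hosts.equiv (or shosts.equiv) must name the client host.
    if ! grep -E -q "^\\+?${client}([[:space:]]|\$)" "$equiv"; then
        echo "FAIL: $client is not listed in $equiv"; rc=1
    fi

    # 2. Hygiene: a group- or world-writable trust file lets any local
    #    account add hosts that are then trusted without a password.
    mode=$(ls -ld "$equiv" | cut -c1-10)
    case "$mode" in
        ?????w*|????????w*) echo "FAIL: $equiv is writable by group/others ($mode)"; rc=1 ;;
    esac

    # 3. ssh_known_hosts must hold the client's host key under a hostname
    #    field that contains the client name. RhostsRSAAuthentication is a
    #    protocol 1 method, so that key must be an RSA1 key (numeric bit
    #    count in the 2nd field); an ssh-dss/ssh-rsa line is a protocol 2
    #    key and is never used by it.
    status=0
    awk -v h="$client" '
        /^#/ || NF < 3 { next }
        { n = split($1, names, ",")
          for (i = 1; i <= n; i++)
              if (names[i] == h) { found = 1; if ($2 ~ /^[0-9]+$/) rsa1 = 1 } }
        END { if (!found) exit 1; if (!rsa1) exit 2 }' "$known" || status=$?
    case $status in
        1) echo "FAIL: no host key for $client in $known"; rc=1 ;;
        2) echo "FAIL: $known has only a protocol 2 key for $client; RhostsRSAAuthentication needs an RSA1 host key"; rc=1 ;;
    esac
    return $rc
}

# run as a script: check_hostbased.sh TWO /etc/hosts.equiv /etc/ssh/ssh_known_hosts
case $# in 3) check_hostbased "$@" ;; esac
```

The client side is not covered here: the ssh client must be able to read its own host private key (setuid root in OpenSSH of that era, ssh-keysign in later releases), or the host part of the authentication never happens.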