
Re: OpenSSH: How to do RhostsRSAAuthentication?



I read your procedure and it sounds right.  Here's mine:

This is all from one, and I don't really care what method ssh uses, so
long as it does what I asked, so I am not specifying DSA.

1) ssh-keygen (hit <cr> for the passphrase, ie none, then repeat)
2) scp ~/.ssh/identity.pub user@two:~/.ssh/authorized_keys
<enter password for hopefully the last time>
3) ssh-agent
4) ssh user@two
<no passphrase needed>

If you already have an authorized_keys on two, use the following:

2a) scp ~/.ssh/identity.pub user@two:~/.ssh/foo
<enter password>
2b) ssh user@two "cat ~/.ssh/foo >> ~/.ssh/authorized_keys"
<enter password>
Then remove ~/.ssh/foo off two however you wish to clean up.

Please note we're using a user account.  Debian disallows remote root
logins by policy.  You can override this in /etc/ssh/sshd_config, but I
recommend against it.

On 20 Apr 2001, Mario Vukelic wrote:

>Hi,
>
>please help before I tear my hair out. I'm trying to get
>RhostsRSAAuthentication to work. What I want is to be able to ssh
>between the machines on my home network without having to supply a
>passphrase/-word (also supplying it once with ssh-agent I'd like to
>avoid). The docs I've found on OpenSSH don't say much about this special
>method, but from what I gleaned from them, RhostsRSAAuthentication would
>give me what I want. However, since the info is scarce, I'm not even
>sure if it in fact does what I think it does. Although I'm on a rather
>secure home network I don't want to use RhostsAuthentication, since I
>want to learn how to configure OpenSSH properly, and rhosts-only
>authentication is insecure. Also, there's always the possibility that
>one time I'll allow ssh access from my external interface, and I don't
>want to have to reconfigure it then. In any way, if I set
>"RhostsAuthentication yes" in sshd_config it doesn't work either.
>
>This is what I've done:
>
>I've generated the host keys with
>root@ONE:/etc/ssh# ssh-keygen -t dsa -f ssh_host_dsa_key (with empty
>passphrase)
>(now send ONE's /etc/ssh/ssh_host_dsa_key.pub to root@TWO)
>root@TWO:~# mv ssh_host_dsa_key.pub /etc/ssh/ssh_known_hosts2

AHA!  you're using known_hosts, use authorized_keys.  known_hosts is a
list of hosts you've connected to.  You don't have to do anything to get
an entry in known_hosts: you get one when you first connect.
authorized_keys is where you put DSA keys to do the automagic login...

>I did this for the other host, too. Then I prepared
>/etc/ssh/ssh_known_hosts2 on both hosts by adding the hostname field as
>described in man sshd (SSH_KNOWN_HOSTS FILE FORMAT).
>
>I've also generated user keys and distributed them
>user@TWO:~/.ssh$ ssh-keygen -t dsa
>(now send ~/.ssh/id_dsa.pub to user@ONE)
>user@ONE:~$ mv id_dsa.pub .ssh/authorized_keys2

Why are you appending a 2 to all of these?  Are you trying to use ssh2
authentication or somesuch?  There's no need to add a 2 to them, and it's
probably breaking things.

>(and vice versa)
>
>This is my config:
>root@ONE:/etc/ssh# cat sshd_config
>(excerpt)
>Protocol 2,1
>HostKey /etc/ssh/ssh_host_dsa_key
>IgnoreRhosts yes
>IgnoreUserKnownHosts yes
>RhostsAuthentication no
>RhostsRSAAuthentication yes
>RSAAuthentication yes
>PasswordAuthentication yes
>
>root@TWO:/etc/ssh# cat ssh_config
>(excerpt)
>Host ONE
>RhostsAuthentication no
>RhostsRSAAuthentication yes
>RSAAuthentication yes
>PasswordAuthentication yes
>FallBackToRsh no
>UseRsh no
>IdentityFile ~/.ssh/id_dsa
>Protocol 2,1
>
>root@ONE:/etc# cat hosts.equiv
>+TWO
>root@ONE:/etc# ls -l hosts.equiv
>-rw-r--r-- 1 root root 13 Apr 20 12:17 ../hosts.equiv
>
>root@TWO:/etc# cat hosts.equiv
>+ONE
>root@TWO:/etc# ls -l hosts.equiv
>-rw-r--r-- 1 root root 13 Apr 20 12:18 ../hosts.equiv
>
>Now I can ssh from TWO to ONE, and the host is already known to ssh,
>although there is no ~/.ssh/known_hosts2. Therefore I think that the
>host keys work. However, I still get asked for authentication:
>user@TWO:~$ ls .ssh
>authorized_keys2 id_dsa id_dsa.pub
>user@TWO:~$ ssh ONE
>Enter passphrase for key '/home/user/.ssh/id_dsa':[Enter]
>user@ONE's password:[Enter]
>Permission denied, please try again.
>user@ONE's password:[Enter]
>Permission denied, please try again.
>user@ONE's password:[Enter]
>Permission denied (publickey,password).
>user@TWO:~$
>
>
>It would be very nice if someone reviewed my config and told me if I've
>committed mistakes somewhere (I'm afraid I wouldn't see it myself by now,
>I'm already a bit dizzy after staring at the config files for hours).
>Do I need a /etc/ssh/authorized_keys2, too? That is not mentioned in man
>sshd, but still.
>Any input is greatly appreciated.
>
>

-- 
<a mailto:galt@inconnu.isu.edu>Who is John Galt?</a>

Failure is not an option. It comes bundled with your Microsoft product.
	-- Ferenc Mantfeld
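
Steps 2, 2a and 2b of the reply above, folded into one function to run on two once the public key has been copied there; this is an added example, not part of the original message. The name `install_pubkey` and its arguments are hypothetical; it appends instead of overwriting, skips a key that is already listed, and sets the modes that sshd's StrictModes check expects.

```shell
#!/bin/sh
# install_pubkey PUBKEY_FILE [SSH_DIR]   (hypothetical helper, added example)
# Appends the key in PUBKEY_FILE to SSH_DIR/authorized_keys (default ~/.ssh)
# unless that exact line is already present. The body runs in a subshell so
# the umask change does not leak into the calling shell.
install_pubkey() (
    pub=$1
    dir=${2:-"$HOME/.ssh"}
    auth="$dir/authorized_keys"

    [ -r "$pub" ] || { echo "cannot read $pub" >&2; exit 1; }

    # Refuse private keys: only the .pub half belongs on the server.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "$pub looks like a private key, refusing" >&2
        exit 2
    fi

    # Take the first non-empty line as the key entry.
    key=$(grep -v '^[[:space:]]*$' "$pub" | head -n 1)
    [ -n "$key" ] || { echo "$pub is empty" >&2; exit 1; }

    # With StrictModes (on by default) sshd ignores authorized_keys when the
    # file or its directory is writable by group or others.
    umask 077
    mkdir -p "$dir" && chmod 700 "$dir" || exit 1
    touch "$auth" && chmod 600 "$auth" || exit 1

    # -F fixed string, -x whole line: append only if not already listed.
    if ! grep -qxF -- "$key" "$auth"; then
        printf '%s\n' "$key" >> "$auth"
    fi
)
```

On two this would be called as `install_pubkey ~/.ssh/foo`, after which ~/.ssh/foo can be removed.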


