
Re: SSH host-based auth in a cluster



At 22:55 18/10/2004, you wrote:
On Mon, 2004-10-18 at 17:19, martin f krafft wrote:
> Yes, you read right, I want all the machines in a cluster to trust
> each other, based on SSH keys and IPs. But I am not arriving. This
> is with Sarge and SSHv1 disabled, so only protocol two.
>
> So let's say I have two hosts, .1 and .2. I take the
> ssh_host_rsa_key.pub and put it into the /etc/ssh/ssh_known_hosts
> file on .2. Then I enable HostbasedAuthentication in
> /etc/ssh/sshd_config on .2 and put .1's IP into
> /etc/ssh/shosts.equiv, prefixed with a '+'.
>
> From what I can tell, this is all that I need to do. However, it's
> not working at all. Could anyone help me figure out the problem,
> please?
>

What is it doing to indicate that it is not working?

If it is still prompting you for a password, you could try disabling
challenge response in sshd_config:

ChallengeResponseAuthentication no

-davidc



I had a similar problem using SSH keys to rsync two remote servers, and I found out it was due to gnarly permissions on the users' home/.ssh dirs. Check your auth log for errors:

grep refused /var/log/auth.log

You're looking for a line something like this: Authentication refused: bad ownership or modes for directory

I had to use the ssh-copy-id app to get the keys hither, thither and yon to get the permissions set up properly, which meant I had to temporarily enable password auth in order to share the keys.

If you're worried about security, sshd_config, PAM and hosts.[allow|deny] will enable you to lock your machine down very tightly indeed. One thing I think that is definitely missing from the default sshd_config file provided with Debian is the "AllowGroups" parameter, which I use to kick off any users who aren't members of the "remoteadmin" group.
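One way to run the same ownership and mode checks that sshd's StrictModes applies before it will read a user's authorized_keys, so that the "bad ownership or modes" refusal in auth.log can be traced to the offending path. This is an added shell example, not code from anyone in the thread; the function name and the throwaway home directory it builds are my own construction.

```shell
#!/bin/sh
# ssh_mode_problems HOME_DIR [USER]
#   Prints one line per problem and returns 1 if any were found, 0 otherwise.
#   USER defaults to the invoking user; HOME_DIR is assumed to be that user's
#   home directory (on a real host: $HOME, or the entry from getent passwd).
ssh_mode_problems() {
    home=$1
    user=${2:-$(id -un)}
    rc=0
    # sshd refuses the key file if the home directory, ~/.ssh or
    # ~/.ssh/authorized_keys is group- or world-writable, or is owned by
    # anyone other than the user or root.
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || { echo "missing: $p"; rc=1; continue; }
        ls_line=$(ls -ld "$p")
        mode=$(printf '%s\n' "$ls_line" | cut -c1-10)    # e.g. drwxrwxr-x
        owner=$(printf '%s\n' "$ls_line" | awk '{print $3}')
        case "$mode" in
            # character 6 is the group write bit, character 9 the other write bit
            ?????w*|????????w*) echo "group/world writable: $p ($mode)"; rc=1 ;;
        esac
        if [ "$owner" != "$user" ] && [ "$owner" != root ]; then
            echo "wrong owner: $p (owned by $owner, expected $user)"; rc=1
        fi
    done
    return $rc
}

# Constructed demonstration: a temporary home directory with the classic
# mistake, a group-writable ~/.ssh left behind by a careless copy.
demo_dir=$(mktemp -d)
chmod 755 "$demo_dir"
mkdir -m 775 "$demo_dir/.ssh"
touch "$demo_dir/.ssh/authorized_keys"
chmod 600 "$demo_dir/.ssh/authorized_keys"
ssh_mode_problems "$demo_dir" || echo "problems found, as expected"
chmod 700 "$demo_dir/.ssh"
ssh_mode_problems "$demo_dir" && echo "ok: $demo_dir now passes the checks"
rm -rf "$demo_dir"
```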

