Re: SSH host-based auth in a cluster
At 22:55 18/10/2004, you wrote:
On Mon, 2004-10-18 at 17:19, martin f krafft wrote:
> Yes, you read right, I want all the machines in a cluster to trust
> each other, based on SSH keys and IPs. But I am not arriving. This
> is with Sarge and SSHv1 disabled, so only protocol two.
> So let's say I have two hosts, .1 and .2. I take the
> ssh_host_rsa_key.pub and put it into the /etc/ssh/ssh_known_hosts
> file on .2. Then I enable HostbasedAuthentication in
> /etc/ssh/sshd_config on .2 and put .1's IP into
> /etc/ssh/shosts.equiv, prefixed with a '+'.
> From what I can tell, this is all that I need to do. However, it's
> not working at all. Could anyone help me figure out the problem,
What is it doing to indicate that it is not working?
If it is still prompting you for a password, you could try disabling
challenge response in sshd_config:
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact email@example.com
I had a similar problem using SSH keys to rsync two remote servers, and I
found out it was due to gnarly permissions on the users home/.ssh dirs.
Check your auth log for errors;
cat /var/log/auth.log | grep refused
You're looking for a line something like this: Authentication refused: bad
ownership or modes for directory
I had to use the ssh-copy-id app to get the keys hither, thither and yon to
get the permissions set up properly, which meant I had to temporarily
enable password auth in order to share the keys.
If you're worried about security, sshd_config, PAM and hosts.[allow|deny]
will enable to lock your machine down very tightly indeed. One thing I
think that is definitely missing from the default sshd_config file provided
with Debian is the "AllowGroups" parameter, which I use to kick off any
users who aren't members of the "remoteadmin" group.