Hostbased SSH authentication setup

Note: These instructions are now outdated, as our SSH trust relations are now based on keys kept in LDAP.
These instructions are based on those given to me by Rob Tuck when I was setting up SSH on my machines.

Hostbased SSH authentication has to be configured on both the client (to ask for it) and the server (to allow it).

Client-side configuration

The following options may be configured in either ~/.ssh/config or in the global ssh_config file (which lives in /etc/ssh under Linux and in /usr/local/etc under Solaris).
    HostbasedAuthentication yes
    UsePrivilegedPort yes
Also needed in some places is
    PreferredAuthentications hostbased,publickey,keyboard-interactive,password
(The symptom observed without it was that SSH asked for a password several times and then, if hostbased authentication was set up, let the user in without one. It may as well be specified explicitly.) Under Fedora Core 5, you should now also specify
    EnableSSHKeysign yes

Server-side configuration

The following options should be configured in sshd_config (which lives in /etc/ssh under Linux and in /usr/local/etc under Solaris).
    IgnoreRhosts yes
    HostbasedAuthentication yes
    IgnoreUserKnownHosts yes
Note: Some sshd config files show the default value in a commented-out line. For example,
#PermitRootLogin no
usually means that root logins are turned off by default; the commented line itself sets nothing. (As always, check the man pages for the defaults.)
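The commented-default pitfall is easy to check mechanically. The script below is an added example (not part of the original page or Rob Tuck's instructions): it reports the effective value of a keyword the way sshd resolves it (comments ignored, keywords case-insensitive, first active occurrence wins, Match blocks not handled) and checks the three server-side settings above against a constructed sshd_config. The fallback defaults passed in for the check are the ones documented in sshd_config(5); the sample config and the `PROBLEM`/`ok` wording are this example's own.

```sh
#!/bin/sh
# Added example, not part of the original page: report the EFFECTIVE value of
# sshd_config (or ssh_config) keywords. A line such as "#PermitRootLogin no"
# is a comment, so the daemon uses its built-in default; this script treats it
# the same way and falls back to a default you pass in.

# ssh_opt_effective FILE KEYWORD DEFAULT
# Prints the value from the first active (uncommented) KEYWORD line in FILE,
# which is how ssh/sshd resolve options: keywords are case-insensitive and the
# first occurrence wins. Prints DEFAULT when no active line sets the keyword.
# (Simplification: Match blocks are not handled.)
ssh_opt_effective() {
    file=$1; key=$2; default=$3
    val=$(awk -v key="$key" '
        { sub(/^[ \t]+/, "") }          # drop leading whitespace
        /^#/ || /^$/ { next }           # comments and blank lines set nothing
        { sub(/=/, " ") }               # "Keyword=value" is also accepted
        tolower($1) == tolower(key) { print $2; exit }
    ' "$file")
    printf '%s\n' "${val:-$default}"
}

# check_hostbased_server FILE
# Verifies the three server-side settings listed above. Each spec is
# "Keyword <default per sshd_config(5)> <value required here>".
# Returns 0 when all three are effectively set, 1 otherwise.
check_hostbased_server() {
    cfg=$1; rc=0
    for spec in "IgnoreRhosts yes yes" \
                "HostbasedAuthentication no yes" \
                "IgnoreUserKnownHosts no yes"; do
        set -- $spec
        have=$(ssh_opt_effective "$cfg" "$1" "$2")
        if [ "$have" = "$3" ]; then
            echo "ok       $1 = $have"
        else
            echo "PROBLEM  $1 = $have (need $3)"
            rc=1
        fi
    done
    return $rc
}

# make_sample_sshd_config
# Writes a constructed sshd_config to a temp file and prints its path. Two of
# the required keywords appear only as commented-out defaults, the pitfall
# described above.
make_sample_sshd_config() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
# constructed sample sshd_config, not from a real host
Port 22
#HostbasedAuthentication no
IgnoreRhosts yes
#IgnoreUserKnownHosts no
EOF
    printf '%s\n' "$f"
}

main() {
    f=$(make_sample_sshd_config)
    echo "== as shipped =="
    check_hostbased_server "$f" || true
    # uncommenting is not enough; the value must also be changed to yes
    printf 'HostbasedAuthentication yes\nIgnoreUserKnownHosts yes\n' >>"$f"
    echo "== after adding active lines =="
    check_hostbased_server "$f" || true
    rm -f "$f"
}
main
```

Because the first active occurrence wins, appending `IgnoreRhosts no` at the end of a file that already has `IgnoreRhosts yes` changes nothing; `ssh_opt_effective` reproduces that, which is why it is worth running against the real file rather than grepping for the keyword.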

ssh_known_hosts2 (in /etc/ssh under Linux and in /usr/local/etc under Solaris) must have an entry for every client host to be allowed authentication on this machine. The entries should have the following format:

    <hostname>,<hostname>,<ip address> ssh-rsa <host_key of client machine>
For example:
    curly.rutgers.edu,curly,128.6.26.100  ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAxt26m5ssYnxX26BPNaesXQFU+a0aWpj7LvHuYJbjE8IW+GwfCJ/6wy/e7dI5G2tzQd8pZKXh/uffaRFIkHs0BstZkKZAap+DClJ6WjCCOjhxGQTLsqtGiaoMKNd1HHgX6BsTHE4XubX7G3Q70uEEYt6VWCuXa/kAN8a1i0rURFE= root@curly.rutgers.edu
This host key can be found in ssh_host_rsa_key.pub (in the same directory) on the client machine.

I generate an ssh_known_hosts2 for the hosts we want to allow hostbased authentication from; don't worry about editing the file I generate. A host also has to be in hosts.equiv to be allowed hostbased authentication. There is no need to keep ssh_known_hosts2 secret either: the public keys it contains are meant to be published and are sent on initial SSH connection anyway.

Finally, /etc/hosts.equiv should list the netgroups and individual machines that are allowed to connect to this server.
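Since a client host must appear in both ssh_known_hosts2 and hosts.equiv, the mismatch between the two files is the first thing to check when hostbased authentication silently falls back to a password. The script below is an added example, not the generator mentioned above and not part of the original page: it builds ssh_known_hosts2 lines in the format shown above from a host public key file, validates the file's format, and lists hosts that are in ssh_known_hosts2 but not in hosts.equiv. The sample data is constructed: the curly entry reuses the key printed on this page, and moe.example.org with 192.0.2.7 is a made-up second host that reuses the same key purely as sample data. Netgroup lines (`+@name`) cannot be expanded offline, so hosts granted only through a netgroup are still reported and must be verified by hand.

```sh
#!/bin/sh
# Added example, not part of the original page. Builds ssh_known_hosts2 lines
# in the "<hostname>,<hostname>,<ip> ssh-rsa <key>" format shown above and
# cross-checks them against hosts.equiv, because a client host needs an entry
# in BOTH files before this server will accept hostbased authentication.

# Host key shown on this page (curly.rutgers.edu), used here as sample data.
CURLY_KEY='AAAAB3NzaC1yc2EAAAABIwAAAIEAxt26m5ssYnxX26BPNaesXQFU+a0aWpj7LvHuYJbjE8IW+GwfCJ/6wy/e7dI5G2tzQd8pZKXh/uffaRFIkHs0BstZkKZAap+DClJ6WjCCOjhxGQTLsqtGiaoMKNd1HHgX6BsTHE4XubX7G3Q70uEEYt6VWCuXa/kAN8a1i0rURFE='

# known_hosts_entry FQDN SHORTNAME IP PUBKEYFILE
# Prints one ssh_known_hosts2 line from a client's host public key file
# (ssh_host_rsa_key.pub). Returns 1 if the file is unreadable or not a key.
known_hosts_entry() {
    fqdn=$1; short=$2; ip=$3; keyfile=$4
    [ -r "$keyfile" ] || return 1
    read -r ktype kdata kcomment <"$keyfile"
    [ -n "$kdata" ] || return 1
    printf '%s,%s,%s %s %s %s\n' "$fqdn" "$short" "$ip" "$ktype" "$kdata" "$kcomment"
}

# validate_known_hosts FILE
# Checks every non-comment line against the format used on this page: a
# comma-separated host field ending in a dotted-quad IP, key type ssh-rsa,
# and base64 key data. Prints offending lines; returns 1 if there are any.
validate_known_hosts() {
    awk '
        /^[ \t]*(#|$)/ { next }
        NF < 3 || $2 != "ssh-rsa" || $3 !~ /^[A-Za-z0-9+\/]+=*$/ ||
        $1 !~ /^[^,]+(,[^,]+)*$/ || $1 !~ /(^|,)[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            print "bad entry at line " NR ": " $0; bad = 1
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# hosts_missing_from_equiv KNOWN_HOSTS HOSTS_EQUIV
# Prints the first name of each ssh_known_hosts2 entry that has no matching
# host line in hosts.equiv. Lines starting with "+" (netgroups, wildcard) or
# "-" (deny) are not expanded, so treat the output as a list to verify by hand.
hosts_missing_from_equiv() {
    awk '
        FILENAME == ARGV[1] {
            if ($0 !~ /^[ \t]*(#|$)/ && $1 !~ /^[+-]/) equiv[tolower($1)] = 1
            next
        }
        /^[ \t]*(#|$)/ { next }
        { split($1, names, ","); if (!(tolower(names[1]) in equiv)) print names[1] }
    ' "$2" "$1"
}

# make_samples
# Creates a temp directory with a constructed key file, ssh_known_hosts2 and
# hosts.equiv, and prints the directory path. moe.example.org is made up and
# reuses the curly key only as sample data.
make_samples() {
    dir=$(mktemp -d)
    printf 'ssh-rsa %s root@curly.rutgers.edu\n' "$CURLY_KEY" >"$dir/curly.pub"
    {
        known_hosts_entry curly.rutgers.edu curly 128.6.26.100 "$dir/curly.pub"
        known_hosts_entry moe.example.org moe 192.0.2.7 "$dir/curly.pub"
    } >"$dir/ssh_known_hosts2"
    printf '# constructed hosts.equiv\n+@labhosts\ncurly.rutgers.edu\n' >"$dir/hosts.equiv"
    printf '%s\n' "$dir"
}

main() {
    d=$(make_samples)
    echo "== generated ssh_known_hosts2 =="
    cat "$d/ssh_known_hosts2"
    validate_known_hosts "$d/ssh_known_hosts2" && echo "format ok"
    echo "== in ssh_known_hosts2 but not in hosts.equiv (check netgroups by hand) =="
    hosts_missing_from_equiv "$d/ssh_known_hosts2" "$d/hosts.equiv"
    rm -rf "$d"
}
main
```

Run against the real files with `validate_known_hosts /etc/ssh/ssh_known_hosts2` and `hosts_missing_from_equiv /etc/ssh/ssh_known_hosts2 /etc/hosts.equiv` (adjust the directory for Solaris as described above); a host in the second list that is not covered by one of the listed netgroups will not get hostbased authentication no matter how correct its key entry is.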


This page last updated November 14, 2006. (Marked as outdated October 22, 2020.)