host-based ssh authentication (no password) not working ... help needed

Matthew Seaman m.seaman at infracaninophile.co.uk
Sun Oct 10 23:44:23 PDT 2004


On Sun, Oct 10, 2004 at 02:14:32PM -0700, Joe Schmoe wrote:
> 
> --- Matthew Seaman <m.seaman at infracaninophile.co.uk>
> wrote:
> 
> > For ssh(1) to work using key based auth, all of the
> > files in
> > ~user/.ssh on the server must have the correct
> > permissions, and the
> > host public keys for the server should be known to
> > the client machine,
> > and vice versa.
> 
> 
> No no ... I was talking about _host_ keys, not user
> keys - no user home directories should be involved at
> all.  I am simply sharing host keys so that all users
> on CLIENT can login to SERVER with no passwords ... am
> I missing something here ?

Errr... That's not recommended, but it should be possible.  They are
your systems, and you can do whatever you want with them.  The
procedure I gave about using sshd with all the debug flags turned on
should still be helpful for debugging the setup.

You'll also need

    HostbasedAuthentication yes

but you should have

    #RhostsRSAAuthentication no

because you don't want to be using SSH1 if you can avoid it.  Plus you
maybe want:

    IgnoreRhosts yes
    IgnoreUserKnownHosts yes

in your /etc/ssh/sshd_config on the server.
 
> I think my problem is that I gave the public _host_
> key of the CLIENT to the SERVER, but really I should
> give the public _host_ key of the SERVER to the CLIENT
> ... is that my problem ?

Yes, you will need to populate /etc/ssh/ssh_known_hosts on both client
and server.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
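
Added example, not part of the original message: a POSIX shell check of the sshd_config directives named above and of an /etc/ssh/ssh_known_hosts style entry. The function names, sample files and host names are constructed; the defaults column is what OpenSSH's sshd_config(5) documents, and only exact, unhashed host names are matched.

```shell
#!/bin/sh
# Added example, not from the original message; sample files are constructed.

# effective_value FILE KEYWORD: value from the global section of an sshd_config.
# Keywords are case-insensitive and the first occurrence wins.
effective_value() {
    awk -v want="$2" '
        BEGIN { FS = "[ \t=]+"; want = tolower(want) }
        { sub(/^[ \t]+/, "") }                # strip indentation, fields re-split
        /^(#|$)/ { next }                     # commented-out lines do not count
        tolower($1) == "match" { exit }       # Match blocks are conditional: stop
        tolower($1) == want { print tolower($2); exit }
    ' "$1"
}

# check_hostbased FILE: compare effective values with the ones suggested above.
# Table columns: keyword, suggested value, sshd default. Non-zero on mismatch.
check_hostbased() {
    rc=0
    while read -r key want default; do
        got=$(effective_value "$1" "$key")
        [ -n "$got" ] || got=$default
        if [ "$got" = "$want" ]; then
            echo "ok    $key $got"
        else
            echo "CHECK $key is '$got', expected '$want'"; rc=1
        fi
    done <<EOF
HostbasedAuthentication yes no
IgnoreRhosts yes yes
IgnoreUserKnownHosts yes no
EOF
    return $rc
}

# has_host_key FILE HOST: succeed if HOST is named on an unhashed known_hosts line.
has_host_key() {
    awk -v h="$2" '
        /^[ \t]*(#|$)/ { next }
        { n = split($1, names, ","); for (i = 1; i <= n; i++) if (names[i] == h) found = 1 }
        END { exit !found }
    ' "$1"
}

tmp=$(mktemp -d)
printf '#HostbasedAuthentication yes\nIgnoreRhosts yes\nignoreuserknownhosts yes\n' > "$tmp/sshd_config"
printf 'client.example.org,192.0.2.10 ssh-ed25519 AAAA_constructed_key\n' > "$tmp/ssh_known_hosts"
check_hostbased "$tmp/sshd_config" || echo "sshd_config needs attention"
has_host_key "$tmp/ssh_known_hosts" client.example.org && echo "client host key listed"
```

On a live server, point check_hostbased at /etc/ssh/sshd_config and has_host_key at /etc/ssh/ssh_known_hosts; run the same known-hosts check on the client with the server's name.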