[Beowulf] Password less ssh

Robert G. Brown rgb at phy.duke.edu
Wed Dec 8 16:01:18 EST 2004


On Wed, 8 Dec 2004, Suvendra Nath Dutta wrote:

> This is exactly the steps I followed from another past email in this list. 
> But it didn't work for me. Which is why I wondered if something was 
> different about this particular version of OpenSSH or SUSE.

I doubt it, although I don't use SUSE so I cannot be certain.

I think (in agreement with several others on the list) that the problem
is that you were doing things as root that are really dangerous, really
bad things to do as root.  For example, if you REALLY copied root's
/root/.ssh directory to all your users' directories and had set root's
directory up so that password-free login was possible, it is quite
possible that now all of your users can login as root without a
password.

EACH user has to set up password-free logins for THEMSELVES, one at a
time.  You cannot do this for them, or well, I suppose you could but
you'd need to do it by running the keygen-thing one user at a time, as
those users.  Not something you really want to be doing.

The best that you could do is wrap it up in a script for users to run to
do it in one step without knowing what they are doing.  This would give
you a degree of control over certain choices such as rsa vs dsa, number
of bits in the key.

   rgb

> 
> Suvendra
> 
> 
> On Wed, 8 Dec 2004, Sean Dilda wrote:
> 
> > Suvendra Nath Dutta wrote:
> >> On this note, I know this has been rehashed many times before, but using 
> >> OpenSSH 3.8 on SUSE 9.1, I couldn't get host authentication to work. I 
> >> followed all the instructions out in the web but everything failed. I ended 
> >> up copying the root's dsa key to every user's ssh directory and using 
> >> public-key authentication. Has someone successfully implemented host 
> >> authentication using SSH (hopefully v2) 
> >
> > Yes
> >
> > and has written it up in a
> >> nice How To?
> >
> > No :)
> >
> > Some stuff that might be useful:
> >
> > in ssh_config:
> >
> > HostbasedAuthentication yes
> > EnableSSHKeysign yes  # This may not be needed, depending on your version of 
> > ssh
> >
> > and the 'HostbasedAuthentication' flag needs to be set in sshd_config as 
> > well.
> >
> > You also need to make sure all the appropriate keys are in 
> > /etc/ssh/ssh_known_hosts
> >
> > And /etc/ssh/shosts.equiv needs to be setup.  I did mine with netgroups.
> >
> > And if you want root to be able to ssh in with host based, you need to setup 
> > /root/.shosts as well.
> >
> > I did this on RHL9 and RHEL3.
> >
> _______________________________________________
> Beowulf mailing list, Beowulf at beowulf.org
> To change your subscription (digest mode or unsubscribe) visit http://www.beowulf.org/mailman/listinfo/beowulf
> 

-- 
Robert G. Brown	                       http://www.phy.duke.edu/~rgb/
Duke University Dept. of Physics, Box 90305
Durham, N.C. 27708-0305
Phone: 1-919-660-2567  Fax: 919-660-2525     email:rgb at phy.duke.edu


_______________________________________________
Beowulf mailing list, Beowulf at beowulf.org
To change your subscription (digest mode or unsubscribe) visit http://www.beowulf.org/mailman/listinfo/beowulf



More information about the Beowulf mailing list