[Beowulf] Password less ssh

Robert G. Brown rgb at phy.duke.edu
Thu Dec 9 11:04:48 EST 2004


On Thu, 9 Dec 2004, Sean Dilda wrote:

> Robert G. Brown wrote:
> 
> > 
> > Try it not as root.  In fact, if you've copied the same keypairs into
> > all your user's directories:
> 
> Rob, I believe you've responded to the wrong person.  The original 
> poster, named akhtar Rasool, did a really weird and potentially 
> dangerous thing with user keys.  Then later on Suvendra Nath Dutat asked 
> about hostbased authentication in ssh which uses host keys instead of 
> user keys.  These are two different people with two different setups.

Maybe I misread things, sorry.

> As for sshing as different users.  I know that the hostbased will not 
> let you do that, as I'm using hostbased in my cluster.

Actually, the only difference between host based and user based ssh
authentication is where the host keys were stored and how reliable they
are likely to be (see e.g. man sshd).  In fact I recall a time where
passwordless login only tended to be permitted by sysadmins if you DID
have a ssh_known_hosts table, as this is the only form of host
authentication likely to be valid.

In host based, host keys are collected by the sysadmin (presumably a
trusted and perfectly knowledgeable agent) and put in
/etc/ssh/ssh_known_hosts on all hosts.  Doing this actualy allows users
to skip the silly tell-me-again step where it asks users to verify that
the host key of the host they are connecting to the first time is
correct (as if they have any way they are every likely to use to tell,
or even CAN use without connecting to the host in question first).  At
best, building up ~user/.ssh/known_hosts in this way adds a questionable
amount to the overall security of any LAN.  At worst over a WAN it is
probably an open but unnoticed invitation for MitM attacks.

I suspect that the thing that prevents users from using authorized key
based (passwordless) authentication is a PAM setting or setting in
/etc/ssh/ssh*.config, but pam is really hard for me to untangle in a
truly deterministic way (too many settings, too many complicated
interactions).  sshd_config is pretty deterministic, though; look at:

 PermitEmptyPasswords 
 PermitRootLogin

which enable/disable most of the stuff we've been talking about and
which have settings that vary according to the whim of the packager in
any given distribution for their defaults.

Usually I just tweak these settings a bit (and sometimes end up having
to mess with PAM) and eventually find a combination that permits user
and/or root login with or without passwords required, as the environment
and my needs seems to require.

FWIW, I just did another simple experiment and proved that I could
(still) install ssh_known_hosts on two nodes in my home cluster (running
pretty much stock dulug RH 9), delete the host entries in my
~/.ssh/known_hosts file, copy my id_dsa.pub into a son's authorized_keys
file, and ssh directly to my son's account without either typing a
password or "approving" the host key and having a new table entry in my
~/.ssh/known_hosts.  So I'm >>certain<< that this isn't actually
relevant to passworded vs passwordless login in the authentication stack
or the dangerous elements of sharing keypairs among different
individuals with a desire not to have their mail or files or ssh
encrypted datastreams (all keyed to this pair) openly accessible to
others.

ssh_keyscan can be used to easily gather ssh host keys and build an
ssh_known_hosts file.  Doing this likely marginally increases the
security of your ssh connections (IF you do it under circumstances that
you know cannot be spoofed, e.g. inside a firewall and not over a WAN
connection, of course) and keeps users from having to constantly
"validate" host keys.  If you keep it well-maintained, you can also
avoid having ten users complain about the man-in-the-middle warning (and
having to tell them what to do about it) that inevitably pops up after a
reinstall unless you carefully preserve and restore the old keypairs.

   rgb

-- 
Robert G. Brown	                       http://www.phy.duke.edu/~rgb/
Duke University Dept. of Physics, Box 90305
Durham, N.C. 27708-0305
Phone: 1-919-660-2567  Fax: 919-660-2525     email:rgb at phy.duke.edu


_______________________________________________
Beowulf mailing list, Beowulf at beowulf.org
To change your subscription (digest mode or unsubscribe) visit http://www.beowulf.org/mailman/listinfo/beowulf



More information about the Beowulf mailing list