Thursday, August 6, 2015

Configuring automatic ssh login between all users of two hosts

While some may consider it unsafe, giving users the ability to log in automatically between two different SSH hosts is important in clustered situations. Be clear about what the mechanism trusts: with host-based authentication the client host's private host key vouches for the username, so root on any host in the ring can log in as any non-root user on every other host, and a compromise of one node is a compromise of all of them. If configuring it through Kerberos is feasible, I recommend it over this method (though it may be more complex).

This documentation is for OpenSSH 3.8p1 (SUSE 9.1), which is slightly more paranoid and complex than previous revisions because of the separate ssh-keysign helper.

Server

Collecting public keys

Pick a node to be the "master" node. This node will hold the SSH configuration that we will sync everywhere else. The system-wide host key database is /etc/ssh/ssh_known_hosts. OpenSSH now ships a utility named ssh-keyscan that we will use. Pass it the list of all machines you wish to allow automatic logins from, and redirect its output.
ssh-keyscan -t rsa beigetwin1.chem.indiana.edu beigetwin2.chem.indiana.edu > /etc/ssh/ssh_known_hosts
ssh-keyscan fetches the keys over the network without verifying anything, so run it from a trusted network, or compare each line against the node's own /etc/ssh/ssh_host_rsa_key.pub before trusting the file; a spoofed key here lets an attacker's host log in as any user.
PLEASE NOTE - You may run into problems if you use short hostnames. sshd matches the connecting client against the name returned by a reverse DNS lookup of its address, so use the fully qualified domain names that DNS reports for reverse resolution. If you have entries for these hosts in /etc/hosts, make sure the FQDN comes first.

hosts.equiv

Using the ssh_known_hosts file, we can configure the list of machines that have the same usernames as this one. This is what actually configures the ring of trust: every host listed in /etc/hosts.equiv may log in as any non-root user of the same name without a password. ssh-keyscan writes one host per line, so the first field is the hostname:
cut -d" " -f1 /etc/ssh/ssh_known_hosts > /etc/hosts.equiv
The file must be owned by root and not writable by anyone else. If these hosts also run rsh or rlogin, which read /etc/hosts.equiv too, write /etc/shosts.equiv instead: sshd honours it with the same format and the r-commands ignore it.

Configuring sshd_config

sshd does not consult hosts.equiv by default. Add these two lines to /etc/ssh/sshd_config. RhostsRSAAuthentication covers protocol 1 clients and HostbasedAuthentication protocol 2; if protocol 1 is already disabled, the first line is not needed.
RhostsRSAAuthentication yes
HostbasedAuthentication yes
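The whole server-side procedure as one script, added here as an example and not taken from the original post: collect the keys, derive hosts.equiv from them (also handling comma-separated aliases, [host]:port entries and hashed lines that a hand-edited ssh_known_hosts may contain, which goes beyond the plain `cut` above), warn about short hostnames, and confirm sshd_config enables the method. Only collect_host_keys needs the network; make_sample_known_hosts writes a constructed sample with placeholder key blobs so the rest can be exercised offline. The beigetwin hostnames are the ones from this page; 10.0.0.2 is an invented address.

```shell
#!/bin/sh
# Added example, not from the original post: build /etc/ssh/ssh_known_hosts and
# /etc/hosts.equiv for a list of cluster nodes and check sshd_config.

# Fetch RSA host keys from every node.  $1 = output file, remaining args = FQDNs.
# ssh-keyscan verifies nothing: compare the result with each node's
# /etc/ssh/ssh_host_rsa_key.pub before trusting it.
collect_host_keys() {
    out=$1; shift
    ssh-keyscan -t rsa "$@" > "$out"
}

# Constructed sample of ssh-keyscan output; the key blobs are placeholders.
make_sample_known_hosts() {
    cat > "$1" <<'EOF'
# constructed sample, not real keys
beigetwin1.chem.indiana.edu ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCsample1
beigetwin2.chem.indiana.edu,10.0.0.2 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCsample2
beigetwin2.chem.indiana.edu ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCsample2
|1|c2FsdA==|aGFzaA== ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCsample3
EOF
}

# Turn a known_hosts file ($1) into hosts.equiv lines: first field only,
# comma-separated aliases split, [host]:port unwrapped, hashed (|1|...) entries,
# @cert-authority/@revoked markers, comments and blank lines skipped, no duplicates.
# sshd matches hosts.equiv entries against the client's reverse-DNS name or its
# IP address, so both kinds of entry are useful.
known_hosts_to_equiv() {
    awk '
        NF == 0 || substr($1, 1, 1) == "#"                       { next }
        substr($1, 1, 3) == "|1|" || substr($1, 1, 1) == "@"     { next }
        {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++) {
                h = names[i]
                sub(/^\[/, "", h); sub(/\]:[0-9]+$/, "", h)
                if (!(h in seen)) { seen[h] = 1; print h }
            }
        }' "$1"
}

# 0 if the name is fully qualified (contains a dot); short names usually fail
# the reverse-DNS match.
is_fqdn() {
    case "$1" in
        *.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# sshd uses the first value it sees for a keyword.  $1 = sshd_config, $2 = keyword;
# prints the value lower-cased, or nothing when the keyword is absent.
sshd_config_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print tolower($2); exit }' "$1"
}

# Run the whole procedure as root on the master node:
#   sh build_hosts_equiv.sh build beigetwin1.chem.indiana.edu beigetwin2.chem.indiana.edu
if [ "${1:-}" = build ]; then
    shift
    for h in "$@"; do
        is_fqdn "$h" || echo "warning: $h is not fully qualified" >&2
    done
    collect_host_keys /etc/ssh/ssh_known_hosts "$@"
    known_hosts_to_equiv /etc/ssh/ssh_known_hosts > /etc/hosts.equiv
    chmod 644 /etc/hosts.equiv    # root-owned, writable by nobody else
    [ "$(sshd_config_value /etc/ssh/sshd_config HostbasedAuthentication)" = yes ] ||
        echo "warning: HostbasedAuthentication is not 'yes' in /etc/ssh/sshd_config" >&2
fi
```

The build mode writes straight into /etc, so review the generated ssh_known_hosts before the hosts.equiv step if the keys could not be compared against the nodes' own public key files.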

Client

The client must be configured as well. Add this line to /etc/ssh/ssh_config
HostbasedAuthentication yes
If the client is running OpenSSH 3.7 or higher, you will need to do a little more work. You also need to add this line to /etc/ssh/ssh_config:
EnableSSHKeysign yes
You will also need to make the keysign helper setuid root; it must be owned by root for the bit to mean anything, since ssh-keysign has to read the private host key on the user's behalf. If you are on a 64-bit system, use lib64 instead:
chmod u+s /usr/lib/ssh/ssh-keysign

Debugging

ssh: ssh-keysign not enabled in /etc/ssh/ssh_config

On the client side, /etc/ssh/ssh_config is missing EnableSSHKeysign yes, which OpenSSH 3.8 requires. See above for the correct instructions.

ssh: could not open any host key

For ssh-keysign to work, you must ensure that the binary is setuid root on each client host. For security reasons, this is not the default.
chmod u+s /usr/lib/ssh/ssh-keysign 
If you are on a 64-bit system, you may need to use /usr/lib64 instead.
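A client-side check for the steps in the Client section and the two ssh-keysign errors above, added here as an example and not part of the original post. It reads the two ssh_config directives and inspects the ssh-keysign binary for both the setuid bit and root ownership, which is the combination that "could not open any host key" depends on. The default paths are the SUSE 9.1 ones used on this page; other paths are passed as arguments. It simplifies ssh_config parsing by ignoring Host blocks: the first occurrence of a keyword anywhere in the file wins.

```shell
#!/bin/sh
# Added example, not from the original post: check that a client host is ready
# for host-based logins.  Paths default to the SUSE 9.1 locations used above.

# Value of the first active occurrence of a keyword, lower-cased; empty if absent.
# $1 = config file, $2 = keyword.  Host blocks are ignored (simplification).
config_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print tolower($2); exit }' "$1"
}

# Owner name of a file, via ls(1) because old systems lack GNU stat(1).
owner_of() {
    ls -ld "$1" | awk '{ print $3 }'
}

# 0 if the setuid bit is set (POSIX test -u).
is_setuid() {
    [ -u "$1" ]
}

# Report every problem found; return 0 only when the client is fully configured.
# $1 = ssh_config path, $2 = ssh-keysign path.
check_client() {
    cfg=${1:-/etc/ssh/ssh_config}
    keysign=${2:-/usr/lib/ssh/ssh-keysign}
    rc=0
    [ "$(config_value "$cfg" HostbasedAuthentication)" = yes ] ||
        { echo "HostbasedAuthentication is not 'yes' in $cfg"; rc=1; }
    [ "$(config_value "$cfg" EnableSSHKeysign)" = yes ] ||
        { echo "EnableSSHKeysign is not 'yes' in $cfg (ssh: ssh-keysign not enabled)"; rc=1; }
    if [ ! -f "$keysign" ]; then
        echo "$keysign not found (try /usr/lib64/ssh on 64-bit SUSE)"
        rc=1
    else
        is_setuid "$keysign" ||
            { echo "$keysign is not setuid (ssh: could not open any host key)"; rc=1; }
        [ "$(owner_of "$keysign")" = root ] ||
            { echo "$keysign is not owned by root, so the setuid bit grants nothing"; rc=1; }
    fi
    return $rc
}

# Usage: sh check_client.sh check [ssh_config] [ssh-keysign]
if [ "${1:-}" = check ]; then
    shift
    check_client "$@" && echo "client is ready for host-based authentication"
fi
```

Run it on every client node after the chmod; a non-zero exit lists each missing piece, so the two errors in this section can be told apart without reading ssh -vvv output.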

auto-login doesn't work for root

Automatic root logins are not enabled by HostbasedAuthentication alone: sshd never consults /etc/hosts.equiv for root, only the .shosts/.rhosts files in root's home directory, and those are ignored by default. If you wish to allow automatic root login, add this to /etc/ssh/sshd_config (PermitRootLogin must also allow it)
IgnoreRhosts no
Then copy /etc/hosts.equiv to the .shosts file in root's home directory. Make sure the file is owned by root and readable only by root (chmod 600); with StrictModes on, sshd rejects an .shosts file that is group- or world-writable.

logins don't work at all

Typically, this is a DNS-related issue. Try setting up /etc/hosts so that the fully qualified name comes before the short name, and update /etc/hosts.equiv and /etc/ssh/ssh_known_hosts to use the FQDNs.
If this does not help, run the server in debug mode. Either stop the running sshd and run the command below, or leave it running and start a second instance on a spare port with -p (then connect with ssh -p that port). Adding -vvv to the ssh command on the client shows the other half of the exchange.

/usr/sbin/sshd -d -d
