Date: Mon, 18 Oct 2004 07:41:19 -1000
From: Julian Cowley <julian@lava.net>
To: freebsd-hackers@freebsd.org
Subject: Re: [Hackers] passwordless ssh logins with shared _HOST_ keys - not working.
Message-ID: <EB4CAE64-212C-11D9-97DD-000393754804@lava.net>
In-Reply-To: <20041017234802.33563.qmail@web53301.mail.yahoo.com>
References: <20041017234802.33563.qmail@web53301.mail.yahoo.com>

On 17 Oct, 2004, at 13:48, Joe Schmoe wrote:

> (I have asked this several times on -questions and
> gotten nothing ...)
>
> I am trying to allow _all users_ on CLIENT to login to
> SERVER without a password.
>
> IMPORTANT: I am not interested in user keys _at all_
> - at no point in this process should I ever be dealing
> with any keys in /home/user/.ssh - I am only
> interested in doing this with HOST keys - where I copy
> one key between SERVER and CLIENT, and _all_ users on
> CLIENT can login to SERVER without a password. Don't
> even mention user keys.
>
> My /etc/sshd/sshd_config is exactly the same on both
> SERVER and CLIENT:
>
> #VersionAddendum FreeBSD-20020629
>
> #Port 22
> #Protocol 2,1
> #ListenAddress 0.0.0.0
> #ListenAddress ::
>
> # Authentication:
>
> IgnoreRhosts yes
> #RhostsRSAAuthentication no
> HostbasedAuthentication yes
> IgnoreUserKnownHosts yes
>
> ChallengeResponseAuthentication no

If you are using OpenSSH 3.6 or later, turn on the EnableSSHKeysign
option (see ssh-keysign for more information). Also, make sure your
forward and reverse DNS is correct on both the client and the server.

> Further, SERVER has CLIENT in its /etc/hosts.equiv,
> and CLIENT has SERVER in its /etc/hosts.equiv
>
> Finally, I have run:
>
> ssh-keyscan SERVER >> /etc/ssh/ssh_known_hosts
>
> on the CLIENT, and run:
>
> ssh-keyscan CLIENT >> /etc/ssh/ssh_known_hosts
>
> on the SERVER. So the keys are properly shared.
>
> The permissions on /etc/ssh/known_hosts on each system
> are:
>
> 2 -rw-r--r-- 1 root wheel
>
> So that's it. The options are set in sshd_config, the
> keys have been exchanged, hosts.equiv are populated
> and permissions are correct.
>
> SO now I go to CLIENT and run:
>
> ssh user@SERVER
>
> and I get a password prompt!!!
>
> So what am I doing wrong ? Again - NO user keys are
> used and I am not interested in user keys _AT ALL_.
> Don't even mention the /home/user/.ssh directory. The
> goal here is to share one public key between SERVER
> and CLIENT and allow _all_ users on CLIENT to log into
> SERVER without a password.
>
> So what am I doing wrong ?
>
> thanks.
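
EnableSSHKeysign is a client-side ssh_config option, and HostbasedAuthentication has to be enabled in the client's ssh_config as well as in the server's sshd_config, while the listing in the question only covers sshd_config. The script below is an added example, not part of the thread: it audits the file-based prerequisites only (DNS is not checked), and its function names, the example.org host name and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit the config-file prerequisites for
# OpenSSH host-based authentication. Simplified parsing: "Keyword value" lines
# only; Host/Match blocks are not interpreted.

# First uncommented value of KEYWORD in FILE (keyword match is case-insensitive).
effective_opt() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# True if HOST is in the comma-separated host field of an unhashed known_hosts FILE.
known_host() {
    awk -v h="$2" '{ n = split($1, a, ",")
        for (i = 1; i <= n; i++) if (tolower(a[i]) == tolower(h)) found = 1 }
        END { exit !found }' "$1"
}

fail() { echo "MISSING: $1"; problems=$((problems + 1)); }

# audit_hostbased CLIENT_SSH_CONFIG SERVER_SSHD_CONFIG SERVER_HOSTS_EQUIV \
#                 SERVER_KNOWN_HOSTS CLIENT_NAME
# Prints each missing prerequisite and returns how many there were.
audit_hostbased() {
    problems=0
    [ "$(effective_opt "$1" HostbasedAuthentication)" = yes ] ||
        fail "client ssh_config: HostbasedAuthentication yes"
    [ "$(effective_opt "$1" EnableSSHKeysign)" = yes ] ||
        fail "client ssh_config: EnableSSHKeysign yes"
    [ "$(effective_opt "$2" HostbasedAuthentication)" = yes ] ||
        fail "server sshd_config: HostbasedAuthentication yes"
    grep -qixF "$5" "$3" || fail "server hosts.equiv: $5"
    known_host "$4" "$5" || fail "server ssh_known_hosts: host key for $5"
    return "$problems"
}

# Constructed sample: server side as in the question, with a client ssh_config
# that was never edited (both options still commented out).
demo() {
    d=$(mktemp -d) || return 99
    printf '#HostbasedAuthentication no\n#EnableSSHKeysign no\n' > "$d/ssh_config"
    printf 'IgnoreRhosts yes\nHostbasedAuthentication yes\n' > "$d/sshd_config"
    echo 'client.example.org' > "$d/hosts.equiv"
    echo 'client.example.org ssh-rsa AAAA_constructed_key' > "$d/known_hosts"
    audit_hostbased "$d/ssh_config" "$d/sshd_config" "$d/hosts.equiv" \
        "$d/known_hosts" client.example.org
    rc=$?; rm -rf "$d"; return "$rc"
}
demo || echo "problems found: $?"
```
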