Openssh - HOWTO

Configuring Hostbased Authentication

Note: I did not write this, just did some tidying. SOL, 2003/10/14

TABLE OF CONTENTS:

1  Introduction
2  SSH client configuration
3  SSH daemon configuration
4  Hostbased authentication by IP address
5  Useful resources for further ssh configuration details
6  Appendix A

1  Introduction

This document describes a short and very basic SSH version 2 configuration procedure for OpenSSH that enables the hostbased authentication method.

The ssh daemon configuration detailed below has been tested on the following operating systems and OpenSSH versions:

  - RedHat 7.[2,3] with OpenSSH versions 3.1p1, 3.5p1, 3.6p1
  - SunOS 5.8 (Solaris 8) with OpenSSH versions 2.9p1, 3.4p1
  - BSD/OS 4.1 with OpenSSH version 3.4p1

NOTE: This paper does not cover other SSH authentication methods (e.g. password authentication stays enabled by default in the examples), and deals only with the OpenSSH binaries, an open source implementation of the SSH network connectivity tools.

2  SSH client configuration

Regarding the hostbased authentication login method, the "trusted machines" are the clients in this client-server model.

On the client side, the following files should be created and configured:

  - <dir-of-ssh-conf-files>/ssh_config

    In this file:

        HostbasedAuthentication yes
        EnableSSHKeysign yes

    EnableSSHKeysign lets ssh call the ssh-keysign helper, which has to be installed setuid root because it signs with the root-only host private key on behalf of an unprivileged user.

    The same effect can be reached by specifying the method when the ssh session is started:

        ssh -o HostbasedAuthentication=yes target.hostbasedauth.org

  - <dir-of-ssh-conf-files>/ssh_host_rsa_key
    <dir-of-ssh-conf-files>/ssh_host_rsa_key.pub

    These files should be created automatically during the OpenSSH package installation. If they do not exist, they have to be created with the ssh-keygen tool:

        ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ""

Depending on which operating system is installed on the client machine, the <dir-of-ssh-conf-files> directory differs:

  I.   On RedHat: the /etc/ssh directory
  II.  On Solaris and BSD/OS: the /etc directory

3  SSH daemon configuration

The servers in this client-server model are the target machines, which should be reachable from the "trusted machines" by the hostbased SSH authentication method.

On the server side, the following files should be created and configured:

  - <dir-of-ssh-conf-files>/sshd_config

    Even when the same OpenSSH version is used and only a few lines have to be added or modified in the ssh daemon configuration, the configuration can differ in some options between operating systems. These differences appear because different compilation options were used when the OpenSSH binaries were built.

    For example, on BSD/OS 4.1 the line "UsePrivilegeSeparation no" has to be added, because the SSH daemon did not run as root there. For more about this feature see reference [4].

    The simplified sshd_config files for the different operating systems can be found in Appendix A.

    Besides the necessary default settings, the following sshd_config statements should be set explicitly:

        HostbasedAuthentication yes
        IgnoreRhosts no

    IgnoreRhosts no makes sshd read the /root/.shosts file at authentication. It has to be specified only for root, but other users are enabled automatically by this setting as well.

  - /etc/hosts.equiv

    This file should contain the full DNS names of the "trusted machines" (from which users will be allowed to ssh to the target machine).

    For example, on the "target machine" target.hostbasedauth.org it should look like this if 3 "trusted machines" are to be hostbased authenticated:

        [root@target root]# cat /etc/hosts.equiv
        trustedmachine1.hostbasedauth.org
        trustedmachine2.hostbasedauth.org
        trustedmachine3.hostbasedauth.org

  - /root/.shosts

    This file has to have the same content as the /etc/hosts.equiv file. Only root should have read-write access to this file:

        [root@target root]# chmod 600 /etc/hosts.equiv

  - <dir-of-ssh-conf-files>/ssh_known_hosts2

    This file has to contain the RSA public host keys of the "trusted machines". The file can be created with the ssh-keyscan tool:

        ssh-keyscan -t rsa -f /etc/hosts.equiv > <dir-of-ssh-conf-files>/ssh_known_hosts2

    The tool fetches the public RSA keys of the "trusted machines" in the necessary syntax, provided the machines are alive and the appropriate keys have already been created on them. If the key fetching fails for any of the "trusted machines" because of missing public ssh keys, read the RSA key generation process in the chapter SSH client configuration. Because ssh-keyscan simply records whatever key each host presents over the network, compare the collected keys with the trusted machines' own ssh_host_rsa_key.pub files before relying on them.

    After the keyscan, the <dir-of-ssh-conf-files>/ssh_known_hosts2 file contains the RSA host key assigned to the appropriate DNS name:

        trustedmachine1.hostbasedauth.org ssh-rsa AAAAB3NzaC1y...
        trustedmachine2.hostbasedauth.org ssh-rsa AAAAB3NzaC1y...
        trustedmachine3.hostbasedauth.org ssh-rsa AAAAB3NzaC1y...

    NOTE: If the ssh-keyscan tool is not installed on the "target machine", the ssh_known_hosts2 file can be copied from another "target machine", even one running a different operating system.

Depending on which operating system is installed on the target machine, the <dir-of-ssh-conf-files> directory differs:

  I.   On RedHat: the /etc/ssh directory
  II.  On Solaris and BSD/OS: the /etc directory

After the necessary files have been created and configured, the ssh daemon should be restarted on the target machine, and the hostbased ssh login should work.
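A consistency check for the server-side files described in this chapter, added here as an example (it is not part of the original HOWTO). It assumes sshd_config, hosts.equiv and ssh_known_hosts2 sit together in one directory passed as the argument, and it builds a constructed sample in a temporary directory so it can be run stand-alone.

```shell
#!/bin/sh
# Added example, not from the original HOWTO: checks that sshd_config, hosts.equiv
# and ssh_known_hosts2 in directory "$1" agree (on a real server see the text).

# Succeed if sshd_config sets "opt" to "want". Names match case-insensitively
# and the first non-comment occurrence wins, as in sshd itself.
sshd_option_is() {
    conf="$1" opt="$2" want="$3"
    got=$(grep -v '^[[:space:]]*#' "$conf" | grep -i "^[[:space:]]*$opt[[:space:]]" \
          | head -n 1 | awk '{ print $2 }')
    [ "$got" = "$want" ]
}

# Print each host in hosts.equiv without an entry in ssh_known_hosts2; sshd
# rejects hostbased logins from such a host. Aliases "name,ip" are handled.
missing_known_hosts() {
    equiv="$1" known="$2"
    grep -Ev '^[[:space:]]*(#|$)' "$equiv" | while read -r host; do
        awk -v h="$host" '{ n = split($1, a, ",")
            for (i = 1; i <= n; i++) if (a[i] == h) found = 1 }
            END { exit (found ? 0 : 1) }' "$known" || echo "$host"
    done
}

# Run every check against one directory; report problems, return 1 if any.
check_hostbased_server() {
    dir="$1" rc=0
    sshd_option_is "$dir/sshd_config" HostbasedAuthentication yes \
        || { echo "sshd_config: HostbasedAuthentication must be yes"; rc=1; }
    sshd_option_is "$dir/sshd_config" IgnoreRhosts no \
        || { echo "sshd_config: IgnoreRhosts must be no"; rc=1; }
    missing=$(missing_known_hosts "$dir/hosts.equiv" "$dir/ssh_known_hosts2")
    [ -z "$missing" ] || { echo "no host key in ssh_known_hosts2 for: $missing"; rc=1; }
    return $rc
}

# Constructed sample: trustedmachine3 is trusted in hosts.equiv but its key
# was never scanned, so the check must flag it.
make_sample_server() {
    dir=$(mktemp -d)
    printf 'IgnoreRhosts no\nHostbasedAuthentication yes\n' > "$dir/sshd_config"
    printf 'trustedmachine%d.hostbasedauth.org\n' 1 2 3 > "$dir/hosts.equiv"
    printf '%s ssh-rsa AAAAB3NzaC1y...\n' trustedmachine1.hostbasedauth.org \
        trustedmachine2.hostbasedauth.org,10.10.10.2 > "$dir/ssh_known_hosts2"
    echo "$dir"
}
sample=$(make_sample_server)
check_hostbased_server "$sample" || echo "(problems found, as expected for this sample)"
rm -rf "$sample"
```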

 

 

 

4  Hostbased authentication by IP address

The hostbased configuration described above relies on the precondition that DNS name resolution works well on both the client and the server side. It can also be useful to make hostbased authentication work when DNS resolving does not work on the server side.

Consider the example of a machine that can be accessed remotely only by ssh hostbased authentication and uses only a DNS resolver daemon running on the localhost. If the DNS service on the localhost shuts down for some reason, the machine becomes remotely inaccessible.

In this case the sshd configuration option HostbasedUsesNameFromPacketOnly yes is advised on several useful websites, such as reference page [1], but it never worked on any of the platforms tried by me.

In order to make hostbased authentication work with pure IP addresses, without any DNS name resolving, the following additional settings should be made on the server side:

  - Like the DNS names, the IP addresses of the "trusted machines" should be added to the /etc/hosts.equiv and /root/.shosts files.

  - The IP addresses of the "trusted machines" should also be registered in the <dir-of-ssh-conf-files>/ssh_known_hosts2 file. Consider the "trusted machines" (trustedmachine[1-3].hostbasedauth.org) using the private IP addresses 10.10.10.[1-3] respectively. Then this file should be modified like this (the name and the address are separated by a comma, with no space):

        trustedmachine1.hostbasedauth.org,10.10.10.1 ssh-rsa AAAAB3NzaC1y...
        trustedmachine2.hostbasedauth.org,10.10.10.2 ssh-rsa AAAAB3NzaC1y...
        trustedmachine3.hostbasedauth.org,10.10.10.3 ssh-rsa AAAAB3NzaC1y...
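The IP registration steps of this chapter carried out by a script, added here as an example (not part of the original HOWTO). The name-to-address pairs come from the administrator rather than from DNS, which is exactly the situation the chapter addresses; the script assumes hosts.equiv, .shosts and ssh_known_hosts2 live in one directory, and the host names, addresses and truncated keys are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the original HOWTO: register a trusted machine's IP
# address next to its DNS name in hosts.equiv, .shosts and ssh_known_hosts2,
# as section 4 requires, without any DNS lookup. Assumed layout: all three
# files live in "$1" (really /etc/hosts.equiv, /root/.shosts, ssh_known_hosts2).

# Append "entry" to a hosts.equiv-style file unless that exact line exists.
add_equiv_entry() {
    file="$1" entry="$2"
    grep -qxF -- "$entry" "$file" 2>/dev/null || echo "$entry" >> "$file"
}

# Rewrite the known_hosts entry of "host" so its first field becomes
# "host,ip" (comma, no space). Other lines pass through; never adds twice.
add_known_hosts_alias() {
    known="$1" host="$2" ip="$3"
    awk -v h="$host" -v ip="$ip" '
        $1 !~ /^#/ && NF >= 3 {
            n = split($1, a, ","); has_h = 0; has_ip = 0
            for (i = 1; i <= n; i++) { if (a[i] == h) has_h = 1; if (a[i] == ip) has_ip = 1 }
            if (has_h && !has_ip) $1 = $1 "," ip
        }
        { print }' "$known" > "$known.tmp" && mv "$known.tmp" "$known"
}

# Register one trusted machine by name and IP in all three server-side files.
register_trusted_ip() {
    dir="$1" host="$2" ip="$3"
    add_equiv_entry "$dir/hosts.equiv" "$ip"
    add_equiv_entry "$dir/.shosts" "$ip"
    add_known_hosts_alias "$dir/ssh_known_hosts2" "$host" "$ip"
}

# Constructed sample: the three trusted machines from the text, keys truncated.
make_sample_dir() {
    dir=$(mktemp -d)
    for i in 1 2 3; do
        echo "trustedmachine$i.hostbasedauth.org" >> "$dir/hosts.equiv"
        echo "trustedmachine$i.hostbasedauth.org ssh-rsa AAAAB3NzaC1y..." >> "$dir/ssh_known_hosts2"
    done
    cp "$dir/hosts.equiv" "$dir/.shosts"
    echo "$dir"
}

sample=$(make_sample_dir)
for i in 1 2 3; do register_trusted_ip "$sample" "trustedmachine$i.hostbasedauth.org" "10.10.10.$i"; done
cat "$sample/ssh_known_hosts2"   # each line now reads "name,10.10.10.N ssh-rsa ..."
rm -rf "$sample"
```

Running register_trusted_ip twice for the same host is harmless: the alias and the hosts.equiv line are only added once.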

 

 

 

 

 

5  Useful resources for further ssh configuration details

[1] http://www.snailbook.com/faq/trusted-host-howto.auto.html
[2] http://www.openssh.org/
[3] http://www.ssh.com/
[4] http://www.citi.umich.edu/u/provos/ssh/privsep-faq.html

6  Appendix A

On RedHat 7.2, 7.3 with OpenSSH_3.1p1 and OpenSSH_3.5p1, the /etc/ssh/sshd_config file used:

    #
    # /etc/ssh/sshd_config v 1.0 2003/04/24 23:39:07 vici@mailbox.hu
    # Hostbased authentication enabled for the trusted hosts see /etc/hosts.equiv
    #
    SyslogFacility AUTHPRIV
    LogLevel ERROR
    IgnoreRhosts no
    HostbasedAuthentication yes
    PrintMotd yes

On BSD/OS 4.1 with OpenSSH_3.4p1, the /etc/sshd_config file used:

    #
    # /etc/sshd_config v 1.0 2003/04/24 23:39:07 vici@mailbox.hu
    # Hostbased authentication enabled for the trusted hosts see /etc/hosts.equiv
    #
    SyslogFacility AUTHPRIV
    UsePrivilegeSeparation no
    LogLevel INFO
    IgnoreRhosts no
    HostbasedAuthentication yes
    PrintMotd yes

On SOLARIS8 with OpenSSH_2.9p2 and OpenSSH_3.4p1, the /etc/sshd_config file used:

    #
    # /etc/sshd_config v 1.0 2003/04/24 23:39:07 vici@mailbox.hu
    # Hostbased authentication enabled for the trusted hosts see /etc/hosts.equiv
    #
    SyslogFacility DAEMON
    LogLevel INFO
    IgnoreRhosts no
    HostbasedAuthentication yes
    PrintMotd yes


Last modified: May 13, 2003

Maintained by István Viczián