Hi, please help before I tear my hair out. I'm trying to get RhostsRSAAuthentication to work. What I want is to be able to ssh between the machines on my home network without having to supply a passphrase/-word (also supplying it once with ssh-agent I'd like to avoid).

The docs I've found on OpenSSH don't say much about this special method, but from what I gleaned from them, RhostsRSAAuthentication would give me what I want. However, since the info is scarce, I'm not even sure if it in fact does what I think it does.

Although I'm on a rather secure home network I don't want to use RhostsAuthentication, since I want to learn how to configure OpenSSH properly, and rhosts-only authentication is insecure. Also, there's always the possibility that one time I'll allow ssh access from my external interface, and I don't want to have to reconfigure it then. In any case, if I set "RhostsAuthentication yes" in sshd_config it doesn't work either.
This is what I've done:

I've generated the host keys with

    [EMAIL PROTECTED]:/etc/ssh# ssh-keygen -t dsa -f ssh_host_dsa_key
    (with empty passphrase)
    (now send ONE's /etc/ssh/ssh_host_dsa_key.pub to [EMAIL PROTECTED])
    [EMAIL PROTECTED]:~# mv ssh_host_dsa_key.pub /etc/ssh/ssh_known_hosts2

I did this for the other host, too. Then I prepared /etc/ssh/ssh_known_hosts2 on both hosts by adding the hostname field as described in man sshd (SSH_KNOWN_HOSTS FILE FORMAT).

I've also generated user keys and distributed them

    [EMAIL PROTECTED]:~/.ssh$ ssh-keygen -t dsa
    (now send ~/.ssh/id_dsa.pub to [EMAIL PROTECTED])
    [EMAIL PROTECTED]:~$ mv id_dsa.pub .ssh/authorized_keys2
    (and vice versa)

This is my config:

    [EMAIL PROTECTED]:/etc/ssh# cat sshd_config
    (excerpt)
    Protocol 2,1
    HostKey /etc/ssh/ssh_host_dsa_key
    IgnoreRhosts yes
    IgnoreUserKnownHosts yes
    RhostsAuthentication no
    RhostsRSAAuthentication yes
    RSAAuthentication yes
    PasswordAuthentication yes

    [EMAIL PROTECTED]:/etc/ssh# cat ssh_config
    (excerpt)
    Host ONE
    RhostsAuthentication no
    RhostsRSAAuthentication yes
    RSAAuthentication yes
    PasswordAuthentication yes
    FallBackToRsh no
    UseRsh no
    IdentityFile ~/.ssh/id_dsa
    Protocol 2,1

    [EMAIL PROTECTED]:/etc# cat hosts.equiv
    +TWO
    [EMAIL PROTECTED]:/etc# ls -l hosts.equiv
    -rw-r--r-- 1 root root 13 Apr 20 12:17 ../hosts.equiv

    [EMAIL PROTECTED]:/etc# cat hosts.equiv
    +ONE
    [EMAIL PROTECTED]:/etc# ls -l hosts.equiv
    -rw-r--r-- 1 root root 13 Apr 20 12:18 ../hosts.equiv

Now I can ssh from TWO to ONE, and the host is already known to ssh, although there is no ~/.ssh/known_hosts2. Therefore I think that the host keys work. However, I still get asked for authentication:

    [EMAIL PROTECTED]:~$ ls .ssh
    authorized_keys2 id_dsa id_dsa.pub
    [EMAIL PROTECTED]:~$ ssh ONE
    Enter passphrase for key '/home/user/.ssh/id_dsa':[Enter]
    [EMAIL PROTECTED]'s password:[Enter]
    Permission denied, please try again.
    [EMAIL PROTECTED]'s password:[Enter]
    Permission denied, please try again.
    [EMAIL PROTECTED]'s password:[Enter]
    Permission denied (publickey,password).
    [EMAIL PROTECTED]:~$

It would be very nice if someone reviewed my config and told me if I've committed mistakes somewhere (I'm afraid I wouldn't see it myself by now, I'm already a bit dizzy after staring at the config files for hours). Do I need a /etc/ssh/authorized_keys2, too? That is not mentioned in man sshd, but still.

Any input is greatly appreciated.

--
I did not vote for the Austrian government