On 17 Oct, 2004, at 13:48, Joe Schmoe wrote:
(I have asked this several times on -questions and
gotten nothing ...)

I am trying to allow _all users_ on CLIENT to login to
SERVER without a password.

IMPORTANT:  I am not interested in user keys _at all_
- at no point in this process should I ever be dealing
with any keys in /home/user/.ssh - I am only
interested in doing this with HOST keys - where I copy
one key between SERVER and CLIENT, and _all_ users on
CLIENT can login to SERVER without a password.  Don't
even mention user keys.

My /etc/sshd/sshd_config is exactly the same on both
SERVER and CLIENT:

#VersionAddendum FreeBSD-20020629

#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::

# Authentication:

IgnoreRhosts yes
#RhostsRSAAuthentication no
HostbasedAuthentication yes
IgnoreUserKnownHosts yes

ChallengeResponseAuthentication no

If you are using OpenSSH 3.6 or later, turn on the EnableSSHKeysign option (see ssh-keysign for more information). Also, make sure your forward and reverse DNS is correct on both the client and the server.


Further, SERVER has CLIENT in its /etc/hosts.equiv,
and CLIENT has SERVER in its /etc/hosts.equiv

Finally, I have run:

ssh-keyscan SERVER >> /etc/ssh/ssh_known_hosts

on the CLIENT, and run:

ssh-keyscan CLIENT >> /etc/ssh/ssh_known_hosts

on the SERVER.  So the keys are properly shared.

The permissions on /etc/ssh/known_hosts on each system
are:

2 -rw-r--r--  1 root  wheel

So that's it.  The options are set in sshd_config, the
keys have been exchanged, hosts.equiv are populated
and permissions are correct.

So now I go to CLIENT and run:

ssh [EMAIL PROTECTED]

and I get a password prompt!!!

So what am I doing wrong ?  Again - NO user keys are
used and I am not interested in user keys _AT ALL_.
Don't even mention the /home/user/.ssh directory.  The
goal here is to share one public key between SERVER
and CLIENT and allow _all_ users on CLIENT to log into
SERVER without a password.

So what am I doing wrong ?

thanks.



_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
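
Added example (not part of the original thread, and not code from OpenSSH or FreeBSD): a shell audit of the host-based authentication settings discussed above, run against copies of each host's /etc. It assumes the standard /etc/ssh/sshd_config and /etc/ssh/ssh_config locations, also checks the client-side HostbasedAuthentication option from ssh_config(5), and does not check DNS; the function names and sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example: offline audit of host-based authentication prerequisites.
# Paths are relative to a root directory, so it can run on copies of /etc.

# First uncommented occurrence of a keyword, lower-cased.
# Simplification: Host/Match scoping and "Keyword=value" syntax are ignored.
conf_value() {  # $1=file $2=keyword
    awk -v k="$2" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$1" 2>/dev/null
}

# True if $2 is one of the comma-separated names in the first field of a line.
# Covers hosts.equiv entries and unhashed ssh-keyscan output.
lists_host() {  # $1=file $2=host
    awk -v h="$2" '$1 !~ /^#/ { n = split($1, a, ",")
            for (i = 1; i <= n; i++) if (a[i] == h) f = 1 }
        END { exit !f }' "$1" 2>/dev/null
}

# Print one line per missing server-side prerequisite; print nothing if all are met.
check_server() {  # $1=root of SERVER's files $2=CLIENT's name
    [ "$(conf_value "$1/etc/ssh/sshd_config" HostbasedAuthentication)" = yes ] ||
        echo "sshd_config: HostbasedAuthentication is not yes"
    lists_host "$1/etc/hosts.equiv" "$2" || echo "hosts.equiv: $2 is not listed"
    lists_host "$1/etc/ssh/ssh_known_hosts" "$2" ||
        echo "ssh_known_hosts: no key for $2"
}

# Client side: ssh must offer the method and be allowed to run ssh-keysign.
check_client() {  # $1=root of CLIENT's files
    for k in HostbasedAuthentication EnableSSHKeysign; do
        [ "$(conf_value "$1/etc/ssh/ssh_config" "$k")" = yes ] ||
            echo "ssh_config: $k is not yes"
    done
}

# Constructed sample: server files as in the post, client ssh_config left at defaults.
make_sample() {  # $1=directory to populate
    mkdir -p "$1/server/etc/ssh" "$1/client/etc/ssh"
    printf '%s\n' 'IgnoreRhosts yes' '#RhostsRSAAuthentication no' \
        'HostbasedAuthentication yes' 'IgnoreUserKnownHosts yes' \
        > "$1/server/etc/ssh/sshd_config"
    echo 'CLIENT' > "$1/server/etc/hosts.equiv"
    echo 'CLIENT ssh-rsa AAAAconstructedkey' > "$1/server/etc/ssh/ssh_known_hosts"
    printf '%s\n' '# HostbasedAuthentication no' '# EnableSSHKeysign no' \
        > "$1/client/etc/ssh/ssh_config"
}

d=$(mktemp -d) && make_sample "$d" && {
    check_server "$d/server" CLIENT; check_client "$d/client"; }
rm -rf "$d"
```

On the constructed sample the server side reports nothing and the client side reports both ssh_config options as not enabled.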
