Re: OpenSSH and 'HostBased' Authentication

Tue, 24 Jul 2007 08:37:19 -0700 

Sorry about the delayed response.
I have the 'same user different userids' situation working. It is just a
case of exchanging keys (public).

The other situation of 'super user' to any user - I did get that working in
a Linux to Linux environment.
I have IBM helping me on the MVS to Linux environment.
I did not have to copy any keys here. I just added an entry for the 'super
user' in /etc/ssh/shosts.equiv file.





             Mark Post
             <[EMAIL PROTECTED]
             >                                                          To
             Sent by: Linux on         [email protected]
             390 Port                                                   cc
             <[EMAIL PROTECTED]
             IST.EDU>                                              Subject
                                       Re: OpenSSH and 'HostBased'
                                       Authentication
             07/20/2007 02:14
             PM


             Please respond to
             Linux on 390 Port
             <[EMAIL PROTECTED]
                 IST.EDU>






>>> On Fri, Jul 20, 2007 at 10:00 AM, in message
<[EMAIL PROTECTED]>, RPN01 <[EMAIL PROTECTED]> wrote:
> Could the two sides just trade keys with each other, allowing ssh access
in
> either direction without specifying a password?

That's the theory, anyway.  Or, have one key pair for both endpoint and
spread those around.  I don't recommend that however.

> To do the "into any linux userid" part, you'd have to pass down a key for
> root to each of the linux boxes in question.

More than that, actually.  You'd need to put the superuser's public key
into every user's ./ssh/authorized_keys file, on every Linux box.  With a
little scripting you could automate that fairly easily:
Send the public key to the root user on each system
Have the root user create the .ssh directory for each user if it doesn't
already exist
Append the public key to the authorized_keys file in each of those
directories.

Make sure to exclude any accounts that shouldn't ever be logged on in the
first place, and you should be ready to go.


Mark Post

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or
visit
http://www.marist.edu/htbin/wlvindex?LINUX-390

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390

Reply via email to