Re: [xcat-user] [External] Re: host based authentication

2020-01-21 Thread Imam Toufique
hey, no worries. I will never stop learning too :-)



On Tue, Jan 21, 2020 at 4:46 PM Kevin Keane  wrote:

> Sorry about that! And thanks for the correction, Jarrod. I'll never stop
> learning.


-- 
Regards,
*Imam Toufique*
*213-700-5485*
___
xCAT-user mailing list
xCAT-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/xcat-user


Re: [xcat-user] [External] Re: host based authentication

2020-01-21 Thread Kevin Keane
Sorry about that! And thanks for the correction, Jarrod. I'll never stop
learning.

___
Kevin Keane | Systems Architect | University of San Diego ITS |
kke...@sandiego.edu
Maher Hall, 192 |5998 Alcalá Park | San Diego, CA 92110-2492 | 619.260.6859
| Text: 760-721-8339

*REMEMBER! **No one from IT at USD will ever ask to confirm or supply your
password*.
These messages are an attempt to steal your username and password. Please
do not reply to, click the links within, or open the attachments of these
messages. Delete them!




On Tue, Jan 21, 2020 at 4:12 PM Imam Toufique  wrote:

> Yes, it does mean something :-) I was a bit shaken by Kevin’s statement.
>
> Jarrod, if you find your notes, that would be very helpful.
>
> Thanks!


Re: [xcat-user] host based authentication

2020-01-21 Thread Vinícius Ferrão via xCAT-user
I have it working in place.

The process is a little bit cumbersome but it’s working. I’m using FreeIPA too
so the hostkeys are stored on LDAP, it's integrated.

The only issue that I have is that I needed to disable the remoteshell script
from xCAT and use another one that we have created and unfortunately all the
nodes share the same hostkeys.

I can describe exactly what we have done if you want, but it’s tied to FreeIPA.

> On 21 Jan 2020, at 17:51, Imam Toufique  wrote:
> 
> Hi, 
> 
> Quick question, before I jump in finding my own solution.
> 
> Is there anything in xcat that would allow setting up host based 
> authentication?  I know root can ssh from the mgmt. node to all the nodes in 
> the cluster.  I am referring to user authentication, based on
> /etc/ssh/known_hosts file, where there is a list of hosts and their 
> respective keys. 
> 
> thanks.


Re: [xcat-user] [External] Re: host based authentication

2020-01-21 Thread Imam Toufique
Yes, it does mean something :-) I was a bit shaken by Kevin’s statement.

Jarrod, if you find your notes, that would be very helpful.

Thanks!

On Tue, Jan 21, 2020 at 2:06 PM Jarrod Johnson  wrote:

> Actually, host based authentication using /etc/ssh/known_hosts does mean
> something.
>
> Instead of using user keys, the user uses the host key and
> HostAuthentication uses the known_hosts as the repository of keys.
>
> I have to look again, but my plan was to introduce a postscript to use
> this with SSH CA in lieu of the current remoteshell postscript.  Each
> /etc/ssh/known_hosts would consist only of the CA line(s) and each
> deployment would have the new ssh keys signed by a server to allow each to
> have a private known_hosts file without having to update it for key churn.
>
> It’s like rhosts/hosts.equiv, but with cryptographic assurance with the
> host key used instead of each user having to manage it.  It is why
> ssh-keysign is setgid ssh_keys, to allow a user on a system to ask the host
> key to sign on their behalf if the sshd_config is so willing.
>
> Regrettably, I don’t see my notes handy, I’ll try to find my notes on this
> topic.
-- 
Regards,
*Imam Toufique*
*213-700-5485*


Re: [xcat-user] [External] Re: host based authentication

2020-01-21 Thread Jarrod Johnson
Actually, host based authentication using /etc/ssh/known_hosts does mean
something.

Instead of using user keys, the user uses the host key and HostAuthentication 
uses the known_hosts as the repository of keys.

I have to look again, but my plan was to introduce a postscript to use this 
with SSH CA in lieu of the current remoteshell postscript.  Each 
/etc/ssh/known_hosts would consist only of the CA line(s) and each deployment 
would have the new ssh keys signed by a server to allow each to have a private 
known_hosts file without having to update it for key churn.

It’s like rhosts/hosts.equiv, but with cryptographic assurance with the host 
key used instead of each user having to manage it.  It is why ssh-keysign is 
setgid ssh_keys, to allow a user on a system to ask the host key to sign on 
their behalf if the sshd_config is so willing.

Regrettably, I don’t see my notes handy, I’ll try to find my notes on this 
topic.

From: Kevin Keane 
Sent: Tuesday, January 21, 2020 4:00 PM
To: xCAT Users Mailing list 
Subject: [External] Re: [xcat-user] host based authentication

The known_hosts file has nothing to do with host-based authentication. It is 
used to verify the identity of the host when using SSH with standard user-based 
authentication.

I believe you are thinking of rhosts? Generally speaking, using host-based 
authentication is highly discouraged for security reasons, but in an xCAT 
scenario it can make sense.

___
xCAT-user mailing list
xCAT-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/xcat-user
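
Added example, not part of the original thread and not xCAT code: a small Python audit of the setup Jarrod Johnson describes above, where host-based authentication is enabled and the system known_hosts file holds only CA lines. The keywords HostbasedAuthentication and EnableSSHKeysign and the @cert-authority marker are OpenSSH's own; the sample file contents, host names and key blobs are constructed, and Host/Match block scoping is ignored as a simplifying assumption.

```python
import re

def directive(conf_text, name):
    """First value of an OpenSSH keyword (case-insensitive); Host/Match scoping ignored."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2 and parts[0].lower() == name.lower():
            return parts[1].strip().lower()
    return None

def classify_known_hosts(text):
    """Sort known_hosts entries into CA lines, revoked keys and per-host keys."""
    out = {"ca": [], "revoked": [], "plain": [], "malformed": []}
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        marker = fields[0] if fields[0].startswith("@") else None
        body = fields[1:] if marker else fields   # host pattern, key type, key blob
        if len(body) < 3 or marker not in (None, "@cert-authority", "@revoked"):
            out["malformed"].append(raw.strip())
        elif marker == "@cert-authority":
            out["ca"].append(body[0])             # hosts this CA may vouch for
        elif marker == "@revoked":
            out["revoked"].append(body[0])
        else:
            out["plain"].append(body[0])
    return out

def audit(sshd_config, ssh_config, known_hosts):
    """Return findings; an empty list means the node matches the CA-only design."""
    findings = []
    if directive(sshd_config, "HostbasedAuthentication") != "yes":
        findings.append("sshd_config: HostbasedAuthentication is not enabled")
    if directive(ssh_config, "HostbasedAuthentication") != "yes":
        findings.append("ssh_config: HostbasedAuthentication is not enabled")
    if directive(ssh_config, "EnableSSHKeysign") != "yes":
        findings.append("ssh_config: EnableSSHKeysign is off, so ssh-keysign will not sign")
    kh = classify_known_hosts(known_hosts)
    if not kh["ca"]:
        findings.append("known_hosts: no @cert-authority line")
    findings += [f"known_hosts: per-host key for {h} needs updating on key churn"
                 for h in kh["plain"]]
    findings += [f"known_hosts: malformed line: {m}" for m in kh["malformed"]]
    return findings

# Constructed sample inputs (key blobs are placeholders, not real keys).
SSHD = "HostbasedAuthentication yes\n"
SSH = "EnableSSHKeysign yes\nHost *\n    HostbasedAuthentication yes\n"
CA_LINE = "@cert-authority *.cluster.example ssh-ed25519 AAAAC3CONSTRUCTEDCA cluster-ca\n"
NODE_LINE = "node01.cluster.example ssh-ed25519 AAAAC3CONSTRUCTEDNODE node01\n"

if __name__ == "__main__":
    for finding in audit(SSHD, SSH, CA_LINE + NODE_LINE):
        print(finding)
```

On a real node the three arguments would be the contents of /etc/ssh/sshd_config, /etc/ssh/ssh_config and /etc/ssh/ssh_known_hosts.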


Re: [xcat-user] host based authentication

2020-01-21 Thread Kevin Keane
The known_hosts file has nothing to do with host-based authentication. It
is used to verify the identity of the host when using SSH with standard
user-based authentication.

I believe you are thinking of rhosts? Generally speaking, using host-based
authentication is highly discouraged for security reasons, but in an xCAT
scenario it can make sense.

___
Kevin Keane | Systems Architect | University of San Diego ITS |
kke...@sandiego.edu
Maher Hall, 192 |5998 Alcalá Park | San Diego, CA 92110-2492 | 619.260.6859
| Text: 760-721-8339

On Tue, Jan 21, 2020 at 12:52 PM Imam Toufique  wrote:

> Hi,
>
> Quick question, before I jump in finding my own solution.
>
> Is there anything in xcat that would allow setting up host based
> authentication?  I know root can ssh from the mgmt. node to all the nodes
> in the cluster.  I am referring to user authentication, based on
> /etc/ssh/known_hosts file, where there is a list of hosts and their
> respective keys.
>
> thanks.


[xcat-user] host based authentication

2020-01-21 Thread Imam Toufique
Hi,

Quick question, before I jump in finding my own solution.

Is there anything in xcat that would allow setting up host based
authentication?  I know root can ssh from the mgmt. node to all the nodes
in the cluster.  I am referring to user authentication, based on
/etc/ssh/known_hosts file, where there is a list of hosts and their
respective keys.

thanks.