On Fri, Oct 31, 2008 at 11:32:07AM -0400, Kyle McDonald wrote:
> Reading through the docs, I found that it's not seen as secure enough to 
> be enabled by default, but in searching the web I haven't been able to 
> find a real discussion of what the risks and/or concerns were, and what 
> other steps can be taken to reduce or eliminate them.
> Any thoughts?

It's not that it's not secure, but that it has a different threat model
than pubkey/gssapi-* and even password/keyboard-interactive userauth.

The latter assume only that clients used by legitimate users aren't
compromised by third parties.  The former assumes that trusted clients
are not compromised at all, not even by legitimate users.

Also, the most difficult part of configuring host-based userauth is
gathering all the trusted client host keys and making them available to
all the servers.

So if no one cared about the threat model difference it'd still be
impossible for us to make sure that host-based userauth works out of the
box -- the customer has to provide the list of known, trusted client
host public keys, and the list of "equiv" hosts.

> Reading the docs about the configuration settings that can be set on this, I 
> had decided to try this combo:
> 
>       Protocol 2
>       HostbasedAuthentication yes
>       IgnoreRhosts yes
> 
> There seem to be other (somewhat related) options, but unless I'm 
> reading things wrong, they only apply to Version 1 of the protocol.

sshd_config(4) says:

     HostbasedAuthentication

         Specifies whether  to  try  rhosts-based  authentication
         with public key authentication. The argument must be yes
         or no. The default is no. This option applies to  proto-
         col  version 2 only and is similar to RhostsRSAAuthenti-
         cation. See sshd(1M) for guidelines on setting up  host-
         based authentication.

...

     IgnoreRhosts

         Specifies that .rhosts and .shosts files are not used in
         authentication.  /etc/hosts.equiv  and /etc/shosts.equiv
         are still used.  The  default  is  yes.  This  parameter
         applies to both protocol versions 1 and 2.

So what you posted will work for SSHv2.

> Is there a better way to do all this? Maybe I'm just missing something?
> Any thoughts? advice?

The Solaris "System Administration Guide: Security Services," chapter
19 tells you how to configure host-based userauth.  See:

http://docs.sun.com/app/docs/doc/816-4557/sshuser-1?a=browse
http://docs.sun.com/app/docs/doc/816-4557/sshuser-12?a=view

Nico
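
The configuration inputs discussed in this message (the sshd_config settings, the list of "equiv" hosts, and the trusted client host keys), checked against each other. This is an added example, not part of the original post and not Sun's or OpenSSH's code. It assumes the usual known-hosts line layout (names, key type, key) and that the first occurrence of an sshd_config keyword wins; the function names and all sample data are constructed.

```python
def _lines(text):
    """Yield non-empty lines with '#' comments stripped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line

def parse_sshd_config(text):
    """Map lower-cased keyword -> value (assumption: first occurrence wins)."""
    opts = {}
    for line in _lines(text):
        parts = line.split(None, 1)
        if len(parts) == 2:
            opts.setdefault(parts[0].lower(), parts[1].strip().lower())
    return opts

def known_host_names(text):
    """Host names that have a key listed (hashed names cannot be matched here)."""
    names = set()
    for line in _lines(text):
        fields = line.split()
        if fields[0].startswith("@") or len(fields) < 3:
            continue                      # marker line or malformed entry
        names.update(n.lower() for n in fields[0].split(","))
    return names

def audit(sshd_config, equiv, known_hosts):
    """Return a list of findings for a host-based userauth setup."""
    findings = []
    opts = parse_sshd_config(sshd_config)
    # Defaults as quoted from sshd_config(4): no and yes respectively.
    if opts.get("hostbasedauthentication", "no") != "yes":
        findings.append("HostbasedAuthentication is not enabled")
    if opts.get("ignorerhosts", "yes") != "yes":
        findings.append("IgnoreRhosts is off: per-user .rhosts/.shosts extend the trust list")
    known = known_host_names(known_hosts)
    for line in _lines(equiv):
        host = line.split()[0]
        if host.startswith("+"):          # bare '+' or '+@netgroup'
            findings.append(f"{host!r}: matches hosts beyond a fixed, reviewed list")
        elif not host.startswith("-") and host.lower() not in known:
            findings.append(f"{host}: equiv host with no trusted host key on the server")
    return findings

# Constructed sample inputs.
SAMPLE_SSHD = "Protocol 2\nHostbasedAuthentication yes\nIgnoreRhosts yes\n"
SAMPLE_EQUIV = "# trusted clients\nbuild1.example.com\nbuild2.example.com\n+\n"
SAMPLE_KNOWN = "build1.example.com,192.0.2.10 ssh-rsa AAAA_CONSTRUCTED_KEY\n"

if __name__ == "__main__":
    for finding in audit(SAMPLE_SSHD, SAMPLE_EQUIV, SAMPLE_KNOWN):
        print(finding)
```
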