On Fri, Oct 31, 2008 at 12:27:33PM -0400, Kyle McDonald wrote:
> >It's not that it's not secure, but that it has a different threat model
> >than pubkey/gssapi-* and even password/keyboard-interactive userauth.
> >
> >The latter assume only that clients used by legitimate users aren't
> >compromised by third parties. The former assumes that trusted clients
> >are not compromised at all, not even by legitimate users.
>
> So mainly if I trust the users to keep their accounts secure (good
> passwords, screen locks, etc.) then this is probably good enough. I know
> the users probably aren't good enough at that for 100% security, but in
> my case they're probably good enough at it for what we're protecting.
>
> Did I miss something?
You also need to keep your clients secure, but you wanted to do that
anyways.

> >Also, the most difficult part of configuring host-based userauth is
> >gathering all the trusted client host keys and making them available to
> >all the servers.
> >
> Yep. I'm working all of that out now also. I know how to distribute it
> once I collect it, but collecting it is the hard part.
> Not to mention since many of my machines get re-installed often I'll
> have to either re-install the old keys, or re-collect any new ones
> automatically. I think I have that sorted out too though.

The SSHv2 w/ GSS-API stuff really helps here. It'd be great if we could
make ssh-keyscan support fast scanning with GSS-API for host
authentication! (Unfortunately there's no async version of
gss_init_sec_context(), so we'd need lots of threads, but then, the
mech_krb5 ccache stuff is *far* from MT-hot, so the whole thing would go
slow.)

> It wasn't really the Sun docs, but the other things I found on the web
> that seemed to imply it was less secure, and that you might be taking a
> risk using it. I just wasn't able to find any discussion of what those
> risks were, when it might be ok to take those risks, and what other
> steps could be taken to minimize those risks.

Like I said: it has a different threat model. You choose whether that
model applies to your environment (sounds like it does).

> >So that what you posted will work for SSHv2.
>
> Yep I knew those were only v2. And I knew the others I'd discovered were
> only v1 (RSAHostbasedAuthentication or something like that.) I was

IgnoreRhosts is for v1 and v2. RSAHostbasedAuthentication is for v1 only.

> asking if there were any other options I had missed that affect
> HostbasedAuthentication that you or other experts might recommend I add
> to the list above?

See the ones I mentioned in my other reply to you just now.
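The key-collection step discussed above, as an added example that is not part of this thread: it parses the `host keytype base64` lines ssh-keyscan prints and keeps only client host keys whose SHA256 fingerprint matches a list gathered out of band (the thread's point being that a plain scan trusts whatever answered on the wire). The sample keys, hostnames and trusted fingerprints are constructed here and are not real keys.

```python
import base64
import hashlib

def parse_keyscan_line(line):
    """Parse one 'host keytype base64blob' line as printed by ssh-keyscan."""
    parts = line.split()
    if len(parts) < 3 or parts[0].startswith("#"):
        return None
    host, keytype, blob = parts[0], parts[1], base64.b64decode(parts[2])
    # The wire blob begins with a length-prefixed key type; it must match.
    tlen = int.from_bytes(blob[:4], "big")
    if blob[4:4 + tlen] != keytype.encode():
        return None
    return host, keytype, blob

def fingerprint(blob):
    """OpenSSH-style fingerprint: 'SHA256:' plus unpadded base64 of sha256(blob)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def build_known_hosts(keyscan_output, trusted):
    """Keep only scanned keys whose fingerprint matches the out-of-band list.
    trusted maps host -> fingerprint. Returns (accepted lines, rejected hosts)."""
    accepted, rejected = [], []
    for line in keyscan_output.splitlines():
        parsed = parse_keyscan_line(line)
        if parsed is None:
            continue
        host, keytype, blob = parsed
        if trusted.get(host) == fingerprint(blob):
            accepted.append(f"{host} {keytype} {base64.b64encode(blob).decode()}")
        else:
            rejected.append(host)
    return accepted, rejected

def fake_ed25519_blob(seed):
    """Constructed sample blob (not a real key): wire string 'ssh-ed25519' + 32-byte string."""
    sshstr = lambda b: len(b).to_bytes(4, "big") + b
    return sshstr(b"ssh-ed25519") + sshstr(hashlib.sha256(seed).digest())

# Constructed sample of what `ssh-keyscan -t ed25519 client1 client2` could print.
SAMPLE_SCAN = "\n".join(
    f"{h} ssh-ed25519 {base64.b64encode(fake_ed25519_blob(s)).decode()}"
    for h, s in [("client1", b"client1"), ("client2", b"not-client2")])
# Constructed out-of-band fingerprints, e.g. recorded from each console at install.
TRUSTED = {h: fingerprint(fake_ed25519_blob(h.encode())) for h in ("client1", "client2")}

if __name__ == "__main__":
    ok, bad = build_known_hosts(SAMPLE_SCAN, TRUSTED)
    print("\n".join(ok), "\nrejected:", bad)   # ok -> ssh_known_hosts; bad == ["client2"]
```

The accepted lines are what goes into the servers' ssh_known_hosts; a rejected host means the scanned key did not match what was recorded, so it should not be distributed.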