topic OpenSSH .shosts hostbased authentication in Server Management - Systems Insight Manager

OpenSSH .shosts hostbased authentication

Ben Anderson — Thu, 06 May 2004 04:10:00 GMT

This is slightly off topic, but I'm hoping to be able to configure the openssh version which ships with SIM in order that a management system in our environment can execute scripted (and scheduled) ssh commands. Normally we would use psexec from pstools, but in this instance the target machine is behind a firewall.

Eg. ssh -l username remotehost command_to_execute

The default install of openssh requires password authentication, but openssh is capable of host based authentication to negate this (and thus stop the interactive password requirement).

Has anyone managed to get this functionality working with the hp openssh implementation?

TIA

Ben

Re: OpenSSH .shosts hostbased authentication

Rob Buxton — Thu, 06 May 2004 16:19:27 GMT

Ben,
OpenSSH should be OpenSSH, so there should be typically no difference. I downloaded OpenSSH and am using that.

The fact it's behind a firewall should make no difference except that you have to allow the SSH traffic through the firewall.

Alas, I'm still battling the fun of OpenSSH within IM. But, you should be able to test login etc. to SSH via any of the standard utilities, e.g. the SSH Client or Putty.

Re: OpenSSH .shosts hostbased authentication

Ben Anderson — Fri, 07 May 2004 02:49:36 GMT

Rob,

I agree, the firewall is not an issue, ssh is allowed through. Standard ssh logins work very well, what I am attempting to do is allow a login without any user interaction.

The reason I'm attempting to do this is because I need the ability to remotely execute commands on the target machine but in a scripted manner. Normally we would use psexec from the pstools suite, but this requires MSRPC and a lot of shoehorning in order to work across a firewall.

The default install of openssh requires an interactive login so as it stands is not viable for a scripted solution.... but, openssh supports .rhosts and .shosts hostbased login (which requires no interactive logon), I'm having difficulty getting this to work and just wondered if anyone else had managed it in a windows environment before.

Thanks for your response,

Ben

Re: OpenSSH .shosts hostbased authentication

Gordon Morrison — Thu, 11 Nov 2004 10:28:00 GMT

I know this thread is rather old, but I just found it. There doesn't seem to be a solution posted however, and I have got this working. I was searching the forums to try and find out what .shosts is for, as this solution doesn't use it.
anyway...
First, on host1 you need to make sure that a directory called .ssh exists in the user's home directory (we'll assume root). To keep it secure, create it with 700 permissions:

mkdir -m 700 .ssh

Then you need to generate a public/private key pair:

ssh-keygen -t dsa -f ~/.ssh/id_dsa

Now copy the public key to host2:

cd .ssh
scp id_dsa.pub root@host2:~/.ssh/id_dsa.tmp
(You still need to supply the password at this point)

Now on host2, add that public key to the list of authorised keys:

ssh host2
(Password still needed)
cd .ssh
cat id_dsa.tmp >> authorized_keys
(Note American spelling!!! "authorized" with a zed)
chmod 640 authorized_keys

root on host1 can now login to host2 without a password.

To get this working in both directions (i.e. root on host2 can also log in to host1 without a password), you basically do the same thing in reverse: Create a public key on host2 and copy it to host1.
NOTE: Do not overwrite the original id_dsa.pub file, or you will have un-done all of the above. also, do not overwrite the authorized_keys file: just append to it.

Basically the key in id_dsa.pub on the local host must match an entry in the authorized_keys file on the remote host for the password to be skipped. The authorized_keys file can contain several entries. Just keep appending to it as shown above.

Hope that helps
Gordon