HPE Community
Operating System - HP-UX
1836636 Members
1878 Online
110102 Solutions
New Discussion

Re: ssh without asking for the password

 
Sergejs Svitnevs
Honored Contributor

‎06-20-2004 08:40 PM

‎06-20-2004 08:40 PM

ssh without asking for the password

I have 10 unix machines and many users on each machine. And they need to be able to log from one host to another without password.
Is the a simple way to allow password-less logins via ssh2 for multiple users on multiple machines?

Sergejs
P.S.
1. I already have "Using H/P's Secure Shell & Secure Copy" doc.
2. I understand that password-less logins is a security risk.
0 Kudos
Reply
2 REPLIES 2
Joseph Loo
Honored Contributor

‎06-20-2004 08:53 PM

‎06-20-2004 08:53 PM

Re: ssh without asking for the password

hi,

you may like to read this post:

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=244540

glad that you acknowledged the security risk involve without password authentication.

regards.
what you do not see does not mean you should not believe
0 Kudos
Reply
Sundar_7
Honored Contributor

‎06-21-2004 02:22 PM

‎06-21-2004 02:22 PM

Re: ssh without asking for the password

1) Setup the client to try host based authentication if the
server offers it:

Edit /opt/ssh/etc/ssh_config (or $HOME/.ssh/config) by adding a new
line:

HostbasedAuthentication yes


2) Copy the clients public DSA host key to the server:

scp /opt/ssh/etc/ssh_host_dsa_key.pub server:/opt/ssh/etc/client.key

NOTE: Be careful to not accidentally overwrite the server host key!

3) On the server add the client host key copied over in step 2 to
the servers file /opt/ssh/etc/ssh_known_hosts. If the file does
not exist, you can create it with owner root and mode 600. When
adding the client's public key, it must be preceded with the clients
hostname as:

client.mydomain.com ssh-dss AAAAB3NzaC1kc3M.....

^^^^^^^^^^^^^^^^^^^ The clients (canonical) hostname needs to be added
manually !

4) On the server, add the clients hostname (and optionally a user name)
to one of:

/opt/ssh/etc/shosts.equiv*
/etc/hosts.equiv*
$HOME/.rhosts**
$HOME/.shosts**

* For the "root" user SSH cannot grant access to the "root" account
via /etc/hosts.equiv or /opt/ssh/etc/shosts.equiv; you must use
~root/.[rs]hosts. Remember to set "IgnoreRhosts no".

** These files may be used only if the server has been configured
to allow them via the sshd option "IgnoreRhosts no". By default,
they will be ignored.


Using the file "/opt/ssh/etc/shosts.equiv" is generally the best option as
it enables ssh host based authentication without potentially also enabling
automatic login for remote shell and rlogin.

Example:
$ cat /opt/ssh/etc/shosts.equiv
client.mydomain.com wilford
$

5) On the server, enable host based authentication by editing
/opt/ssh/etc/sshd_config:

Change:
#HostbasedAuthentication no
To:
HostbasedAuthentication yes

6) On the server, force the ssh daemon to re-read the configuration file

$ kill -HUP `cat /var/run/sshd.pid`

Learn What to do ,How to do and more importantly When to do ?
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.