Server Management - Systems Insight Manager

OpenSSH .shosts hostbased authentication

 
Ben Anderson
Occasional Advisor

OpenSSH .shosts hostbased authentication

This is slightly off topic, but I'm hoping to be able to configure the openssh version which ships with SIM in order that a management system in our environment can execute scripted (and scheduled) ssh commands. Normally we would use psexec from pstools, but in this instance the target machine is behind a firewall.

E.g. ssh -l username remotehost command_to_execute

The default install of openssh requires password authentication, but openssh is capable of host based authentication to negate this (and thus stop the interactive password requirement).

Has anyone managed to get this functionality working with the hp openssh implementation?

TIA

Ben
Rob Buxton
Honored Contributor

Re: OpenSSH .shosts hostbased authentication

Ben,
OpenSSH should be OpenSSH, so there should be typically no difference. I downloaded OpenSSH and am using that.

The fact it's behind a firewall should make no difference except that you have to allow the SSH traffic through the firewall.

Alas, I'm still battling the fun of OpenSSH within IM. But you should be able to test login etc. to SSH via any of the standard utilities, e.g. the SSH Client or PuTTY.
Ben Anderson
Occasional Advisor

Re: OpenSSH .shosts hostbased authentication

Rob,

I agree, the firewall is not an issue; ssh is allowed through. Standard ssh logins work very well; what I am attempting to do is allow a login without any user interaction.

The reason I'm attempting to do this is because I need the ability to remotely execute commands on the target machine but in a scripted manner. Normally we would use psexec from the pstools suite, but this requires MSRPC and a lot of shoehorning in order to work across a firewall.

The default install of openssh requires an interactive login, so as it stands it is not viable for a scripted solution... but openssh supports .rhosts and .shosts hostbased login (which requires no interactive logon). I'm having difficulty getting this to work and just wondered if anyone else had managed it in a Windows environment before.

Thanks for your response,

Ben
Gordon  Morrison
Trusted Contributor

Re: OpenSSH .shosts hostbased authentication

I know this thread is rather old, but I just found it. There doesn't seem to be a solution posted however, and I have got this working. I was searching the forums to try and find out what .shosts is for, as this solution doesn't use it.
Anyway...
First, on host1 you need to make sure that a directory called .ssh exists in the user's home directory (we'll assume root). To keep it secure, create it with 700 permissions:

mkdir -m 700 .ssh

Then you need to generate a public/private key pair:

ssh-keygen -t dsa -f ~/.ssh/id_dsa

Now copy the public key to host2:

cd .ssh
scp id_dsa.pub root@host2:~/.ssh/id_dsa.tmp
(You still need to supply the password at this point)

Now on host2, add that public key to the list of authorised keys:

ssh host2
(Password still needed)
cd .ssh
cat id_dsa.tmp >> authorized_keys
(Note American spelling!!! "authorized" with a zed)
chmod 640 authorized_keys

root on host1 can now login to host2 without a password.

To get this working in both directions (i.e. root on host2 can also log in to host1 without a password), you basically do the same thing in reverse: Create a public key on host2 and copy it to host1.
NOTE: Do not overwrite the original id_dsa.pub file, or you will have undone all of the above. Also, do not overwrite the authorized_keys file: just append to it.

Basically the key in id_dsa.pub on the local host must match an entry in the authorized_keys file on the remote host for the password to be skipped. The authorized_keys file can contain several entries. Just keep appending to it as shown above.

Hope that helps
Gordon
What does this button do?
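
An added example, not part of Gordon's post or the thread: a POSIX shell check to run on host2 after the key setup above. It reports a .ssh directory that is not mode 700, an authorized_keys file writable by group or others, entries with no from=/command= options, and DSA keys. The function names, the sample key lines and the /usr/local/bin/nightly-job path are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a .ssh directory after key setup.
# Prints one finding per line; returns 0 if clean, 1 otherwise.
audit_ssh_dir() {
    dir=$1; ak="$dir/authorized_keys"; findings=0; n=0
    report() { echo "$1"; findings=$((findings + 1)); }
    mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
    [ -d "$dir" ] || { echo "NO_DIR $dir"; return 1; }

    # The post creates .ssh with mode 700; anything else is reported.
    m=$(mode_of "$dir")
    [ "$m" = "700" ] || report "DIR_MODE $dir is $m, expected 700"

    if [ -f "$ak" ]; then
        # A group- or world-writable key file lets other accounts add keys;
        # sshd with StrictModes enabled refuses to use such a file.
        m=$(mode_of "$ak")
        [ $((0$m & 022)) -eq 0 ] || report "AK_WRITABLE $ak is mode $m"

        while IFS= read -r line; do
            case $line in ''|'#'*) continue ;; esac
            n=$((n + 1))
            # An entry that starts with the key type carries no options, so
            # the key may run any command from any source address.
            case $line in
                ssh-*|ecdsa-*|sk-*) report "NO_OPTIONS entry $n has no from=/command= limits" ;;
            esac
            # OpenSSH has disabled ssh-dss keys by default since release 7.0.
            case " $line" in
                *' ssh-dss '*) report "DSA_KEY entry $n is a DSA key" ;;
            esac
        done < "$ak"
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample mirroring the thread's setup (key material is fake).
make_sample() {
    mkdir -m 700 "$1/.ssh"
    printf '%s\n' 'ssh-dss AAAAB3NzaC1kc3MAAA-constructed root@host1' \
        'from="host1",command="/usr/local/bin/nightly-job" ssh-ed25519 AAAAC3Nza-constructed root@host1' \
        > "$1/.ssh/authorized_keys"
    chmod 664 "$1/.ssh/authorized_keys"
}

# Usage: sh audit.sh /root/.ssh
if [ $# -gt 0 ]; then audit_ssh_dir "$1"; fi
```

For a scheduled job like the one in the original question, an entry limited with from= and command= only runs that one command from that one host if the private key on host1 is ever copied.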