ssh host-based authentication

https://cs.uwaterloo.ca/twiki/view/CF/SSHHostBasedAuthentication

Client side:

  1. enable host-based authentication and keysigning in ssh client configuration file /etc/ssh/ssh_config
    • HostbasedAuthentication yes
    • EnableSSHKeysign        yes
  2. Your host should have a key pair of files (normally in /etc/ssh )
    • ssh_host_TYPE_key
      • Replace TYPE with one of ( rsa dsa ecdsa ed25519 )
    • ssh_host_TYPE_key.pub
      • Replace TYPE with one of ( rsa dsa ecdsa ed25519 )
  3. If there isn't, generate it with: ssh-keygen -tTYPE run as root (when it prompts you for a filename, use/etc/ssh/ssh_host_TYPE_key )
    • Replace TYPE with one of ( rsa dsa ecdsa ed25519 )
  4. adjust ownership and permission on those keys to allow user to read them.

Server side:

  1. /etc/ssh/sshd_config should enable host-based authentication:
    • HostbasedAuthentication yes
    • IgnoreRhosts no
  2. service sshd restart
  3. copy client's public key into the server's global ssh_known_hosts file (linux client: /etc/ssh/ssh_host_rsa_key.pub ; linux server: /etc/ssh/ssh_known_hosts ; )
  4. copy client's full hostname to /etc/hosts.equiv (possibly already set up for rsh).

Client side implementation for CIT-LIGO dqr flow

Con client side, we need to sign with the CA one of the machine's certificates (i.e.: /etc/ssh/ssh_host_<TYPE>_key.pub). The CA may be the IPA certificate, or a new one, unbundling the two meccanisms. Once signed, the signed certificate should be places in the client machine, in the /etc/ssh/ folder

# ssh-keygen -s <CA_private> -I <clientName> -h -n <clientHostname>,<clientFQDN> -V +52w /path/to/ssh_host_<TYPE_key>.pub

The user that will be used for interaction with the CIT machine, should enable the usage of the SignedKeys and the hostbased authentication. This can be done locally for the user, putting the following code on the ~/.ssh/config file, or can be enabled for any user by putting the code in the /etc/ssh/ssh_config file

Host <targetHost>
HostbasedAuthentication yes
EnableSSHKeysign yes

In order to allow the user to use the machine SSHKeys, this should be added to a particular group ssh_keys

# usermod -a -G ssh_keys <username>
Topic revision: r2 - 22 May 2023, Kraja
This site is powered by FoswikiCopyright © by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding Wiki_Virgo_LSC? Send feedback