Hostbased authentication with OpenSSH
Jun. 4th, 2007 09:32 pm
If a host is multi-homed, the host key entry in authorized_keys or /etc/ssh_known_hosts must contain a reference to every possible IP and interface name. These should be specified in a comma separated list at the start of the line containing the host key entry. For example, a host with two interfaces might look something like this:
foo,foo-ge,10.0.0.1,192.168.0.1 ssh-rsa XXXX
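A quick way to check that every name and address of a multi-homed host is covered by its host key entry. This is an added example, not part of the original post; the function names, the sample file and the key blobs (AAAAfoo, AAAAbar) are constructed for illustration.

```python
import re

def _pattern_to_regex(pattern):
    # known_hosts host patterns allow only '*' and '?' as wildcards
    return re.compile("".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c)
        for c in pattern.lower()) + r"\Z")

def parse_known_hosts(text):
    """Yield (patterns, keytype, key) for each plain host key line."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue                      # blank line or comment
        if fields[0].startswith("@"):
            continue                      # @cert-authority / @revoked markers
        if len(fields) < 3 or fields[0].startswith("|1|"):
            continue                      # malformed, or hashed names (not comparable here)
        yield fields[0].split(","), fields[1], fields[2]

def covers(patterns, name):
    """True if name matches some pattern and no negated ('!') pattern."""
    matched = False
    for p in patterns:
        negated = p.startswith("!")
        if _pattern_to_regex(p[1:] if negated else p).match(name.lower()):
            if negated:
                return False
            matched = True
    return matched

def missing_names(text, key, names):
    """Names/addresses of a host that no entry carrying `key` covers."""
    entries = [pats for pats, _type, k in parse_known_hosts(text) if k == key]
    return [n for n in names if not any(covers(pats, n) for pats in entries)]

# Constructed sample: foo's entry omits one of its interface addresses.
SAMPLE = """\
# constructed example file
foo,foo-ge,10.0.0.1 ssh-rsa AAAAfoo
bar,192.168.0.2 ssh-rsa AAAAbar
"""

if __name__ == "__main__":
    print(missing_names(SAMPLE, "AAAAfoo",
                        ["foo", "foo-ge", "10.0.0.1", "192.168.0.1"]))
```

Any name the function returns is one that hostbased authentication would fail to match for connections arriving from that interface.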
The HostbasedAuthentication parameter should be set to "yes" in /etc/ssh/sshd_config on the servers and /etc/ssh/ssh_config on the clients. The PreferredAuthentications parameter should be set to something like hostbased,publickey,password to ensure that host keys are tried before any other method of authentication.
The parameter IgnoreRhosts should be set to "no" in /etc/ssh/sshd_config on the servers. This deals with situations where the system lacks a central hosts.equiv file and makes it possible to authenticate the root user via hostbased methods, should you feel sufficiently blasé.
If none of this works, the best way to debug the configuration is by running the command:
ssh -v -o PreferredAuthentications=hostbased foo
This prevents ssh from falling back on password or public key authentication, which generally makes it easier to determine where the fault lies.