SSH2 Host-Based Authentication


Extracted from:


SSH Secure Shell for Servers

Version 3.2

Administrator's Guide

Translated from this Word document.



Host-Based Authentication


The following terms will be used in this example: Remote is the SSH Secure Shell server to which you are trying to connect. RemoteUser is the user name on the server into which you would like to login. Local is the machine running an SSH Secure Shell client. LocalUser is the user name on the client machine that should be allowed to login to Remote as RemoteUser.


1. First, install SSH Secure Shell on the Local and Remote machines. Do not forget to generate a host key. If your installation took care of this automatically, or if you already have a copy of your /etc/ssh2/hostkey and /etc/ssh2/hostkey.pub, you can skip the host-key generation. Otherwise, give the following command:


# ssh-keygen2 -P /etc/ssh2/hostkey


Note: Beginning with SSH Secure Shell version 3.0, you can also use RSA keys.


2. Copy the Local machine's /etc/ssh2/hostkey.pub file over to the Remote machine and name it like this:

/etc/ssh2/knownhosts/hostname.domain.ssh-dss.pub


Replace hostname.domain with the long host name of the Local machine (the fully qualified domain name). You will run into problems if the system does not recognize the host name as hostname.domain.somewhere.com but recognizes it only as hostname. You can find this out while running sshd2 in verbose mode when trying to establish connections.


The Remote machine now has the Local machine's public key, so the Remote machine can verify the Local machine's identity based on a public-key signature. By contrast, rsh only uses the IP address for host authentication.


Note: If you use RSA keys, the name of Local's /etc/ssh2/hostkey.pub file which is copied over to the Remote needs to be /etc/ssh2/knownhosts/hostname.domain.ssh-rsa.pub.


3. To make sure that SSH Secure Shell finds your complete domain name (not just the host name), edit the following line in the /etc/ssh2/ssh2_config file on Local:


DefaultDomain yourdomain.com


Note: The keyword mentioned in this and the following steps will only be effective in the global ssh2_config file.


4. On Remote, create a file in the home directory of RemoteUser named .shosts. The contents of this file should be the long host name of Local, some tabs or spaces, and LocalUser's user name.


Contents of ~/.shosts:


localhostname.yourdomain.com LocalUser


Be sure to chown and chmod the .shosts file. The .shosts file must be owned by RemoteUser and should have mode 0400.


5. Check the files /etc/ssh2/sshd2_config on Remote and /etc/ssh2/ssh2_config on Local. Make sure that the AllowedAuthentications field contains the word hostbased. For example, it may read:


AllowedAuthentications hostbased,password


It does not matter what other authentication methods are allowed. Just make sure that the hostbased keyword is first in the list.


6. Also check that IgnoreRhosts is set to no in the /etc/ssh2/sshd2_config file on Remote:


IgnoreRhosts no


If you had to modify the sshd2_config file, you will have to send a HUP signal to sshd2 to make the change take effect.


# kill -HUP `cat /var/run/sshd2_22.pid`

or

# kill -HUP `cat /etc/ssh2/sshd2_22.pid`


7. Now you should be all set.


On Local, log in as LocalUser and give the command:


ssh RemoteUser@Remote uptime


You should now get the results of uptime run on Remote.


The first time you run ssh to that particular server, you will have to answer yes when asked if you want to connect to the server. This is because the local ssh does not yet have the remote server's public key. For maximum security, it is highly recommended to verify the fingerprint of the remote host's public key to avoid man-in-the-middle attacks. This will only be necessary when connecting for the first time.
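The following checks are an added example and are not part of the guide. They verify the settings from steps 2, 4, 5 and 6 (host key file name under knownhosts, .shosts ownership and mode, position of hostbased in AllowedAuthentications, IgnoreRhosts) against a given ssh2 directory; the script name check_hostbased.sh and the host name local.example.com are placeholders.

```shell
#!/bin/sh
# Added example, not taken from the guide: checks that verify the
# host-based authentication setup from steps 2, 4, 5 and 6. Every path
# is a parameter, so the functions work against /etc/ssh2 on a real
# host or against a constructed test tree.

# Print the first AllowedAuthentications method in a config file
# (the guide requires it to be "hostbased"); empty if the keyword is absent.
first_auth_method() {
    awk '$1 == "AllowedAuthentications" { split($2, m, ","); print m[1]; exit }' "$1"
}

# Print the IgnoreRhosts value from sshd2_config ("no" is required).
ignore_rhosts() {
    awk '$1 == "IgnoreRhosts" { print $2; exit }' "$1"
}

# Return 0 when .shosts is owned by the expected user and is mode 0400
# (-r--------), as step 4 requires. Parses ls -ld so it works on both
# GNU and BSD userlands; a trailing + or @ (ACL/xattr marker) is ignored.
check_shosts_perms() {
    file="$1"; owner="$2"
    set -- $(ls -ld "$file")          # $1 = mode string, $3 = owner
    mode="${1%[@+]}"
    [ "$mode" = "-r--------" ] && [ "$3" = "$owner" ]
}

# Return 0 when Local's host key is installed under the name sshd2 looks
# for: <knownhosts dir>/<fqdn>.<keytype>.pub, keytype ssh-dss or ssh-rsa.
# A short host name without a domain is rejected, the mismatch step 2
# warns about.
check_knownhost_key() {
    dir="$1"; fqdn="$2"; keytype="$3"
    case "$fqdn" in *.*) ;; *) return 1 ;; esac
    [ -s "$dir/$fqdn.$keytype.pub" ]
}

# Usage: sh check_hostbased.sh <ssh2 dir> <.shosts path> <RemoteUser> <Local fqdn> <keytype>
if [ $# -eq 5 ]; then
    [ "$(first_auth_method "$1/sshd2_config")" = "hostbased" ] || echo "hostbased is not first in AllowedAuthentications"
    [ "$(ignore_rhosts "$1/sshd2_config")" = "no" ] || echo "IgnoreRhosts is not set to no"
    check_shosts_perms "$2" "$3" || echo "$2 must be owned by $3 with mode 0400"
    check_knownhost_key "$1/knownhosts" "$4" "$5" || echo "missing $1/knownhosts/$4.$5.pub"
fi
```

Run it on Remote as root with the real paths, e.g. /etc/ssh2, the RemoteUser home directory's .shosts, and Local's fully qualified name; each line of output is a setting the guide requires that is not in place.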


Synopsis:


On Local system as root: (only do this once)

  1. Generate hostkey

  2. Make changes in /etc/ssh2/ssh2_config (DefaultDomain)


On Local system as LocalUser: (only do this once)

  1. Generate LocalUser private and public keys

  2. ftp LocalUser public key to Remote


On Remote system as root: (repeat for all remote systems)

  1. FTP hostkey.pub from Local

  2. Install Local's public hostkey with full-domain name

  3. Make changes in /etc/ssh2/sshd2_config (AllowedAuthentications, IgnoreRhosts)

  4. Run kill -HUP to cause SSH Daemon to re-read configuration file


On Remote system as LocalUser: (repeat for all remote systems)

  1. Install LocalUser's public key

  2. Create/update .shosts file with entry defining remote system.


On Local system as LocalUser:

  1. Run SSH "uptime" test command and accept Remote's public key

  2. Run SSH "uptime" test command again to verify no manual actions needed.


Page of 3 10 12 2002