In this article I will share the steps to configure host based authentication in sshd_config and ssh_config for a Linux server and client, and a comparison between host based authentication and public key authentication.
Host Based authentication vs Public key based authentication
Host based authentication differs from SSH public key authentication in how it is configured, although in the backend both establish the secure connection using public key cryptography (in the host based case, with the host's key).
Below I have consolidated a list of comparisons and differences between host based authentication and public key authentication:
SSH Host Based Authentication | SSH Public Key Authentication |
---|---|
Authentication happens at host level by default | Authentication happens at user level by default |
All the users on the server are allowed to authenticate once enabled and configured (unless restricted using the Match directive in sshd_config) | The private and public key pair is configured per user (unless the same key is used by all users by placing the private and public key in the respective locations) |
Uses a public/private key pair for the secure connection | Uses a public/private key pair for the secure connection |
Public and private key pair is created under /etc/ssh as soon as the openssh rpm is installed | Public and private key pair is manually created using the ssh-keygen utility |
Private key is stored under the default location, i.e. /etc/ssh, for the host (on the client) | Private key is by default stored under the home directory of the user, ~/.ssh/ (on the client) |
Public key is copied and the content is appended to the /etc/ssh/ssh_known_hosts file | Public key is copied to the server and the content is appended to the authorized_keys file in the respective user's home directory, for example ~/.ssh/authorized_keys |
Preferred tool to copy the public key is ssh-keyscan, although any other tool such as rsync, sftp, etc. can be used | Preferred tool to copy the public key is ssh-copy-id, although it can be done manually using scp, rsync or a similar tool |
Enabled via HostbasedAuthentication in /etc/ssh/sshd_config | Enabled via PubkeyAuthentication in /etc/ssh/sshd_config |
ssh-keysign is used by ssh to access the local host keys and generate the digital signature required during host based authentication | Only public and private key pair matching is performed for SSH public key authentication |
More details on SSH public key authentication (with and without a password) in Linux are covered in a separate article.
My Lab Environment
I am using RHEL 7 and 8 Linux hosts to configure host based authentication. Here rhel-7 will be my client, from which I will initiate the SSH connection, while rhel-8 will act as the server.

```
[root@rhel-7 ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
10.10.10.7  rhel-8.example.com rhel-8
10.10.10.10 rhel-7.example.com rhel-7
```
I have disabled selinux for this article on both my nodes.
Configure Host Based Authentication for Host
On Client side (ssh_config)
On the client or source host, this file must be configured and, in addition, at least one host key must exist under /etc/ssh:

- /etc/ssh/ssh_config - allows clients to request host-based authentication

Enable the values below in /etc/ssh/ssh_config on the client that will try host key authentication to all machines:

```
Host *
    EnableSSHKeysign yes
    HostbasedAuthentication yes
```

ssh-keysign is disabled by default and can only be enabled in the global client configuration file /etc/ssh/ssh_config by setting EnableSSHKeysign to yes.
At least one of the following files must exist on the client and contain the appropriate private key. The private key used must match the public key stored in the server's (target host's) ssh_known_hosts file. Any of RSA, ECDSA or Ed25519 can be used; DSA should no longer be used. These keys under /etc/ssh are created automatically when the openssh package is installed.

```
-rw-------. 1 root root      668 Dec  4 12:12 ssh_host_dsa_key
-rw-r--r--. 1 root root      613 Dec  4 12:12 ssh_host_dsa_key.pub
-rw-r-----. 1 root ssh_keys  227 Jul 20 16:30 ssh_host_ecdsa_key
-rw-r--r--. 1 root root      162 Jul 20 16:30 ssh_host_ecdsa_key.pub
-rw-r-----. 1 root ssh_keys  387 Jul 20 16:30 ssh_host_ed25519_key
-rw-r--r--. 1 root root       82 Jul 20 16:30 ssh_host_ed25519_key.pub
-rw-------. 1 root root      988 Dec  4 12:12 ssh_host_key
-rw-r--r--. 1 root root      653 Dec  4 12:12 ssh_host_key.pub
-rw-------. 1 root root     1679 Dec  4 12:13 ssh_host_rsa_key
-rw-r--r--. 1 root ssh_keys  405 Dec  4 12:13 ssh_host_rsa_key.pub
```
Next restart the sshd service to activate the changes:

```
[root@rhel-7 ~]# systemctl restart sshd
```
On Server side (sshd_config)
Three files on the server or target host must be modified to get host-based authentication working:

- /etc/ssh/shosts.equiv and /etc/ssh/ssh_known_hosts - hold the identities of the clients
- /etc/ssh/sshd_config - turns on host key authentication
- /root/.shosts - only required to enable login for the root user using the key
Enable host based authentication in /etc/ssh/sshd_config by modifying the values below:

```
[root@rhel-8 ~]# egrep ^'HostbasedAuthentication|IgnoreRhosts' /etc/ssh/sshd_config
HostbasedAuthentication yes
IgnoreRhosts no
```
Next provide the client <hostname> and the root user in the shosts.equiv file as shown below. Here my client's hostname is rhel-7.example.com:

```
[root@rhel-8 ~]# cat /etc/ssh/shosts.equiv
rhel-7.example.com root
```
/usr/libexec/openssh/ssh-keysign is used by ssh to access the local host keys and generate the digital signature required during host key authentication. The host keys should be owned by root, readable only by root, and not accessible to others.

Next fetch the client's public host key and append it to /etc/ssh/ssh_known_hosts using ssh-keyscan. The default key type here is ecdsa; to specify a key type use -t followed by the <key_type>, for example ssh-rsa:

```
[root@rhel-8 ~]# ssh-keyscan rhel-7.example.com >> /etc/ssh/ssh_known_hosts
# rhel-7.example.com:22 SSH-2.0-OpenSSH_7.4
# rhel-7.example.com:22 SSH-2.0-OpenSSH_7.4
# rhel-7.example.com:22 SSH-2.0-OpenSSH_7.4
```
Since we have kept the default key type, this command fetches the public host key from the client node's /etc/ssh/ssh_host_ecdsa_key.pub and appends it to /etc/ssh/ssh_known_hosts on the server node to enable host key authentication.

Verify the content of your ssh_known_hosts file; the ecdsa entry should be the same as /etc/ssh/ssh_host_ecdsa_key.pub from the client node:

```
[root@rhel-8 ~]# cat /etc/ssh/ssh_known_hosts
rhel-7.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINMVXhySksiT4SiRUJ4uDyjWb0MAQ79biNYSFReELxqt
rhel-7.example.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAmATinLkAUc6xcbdVOeNVaUS2LeWyKwks/CBZqMfk+Z7odrPwOiVcCpjz2eoQENWzKnQO7UxR2TzQuTls4n4Zk=
```

Below is the content from the client node:

```
[root@rhel-7 ssh]# cat /etc/ssh/ssh_host_ecdsa_key.pub
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAmATinLkAUc6xcbdVOeNVaUS2LeWyKwks/CBZqMfk+Z7odrPwOiVcCpjz2eoQENWzKnQO7UxR2TzQuTls4n4Zk=
```
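The comparison above is the step that catches a stale or mistyped ssh_known_hosts entry, which is also what a spoofed client would fail. The shell helper below is an added example, not part of the article: it checks that the entry recorded for a hostname carries exactly the key type and blob in the client's ssh_host_<type>_key.pub (including comma-separated alias lists) and that shosts.equiv lists the host and user; the file contents and key blob are constructed stand-ins.

```shell
#!/bin/sh
# Added verification helper (not from the article): compare the server-side
# ssh_known_hosts entry for a client with the client's own host public key, and
# check the shosts.equiv grant. Sample files below are constructed.

# known_hosts_has_key KNOWN_HOSTS HOSTNAME PUBKEY_FILE
# Exit 0 when a plaintext known_hosts line names HOSTNAME (alone or inside a
# comma-separated alias list) with the same key type and base64 blob as
# PUBKEY_FILE. Hashed entries (|1|...) cannot be compared this way; skipped.
known_hosts_has_key() {
    kh=$1; host=$2
    set -- $(cat "$3")                 # fields of the .pub file: type blob [comment]
    awk -v h="$host" -v t="$1" -v b="$2" '
        $1 ~ /^#/ || substr($1, 1, 3) == "|1|" { next }
        { n = split($1, names, ",")
          for (i = 1; i <= n; i++)
              if (names[i] == h && $2 == t && $3 == b) found = 1 }
        END { exit found ? 0 : 1 }' "$kh"
}

# shosts_equiv_allows SHOSTS_EQUIV HOSTNAME USER
# Exit 0 when the file holds a "HOSTNAME USER" line in the form the article uses.
shosts_equiv_allows() {
    awk -v h="$2" -v u="$3" '$1 == h && $2 == u { ok = 1 } END { exit ok ? 0 : 1 }' "$1"
}

# Constructed sample files standing in for the real ones under /etc/ssh
demo=$(mktemp -d)
blob='AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYCONSTRUCTED='
printf 'ecdsa-sha2-nistp256 %s root@rhel-7\n' "$blob" > "$demo/client.pub"
printf 'rhel-7.example.com,rhel-7 ecdsa-sha2-nistp256 %s\n' "$blob" > "$demo/ssh_known_hosts"
printf 'rhel-7.example.com ecdsa-sha2-nistp256 %sSTALE\n' "$blob" > "$demo/stale_known_hosts"
printf 'rhel-7.example.com root\n' > "$demo/shosts.equiv"

if known_hosts_has_key "$demo/ssh_known_hosts" rhel-7.example.com "$demo/client.pub"; then
    echo "ssh_known_hosts matches the client host key"
else
    echo "ssh_known_hosts entry missing or stale: re-run ssh-keyscan"
fi
```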
To enable host key authentication for the root user, provide the client <hostname> and the root user name in a new file .shosts under root's home directory:

```
[root@rhel-8 ~]# cat ~/.shosts
rhel-7.example.com root
```
Next restart the sshd service to activate the changes:

```
[root@rhel-8 ~]# systemctl restart sshd
```
Now our configuration to set up host key authentication is complete. You can try to connect from rhel-7 to rhel-8 using any user:

```
[root@rhel-7 ~]# ssh -v rhel-8.example.com
..
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,password,hostbased
debug1: Next authentication method: hostbased
..
debug1: Authentication succeeded (hostbased).
Authenticated to rhel-8.example.com ([10.10.10.7]:22).
..
debug1: Sending env LANG = en_US.UTF-8
Last login: Thu Nov 21 23:50:06 2019 from rhel-7.example.com
[root@rhel-8 ~]#
```

You can also try to connect using a non-root user:

```
[root@rhel-7 ~]# ssh -v rhel-8.example.com -l deepak
..
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,password,hostbased
debug1: Next authentication method: hostbased
..
debug1: Authentication succeeded (hostbased).
Authenticated to rhel-8.example.com ([10.10.10.7]:22).
..
Last login: Thu Nov 21 23:49:48 2019 from rhel-7.example.com
[deepak@rhel-8 ~]$
```

So our host key authentication is working as expected.
Configure Host Based Authentication per User
With the configuration above, all users on your server can authenticate without a passphrase or password using host key authentication. But you can also filter or limit host based authentication per user or group using the "Match" directive.

Assuming I have two users on my server (rhel-8):

- deepak → allow host key authentication and disable public key authentication
- rahul → allow public key authentication and disable host key and password based authentication
- all others → for all other users on the system, only allow password based authentication

To achieve this you can add the entries below to your /etc/ssh/sshd_config:

```
Match User deepak
    PasswordAuthentication no
    HostbasedAuthentication yes
Match User rahul
    HostbasedAuthentication no
    PasswordAuthentication no
    PubkeyAuthentication yes
Match all
    PasswordAuthentication yes
```
Next restart your sshd service
[root@rhel-8 ~]# systemctl restart sshd
Now if you attempt to connect as user rahul from the client node:

```
[root@rhel-7 ~]# ssh rhel-8.example.com -l rahul
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
```

As you can see, it does not offer host based or password based authentication for this user.

Similarly, for the root user the tool now prompts for a password:

```
[root@rhel-7 ~]# ssh rhel-8.example.com
root@rhel-8.example.com's password:
```

You can enable debug mode (ssh -v) to get more details on the supported authentication methods.

And lastly, we are able to connect to our server using host based authentication as the deepak user:

```
[root@rhel-7 ~]# ssh rhel-8.example.com -l deepak
Last login: Thu Nov 21 23:54:21 2019 from rhel-7.example.com
[deepak@rhel-8 ~]$
```
sshd_config file, or else by default those will be preferred over these values. For example, if you specify PasswordAuthentication as yes in your sshd_config file and again in the same file you use the Match directive and set PasswordAuthentication to no, then it may not work.
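To review an sshd_config for the situation the note above warns about, a keyword set both in the global section and again inside a Match block, the lint below is an added example and not the article's own code: it prints every such overlap with both values and the Match criteria, so the global copies can be checked before sshd is restarted. The sample config is constructed from the Match blocks shown earlier plus a global PasswordAuthentication line; it assumes the usual "Keyword value" syntax rather than "Keyword=value".

```shell
#!/bin/sh
# Added lint (not from the article): list keywords that appear both in the
# global section of an sshd_config and inside a Match block.

# match_overlaps CONFIG_FILE
# Prints "keyword global=VALUE match=VALUE (Match CRITERIA)" per overlap.
# Keywords are compared case-insensitively, as sshd itself treats them, and
# the first global value wins, matching sshd's first-obtained-value rule.
match_overlaps() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }                       # blanks and comments
        { key = tolower($1); val = $2 }
        key == "match" { crit = substr($0, index($0, $2)); in_match = 1; next }
        !in_match { if (!(key in global)) global[key] = val; next }
        key in global { printf "%s global=%s match=%s (Match %s)\n", key, global[key], val, crit }
    ' "$1"
}

# Constructed sample: the article's Match blocks plus a global
# PasswordAuthentication that the "Match User rahul" block contradicts.
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
# global section
PasswordAuthentication yes
HostbasedAuthentication yes
IgnoreRhosts no

Match User deepak
    PasswordAuthentication no
    HostbasedAuthentication yes
Match User rahul
    HostbasedAuthentication no
    PasswordAuthentication no
    PubkeyAuthentication yes
Match all
    PasswordAuthentication yes
EOF

match_overlaps "$cfg"
```

PubkeyAuthentication is not reported because it is only set inside a Match block, which is the intended shape of a per-user override.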
Troubleshooting Host Key Authentication
While configuring host based authentication I faced this error:

Error:

```
userauth_hostbased mismatch: client sends rhel-7.example.com, but we resolve 10.10.10.10 to rhel-7
```

Solution:

This occurs because we have disabled the UseDNS directive, which is why sshd fails to resolve the hostname. Once you enable this directive in sshd_config, this should be fixed.
Lastly, I hope the steps in this article for configuring and understanding host based authentication vs public key authentication on RHEL/CentOS 7 and 8 Linux were helpful. So, let me know your suggestions and feedback using the comment section.