Table of Contents
In this article I will share the steps to configure Host based authentication in
ssh_config for Linux server and client and a comparison between Host based Authentication vs Public Key Authentication.
Host Based authentication vs Public key based authentication
Host based authentication is different compared to SSH Public Key Authentication in terms of configuration, although in the backend both perform secure connection using public host key authentication.
Below I have consolidated a list of comparison and difference between Host Key Authentication vs Public key Authentication
|SSH Host Based Authentication||SSH Public Key Authentication|
|Authentication happens at host level by default||Authentication happens at User level by default|
|All the users on the server are allowed to authenticate once enabled and configured (unless restricted using ||The private and public key pair is configured on per user level (Unless same key is used by all the users by placing the private and public key in respective locations)|
|Uses Public private key combination for secure connection||Uses Public private key combination for secure connection|
|Public and private key pair are created under ||Public and private key pair is manually created using |
|Private key is by default stored under home directory of the user ||Private Key is stored under the default location i.e. |
|Public key is copied and the content is appended in ||Public key is copied to the server and the content is appended in |
|Preferred tool to copy public key is ||Preferred tool to copy public key is |
|Enabled via ||Enabled via |
|Only public and private key pair matching is performed for SSH public key Authentication|
My Lab Environment
I am using RHEL 7 and 8 Linux hosts to configure Host based authentication. Here
rhel-7 will be my client using which I will initiate the SSH connection while
rhel-8 will act as a server.
[root@rhel-7 ~]# cat /etc/hosts 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 10.10.10.7 rhel-8.example.com rhel-8 10.10.10.10 rhel-7.example.com rhel-7
I have disabled selinux for this article on both my nodes.
Configure Host Based Authentication for Host
On Client side (ssh_config)
On the client or source host, this file must be configured and in addition at least one host key must exist under
/etc/ssh/ssh_config- allow clients to request host-based authentication
Enable below values in
/etc/ssh/ssh_config on the client trying host key authentication to all machines:
Host * EnableSSHKeySign yes HostbasedAuthentication yes
ssh-keysignis disabled by default and can only be enabled in the global client configuration file
At least one of the following files must exist on the server and contain the appropriate private key. The private key used should match the public key stored in the server or target host's
ssh_known_hosts file. Any of the four types can be used, RSA, ECDSA, or Ed25519. DSA should no longer be used. These keys under
/etc/ssh are then created automatically when the openssh package is installed.
-rw-------. 1 root root 668 Dec 4 12:12 ssh_host_dsa_key -rw-r--r--. 1 root root 613 Dec 4 12:12 ssh_host_dsa_key.pub -rw-r-----. 1 root ssh_keys 227 Jul 20 16:30 ssh_host_ecdsa_key -rw-r--r--. 1 root root 162 Jul 20 16:30 ssh_host_ecdsa_key.pub -rw-r-----. 1 root ssh_keys 387 Jul 20 16:30 ssh_host_ed25519_key -rw-r--r--. 1 root root 82 Jul 20 16:30 ssh_host_ed25519_key.pub -rw-------. 1 root root 988 Dec 4 12:12 ssh_host_key -rw-r--r--. 1 root root 653 Dec 4 12:12 ssh_host_key.pub -rw-------. 1 root root 1679 Dec 4 12:13 ssh_host_rsa_key -rw-r--r--. 1 root ssh_keys 405 Dec 4 12:13 ssh_host_rsa_key.pub
Next restart the
sshd service to activate the changes
[root@rhel-7 ~]# systemctl restart sshd
On Server side (sshd_config)
Three files on the server or target host must be modified to get host-based authentication working:
/etc/ssh/ssh_known_hosts- hold the identities of the clients
/etc/ssh/sshd_config- turn on host key authentication
/root/.shosts- Only required to enable login for root user using key
Enable Host based authentication in
/etc/ssh/sshd_config by modifying the below values
[root@rhel-8 ~]# egrep ^'HostbasedAuthentication|IgnoreRhosts' /etc/ssh/sshd_config HostbasedAuthentication yes IgnoreRhosts no
[root@rhel-8 ~]# cat /etc/ssh/shosts.equiv rhel-7.example.com root
/usr/libexec/openssh/ssh-keysignis used by ssh to access the local host keys and generate the digital signature required during host key authentication. They should be owned by root, readable only by root, and not accessible to others.
Next allow a public key for the client and append the keys to
[root@rhel-8 ~]# ssh-keyscan rhel-7.example.com >> /etc/ssh/ssh_known_hosts # rhel-7.example.com:22 SSH-2.0-OpenSSH_7.4 # rhel-7.example.com:22 SSH-2.0-OpenSSH_7.4 # rhel-7.example.com:22 SSH-2.0-OpenSSH_7.4
Since we have selected default key type, this command will get the public host key from the client node
/etc/ssh/ssh_host_ecdsa_key.pub and append the same to
/etc/ssh/ssh_known_hosts on the server node to enable host key authentication.
Verify the content of your
ssh_known_hosts file, the content should be same as
/etc/ssh/ssh_host_ecdsa_key.pub from the client node
[root@rhel-8 ~]# cat /etc/ssh/ssh_known_hosts rhel-7.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINMVXhySksiT4SiRUJ4uDyjWb0MAQ79biNYSFReELxqt rhel-7.example.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAmATinLkAUc6xcbdVOeNVaUS2LeWyKwks/CBZqMfk+Z7odrPwOiVcCpjz2eoQENWzKnQO7UxR2TzQuTls4n4Zk=
Below is the content from client node
[root@rhel-7 ssh]# cat /etc/ssh/ssh_host_ecdsa_key.pub ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAmATinLkAUc6xcbdVOeNVaUS2LeWyKwks/CBZqMfk+Z7odrPwOiVcCpjz2eoQENWzKnQO7UxR2TzQuTls4n4Zk=
To enable host key authentication for root user provide the client
root user name in a new file under root's home directory
[root@rhel-8 ~]# cat ~/.shosts rhel-7.example.com root
Next restart the
sshd service to activate the changes
[root@rhel-8 ~]# systemctl restart sshd
Now our configuration to setup host key authentication is complete. You can try to connect from
rhel-8 using any user
[root@rhel-7 ~]# ssh -v rhel-8.example.com .. debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,password,hostbased debug1: Next authentication method: hostbased .. debug1: Authentication succeeded (hostbased). Authenticated to rhel-8.example.com ([10.10.10.7]:22). .. debug1: Sending env LANG = en_US.UTF-8 Last login: Thu Nov 21 23:50:06 2019 from rhel-7.example.com [root@rhel-8 ~]#
You can also try to connect using a non root user
[root@rhel-7 ~]# ssh -v rhel-8.example.com -l deepak .. debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,password,hostbased debug1: Next authentication method: hostbased .. debug1: Authentication succeeded (hostbased). Authenticated to rhel-8.example.com ([10.10.10.7]:22). .. Last login: Thu Nov 21 23:49:48 2019 from rhel-7.example.com [deepak@rhel-8 ~]$
So our host key authentication is working as expected..
Configure Host Based Authentication per User
Now using the above configuration you enable all the users on your server to be able to authenticate without passphrase and password for Host key Authentication. But you can also apply filter or limit for host based authentication per user or group using "
Assuming I have two users on my server (
- deepak → Allow host key authentication and disable Public Key Authentication
- rahul → Allow Public Key Authentication and disable Host Key and password based authentication
- All other → For all other users on the system only allow password based authentication
To achieve this you can add below entry in your
Match User deepak PasswordAuthentication no HostbasedAuthentication yes Match User rahul HostbasedAuthentication no PasswordAuthentication no PubkeyAuthentication yes Match all PasswordAuthentication yes
Next restart your sshd service
[root@rhel-8 ~]# systemctl restart sshd
Now if you attempt to connect using user
rahul from the client node
[root@rhel-7 ~]# ssh rhel-8.example.com -l rahul Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
As you see it does not supports host and password based authentication
Similarly for root user now the tool prompts for password
[root@rhel-7 ~]# ssh rhel-8.example.com email@example.com's password:
You can enable debug mode and get more details on supported authentication modes.
And lastly we are able to connect to our server using Host based authentication for
[root@rhel-7 ~]# ssh rhel-8.example.com -l deepak Last login: Thu Nov 21 23:54:21 2019 from rhel-7.example.com [deepak@rhel-8 ~]$
sshd_configfile or else by default those will be preferred over these values. For example if you specify
sshd_configfile and again in the same file you use
Matchdirective and provide
nothen it may not work.
Troubleshooting Host Key Authentication
While configuring host based authentication I faced some error:
userauth_hostbased mismatch: client sends rhel-7.example.com, but we resolve 10.10.10.10 to rhel-7
This occurs because we have disabled
UseDNS directive which is why the
sshd_config fails to resolve hostname. Once you enable this directive in
sshd_config, this should be fixed.
Lastly I hope the steps from the article to configuring and understanding host based authentication vs Public key Authentication on RHEL/CentOS 7 and 8 Linux was helpful. So, let me know your suggestions and feedback using the comment section.
Host Based Authentication Wiki