How to configure ssh host based authentication per user (CentOS/RHEL 7/8)

In this article I will share the steps to configure host based authentication in sshd_config (server side) and ssh_config (client side) on Linux, and compare host based authentication with public key authentication.

 

Host Based authentication vs Public key based authentication

Host based authentication differs from SSH public key authentication in how it is configured, although in the background both rely on a public/private key pair and a digital signature to secure the connection.

Below is a consolidated comparison of SSH host based authentication and SSH public key authentication:

  • Level: host based authentication happens at host level by default; public key authentication happens at user level by default.
  • Scope: with host based authentication, all users on the server are allowed to authenticate once it is enabled and configured (unless restricted with the Match directive in sshd_config); with public key authentication, the key pair is configured per user (unless all users share one key pair placed in the respective locations).
  • Key material: both use a public/private key pair for the secure connection.
  • Key creation: host key pairs are created under /etc/ssh as soon as the openssh rpm is installed; user key pairs are created manually with the ssh-keygen utility.
  • Private key location (on the client): for host based authentication the host's private key is stored in the default location /etc/ssh; for public key authentication the private key is by default stored in the user's home directory, ~/.ssh/.
  • Public key location (on the server): for host based authentication the client's public host key is appended to /etc/ssh/ssh_known_hosts; for public key authentication the user's public key is copied to the server and appended to authorized_keys in that user's home directory, for example ~/.ssh/authorized_keys.
  • Tool to copy the public key: ssh-keyscan is preferred for host based authentication, although any other tool such as rsync, sftp, etc. can be used; ssh-copy-id is preferred for public key authentication, although it can be done manually with scp, rsync or a similar tool.
  • Enabled via: HostbasedAuthentication in /etc/ssh/sshd_config; PubkeyAuthentication in /etc/ssh/sshd_config.
  • Signing: for host based authentication, ssh-keysign is used by ssh to access the local host keys and generate the digital signature required during authentication; for public key authentication only the public and private key pair match is checked.

More details on SSH Public Key Authentication (with and without password) in Linux

 

My Lab Environment

I am using RHEL 7 and 8 Linux hosts to configure host based authentication. Here rhel-7 is the client from which I initiate the SSH connection, while rhel-8 acts as the server.

[root@rhel-7 ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
10.10.10.7      rhel-8.example.com      rhel-8
10.10.10.10     rhel-7.example.com	rhel-7

I have disabled selinux for this article on both my nodes.

 

Configure Host Based Authentication for Host

On Client side (ssh_config)

On the client or source host, this file must be configured and in addition at least one host key must exist under /etc/ssh:

  • /etc/ssh/ssh_config - allow clients to request host-based authentication

Set the following values in /etc/ssh/ssh_config on the client so that it offers host based authentication to all hosts:

Host *
   EnableSSHKeysign yes
   HostbasedAuthentication yes

NOTE:

ssh-keysign is disabled by default and can only be enabled in the global client configuration file /etc/ssh/ssh_config by setting EnableSSHKeysign to yes.

At least one of the following host key files must exist under /etc/ssh on the client and contain the private key; that private key must match the public key stored in the server or target host's ssh_known_hosts file. Any of the four key types may be present (RSA, DSA, ECDSA or Ed25519), but DSA should no longer be used. These keys under /etc/ssh are created automatically when the openssh package is installed:

-rw-------. 1 root root        668 Dec  4 12:12 ssh_host_dsa_key
-rw-r--r--. 1 root root        613 Dec  4 12:12 ssh_host_dsa_key.pub
-rw-r-----. 1 root ssh_keys    227 Jul 20 16:30 ssh_host_ecdsa_key
-rw-r--r--. 1 root root        162 Jul 20 16:30 ssh_host_ecdsa_key.pub
-rw-r-----. 1 root ssh_keys    387 Jul 20 16:30 ssh_host_ed25519_key
-rw-r--r--. 1 root root         82 Jul 20 16:30 ssh_host_ed25519_key.pub
-rw-------. 1 root root        988 Dec  4 12:12 ssh_host_key
-rw-r--r--. 1 root root        653 Dec  4 12:12 ssh_host_key.pub
-rw-------. 1 root root       1679 Dec  4 12:13 ssh_host_rsa_key
-rw-r--r--. 1 root ssh_keys    405 Dec  4 12:13 ssh_host_rsa_key.pub

Next restart the sshd service to activate the changes

[root@rhel-7 ~]# systemctl restart sshd

 

On Server side (sshd_config)

The following files on the server or target host must be modified to get host based authentication working (the last one only if the root user should log in this way):

  • /etc/ssh/shosts.equiv - list the client hosts (and users) allowed to authenticate
  • /etc/ssh/ssh_known_hosts - hold the public host keys (identities) of the clients
  • /etc/ssh/sshd_config - turn on host based authentication
  • /root/.shosts - only required to enable login for the root user using host based authentication

Enable host based authentication in /etc/ssh/sshd_config by setting the values below:

[root@rhel-8 ~]# egrep ^'HostbasedAuthentication|IgnoreRhosts' /etc/ssh/sshd_config
HostbasedAuthentication yes
IgnoreRhosts no

Next add the client hostname and the root user to /etc/ssh/shosts.equiv as shown below. Here my client's hostname is rhel-7.example.com:

[root@rhel-8 ~]# cat /etc/ssh/shosts.equiv
rhel-7.example.com      root
NOTE:

On the client, /usr/libexec/openssh/ssh-keysign is used by ssh to read the local host keys and generate the digital signature required during host based authentication. The private host keys should be owned by root, readable only by root, and not accessible to others.

Next collect the client's public host keys and append them to /etc/ssh/ssh_known_hosts using ssh-keyscan:

[root@rhel-8 ~]# ssh-keyscan  rhel-7.example.com >> /etc/ssh/ssh_known_hosts
# rhel-7.example.com:22 SSH-2.0-OpenSSH_7.4
# rhel-7.example.com:22 SSH-2.0-OpenSSH_7.4
# rhel-7.example.com:22 SSH-2.0-OpenSSH_7.4

With the default key types, this command fetched the client's public host keys (including /etc/ssh/ssh_host_ecdsa_key.pub) and appended them to /etc/ssh/ssh_known_hosts on the server node to enable host based authentication.

Verify the content of your ssh_known_hosts file; the ecdsa entry should be identical to /etc/ssh/ssh_host_ecdsa_key.pub on the client node:

[root@rhel-8 ~]# cat /etc/ssh/ssh_known_hosts
rhel-7.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINMVXhySksiT4SiRUJ4uDyjWb0MAQ79biNYSFReELxqt
rhel-7.example.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAmATinLkAUc6xcbdVOeNVaUS2LeWyKwks/CBZqMfk+Z7odrPwOiVcCpjz2eoQENWzKnQO7UxR2TzQuTls4n4Zk=

Below is the corresponding content on the client node:

[root@rhel-7 ssh]# cat /etc/ssh/ssh_host_ecdsa_key.pub
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAmATinLkAUc6xcbdVOeNVaUS2LeWyKwks/CBZqMfk+Z7odrPwOiVcCpjz2eoQENWzKnQO7UxR2TzQuTls4n4Zk=

To enable host based authentication for the root user, add the client hostname and the root user name to a new file .shosts in root's home directory:

[root@rhel-8 ~]# cat ~/.shosts
rhel-7.example.com root

Next restart the sshd service to activate the changes

[root@rhel-8 ~]# systemctl restart sshd

Now our host based authentication setup is complete. You can try to connect from rhel-7 to rhel-8 as any user:

[root@rhel-7 ~]# ssh -v rhel-8.example.com
..
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,password,hostbased
debug1: Next authentication method: hostbased
..
debug1: Authentication succeeded (hostbased).
Authenticated to rhel-8.example.com ([10.10.10.7]:22).
..
debug1: Sending env LANG = en_US.UTF-8
Last login: Thu Nov 21 23:50:06 2019 from rhel-7.example.com
[root@rhel-8 ~]#

You can also try to connect as a non-root user:

[root@rhel-7 ~]# ssh -v rhel-8.example.com -l deepak
..
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,password,hostbased
debug1: Next authentication method: hostbased
..
debug1: Authentication succeeded (hostbased).
Authenticated to rhel-8.example.com ([10.10.10.7]:22).
..
Last login: Thu Nov 21 23:49:48 2019 from rhel-7.example.com
[deepak@rhel-8 ~]$

So our host based authentication is working as expected.
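Rather than eyeballing the two key strings, the check below (an added example, not part of the original article) parses the ssh_known_hosts lines and the client's ssh_host_ecdsa_key.pub shown above, verifies that the key type embedded in each blob matches its label, prints each key's SHA256 fingerprint in the form ssh-keygen -lf shows, and reports whether the server's entry for rhel-7.example.com is byte-for-byte the client's key. Hashed known_hosts entries (HashKnownHosts) are skipped, not handled.

```python
import base64
import hashlib
import struct

# Constructed sample input: the ssh_known_hosts lines ssh-keyscan produced on rhel-8
# and the client's own /etc/ssh/ssh_host_ecdsa_key.pub, both copied from the article.
KNOWN_HOSTS = """\
rhel-7.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINMVXhySksiT4SiRUJ4uDyjWb0MAQ79biNYSFReELxqt
rhel-7.example.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAmATinLkAUc6xcbdVOeNVaUS2LeWyKwks/CBZqMfk+Z7odrPwOiVcCpjz2eoQENWzKnQO7UxR2TzQuTls4n4Zk=
"""
CLIENT_PUB = ("ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAmATinLkAUc"
              "6xcbdVOeNVaUS2LeWyKwks/CBZqMfk+Z7odrPwOiVcCpjz2eoQENWzKnQO7UxR2TzQuTls4n4Zk=")

def parse_key(keytype, b64):
    """Decode a public key blob and check the type string inside it matches the label."""
    blob = base64.b64decode(b64, validate=True)
    (tlen,) = struct.unpack(">I", blob[:4])          # every SSH key blob starts with string(type)
    embedded = blob[4:4 + tlen].decode("ascii")
    if embedded != keytype:
        raise ValueError(f"blob says {embedded!r}, line says {keytype!r}")
    return blob

def fingerprint(blob):
    """SHA256 fingerprint in the form ssh-keygen -lf prints it (unpadded base64)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def known_host_keys(text, host):
    """Map key type -> blob for every plain (unhashed) line whose host list names `host`."""
    keys = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or line.startswith(("#", "|1|")):   # comments, hashed entries
            continue
        hosts, keytype, b64 = fields[:3]
        if host in hosts.split(","):
            keys[keytype] = parse_key(keytype, b64)
    return keys

def client_key_trusted(known_hosts_text, host, pub_line):
    """True only if the server's entry for `host` is byte-for-byte the client's key."""
    keytype, b64 = pub_line.split()[:2]
    server_blob = known_host_keys(known_hosts_text, host).get(keytype)
    return server_blob is not None and server_blob == parse_key(keytype, b64)

if __name__ == "__main__":
    for ktype, blob in known_host_keys(KNOWN_HOSTS, "rhel-7.example.com").items():
        print(f"{ktype:20s} {fingerprint(blob)}")
    print("client key trusted:", client_key_trusted(KNOWN_HOSTS, "rhel-7.example.com", CLIENT_PUB))
```

Run ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub on the client and compare that fingerprint with the one printed here for the server's entry; a mismatch means the server trusts a key that is not the client's.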

 

Configure Host Based Authentication per User

With the configuration above, every user on the server can authenticate through host based authentication without a passphrase or password. You can also restrict host based authentication per user or group with the "Match" directive.

Assume I have two users on my server (rhel-8) with the following requirements:

  • deepak → Allow host key authentication and disable Public Key Authentication
  • rahul → Allow Public Key Authentication and disable Host Key and password based authentication
  • All other → For all other users on the system only allow password based authentication

To achieve this, add the following entries to /etc/ssh/sshd_config:

Match User deepak
        PasswordAuthentication no
        HostbasedAuthentication yes
Match User rahul
        HostbasedAuthentication no
        PasswordAuthentication no
        PubkeyAuthentication yes
Match all
        PasswordAuthentication yes

Next restart your sshd service

[root@rhel-8 ~]# systemctl restart sshd

Now if you attempt to connect as user rahul from the client node:

[root@rhel-7 ~]# ssh  rhel-8.example.com -l rahul
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

As you can see, neither host based nor password authentication is offered for rahul.

Similarly, the root user is now prompted for a password:

[root@rhel-7 ~]# ssh  rhel-8.example.com
root@rhel-8.example.com's password:

You can enable debug mode (ssh -v) to see which authentication methods the server offers.

And lastly, the deepak user is able to connect to our server using host based authentication:

[root@rhel-7 ~]# ssh  rhel-8.example.com -l deepak
Last login: Thu Nov 21 23:54:21 2019 from rhel-7.example.com
[deepak@rhel-8 ~]$
IMPORTANT NOTE:

To apply such per-user restrictions for host based authentication, comment out any global entry of these directives in sshd_config, otherwise by default the global values will be preferred over the Match values. For example, if you set PasswordAuthentication yes globally in sshd_config and then set PasswordAuthentication no inside a Match block in the same file, it may not work.
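To see which authentication methods sshd will offer each user with the Match blocks above, the resolver below (an added example, not the article's own code) applies the precedence rule from sshd_config(5): keywords in a matching Match block override the global section, and where several blocks match, the first one to set a keyword wins. The global lines are the two enabled earlier on rhel-8; the authoritative check on the real server is sshd -T -C user=deepak,host=rhel-7.example.com,addr=10.10.10.10.

```python
# Constructed sample: the article's Match blocks placed after the globals enabled on rhel-8.
SSHD_CONFIG = """\
HostbasedAuthentication yes
IgnoreRhosts no
Match User deepak
        PasswordAuthentication no
        HostbasedAuthentication yes
Match User rahul
        HostbasedAuthentication no
        PasswordAuthentication no
        PubkeyAuthentication yes
Match all
        PasswordAuthentication yes
"""
# Compiled-in sshd defaults for the three keywords this article toggles.
DEFAULTS = {"passwordauthentication": "yes", "pubkeyauthentication": "yes", "hostbasedauthentication": "no"}

def _block_matches(criteria, user):
    """Model only 'Match all' and 'Match User a,b'; other criteria never match here."""
    toks = criteria.split()
    if len(toks) == 1 and toks[0].lower() == "all":
        return True
    return len(toks) == 2 and toks[0].lower() == "user" and user in toks[1].split(",")

def effective_config(text, user):
    """Resolve keywords as sshd does: a matching Match block overrides the global
    section, and within each section the first value obtained for a keyword wins."""
    global_vals, match_vals = {}, {}
    in_match, active = False, True       # active: in the global section or a matching block
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and indentation
        if not line:
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            in_match, active = True, _block_matches(value, user)
        elif active:
            (match_vals if in_match else global_vals).setdefault(key, value)
    return {**DEFAULTS, **global_vals, **match_vals}

def auth_methods(text, user):
    cfg = effective_config(text, user)
    return sorted(m for m in ("hostbased", "password", "pubkey")
                  if cfg[m + "authentication"].lower() == "yes")

if __name__ == "__main__":
    for user in ("deepak", "rahul", "root"):
        print(f"{user:7s} -> {', '.join(auth_methods(SSHD_CONFIG, user))}")
```

It reports pubkey still enabled for deepak, because the Match User deepak block above never sets PubkeyAuthentication no; add that line if public key login for deepak really should be disabled.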

 

Troubleshooting Host Key Authentication

While configuring host based authentication I hit the following error:

Error:

userauth_hostbased mismatch: client sends rhel-7.example.com, but we resolve 10.10.10.10 to rhel-7

 
Solution:
This occurs because the UseDNS directive is disabled, so sshd cannot map the client's IP address back to the hostname the client sends. Enable this directive in sshd_config and restart sshd, and the error should be fixed.

 

Lastly, I hope the steps in this article for configuring and understanding host based authentication vs public key authentication on RHEL/CentOS 7 and 8 Linux were helpful. Let me know your suggestions and feedback using the comment section.

 


 
