Set up SSH host-based authentication between OpenSolaris and Solaris 10

Setting this up was way more hassle than it should have been thanks to some pretty ambiguous documentation.

I am using an OpenSolaris snv_134 x64 client to connect to a Solaris 10 u8 x64 server without the use of a password. Before starting, make sure that you have identical user accounts on both the server and client, and that hostname lookups are functioning normally. Also note that if you cock this up you run the risk of locking yourself out of SSH logins to the system.

(Official docs are at: http://docs.sun.com/app/docs/doc/816-4557/sshuser-12?a=view)

 

1) On the client, add the following to /etc/ssh/ssh_config:

HostBasedAuthentication yes

 

2) On the server, add the following to /etc/ssh/sshd_config:

HostBasedAuthentication yes

 

3) On the server, create the file /etc/ssh/shosts.equiv (if it does not exist) and add the hostname(s) of the authorised client(s). If you are using DNS, then use the DNS host name of the client, for example:

afterburner, or, afterburner.example.com

 

4) Set IgnoreRhosts to no in the server’s /etc/ssh/sshd_config file

 

5) Set PasswordAuthentication to no in the server’s /etc/ssh/sshd_config file

 

6) Set PAMAuthenticationViaKBDInt to no in the server’s /etc/ssh/sshd_config file

 

7) On the server, create the file /etc/ssh/ssh_known_hosts (if it does not exist)

 

8) Copy the host RSA public key from the client (on OpenSolaris snv_134 x64 this is /etc/ssh/ssh_host_rsa_key.pub) into the /etc/ssh/ssh_known_hosts file on the server

 

9) Edit the host RSA public key entry in /etc/ssh/ssh_known_hosts such that the first field in the file is the host name of the connecting client. If you are using DNS, then use the DNS host name of the client, for example:

afterburner, or, afterburner.example.com


 

10) On the server, restart the ssh service:

# svcadm -v restart ssh

 

Done. Now test:

$ ssh ledstorm
Last login: Wed May 26 21:41:30 2010 from afterburner
Sun Microsystems Inc. SunOS 5.10 Generic January 2005
$
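
A check of the server-side files from steps 2 to 9, useful before the restart in step 10 given the lock-out risk mentioned earlier. This is an added example, not part of the original post: the function names check_hostbased and sshd_value, the second client name gunsmoke and the key blob are made up for illustration, and it assumes a POSIX sh and awk, plain host names in shosts.equiv and unhashed ssh_known_hosts entries.

```shell
#!/bin/sh
# Added example: audit the server-side files produced by steps 2-9.
# Assumes plain host names in shosts.equiv and unhashed ssh_known_hosts.

# Print the value of keyword $2 in sshd_config $1 (first match, lower-cased).
sshd_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print tolower($2); exit }' "$1"
}

# Report every mismatch under directory $1 (default /etc/ssh); return 1 if any.
check_hostbased() {
    dir=${1:-/etc/ssh}
    rc=0
    for f in sshd_config shosts.equiv ssh_known_hosts; do
        [ -f "$dir/$f" ] || { echo "$dir/$f is missing"; return 1; }
    done
    # Steps 2, 4, 5, 6: required sshd_config values.
    for pair in HostBasedAuthentication=yes IgnoreRhosts=no \
                PasswordAuthentication=no PAMAuthenticationViaKBDInt=no; do
        key=${pair%%=*} want=${pair#*=}
        got=$(sshd_value "$dir/sshd_config" "$key")
        [ "$got" = "$want" ] && continue
        echo "sshd_config: $key is '${got:-unset}', expected '$want'"
        rc=1
    done
    # Steps 3 and 7-9: each client in shosts.equiv needs a known_hosts line
    # whose first (comma-separated) field names it.
    while read -r host rest; do
        case $host in ''|'#'*) continue ;; esac
        awk -v h="$host" '
            $1 !~ /^#/ { n = split($1, names, ",")
                         for (i = 1; i <= n; i++) if (names[i] == h) found = 1 }
            END { exit !found }' "$dir/ssh_known_hosts" ||
            { echo "ssh_known_hosts: no key for $host"; rc=1; }
    done < "$dir/shosts.equiv"
    return $rc
}

# Constructed sample: 'gunsmoke' is a made-up second client with no host key.
demo_dir=$(mktemp -d)
printf '%s\n' 'HostBasedAuthentication yes' 'IgnoreRhosts no' \
    'PasswordAuthentication no' 'PAMAuthenticationViaKBDInt no' > "$demo_dir/sshd_config"
printf '%s\n' afterburner gunsmoke > "$demo_dir/shosts.equiv"
echo 'afterburner,afterburner.example.com ssh-rsa AAAAconstructedkey' > "$demo_dir/ssh_known_hosts"
check_hostbased "$demo_dir" || echo "host-based authentication is not fully configured"
```

On the real server, run `check_hostbased /etc/ssh` as a user who can read those three files; no output and exit status 0 mean every step is reflected on disk.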