Hi,
I have been dealing for a long time with ssh scenarios from clients to servers, with authentication via public keys but also hostbased (without password).
Within my Ubuntu environment I meanwhile have a setup that allows both, depending on the need.
I have managed to set up the same with my ESXi.
As always, there is a but!!!
I am able to run a hostbased ssh-connection from my client to a user <> root on the esxi.
Like: ssh user2@esxihost
This works. And the log messages say the hostbased (passwordless) login works.
When I do it from my client (same user) to root at the esxi host, a hostbased ssh connection fails, but with no really helpful message in the logs, although loglevel = debug.
An ssh connection to root via RSA key works fine.
Since the configuration is set up to try several methods, hostbased first, then publickey and keyboard-interactive, the ssh connection works anyhow since publickey works fine.
Can anyone tell me why an ssh connection to root@esxihost could be blocked?
In sshd_config, PermitRootLogin = yes is set.
Help or hints welcome
Regards
Karl-Heinz
Hi Community,
I found the answer myself.
A look at the manpages for "hosts.equiv", which is identical to "/etc/ssh/shosts.equiv" but only for ssh instead of rsh, shows:
"
The file uses the following format:

[ + | - ] [hostname] [username]

The hostname is the name of a host which is logically equivalent to the local host. Users logged into that host are allowed to access like-named user accounts on the local host without supplying a password. The hostname may be (optionally) preceded by a plus (+) sign. If the plus sign is used alone it allows any host to access your system. You can explicitly deny access to a host by preceding the hostname by a minus (-) sign. Users from that host must always supply a password. For security reasons you should always use the FQDN of the hostname and not the short hostname.

The username entry grants a specific user access to all user accounts (except root) without supplying a password.
"
That's the answer.
Keep it in mind - I will!
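
Added example, not part of the original posts: a small Python audit of entries in the format quoted from the man page above, flagging the cases that text warns about (a bare "+", short hostnames, username entries). The sample content, hostnames and user name are constructed, and treating only whole lines starting with "#" as comments is an assumption.

```python
# Added example: audit lines in the "[ + | - ] [hostname] [username]" format.
# SAMPLE is constructed; hostnames and the user name are placeholders.
SAMPLE = """\
# trusted clients
client1.example.org
+client2.example.org
-badhost.example.org
client3
admin.example.org karl
+
"""


def parse_entry(line):
    """Return (deny, hostname, username), or None for blank/comment lines.

    Assumption: only whole lines starting with '#' are comments.
    """
    text = line.strip()
    if not text or text.startswith("#"):
        return None
    fields = text.split()
    host = fields[0]
    user = fields[1] if len(fields) > 1 else None
    deny = host.startswith("-")
    if len(host) > 1 and host[0] in "+-":
        host = host[1:]  # drop the optional sign, keep a bare "+" as-is
    return deny, host, user


def audit(text):
    """Return (line_no, code, message) for every entry worth reviewing."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        entry = parse_entry(line)
        if entry is None:
            continue
        deny, host, user = entry
        if deny:
            continue  # users from a denied host must always supply a password
        if host == "+":
            findings.append((no, "ANY_HOST", "bare '+' allows any host"))
        elif "." not in host:
            findings.append((no, "SHORT_NAME", "use the FQDN, not the short hostname"))
        if user:
            findings.append((no, "USER_ENTRY", f"'{user}' can access all accounts except root"))
    return findings


if __name__ == "__main__":
    for no, code, message in audit(SAMPLE):
        print(f"line {no}: {code}: {message}")
```

To check a real file, pass its contents to `audit()`, for example the text of /etc/ssh/shosts.equiv.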