VMware Cloud Community
averlon
Enthusiast

ssh hostbased not possible to root

Hi,

I have already been dealing for a long time with ssh scenarios from clients to servers with authentication via public keys, but also hostbased (without password).

Within my ubuntu environment I meanwhile have a setup to allow both, depending on the need.

I have managed to setup the same with my esxi.

As always, there is a but!!!

I am able to run a hostbased ssh-connection from my client to a user <> root on the esxi.

Like: ssh user2@esxihost

This works. And the log messages say the hostbased (passwordless) login works.

When I do it from my client (same user) to root at the esxi host, a hostbased ssh connection fails, but with no really helpful message in the logs, although loglevel = debug.

An ssh connection to root via RSA key works fine.

Since the configuration is set up to try several methods, hostbased first but publickey and keyboard-interactive next, the ssh connection works anyhow, since publickey works fine.

Is there anything anyone can tell me about why an ssh connection to root@esxihost could be blocked?

In sshd_config the PermitRootLogin = yes is set.

Help or hints welcome

Regards

Karl-Heinz

Regards Karl-Heinz
averlon
Enthusiast

Hi Community,

I found the answer myself.

A look at the manpage for "hosts.equiv", which is identical to "/etc/ssh/shosts.equiv" but only for ssh instead of rsh, shows:

"
The file uses the following format:

       [ + | - ] [hostname] [username]

       The hostname is the name of a host which is logically equivalent to the
       local host. Users logged into that host are allowed to access like-named
       user accounts on the local host without supplying a password. The
       hostname may be (optionally) preceded by a plus (+) sign. If the plus
       sign is used alone it allows any host to access your system. You can
       explicitly deny access to a host by preceding the hostname by a minus (-)
       sign. Users from that host must always supply a password. For security
       reasons you should always use the FQDN of the hostname and not the short
       hostname.

       The username entry grants a specific user access to all user accounts
       (except root) without supplying a password.
"

That's the answer.

Keep it in mind - I will!
Regards Karl-Heinz
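As an added example (not part of the original thread and not VMware or OpenSSH code), the following Python evaluator models the shosts.equiv rules exactly as the manpage excerpt above describes them, so an administrator can check in advance which (client host, client user, target account) combinations a given file would grant without a password, and in particular see why root is never one of them. The rules for `+`, `-`, like-named accounts and the username entry come from the quoted text; the blanket root exclusion follows OpenSSH's auth-rhosts.c, which does not consult the system-wide hosts.equiv/shosts.equiv files for uid 0 at all (root can only be matched through ~root/.shosts, subject to IgnoreRhosts). That root rule, the treatment of `#` as a comment, and the sample file contents are assumptions made for the example.

```python
# Added example, not code from the original post or from OpenSSH.
# Models /etc/ssh/shosts.equiv semantics as quoted from hosts.equiv(5):
#   [ + | - ] [hostname] [username]
# Assumptions beyond the quoted text: '#' starts a comment, a username on a
# '-' line narrows the denial to that user, and the system-wide file never
# grants root (mirrors OpenSSH auth-rhosts.c, which skips it for uid 0).
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class EquivRule:
    deny: bool               # leading '-': users from this host must always authenticate
    hostname: Optional[str]  # None means "any host" (a bare '+')
    username: Optional[str]  # None means "like-named accounts only"


def parse_equiv_line(line: str) -> Optional[EquivRule]:
    """Parse one line; returns None for blank lines and comments."""
    body = line.split("#", 1)[0].strip()
    if not body:
        return None
    fields = body.split()
    host_field = fields[0]
    username = fields[1] if len(fields) > 1 else None
    if host_field == "+":  # bare plus: any host is trusted
        return EquivRule(deny=False, hostname=None, username=username)
    if host_field.startswith("-"):
        return EquivRule(deny=True, hostname=host_field[1:].lower(), username=username)
    if host_field.startswith("+"):
        host_field = host_field[1:]
    return EquivRule(deny=False, hostname=host_field.lower(), username=username)


def parse_equiv(text: str) -> list[EquivRule]:
    """Parse a whole shosts.equiv file into an ordered rule list."""
    return [r for r in (parse_equiv_line(ln) for ln in text.splitlines()) if r is not None]


def hostbased_allowed(rules: list[EquivRule], client_host: str,
                      client_user: str, target_account: str) -> tuple[bool, str]:
    """Decide whether client_user@client_host may log in as target_account without a password."""
    if target_account == "root":
        # Assumed: the system-wide equiv files are never consulted for root.
        return (False, "system-wide equiv files are never consulted for root")
    client_host = client_host.lower()
    for rule in rules:
        if rule.hostname is not None and rule.hostname != client_host:
            continue
        if rule.deny:
            if rule.username is None or rule.username == client_user:
                return (False, f"host {client_host} explicitly denied")
            continue
        if rule.username is None:
            # Host-only entry: only like-named accounts are granted.
            if client_user == target_account:
                return (True, f"like-named account via host entry {rule.hostname or '+'}")
        elif rule.username == client_user:
            # Username entry: this user may become any non-root account.
            return (True, f"user entry grants {client_user} access to non-root accounts")
    return (False, "no matching entry")


def lint_equiv(rules: list[EquivRule]) -> list[str]:
    """Flag the two risky patterns the manpage warns about."""
    warnings = []
    for rule in rules:
        if rule.hostname is None:
            warnings.append("bare '+' allows any host to access this system")
        elif "." not in rule.hostname:
            warnings.append(f"short hostname {rule.hostname!r}; use the FQDN")
    return warnings


# Constructed sample file for the example, not a real host list.
EXAMPLE_SHOSTS_EQUIV = """\
# trusted management host
client.example.net            # like-named accounts from this host
client.example.net user2      # user2 may log in as any non-root account
-rogue.example.net            # never trust this host
"""

if __name__ == "__main__":
    rules = parse_equiv(EXAMPLE_SHOSTS_EQUIV)
    for host, user, target in [("client.example.net", "user2", "user2"),
                               ("client.example.net", "user2", "root"),
                               ("client.example.net", "user2", "backup"),
                               ("rogue.example.net", "user2", "user2")]:
        print(f"{user}@{host} -> {target}: {hostbased_allowed(rules, host, user, target)}")
    print(lint_equiv(parse_equiv("+\nesxihost user2\n")))
```

Running the block prints one decision per attempt; the `user2 -> root` line is refused regardless of the file contents, which is the situation described in the thread, while the same user reaching `user2` or `backup` is granted. `lint_equiv` is a quick pre-deployment check for the bare `+` and short-hostname patterns the manpage advises against.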