previous page: 15 Tcp wrappers (tcpd) thinks all hosts are 0.0.0.0 in Solaris 8 or in some versions of AIX.
  
page up: comp.security.unix and comp.security.misc FAQ
  
next page: 17 Should I block all ICMP at my firewall/router?

16 I can't get .rhosts/.shosts to work with ssh.

This article is from the comp.security.unix and comp.security.misc FAQ, by Alan J Rosenthal flaps@dgp.toronto.edu with numerous contributions by others.

If ssh doesn't do what you want, the output of "ssh -v" may be helpful.

For .rhosts or .shosts (or hosts.equiv or shosts.equiv) to take effect with
ssh with the default configuration, a few somewhat unobvious things must be
the case. These are all good restrictions and the rationale is included here.

* The request must be coming in from a "privileged port"; thus, the ssh
client must be setuid. Without this restriction, any user could
masquerade (for the purposes of passwordless login) as any other on the
same source machine. (Even with it, root can; but there's no way to
restrict THAT without the user typing something or involving a third
machine (i.e. some hardware which root doesn't have access to).) Also,
the ssh client must be able to read /etc/ssh_host_key (the private one)
to be able to do the public key authentication thing to prove you're on
the host whose IP address you're using. N.B. that the 1.2.25 makefile
sometimes turns off the setuid bit on ssh when doing a "make install"
(it's a bug in the makefile, fixed in 1.2.26).

* .rhosts or .shosts must be owned by the appropriate user and not be
writable by group or others. Sshd does not check for the situation of
single-user groups common on some versions of unix these days (especially
some versions of GNU/Linux); you have to chmod g-w .rhosts/.shosts if your
umask is 2. (There is no way for sshd to detect the single-user group
situation; current membership of size one doesn't tell you its history.)
Similarly, your home directory should not be writable by group or others.

* The source host must be in /etc/ssh_known_hosts or
~user/.ssh/known_hosts on the target machine.
This is the difference between "RhostsRSAAuthentication" (allowed by
default) and "RhostsAuthentication" (disallowed by default). Without
this, ssh is not gaining you any login security, although it is still
gaining you anti-sniffing security.

When all else fails, try "ssh -v".
Take further questions to comp.security.ssh.
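The following shell functions are an added example (not part of the FAQ) that check the preconditions listed above on the target host: home directory and .rhosts/.shosts ownership and permissions, the setuid bit on a client binary, and whether the source host is named in a known_hosts file. They rely only on POSIX ls/awk column parsing; the file paths passed in and the sample known_hosts line are assumptions for illustration.

```sh
#!/bin/sh
# Added diagnostic for the FAQ's .rhosts/.shosts preconditions; not FAQ code.
# Uses only POSIX ls/awk column parsing; paths are supplied by the caller.

# 0 if FILE is not writable by group or others (ls -l columns 6 and 9).
not_group_other_writable() {
  case "$(ls -ld "$1" | cut -c1-10)" in
    ?????w*|????????w?) return 1 ;;
  esac
  return 0
}

# 0 if FILE is owned by numeric uid UID (third field of ls -n).
owned_by() {
  [ "$(ls -ldn "$1" | awk '{print $3}')" = "$2" ]
}

# 0 if PATH carries the setuid bit (owner-execute column is s or S).
is_setuid() {
  case "$(ls -ld "$1" | cut -c4)" in s|S) return 0 ;; esac
  return 1
}

# 0 if HOST is listed in KNOWN_HOSTS (first field, comma-separated names).
host_is_known() {
  awk -v h="$2" '$0 !~ /^#/ { n = split($1, a, ",")
      for (i = 1; i <= n; i++) if (a[i] == h) found = 1 }
    END { exit(found ? 0 : 1) }' "$1"
}

# check_rhosts_setup HOME UID KNOWN_HOSTS SRCHOST: print each violated
# precondition from the FAQ; the return value is the number of problems.
check_rhosts_setup() {
  home=$1 uid=$2 kh=$3 src=$4 problems=0
  not_group_other_writable "$home" ||
    { echo "$home is group/other writable"; problems=$((problems + 1)); }
  for f in "$home/.rhosts" "$home/.shosts"; do
    [ -e "$f" ] || continue
    owned_by "$f" "$uid" ||
      { echo "$f is not owned by uid $uid"; problems=$((problems + 1)); }
    not_group_other_writable "$f" ||
      { echo "$f is group/other writable: chmod g-w,o-w $f"; problems=$((problems + 1)); }
  done
  host_is_known "$kh" "$src" ||
    { echo "$src not in $kh: RhostsRSAAuthentication cannot succeed"; problems=$((problems + 1)); }
  return $problems
}
```

On the target machine, `check_rhosts_setup "$HOME" "$(id -u)" /etc/ssh_known_hosts client.example.com` lists every precondition the FAQ names that is not met, and `is_setuid /usr/local/bin/ssh` answers the first bullet on the client side.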
