Managing Secure Shell Access in Oracle® Solaris 11.3

Updated: October 2019

How to Set Up Host-Based Authentication for Secure Shell

The following procedure sets up a public key system where the client's public key is used for authentication on the Secure Shell server. The user must also create a public/private key pair.

In the procedure, the terms client and local host refer to the system where a user types the ssh command. The terms server and remote host refer to the system that the client is trying to reach.

Before You Begin

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

  1. On the client, enable host-based authentication.

    In the client configuration file, /etc/ssh/ssh_config, add the following entry:

    HostbasedAuthentication yes

    For the syntax of the file, see the ssh_config(4) man page.

  2. On the Secure Shell server, enable host-based authentication.

    In the server configuration file, /etc/ssh/sshd_config, add the same entry:

    HostbasedAuthentication yes

  3. On the server, either you or the user should configure a file that enables the client to be recognized as a trusted host.

    For more information, see the FILES section of the sshd(1M) man page.

    • If you are doing the configuration, add the client as an entry to the server's /etc/ssh/shosts.equiv file.
    • If your users are doing the configuration, they should add an entry for the client to their ~/.shosts file on the server.
  4. On the server, ensure that the sshd daemon can access the list of trusted hosts.

    Set IgnoreRhosts to no in the /etc/ssh/sshd_config file.

    ## sshd_config
    IgnoreRhosts no

  5. Ensure that users of Secure Shell at your site have accounts on both hosts.
  6. Put the client's public key on the server using one of the following methods:
    • Modify the sshd_config file on the server, then instruct your users to add the client's public host keys to their ~/.ssh/known_hosts file.
      ## sshd_config
      IgnoreUserKnownHosts no

      For user instructions, see How to Generate a Public/Private Key Pair for Use With Secure Shell.

    • Copy the client's public key to the server.

      The host keys are stored in the /etc/ssh directory. The keys are typically generated by the sshd daemon on first boot.

      1. Add the key to the /etc/ssh/ssh_known_hosts file on the server.

        On the client, type the following command on one line with no backslash.

        # cat /etc/ssh/ssh_host_rsa_key.pub | ssh RemoteSys \
        'cat >> /etc/ssh/ssh_known_hosts && echo "Host key copied"'

        Note -  If host keys are missing from the server, using Secure Shell generates an error message similar to the following:
        Client and server could not agree on a key exchange algorithm:
        client "diffie-hellman-group-exchange-sha256,diffie-hellman-group-
        server "gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==". Make sure host keys 
        are present and accessible by the server process. For more information, see 
        the description of the HostKey keyword in ssd_config(4). 

      2. When you are prompted, supply your login password.

        When the file is copied, the message "Host key copied" is displayed.

      3. Prepend RemoteHost to the copied entry in the ssh_known_hosts file.

        Each line in the /etc/ssh/ssh_known_hosts file consists of fields that are separated by spaces:

        hostnames algorithm-name publickey comment

        Place RemoteHost in the hostnames field.

        ## /etc/ssh/ssh_known_hosts File
        RemoteHost <copied entry>

Example 2  Setting Up Host-based Authentication

    In the following example, each host is configured as a server and as a client. A user on either host can initiate an ssh connection to the other host. The following configuration makes each host a server and a client:

  • On each host, the Secure Shell configuration files contain the following entries:

    ## /etc/ssh/ssh_config
    HostBasedAuthentication yes
    ## /etc/ssh/sshd_config
    HostBasedAuthentication yes
    IgnoreRhosts no
  • On each host, the shosts.equiv file contains an entry for the other host:

    ## /etc/ssh/shosts.equiv on system2
    system1
    ## /etc/ssh/shosts.equiv on system1
    system2
  • The public key for each host is in the /etc/ssh/ssh_known_hosts file on the other host:

    ## /etc/ssh/ssh_known_hosts on system2
    ... system1
    ## /etc/ssh/ssh_known_hosts on system1
    ... system2
  • Users have an account on both hosts. For example, the following information would appear for user Jane Doe:

    ## /etc/passwd on system1
    jdoe:x:3111:10:J Doe:/home/jdoe:/bin/sh
    ## /etc/passwd on system2
    jdoe:x:3111:10:J Doe:/home/jdoe:/bin/sh
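
The following check is an added example, not part of Oracle's documentation: it audits a copy of the /etc/ssh files that the procedure edits and confirms that every host trusted in shosts.equiv also has a public key in ssh_known_hosts. The function names, the sample directory and the placeholder key are assumptions; the check expects one hostname per line in shosts.equiv and does not cover per-user ~/.shosts or ~/.ssh/known_hosts files.

```sh
#!/bin/sh
# Added example (not Oracle's code): audit the files this procedure edits.
# Function names are hypothetical; pass a directory so a copy can be checked.

# Print the lowercased value of the first uncommented KEYWORD line in FILE.
# Assumption: keywords are case-insensitive and the first occurrence wins.
kw_value() {
    awk -v k="$1" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$2"
}

# Succeed if HOST appears in the comma-separated hostnames field of FILE.
has_key() {
    awk -v h="$1" '{ n = split($1, a, ","); for (i = 1; i <= n; i++)
        if (a[i] == h) found = 1 } END { exit !found }' "$2"
}

# check_hostbased DIR: print each problem found; return 0 only if none.
check_hostbased() {
    dir=$1 rc=0
    for f in ssh_config sshd_config shosts.equiv ssh_known_hosts; do
        [ -r "$dir/$f" ] || { echo "$f: missing or unreadable"; return 1; }
    done
    [ "$(kw_value HostbasedAuthentication "$dir/ssh_config")" = yes ] ||
        { echo "ssh_config: HostbasedAuthentication is not yes"; rc=1; }
    [ "$(kw_value HostbasedAuthentication "$dir/sshd_config")" = yes ] ||
        { echo "sshd_config: HostbasedAuthentication is not yes"; rc=1; }
    [ "$(kw_value IgnoreRhosts "$dir/sshd_config")" = no ] ||
        { echo "sshd_config: IgnoreRhosts is not no"; rc=1; }
    # Every trusted host needs a pinned public key in ssh_known_hosts.
    while read -r host rest || [ -n "$host" ]; do
        case $host in ''|'#'*) continue ;; esac
        has_key "$host" "$dir/ssh_known_hosts" ||
            { echo "ssh_known_hosts: no key for trusted host $host"; rc=1; }
    done < "$dir/shosts.equiv"
    return $rc
}

# Constructed sample: system1's files from Example 2, with a placeholder key.
make_sample() {
    printf 'HostBasedAuthentication yes\n' > "$1/ssh_config"
    printf 'HostBasedAuthentication yes\nIgnoreRhosts no\n' > "$1/sshd_config"
    printf 'system2\n' > "$1/shosts.equiv"
    printf 'system2 ssh-rsa AAAAPLACEHOLDER root@system2\n' > "$1/ssh_known_hosts"
}

sample=$(mktemp -d) && make_sample "$sample" &&
    check_hostbased "$sample" && echo "host-based setup is consistent"
rm -rf "$sample"
```

To audit a live system, run `check_hostbased /etc/ssh` on each host; a trusted host reported without a key would be accepted by name in shosts.equiv but could not be verified against a stored public key.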