Opened 14 years ago

Closed 12 years ago

#23 closed enhancement (fixed)

Host-based auth for inter-scripts-server login?

Reported by: broder
Owned by: quentin
Priority: minor
Milestone:
Component: web
Keywords:
Cc:

Description

Get around the logview bug where it doesn't display errors for both servers by allowing one server to login to the other.

(Taken from RT #464449)

Change History (4)

comment:1 Changed 14 years ago by broder

It occurred to me that one way to work around the logview bug (that it only displays the results on the current server, usually scripts4), and to increase users' ability to investigate any differences between the two servers, is to allow host-based authentication between the scripts servers. This would allow you to "ssh scripts3" from scripts4 (the primary), and run logview there.

I believe this involves adding:

  • "HostbasedAuthentication yes" to /etc/ssh/{ssh,sshd}_config
  • "EnableSSHKeysign yes" to /etc/ssh_config
  • all the servers' names to /etc/ssh/shosts.equiv
  • /etc/ssh/ssh_host_dsa_key.pub to /etc/ssh/ssh_known_hosts
  • and possibly code to print out instructions at the top of mbash.

There's also an RhostsRSAAuthentication. As best as I can tell, this is for SSH 1 instead of SSH 2, so we can ignore it, but another person with more SSH security clue should figure out whether the solution I propose is secure and reasonable.

As best as I can tell I don't think this introduces any security vulnerabilities; it's already more or less easy to gain access as the same user to the other scripts servers, by modifying some code and getting the other server to run it. Even root logins via this method don't seem like they'd pose a problem, since we're only trusting scripts servers, not any other servers.

-- Geoffrey Thomas geofft@…

comment:2 Changed 14 years ago by price

This looks like a sound and very doable approach to one half of the problem in #49. This alone would give users twice the error messages they get now, and twice the joy!

comment:3 Changed 13 years ago by quentin

  • Owner set to quentin
  • Status changed from new to assigned

I've worked on implementing this. I believe everything is configured correctly, but sshd spews this error:

       userauth_hostbased mismatch: client sends old-faithful.mit.edu, but we resolve 172.21.0.53 to 172.21.0.53
       Failed hostbased for quentin from 172.21.0.53 port 40800 ssh2
       userauth_hostbased mismatch: client sends old-faithful.mit.edu, but we resolve 172.21.0.53 to 172.21.0.53
       Failed hostbased for quentin from 172.21.0.53 port 40800 ssh2

I've already put 172.21.0.53 in /etc/hosts with the name old-faithful.mit.edu, but sshd doesn't seem to be honoring that.

comment:4 Changed 12 years ago by mitchb

  • Resolution set to fixed
  • Status changed from assigned to closed

This totally works now. It spews at us, but "meh." I tried all the options I could find, including HostbasedUsesNameFromPacketOnly. We can get it to decrease the spew from 3 messages to 1 message, but we don't seem to be able to get rid of the last one. Oh, well. At least people can use it.
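Added example, not code from this ticket or from the scripts servers: a small POSIX shell helper set that mirrors the checks sshd makes for HostbasedAuthentication, covering the shosts.equiv and ssh_known_hosts entries listed in comment:1 and the reverse-lookup mismatch logged in comment:3. It assumes a Linux host with getent; the file paths are OpenSSH defaults and any host names fed to it are the caller's.

```shell
#!/bin/sh
# Added example (not from the ticket). Checks the pieces sshd needs for
# host-based auth from one scripts server to another, and parses the
# "userauth_hostbased mismatch" log lines sshd emits when they are missing.

# The name sshd compares against, unless HostbasedUsesNameFromPacketOnly is
# set, comes from a reverse lookup of the peer address. getent goes through
# nsswitch, so /etc/hosts counts. Falling back to the bare IP reproduces the
# "we resolve X to X" case seen in the log.
reverse_name() {
    name=$(getent hosts "$1" | awk 'NR == 1 { print $2 }')
    printf '%s\n' "${name:-$1}"
}

# Turn sshd mismatch lines (stdin) into "<name client sent> <name server
# resolved>" pairs so the gap between the two can be reviewed or alerted on.
parse_mismatches() {
    sed -n 's/^.*userauth_hostbased mismatch: client sends \([^,]*\), but we resolve [^ ]* to \([^ ]*\).*$/\1 \2/p'
}

# Prints 1 if host $1 has a plain entry in the shosts.equiv-style file $2.
# Only bare "hostname [username]" lines are recognized; "#" starts a comment.
in_shosts_equiv() {
    awk -v h="$1" '$0 !~ /^[[:space:]]*#/ && $1 == h { found = 1 }
                   END { print found + 0 }' "$2"
}

# Prints 1 if a host key for $1 exists in the ssh_known_hosts-style file $2.
# The host field is a comma-separated list; hashed entries ("|1|...") cannot
# be matched by name and are skipped.
in_known_hosts() {
    awk -v h="$1" '
        NF == 0 || $1 ~ /^#/ || index($1, "|1|") == 1 { next }
        { n = split($1, hosts, ",")
          for (i = 1; i <= n; i++) if (hosts[i] == h) found = 1 }
        END { print found + 0 }' "$2"
}

# Full check for one peer IP: returns 0 only when sshd would get a usable
# name, find it in shosts.equiv and have a host key for it.
check_peer() {
    ip=$1; equiv=${2:-/etc/ssh/shosts.equiv}; known=${3:-/etc/ssh/ssh_known_hosts}
    name=$(reverse_name "$ip"); rc=0
    [ "$name" != "$ip" ] || { echo "FAIL: no reverse name for $ip"; rc=1; }
    [ "$(in_shosts_equiv "$name" "$equiv")" = 1 ] || { echo "FAIL: $name missing from $equiv"; rc=1; }
    [ "$(in_known_hosts "$name" "$known")" = 1 ] || { echo "FAIL: no host key for $name in $known"; rc=1; }
    return $rc
}
```

Running `check_peer 172.21.0.53` on the server that logged the lines in comment:3 would report the missing reverse name first, which is the condition that has to be fixed before the shosts.equiv and known_hosts entries matter.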
