Hostbased SSH Authentication


Philip Papadopoulos

Oct 23, 2017, 5:38:56 PM
to rocks7-beta
Folks,
I'm debugging host-based authentication for CentOS7.
I'm wondering if I'm missing something.

I believe this is correct, but maybe somebody has a different solution:

1. For hostbased auth to work, the ssh-keysign executable must be able to read the host's
   private key (/etc/ssh/ssh_host_rsa_key).
2. In CentOS6,
   ssh-keysign was setgid and the group it belonged to was ssh-keys;
   /etc/ssh/ssh_host_rsa_key was set group readable and group membership of ssh-keys.
3. In CentOS7, sshd will refuse any key with "open" permissions. That means that the
   host key CANNOT be group readable.

--> ssh-keysign must be setuid so that it can read the host key.

Is there another way around this? (Some configuration option in sshd that says, THIS key is allowed to be group readable?)

If folks have any insights, let me know.

-P



======================================================
Here are the warnings that you get if permissions are group readable:

[root@rockstar-0-0 ~]# ssh rockstar-0-0
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_rsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
key_load_private_cert: bad permissions
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_rsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
key_load_private_type: bad permissions
Rocks 7.0 (Manzanita)
Profile built 08:35 23-Oct-2017

Kickstarted 08:55 23-Oct-2017
[root@rockstar-0-0 ~]#
--
Philip Papadopoulos, Ph.D
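An added example, not code from the post or from Rocks/OpenSSH, that audits the two conditions the message describes on a client host: every host private key must carry no group/other permission bits (otherwise ssh and sshd ignore it with the "bad permissions" warning shown above), and ssh-keysign must be setuid root so that an unprivileged ssh client can still sign with that key. The /etc/ssh key paths are OpenSSH's defaults; the ssh-keysign path is the one the CentOS/RHEL openssh package uses and is an assumption here; the demo at the bottom runs on files constructed in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the original post): audit host-key permissions and
# the ssh-keysign setuid bit for host-based authentication.

# Exit 0 if the file mode has no group/other permission bits, which is the
# property OpenSSH's "bad permissions" check requires of a private key.
# Uses GNU stat first, BSD stat as a fallback.
key_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 2
    # leading 0 makes the shell parse the mode as octal; 077 masks group/other
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Exit 0 if the helper is a setuid-root executable, which is what lets an
# unprivileged ssh client run ssh-keysign to read a 0600 host key.
keysign_setuid_root() {
    [ -u "$1" ] || return 1
    owner=$(stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1" 2>/dev/null) || return 2
    [ "$owner" = root ]
}

# Audit every ssh_host_*_key in a directory plus the ssh-keysign helper.
# Prints one line per finding; exit 0 only when everything passes.
# The CentOS/RHEL ssh-keysign path below is an assumption.
audit_host_keys() {
    dir=${1:-/etc/ssh}
    keysign=${2:-/usr/libexec/openssh/ssh-keysign}
    rc=0
    for k in "$dir"/ssh_host_*_key; do
        [ -e "$k" ] || continue
        if key_perms_ok "$k"; then
            echo "ok   $k"
        else
            echo "FAIL $k is group/other-readable; ssh and sshd will ignore it"
            rc=1
        fi
    done
    if [ -e "$keysign" ]; then
        if keysign_setuid_root "$keysign"; then
            echo "ok   $keysign is setuid root"
        else
            echo "FAIL $keysign is not setuid root; it cannot read a 0600 host key"
            rc=1
        fi
    fi
    return $rc
}

# Demo on constructed files: the 0640 layout from the thread next to a 0600 key.
# Expected: the rsa key fails, the ed25519 key passes, no keysign is present.
demo() {
    tmp=$(mktemp -d) || return 2
    : > "$tmp/ssh_host_rsa_key";     chmod 0640 "$tmp/ssh_host_rsa_key"
    : > "$tmp/ssh_host_ed25519_key"; chmod 0600 "$tmp/ssh_host_ed25519_key"
    audit_host_keys "$tmp" "$tmp/no-keysign"
    status=$?
    rm -rf "$tmp"
    return $status
}

demo || echo "demo reported findings (expected for the 0640 key)"
```

On a real node run `audit_host_keys /etc/ssh` as root; a FAIL line on a host key is exactly the condition that produces the warning block in the message, and a FAIL on ssh-keysign means host-based logins initiated by non-root users will not be able to sign the challenge.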