[Beowulf] Passwordless ssh - strange problem


Mark Hahn hahn at mcmaster.ca
Sat Sep 15 11:08:34 PDT 2007


> I haven't had to do this before. Can you explain a bit more (I'm
> reading the man page now).

ssh-agent is a very nice way to use ssh very securely.  "very securely"
here means that you use a pubkey with a passphrase.  but instead of 
having to re-type the passphrase every time the pk is used, ssh-agent
acts as a proxy to do it for you.  this is a form of two-factor
authentication.

the alternative is a passphrase-less pk, which is then exactly 
analogous to a physical key, and is one-factor.  if someone gets 
a copy of your private key, they 0wn your accounts.

in the context of a cluster, passphraseless pk seems to be fairly
commonly used to permit no-password logins among nodes.  oscar,
iirc, goes so far as to screw with your .authorized_keys file to 
make this work.

if you want passphraseless login among a set of machines, IMO it's 
much more sensible to just use the hostbased mode of ssh.  basically,
hosts always mutually authenticate themselves (that's what the 
known_hosts stuff is all about), so you just add trusted hosts to 
/etc/ssh/shosts.equiv.  (hostbased is not normally a default config,
since it's inappropriate in normal server farms, but is not hard to 
set up:
 	- fill in /etc/ssh/ssh_known_hosts (perhaps via ssh-keyscan).
 	- list trusted hosts in shosts.equiv.
 	- add "HostbasedAuthentication yes" to /etc/ssh/sshd_config
 	and ssh_config, and "EnableSSHKeysign yes" to sshd_config.)

I think hostbased ssh is very appropriate within a cluster or perhaps 
even within any single domain of administrative control.  I strongly 
recommend users use ssh-agent and passphrase-protected pk to login, though.

regards, mark hahn.
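
An audit of the three setup steps listed in the message above, added here as an example; it is not part of the original post or of OpenSSH. The function names, the ROOT prefix argument and the sample node names are assumptions; EnableSSHKeysign is looked up in ssh_config, where ssh_config(5) documents it, and ssh_known_hosts is assumed to be unhashed.

```sh
# Added example: audit the hostbased setup steps under ROOT/etc/ssh.
# Assumes unhashed ssh_known_hosts; Host/Match blocks are not evaluated.

# has_opt FILE KEYWORD VALUE: true if the first uncommented KEYWORD is VALUE (first value wins).
has_opt() {
    awk -v k="$2" -v v="$3" '
        { line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t]*=[ \t]*/, " ", line)
          split(line, f, /[ \t]+/) }
        f[1] ~ /^#/ { next }
        tolower(f[1]) == tolower(k) { found = (tolower(f[2]) == tolower(v)); exit }
        END { exit !found }' "$1" 2>/dev/null
}

# host_has_key FILE HOST: true if HOST is named in a known_hosts host field.
host_has_key() {
    awk -v h="$2" '
        /^[ \t]*(#|$)/ { next }
        { n = split($1, names, ",")
          for (i = 1; i <= n; i++) if (names[i] == h) { ok = 1; exit } }
        END { exit !ok }' "$1" 2>/dev/null
}

# check_hostbased ROOT: print each gap found; return 0 only if there are none.
check_hostbased() {
    d="$1/etc/ssh"; rc=0
    has_opt "$d/sshd_config" HostbasedAuthentication yes ||
        { echo "sshd_config: HostbasedAuthentication is not yes"; rc=1; }
    has_opt "$d/ssh_config" HostbasedAuthentication yes ||
        { echo "ssh_config: HostbasedAuthentication is not yes"; rc=1; }
    has_opt "$d/ssh_config" EnableSSHKeysign yes ||
        { echo "ssh_config: EnableSSHKeysign is not yes"; rc=1; }
    [ -r "$d/shosts.equiv" ] || { echo "shosts.equiv: not readable"; return 1; }
    while read -r host rest; do
        h=${host#+}
        case $h in ''|'#'*|-*) continue ;; esac   # skip blanks, comments, negated entries
        host_has_key "$d/ssh_known_hosts" "$h" ||
            { echo "ssh_known_hosts: no key for trusted host $h"; rc=1; }
    done < "$d/shosts.equiv"
    return $rc
}

# make_sample ROOT: write a constructed two-node configuration (placeholder key).
make_sample() {
    mkdir -p "$1/etc/ssh"
    printf 'HostbasedAuthentication yes\n' > "$1/etc/ssh/sshd_config"
    printf 'HostbasedAuthentication yes\nEnableSSHKeysign yes\n' > "$1/etc/ssh/ssh_config"
    printf '# compute nodes\nnode01\nnode02\n' > "$1/etc/ssh/shosts.equiv"
    printf 'node01,node02 ssh-ed25519 PLACEHOLDER\n' > "$1/etc/ssh/ssh_known_hosts"
}
```

On a live host, `sshd -T` and `ssh -G <host>` print the effective values, including anything set in Match or Host blocks that this check does not evaluate.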


