For all that the SSH program suite is wonderful, one of its weaknesses is that it’s not at all easy to specify a password so that you can include it (or its file-transfer cousin sftp) in a shell script.

When I worked with sftp for my book Wicked Cool Shell Scripts I ended up deciding that it was easier and more secure to prompt for the password rather than save it in a data file or similar.

However, there are a couple of ways that I think you could explore to make SSH completely script-friendly:

If you can add data files on both your system and the remote system you’ll be connecting to, you can try adding entries to the /etc/hosts.equiv or /etc/shosts.equiv files.

“First, if the machine the user logs in from is listed in /etc/hosts.equiv or /etc/shosts.equiv on the remote machine, and the user names are the same on both sides, the user is immediately permitted to log in. Second, if .rhosts or .shosts exists in the user’s home directory on the remote machine and contains a line containing the name of the client machine and the name of the user on that machine, the user is permitted to log in. This form of authentication alone is normally not allowed by the server because it is not secure.”

As the documentation itself says, this isn’t a particularly secure method at all, and it has plenty of holes that leave you open to exploits. Most smart admins will automatically axe any .rhosts or hosts.equiv files, whether in /etc (hugely dangerous) or in an individual user’s home directory (still pretty dangerous).

Instead, there’s a more complex solution that involves using rhosts combined with RSA authentication:

“The second authentication method is the rhosts or hosts.equiv method combined with RSA-based host authentication. It means that if the login would be permitted by $HOME/.rhosts, $HOME/.shosts, /etc/hosts.equiv, or /etc/shosts.equiv, and if additionally the server can verify the client’s host key (see /etc/ssh_known_hosts and $HOME/.ssh/known_hosts in the FILES section), only then is login permitted. This authentication method closes security holes due to IP spoofing, DNS spoofing and routing spoofing.”
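As an added example that is not code from the original post, the shell functions below audit a host for the rhosts-style trust files discussed above and read how sshd is configured to treat them. It assumes OpenSSH, where the HostbasedAuthentication and IgnoreRhosts keywords are the modern form of the RSA-based host authentication the man page text describes; every file written by make_fixture is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not code from the original post): audit the rhosts-style trust
# files the post discusses and read how sshd is configured to treat them. Paths
# are parameters so the functions can run against the constructed fixture below.

# List hosts.equiv / shosts.equiv under ETC and .rhosts / .shosts directly under
# each home in HOME_ROOT; the post's advice is to remove every one of these.
find_trust_files() {
    for f in "$1/hosts.equiv" "$1/shosts.equiv"; do
        if [ -f "$f" ]; then printf '%s\n' "$f"; fi
    done
    find "$2" -mindepth 2 -maxdepth 2 -type f \( -name .rhosts -o -name .shosts \)
}

# A bare "+" in the host field of an equiv/rhosts file trusts every host at once.
find_wildcard_trust() {
    find_trust_files "$1" "$2" | while IFS= read -r f; do
        if grep -Eq '^[[:blank:]]*\+([[:blank:]]|$)' "$f"; then printf '%s\n' "$f"; fi
    done
}

# Effective value of an sshd_config keyword: sshd takes the first occurrence and
# keywords are case-insensitive. Match blocks are ignored here (assumed absent).
sshd_option() {
    val=$(awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        '/^[ \t]*#/ || NF < 2 { next } tolower($1) == k { print $2; exit }' "$1")
    printf '%s\n' "${val:-$3}"
}

# Verdict for one host. The post's second method (trust file plus a verified
# client host key) is OpenSSH HostbasedAuthentication (default no); IgnoreRhosts
# (default yes) makes sshd skip per-user .rhosts/.shosts even when it is on.
trust_verdict() {
    n=$(find_trust_files "$1" "$2" | wc -l | tr -d ' ')
    hb=$(sshd_option "$3" HostbasedAuthentication no)
    if [ "$n" -eq 0 ]; then echo clean
    elif [ "$hb" = yes ]; then echo hostbased-trust-active
    else echo stale-trust-files   # sshd ignores them, but rsh/rlogin would not
    fi
}

# Constructed fixture, not a real host: an etc dir, two homes and an sshd_config.
make_fixture() {
    d=$(mktemp -d); mkdir -p "$d/etc" "$d/home/alice" "$d/home/bob"
    printf 'build01 alice\n' > "$d/etc/shosts.equiv"
    printf '+ root\n' > "$d/home/bob/.rhosts"    # wildcard host: trusts any host
    printf 'HostbasedAuthentication yes\n# IgnoreRhosts no\n' > "$d/etc/sshd_config"
    printf '%s\n' "$d"
}
```

Run it against a real machine as `trust_verdict /etc /home /etc/sshd_config`; anything other than `clean` means the trust files the post warns about are still present.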