Why is /etc/*hosts.equiv needed in Host Based Authentication?

Host based authentication requires the client host's public key to be
installed on the server host. If the client host holds the
corresponding private key, then the client host is trusted.

This seems to take care of everything, so why does Host Based
Authentication also require the presence of the /etc/hosts.equiv or
/etc/shosts.equiv files?

These files are needed for the weaker Trusted Host Authentication which
does not use keys, but I can't see why the files should be required for
Host Based Authentication.

Re: Why is /etc/*hosts.equiv needed in Host Based Authentication?

No idea what you're talking about here.

It's authentication vs authorization.  The known-hosts file enables
authentication, securely verifying the identity of the client host.  The
shosts files establish authorization: which client hosts are trusted, and
for what source/destination account pairs.

  Richard Silverman

Re: Why is /etc/*hosts.equiv needed in Host Based Authentication?

cbdeja@my-deja.com writes:

For some meanings of "trusted".

Here is an example.  I have a network of Solaris systems.  This
includes servers and client systems.  I want to be able to do
host-based authentication to the client systems from the servers.
That's used for updating software on clients, and similar purposes.
Therefore the server needs to have a copy of the client host keys
(public keys).

However, it doesn't follow that I trust those client systems
sufficiently to allow unrestricted host based authentication to the
server system.  The principal user of the client system can set up his
own host-based authentication using $HOME/.shosts .  But there is no
reason to allow him to break into a different account on his client
system and then use that for host based authentication to gain access
to that different account on the server.

Re: Why is /etc/*hosts.equiv needed in Host Based Authentication?

Ah, right. So for Trusted Host Authentication it is the
/etc/hosts.equiv file(s) which actually grant or deny access to the
hosts specified in the files.

This is therefore exactly the same as in the weaker Trusted Host

But, with Host Based Authentication the client's public host key
installed on the server is just an extra check to ensure that the
client really IS the machine it claims to be. The keys actually say
nothing about which machines are allowed access to the server.

Trusted Host Authentication can therefore only succeed if the client
host "X" is granted access in the /etc/hosts.equiv file(s), AND the
client can prove that it really is "X".

Thanks. That makes it a lot clearer.
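
The two checks discussed in this thread (is the host's key known, and is the host listed as trusted), as an added example that is not part of the original posts and is not sshd's code. The function names, the `signature_ok` flag and the sample file contents are assumptions made for illustration; wildcards, netgroups and per-user `.shosts` files are left out.

```python
# Simplified model of the server-side decision; not sshd's actual code.
# Wildcards, netgroups and per-user .shosts files are not modelled.

KNOWN_HOSTS = """\
# constructed sample: host, key type, placeholder key blob
client1.example.com ssh-ed25519 KEYBLOB-CLIENT1
client2.example.com ssh-ed25519 KEYBLOB-CLIENT2
"""
SHOSTS_EQUIV = """\
# constructed sample: only client1 is trusted for same-name logins
client1.example.com
"""

def parse_known_hosts(text):
    """Authentication data: hostname -> set of (keytype, blob)."""
    keys = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3:
            for name in fields[0].split(","):
                keys.setdefault(name, set()).add((fields[1], fields[2]))
    return keys

def parse_equiv(text):
    """Authorization data: ordered (negated, host, user_or_None) rules."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:
            user = fields[1] if len(fields) > 1 else None
            rules.append((fields[0].startswith("-"), fields[0].lstrip("-"), user))
    return rules

def decide(host, client_user, server_user, key, signature_ok, known, rules):
    # Step 1, authentication: the presented key must be the one on file for
    # this host, and the client must have proved it holds the private key
    # (signature_ok stands in for the signature verification).
    if key not in known.get(host, set()) or not signature_ok:
        return "denied: host not authenticated"
    # Step 2, authorization: first matching rule wins, no match means no trust.
    for negated, rule_host, rule_user in rules:
        # A host-only line requires the same account name on both sides.
        if rule_host == host and client_user == (rule_user or server_user):
            return "denied: host excluded" if negated else "accepted"
    return "denied: host not authorized"
```

In this model client2 has a key on file, as in the software-update scenario above, yet is refused because nothing in the equiv data lists it.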
