@daikumatan

OpenSSH: Trying out SSH host-based authentication (HostbasedAuthentication) hands-on

More than 3 years have passed since last update.

0. Introduction

Better late than never: I needed to understand how SSH host-based authentication behaves, so I tried it out.

  • It may feel a bit late for this, but since I am neither an infrastructure engineer nor a network engineer, I rarely get the chance to touch it. That is my excuse for writing it up as an article.
  • My motivation for publishing is that anyone should be able to copy and paste from this document and try it out without getting stuck.

0.1 What I wanted to do

The original motivation: System A is one of the systems that make up a web service, and the goal was for it to connect over the Internet to a separate system, System B. Incidentally, System B is a traditional system with no REST API.

The requirements were:

  • It must become each user on System B and kick off applications there
  • During operation, there is no root privilege on System B
  • System A should run as a single user (one-user)


0.2 Pages I referred to

(1) below was really easy to understand. Thank you!!
As a token of gratitude I want to introduce it here rather than at the very bottom of the article...

  1. Introduction to OpenSSH: 6.6 Using Hostbased authentication (入門OpenSSH: 6.6. Hostbased 認証 を使う)
  2. Pitfalls when enabling HostbasedAuthentication in ssh (sshでHostbasedAuthenticationを有効にする場合の落とし穴)

0.3 Test environment

To get two Linux machines, I used two of the following ubuntu-16.04 instances on AWS. That makes procuring machines easy.

  • AMI: ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-20170414 (ami-afb09dc8)

1. Configuration overview (Overview)

§1 gives the overview; the details start from §2.

1.1 Server Side

/etc/ssh/sshd_config: to avoid getting stuck on DNS configuration, this time I restrict things to IP addresses (UseDNS no). Note that if you also allow root login, the configuration changes again.

Configuration example
HostbasedAuthentication yes
IgnoreRhosts yes
IgnoreUserKnownHosts yes
UseDNS no

/etc/ssh/shosts.equiv: register entries in the order <'allowed client IP address'> <'allowed user name on the client side'>

Configuration example
10.100.0.87 ubuntu

/etc/ssh/ssh_known_hosts: register the client's ssh_host_rsa_key.pub on the server

Configuration example
10.100.0.87 ssh-rsa AAAAB3NzaC1yc2EA7yzqGd ~~~omitted~~~ YJgMfV3wKbL

1.2 Client Side

/etc/ssh/ssh_config: the following two items must be set

Configuration example
HostbasedAuthentication yes
EnableSSHKeysign yes

2. Server-side configuration (detail)

2.1 Preparation

IP addresses
echo "export IP_CLIENT='10.100.0.87'" >> ~/.bashrc
echo "export IP_SERVER='10.100.0.20'" >> ~/.bashrc
source ~/.bashrc
Check
cat << ETX

IP_CLIENT: ${IP_CLIENT}
IP_SERVER: ${IP_SERVER}

ETX

2.2 Configuring /etc/ssh/sshd_config

Edit sshd_config
sudo vi /etc/ssh/sshd_config
Settings
HostbasedAuthentication yes
IgnoreRhosts yes
IgnoreUserKnownHosts yes
UseDNS no
Configuration example
# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin prohibit-password
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
#IgnoreRhosts no
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
HostbasedAuthentication yes
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

# if no, you can only use IP address.
UseDNS no
Verify the settings
cat /etc/ssh/sshd_config | grep -vE ^# | grep "HostbasedAuthentication"
cat /etc/ssh/sshd_config | grep -vE ^# | grep "IgnoreRhosts"
cat /etc/ssh/sshd_config | grep -vE ^# | grep "IgnoreUserKnownHosts"
cat /etc/ssh/sshd_config | grep -vE ^# | grep "UseDNS"
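The grep lines above list every uncommented occurrence of a keyword, but sshd keeps only the first value it reads for each keyword, so an earlier line that was left uncommented would win silently. The following added example (my own code, not part of the original article) resolves the values the way sshd does and compares them with the four settings required here; it assumes the keywords of interest sit before any Match block.

```python
import re

def effective_options(config_text):
    """Return {keyword_lower: value} as sshd resolves the global section."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # keyword and value may be separated by whitespace or by '='
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break                        # conditional section: stop here
        seen.setdefault(key, value)      # first occurrence wins, later ones ignored
    return seen

# The four settings this article requires on the server side.
EXPECTED = {"hostbasedauthentication": "yes", "ignorerhosts": "yes",
            "ignoreuserknownhosts": "yes", "usedns": "no"}

def hostbased_check(config_text):
    """Map each required keyword to (effective value, matches expectation?)."""
    opts = effective_options(config_text)
    return {k: (opts.get(k), opts.get(k) == v) for k, v in EXPECTED.items()}

# Constructed sample: the "no" line was left uncommented, so grep would
# still show a "yes" line but sshd would actually run with "no".
SSHD_SAMPLE = """\
# Package generated configuration file
Port 22
HostbasedAuthentication no
HostbasedAuthentication yes
IgnoreRhosts yes
IgnoreUserKnownHosts yes
UseDNS no
"""

if __name__ == "__main__":
    for key, (value, ok) in hostbased_check(SSHD_SAMPLE).items():
        print(f"{key:24} effective={value!s:4} {'OK' if ok else 'MISMATCH'}")
```

On the real server, `sudo sshd -T | grep -iE 'hostbased|ignorerhosts|ignoreuserknownhosts|usedns'` prints the same effective values straight from the daemon.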

2.3 Configuring /etc/ssh/ssh_known_hosts

Obtain the client's public host key
PUBLIC_KEY=$(ssh-keyscan -t rsa ${IP_CLIENT}) && echo ${PUBLIC_KEY}
Example result
# 10.100.0.87:22 SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1
10.100.0.87 ssh-rsa AAAAB3NzaC1yc2EA7yzqGd ~~~omitted~~~ YJgMfV3wKbL
Create ssh_known_hosts
sudo sh -c "echo ${PUBLIC_KEY} >> /etc/ssh/ssh_known_hosts" && cat /etc/ssh/ssh_known_hosts

2.4 Configuring /etc/ssh/shosts.equiv

Check the current state
cat /etc/ssh/shosts.equiv
Add the client
sudo sh -c "echo \"${IP_CLIENT} ubuntu\" > /etc/ssh/shosts.equiv" && cat /etc/ssh/shosts.equiv
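What the single line `10.100.0.87 ubuntu` actually grants is worth spelling out. The added example below (my own code, not from the article or from OpenSSH) models how sshd's check_rhosts_file() reads /etc/shosts.equiv, assuming UseDNS no so the host column is compared against the client IP only; netgroup (@name) entries are not modelled, and the host-key check against ssh_known_hosts is outside this function.

```python
def shosts_equiv_allows(equiv_text, client_ip, client_user, server_user):
    """True if shosts.equiv alone lets client_user@client_ip become server_user."""
    if server_user == "root":
        return False                    # sshd skips shosts.equiv for root entirely
    for raw in equiv_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 1:            # host only: same user name required on both sides
            host, user = fields[0], server_user
        elif len(fields) == 2:          # host + client user: ANY non-root target account
            host, user = fields
        else:
            continue                    # sshd logs "garbage" and skips the line
        negated = False
        if host[0] in "+-":
            negated, host = host[0] == "-", host[1:]
        if user[0] in "+-":
            negated, user = negated or user[0] == "-", user[1:]
        if not host or not user or host[0] == "@" or user[0] == "@":
            continue                    # bare wildcards ignored; netgroups not modelled
        if host != client_ip or user != client_user:
            continue
        return not negated              # first matching line decides
    return False

# Constructed sample: the article's entry plus a negated entry for "deploy".
EQUIV_SAMPLE = "10.100.0.87 ubuntu\n-10.100.0.87 deploy\n"

if __name__ == "__main__":
    for cu, su in [("ubuntu", "ubuntu"), ("ubuntu", "tanaka"), ("ubuntu", "root"),
                   ("tanaka", "tanaka"), ("deploy", "tanaka")]:
        print(f"{cu}@10.100.0.87 -> {su}@server: "
              f"{shosts_equiv_allows(EQUIV_SAMPLE, '10.100.0.87', cu, su)}")
```

The run shows why the tanaka and suzuki logins in §4 succeed while a root login would not: the entry trusts the client account `ubuntu` for every non-root account on the server, so the client host's key and that one account are the whole trust boundary.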

2.5 Restart sshd

Restart sshd
sudo /etc/init.d/ssh restart
Example result
[ ok ] Restarting ssh (via systemctl): ssh.service.

3. Client-side configuration (detail)

3.1 Preparation

IP addresses
echo "export IP_CLIENT='10.100.0.87'" >> ~/.bashrc
echo "export IP_SERVER='10.100.0.20'" >> ~/.bashrc
source ~/.bashrc
Check
cat << ETX

IP_CLIENT: ${IP_CLIENT}
IP_SERVER: ${IP_SERVER}

ETX

3.2 Editing /etc/ssh/ssh_config

Edit
sudo vi /etc/ssh/ssh_config
Settings
HostbasedAuthentication yes
EnableSSHKeysign yes
Configuration example
# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for some commonly used options.  For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.

Host *
#   ForwardAgent no
#   ForwardX11 no
#   ForwardX11Trusted yes
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
    HostbasedAuthentication yes
    EnableSSHKeysign yes
#   GSSAPIAuthentication no
#   GSSAPIDelegateCredentials no
#   GSSAPIKeyExchange no
#   GSSAPITrustDNS no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   IdentityFile ~/.ssh/id_ecdsa
#   IdentityFile ~/.ssh/id_ed25519
#   Port 22
#   Protocol 2
#   Cipher 3des
#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
#   MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
#   EscapeChar ~
#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
#   VisualHostKey no
#   ProxyCommand ssh -q -W %h:%p gateway.example.com
#   RekeyLimit 1G 1h
    SendEnv LANG LC_*
    HashKnownHosts yes
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
    PreferredAuthentications hostbased,publickey,keyboard-interactive,password
Verify the settings
cat /etc/ssh/ssh_config | grep -vE ^# | grep "HostbasedAuthentication"
cat /etc/ssh/ssh_config | grep -vE ^# | grep "EnableSSHKeysign"

4. Operation test

4.1 Create test users (server)

Create users
sudo adduser tanaka
sudo adduser suzuki

4.2 Login check (client)

The test works, but the error get_socket_address: getnameinfo 8 failed: Name or service not known appears.

I did not get as far as tracking down the cause... if anyone knows, please tell me...

Check the current user
whoami
Result
ubuntu

from ubuntu@CLIENT to (unspecified)@SERVER

No user specified
ubuntu@ip-10-100-0-87:~$ ssh ${IP_SERVER}
get_socket_address: getnameinfo 8 failed: Name or service not known
get_socket_address: getnameinfo 8 failed: Name or service not known
get_socket_address: getnameinfo 8 failed: Name or service not known
get_socket_address: getnameinfo 8 failed: Name or service not known
get_socket_address: getnameinfo 8 failed: Name or service not known
get_socket_address: getnameinfo 8 failed: Name or service not known
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-1013-aws x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  Get cloud support with Ubuntu Advantage Cloud Guest:
    http://www.ubuntu.com/business/services/cloud

0 packages can be updated.
0 updates are security updates.


Last login: Sun Jun 18 06:21:59 2017 from 106.184.21.20
ubuntu@ip-10-100-0-20:~$ whoami
ubuntu

from ubuntu@CLIENT to tanaka@SERVER

Specify tanaka
ubuntu@ip-10-100-0-87:~$ ssh tanaka@${IP_SERVER}
get_socket_address: getnameinfo 8 failed: Name or service not known
get_socket_address: getnameinfo 8 failed: Name or service not known
get_socket_address: getnameinfo 8 failed: Name or service not known
get_socket_address: getnameinfo 8 failed: Name or service not known
get_socket_address: getnameinfo 8 failed: Name or service not known
get_socket_address: getnameinfo 8 failed: Name or service not known
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-1013-aws x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  Get cloud support with Ubuntu Advantage Cloud Guest:
    http://www.ubuntu.com/business/services/cloud

0 packages can be updated.
0 updates are security updates.



The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

tanaka@ip-10-100-0-20:~$ whoami
tanaka

from ubuntu@CLIENT to suzuki@SERVER

Specify suzuki
ubuntu@ip-10-100-0-87:~$ ssh suzuki@${IP_SERVER}
get_socket_address: getnameinfo 8 failed: Name or service not known
get_socket_address: getnameinfo 8 failed: Name or service not known
get_socket_address: getnameinfo 8 failed: Name or service not known
get_socket_address: getnameinfo 8 failed: Name or service not known
get_socket_address: getnameinfo 8 failed: Name or service not known
get_socket_address: getnameinfo 8 failed: Name or service not known
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-1013-aws x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  Get cloud support with Ubuntu Advantage Cloud Guest:
    http://www.ubuntu.com/business/services/cloud

0 packages can be updated.
0 updates are security updates.



The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

suzuki@ip-10-100-0-20:~$ whoami
suzuki