From 87f63fc909a17aa84ed0d0bafc7fd5047329d032 Mon Sep 17 00:00:00 2001 From: Konrad Bucheli Date: Tue, 30 May 2023 17:13:46 +0200 Subject: [PATCH] document ssh host trust --- admin-guide/configuration.md | 1 + admin-guide/configuration/ssh_host_hopping.md | 25 +++++++++++++++++++ 2 files changed, 26 insertions(+) create mode 100644 admin-guide/configuration/ssh_host_hopping.md diff --git a/admin-guide/configuration.md b/admin-guide/configuration.md index a5100b4d..9f4546ef 100644 --- a/admin-guide/configuration.md +++ b/admin-guide/configuration.md @@ -7,4 +7,5 @@ Here starts a so far small collections of configuration guides for sysadmins of - [Custom Nameservers](configuration/custom_nameservers) ## Special Installations +- [SSH Host Hopping as Root (e.g. between cluster members)](configuration/ssh_host_hopping) - [Install Citrix VDA](configuration/citrix_vda) diff --git a/admin-guide/configuration/ssh_host_hopping.md b/admin-guide/configuration/ssh_host_hopping.md new file mode 100644 index 00000000..79960cb3 --- /dev/null +++ b/admin-guide/configuration/ssh_host_hopping.md 
@@ -0,0 +1,25 @@ +# SSH Host Hopping as Root (e.g. between cluster members) + +This is to allow the user `root` on a given machine to log in as `root` onto another machine without using a password or a similar authentication. + + +The `ssh_server::root_host_trust` list in Hiera configures from which devices root is allowed to connect without special configuration: +``` +ssh_server::root_host_trust: + - 'lxdev04.psi.ch' + - 'lxdev05.psi.ch' +``` +From security perspective this nodes should have the same or stricter security rules/setup that the target host. + +To actually use host trust the client also needs to configure that while connecting, e.g. in Hiera: + +``` +ssh_client::try_host_trust: true +``` + +or spontaneously on the ssh command line with: +``` +ssh -o HostbasedAuthentication=yes ... +``` +or by setting `HostbasedAuthentication yes` in the appropriate place in the ssh configuration (e.g. `~/.ssh/config`). +
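Review bot: In the `admin-guide/configuration.md` hunk the new link is filed under `## Special Installations`, next to "Install Citrix VDA", although the page it points to describes a Hiera configuration (`ssh_server::root_host_trust`, `ssh_client::try_host_trust`) rather than an installation, and the file lives in `configuration/` beside `custom_nameservers`, which is listed in the general configuration section above the heading. Consider moving the bullet up to that list, or renaming the heading, so readers looking for SSH configuration find it where the other configuration guides are.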
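Review bot: In the new `ssh_host_hopping.md` the sentence "From security perspective this nodes should have the same or stricter security rules/setup that the target host." has grammar errors ("this nodes", "that the target host") and understates the point; suggest "From a security perspective, every node in this list should have the same or stricter security rules and setup than the target host, because root on any listed node becomes root on the target without further credentials." Two further documentation gaps a practitioner will hit: the introduction says the login works "without using a password or a similar authentication", but `HostbasedAuthentication` still authenticates, using the client host's key rather than a per-user credential, so the page should say what the target uses to verify that the connecting machine really is `lxdev04.psi.ch` (it lists only hostnames), and "configures from which devices root is allowed to connect without special configuration" contradicts the later paragraph that the client also needs `ssh_client::try_host_trust: true` or `-o HostbasedAuthentication=yes`; drop "without special configuration" from the first sentence. As a style point, the fenced blocks holding Hiera YAML could be tagged ```yaml to match the rest of the guide.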