Host-Based User Authentication
Host-based authentication uses the public host key of the client machine
to authenticate a user to the remote server daemon (sshd2). This
provides a non-interactive form of authentication, and is best used in
scripts and automated processes, such as cron jobs. Host-based
authentication can be used to automate backups and file transfers, or in
other situations where a user will not be present to input
authentication information.

Any non-interactive login is inherently insecure. Whenever
authentication without user challenge is permitted, some level of risk
must be assumed. If feasible, public-key authentication with ssh-agent2
and ssh-add2 is preferred. SSH Tectia Server provides host-based
authentication as a form of non-interactive login that is more secure
than the .rhosts method used by the Berkeley 'r' commands, but
it cannot resolve the inherent insecurity of non-interactive logins.
This means that you should take aggressive measures to ensure that any
client machine set up for host-based authentication is adequately
secured, both by software and hardware, to prevent unauthorized logins
to your server.

In the following instructions, ClientUser is the user's
username on the local client machine and ServerUser is the
user's username on the remote server machine.