I would like to get the word on how to best set up my sshd server to allow root on a single client hostbased authorization to several servers - as securely as possible. I have a requirement to have unattended root access to these systems. I need to have hostbased work for root only. No non-root users should be able to use hostbased, but Kerberos instead. I would be using OpenSSH 4.3p2. Is there anything wrong or poorly configured with what I have below?

As I see it, I would configure the server with the 3 config files ....

/etc/ssh/sshd_config:

  # Essential for Hostbased for root -
  PermitRootLogin without-password
  HostbasedAuthentication yes
  IgnoreUserKnownHosts yes
  IgnoreRhosts no

  # For Kerberos - non-root
  KerberosAuthentication yes
  GSSAPIAuthentication yes

  # Optionally
  StrictModes yes
  RSAAuthentication no
  PubkeyAuthentication no

  # I would augment access control with pam_access.
  UsePAM yes

--------
/root/.shosts:

  <my_trusted client>

--------
/etc/ssh/ssh_known_hosts:

  <my_trusted client> <rsa/dsa key>
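
As an added example (not part of the original post and not OpenSSH code), the script below resolves the effective value of each directive in a flat sshd_config the way sshd reads it, with case-insensitive keywords and the first value given for a keyword winning, and reports where a deployed file drifts from the settings posted above. The function names and the DRIFTED sample are constructed for illustration.

```python
def effective_settings(text):
    """Map keyword -> value for a flat sshd_config (no Match blocks).
    Keywords are case-insensitive; the first value seen for a keyword wins."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        seen.setdefault(keyword, value)  # later duplicates are ignored
    return seen

# The sshd_config from the post, used as the intended baseline.
POSTED = """\
# Essential for Hostbased for root -
PermitRootLogin without-password
HostbasedAuthentication yes
IgnoreUserKnownHosts yes
IgnoreRhosts no
# For Kerberos - non-root
KerberosAuthentication yes
GSSAPIAuthentication yes
# Optionally
StrictModes yes
RSAAuthentication no
PubkeyAuthentication no
# I would augment access control with pam_access.
UsePAM yes
"""
INTENDED = effective_settings(POSTED)

def audit(text, intended=INTENDED):
    """Return (keyword, wanted, found) for each directive that deviates.
    found is None when the file never sets the keyword (sshd's default applies)."""
    eff = effective_settings(text)
    return [(k, want, eff.get(k)) for k, want in intended.items() if eff.get(k) != want]

# Constructed sample: a stray earlier line overrides the later "no".
DRIFTED = "pubkeyauthentication yes\n" + POSTED

if __name__ == "__main__":
    for keyword, wanted, found in audit(DRIFTED):
        print(f"{keyword}: wanted {wanted!r}, effective {found!r}")
```
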