Hostbased Access Control

A limited type of per-account configuration is possible in OpenSSH if you use hostbased authentication rather than public-key authentication. Specifically, you can permit SSH access to your account based on the client’s remote username and hostname via the system files /etc/shosts.equiv and /etc/hosts.equiv, and personal files ~/.rhosts and ~/.shosts. A line like:

    +client.example.com jones

permits hostbased SSH access by the user jones connecting from client.example.com. Since we’ve already covered the details of these four files, we won’t repeat the information in this chapter. [3.6.2]
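To make the per-account matching concrete, here is an added example (not code from the book or from OpenSSH) that models how a server evaluates ~/.shosts style entries for one client. The matching rules are assumptions for this model: each line is "host [user]", a missing user field means the remote username must equal the local account name, a leading "-" on the host or user makes the entry an explicit deny, hosts match by case-insensitive name or exact IP address, there are no wildcards, and the first matching entry decides.

```python
from typing import List, Optional, Tuple

# Constructed sample of a ~/.shosts file protecting the local account "smith".
SAMPLE_SHOSTS = """\
# jones may log in to this account from client.example.com
client.example.com jones
# explicit deny: the same-named user coming from lab.example.com is refused
-lab.example.com
# IP-only entry: the same-named user from 10.0.0.5 is accepted
10.0.0.5
"""


def parse_shosts(text: str) -> List[Tuple[str, Optional[str]]]:
    """Return (host, user) pairs; user is None when the line has no user field."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        entries.append((host, user))
    return entries


def hostbased_allowed(text: str, hostname: str, ipaddr: str,
                      client_user: str, local_user: str) -> bool:
    """Decide whether client_user on (hostname, ipaddr) may log in as local_user."""
    for host, user in parse_shosts(text):
        if user is None:
            user = local_user  # assumption: no user field means "same username"
        negated = False
        if host.startswith("-"):
            negated, host = True, host[1:]
        if user.startswith("-"):
            negated, user = True, user[1:]
        if not host or not user:
            continue  # a bare "-" is skipped rather than treated as a wildcard
        if host.lower() != hostname.lower() and host != ipaddr:
            continue  # different host: entry does not apply
        if user != client_user:
            continue  # different remote username: entry does not apply
        return not negated  # first matching entry decides; a deny wins
    return False  # nothing matched: no hostbased access for this client
```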

Per-account configuration with hostbased authentication is similar to using host access control in your OpenSSH authorized_keys or Tectia authorization file. [8.2.4] Both methods may restrict SSH connections from particular hosts. The differences are shown in this table:

    Feature                          Hostbased access   Public-key host access
    Authenticate by hostname         Yes                Yes
    Authenticate by IP address       Yes                Yes
    Authenticate by remote username  Yes                No
    Wildcards in hostnames and IP    No                 Yes
    Passphrase required for logins   No                 Yes
    Use other public-key features    No                 Yes
    Security                         Less               More

To use hostbased authentication for access control, all of the following conditions must be true:

  • Hostbased authentication is enabled in the server, both at compile time and in the serverwide configuration file.

  • Your desired client hosts aren’t specifically excluded by serverwide configuration, e.g., by AllowHosts and DenyHosts.

  • For OpenSSH, the server configuration ...
