Setting up hostbased authentication for passphraseless SSH communication.


Reuti,; Philipps-University of Marburg, Germany


1.1 -- 2010-04-15 Initial release, comments and corrections are welcome



To copy files inside a cluster either between nodes or for some kind of file staging it is often set up by use of a passwordless SSH by an SSH-keypair without a passphrase (hence the correct description would be passphraseless SSH, although the name passwordless SSH is also used often) and putting the public part of the key in each user’s ~/.ssh/authorized_keys file. This might give the user the idea to copy the private part of the key also to some of their workstations in addition, and so gain passwordless login to the headnode of the cluster. While this is convenient for the user at the first glance, it lacks any security once the private part of the SSH-keypair was in the wild. Setting up a hostbased passphraseless SSH can avoid this, as it will work without putting any SSH keys in each user’s ~/.ssh directory.

General Setup

The Howto targets only the hostbased authentication and not the SSH setup in general. Hence before applying all outlined settings here, an ssh login secured by password or passphrase must be working already. It could later be disabled of course, when the hostbased authentication is working.


This Howto will show you how to setup a hostbased authentication inside the cluster, which will avoid the necessity to create any SSH keys for the user at all, and also avoids that the user’s ~/.ssh/known_hosts file will have to contain any of the machines in the cluster.

Necessary settings on the source machine
Adjustments to ssh and sshd have to be done at two locations. First the source machine setup will be described:

Necessary settings on the target machine
Several files exit in the directory /etc to define the machines which are eligible to connect to this one, depending on the protocol used for the connection: If you want to allow hostbased authentication also for the account of the root user, it is necessary to put the hostname of  all allowed hosts in a file called /root/.shosts on all machines. As root’s home is usually not shared in a cluster, this must be copied to each machine.

Side notes
Often it is suggested, to keep the entries in ~/.ssh/known_hosts hashed (this can be done once by ssh-keygen -H [or automatically for each new entry]; further access for manipulation of this file can then be achived by commands like ssh-keygen -F hostname or ssh-keygen -R hostname), so that an intruder wouldn't know the machines to which you connect to usually. But as these logins are also recorded most likely in the ~/.bash_history, it would imply to disable the recording of such commands like ssh and scp by a line like:

export HISTIGNORE="ssh*:scp*"

in your setup in one of the files the Bash sources during startup. Having done so, there is another pitfall: the file ~/.ssh/config. This is often used in case you want to use abbrevations to your login destinations, while also using an alternative port and/or login name for certain destinations can be defined there. The file may look like:

Host fast
    User my_surname
    Port 455

Host default
    Hostname machine.local.demo

Host node*
    ForwardX11 no
    ForwardX11Trusted no

Host *
    ForwardAgent yes
    ForwardX11 yes
    ForwardX11Trusted yes
    Compression yes
    NoHostAuthenticationForLocalhost yes
    ServerAliveInterval 900

When you decide to use such a handy setup, there seems to be no way to hide this information from an intruder. If you want to use this in a cluster as general setup, at least the last two blocks could better be placed in the common /etc/ssh/ssh_config where they will be honored by all users by default

Although it’s not in the range of this Howto, the use of an ssh-agent running on your local machine may ease the connection to several remote clusters and even allow copying between two remote clusters without the need of entering any authentication credentials. A  good explanation of the underlying machanism can be found at