Host-based authentication lets one server authenticate to another based on the client machine’s host key rather than user keys. I use it for automated backup systems, Ansible/Puppet, monitoring that executes remote commands, database replication, and CI/CD pipelines.
Warning
Only use this in controlled environments where you fully trust the client machines. It’s a complement to user key auth for specific automation use cases, not a replacement.
Prerequisites: Root access on both machines, DNS or /etc/hosts entries for hostname resolution.
Step 1: Enable on Server
Edit /etc/ssh/sshd_config on the server:
HostbasedAuthentication yes
HostbasedUsesNameFromPacketOnly yes
HostbasedAcceptedKeyTypes ssh-ed25519,rsa-sha2-512,rsa-sha2-256
IgnoreRhosts no
IgnoreUserKnownHosts no

sudo systemctl restart sshd

Step 2: Configure Trusted Hosts on Server
Create /etc/ssh/shosts.equiv:
# Format: hostname [username]
backup-server.example.com deployer
monitoring.example.com monitor
ci-runner-01.example.com jenkins

sudo chmod 600 /etc/ssh/shosts.equiv
sudo chown root:root /etc/ssh/shosts.equiv

For per-user trust, use ~/.shosts with the same format.
Step 3: Configure Client
Edit /etc/ssh/ssh_config on the client:
HostbasedAuthentication yes
EnableSSHKeysign yes
PreferredAuthentications hostbased,publickey,password

Step 4: Configure ssh-keysign
ssh-keysign must be setuid root to access host keys:
sudo chmod 4711 /usr/lib/openssh/ssh-keysign
# or
sudo chmod 4711 /usr/libexec/openssh/ssh-keysign

Step 5: Distribute Host Public Keys
On the client, get the host public key:
sudo cat /etc/ssh/ssh_host_ed25519_key.pub

Add it to /etc/ssh/ssh_known_hosts on the server:

# Format: hostname,ip key-type public-key
backup-server.example.com,192.168.1.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILo...

sudo chmod 644 /etc/ssh/ssh_known_hosts
sudo chown root:root /etc/ssh/ssh_known_hosts

Step 6: Test
ssh -v deployer@production-server.example.com
# Look for: "Authentication succeeded (hostbased)"

Automation Script
Save as /usr/local/bin/distribute-host-keys.sh on the server to collect keys from multiple clients:
#!/bin/bash
# Collect the ed25519 host key of each trusted client and merge it into
# the system-wide known_hosts file used for host-based authentication.
set -eu

KNOWN_HOSTS="/etc/ssh/ssh_known_hosts"
TEMP_KEYS=$(mktemp)              # private temp file rather than a fixed /tmp path
trap 'rm -f "$TEMP_KEYS"' EXIT

CLIENTS=(
  "backup-server.example.com"
  "monitoring.example.com"
  "ci-runner-01.example.com"
)

for client in "${CLIENTS[@]}"; do
  IP=$(dig +short "$client" | tail -1)
  # ssh-keyscan records whatever key the host presents right now;
  # confirm the fingerprint out of band before relying on it.
  KEY=$(ssh-keyscan -t ed25519 "$client" 2>/dev/null || true)

  if [ -n "$KEY" ]; then
    echo "$client,$IP $(echo "$KEY" | awk '{print $2, $3}')" >> "$TEMP_KEYS"
  else
    echo "Failed to get key from $client" >&2
  fi
done

# Keep a dated backup, then merge and deduplicate.
[ -f "$KNOWN_HOSTS" ] && cp "$KNOWN_HOSTS" "${KNOWN_HOSTS}.backup.$(date +%F)"

cat "$TEMP_KEYS" >> "$KNOWN_HOSTS"
sort -u "$KNOWN_HOSTS" -o "$KNOWN_HOSTS"
chmod 644 "$KNOWN_HOSTS"

sudo chmod +x /usr/local/bin/distribute-host-keys.sh
sudo /usr/local/bin/distribute-host-keys.sh

Real-World Example: Backup Server
On production servers (/etc/ssh/sshd_config):
HostbasedAuthentication yes
Match User backup
    HostbasedAuthentication yes
    PasswordAuthentication no

On production servers (/etc/ssh/shosts.equiv):

backup-server.example.com backup

On backup server (/etc/ssh/ssh_config):

Host prod-*
    HostbasedAuthentication yes
    PreferredAuthentications hostbased
    User backup

Now the backup server can pull automatically:

rsync -avz prod-web-01:/var/www/ /backup/web-01/

Security Notes
Combining with user key auth is the safest approach:
AuthenticationMethods publickey,hostbased

Review /etc/ssh/shosts.equiv monthly. Ensure LogLevel VERBOSE is set so host-based authentications are logged. Restrict SSH access by firewall to trusted client IPs only.
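The monthly review goes faster when shosts.equiv and ssh_known_hosts are cross-checked against each other: a trusted host with no key cannot log in, and a key for a host that is no longer trusted is leftover trust to remove. The script below is an added example, not part of the original guide; it assumes plain hostname entries as used in this guide and builds constructed sample files with placeholder keys to show one finding of each kind.

```bash
#!/bin/bash
# Added example (not from the original guide): cross-check the two files
# host-based authentication depends on. A host trusted in shosts.equiv
# with no key in ssh_known_hosts cannot log in; a key in ssh_known_hosts
# for a host no longer in shosts.equiv is leftover trust to clean up.

# Hostnames from a known_hosts file: first field (second after an @marker),
# split on commas; comments, hashed entries and bare IPv4 addresses dropped.
known_hosts_names() {
    awk '!/^[[:space:]]*#/ && NF > 0 {
            h = ($1 ~ /^@/) ? $2 : $1
            if (h !~ /^[|]1[|]/) print h
         }' "$1" | tr ',' '\n' | grep -v '^[0-9.]*$' | sort -u
}

# Hostnames from a shosts.equiv file: first field of each entry.
shosts_equiv_names() {
    awk '!/^[[:space:]]*#/ && NF > 0 { print $1 }' "$1" | sort -u
}

# Report hosts present in one file but not the other; 0 when they agree.
audit_hostbased_trust() {
    local equiv=$1 known=$2 status=0 host
    for host in $(shosts_equiv_names "$equiv"); do
        known_hosts_names "$known" | grep -qxF "$host" ||
            { echo "NO-KEY   $host trusted in $equiv, no key in $known"; status=1; }
    done
    for host in $(known_hosts_names "$known"); do
        shosts_equiv_names "$equiv" | grep -qxF "$host" ||
            { echo "STALE    $host has a key in $known, not in $equiv"; status=1; }
    done
    return $status
}

# Constructed sample files (placeholder keys) showing one of each finding.
demo_audit() {
    local dir; dir=$(mktemp -d)
    cat > "$dir/shosts.equiv" <<'EOF'
# Format: hostname [username]
backup-server.example.com deployer
monitoring.example.com monitor
EOF
    cat > "$dir/ssh_known_hosts" <<'EOF'
backup-server.example.com,192.168.1.10 ssh-ed25519 AAAAC3PLACEHOLDERKEY
ci-runner-01.example.com,192.168.1.30 ssh-ed25519 AAAAC3PLACEHOLDERKEY
EOF
    if audit_hostbased_trust "$dir/shosts.equiv" "$dir/ssh_known_hosts"; then
        echo "trust files agree"
    fi
    rm -rf "$dir"
}

demo_audit
```

Run it as root against the real /etc/ssh/shosts.equiv and /etc/ssh/ssh_known_hosts by calling audit_hostbased_trust with those two paths.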
Revoking Access
# Remove from shosts.equiv
sudo nano /etc/ssh/shosts.equiv

# Remove from known_hosts
sudo ssh-keygen -R hostname.example.com -f /etc/ssh/ssh_known_hosts

sudo systemctl restart sshd

Troubleshooting
# Server logs
sudo journalctl -u sshd -n 50 | grep hostbased

# Verify hostname resolution
hostname -f  # must match what's in shosts.equiv

# Check ssh-keysign permissions
ls -l /usr/lib/openssh/ssh-keysign
# Should be: -rws--x--x (4711)

# Verify the client's host key is present on the server
sudo grep "backup-server.example.com" /etc/ssh/ssh_known_hosts

# Full debug from client
ssh -vvv -o PreferredAuthentications=hostbased user@server

Next Steps
Proceed to the Security Monitoring guide.