LinuxQuestions.org
Old 12-30-2009, 11:33 PM   #1
balakrishnay
Member
 
Registered: Sep 2009
Posts: 31

Rep: Reputation: 15
Public key authentication with ssh -- Without Password


Hi,

I configured public key authentication with ssh, but every time I try to connect, it prompts for a password.

Does anyone have any idea on this?

testinst1.koel.co.in/apps12i]ssh -v oracle@testinst3.koel.co.in
OpenSSH_3.9p1, OpenSSL 0.9.7a Feb 19 2003
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to testinst3.koel.co.in [10.1.1.151] port 22.
debug1: Connection established.
debug1: identity file /apps12i/.ssh/identity type -1
debug1: identity file /apps12i/.ssh/id_rsa type -1
debug1: identity file /apps12i/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.9p1
debug1: match: OpenSSH_3.9p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.9p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'testinst3.koel.co.in' is known and matches the RSA host key.
debug1: Found key in /apps12i/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: publickey
debug1: Trying private key: /apps12i/.ssh/identity
debug1: Trying private key: /apps12i/.ssh/id_rsa
debug1: Trying private key: /apps12i/.ssh/id_dsa
debug1: Next authentication method: password
oracle@testinst3.koel.co.in's password:

Regards

Bala
 
Old 12-31-2009, 01:36 AM   #2
Jerre Cope
Member
 
Registered: Oct 2003
Location: Texas (central)
Distribution: ubuntu,Slackware,knoppix
Posts: 323

Rep: Reputation: 37
If your key is not id_rsa, try using the -i to explicitly name your private key so it doesn't rotate through all your keys in the .ssh and give up.
 
Old 12-31-2009, 01:52 AM   #3
balakrishnay
Member
 
Registered: Sep 2009
Posts: 31

Original Poster
Rep: Reputation: 15
Thanks for your reply. I am not able to understand what you have suggested.

I have tried both dsa and rsa; both are giving me the same issue.

testinst1.koel.co.in/apps12i]ssh-keygen -i dsa
Too many arguments.
Usage: ssh-keygen [options]

Regards

Bala

 
Old 12-31-2009, 04:04 AM   #4
wolfgangsz
LQ Newbie
 
Registered: Dec 2009
Location: Birmingham, UK
Distribution: Debian, Fedora, ...
Posts: 7

Rep: Reputation: 0
By default, ssh uses the keys that are available in the .ssh folder in the current user's home folder (in a normal environment for a normal user that would be /home/<user>/.ssh). In order for this to work, you need several things:

a) your sshd on the remote side must be configured to allow publickey authentication. According to the debug output this is the case.
b) The public key that matches the private key on the local side must be present in the remote side's authorized_hosts file. This file is located in the .ssh folder located in the home folder of the account you want to log into. In your case this would be (probably) /home/oracle/.ssh/authorized_keys. This seems not to be the case here.

When you add the public key to the remote host's authorized_keys file, make sure there are no additional line feeds or newline characters in the key. You must also make sure that the key starts with the correct type identifier and finishes with the correct username/host identifier. If your key was generated using ssh_keygen, this should usually be the case, but there is no harm in checking.
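
The check described in this post, as an added example that is not part of the original reply: a shell function that flags authorized_keys lines with no key type or with incomplete key data, which is what a key wrapped during copy and paste looks like. The accepted key-type list and the sample file are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): report malformed authorized_keys lines.
# Returns 0 when every key line is well-formed, 1 otherwise.
check_authorized_keys() {
    awk '
    # Key types recognised here; an assumption, extend as needed.
    function is_type(s) {
        return s ~ /^(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp(256|384|521))$/
    }
    /^[ \t]*$/ || /^[ \t]*#/ { next }   # skip blank lines and comments
    {
        # Locate the key-type field; fields before it are options.
        t = 0
        for (i = 1; i <= NF; i++) if (is_type($i)) { t = i; break }
        if (t == 0) {
            printf "line %d: no key type (wrapped or truncated key?)\n", NR
            bad = 1; next
        }
        blob = $(t + 1)
        if (blob !~ "^[A-Za-z0-9+/]+=*$" || length(blob) % 4 != 0) {
            printf "line %d: key data is not complete base64\n", NR
            bad = 1
        }
    }
    END { exit bad }
    ' "$1"
}

# Constructed sample: the second key was wrapped when pasted, so its
# continuation on line 3 has no key type and is reported.
sample=$(mktemp)
cat > "$sample" <<'EOF'
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC7 apps12i@testinst1
ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB
AAAAgQC7 apps12i@testinst1
EOF
check_authorized_keys "$sample" || echo "fix the lines listed above"
rm -f "$sample"
```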
 
Old 12-31-2009, 05:07 AM   #5
balakrishnay
Member
 
Registered: Sep 2009
Posts: 31

Original Poster
Rep: Reputation: 15
Hi,

I have followed this document: http://pigtail.net/LRP/printsrv/keygen.html. I have done everything in this document but still have the same problem.

Regards

Bala

 
Old 12-31-2009, 06:04 AM   #6
evo2
Guru
 
Registered: Jan 2009
Location: Japan
Distribution: Mostly Debian and Scientific Linux
Posts: 5,591

Rep: Reputation: 1244
Please check the logs on the ssh server machine. You don't say what OS it is running, but on a Debian based system you should look at /var/log/auth.log. If that does not reveal what the problem is please start the ssh server in debug mode: "sshd -d".

Cheers,

Evo2.
 
Old 01-01-2010, 09:34 AM   #7
wolfgangsz
LQ Newbie
 
Registered: Dec 2009
Location: Birmingham, UK
Distribution: Debian, Fedora, ...
Posts: 7

Rep: Reputation: 0
Please also check that your public key (id_rsa.pub) is actually present in testinst3.koel.co.in:/home/oracle/.ssh/authorized_keys.
I am not sure how the user "oracle" was created. You must make sure that the ".ssh/authorized_keys" path is present in that user's home folder. You can check where that is by typing
"getent passwd oracle<enter>" (on testinst3.koel.co.in). The result should look like this:

guest:x:1001:100:Guest User,,,,:/home/guest:/bin/bash

(this example is for a guest user on one of my machines). The string between the second to last and the last colon is the home folder for that user. Not all users have their home folder in /home (especially if they are actually system users), and oracle sounds a little like the oracle system account. If this is the case it's probably not such a brilliant idea to log into it anyway. Rather use a normal user account and sudo/su to oracle.
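
The lookup described in this post, as an added example that is not part of the original reply: it takes one passwd-format line such as "getent passwd oracle" prints, extracts the home folder, and checks that .ssh/authorized_keys exists there. It goes one step beyond the post by also reporting group- or world-writable paths, which sshd rejects under its default StrictModes setting; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Field 6 of a passwd entry is the home folder.
passwd_home() {
    printf '%s\n' "$1" | cut -d: -f6
}

# Print each given path that is group- or world-writable.
loose_paths() {
    find "$@" -prune \( -perm -020 -o -perm -002 \) -print
}

# Takes one passwd-format line; returns 0 if the key file is usable,
# 1 if it is missing or too permissive, 2 if the entry has no home field.
check_key_path() {
    home=$(passwd_home "$1")
    keys="$home/.ssh/authorized_keys"
    if [ -z "$home" ]; then
        echo "entry has no home directory field"
        return 2
    fi
    if [ ! -f "$keys" ]; then
        echo "missing: $keys"
        return 1
    fi
    # Beyond the post: with StrictModes (the default) sshd ignores the
    # key file when any of these paths is writable by group or others.
    loose=$(loose_paths "$home" "$home/.ssh" "$keys")
    if [ -n "$loose" ]; then
        echo "group/world-writable: $loose"
        return 1
    fi
    echo "ok: $keys"
}

# The sample entry quoted in the post; on the server in question, pass
# the output of "getent passwd oracle" instead.
check_key_path 'guest:x:1001:100:Guest User,,,,:/home/guest:/bin/bash' || true
```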
 
Old 01-01-2010, 08:15 PM   #8
karatedog
LQ Newbie
 
Registered: May 2004
Location: Hungary
Distribution: Ubuntu 9.10
Posts: 13

Rep: Reputation: 0
Proper ssh key generation requires you to provide a passphrase for the key (that way it is not stored as clear text), and you will be required to provide that passphrase every time you log in using ssh key.
I saw that the page you linked advises you to create an ssh key without a passphrase, but I don't recommend it.

If you generated an RSA key maybe you can post your /home/apps12i/.ssh/id_rsa, /home/apps12i/.ssh/id_rsa.pub and /home/oracle/.ssh/authorized_keys here (right after you changed those keys, of course :-)

Last edited by karatedog; 01-01-2010 at 08:27 PM. Reason: need more info on the problem
 
Old 01-02-2010, 01:06 PM   #9
vendtagain
Member
 
Registered: Sep 2009
Distribution: Slackware, Debian, Mac OS X, Zenwalk, Puppy, Gentoo
Posts: 199

Rep: Reputation: 32
This SSH guide is a good document on SSH.
It's not really a quick setup guide, but if you read through it you'll get a good understanding of everything.

SSH Definitive Guide from O'Reilly
http://docstore.mik.ua/orelly/networ.../ssh/index.htm

Last edited by vendtagain; 01-02-2010 at 01:07 PM.
 
Old 01-02-2010, 01:37 PM   #10
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 655
Read through the /etc/ssh/sshd_config file. Look at the paragraph above the "UsePAM yes" line. It details the three variables you need to set to use PAM for session control but not authentication.

Just so you understand, the passphrase is used at the client, and not the server. It encodes your private key. If it is lost or stolen that will help protect the server.

You can use ssh-agent so that you only need to enter the passphrase once per session.
example:
eval $(ssh-agent)
ssh-add
<enter passphrase>

Now you can ssh into the server several times, or to several servers and not need to enter the passphrase anymore.

Your distro may have a way of configuring your login manager to request the passphrase when you log in.
Check /etc/X11/xdm/sys.session for the "usessh" line for example.

If you want one server to connect to another server as part of a cron job, and the server is unattended, then you are justified in not passphrase protecting the private key. If a client server is compromised, you will need to assume that the ssh servers it can connect to are compromised as well. Physical security will be important as well as network security.

Last edited by jschiwal; 01-02-2010 at 01:40 PM.
 
Old 01-03-2010, 11:41 PM   #11
balakrishnay
Member
 
Registered: Sep 2009
Posts: 31

Original Poster
Rep: Reputation: 15
Hi,

Thanks for your reply. Your update seems to be more related, but I am not able to find these.

Check /etc/X11/xdm/sys.session for the "usessh" line for example.

Actually, the reason why I am trying to generate SSH public key authentication is that I need to communicate with two servers interactively, for example:

I have two nodes (i.e. Node1 & Node2).

I am doing some job on Node1; only once this is completed successfully should Node1 invoke another job on Node2. After completing these two jobs on both nodes, I need to compare the logfiles from both nodes.

This is my requirement. I hope I am clear.

Regards

Bala




