LinuxQuestions.org
Old 01-22-2006, 02:34 PM   #16
blackdragonblood
Member
 
Registered: May 2005
Location: Minneapolis, MN
Distribution: Debian
Posts: 217

Original Poster
Rep: Reputation: 30

I made the suggested changes and still get the same error.

Code:
#	$OpenBSD: sshd_config,v 1.72 2005/07/25 11:59:40 markus Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#Protocol 2,1
Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile	.ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
PermitEmptyPasswords no
PasswordAuthentication no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing, 
# and session processing. If this is enabled, PAM authentication will 
# be allowed through the ChallengeResponseAuthentication mechanism. 
# Depending on your PAM configuration, this may bypass the setting of 
# PasswordAuthentication, PermitEmptyPasswords, and 
# "PermitRootLogin without-password". If you just want the PAM account and 
# session checks to run without PAM authentication, then enable this but set 
# ChallengeResponseAuthentication=no
#UsePAM no
UsePAM yes

#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#ShowPatchLevel no

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem	sftp	/usr/libexec/openssh/sftp-server

Last edited by blackdragonblood; 01-22-2006 at 02:35 PM.
 
Old 01-23-2006, 07:14 AM   #17
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
I guess if I were in your place, I would re-install the ssh RPM. From what I can gather googling on your error messages, there may be some sort of problem between ssh and Kerberos. Assuming that Red Hat distributes a functioning ssh program, a re-install of that RPM might do the trick.
 
Old 01-23-2006, 01:57 PM   #18
blackdragonblood
Member
 
Registered: May 2005
Location: Minneapolis, MN
Distribution: Debian
Posts: 217

Original Poster
Rep: Reputation: 30
I made the changes and now I'm asked for a password.

sshd_config update:
Code:
#	$OpenBSD: sshd_config,v 1.72 2005/07/25 11:59:40 markus Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#Protocol 2,1
Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile	.ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
PermitEmptyPasswords yes
PasswordAuthentication no

# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes
#ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
GSSAPIAuthentication no
#GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing, 
# and session processing. If this is enabled, PAM authentication will 
# be allowed through the ChallengeResponseAuthentication mechanism. 
# Depending on your PAM configuration, this may bypass the setting of 
# PasswordAuthentication, PermitEmptyPasswords, and 
# "PermitRootLogin without-password". If you just want the PAM account and 
# session checks to run without PAM authentication, then enable this but set 
# ChallengeResponseAuthentication=no
#UsePAM no
UsePAM yes

#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#ShowPatchLevel no

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem	sftp	/usr/libexec/openssh/sftp-server
 
Old 01-23-2006, 02:01 PM   #19
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
Did you restart the sshd server after making the changes? If so, then something is SERIOUSLY screwed up because your config file clearly shows that it shouldn't accept passwords.
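
Added example, not part of the thread: the comment block in the posted sshd_config says that with UsePAM enabled, PAM authentication is allowed through ChallengeResponseAuthentication and may bypass PasswordAuthentication. The script below resolves the value sshd would use for each keyword (first uncommented occurrence, otherwise the commented default shown in the posted file) for constructed excerpts of the post #16 and post #18 settings; the function names are hypothetical.

```shell
#!/bin/sh
# Print the value sshd would use for keyword $1 in file $2: the first
# uncommented occurrence wins (keywords are case-insensitive); else default $3.
effective() {
    awk -v key="$1" -v def="$3" '
        BEGIN { key = tolower(key) }
        { sub(/^[ \t]+/, "") }
        /^#/ || NF == 0 { next }
        { split($0, f, /[ \t=]+/) }
        tolower(f[1]) == key { print tolower(f[2]); found = 1; exit }
        END { if (!found) print def }
    ' "$2"
}

# List the mechanisms that can still put a password prompt in front of a user.
password_prompts() {
    cfg=$1; out=""
    if [ "$(effective PasswordAuthentication "$cfg" yes)" = yes ]; then
        out="password"
    fi
    if [ "$(effective ChallengeResponseAuthentication "$cfg" yes)" = yes ] &&
       [ "$(effective UsePAM "$cfg" no)" = yes ]; then
        out="${out:+$out }keyboard-interactive/pam"
    fi
    echo "${out:-none}"
}

# Constructed excerpts: only the authentication lines of two posted configs.
demo_configs() {
    tmp=$(mktemp -d)
    printf '%s\n' '#PasswordAuthentication yes' 'PasswordAuthentication no' \
        '#ChallengeResponseAuthentication yes' \
        'ChallengeResponseAuthentication no' 'UsePAM yes' > "$tmp/post16"
    printf '%s\n' '#PasswordAuthentication yes' 'PasswordAuthentication no' \
        'ChallengeResponseAuthentication yes' \
        '#ChallengeResponseAuthentication no' 'UsePAM yes' > "$tmp/post18"
    echo "post16: $(password_prompts "$tmp/post16")"
    echo "post18: $(password_prompts "$tmp/post18")"
    rm -rf "$tmp"
}
demo_configs
```

On a live server, `sshd -T` prints the effective configuration in OpenSSH versions that support it, which avoids reading the file by eye.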
 
Old 01-23-2006, 02:12 PM   #20
blackdragonblood
Member
 
Registered: May 2005
Location: Minneapolis, MN
Distribution: Debian
Posts: 217

Original Poster
Rep: Reputation: 30
Yep, I restarted sshd after each change. Should I reinstall the ssh package?
 
Old 01-23-2006, 02:29 PM   #21
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
That is what I would do. Something isn't quite right here.
 
Old 01-24-2006, 04:41 PM   #22
blackdragonblood
Member
 
Registered: May 2005
Location: Minneapolis, MN
Distribution: Debian
Posts: 217

Original Poster
Rep: Reputation: 30
I reinstalled all of the openssh packages. I made the following changes and still get the same error as before.

Code:
PermitRootLogin no
PasswordAuth no

Here is /etc/ssh/sshd_config:

Code:
#	$OpenBSD: sshd_config,v 1.72 2005/07/25 11:59:40 markus Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#Protocol 2,1
Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile	.ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing, 
# and session processing. If this is enabled, PAM authentication will 
# be allowed through the ChallengeResponseAuthentication mechanism. 
# Depending on your PAM configuration, this may bypass the setting of 
# PasswordAuthentication, PermitEmptyPasswords, and 
# "PermitRootLogin without-password". If you just want the PAM account and 
# session checks to run without PAM authentication, then enable this but set 
# ChallengeResponseAuthentication=no
#UsePAM no
UsePAM yes

#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#ShowPatchLevel no

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem	sftp	/usr/libexec/openssh/sftp-server

Last edited by blackdragonblood; 01-24-2006 at 04:43 PM.
 
Old 01-24-2006, 04:59 PM   #23
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
OK, if it isn't the sshd install and config and it isn't the permissions on the ~ and .ssh directories, then about the only thing left is the authorized_keys file on the server. Each key MUST be on a single line in order to work. Each key in mine looks something like this:

ssh-dss AAAAB3NzaC1kc3M yada yada yada p7PS4QP52ALMmLkiZiLa8S2ZVQ== username@computername

(only everything actually is on a single line)
 
Old 01-25-2006, 12:36 AM   #24
ftenario
Member
 
Registered: Jul 2003
Location: Camarillo, CA
Distribution: Debian
Posts: 48

Rep: Reputation: 15
Shouldn't it be like .ssh/authorized_keys2 and not .ssh/authorized_keys?
Try to cp authorized_keys to authorized_keys2.
 
Old 01-25-2006, 06:53 AM   #25
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
If you look at the sshd_config that has been posted you'll see the daemon is looking for the authorized_keys file, not authorized_keys2.
 
Old 01-25-2006, 05:07 PM   #26
rpdillon
LQ Newbie
 
Registered: May 2004
Distribution: Gentoo (main box, mythtv and laptop)
Posts: 14

Rep: Reputation: 0
Permissions are key

BlackDragonBlood-

I messed with this for over an hour recently on FC4. In the end, I found that NONE of the defaults needed to be changed in either ssh_config or sshd_config.

Instead, tail'ing /var/log/secure, I found that while the permissions on ~/.ssh and ~/.ssh/authorized_keys were fine, sshd was barfing because of the permissions on my home directory.

To fix, I ended up setting permission on the keys file "authorized_keys" to 600, as well as 700 for the ~/.ssh directory. In the end, I set my home directory permissions to 700 as well, and it fixed the problem.

To others: after having read the man page, it appears options like PasswordAuthentication merely enable or disable the types of authentication ALLOWED, not those that are used by default. If you disable password authentication, for example, you'll end up locking out any users that are NOT using ssh-agent, including yourself if you log in to the remote machine from a computer that is not using ssh-agent. The authentication priorities are set up in FC4 to, by default, use ssh-agent if available.
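
Added example, not from any poster: a shell audit for the two causes raised in posts #23 and #26, a key wrapped across several lines and the permissions on the home directory, ~/.ssh and authorized_keys. It assumes the rule sshd applies under StrictModes (each path owned by the user or root and not group- or world-writable), which the 700/600 modes above satisfy; the function names and the demo tree are constructed.

```shell
#!/bin/sh
# Added example: audit what sshd checks before trusting authorized_keys.

# Report a path that is group/world-writable or not owned by uid $2 or root.
check_path() {
    path=$1; want_uid=$2; rc=0
    [ -e "$path" ] || { echo "MISSING $path"; return 1; }
    info=$(ls -ldn -- "$path" | awk '{print $1, $3}')   # mode string, owner uid
    mode=${info% *}; owner=${info#* }
    case $mode in
        ?????w*|????????w*) echo "BAD-MODE $path ($mode)"; rc=1 ;;
    esac
    if [ "$owner" != "$want_uid" ] && [ "$owner" != 0 ]; then
        echo "BAD-OWNER $path (uid $owner)"; rc=1
    fi
    return $rc
}

# Print the numbers of lines that hold no "keytype AAAA..." pair, which is
# what the tail of a key wrapped across several lines looks like.
broken_key_lines() {
    awk '
        /^[ \t]*(#|$)/ { next }
        !/(ssh-(rsa|dss|ed25519)|ecdsa-sha2-)[^ \t]*[ \t]+AAAA/ { print NR }
    ' "$1"
}

# Audit home directory $1 for user uid $2 (default: the current user).
audit_ssh_home() {
    home=$1; uid=${2:-$(id -u)}; fail=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        check_path "$p" "$uid" || fail=1
    done
    if [ -f "$home/.ssh/authorized_keys" ]; then
        bad=$(broken_key_lines "$home/.ssh/authorized_keys" | tr '\n' ' ')
        [ -z "$bad" ] || { echo "BAD-KEY-LINES ${bad% }"; fail=1; }
    fi
    return $fail
}

# Constructed demo: home left at 775 and one key wrapped over two lines.
demo() {
    d=$(mktemp -d); mkdir "$d/.ssh"
    printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructed' \
        'restOfTheSameKey== user@client' > "$d/.ssh/authorized_keys"
    chmod 775 "$d"; chmod 700 "$d/.ssh"; chmod 600 "$d/.ssh/authorized_keys"
    audit_ssh_home "$d" && result=0 || result=1
    rm -rf "$d"
    return $result
}
demo || echo "audit found problems"
```

Run `audit_ssh_home "$HOME"` on the server as the account being logged in to; no output and exit status 0 means none of these checks failed.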
 
Old 01-26-2006, 09:04 PM   #27
blackdragonblood
Member
 
Registered: May 2005
Location: Minneapolis, MN
Distribution: Debian
Posts: 217

Original Poster
Rep: Reputation: 30
I tried remaking authorized_keys. Let's make sure I get this right.

1. Generate key on client
2. Copy key to server
3. cat id_rsa.pub > authourized_keys
4. Client no longer needs a password

Is the above correct?
 
Old 01-27-2006, 12:04 AM   #28
rpdillon
LQ Newbie
 
Registered: May 2004
Distribution: Gentoo (main box, mythtv and laptop)
Posts: 14

Rep: Reputation: 0
It seems you've made a distinction between two steps when there is none.

1) Generate keys. I used "ssh-keygen -t dsa" and used a password, but used the default file names.
2) Copy the ~/.ssh/id_dsa.pub to the server computer in your home directory as a file under .ssh called "authorized_keys" (you misspelled this above. Spelling matters when you're actually creating the file.)
3) Start ssh-agent on the client machine. This means you have to either spawn a shell using it ("ssh-agent bash") or spawn your X session off of ssh-agent (put "exec ssh-agent startkde" in your .xinitrc file, if you're using KDE, for example)
4) Add the key to the ssh-agent ("ssh-add" and then enter the password you used to create the key)
5) NOW you can login to the server with no password. If it doesn't work, check the /var/log/secure on your server and see why.

Rick
 
Old 01-27-2006, 07:09 AM   #29
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
I wonder how different the various distros are in this because I can get keys to work on my Slackware box with only steps 1-3 in your procedure (however I don't use a passphrase when I generate the key pair in step 1). I've also gotten it to work on a couple of friends' Ubuntu boxes without messing with ssh-agent. Still, given the complete lack of success my advice has produced so far, trying out Rick's procedure sure couldn't hurt.
 
Old 01-27-2006, 09:09 AM   #30
blackdragonblood
Member
 
Registered: May 2005
Location: Minneapolis, MN
Distribution: Debian
Posts: 217

Original Poster
Rep: Reputation: 30
I do not plan on using ssh-agent. One of the tutorials that I'm following is from Red Hat Fedora Linux 3 Bible p.571. It does not mention ssh-agent when setting up passwordless ssh. I'll double check my spelling and try copying the key as authorized_keys.
 
  

