LinuxQuestions.org


Kocil 09-08-2003 10:30 PM

SSH without password
 
Greetings all.

I'm having trouble trying to implement ssh without password:
http://www.cs.umd.edu/~arun/misc/ssh.html

I have followed the exact steps, but at the end
ssh the_remote_host
still asked for the password.

If I gave the password, I would log in normally, but that was not the intention.

I wonder if I missed some settings.
Please guide me to solve this problem.

Lot of Thanks.

PS:
The client was VectorLinux 4.0 RC4,
trying to login to Redhat 9.0 remote host.

joseph 09-08-2003 10:52 PM

1. Firstly, generate your public/private keys using ssh-keygen

% ssh-keygen -t rsa

You must use the -t option to specify that you are producing keys for SSHv2 using RSA. This will generate your id_rsa and id_rsa.pub in the .ssh directory in your home directory. I strongly suggest using a passphrase.

2. Now copy the id_rsa.pub to the .ssh directory of the remote host you want to logon to as authorized_keys2 . [Note: If you have more than one host from which you want to connect to the remote host, you need to add the local host's id_rsa.pub as one line in the authorized_keys2 file of the remote host, i.e., you can have more than one entry. Thanks to Jinn Koriech for pointing out that this isn't obvious. Also you need to 'chmod 644 authorized_keys2' to make it unwritable to everybody apart from the user. Thanks to Matthew Lohbihler for making this known. ] You are basically telling the sshd daemon on the remote machine to encrypt the connection with this public key and that this key is authorized for version 2 of the ssh protocol. Try using something secure like scp for this copying.

% scp ~box/.ssh/id_rsa.pub box@secondmachine:~box/.ssh/authorized_keys2



3. Your public key based authentication has been setup. You won't be asked your password on the remote machine. However, you need a program that manages your keys for you called an agent. You need to start the agent, tell it your passphrase, and hook up to the agent whenever you need to connect to the remote machine.

4. We shall assume the following situation: You logon to a console and then startx as in say, an out-of-the-box Linux installation. You should figure out what exactly has to be done for your specific machine's X initialization. All the following steps are to be done on your local machine, in this case- localmachine.secondmachine.

5. Fire your favourite editor, and pull up your .profile file. Add the following line to the file:

alias startx='ssh-agent startx'

This means that every child of startx (i.e. anything under X) would be able to hookup to the agent.

6. Edit your .xinitrc file by adding the following lines:

DISPLAY="localmachine.cs.umd.edu:0"
SSH_ASKPASS="/usr/libexec/openssh/x11-ssh-askpass"
ssh-add < /dev/null

# Change this to whatever window manager you use under X
# or leave whatever was there unchanged.
startkde

.xinitrc is the init file for X. Unfortunately, as ssh-add doesn't have a controlling terminal, it needs to be told to read input from an external source. When you specify /dev/null, the program pops up a d-box program specified by $SSH_ASKPASS and asks you for your passphrase. The d-box can be as simple as an xterm, but you could use the x11-ssh-askpass that comes with your openssh installation. The DISPLAY is usually automatically set, but just in case.

Nota Bene: If you had to create .xinitrc, then you must add something after the ssh-add statement to start the window-manager/desktop/whatever. Otherwise, X will simply terminate after asking for the password. If you don't know how to set this up, you might want to dig in your /etc/X11/init.d files for the appropriate init sequences.

7. Now when you startx, a dialog box should pop up and ask you for your passphrase. You are all set. Open up an xterm, and say

% ssh secondmachine

Voila ! You'll be logged in without typing in your password. You'll have to re-enter your passphrase every time you start X. The passphrase can be side-stepped by giving the empty string, but I'd rather you don't.

8. As a fringe benefit, you can execute any GUI based programs on the remote machine for free, no setting up $DISPLAY , no need to xhost+ etc. Cool, eh ?

Kocil 09-08-2003 10:59 PM

Thanks joseph.

But your posting is exactly the article I have followed and not worked.

I have been searching the google for "+ssh +without-password",
there are a lot of the same problems, without clear solution.

joseph 09-08-2003 11:46 PM

Wow, is that right? But those steps are what I used to set up a case like yours, and everything went OK.

bastard23 09-09-2003 12:51 AM

Kocil,

A little stab in the dark.

Is it the standard password prompt? (user@machine's password: )

On the server, is the AuthorizedKeysFile option set in /etc/ssh/sshd_config? It may be that the ~/.ssh/authorized_keys2 file is not being processed. That file is deprecated in openssh v.3.

What versions of ssh are on each machine?

If that doesn't help, can you post the output of ssh -vvv user@machine (ssh -vvv 2>debugfile ) and cancel when you get the password prompt. I don't think it has anything sensitive in it, but you should check first. (a public key fingerprint, I think, and you can redo your keys after you get it working :) )

I'll take a look, and see if I can't reproduce your log. I've been intrigued by the key system lately.

Good luck,
chris

edit: forgot my signoff

Kocil 09-09-2003 01:56 AM

Hi all.

Thanks for the answers.
I found the problem from

http://www.cag.lcs.mit.edu/~rugina/ssh-procedures/

quote:
----------
Note: If you do have write permissions for either the .ssh directory or for the authorized_keys file on the remote machine, then sshd will consider that the procedure is not safe enough, so it will abort the RSA challenge-authentication mode (mode 3) and will go to the default mode (mode 5) asking you for the password on the remote machine.
----------

Last time I failed because I did 'chmod 644 authorized_keys2'
but not the ~/.ssh itself.

I fixed it and ssh-without-password is working fine now.

Thanks all ...... :cool:

roror 12-16-2003 02:59 PM

I am facing exactly the same problem ..

the output of ssh -vvv cmu 2>debugfile.1 follows.

OpenSSH_3.7.1p2, SSH protocols 1.5/2.0, OpenSSL 0.9.7b 10 Apr 2003
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to cmu [128.2.13.176] port 22.
debug1: Connection established.
debug1: identity file /home/nsahoo/.ssh/identity type -1
debug3: Not a RSA1 key file /home/nsahoo/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/nsahoo/.ssh/id_rsa type 1
debug1: identity file /home/nsahoo/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.4+p1+gssapi+OpenSSH_3.7buf_fix
debug1: match: OpenSSH_3.4+p1+gssapi+OpenSSH_3.7buf_fix pat OpenSSH_3.2*,OpenSSH_3.3*,OpenSSH_3.4*,OpenSSH_3.5*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.7.1p2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 124/256
debug2: bits set: 1583/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /home/nsahoo/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 11
debug3: check_host_in_hostfile: filename /home/nsahoo/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 7
debug1: Host 'cmu' is known and matches the RSA host key.
debug1: Found key in /home/nsahoo/.ssh/known_hosts:11
debug2: bits set: 1617/3191
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/nsahoo/.ssh/identity ((nil))
debug2: key: /home/nsahoo/.ssh/id_rsa (0x808c240)
debug2: key: /home/nsahoo/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: external-keyx,gssapi,publickey,password,keyboard-interactive
debug3: start over, passed a different list external-keyx,gssapi,publickey,password,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/nsahoo/.ssh/identity
debug3: no such identity: /home/nsahoo/.ssh/identity
debug1: Offering public key: /home/nsahoo/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: external-keyx,gssapi,publickey,password,keyboard-interactive
debug1: Trying private key: /home/nsahoo/.ssh/id_dsa
debug3: no such identity: /home/nsahoo/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: Authentications that can continue: external-keyx,gssapi,publickey,password,keyboard-interactive
debug3: userauth_kbdint: disable: no info_req_seen
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred:
debug3: authmethod_is_enabled password
debug1: Next authentication method: password

and in the remote machine

% ls -ld .ssh
drw-r--r-- 2 nsahoo staff 2048 Dec 16 15:40 .ssh
% ls -l .ssh
total 4
-rw-r--r-- 1 nsahoo staff 223 Dec 16 15:55 authorized_keys
-rw-r--r-- 1 nsahoo staff 2603 Dec 10 17:37 known_hosts


Any help?
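
An added example, not part of any post in this thread: a shell check for the permission conditions discussed above, namely a home directory, ~/.ssh or authorized_keys file that is group- or world-writable or not owned by the user (which sshd rejects under its default StrictModes setting), plus a directory whose owner lacks the search bit, as in the drw-r--r-- listing. The function names are made up for this example, and it assumes it is run as the owner of the account being checked.

```sh
#!/bin/sh
# Added example: flag the permission problems that stop sshd (StrictModes,
# on by default) from using ~/.ssh/authorized_keys. Run as the account owner.
# Usage: check_ssh_perms [home_dir]

report() {            # print one finding and count it
    echo "$1"
    problems=$((problems + 1))
}

check_path() {        # hypothetical helper: inspect one file or directory
    path=$1
    if [ ! -e "$path" ]; then report "missing: $path"; return; fi
    # ls -ldn: field 1 is the mode string, field 3 the numeric owner uid
    info=$(ls -ldn "$path" | awk '{ print substr($1, 1, 10), $3 }')
    mode=${info% *}
    owner=${info#* }
    # sshd accepts only paths owned by the user or by root
    if [ "$owner" != "$(id -u)" ] && [ "$owner" != 0 ]; then
        report "owned by uid $owner: $path"
    fi
    # positions 6 and 9 of the mode string are group write and other write
    case $mode in ?????w????) report "group-writable ($mode): $path" ;; esac
    case $mode in ????????w?) report "world-writable ($mode): $path" ;; esac
    # a directory without owner search (x) cannot be entered to read the keys
    case $mode in d??[!xs]*) report "owner cannot enter directory ($mode): $path" ;; esac
}

check_ssh_perms() {   # returns the number of problems found (0 = clean)
    home=${1:-$HOME}
    problems=0
    check_path "$home"
    check_path "$home/.ssh"
    for f in authorized_keys authorized_keys2; do
        if [ -e "$home/.ssh/$f" ]; then check_path "$home/.ssh/$f"; fi
    done
    return "$problems"
}
```

Run it on the remote host; modes 755 or stricter on the home directory, 700 on ~/.ssh and 644 or 600 on the key file produce no findings.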

