SSH without password
Greetings all.
I'm having trouble trying to implement ssh without password: http://www.cs.umd.edu/~arun/misc/ssh.html

I have followed the exact steps, but at the end ssh the_remote_host still asked for the password. If I gave the password, I would log in normally, but that was not the intention. I wonder if I missed some settings. Please guide me to solve this problem. Lots of thanks.

PS: The client was VectorLinux 4.0 RC4, trying to log in to Redhat 9.0 remote host.
1. Firstly, generate your public/private keys using ssh-keygen

    % ssh-keygen -t rsa

You must use the -t option to specify that you are producing keys for SSHv2 using RSA. This will generate your id_rsa and id_rsa.pub in the .ssh directory in your home directory. I strongly suggest using a passphrase.

2. Now copy the id_rsa.pub to the .ssh directory of the remote host you want to logon to as authorized_keys2.

[Note: If you have more than one host from which you want to connect to the remote host, you need to add the local host's id_rsa.pub as one line in the authorized_keys2 file of the remote host, i.e., you can have more than one entry. Thanks to Jinn Koriech for pointing out that this isn't obvious. Also you need to 'chmod 644 authorized_keys2' to make it unwritable to everybody apart from the user. Thanks to Matthew Lohbihler for making this known.]

You are basically telling the sshd daemon on the remote machine to encrypt the connection with this public key and that this key is authorized for version 2 of the ssh protocol. Try using something secure like scp for this copying.

    % scp ~box/.ssh/id_rsa.pub box@secondmachine:~box/.ssh/authorized_keys2

3. Your public key based authentication has been set up. You won't be asked your password on the remote machine. However, you need a program that manages your keys for you called an agent. You need to start the agent, tell it your passphrase, and hook up to the agent whenever you need to connect to the remote machine.

4. We shall assume the following situation: You logon to a console and then startx as in say, an out-of-the-box Linux installation. You should figure out what exactly has to be done for your specific machine's X initialization. All the following steps are to be done on your local machine, in this case localmachine.secondmachine.

5. Fire up your favourite editor, and pull up your .profile file. Add the following line to the file:

    alias startx='ssh-agent startx'

This means that every child of startx (i.e. anything under X) would be able to hook up to the agent.

6. Edit your .xinitrc file by adding the following lines:

    DISPLAY="localmachine.cs.umd.edu:0"
    SSH_ASKPASS="/usr/libexec/openssh/x11-ssh-askpass"
    # Export both so that ssh-add, a child process, inherits them.
    export DISPLAY SSH_ASKPASS
    ssh-add < /dev/null
    # Change this to whatever window manager you use under X
    # or leave whatever was there unchanged.
    startkde

.xinitrc is the init file for X. Unfortunately, as ssh-add doesn't have a controlling terminal, it needs to be told to read input from an external source. When you specify /dev/null, the program pops up a d-box program specified by $SSH_ASKPASS and asks you for your passphrase. The d-box can be as simple as an xterm, but you could use the x11-ssh-askpass that comes with your openssh installation. The DISPLAY is usually automatically set, but just in case.

Nota Bene: If you had to create .xinitrc, then you must add something after the ssh-add statement to start the window-manager/desktop/whatever. Otherwise, X will simply terminate after asking for the password. If you don't know how to set this up, you might want to dig in your /etc/X11/init.d files for the appropriate init sequences.

7. Now when you startx, a dialog box should pop up and ask you for your passphrase. You are all set. Open up an xterm, and say

    % ssh secondmachine

Voila! You'll be logged in without typing in your password. You'll have to re-enter your passphrase every time you start X. The passphrase can be side-stepped by giving the empty string, but I'd rather you don't.

8. As a fringe benefit, you can execute any GUI based programs on the remote machine for free, no setting up $DISPLAY, no need to xhost+ etc. Cool, eh?
Thanks joseph.
But your posting is exactly the article I have followed, and it has not worked. I have been searching Google for "+ssh +without-password"; there are a lot of the same problems, without a clear solution.
Wow, is it right? But those steps were the ones I used, like in your case, and everything went OK.
Kocil,
A little stab in the dark. Is it the standard password prompt? (user@machine's password: )

On the server, is the AuthorizedKeysFile option set in /etc/ssh/sshd_config? It may be that the ~/.ssh/authorized_keys2 file is not being processed. That file is deprecated in openssh v.3. What versions of ssh are on each machine?

If that doesn't help, can you post the output of ssh -vvv user@machine (ssh -vvv 2>debugfile ) and cancel when you get the password prompt. I don't think it has anything sensitive in it, but you should check first. (a public key fingerprint, I think, and you can redo your keys after you get it working :) )

I'll take a look, and see if I can't reproduce your log. I've been intrigued by the key system lately.

Good luck,
chris

edit: forgot my signoff
Hi all.
Thanks for the answers. I found the problem from http://www.cag.lcs.mit.edu/~rugina/ssh-procedures/

quote:
----------
Note: If you do have write permissions for either the .ssh directory or for the authorized_keys file on the remote machine, then sshd will consider that the procedure is not safe enough, so it will abort the RSA challenge-authentication mode (mode 3) and will go to the default mode (mode 5) asking you for the password on the remote machine.
----------

Last time I failed because I did 'chmod 644 authorized_keys2' but not the ~/.ssh itself. I fixed it and ssh-without-password is working fine now.

Thanks all ......
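The permission requirement in the quoted note can be audited on the remote account before retrying the login. This is an added example, not part of the original thread: a shell function that checks a subset of what sshd's StrictModes option enforces (no group/other write bit on the home directory, ~/.ssh and the keys file) plus the owner search bit on the directories. The helper names mode_of and check_ssh_perms are hypothetical, and file ownership is not checked.

```shell
#!/bin/sh
# Added example: audit the modes sshd looks at before it trusts a
# user's authorized_keys file. Helper names are hypothetical.

# Print the octal mode of a path (GNU stat, falling back to BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_ssh_perms HOME_DIR [KEYS_FILE_NAME]
# Prints one line per problem; returns 0 if clean, 1 otherwise.
# Ownership is not checked here.
check_ssh_perms() {
    home=$1
    keys=${2:-authorized_keys}
    rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/$keys"; do
        if [ ! -e "$p" ]; then
            # Also reported when a parent directory cannot be searched.
            echo "MISSING  $p"; rc=1; continue
        fi
        m=$(mode_of "$p")
        # Group- or world-writable: any of the octal 022 bits set.
        if [ $(( 0$m & 022 )) -ne 0 ]; then
            echo "WRITABLE $p (mode $m): fix with chmod go-w"; rc=1
        fi
        # A directory without the owner search (x) bit hides its files
        # from the owner, so the keys file cannot be read.
        if [ -d "$p" ] && [ $(( 0$m & 0100 )) -eq 0 ]; then
            echo "NOSEARCH $p (mode $m): fix with chmod u+x"; rc=1
        fi
    done
    return $rc
}

# Usage on the remote host, for the file name used in this thread:
#   check_ssh_perms "$HOME" authorized_keys2
```

A clean run prints nothing and returns 0; typical safe modes are 700 for ~/.ssh and 600 or 644 for the keys file.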
I am facing exactly the same problem ..
The output of ssh -vvv cmu 2>debugfile.1 follows.

OpenSSH_3.7.1p2, SSH protocols 1.5/2.0, OpenSSL 0.9.7b 10 Apr 2003
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to cmu [128.2.13.176] port 22.
debug1: Connection established.
debug1: identity file /home/nsahoo/.ssh/identity type -1
debug3: Not a RSA1 key file /home/nsahoo/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/nsahoo/.ssh/id_rsa type 1
debug1: identity file /home/nsahoo/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.4+p1+gssapi+OpenSSH_3.7buf_fix
debug1: match: OpenSSH_3.4+p1+gssapi+OpenSSH_3.7buf_fix pat OpenSSH_3.2*,OpenSSH_3.3*,OpenSSH_3.4*,OpenSSH_3.5*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.7.1p2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 124/256
debug2: bits set: 1583/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /home/nsahoo/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 11
debug3: check_host_in_hostfile: filename /home/nsahoo/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 7
debug1: Host 'cmu' is known and matches the RSA host key.
debug1: Found key in /home/nsahoo/.ssh/known_hosts:11
debug2: bits set: 1617/3191
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/nsahoo/.ssh/identity ((nil))
debug2: key: /home/nsahoo/.ssh/id_rsa (0x808c240)
debug2: key: /home/nsahoo/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: external-keyx,gssapi,publickey,password,keyboard-interactive
debug3: start over, passed a different list external-keyx,gssapi,publickey,password,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/nsahoo/.ssh/identity
debug3: no such identity: /home/nsahoo/.ssh/identity
debug1: Offering public key: /home/nsahoo/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: external-keyx,gssapi,publickey,password,keyboard-interactive
debug1: Trying private key: /home/nsahoo/.ssh/id_dsa
debug3: no such identity: /home/nsahoo/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: Authentications that can continue: external-keyx,gssapi,publickey,password,keyboard-interactive
debug3: userauth_kbdint: disable: no info_req_seen
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred:
debug3: authmethod_is_enabled password
debug1: Next authentication method: password

and in the remote machine

% ls -ld .ssh
drw-r--r-- 2 nsahoo staff 2048 Dec 16 15:40 .ssh
% ls -l .ssh
total 4
-rw-r--r-- 1 nsahoo staff 223 Dec 16 15:55 authorized_keys
-rw-r--r-- 1 nsahoo staff 2603 Dec 10 17:37 known_hosts

Any help?