SFTP auto login works one way only?

jchambers · 10-01-2008, 06:26 AM

Hello all.

I have read many posts on auto login for SSH but can not figure this one out.

Code:

#ssh-keygen -t rsa

-rw-r--r-- 1 root root  415 2008-10-01 04:07 authorized_keys
-rw------- 1 root root 1.7K 2008-09-30 18:47 id_rsa
-rw-r--r-- 1 root root  413 2008-09-30 18:47 id_rsa.pub
-rw-r--r-- 1 root root  884 2008-10-01 03:33 known_hosts

Example:

Server A cannot auto login (sftp) to server B

Server B can auto login (sftp) to server A

Server A: Debian (etch)
Linux 2.6.18-4-amd64 #1 SMP Mon Mar 26 11:36:53 CEST 2007 x86_64 GNU/Linux

Server B: Debian (etch)
Linux 2.6.18-5-686 #1 SMP Fri Jun 1 00:47:00 UTC 2007 i686 GNU/Linux

My only thought is that something changed in the newest version of Etch.
Any ideas?

Jon

ilikejam · 10-01-2008, 08:43 AM

Hi.

Check the permissions on the home directories as well as the .ssh directories and the keys.

Also, try running ssh -vvv in both directions to see if there's anything interesting.

Dave

jchambers · 10-01-2008, 01:14 PM

Thank you for the reply.

I keep getting blacklisted on the server I am trying to auto ssh to.
/var/logs/auth.log

Oct 1 10:43:50 www sshd[2444]: Public key 4f:d7:71:27:51:bf:5e:a9:b7:af:2c:82:0d:2a:bb:53 blacklisted (see ssh-vulnkey(1))

You got me on the right track, though it turns out it is a problem between the new version of open-ssh and prior versions. From what I read if both servers do not have the newest version it will not work. I upgraded both servers with openssl_0.9.8.

http://www.ducea.com/2008/05/14/ssh-vulnkey-a/

My problem is that my x86_64 version wil not upgrade to the newest version.

64 bit

Code:

ii  openssh-blacklist                 0.1.1                                list of blacklisted OpenSSH RSA and DSA keys
ii  openssh-client                    1:4.7p1-8                            secure shell client, an rlogin/rsh/rcp repla
ii  openssh-server                    1:4.7p1-8                            secure shell server, an rshd replacement
ii  ssh                               1:5.1p1-2                            secure shell client and server (metapackage)
ii  openssl                           0.9.8c-4etch3                        Secure Socket Layer (SSL) binary and related

i686

Code:

ri  openssh-blacklist                 0.1.1                                list of blacklisted OpenSSH RSA and DSA keys
ii  openssh-client                    4.3p2-9etch3                         Secure shell client, an rlogin/rsh/rcp repla
ii  openssh-server                    4.3p2-9etch3                         Secure shell server, an rshd replacement
ii  ssh                               4.3p2-9etch3                         Secure shell client and server (transitional
openssl                           0.9.8c-4etch3                        Secure Socket Layer (SSL) binary and related

Anyway to bypass the black list?

ilikejam · 10-02-2008, 05:49 AM

You can get around this by regenerating your host keys. Should be something like:

# ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa
# ssh-keygen -f /etc/ssh/ssh_host_dsa_key -N '' -t dsa

This will cause any client to shout about key fingerprints when the SSH/SFTP in, which may break automated pub-priv key logins until the new host fingerprints are accepted, so be warned.

Dave

jchambers · 10-08-2008, 12:33 PM

Well I figured it out.

http://www.debian.org/security/2008/dsa-1571

http://wiki.debian.org/SSLkeys

Turns out that I needed to do this:

Code:

rm /etc/ssh/ssh_host_*
dpkg-reconfigure openssh-server

Then it recreated the keys without black listing them.

Thanks for your help Dave.
Your suggestions led me to the answer.

Jon

saleemsupra · 01-02-2009, 04:03 AM

i am using fedora7 64 i want to login to other machine by rsh without password. there is no xinetd in my /etc dir. rsh appears only in /usr/bin/rsh or in pam.d directory.

please help me how can i configure rsh and login using rsh command?

Thanks

Saleemsupra

jchambers · 01-03-2009, 01:29 PM

Hi saleemsupra.

I setup ssh using "ssh-keygen -t rsa", then copied the id_rsa.pub key to the authorized_keys file of the remote server/user to connect to. Manually login once using ssh or sftp to the remote server. After that is setup it seems to work well for me.

#rsh -l [remote user] -p [remote port] [url / IP] [command]

#rsh -l myuser -p 22 192.168.2.55 echo

I hope that helps to answer your question.

Jon