sftp non-interactive login

Laertiades · 07-02-2012, 02:40 PM

I realize this is a common issue. I have read a number of other entries but nothing works for me.
I wish to automate file uploads to ipage.com using sftp. Man pages on sftp say I must use non-interactive login and give reference ssh-keygen. I used ssh-keygen to make two files. I put one in ~/.ssh/authorized_keys on server. when I run following script:

sftp -i ~/.ssh/id_rsa -P 2222 USER@ftp.ipage.com

I am still asked for password. I have tried several other things recommended at other forums to no avail. Perhaps ipage does not support passwordless login or ssh(1) or ssh(2). I don't know how to find out and customer service is not helpful.

Any help would help. Thanks in advance.

suicidaleggroll · 07-02-2012, 03:03 PM

make sure your authorized keys file has the proper permissions. If the permissions are too lax SSH won't use it.

Code:

chmod 750 ~
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

Also, you shouldn't have to pass the rsa key on the command line, it should do it automatically. Just run ssh-keygen, press enter a few times until you're back at the prompt (don't enter a passphrase), then copy the contents of the id_rsa.pub file into authorized_keys on the destination machine.

Laertiades · 07-02-2012, 03:31 PM

Thank you for the response. I changed file permissions as specified on client and server. sftp still wants password. I also used ssh-add to add identity. I remade the id_rsa files without the -t rsa option. I never get any error messages; just a prompt for my password no matter what I try.

suicidaleggroll · 07-02-2012, 03:45 PM

Try adding -v to your sftp call, it should print more info about why you're being prompted for a password.

Laertiades · 07-02-2012, 04:00 PM

Here is the output if you wouldn't mind giving your input. I am unable to interpret. I will substitute ?????? for data which seems to be of a sensitive nature.

OpenSSH_5.8p1 Debian-7ubuntu1, OpenSSL 1.0.0e 6 Sep 2011
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to ftp.ipage.com [66.96.147.100] port 2222.
debug1: Connection established.
debug1: identity file /home/jesse/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /home/jesse/.ssh/id_rsa-cert type -1
debug1: Remote protocol version 2.0, remote software version mod_sftp/0.9.8
debug1: no match: mod_sftp/0.9.8
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.8p1 Debian-7ubuntu1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA ?????????????????????????????????
debug1: Host '[ftp.ipage.com]:2222' is known and matches the RSA host key.
debug1: Found key in /home/jesse/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/jesse/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: /home/jesse/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password
????????????@ftp.ipage.com's password:

Thank you in any case for all the help you have offered thus far.
I might add that customer service at ipage swears up and down that they do not support ssh.

suicidaleggroll · 07-02-2012, 04:17 PM

I just compared that to a working public key authentication on my own machine. The relevant part is below (differences versus your output in bold):

Code:

debug1: Next authentication method: publickey
debug1: Offering public key: /home/eggroll/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Offering public key: /home/eggroll/.ssh/id_dsa
debug1: Server accepts key: pkalg ssh-dss blen 433
debug1: read PEM private key done: type DSA
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Sending subsystem: sftp

So yours is sending the key, it's being accepted by the server, but it still doesn't let you in. In my experience this is usually caused by a permission issue. One difference in my setup is the authorized_keys file on the server is actually called "authorized_keys2", not sure if that would make a difference.

Laertiades · 07-02-2012, 04:39 PM

I have checked that there are write permissions are only for user on home/ .ssh/ and authorized_keys2 (I tried changing name. Which perhaps refers to protocol 2). Is there perhaps a way to ensure that the server has PubkeyAuthentication Yes and RSAAuthentication Yes?

chrism01 · 07-02-2012, 06:05 PM

Look into /etc/ssh/sshd_config; full docs here http://www.openssh.com/manual.html

Laertiades · 07-03-2012, 12:13 PM

I greatly appreciate your help suicidaleggroll and chrism01. I do not have sshd_config on my system. This file seems to be used by sshd, a server daemon which I do not have installed. I did find etc/ssh/ssh_config and I added the line:

PubkeyAuthentication yes

which changed the last five lines of my output to:

debug1: Offering RSA public key: /home/jesse/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password

I also added the following to no effect (of course)

HostbasedAuthentication yes
IdentityFile ~/.ssh/id_rsa
EnableSSHKeysign yes

I would really like to implement this public key authentication. It seems like the appropriate way to protect a clients data when automating uploads to a webhost. Any further help, advise, or insight from anyone would be greatly appreciated. I will show my file permissions and my 2 bash scripts if that helps anyone:

sftp> pwd
Remote working directory: /.ssh
sftp> ls -al
drwx------ 2 USER www 3 Jul 3 12:10 .
drwxr-x--- 8 USER www 28 Jul 2 11:58 ..
-rw------- 1 USER www 404 Jul 2 16:24 authorized_keys

[jesse .ssh]$ ls -al
total 20
drwx------ 2 jesse jesse 4096 2012-07-02 13:23 .
drwx------ 34 jesse jesse 4096 2012-07-03 07:17 ..
-r-------- 1 jesse jesse 1679 2012-07-02 13:23 id_rsa
-rw------- 1 jesse jesse 404 2012-07-02 13:23 id_rsa.pub
-rw------- 1 jesse jesse 540 2012-06-29 16:16 known_hosts

sftp -2 -v -i /home/jesse/.ssh/id_rsa -P 2222 USER@ftp.ipage.com
ssh -2 -v -i /home/jesse/.ssh/id_rsa -p 2222 USER@ftp.ipage.com

lleb · 07-03-2012, 03:25 PM

if you own both servers you can start over and try following these basic steps:

Code:

[rx30@rx30 ~]$ cd .ssh
[rx30@rx30 .ssh]$ ls -l
total 12
-rw------- 1 rx30 group 3243 Jun 22 15:50 id_rsa
-rw-r--r-- 1 rx30 group  743 Jun 22 15:50 id_rsa.pub
-rw-r--r-- 1 rx30 group 2980 Jun 13 12:02 known_hosts
[rx30@rx30 .ssh]$ rm -rf id*
[rx30@rx30 .ssh]$ ssh-keygen -t rsa -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/usr/rx30/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /usr/rx30/.ssh/id_rsa.
Your public key has been saved in /usr/rx30/.ssh/id_rsa.pub.
The key fingerprint is:
1c:b1:72:fd:40:3c:93:4e:a6:99:21:31:fd:7a:2c:d8 rx30@rx30.localdomain
[rx30@rx30 .ssh]$
[rx30@rx30 .ssh]$ ls -laF
total 56
drwxr-xr-x   2 rx30 group  4096 Jul  3 16:18 ./
drwxrwxrwx+ 52 rx30 group 36864 Jul  3 16:09 ../
-rw-------   1 rx30 group  3243 Jul  3 16:18 id_rsa
-rw-r--r--   1 rx30 group   743 Jul  3 16:18 id_rsa.pub
-rw-r--r--   1 rx30 group  2980 Jun 13 12:02 known_hosts
[rx30@rx30 .ssh]$ ssh-copy-id -i *.pub XXX@10.10.4.81
10
XXX@10.10.4.81's password:
Now try logging into the machine, with "ssh 'XXX@10.10.4.81'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

[rx30@rx30 .ssh]$ ssh XXX@10.10.4.81
Last login: Fri Jun 22 16:31:31 2012 from 10.10.4.77
[XXX@XXX ~]$ exit
logout
Connection to 10.10.4.81 closed.

The permissions on the remote system for .ssh are as follows:

Code:

$ ls -laF /home/XXX/.ssh/
total 24
drwx------.  2 ray ray 4096 Jul  3 16:18 ./
drwx------. 59 ray ray 4096 May 31 14:01 ../
-rw-------   1 ray ray  743 Jul  3 16:18 authorized_keys
-rw-r--r--   1 ray ray 8346 Jul  3 16:17 known_hosts

on the local box the permissions for .ssh are:

Code:

drwxr-xr-x   2 rx30 group      4096 Jul  3 16:18 .ssh

and on the remote box:

Code:

drwx------.  2 XXX  XXX     4096 Jul  3 16:18 .ssh/

Hope this helps. The permissions of 761 on the local system are a bit loose, but it does not seem to affect the ability to connect. typically you dont want permissions looser then 700, but 755 are ok.

Laertiades · 07-04-2012, 10:11 AM

thank you lleb for your contribution. I do not have control of the remote server. I tried your steps but couldn't get ssh-copy-id to connect. I am also unable to connect with ssh. I have been able to connect with ftp and sftp. At this point I am going to desist from further attempts. Perhaps it is a red herring. Perhaps I am in over my head. Thank you, everyone, for your time.