LinuxQuestions.org
Old 07-29-2008, 01:03 PM   #1
mfitzpat
LQ Newbie
 
Registered: Feb 2004
Location: Boston, MA
Distribution: Centos
Posts: 27

Rep: Reputation: 15
SSH key issue


Hi,
I am trying to set up ssh keys so that I do not need passwds to scp/ssh between systems. System nona-man is running CentOS4.5 and node1003 is running CentOS5.1.

I generate the keys for nona-man: ssh-keygen -t rsa
no passphrase. Then via kickstart copy nona-man's id_rsa, id_rsa.pub and authorized_keys (copy of id_rsa.pub) files to node1003:/root/.ssh. All root/.ssh dir/files have the permission 700/600, respectively. I can ssh as root into the node1003 from nona-man without a passwd, but not the reverse. My /etc/sshd_config file is a default and unchanged. /etc/hosts.allow on nona-man allows ssh from the node1003. hosts.deny is ALL:ALL

nona-man:/var/log/messages shows
nona sshd[2111]: ROOT LOGIN REFUSED FROM ::ffff:172.20.101.3 (node IP)
I do not want to allow root logins, as other nics are exposed to the outside world.


Below is the debug info from the node to nona-man.

One debug message seems strange to me: It is looking for rsa1 key...

debug1: identity file /root/.ssh/identity type -1
debug3: Not a RSA1 key file /root/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'

Googling around, I see others having this problem and the suggested solution is to convert the id_rsa key to ssh2 format.
I have tried, on both systems, and get errors
[root@node1003 .ssh]# ssh-keygen -i
Enter file in which the key is (/root/.ssh/id_rsa):
buffer_get_string_ret: bad string length 813826652
key_from_blob: can't read key type
decode blob failed.

I know I am missing something simple, but cannot put my finger on it.

Thanks for any advice/help
Mary Ellen


[root@node1003 .ssh]# ssh -vvv nona-man |more
OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May 2006
debug1: Reading configuration data /root/.ssh/config
debug1: /root/.ssh/config line 3: Deprecated option "FallBackToRsh"
debug1: Applying options for nona-man
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to nona-man [172.20.0.1] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug3: Not a RSA1 key file /root/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /root/.ssh/id_rsa type 1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: loaded 3 keys
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.9p1
debug1: match: OpenSSH_3.9p1 pat OpenSSH_3.*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 129/256
debug2: bits set: 505/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /dev/null
debug3: check_host_in_hostfile: filename /opt/xcat/etc/gkh
debug3: check_host_in_hostfile: match line 2
debug1: Host 'nona-man' is known and matches the RSA host key.
debug1: Found key in /opt/xcat/etc/gkh:2
debug2: bits set: 518/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /root/.ssh/identity ((nil))
debug2: key: /root/.ssh/id_rsa (0x5555564805e0)
debug2: key: /root/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred gssapi-with-mic,publickey
debug3: authmethod_lookup publickey
debug3: remaining preferred: ,publickey
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug3: no such identity: /root/.ssh/identity
debug1: Offering public key: /root/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 149
debug2: input_userauth_pk_ok: fp 15:14:97:bd:b6:9d:7e:fb:d7:57:8e:0f:81:39:ee:d2
debug3: sign_and_send_pubkey
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /root/.ssh/id_dsa
debug3: no such identity: /root/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey,password).

--
Thanks
Mary Ellen
 
Old 07-29-2008, 02:26 PM   #2
tronayne
Senior Member
 
Registered: Oct 2003
Location: Northeastern Michigan, where Carhartt is a Designer Label
Distribution: Slackware 32- & 64-bit Stable
Posts: 3,541

Rep: Reputation: 1065Reputation: 1065Reputation: 1065Reputation: 1065Reputation: 1065Reputation: 1065Reputation: 1065Reputation: 1065
If I'm reading it correctly, you generated keys with ssh-keygen then you copied all of the files to another machine? Uh, no, that's not going to do it.

First thing you'll need to do (on both machines) is get into the root/.ssh directory and remove everything or edit authorized_keys and known_hosts and delete the entries for the "other" machine name in those files. It might be easier to simply remove all the files in the directory so you can start clean.

What you have to do is generate keys on each machine individually; you copy the id_rsa.pub file to every other machine that will connect with "this" machine. You do the same thing on every other machine, copying the id_rsa.pub file to "these" machines. You do not copy any other file to another machine.

You do this for every user (including root) that you want to be able to connect without a password.

So, you do ssh-keygen on nonaman; that puts the files in the .ssh directory. You do the same thing on node1003. Now, cd .ssh on nonaman and cp id_rsa.pub nonaman.pub. Copy nonaman.pub to node1003:root/.ssh. Get logged in as root on node1003, cd .ssh, cp id_rsa.pub node1003.pub, copy that to nonaman:root/.ssh.

At this point you've got, in root/.ssh on nonaman, the files you generated plus the file node1003.pub that you copied from there. Simply cp node1003.pub authorized_keys and you're good to go. Do the same thing on node1003 (except use the nonaman.pub file you copied over there) and you're good to go there, too.

You do need to repeat this for every user individually for the accounts they will be logging in to on whatever machine (don't copy the files generated for root, that won't work).

Now, last step, in the .ssh directory create a file config and put entries in it like this:
Host nonaman
ForwardX11 yes
Compression yes
Protocol 2,1
User root
This will make life easy -- the above goes on node1003, you'd change the Host name in the config file on nonaman.

Hope this helps some -- you may want to take a look at http://www.linuxjournal.com/article/6602 for a discussion of the content of the config file.

Last edited by tronayne; 07-29-2008 at 02:35 PM.
 
Old 07-30-2008, 12:59 AM   #3
tajamari
Member
 
Registered: Jul 2007
Distribution: Red Hat CentOS Ubuntu FreeBSD OpenSuSe
Posts: 252

Rep: Reputation: 32
Try these steps

Creating an SCP and SSH connection without passwords.

1. local> ssh-keygen -t dsa -b 2048 -f .ssh/id_dsa
2. local> cd .ssh
3. local> scp id_dsa.pub user@remote:~/.ssh/id_dsa.pub
4. local> ssh user@remote
5. remote> cd .ssh
6. remote> cat id_dsa.pub >> authorized_keys2
7. remote> chmod 640 authorized_keys2
8. remote> rm id_dsa.pub
9. quit
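The key exchange that the two replies above describe (generate a key pair on each machine, copy only the public key across, append it to authorized_keys, keep the directory at 700 and the file at 600) can be done with a small helper, as in this added example. It is not code from the thread or from any of the posters; the key file, directory and key text used in the demo are constructed, and the helper only touches the directory you pass it.

```shell
# Added example (not from the thread): install a public key into a user's
# authorized_keys the way posts #2 and #3 describe, idempotently and with
# the 700/600 permissions the original poster mentions. Paths and key
# material used with it are constructed; nothing here touches ~/.ssh
# unless you pass that directory explicitly.

# install_authorized_key PUBKEY_FILE SSH_DIR
#   Appends the single-line public key in PUBKEY_FILE to
#   SSH_DIR/authorized_keys if (and only if) that exact line is not
#   already present. Returns 0 when the key is installed, 1 on bad input.
install_authorized_key() {
    pubkey_file=$1
    ssh_dir=$2
    auth_file="$ssh_dir/authorized_keys"

    # A public key file is one line: "<type> <base64> [comment]".
    # Refuse multi-line blobs and anything that looks like a private key,
    # which is the mistake the original post made (copying id_rsa around).
    line_count=$(wc -l < "$pubkey_file" | tr -d ' ')
    if [ "$line_count" -gt 1 ] || grep -q 'PRIVATE KEY' "$pubkey_file"; then
        echo "refusing $pubkey_file: not a single-line public key" >&2
        return 1
    fi
    key_line=$(cat "$pubkey_file")
    case $key_line in
        ssh-rsa\ *|ssh-dss\ *|ssh-ed25519\ *|ecdsa-sha2-*) ;;   # common key types
        *) echo "refusing $pubkey_file: unknown key type" >&2; return 1 ;;
    esac

    # sshd (with StrictModes, the default) ignores a .ssh directory or
    # authorized_keys that is group- or world-writable, so set the modes
    # the thread recommends rather than trusting the umask.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth_file" && chmod 600 "$auth_file" || return 1

    # Idempotent append: compare the whole line, not just the comment.
    if ! grep -qxF "$key_line" "$auth_file"; then
        printf '%s\n' "$key_line" >> "$auth_file"
    fi
    return 0
}

# check_ssh_perms SSH_DIR
#   Returns 0 if SSH_DIR is mode 700 and SSH_DIR/authorized_keys is mode
#   600, which is what the original poster reports and what sshd expects.
check_ssh_perms() {
    ssh_dir=$1
    dir_mode=$(stat -c '%a' "$ssh_dir" 2>/dev/null || stat -f '%Lp' "$ssh_dir")
    file_mode=$(stat -c '%a' "$ssh_dir/authorized_keys" 2>/dev/null \
                || stat -f '%Lp' "$ssh_dir/authorized_keys")
    [ "$dir_mode" = "700" ] && [ "$file_mode" = "600" ]
}
```

Run it as `install_authorized_key nonaman.pub /root/.ssh` on the receiving machine after scp'ing only the .pub file over, then `check_ssh_perms /root/.ssh` to confirm the modes; running the install twice leaves a single copy of the key, so it is safe to re-run from a kickstart post-install script.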
 
Old 07-30-2008, 01:39 PM   #4
mfitzpat
LQ Newbie
 
Registered: Feb 2004
Location: Boston, MA
Distribution: Centos
Posts: 27

Original Poster
Rep: Reputation: 15
Thanks for the tips. I believe the issue is resolved. In my case I am building a cluster and you need the nodes to be able to connect with each other as root without passwds. The problem was not with the ssh keys on the local or remote host. The issue was sshing as root from the remote host (node1003) to the local host (nona-man). The local host did not permit root logins.

Solution for me was to edit /etc/ssh/sshd_config on the local host (nona-man) and set PermitRootLogin without-password. This allows root login, provided there is a key associated with the remote host.


Additional info


In building my cluster, I am using the application xcat. As part of the xcat configuration, all of the node (remote hosts) keys are generated and stored in a file located at /opt/xcat/etc/gkh (exported to all nodes). Then there is a line added to the /root/.ssh/config file to point to the GlobalKnownHosts file: /opt/xcat/etc/gkh. This config file is also copied to each node.

/root/.ssh/config

ForwardX11 yes
StrictHostKeyChecking no
FallBackToRsh no
Host bmc* host-A host-B node* nona-man userA userB nona-man 172.20.0.1
GlobalKnownHostsFile /opt/xcat/etc/gkh
BatchMode yes
ConnectionAttempts 5
UsePrivilegedPort no
Compression no
Cipher blowfish
UserKnownHostsFile /dev/null
CheckHostIP no
Protocol 2


So during the ssh session from the remote host (node1003) to the local host (nona-man), debug notes that it knows about my node and the keys.

debug3: check_host_in_hostfile: filename /dev/null
debug3: check_host_in_hostfile: filename /opt/xcat/etc/gkh
Warning: Permanently added 'nona-man' (RSA) to the list of known hosts.

And with the change to PermitRootLogin, the localhost can now allow the remote host root access.
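The resolution above is visible in the first post's transcript: the server says "Server accepts key" (so the key, authorized_keys and permissions were fine) and still ends in "Permission denied", while the server log says "ROOT LOGIN REFUSED". That pattern points at server-side policy (PermitRootLogin, AllowUsers/DenyUsers) rather than at the keys. The following added example, which is not code from the thread or from any poster, turns that reading into two checks: one over a saved ssh -vvv transcript, one over an sshd_config. The transcript lines and the config it is tested against are constructed for the demo, modelled on the thread.

```shell
# Added example (not from the thread): two small checks that would have
# pointed at the server-side cause the original poster eventually found.
# Sample transcripts and config files used with these are constructed.

# diagnose_pubkey_transcript FILE
#   Reads saved "ssh -vvv" output and prints a one-word verdict:
#     ok             authentication succeeded
#     server-policy  the server accepted the offered key (keys and
#                    permissions are fine) but still denied the login;
#                    look at PermitRootLogin / AllowUsers / DenyUsers on
#                    the server and at its auth log
#     key-rejected   a key was offered but never accepted; check
#                    authorized_keys and ~/.ssh permissions on the server
#     unknown        none of the above patterns found
diagnose_pubkey_transcript() {
    transcript=$1
    if grep -q 'Authentication succeeded' "$transcript"; then
        echo ok; return 0
    fi
    if grep -q 'Permission denied' "$transcript"; then
        if grep -q 'Server accepts key' "$transcript"; then
            echo server-policy
        elif grep -q 'Offering public key' "$transcript"; then
            echo key-rejected
        else
            echo unknown
        fi
        return 0
    fi
    echo unknown
}

# effective_permit_root_login FILE
#   Prints the PermitRootLogin value sshd will take from FILE, or "unset".
#   sshd uses the FIRST occurrence of a keyword, keywords are
#   case-insensitive, and lines after a "Match" block header are
#   conditional, so the scan stops there.
effective_permit_root_login() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/         { next }                 # comments and blanks
        tolower($1) == "match"           { exit }                 # conditional block begins
        tolower($1) == "permitrootlogin" { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}
```

Typical use is `ssh -vvv nona-man 2>transcript.log; diagnose_pubkey_transcript transcript.log` from the client and `effective_permit_root_login /etc/ssh/sshd_config` on the server; a verdict of server-policy together with a value of no (or an unset value on a server whose default refuses root) is exactly the situation this thread ended in.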
 
Old 09-03-2008, 11:36 PM   #5
mohdshakir
Member
 
Registered: Jan 2006
Distribution: gentoo, slackware
Posts: 36

Rep: Reputation: 15
I prefer to use the method described on the site below to create and transfer the key, which is by using ssh-copy-id
Configure passwordless ssh login

Last edited by mohdshakir; 07-06-2010 at 09:57 PM. Reason: Update URL
 