I am trying to set up passwordless authentication on one of my boxes in order to be able to use ssh commands in a script.
I have generated public/private RSA keys on the client machine (in the .ssh directory of the user I'm logged in as) and added the public key to the server machine's authorized_keys file (in the .ssh directory of the user I want to be able to ssh as).
I have set the rights on both .ssh directories, the key files and the authorized_keys files to 700.
On the server machine, in the /etc/ssh/sshd_config file, I have set the two following parameters:
Code:
RSAAuthentication yes
PubkeyAuthentication yes
When I try and ssh from the client machine, it still prompts me for password. The verbose output ends with the following:
Code:
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: My Key
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/me/.ssh/id_rsa
debug3: no such identity: /home/me/.ssh/id_rsa
debug1: Trying private key: /home/me/.ssh/id_dsa
debug3: no such identity: /home/me/.ssh/id_dsa
debug1: Trying private key: /home/me/.ssh/id_ecdsa
debug3: no such identity: /home/me/.ssh/id_ecdsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
Then it prompts me for a password.
I don't understand why the "My Key" "Offering" doesn't seem to succeed. Does anyone have any idea of what I am doing wrong?
Notes: I am using Linux Mint 15 on both machines. Password logging works as expected. SSH versions are as follows:
Code:
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.1p1 Debian-4
debug1: Local version string SSH-2.0-OpenSSH_6.1p1 Debian-4
Any help is greatly appreciated. Let me know if you need any additional information.
What is the name of your private key? ssh will not find it automatically. It either has to be loaded into the agent (no more than the 6th key on the list or you will fail the default server auth settings) or else pointed to manually. You point to a private key manually with -i
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/me/.ssh/id_rsa
debug3: no such identity: /home/me/.ssh/id_rsa
debug1: Trying private key: /home/me/.ssh/id_dsa
debug3: no such identity: /home/me/.ssh/id_dsa
debug1: Trying private key: /home/me/.ssh/id_ecdsa
debug3: no such identity: /home/me/.ssh/id_ecdsa
debug2: we did not send a packet, disable method
Looks like you have not generated and exchanged keys yet. Please do so according to well-known practice.
I can cat the authorized_keys file on the server and the ssh-rsa entry is in there. The only difference is I have not named the key files id_rsa and id_rsa.pub because I need to be able to use different keys in order to connect to different servers. My files are named ~me/.ssh/my_key and ~me/.ssh/my_key.pub. I have tried specifying my private key file as an "IdentityFile" entry in /etc/ssh/ssh_config on the client machine to no avail. I also tried specifying it with the -i option with the same result. When I specify the file, the output is different though:
Code:
debug2: key: /home/me/.ssh/my_key (0x7f65d5317cd0)
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/me/.ssh/my_key
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
The /var/log/auth.log file only contains this single entry for a failed login attempt:
Code:
Nov 3 12:57:29 slg-NAS sshd[2478]: Connection closed by 192.168.0.1 [preauth]
Then, the content of ~me/.ssh/my_key.pub should be pasted into authorized_keys on the server side.
The correct command should be:
Code:
$ ssh -i ~me/.ssh/my_key remoteuser@server
The second well-known problem is wrong permissions on the destination home directory.
It should not be group- or other-writable. The .ssh directory should be 700,
authorized_keys should be 644.
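The permission rule from the post above as a runnable server-side check (an added example, not part of the thread). The function names `check_path` and `audit_pubkey_path`, the numeric-uid argument and the throwaway directory in the demo are constructed for illustration; the ownership test goes beyond what the post states and reflects what sshd's StrictModes also looks at.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# check_path TARGET UID: report if TARGET is missing, not owned by UID or
# root, or writable by group/other. Returns 1 if any problem was found.
check_path() {
    target=$1 want_uid=$2 bad=0
    if [ ! -e "$target" ]; then
        echo "MISSING  $target"
        return 1
    fi
    # ls -ldn prints the mode string in field 1 and the numeric owner in field 3.
    info=$(ls -ldn -- "$target" | awk '{print $1 " " $3}')
    mode=${info% *} owner=${info#* }
    if [ "$owner" != "$want_uid" ] && [ "$owner" != 0 ]; then
        echo "OWNER    $target is owned by uid $owner, expected $want_uid or 0"
        bad=1
    fi
    # Characters 6 and 9 of the mode string are the group and other write bits.
    if [ "$(printf %s "$mode" | cut -c6)" = w ] ||
       [ "$(printf %s "$mode" | cut -c9)" = w ]; then
        echo "WRITABLE $target ($mode) is group- or other-writable"
        bad=1
    fi
    return "$bad"
}

# audit_pubkey_path HOME UID: walk HOME, HOME/.ssh and authorized_keys.
# Returns the number of paths with a problem (0 means all three pass).
audit_pubkey_path() {
    home=$1 uid=$2 problems=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        check_path "$p" "$uid" || problems=$((problems + 1))
    done
    [ "$problems" -eq 0 ] && echo "OK       $home passes all checks"
    return "$problems"
}

# Constructed demo: a throwaway "home" with the modes given in the post,
# then the same tree with the home directory made group-writable.
demo() {
    d=$(mktemp -d) && mkdir "$d/.ssh" && : > "$d/.ssh/authorized_keys"
    chmod 700 "$d" "$d/.ssh" && chmod 644 "$d/.ssh/authorized_keys"
    audit_pubkey_path "$d" "$(id -u)" || true
    chmod g+w "$d"
    audit_pubkey_path "$d" "$(id -u)" || true
    rm -rf "$d"
}
demo
```

On a real server, run it as root against the account's home directory and numeric uid so that a path the target user cannot reach is reported as such rather than hidden by your own permissions.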
Apparently, the server can't find the authorized_keys file:
Code:
debug1: userauth-request for user me service ssh-connection method publickey [preauth]
debug1: attempt 1 failures 0 [preauth]
debug1: test whether pkalg/pkblob are acceptable [preauth]
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: temporarily_use_uid: 1000/1000 (e=0/0)
debug1: trying public key file /home/me/.ssh/authorized_keys
debug1: Could not open authorized keys '/home/me/.ssh/authorized_keys': No such file or directory
Rights:
Code:
drwxr-xr-x 5 root root 4096 juil. 21 22:26 /home
drwx------ 23 me me 4096 nov. 4 00:43 /home/me/
drwx------ 2 me me 4096 nov. 2 23:22 /home/me/.ssh/
-rw-r--r-- 1 me me 389 nov. 2 23:37 /home/me/.ssh/authorized_keys
debug1: Could not open authorized keys '/home/me/.ssh/authorized_keys': No such file or directory
Are you sure that /home/me/.ssh/authorized_keys exists on the server side?
As I see, user "me" has UID/GID 1000/1000:
Quote:
debug1: temporarily_use_uid: 1000/1000 (e=0/0)
If you log in as "me" on the server, could you do "cat /home/me/.ssh/authorized_keys"?
If you still have no solution, it is probably an SELinux problem.
Please set it to PERMISSIVE and check what happens in /var/log/messages.
This is weird. This morning when I restarted both machines (after I had switched them off for the night), it started working without changing anything. I guess some services had to be restarted for some of the changes to take effect... I had already tried to restart sshd on the server, though.