LinuxQuestions.org

puk007 11-06-2010 12:18 AM

ssh and Miscl server related issues
 
Hi There

I have a server running on Ubuntu and I am having 2 problems:

1) SSH-KEYGEN related: I have several computers and I ssh into each, so I initially set up keyless connection via the following commands (more or less):


ssh-keygen -t rsa
scp id_rsa.pub user@host:


#remote computer
touch .ssh/authorized_keys
chmod 600 .ssh/authorized_keys
cat id_rsa.pub >>.ssh/authorized_keys

Everything works fine at first when, for example, connecting computer A to computer B. And it still works when connecting computer B to computer A. But when I introduce computer C, all of a sudden computer B gets fussy and no longer does keyless connections. Or if I have multiple users on computer A, let's call them A1-A9, then only A1 accepts keyless connections.

My question is this: what is the rationale behind allowing keyless connection for some, but not all computers and/or users?

2) Tab related: when I create additional users, I can no longer use <tab> to complete a file or command name. It's like when one is in sftp, and the tab button actually inserts a full tab. Why does this occur?

Any help would be appreciated.

feinbein 11-07-2010 02:51 AM

Quote:

Originally Posted by puk007 (Post 4150828)

Everything works fine at first when, for example, connecting computer A to computer B. And it still works when connecting computer B to computer A. But when I introduce computer C, all of a sudden computer B gets fussy and no longer does keyless connections. Or if I have multiple users on computer A, let's call them A1-A9, then only A1 accepts keyless connections.

My question is this: what is the rationale behind allowing keyless connection for some, but not all computers and/or users?

You have to execute the sequence of commands you mentioned for all users from all computers you want to log in from. Your authorized_keys on computer A might look like this, for example:
Code:

ssh-rsa uhsdrhtishiurth....z87e4z568v87z USERA1@computerB
ssh-rsa w6t576t45t36356....62353t576t34t USERA1@computerC
ssh-rsa uhsdrhtishiurth....z87e4z568v87z USERA2@computerB
ssh-rsa vt583t45t854875....658735zt38z87 USERA2@computerC
.
.
.

Hope this explains it for you.

feinbein 11-07-2010 02:59 AM

As far as your second question is concerned:
  • only ask one question per thread
  • the other users might have a different shell assigned, some shells like /bin/sh don't have completion

puk007 11-07-2010 11:07 PM

Quote:

Originally Posted by feinbein (Post 4151680)
You have to execute the sequence of commands you mentioned for all users from all computers you want to log in from. Your authorized_keys on computer A might look like this, for example:
Code:

ssh-rsa uhsdrhtishiurth....z87e4z568v87z USERA1@computerB
ssh-rsa w6t576t45t36356....62353t576t34t USERA1@computerC
ssh-rsa uhsdrhtishiurth....z87e4z568v87z USERA2@computerB
ssh-rsa vt583t45t854875....658735zt38z87 USERA2@computerC
.
.
.

Hope this explains it for you.

Hi. Well, I am familiar with ssh-rsa, but I assume you mean the ssh-keygen -t rsa commands. The problem isn't that I'm doing it wrong, it's that after a while it stops working. So I can set it up such that I can log in to A from B w/o a password, but after I set it up such that I can log in to A from C, I can no longer log into A from B.

chrism01 11-08-2010 12:00 AM

Can you post your sshd cfg and the relevant line(s) of /var/log/message or /var/log/secure or /var/log/audit.
One of those should log an error msg when you try to get in & can't.
Also, try adding 1, 2 or 3 -v to the ssh cmd, e.g.

ssh -v user@target

feinbein 11-08-2010 10:15 AM

You only execute
Code:

ssh-keygen -t rsa
once per user and computer.
E.g. once passwordless login is set up from compA to compB, you only copy the key from compA to compC without generating it again.
Code:

scp id_rsa.pub user@host:
#remote computer
touch .ssh/authorized_keys
chmod 600 .ssh/authorized_keys
cat id_rsa.pub >>.ssh/authorized_keys

----
It doesn't stop working from A to B 'after a while' but exactly when you re-generate id_rsa.pub.

Sorry, I was a little imprecise in my first post.
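
The point in the post above, that an authorized_keys entry only matches the exact key it was copied from, can be checked directly on the server. The script below is an added example, not code from the thread: the function names are hypothetical, the key blobs are constructed placeholders, and the permission check covers the group/world-writable condition that sshd enforces under StrictModes.

```shell
#!/bin/sh
# Print the base64 key blob of each key line in a .pub or authorized_keys file.
# Comment lines are skipped; leading options (from="...", command="...") are
# stepped over by locating the key-type field, and the blob is the next field.
key_blob() {
    awk '/^[ \t]*#/ { next }
         { for (i = 1; i < NF; i++)
             if ($i ~ /^(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp(256|384|521))$/) {
                 print $(i + 1); next } }' "$1"
}

# usage: authorized_has_key AUTH_FILE PUB_FILE -> 0 if the key is listed
authorized_has_key() {
    blob=$(key_blob "$2" | head -n 1)
    [ -n "$blob" ] && key_blob "$1" | grep -Fqx -- "$blob"
}

# 0 if the path is group- or world-writable, which sshd refuses under StrictModes
too_open() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]
}

# usage: diagnose HOME_DIR PUB_FILE -> prints every problem, 0 if none
diagnose() {
    rc=0
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        if too_open "$p"; then echo "too permissive: $p"; rc=1; fi
    done
    if ! authorized_has_key "$1/.ssh/authorized_keys" "$2"; then
        echo "key in $2 is not in authorized_keys"; rc=1
    fi
    return $rc
}

# Constructed demo: the blobs are placeholders, not real keys.
demo() {
    d=$(mktemp -d); mkdir -p "$d/home/.ssh"
    chmod 755 "$d/home"; chmod 700 "$d/home/.ssh"
    printf '%s\n' 'ssh-rsa AAAAconstructedOLD USERA1@computerB' \
        'from="computerC" ssh-rsa AAAAconstructedC USERA1@computerC' \
        > "$d/home/.ssh/authorized_keys"
    chmod 600 "$d/home/.ssh/authorized_keys"
    echo 'ssh-rsa AAAAconstructedOLD USERA1@computerB' > "$d/old.pub"  # the key that was copied
    echo 'ssh-rsa AAAAconstructedNEW USERA1@computerB' > "$d/new.pub"  # after re-running ssh-keygen
    diagnose "$d/home" "$d/old.pub" && echo "old key: would be accepted"
    diagnose "$d/home" "$d/new.pub" || echo "new key: refused"
    rm -rf "$d"
}
demo
```

On a real server, `diagnose` takes the target user's home directory and a copy of the client's `id_rsa.pub`.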

puk007 11-08-2010 11:27 PM

Quote:

Originally Posted by chrism01 (Post 4152332)
Can you post your sshd cfg and the relevant line(s) of /var/log/message or /var/log/secure or /var/log/audit.
One of those should log an error msg when you try to get in & can't.
Also, try adding 1, 2 or 3 -v to the ssh cmd, e.g.

ssh -v user@target

Hi Chris, before we go any further, I should mention that I have no problem sftping from computer A to computer B w/o a password, I just can't ssh from A to B w/o the password. To complicate matters, I sometimes CAN sftp without password. For example, if I have already made an ssh connection, opening another terminal and running ssh or sftp will no longer need password entry. I don't think this is normal behaviour.

Here is the sshd config file:

Code:

# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile        %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

Here is the `ssh -v user@B` command as executed on computer A:

Code:

OpenSSH_5.2p1, OpenSSL 0.9.8l 5 Nov 2009
debug1: Reading configuration data /etc/ssh_config
debug1: Connecting to B [B] port 22.
debug1: Connection established.
debug1: identity file /Users/username/.ssh/identity type -1
debug1: identity file /Users/username/.ssh/id_rsa type 1
debug1: identity file /Users/username/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5p1 Debian-4ubuntu4
debug1: match: OpenSSH_5.5p1 Debian-4ubuntu4 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'B' is known and matches the RSA host key.
debug1: Found key in /Users/username/.ssh/known_hosts:3
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /Users/username/.ssh/identity
debug1: Offering public key: /Users/username/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /Users/username/.ssh/id_dsa
debug1: Next authentication method: password

I'll post the /var/log/secure file below
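
An added example (not part of the thread) that reads the publickey phase of an `ssh -v` client trace like the one above and reports which side to look at. The function names and verdict strings are hypothetical; the sample input is the authentication lines of the posted trace.

```shell
#!/bin/sh
# Reads an `ssh -v` client trace on stdin and prints one verdict:
#   publickey-ok          the server authenticated the key
#   accepted-then-failed  the server accepted the offered key but login did not
#                         complete: look at the client's private key,
#                         passphrase or agent
#   server-rejected-key   a key was offered and the server moved on without
#                         accepting it: look at authorized_keys and file
#                         permissions on the server
#   no-key-offered        the client had no usable identity to offer
ssh_v_verdict() {
    awk '
        /^debug1: Offering .*public key/                  { offered = 1 }
        /^debug1: Server accepts key/                     { accepted = 1 }
        /^debug1: Authentication succeeded \(publickey\)/ { ok = 1 }
        END {
            if (ok)            print "publickey-ok"
            else if (accepted) print "accepted-then-failed"
            else if (offered)  print "server-rejected-key"
            else               print "no-key-offered"
        }'
}

# The authentication lines of the trace posted above.
posted_trace() {
    cat <<'EOF'
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /Users/username/.ssh/identity
debug1: Offering public key: /Users/username/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /Users/username/.ssh/id_dsa
debug1: Next authentication method: password
EOF
}

posted_trace | ssh_v_verdict
```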

puk007 11-08-2010 11:28 PM

I don't have a /var/log/message or /var/log/audit file, so I just included the /var/log/secure file. Also, it was too long, so I had to only post the last few lines:


puk007 11-08-2010 11:34 PM

Quote:

Originally Posted by feinbein (Post 4152764)
You only execute
Code:

ssh-keygen -t rsa
once per user and computer.
E.g. once passwordless login is set up from compA to compB, you only copy the key from compA to compC without generating it again.
Code:

scp id_rsa.pub user@host:
#remote computer
touch .ssh/authorized_keys
chmod 600 .ssh/authorized_keys
cat id_rsa.pub >>.ssh/authorized_keys

----
It doesn't stop working from A to B 'after a while' but exactly when you re-generate id_rsa.pub.

Sorry, I was a little imprecise in my first post.

Hi Feinbein. That's not an issue here. I generated public keys once for each computer, not once for each connection amongst the computers.

puk007 12-02-2010 10:44 AM

I found a solution to this problem here:
https://bugs.launchpad.net/ubuntu/+s...ng/+bug/201786

I still don't know what the problem is, but it can be fixed by issuing the following command:

ssh-add


All times are GMT -5.