Old 11-06-2010, 12:18 AM   #1
puk007
LQ Newbie
 
Registered: Jan 2010
Posts: 7

Rep: Reputation: 0
ssh and Miscl server related issues


Hi There

I have a server running on Ubuntu and I am having 2 problems:

1) SSH-KEYGEN related: I have several computers and I ssh into each, so I initially set up keyless connection via the following commands (more or less)


ssh-keygen -t rsa
scp id_rsa.pub user@host:


#remote computer
touch .ssh/authorized_keys
chmod 600 .ssh/authorized_keys
cat id_rsa.pub >>.ssh/authorized_keys

Everything works fine at first when, for example, connecting computer A to computer B. And it still works when connecting computer B to computer A. But when I introduce computer C, all of a sudden computer B gets fussy and no longer does keyless connections. Or if I have multiple users on computer A, let's call them A1-A9, then only A1 accepts keyless connections.

My question is this: what is the rationale behind allowing keyless connection for some, but not all computers and/or users?

2) Tab related: when I create additional users, I can no longer use <tab> to complete a file or command name. It's like when one is in sftp, and the tab button actually inserts a full tab. Why does this occur?

Any help would be appreciated
 
Old 11-07-2010, 02:51 AM   #2
feinbein
Member
 
Registered: Jan 2010
Location: Norway
Posts: 76

Rep: Reputation: 12
Quote:
Originally Posted by puk007 View Post

Everything works fine at first when, for example, connecting computer A to computer B. And it still works when connecting computer B to computer A. But when I introduce computer C, all of a sudden computer B gets fussy and no longer does keyless connections. Or if I have multiple users on computer A, let's call them A1-A9, then only A1 accepts keyless connections.

My question is this: what is the rationale behind allowing keyless connection for some, but not all computers and/or users?
You have to execute the sequence of commands you mentioned for all users from all computers you want to log in from. Your authorized_keys on computer A might look like this, for example:
Code:
ssh-rsa uhsdrhtishiurth....z87e4z568v87z USERA1@computerB
ssh-rsa w6t576t45t36356....62353t576t34t USERA1@computerC
ssh-rsa uhsdrhtishiurth....z87e4z568v87z USERA2@computerB
ssh-rsa vt583t45t854875....658735zt38z87 USERA2@computerC
.
.
.
Hope this explains it for you.

Last edited by feinbein; 11-07-2010 at 02:56 AM.
 
Old 11-07-2010, 02:59 AM   #3
feinbein
Member
 
Registered: Jan 2010
Location: Norway
Posts: 76

Rep: Reputation: 12
As far as your second question is concerned:
  • only ask one question per thread
  • the other users might have a different shell assigned, some shells like /bin/sh don't have completion
 
Old 11-07-2010, 11:07 PM   #4
puk007
LQ Newbie
 
Registered: Jan 2010
Posts: 7

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by feinbein View Post
You have to execute the sequence of commands you mentioned for all users from all computers you want to log in from. Your authorized_keys on computer A might look like this, for example:
Code:
ssh-rsa uhsdrhtishiurth....z87e4z568v87z USERA1@computerB
ssh-rsa w6t576t45t36356....62353t576t34t USERA1@computerC
ssh-rsa uhsdrhtishiurth....z87e4z568v87z USERA2@computerB
ssh-rsa vt583t45t854875....658735zt38z87 USERA2@computerC
.
.
.
Hope this explains it for you.
Hi. Well, I am familiar with ssh-rsa, but I assume u mean the ssh-keygen -t rsa commands. The problem isn't that I'm doing it wrong, it's that after a while it stops working. So I can set it up such that I can login to A from B w/o a password, but after I set it up such that I can login to A from C, I can no longer log into A from B.
 
Old 11-08-2010, 12:00 AM   #5
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,287

Rep: Reputation: 2034
Can you post your sshd cfg and the relevant line(s) of /var/log/message or /var/log/secure or /var/log/audit.
One of those should log an error msg when you try to get in & can't.
Also, try adding 1, 2 or 3 -v to the ssh cmd eg

ssh -v user@target

Last edited by chrism01; 11-08-2010 at 12:01 AM.
 
Old 11-08-2010, 10:15 AM   #6
feinbein
Member
 
Registered: Jan 2010
Location: Norway
Posts: 76

Rep: Reputation: 12
You only execute
Code:
ssh-keygen -t rsa
once per user and computer.
E.g. once passwordless login is set up from compA to compB, you only copy the key from compA to compC without generating it again.
Code:
scp id_rsa.pub user@host:
#remote computer
touch .ssh/authorized_keys
chmod 600 .ssh/authorized_keys
cat id_rsa.pub >>.ssh/authorized_keys
----
It doesn't stop working from A to B 'after a while' but exactly when you re-generate id_rsa.pub.

Sorry, I was a little imprecise in my first post.
 
Old 11-08-2010, 11:27 PM   #7
puk007
LQ Newbie
 
Registered: Jan 2010
Posts: 7

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by chrism01 View Post
Can you post your sshd cfg and the relevant line(s) of /var/log/message or /var/log/secure or /var/log/audit.
One of those should log an error msg when you try to get in & can't.
Also, try adding 1, 2 or 3 -v to the ssh cmd eg

ssh -v user@target
Hi Chris, before we go any further, I should mention that I have no problem sftping from computer A to computer B w/o a password, I just can't ssh from A to B w/o the password. To complicate matters, I sometimes CAN sftp without password. For example, if I have already made an ssh connection, opening another terminal and running ssh or sftp will no longer need password entry. I don't think this is normal behaviour.

Here is the sshd config file:

Code:
# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile	%h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
Here is the `ssh -v user@B` command as executed on computer A:

Code:
OpenSSH_5.2p1, OpenSSL 0.9.8l 5 Nov 2009
debug1: Reading configuration data /etc/ssh_config
debug1: Connecting to B [B] port 22.
debug1: Connection established.
debug1: identity file /Users/username/.ssh/identity type -1
debug1: identity file /Users/username/.ssh/id_rsa type 1
debug1: identity file /Users/username/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5p1 Debian-4ubuntu4
debug1: match: OpenSSH_5.5p1 Debian-4ubuntu4 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'B' is known and matches the RSA host key.
debug1: Found key in /Users/username/.ssh/known_hosts:3
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /Users/username/.ssh/identity
debug1: Offering public key: /Users/username/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /Users/username/.ssh/id_dsa
debug1: Next authentication method: password
I'll post the /var/log/secure file below
 
Old 11-08-2010, 11:28 PM   #8
puk007
LQ Newbie
 
Registered: Jan 2010
Posts: 7

Original Poster
Rep: Reputation: 0
I don't have a /var/log/message or /var/log/audit file, so I just included the /var/log/secure file. Also, it was too long, so I had to only post the last few lines:

Code:
Nov  5 00:12:06 MacbookPro com.apple.SecurityServer[23]: Succeeded authorizing right 'system.burn' by client '/Applications/Utilities/Disk Utility.app' for authorization created by '/Applications/Utilities/Disk Utility.app'
Nov  5 00:24:41 MacbookPro com.apple.SecurityServer[23]: Succeeded authorizing right 'system.burn' by client '/Applications/Utilities/Disk Utility.app' for authorization created by '/Applications/Utilities/Disk Utility.app'
Nov  5 01:26:53 localhost com.apple.SecurityServer[25]: Session 0x5fbff962 created
Nov  5 01:26:53 localhost com.apple.SecurityServer[25]: Entering service
Nov  5 01:27:00 MacbookPro com.apple.SecurityServer[25]: Succeeded authorizing right 'config.modify.com.apple.CoreRAID.admin' by client '/System/Library/PrivateFrameworks/CoreRAID.framework/Versions/A/Resources/CoreRAIDServer' for authorization created by '/System/Library/PrivateFrameworks/CoreRAID.framework/Versions/A/Resources/CoreRAIDServer'
Nov  5 01:27:06 MacbookPro com.apple.SecurityServer[25]: Session 0x306cbf created
Nov  5 01:27:06 MacbookPro com.apple.SecurityServer[25]: Session 0x306cbf attributes 0x30
Nov  5 01:27:07 MacbookPro loginwindow[43]: Login Window Started Security Agent
Nov  5 01:27:07 MacbookPro SecurityAgent[107]: Showing Login Window
Nov  5 01:27:16 MacbookPro SecurityAgent[107]: User info context values set for peymanaskari
Nov  5 01:27:16 MacbookPro authorizationhost[106]: Failed to authenticate user <peymanaskari> (tDirStatus: -14090).
Nov  5 01:27:19 MacbookPro SecurityAgent[107]: User info context values set for peymanaskari
Nov  5 01:27:20 MacbookPro SecurityAgent[107]: Login Window Showing Progress
Nov  5 01:27:20 MacbookPro SecurityAgent[107]: Login Window done
Nov  5 01:27:20 MacbookPro com.apple.SecurityServer[25]: Succeeded authorizing right 'system.login.console' by client '/System/Library/CoreServices/loginwindow.app' for authorization created by '/System/Library/CoreServices/loginwindow.app'
Nov  5 01:27:20 MacbookPro loginwindow[43]: Login Window - Returned from Security Agent
Nov  5 01:27:20 MacbookPro com.apple.SecurityServer[25]: Succeeded authorizing right 'system.login.done' by client '/System/Library/CoreServices/loginwindow.app' for authorization created by '/System/Library/CoreServices/loginwindow.app'
Nov  5 01:27:30 MacbookPro /System/Library/CoreServices/CCacheServer.app/Contents/MacOS/CCacheServer[147]: Starting up.
Nov  5 01:37:30 MacbookPro /System/Library/CoreServices/CCacheServer.app/Contents/MacOS/CCacheServer[147]: No valid tickets, timing out
Nov  5 12:28:30 localhost com.apple.SecurityServer[25]: Session 0x5fbff962 created
Nov  5 12:28:30 localhost com.apple.SecurityServer[25]: Entering service
Nov  5 12:28:37 MacbookPro com.apple.SecurityServer[25]: Succeeded authorizing right 'config.modify.com.apple.CoreRAID.admin' by client '/System/Library/PrivateFrameworks/CoreRAID.framework/Versions/A/Resources/CoreRAIDServer' for authorization created by '/System/Library/PrivateFrameworks/CoreRAID.framework/Versions/A/Resources/CoreRAIDServer'
Nov  5 12:28:40 MacbookPro com.apple.SecurityServer[25]: Session 0x40e3de created
Nov  5 12:28:40 MacbookPro com.apple.SecurityServer[25]: Session 0x40e3de attributes 0x30
Nov  5 12:28:40 MacbookPro loginwindow[43]: Login Window Started Security Agent
Nov  5 12:28:41 MacbookPro SecurityAgent[94]: Showing Login Window
Nov  5 12:28:54 MacbookPro SecurityAgent[94]: User info context values set for peymanaskari
Nov  5 12:28:54 MacbookPro authorizationhost[92]: Failed to authenticate user <peymanaskari> (tDirStatus: -14090).
Nov  5 12:28:57 MacbookPro SecurityAgent[94]: User info context values set for peymanaskari
Nov  5 12:28:58 MacbookPro SecurityAgent[94]: Login Window Showing Progress
Nov  5 12:28:58 MacbookPro SecurityAgent[94]: Login Window done
Nov  5 12:28:58 MacbookPro com.apple.SecurityServer[25]: Succeeded authorizing right 'system.login.console' by client '/System/Library/CoreServices/loginwindow.app' for authorization created by '/System/Library/CoreServices/loginwindow.app'
Nov  5 12:28:58 MacbookPro loginwindow[43]: Login Window - Returned from Security Agent
Nov  5 12:28:58 MacbookPro com.apple.SecurityServer[25]: Succeeded authorizing right 'system.login.done' by client '/System/Library/CoreServices/loginwindow.app' for authorization created by '/System/Library/CoreServices/loginwindow.app'
Nov  5 12:28:59 MacbookPro /System/Library/CoreServices/CCacheServer.app/Contents/MacOS/CCacheServer[140]: Starting up.
Nov  5 12:38:59 MacbookPro /System/Library/CoreServices/CCacheServer.app/Contents/MacOS/CCacheServer[140]: No valid tickets, timing out
Nov  6 18:59:11 MacbookPro com.apple.SecurityServer[25]: Succeeded authorizing right 'system.preferences' by client '/Applications/System Preferences.app' for authorization created by '/Applications/System Preferences.app'
Nov  6 18:59:11 MacbookPro com.apple.SecurityServer[25]: Succeeded authorizing right 'system.print.admin' by client '/Applications/System Preferences.app' for authorization created by '/Applications/System Preferences.app'
Nov  6 18:59:12 MacbookPro com.apple.SecurityServer[25]: Succeeded authorizing right 'system.preferences' by client '/System/Library/PrivateFrameworks/Admin.framework/Versions/A/Resources/writeconfig' for authorization created by '/Applications/System Preferences.app'
 
Old 11-08-2010, 11:34 PM   #9
puk007
LQ Newbie
 
Registered: Jan 2010
Posts: 7

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by feinbein View Post
You only execute
Code:
ssh-keygen -t rsa
once per user and computer.
E.g. once passwordless login is set up from compA to compB, you only copy the key from compA to compC without generating it again.
Code:
scp id_rsa.pub user@host:
#remote computer
touch .ssh/authorized_keys
chmod 600 .ssh/authorized_keys
cat id_rsa.pub >>.ssh/authorized_keys
----
It doesn't stop working from A to B 'after a while' but exactly when you re-generate id_rsa.pub.

Sorry, I was a little imprecise in my first post.
Hi Feinbein. That's not an issue here. I generated public keys once for each computer, not once for each connection amongst the computers.
 
Old 12-02-2010, 10:44 AM   #10
puk007
LQ Newbie
 
Registered: Jan 2010
Posts: 7

Original Poster
Rep: Reputation: 0
I found a solution to this problem here:
https://bugs.launchpad.net/ubuntu/+s...ng/+bug/201786

I still don't know what the problem is, but it can be fixed by issuing the following command

ssh-add
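
Added example, not written by any poster in this thread: a small shell helper that reads `ssh -v` output like the trace in post #7 and reports where public-key authentication stopped, which separates a server-side rejection (key not in `authorized_keys`, or a `StrictModes` permission failure) from a client-side agent failure of the kind `ssh-add` addresses. The function names are hypothetical, the message strings assume an OpenSSH 5.x client as in the thread, and the second sample is constructed.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Classifies public-key auth
# from OpenSSH 5.x-style `ssh -v` text read on stdin. Verdicts:
#   success              publickey auth completed
#   server_rejected K..  sshd refused every offered key: check that this exact
#                        key is in the target user's authorized_keys and that
#                        StrictModes permission checks pass (server auth log)
#   agent_sign_failed K  sshd accepted K but the local agent could not sign;
#                        client-side, reload the key with ssh-add
#   accepted_then_failed K  sshd accepted K, signing step did not complete
#   no_key_offered       client had no usable identity to offer
classify_ssh_debug() {
    awk '
    /Offering .*public key: / {
        k = $0; sub(/.*public key: /, "", k); split(k, p, " ")
        key = p[1]; offered = offered " " key
    }
    /Server accepts key/             { accepted = key }
    /Agent admitted failure to sign/ { agent_fail = key }
    /Authentication succeeded [(]publickey[)]/ { ok = 1 }
    END {
        if (ok)                    print "success"
        else if (agent_fail != "") print "agent_sign_failed " agent_fail
        else if (accepted != "")   print "accepted_then_failed " accepted
        else if (offered != "")    print "server_rejected" offered
        else                       print "no_key_offered"
    }'
}

# Lines copied from the trace in post #7.
sample_rejected() { cat <<'EOF'
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /Users/username/.ssh/identity
debug1: Offering public key: /Users/username/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /Users/username/.ssh/id_dsa
debug1: Next authentication method: password
EOF
}

# Constructed sample (not from the thread): key accepted, agent cannot sign.
sample_agent() { cat <<'EOF'
debug1: Next authentication method: publickey
debug1: Offering public key: /home/user/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 277
Agent admitted failure to sign using the key.
debug1: Next authentication method: password
EOF
}

sample_rejected | classify_ssh_debug
sample_agent | classify_ssh_debug
```

To use it on a live attempt, pipe the client's debug stream in: `ssh -v user@target true 2>&1 | classify_ssh_debug`.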
 
  

