LinuxQuestions.org
Old 08-17-2009, 10:11 AM   #1
kregec05
LQ Newbie
 
Registered: Aug 2009
Posts: 8

Rep: Reputation: 0
SSH: Automated Login via public key not working


Hello!

So here's the goal I want to reach:

Run a script on ServerA which uses an SSH connection to ServerB to execute a few commands on ServerB.

As ServerB only allows login with username+password, the whole thing gets more complex.
SSH provides key authentication enabling passwordless login, as you probably know.

So, as stated in many tutorials, I did the following:

Code:
ssh-keygen -t dsa
ssh-copy-id -i .ssh/id_dsa.pub osr@10.17.120.207
Trying to connect with

ssh osr@10.17.120.207

should now be passwordless, but I'm somehow still getting the prompt for the password...

Here's the output from ssh -vvv osr@10.17.120.207:

Code:
OpenSSH_4.1p1, OpenSSL 0.9.7d 17 Mar 2004
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 10.17.120.207 [10.17.120.207] port 22.
debug1: Connection established.
debug1: identity file /users/osr/.ssh/identity type -1
debug1: identity file /users/osr/.ssh/id_rsa type -1
debug3: Not a RSA1 key file /users/osr/.ssh/id_dsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /users/osr/.ssh/id_dsa type 2
debug1: Remote protocol version 1.99, remote software version OpenSSH_4.1
debug1: match: OpenSSH_4.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.1
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 132/256
debug2: bits set: 515/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /users/osr/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug1: Host '10.17.120.207' is known and matches the RSA host key.
debug1: Found key in /users/osr/.ssh/known_hosts:1
debug2: bits set: 490/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /users/osr/.ssh/identity ((nil))
debug2: key: /users/osr/.ssh/id_rsa ((nil))
debug2: key: /users/osr/.ssh/id_dsa (0x55e150)
debug1: Authentications that can continue: publickey,keyboard-interactive
debug3: start over, passed a different list publickey,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /users/osr/.ssh/identity
debug3: no such identity: /users/osr/.ssh/identity
debug1: Trying private key: /users/osr/.ssh/id_rsa
debug3: no such identity: /users/osr/.ssh/id_rsa
debug1: Offering public key: /users/osr/.ssh/id_dsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,keyboard-interactive
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:

The following lines are probably the interesting ones:

Code:
debug3: Not a RSA1 key file /users/osr/.ssh/id_dsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
I have no idea how to solve this issue...
I hope you know the solution to this problem.
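Reading a transcript like the one above is the first diagnostic step. As an added example that is not part of the original post, this shell function classifies an ssh -vvv log by how far public-key authentication got: whether the server advertised publickey at all, whether the client offered a key, and whether the server accepted it. The matched strings are OpenSSH client debug messages; the embedded excerpt is constructed from the log in this post.

```shell
#!/bin/sh
# Added example for this thread (not code from the original post): classify an
# `ssh -vvv` transcript by how far public-key authentication got. The matched
# strings are OpenSSH client debug messages; the excerpt below is constructed
# from the log in this post.

# Prints one of: server-no-pubkey, key-accepted, key-rejected, no-identity, unknown
classify_ssh_debug() {
    log="$1"
    # First method list the server sent. Without "publickey" in it, sshd has
    # PubkeyAuthentication disabled and nothing on the client side will help.
    methods=$(grep 'Authentications that can continue:' "$log" | head -n 1 | sed 's/.*: //')
    if [ -z "$methods" ]; then
        echo "unknown"
        return 0
    fi
    case ",$methods," in
        *,publickey,*) ;;
        *) echo "server-no-pubkey"; return 0 ;;
    esac
    # The client logs this line only when the server accepted the offered key.
    if grep -q '^debug1: Server accepts key:' "$log"; then
        echo "key-accepted"
    elif grep -q '^debug1: Offering public key:' "$log"; then
        # Key offered, then the method list came back again: sshd rejected it
        # silently, so look at the server side (authorized_keys, StrictModes
        # permissions on ~ and ~/.ssh, /var/log/secure), not at the client.
        echo "key-rejected"
    elif grep -q '^debug3: no such identity' "$log"; then
        echo "no-identity"        # no usable key file on the client
    else
        echo "unknown"
    fi
}

# Constructed excerpt of the transcript in this post, for a stand-alone run.
sample_log=$(mktemp)
cat >"$sample_log" <<'EOF'
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Trying private key: /users/osr/.ssh/identity
debug3: no such identity: /users/osr/.ssh/identity
debug1: Offering public key: /users/osr/.ssh/id_dsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,keyboard-interactive
debug2: we did not send a packet, disable method
EOF
classify_ssh_debug "$sample_log"    # key-rejected
```

For this thread's log the result is key-rejected, which points at the server side rather than the client key files.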
 
Old 08-17-2009, 10:20 AM   #2
centosboy
Senior Member
 
Registered: May 2009
Location: london
Distribution: centos5
Posts: 1,137

Rep: Reputation: 116
Normally, the default is

Code:
#AuthorizedKeysFile     .ssh/authorized_keys
so please check this first.
If yes, then append your public key to a file called authorized_keys.
Check the secure log too.

ssh directory perms 700
authorized_keys file 400, or 600 if being written to
id_dsa 400

Last edited by centosboy; 08-17-2009 at 10:23 AM.
 
Old 08-17-2009, 10:33 AM   #3
kregec05
LQ Newbie
 
Registered: Aug 2009
Posts: 8

Original Poster
Rep: Reputation: 0
Thanks for the quick answer.

The authorized_keys file on ServerB has the entry for user@ServerA.
Changed permissions as stated...
Still prompting for password...

How can I check the secure log?
Do I have to add your code line to ssh_config if it is not in there?
 
Old 08-17-2009, 11:14 AM   #4
karamarisan
Member
 
Registered: Jul 2009
Location: Illinois, US
Distribution: Fedora 11
Posts: 374

Rep: Reputation: 55
You want to check the option centosboy mentioned in /etc/ssh/sshd_config. Run through the whole thing and make sure pubkey is enabled, check that option, etc.
 
Old 08-17-2009, 11:53 AM   #5
centosboy
Senior Member
 
Registered: May 2009
Location: london
Distribution: centos5
Posts: 1,137

Rep: Reputation: 116
Also, reset the SSH key passphrase. (I know it is blank.)

But still, if no joy, recreate the key. It will only take a few seconds.
Using passphrase-less keys is a security issue. Ideally you would set a phrase but use ssh-agent to cache it. Never mind, that's another issue.
 
Old 08-17-2009, 11:54 AM   #6
centosboy
Senior Member
 
Registered: May 2009
Location: london
Distribution: centos5
Posts: 1,137

Rep: Reputation: 116
Secure log:

Code:
/var/log/secure
 
Old 08-17-2009, 08:00 PM   #7
johnnyk
LQ Newbie
 
Registered: Apr 2003
Location: Melbourne, Australia
Distribution: Debian
Posts: 4

Rep: Reputation: 1
As previously mentioned, check that the permission on both .ssh directories is 700; the authorized_keys and private key files should preferably be 600.

Also, check that your home directory (on both machines) does not allow group or other write access, i.e. the most lax can be 755. If group or other have write access then one could rename the .ssh directory and make up a new .ssh directory with bogus keys, authorized_keys file, etc.

That should hopefully solve your issue.
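The permission rules in the replies above (home directory not group/other writable, .ssh 700, authorized_keys and the private key not readable or writable by group/other) are what sshd enforces under its default StrictModes setting before it will read authorized_keys, and a 775 home directory fails the first of them. As an added example that is not code from any of the posters, this shell function checks a home directory the same way and names the first thing sshd would reject. It assumes GNU stat (Linux) and that the login user is the invoking user unless a uid is given.

```shell
#!/bin/sh
# Added example for this thread (not code from the posters): apply the
# permission checks sshd makes under StrictModes (on by default) before it
# trusts ~/.ssh/authorized_keys, plus the private-key check the client makes.
# Assumes GNU stat (Linux). Usage: check_ssh_perms /home/user [uid]

check_ssh_perms() {
    home="$1"
    uid="${2:-$(id -u)}"      # expected owner; defaults to the invoking user
    rc=0

    # path:mask pairs; any mode bit that is also set in the mask is forbidden.
    #   home            022 -> group/other must not be able to write
    #   ~/.ssh          077 -> no group/other access at all (700)
    #   authorized_keys 022 -> group/other must not be able to write
    for entry in "$home:022" "$home/.ssh:077" "$home/.ssh/authorized_keys:022"; do
        path="${entry%:*}"
        mask="${entry##*:}"
        if [ ! -e "$path" ]; then
            echo "MISSING  $path"
            rc=1
            continue
        fi
        mode=$(stat -c '%a' "$path")
        owner=$(stat -c '%u' "$path")
        # The leading 0 makes the shell read both values as octal.
        if [ "$owner" != "$uid" ]; then
            echo "BADOWNER $path owned by uid $owner, expected $uid"
            rc=1
        elif [ $(( 0$mode & 0$mask )) -ne 0 ]; then
            echo "BADMODE  $path is $mode; group/other bits in mask $mask must be cleared"
            rc=1
        else
            echo "OK       $path ($mode)"
        fi
    done

    # The client refuses to use a private key readable by group/other.
    for key in "$home/.ssh/id_rsa" "$home/.ssh/id_dsa"; do
        [ -f "$key" ] || continue
        mode=$(stat -c '%a' "$key")
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            echo "BADMODE  $key is $mode; private keys should be 600 (or 400)"
            rc=1
        fi
    done
    return $rc
}

# Run directly as `sh check.sh /home/user` to audit one account.
if [ $# -gt 0 ]; then
    check_ssh_perms "$@"
fi
```

Run it on both ends: on ServerB it mirrors what sshd decides when it reads authorized_keys, and on ServerA it catches a private key that ssh will refuse to offer.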
 
Old 08-18-2009, 02:44 AM   #8
kregec05
LQ Newbie
 
Registered: Aug 2009
Posts: 8

Original Poster
Rep: Reputation: 0
Thank you guys, it works now!

I deleted all keys, rechecked the configuration of sshd and deleted all the .ssh directories...
But I think the action that made the difference was the setting of the permissions on the home directory from 775 to 755...

After doing it all again it worked with password-prompt.

Thanks again!
 
Old 08-18-2009, 05:58 AM   #9
abhandari
LQ Newbie
 
Registered: Dec 2008
Location: NP
Posts: 28

Rep: Reputation: 1
SSH automated login - without password

SSH auto login - without password
Here I have used RHEL4 servers (host1=192.168.0.1 and host2=192.168.0.2) with the default ssh version.
===========
Suppose you want a user (abhandari) at host1 to auto login as root on host2 via SSH.


-----------
At Host1 (192.168.0.1)
-----------

1.Login at host1 as abhandari user.
$ ssh -V
OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May 2006
$ cd ~/.ssh
(if the folder is not there create it)
---------------
2.Execute the following command to generate RSA Private-Public Key pair. From SSH documentation, 1024 bytes key is sufficiently strong. Just keep pressing Enter and DO NOT enter anything for passphrase. The key pair should be stored in /home/abhandari/.ssh as id_rsa and id_rsa.pub.

$ ssh-keygen -t rsa -b 1024
$ ls -la /home/abhandari/.ssh
(you just need id_rsa.pub don't distribute id_rsa)
----------------

3. Copy /home/abhandari/.ssh/id_rsa.pub from host1 to host2. Enter the password for the respective host when prompted. Make sure the .ssh folder is present on host2, otherwise create it.

$ scp /home/abhandari/.ssh/id_rsa.pub root@192.168.0.2:/root/.ssh/id_rsa.pub.abhandari
(the above command is a single line.)

NOW
Host2(192.168.0.2)
4. login as root.
5. Add abhandari's public key (from host1) to the authorized_keys list:
# cat /root/.ssh/id_rsa.pub.abhandari >> /root/.ssh/authorized_keys
(the above command is a single line.)
6. From host1, as abhandari, try the following command:
$ ssh root@192.168.0.2
(if ssh listens on a different port at host2 then use the -p option like this:
$ ssh -p 1555 root@192.168.0.2
)
7. If the command succeeds and you find yourself logged in as root at host2, you are good and can expect it to work properly. But we still have to do some little work for success that you were lost in previous support. Let's hunt it. That is the FAP (file access permission) of the .ssh folder and the content inside it.
======at host2 as root===============
8. Allow root login from remote at the ssh port (for a normal user you don't have to do it)
vi /etc/ssh/sshd_config
(uncomment and edit the following line to permit root login at the ssh port. Save it and restart the sshd service)

PermitRootLogin yes

----------------
9. File permission settings, which matter most.
cd /root/.ssh/
ls
chmod 700 ~/.ssh/
chmod go-rwx ~/.ssh/*
chmod go-w ~/
ls -la

10. (starting the service with the updated rules without breaking any previous connection at the ssh port)
# cat /var/run/sshd.pid
9502
# kill 9502
# /etc/init.d/sshd start
Starting sshd: [ OK ]
# service sshd restart

For more info about errors you can peep at the log files
# tail -f /var/log/messages
# tail -f /var/log/secure
=======Now at Host1=========

11. File permission at host1 as abhandari user
cd /home/abhandari/.ssh/
ls -la
chmod 700 ~/.ssh/
chmod go-rwx ~/.ssh/*
chmod go-w ~/

----still at host1-------
Now log in to host2 from host1 (first disable any firewall rules at both servers, or mainly at host2, using "iptables -F" and "service iptables stop").

Now try to log in from host1 as the abhandari user. In some cases host2 may ask for the password the first time, but never the next time, since we are using public key auth. If the password is asked at the next login too, then check the file access permissions/public keys, or whether the version of ssh that you are using is a commercial or different version using RSA/DSA auth keys.

$ ssh root@192.168.0.2
(you must be logged in as root at host2, and this is the auto-login process that you can use from a script as well)

Enjoy !!!
http://www.ispexperts.com.np
 
Old 08-18-2009, 06:27 AM   #10
centosboy
Senior Member
 
Registered: May 2009
Location: london
Distribution: centos5
Posts: 1,137

Rep: Reputation: 116
We prefer type DSA,
and SSH protocol 2 only, for security purposes.
 
1 members found this post helpful.
Old 08-18-2009, 08:34 AM   #11
sxbsxb
LQ Newbie
 
Registered: Feb 2009
Location: Minnesota
Distribution: Redhat EL 5
Posts: 4

Rep: Reputation: 0
I always use:

ssh-keygen -t rsa -N ""

on each machine to generate the RSA keys. The -N "" is the no-password trick.

Then I create the file "authorized_keys" in .ssh from both of the id_rsa.pub files that were created in .ssh. I then put the authorized_keys file on both machines. As you add more machines, just append the id_rsa.pub files: cat id_rsa.pub >> authorized_keys

 
Old 08-19-2009, 03:49 AM   #12
abhandari
LQ Newbie
 
Registered: Dec 2008
Location: NP
Posts: 28

Rep: Reputation: 1
SSH automated login - without password, with DSA

Quote:
Originally Posted by centosboy
we prefer type dsa
and ssh 2 protocol only for security purposes
======================================
SSH public key setup and configuration
--------------------------------------
User abhandari at Host1=192.168.0.1 login via SSH protocol to Host2=192.168.0.2
--------------------------------------

1. Works for DSA key auth using SSH to SSH
# All steps when going from an OpenSSH machine to an OpenSSH machine
# This has been tested.
cd .ssh
ssh-keygen -t dsa
scp id_dsa.pub host2:/home/mst3k/.ssh/host1_mst3k_id_dsa.pub
ssh host2
cd .ssh
cat host1_mst3k_id_dsa.pub >> authorized_keys

================================================

2. Works for DSA key auth using SSH to SSH2


Step 1: Generate the DSA key pair
> ssh-keygen -d
Generating DSA parameter and key.
Enter file in which to save the key (/home/abhandari/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):

Enter same passphrase again:

Your identification has been saved in /home/abhandari/.ssh/id_dsa.
Your public key has been saved in /home/abhandari/.ssh/id_dsa.pub.
The key fingerprint is:
00:6e:05:42:93:7f:34:18:77:fb:e1:b1:54:75:7b:fb abhandari@example.com.np

Step 2: Convert the key to an SSH2-compatible public key
> ssh-keygen -x -f id_dsa > id_dsa_1024_abhandari.pub

Step 3: Upload the file id_dsa_1024_abhandari.pub from host1 to /root/.ssh2 at the remote host2
Step 4: Add an entry "key id_dsa_1024_abhandari.pub" to /root/.ssh2/authorization
Step 5: You should get an auto-login connection by invoking the command "ssh root@192.168.0.2"
Step 6: Troubleshooting. It works for ssh version 2 only. If you want another version, generate an RSA key pair instead.
=======================
Enjoy
 
  

