LinuxQuestions.org
Old 06-06-2007, 09:46 AM   #1
lefty.crupps
Member
 
Registered: Apr 2005
Location: Minneap USA
Distribution: Debian, Mepis, Sidux
Posts: 470

Rep: Reputation: 32
Passwordless SSH setup not working, any ideas?


I followed this HowTo http://www.debian-administration.org/articles/152 and I've read numerous threads here at LQ and on the web but I cannot get this to function!

I want passwordless logons for root access to work and client servers.

I have set up an RSA key on my box for user@user-desktop (the basic Kubuntu machine name) and I copied/added the rsa_id_nopass.pub file to the end of the destination server's ~/.ssh/authorized_keys2 file, but it still isn't working; I am asked for a password (not passphrase) every time.

I have edited the ssh_config file (both on local machine and server) to use
RSAAuthentication yes
PubkeyAuthentication yes
and restarted the sshd server on both machines.

I want to get root access for servers when I log in using these keys. Unfortunately it isn't giving me root or regular user access at all; 'ssh root@server' is acting like it would had none of my work been done.

My system is Kubuntu 7.04 and the test server is a RedHat Enterprise Linux 9, but the key setup would eventually go onto a few debian servers and RHEL servers. I also am failing to get this to function on two Kubuntu 7.04 boxes (one is at home, one is at work (this setup is for two regular user accounts, not root accounts)). Does this whole setup require that the user name is identical on both machines??? Cause that's just a pain if I have to become root just to not enter a root password five seconds later.

Thanks for any advice

Last edited by lefty.crupps; 06-06-2007 at 10:01 AM.
 
Old 06-06-2007, 10:06 AM   #2
alunduil
Member
 
Registered: Feb 2005
Location: San Antonio, TX
Distribution: Gentoo
Posts: 684

Rep: Reputation: 62
It sounds like you've checked everything. Create the key pair; put public key in the remote box's ~/.ssh/authorized_keys2 file. Check that the remote ~/.ssh directory is chmod 700. The private key applies as long as you are currently running on the local box as the user you created the key for; the same user that has it in their ~/.ssh directory. You also have to be logging in as the user on the remote box that you created the ~/.ssh/authorized_keys2 file for.

Otherwise, everything you've done sounds correct. If things still don't work just post the line that created your key here, and we'll try to help you out some more.

Regards,

Alunduil
 
Old 06-06-2007, 01:48 PM   #3
jeenam
Member
 
Registered: Dec 2006
Distribution: Slackware 11
Posts: 144

Rep: Reputation: 15
Try copying ~/.ssh/authorized_keys2 to ~/.ssh/authorized_keys.

EDIT: On the destination machine(s), of course.

Last edited by jeenam; 06-07-2007 at 09:38 AM.
 
Old 06-06-2007, 02:15 PM   #4
lefty.crupps
Member
 
Registered: Apr 2005
Location: Minneap USA
Distribution: Debian, Mepis, Sidux
Posts: 470

Original Poster
Rep: Reputation: 32
jeenam, I am not following you. Did you mean to say, copy authorized_keys to authorized_keys2?

alunduil, you sort of answered my question, 'do both usernames have to be the same?' I tried installing the pubkey on the destination server as myself (I wanted passwordless root access from a regular shell account, otherwise I still end up typing the root passwd which saves me no time nor braincells) but it still isn't working.

Does the name of my key matter, or is each key tried before a match is found? I had created a new key specifically for this task and named it 'rsa_id_nopass.pub' and I am wondering if the '_nopass' part makes a difference. My private key has a matching name (except the .pub).

I did have to enable this:
Host *
because where I had added these:
RSAAuthentication yes
PubkeyAuthentication yes
was in a part that had no hosts defined. Then I restarted sshd but still no success.

p.s. alunduil greetings to a local Minnesotan!

Last edited by lefty.crupps; 06-06-2007 at 02:17 PM.
 
Old 06-07-2007, 09:38 AM   #5
jeenam
Member
 
Registered: Dec 2006
Distribution: Slackware 11
Posts: 144

Rep: Reputation: 15
Typo above; it should read: Try copying ~/.ssh/authorized_keys2 to ~/.ssh/authorized_keys.
 
Old 03-05-2009, 03:40 PM   #6
simon.sweetman
Member
 
Registered: Mar 2009
Posts: 32

Rep: Reputation: 22
Quote:
Originally Posted by lefty.crupps
I followed the HowTos and I've read numerous threads here at LQ and on the web but I cannot get this to function!

I want passwordless logons for root access to work and client servers.
Have you set the PermitRootLogin to yes or without-password (for public key verification only) in /etc/ssh/sshd_config on the target machine(s)?

Of course a restart of sshd will be required after this change.
 
Old 05-12-2009, 02:33 PM   #7
doc.nice
Member
 
Registered: Oct 2004
Location: Germany
Distribution: Debian
Posts: 274

Rep: Reputation: 34
This may be due to a compromised ssh key.
Check /var/log/auth.log for a message about compromised keys, like this one:

Quote:
May 12 21:13:38 spiff sshd[5415]: Public key <your key fingerprint> from <source-ip> blacklisted (see ssh-vulnkey(1))
If this is the case, update your openssl and openssh packages using aptitude or whatever you use and afterwards create a new key using ssh-keygen (overwrite your old key and create a backup if needed before).

WITHOUT YOUR OLD KEY, YOU WILL NOT BE ABLE TO LOG IN TO MACHINES ONLY ACCEPTING YOUR KEY AS AUTH, NO PASSWORD! BE SURE TO DOUBLE CHECK WHAT YOU DO! You have to (re)deploy the new key to all machines you want to be able to auth to using the key, using ssh-copy-id.

After the update, the login should be possible.

btw: the username must not be identical, simply call "ssh username@hostname" to log into another username on the remote machine...

Last edited by doc.nice; 05-12-2009 at 02:41 PM. Reason: hint about identical usernames added
 
Old 05-12-2009, 08:13 PM   #8
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,226

Rep: Reputation: 2022
Just some side points:

1. There's no such thing as RedHat Enterprise Linux 9; if that's really RH v9 (codename Shrike), it's so out of date it's not funny. RHEL is currently on v5.3.
2. Are you sure you really want to be able to login remotely as root? That's usually not recommended for security reasons, especially if it's on the internet.
(Actually, re-reading, passwordless ie via keys is probably ok...)
3. When describing your problem, please be careful to specify whether you are editing ssh_config or sshd_config; they both exist and it makes all the difference as to which one you edit. (See your OP).

Last edited by chrism01; 05-14-2009 at 07:37 PM. Reason: adjust point 2
 
Old 05-14-2009, 03:36 PM   #9
barae
LQ Newbie
 
Registered: Aug 2006
Posts: 1

Rep: Reputation: 0
One other thing you might want to verify is that the .ssh directory and authorized_keys(2) files are owned by root:root (or user:user)
 
Old 05-15-2009, 03:11 AM   #10
doc.nice
Member
 
Registered: Oct 2004
Location: Germany
Distribution: Debian
Posts: 274

Rep: Reputation: 34
...and the ssh dir is set to mode 700 (call chown user: ~/.ssh; chmod 700 ~/.ssh)
 
Old 05-15-2009, 04:17 PM   #11
ermoreno
LQ Newbie
 
Registered: May 2009
Location: San Antonio, Texas
Distribution: AIX, RHEL
Posts: 8

Rep: Reputation: 0
put /etc/ssh/ssh_host_rsa_key.pub from the remote server in the authorized_keys file on the local host. Then ssh with the -i switch and the path for the identity file. As long as the permissions are correct for .ssh and the underlying files are correct and the PermitRootLogin line of sshd_config is set to yes you should be good.

ssh -i /etc/ssh/ssh_host_rsa_key root@remotehost
 
Old 11-10-2009, 02:55 AM   #12
elkali
LQ Newbie
 
Registered: Nov 2009
Posts: 4

Rep: Reputation: 0
Remember to check not only the directory permissions and ownership, but also the authorized_keys file. It should belong to the user and be chmod'ed to 700.

This will solve your problem almost for sure, it did solve mine :-)
 
Old 09-05-2011, 02:02 PM   #13
martygoody
LQ Newbie
 
Registered: Sep 2011
Posts: 1

Rep: Reputation: Disabled
My public auth ssh was not working and my home directory permissions were the problem. I had to remove group and other write permissions to my home directory and then everything worked:

chmod go-w ~/


Looking at /var/log/auth.log was what helped me figure out what was going wrong.

In case anyone has the same problem.
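
The ownership and permission checks suggested in the posts above (home directory, ~/.ssh and authorized_keys) can be run in one pass. The script below is an added example, not part of any post in this thread; the function names and output format are made up for illustration, and it assumes sshd's default StrictModes behaviour of rejecting paths that are writable by group or others or owned by someone other than the login user or root.

```shell
#!/bin/sh
# Added example: check the ownership and write bits that sshd (StrictModes,
# on by default) inspects before trusting ~/.ssh/authorized_keys.

# Print "<octal mode> <owner uid>" for a path (GNU stat, then BSD stat).
mode_uid() {
    stat -c '%a %u' "$1" 2>/dev/null || stat -f '%Lp %u' "$1"
}

# audit_ssh_perms HOME_DIR LOGIN_UID
# Prints one line per problem; returns 0 only when nothing was found.
audit_ssh_perms() {
    home=$1 login_uid=$2 problems=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING $p"; problems=$((problems + 1)); continue
        fi
        info=$(mode_uid "$p"); mode=${info% *}; owner=${info#* }
        # Owner must be the login user or root.
        if [ "$owner" != "$login_uid" ] && [ "$owner" != 0 ]; then
            echo "OWNER $p uid=$owner"; problems=$((problems + 1))
        fi
        # No write bit for group (020) or others (002).
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "WRITABLE $p mode=$mode"; problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# Run as: sh audit.sh /home/alice 1000   (path and uid are placeholders)
if [ "$#" -ge 2 ]; then audit_ssh_perms "$1" "$2"; fi
```

Run it on the destination machine for the account you log in as; any line it prints names a path sshd would also object to.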
 
Old 11-12-2011, 09:17 AM   #14
_anonymous
LQ Newbie
 
Registered: Nov 2011
Posts: 1

Rep: Reputation: Disabled
I used absolute path in sshd_config as "AuthorizedKeysFile /root/.ssh/authorized_keys".
file permissions were made 700 for .ssh & authorized_keys.

Restarted sshd and then it worked.

Last edited by _anonymous; 11-12-2011 at 09:21 AM.
 
Old 01-18-2012, 02:29 PM   #15
nperrins
LQ Newbie
 
Registered: Jan 2007
Posts: 3

Rep: Reputation: 0
sshd_config bug

We have had two of us working on getting ssh keys working on a Fedora Core 13 server. We have done this kind of thing many times before and truly believe the ssh set up to be a real pain. For one reason or another you can waste days of time getting it to work.

I have to post this one because the previous poster has almost hit the nail on the head - and we have spent all this time not seeing it here because we weren't searching for the right thing. So for all others out there I think it only right to add a few terms for searching here:

putty keys do not connect
cannot ssh connect to linux server
Fedora Core 13 cannot ssh
linux ssh drops key
sshd bugs

OK, the problem is inside the sshd_config file. There is a setting

AuthorizedKeysFile .ssh/authorized_keys

This is a real bad bug because you look at it and you think it is OK. The problem is that the only way you can find this problem is to see where it looks. You do this by putting sshd into debug logging (by changing another setting in sshd_config - LogLevel INFO to LogLevel DEBUG). When you do that, /var/log/secure shows that sshd is looking for //.ssh/authorized_keys.

So, the previous poster is correct in saying that changing it to /root/.ssh/authorized_keys works. But, of course, you then have to use the same public key for every user (not good). So, the answer is to amend the sshd_config file to look in all users' .ssh folders. I haven't done this yet, but it should be straightforward (~/ won't cut it. root sees this as its own home)

So, I have just lost about 20 hours of my life just for that. Thanks guys.

Last edited by nperrins; 01-18-2012 at 02:31 PM.
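
The server-side settings raised in this thread (PermitRootLogin, PubkeyAuthentication and AuthorizedKeysFile, all in sshd_config rather than ssh_config) can be read back the way sshd reads them: the first value for a keyword wins, and an AuthorizedKeysFile path that is not absolute after %h/%u expansion is taken relative to the account's home directory. The script below is an added example, not part of any post; its function names, the sample config and the accounts are constructed, and the home directory `/` is an assumed input that yields the same `//.ssh/authorized_keys` string as the debug log described above.

```shell
#!/bin/sh
# Added example: what sshd will use from an sshd_config file, and which
# authorized_keys path a given account resolves to.

# First global value of KEYWORD in FILE. sshd keeps the first value it reads
# for a keyword; lines after the first "Match" are conditional and skipped.
# Handles the "Keyword value" form only.
sshd_effective() {  # FILE KEYWORD
    awk -v k="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(k) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# Expand %h, %u and %% in an AuthorizedKeysFile pattern; a result that is
# not absolute is joined to the home directory as HOME/PATH.
resolve_authkeys() {  # PATTERN USER HOME
    awk -v p="$1" -v u="$2" -v h="$3" 'BEGIN {
        for (i = 1; i <= length(p); i++) {
            c = substr(p, i, 1)
            if (c != "%" || i == length(p)) { out = out c; continue }
            n = substr(p, ++i, 1)
            if (n == "h") out = out h
            else if (n == "u") out = out u
            else if (n == "%") out = out "%"
            else out = out "%" n
        }
        if (substr(out, 1, 1) != "/") out = h "/" out
        print out
    }'
}

demo() {  # constructed sample config and accounts, not from the thread
    cfg=$(mktemp)
    cat > "$cfg" <<'EOF'
PubkeyAuthentication yes
PermitRootLogin without-password
AuthorizedKeysFile .ssh/authorized_keys
PermitRootLogin no
EOF
    echo "PermitRootLogin: $(sshd_effective "$cfg" PermitRootLogin)"
    pat=$(sshd_effective "$cfg" AuthorizedKeysFile)
    resolve_authkeys "$pat" root /root
    resolve_authkeys "$pat" root /
    rm -f "$cfg"
}
if [ "${1:-}" = demo ]; then demo; fi
```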
 
  

