Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Old 02-19-2007, 12:31 AM   #1
sharathkv25
Member
 
Registered: Jul 2006
Distribution: HP-UX
Posts: 46

Rep: Reputation: 15
password less ssh


Hi,

I have configured SSH to be run from scripts without a password.

Example: My Hostname is 192.168.4.6(A)
Remote Hostname is 192.168.4.7(B)

Now I can connect from A to B without giving a password & vice-versa.

Now when I try to connect from A to A(same host) or B to B, it's asking for password.

This is the log file from sshd. I get this log when I try to connect from 192.168.4.6 to 192.168.4.6(Same)

Code:
# /opt/ssh/sbin/sshd -d -d

debug2: load_server_config: filename /opt/ssh/etc/sshd_config
debug2: load_server_config: done config len = 296
debug2: parse_server_config: config /opt/ssh/etc/sshd_config len 296
debug1: Config token is protocol
debug1: Config token is kerberosauthentication
debug1: Config token is usepam
debug1: Config token is x11forwarding
debug1: Config token is x11uselocalhost
debug1: Config token is hpndisabled
debug1: Config token is subsystem
debug1: sshd version OpenSSH_4.4p1-hpn12v11 [ HP-UX Secure Shell-A.04.40.006 ]
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/opt/ssh/sbin/sshd'
debug1: rexec_argv[1]='-d'
debug1: rexec_argv[2]='-d'
debug2: fd 4 setting O_NONBLOCK
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug1: inetd sockets after dupping: 4, 4
debug1: audit connection from 192.168.4.6 port 56259 euid 0
Connection from 192.168.4.6 port 56259
debug1: Client protocol version 2.0; client software version OpenSSH_4.4p1-hpn12v11
debug1: match: OpenSSH_4.4p1-hpn12v11 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.4p1-hpn12v11
debug2: fd 4 setting O_NONBLOCK
debug1: permanently_set_uid: 105/105
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: Network child is on pid 29243
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug2: monitor_read: 0 used once, disabling now
debug2: dh_gen_key: priv key bits set: 129/256
debug2: bits set: 533/1024
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug2: bits set: 517/1024
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug2: monitor_read: 4 used once, disabling now
debug1: userauth-request for user otroot service ssh-connection method none
debug1: attempt 0 failures 0
debug2: parse_server_config: config reprocess config len 296
debug1: Config token is protocol
debug1: Config token is kerberosauthentication
debug1: Config token is usepam
debug1: Config token is x11forwarding
debug1: Config token is x11uselocalhost
debug1: Config token is hpndisabled
debug1: Config token is subsystem
debug2: input_userauth_request: setting up authctxt for otroot
debug2: input_userauth_request: try method none
debug2: monitor_read: 6 used once, disabling now
debug1: PAM: initializing for "otroot"
debug1: PAM: setting PAM_RHOST to "test3"
debug2: monitor_read: 45 used once, disabling now
debug2: monitor_read: 3 used once, disabling now
debug1: userauth-request for user otroot service ssh-connection method publickey
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method publickey
Failed none for otroot from 192.168.4.6 port 56259 ssh2
debug1: audit event euid 0 user otroot event 3 (AUTH_FAIL_NONE)
debug1: temporarily_use_uid: 5000/104 (e=0/3)
debug1: trying public key file /home/otroot/.ssh/authorized_keys
debug1: restore_uid: 0/3
debug2: key not found
debug1: temporarily_use_uid: 5000/104 (e=0/3)
debug1: trying public key file /home/otroot/.ssh/authorized_keys2
debug1: restore_uid: 0/3
Failed publickey for otroot from 192.168.4.6 port 56259 ssh2
debug1: Entering record_failed_login uid 0
debug1: audit event euid 0 user otroot event 6 (AUTH_FAIL_PUBKEY)
debug2: userauth_pubkey: authenticated 0 pkalg ssh-dss
debug1: userauth-request for user otroot service ssh-connection method keyboard-interactive
debug1: attempt 2 failures 2
debug2: input_userauth_request: try method keyboard-interactive
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=otroot devs=
debug1: kbdint_alloc: devices 'pam'
debug2: auth2_challenge_start: devices pam
debug2: kbdint_next_device: devices <empty>
debug1: auth2_challenge_start: trying authentication method 'pam'
Postponed keyboard-interactive for otroot from 192.168.4.6 port 56259 ssh2

Any help is appreciated.
 
Old 02-19-2007, 09:47 AM   #2
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,831
Blog Entries: 15

Rep: Reputation: 1669
You have to add A to the trusted hosts on A just as you had to add B to trusted hosts. That is to say a host does not automatically "trust" itself - it has no way of knowing when you open the connection that it is originating internally. (Well it could if they wrote it to trace it but why would they bother when you can just add a trust relationship - it saves a lot of unnecessary coding.)

Remember also the trust is not just machine to machine but user to user. So if you try to ssh from user bob to user bill on host A it doesn't matter if you've given trust for root to root on host A.
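The self-trust step described above, as an added example that is not part of the thread: it puts the user's own public key into that same user's authorized_keys on host A (the file the debug log shows sshd reading and reporting "key not found" for), idempotently and with the permissions sshd's StrictModes check expects. It assumes the default OpenSSH layout under ~/.ssh; the key comment "otroot@test3" and the host address are taken from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Makes host A trust itself for one
# user, the same way it already trusts host B: the user's own public key goes
# into the user's own authorized_keys. Assumes the default OpenSSH layout.

# Append a public key line to $home/.ssh/authorized_keys only if it is not
# already there, and fix the permissions sshd's StrictModes check requires.
add_self_key() {
    home_dir=$1
    pubkey_file=$2
    ssh_dir="$home_dir/.ssh"
    auth_keys="$ssh_dir/authorized_keys"
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_keys"
    chmod 600 "$auth_keys"
    # Compare on the key material (type + base64), not the trailing comment,
    # so re-running with a different comment does not add a duplicate.
    key_material=$(awk '{print $1, $2}' "$pubkey_file")
    if awk '{print $1, $2}' "$auth_keys" | grep -qxF "$key_material"; then
        return 0
    fi
    cat "$pubkey_file" >> "$auth_keys"
}

# How many times the key's material appears in authorized_keys (0 if absent).
count_key() {
    auth_keys=$1
    pubkey_file=$2
    key_material=$(awk '{print $1, $2}' "$pubkey_file")
    awk '{print $1, $2}' "$auth_keys" | grep -cxF "$key_material" || true
}

# Non-interactive check: BatchMode=yes makes ssh fail instead of prompting for
# a password, which is exactly what a cron job or script would experience.
check_self_login() {
    ssh -o BatchMode=yes "$1" true
}

# Usage, run manually on host A as the script user (otroot in the thread):
#   [ -f ~/.ssh/id_rsa.pub ] || ssh-keygen -t rsa -N '' -f ~/.ssh/id_rsa
#   add_self_key "$HOME" ~/.ssh/id_rsa.pub
#   check_self_login 192.168.4.6 && echo "self-trust OK"
```

If check_self_login still fails after this, rerun sshd with -d as in the first post and look at the "trying public key file" lines: they tell you which file sshd actually read and under which uid.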
 
Old 02-19-2007, 10:39 AM   #3
JimBass
Senior Member
 
Registered: Oct 2003
Location: New York City
Distribution: Debian Sid 2.6.32
Posts: 2,100

Rep: Reputation: 49
This site has an easy writeup of how to generate ssh keys.

http://backuppc.sourceforge.net/faq/..._setup_openssh

I do NOT suggest doing it as root as those directions suggest, however. Most (hopefully all) servers have ssh configured not to allow root to login through ssh. You can use the same directions; just wherever it says to generate the key as root, do it as your regular user.

Peace,
JimBass
 
Old 02-19-2007, 10:45 AM   #4
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,831
Blog Entries: 15

Rep: Reputation: 1669
It sounded from his original post that he has already generated the keys. He stated he is doing host B to A successfully and vice-versa. His issue is he's trying to do A to A or B to B, so as I said he probably just didn't realize he needs to set up a trust relationship within the host if it's doing ssh to itself.

Before you say he shouldn't, I'll point out he's doing scripting. A good example of why one might do this is if they had Oracle EBusiness running on a host with an Oracle Database. The admin user for the Database is typically different than the Admin user for the Ebusiness, but when shutting them down you want to shut down first the Ebusiness, then the Database. Allowing the DBAs to do trusts like this prevents System Admins (a/k/a the bane of DBA existence) from having to give them root to switch users. This is exactly what this SA did for the DBAs at a prior job.

By shutting down I mean stopping the app and the database. Of course if it were the OS one could make an init script for the purpose and bypass all of this.

Last edited by MensaWater; 02-19-2007 at 10:46 AM.
 
Old 02-19-2007, 10:51 AM   #5
JimBass
Senior Member
 
Registered: Oct 2003
Location: New York City
Distribution: Debian Sid 2.6.32
Posts: 2,100

Rep: Reputation: 49
Ah, yes! Would help if I read and comprehended before posting. (Casually removes foot from mouth).

Peace,
JimBass
 
Old 02-19-2007, 12:22 PM   #6
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,831
Blog Entries: 15

Rep: Reputation: 1669
I wouldn't worry about it - my foot's been in my mouth so many times here that my dental hygienist thinks I've been flossing with shoelaces.
 