Linux - NetworkingThis forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Do you need it in both directions - then target and source setup must be applied on both machines. For now I would assume that there is no sshd on the client at all. Or is/was a plain ssh working before to reach it?
As said: please post ssh -vvv
I’m a little bit lost in this long thread: did you also setup /etc/ssh/shosts.equiv to contain the hostnames of the source machines (or just both in your case)?
(BTW: with credentials I meant "long-name, short-name, TCP/IP-address ssh-hostkey" to be setup on both machines in /etc/ssh/ssh_known_hosts.)
@Reuti, just to help out a bit. On post 30 and 31 OP confirmed that he was able to login without a password after accepting the RSA key fingerprint. He is indeed trying to setup both directions. Somewhere along the line from post 31 onwards there must have slipped in an error, since now neither side is authenticating, one errors out and the other requires password.
openssh-server is installed on both server and client.
Please assume that I want to establish a one way ssh (client->server). If that works, then we will continue to bidirectional ssh.
One thing that I want to ask is that I have a directory ~/.ssh on the server which contain:
mahmood@client:~$ ssh -vvv server
OpenSSH_5.3p1 Debian-3ubuntu6, OpenSSL 0.9.8k 25 Mar 2009
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to server [192.168.1.1] port 22.
debug1: Connection established.
debug1: identity file /home/mahmood/.ssh/identity type -1
debug1: identity file /home/mahmood/.ssh/id_rsa type -1
debug1: identity file /home/mahmood/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3p1 Debian-3ubuntu4
debug1: match: OpenSSH_5.3p1 Debian-3ubuntu4 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu6
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug3: Wrote 792 bytes for a total of 831
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug3: Wrote 24 bytes for a total of 855
debug2: dh_gen_key: priv key bits set: 124/256
debug2: bits set: 508/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: Wrote 144 bytes for a total of 999
debug3: check_host_in_hostfile: filename /home/mahmood/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug3: check_host_in_hostfile: filename /home/mahmood/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 2
debug1: Host 'server' is known and matches the RSA host key.
debug1: Found key in /home/mahmood/.ssh/known_hosts:1
debug2: bits set: 517/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: Wrote 16 bytes for a total of 1015
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug3: Wrote 48 bytes for a total of 1063
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/mahmood/.ssh/identity ((nil))
debug2: key: /home/mahmood/.ssh/id_rsa ((nil))
debug2: key: /home/mahmood/.ssh/id_dsa ((nil))
debug3: Wrote 64 bytes for a total of 1127
debug1: Authentications that can continue: publickey,password,hostbased
debug3: start over, passed a different list publickey,password,hostbased
debug3: preferred gssapi-keyex,gssapi-with-mic,gssapi,hostbased,publickey,keyboard-interactive,password
debug3: authmethod_lookup hostbased
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled hostbased
debug1: Next authentication method: hostbased
debug2: userauth_hostbased: chost client.
debug2: ssh_keysign called
debug3: ssh_msg_send: type 2
debug3: ssh_msg_recv entering
debug1: permanently_drop_suid: 1000
debug2: we sent a hostbased packet, wait for reply
debug3: Wrote 608 bytes for a total of 1735
debug1: Authentications that can continue: publickey,password,hostbased
debug2: userauth_hostbased: chost client.
debug2: ssh_keysign called
debug3: ssh_msg_send: type 2
debug3: ssh_msg_recv entering
debug1: permanently_drop_suid: 1000
debug2: we sent a hostbased packet, wait for reply
debug3: Wrote 672 bytes for a total of 2407
debug1: Authentications that can continue: publickey,password,hostbased
debug1: No more client hostkeys for hostbased authentication.
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/mahmood/.ssh/identity
debug3: no such identity: /home/mahmood/.ssh/identity
debug1: Trying private key: /home/mahmood/.ssh/id_rsa
debug3: no such identity: /home/mahmood/.ssh/id_rsa
debug1: Trying private key: /home/mahmood/.ssh/id_dsa
debug3: no such identity: /home/mahmood/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
mahmood@server's password:
in your output and a Google revealed at least a bug for this in openSUSE, but maybe it’s an OpenSSH issue in the end. I’ll look into it. On a newly setup machine (which has indeed openSUSE 11.4) I face exactly the same :-/.
Is there any alternative for that? something like:
1- explicitly stating a user that can ssh without password. For example ssh daemon checks that an incoming connection from user1 is allowed.
2- setting a rule on network interface. For example all connections on port 22 on eth2 are allowed without any password.
3- automate the job for users (and future users) that when administrator runs the script the users add to passwordless ssh.
I rechecked: my issue which is somewhere in ssh-keysign seems to be unrelated to yours. Can you check on the target side of the connection whether the ssh-key in /etc/ssh/ssh_known_hosts is also only one line and not two due to copy & paste?
I asked this question in openssh mailing list. Someone say that the PreferredAuthentications must be chnaged so that hostbased comes before password.
I did that in sshd_config
...
HostbasedAuthentication yes
PreferredAuthentications hostbased,keyboard-interactive,password,publickey
...
however I am not able to ssh from client to server anymore.
Code:
mahmood@client:~$ ssh -vvv server
OpenSSH_5.3p1 Debian-3ubuntu6, OpenSSL 0.9.8k 25 Mar 2009
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to server [192.168.1.1] port 22.
debug1: connect to address 192.168.1.1 port 22: Connection refused
ssh: connect to host server port 22: Connection refused
What he said what good and I think that could be a fix to that (look at the next method in the output of -vvv I posted). However I don't know why the connection is refused
If it not possible at this time to perform hostbased ssh, then I have to do that manually for all users on all hosts. Is there any script for that or I have to write that myself?
mahmood@server:~$ ./setup_ssh_certificates
Checking for network interface...OK
What is the IP Address of the mirror? : client
Attempting to ping the mirror at tuna...OK
What is the username for the remote host?: mahmood
What is the password for the remote host?:
Attempting to setup passwordless login via SSH keys...Generating public/private dsa key pair.
Your identification has been saved in /home/mahmood/.ssh/id_dsa.
Your public key has been saved in /home/mahmood/.ssh/id_dsa.pub.
The key fingerprint is:
5b:75:4e:47:67:42:40:91:7a:70:e4:dd:b4:3b:75:ad mahmood@server
The key's randomart image is:
+--[ DSA 1024]----+
| o==o =|
| ..o. *+|
| +o +.*|
| ...+ o+|
| S .. Eo |
| o .|
| . |
| |
| |
+-----------------+
Sorry, failed to create public/private key pair
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.