At the last question I answered "yes". Then without any password I entered server. So there is no problem with client->server.
Quote:
If I'm not mistaken you've only set it up one way, from your client to your server.
The results show that yes... it is set up this way. To complete it I have to set it up the other way (server->client).
Let me try that. Since one way is working I can compare the config files.
That sounds perfect. So now you can connect FROM your client TO your server without entering a password. That was your goal from the start wasn't it? Glad you got that part working. Now, if you want to be able to do the same from your server to your client, as indicated you'll have to repeat the configuration the other way around. Looking forward to your feedback.
I still have a problem. Let me summarize...
1-
Something that I want to know is that, since I want bidirectional passwordless ssh from client <-> server, the sshd_config on the server must be exactly the same as the sshd_config on the client. Also the ssh_config on the server must be the same as the ssh_config on the client.
To summarize, sshd_config must contain
Code:
IgnoreRhosts no
HostbasedAuthentication yes
and ssh_config must contain
Code:
HostbasedAuthentication yes
EnableSSHKeysign yes
Do you agree with that?
2-
the user (here mahmood) must run ssh-keyscan on both systems and insert the output into /etc/ssh/ssh_known_hosts. For example
Code:
mahmood@server:~$ ssh-keyscan server client
server ssh-rsa A1
client ssh-rsa A2
then I paste them into /etc/ssh/ssh_known_hosts on server.
Also
Code:
mahmood@client:~$ ssh-keyscan server client
server ssh-rsa A3
client ssh-rsa A4
then I paste them into /etc/ssh/ssh_known_hosts on client.
Do you agree with that?
3- on server:~ there is a file .shosts that contains "server mahmood" and on client:~ there is a file .shosts that contains "client mahmood".
Do you agree with that?
One thing that really bothers me is that every time I ssh to the client and enter the password, the comparison of "ssh-keyscan server client" and "/etc/ssh/ssh_known_hosts" shows different content. I will paste the whole thing so you can see what is strange:
Code:
mahmood@client:~$ cat /etc/ssh/ssh_known_hosts
# server SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu4
server,192.168.1.1 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuBCfN+TMtNok1WezSr7aj7LqFm01NAlITGgLBRN4juwa01yfj+lbqkPaWQZg9bHUyH5iBge7HqjM0eFf0a8KRxL0yYB3nfcWJebWJ+XuEBIRPTAoZkJdsi26omY8fStN8p1fzqXsgVNCnrY8k16zTXMltcN+MNPG7x9nutZQu9uvNIteshthRLJyD34KzOIqf4anW1A2MRfGkQUJEc9Kwg/l6FYRSS2Y6irAaQq3dgO7hlwnesdXNJZRPeI1JmaxT20NVgWbZn4gbozuxrj21gFXKLJTioTy1FtKleY9mjPlCSyRBZJGw1MKfKtvhmSfyno8fvPV35iB0m+LMRYI/Q==
# client SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu6
client,192.168.1.3 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA9Mi0TEUzMLJ1i2gascvkXilTE2g3BIYKcs6qIcFXa7w8GB+LN6GoH3uJ+0PujwQVdzO4B8qpQ+ClM9uwYxo61x9bIYh/nwqaVqJrI5VOtbzlzXPCs0SWeDAjVTJzTcX3Pk+D10lfqLDL2jLblzZD7yJpm0Elb8tuF4ISMeFaKP6MeG4m+Ygl+zbcvYzpvqtTpQSmM2u9SIEW+Cg62VuMw7xkrXqNg671ewdc53SvCQM8PysJCRUNDPcy1nKA4chhq/HDuyvpKVaPrFWugaoKGWkAz3Y0Ny6Xge4O3EJsclbuQt3AY6oXPsOkyBMm3QRU+I4Tjl7TCm0EjS+B8QXTEQ==
mahmood@client:~$ ssh-keyscan server client
# server SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu4
server ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuBCfN+TMtNok1WezSr7aj7LqFm01NAlITGgLBRN4juwa01yfj+lbqkPaWQZg9bHUyH5iBge7HqjM0eFf0a8KRxL0yYB3nfcWJebWJ+XuEBIRPTAoZkJdsi26omY8fStN8p1fzqXsgVNCnrY8k16zTXMltcN+MNPG7x9nutZQu9uvNIteshthRLJyD34KzOIqf4anW1A2MRfGkQUJEc9Kwg/l6FYRSS2Y6irAaQq3dgO7hlwnesdXNJZRPeI1JmaxT20NVgWbZn4gbozuxrj21gFXKLJTioTy1FtKleY9mjPlCSyRBZJGw1MKfKtvhmSfyno8fvPV35iB0m+LMRYI/Q==
# client SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu6
client ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA9Mi0TEUzMLJ1i2gascvkXilTE2g3BIYKcs6qIcFXa7w8GB+LN6GoH3uJ+0PujwQVdzO4B8qpQ+ClM9uwYxo61x9bIYh/nwqaVqJrI5VOtbzlzXPCs0SWeDAjVTJzTcX3Pk+D10lfqLDL2jLblzZD7yJpm0Elb8tuF4ISMeFaKP6MeG4m+Ygl+zbcvYzpvqtTpQSmM2u9SIEW+Cg62VuMw7xkrXqNg671ewdc53SvCQM8PysJCRUNDPcy1nKA4chhq/HDuyvpKVaPrFWugaoKGWkAz3Y0Ny6Xge4O3EJsclbuQt3AY6oXPsOkyBMm3QRU+I4Tjl7TCm0EjS+B8QXTEQ==
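The two listings above differ only in the first field (ssh_known_hosts stores "server,192.168.1.1", ssh-keyscan prints "server"); the key material is identical. A small comparison tool that indexes both by host name makes that visible and, more importantly, flags the case that does matter: a host whose key in ssh_known_hosts no longer matches what the host presents. This is an added example, not code from the thread; the host names, addresses and key strings are constructed placeholders, not the real keys from the posts.

```python
"""Compare an OpenSSH ssh_known_hosts file against ssh-keyscan output.

Added example for the thread above; the sample data is constructed.
"""
from typing import Dict, Tuple

# Constructed sample: what `cat /etc/ssh/ssh_known_hosts` might print.
KNOWN_HOSTS = """\
# server SSH-2.0-OpenSSH_5.3p1
server,192.168.1.1 ssh-rsa AAAAB3NzaC1yc2E_SERVER_KEY_SAMPLE
# client SSH-2.0-OpenSSH_5.3p1
client,192.168.1.3 ssh-rsa AAAAB3NzaC1yc2E_CLIENT_KEY_SAMPLE
"""

# Constructed sample: what `ssh-keyscan server client` might print today.
# The client key deliberately differs, as it would after a reinstall.
KEYSCAN = """\
# server SSH-2.0-OpenSSH_5.3p1
server ssh-rsa AAAAB3NzaC1yc2E_SERVER_KEY_SAMPLE
# client SSH-2.0-OpenSSH_5.3p1
client ssh-rsa AAAAB3NzaC1yc2E_CLIENT_KEY_CHANGED
"""


def parse_host_keys(text: str) -> Dict[str, Tuple[str, str]]:
    """Map each host name or address to its (key type, base64 key).

    Understands the known_hosts layout: '#' comment lines, an optional
    leading '@marker' (e.g. @cert-authority, @revoked) and a comma-separated
    host list in the first field.  Hashed '|1|...' entries are skipped,
    since the host name cannot be read back from the hash.
    """
    index: Dict[str, Tuple[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):
            fields = fields[1:]
        if len(fields) < 3:
            continue  # malformed line, ignore
        hosts, keytype, keydata = fields[0], fields[1], fields[2]
        if hosts.startswith("|1|"):
            continue  # HashKnownHosts entry, not matchable by name here
        for host in hosts.split(","):
            index[host] = (keytype, keydata)
    return index


def compare(known_text: str, scan_text: str) -> Dict[str, str]:
    """Verdict per scanned host: 'match', 'MISMATCH' or 'missing'.

    'MISMATCH' means the host now presents a different key than the one
    recorded: either it was reinstalled or something is sitting between
    the two machines.  Either way it needs to be explained before the
    recorded key is replaced.
    """
    known = parse_host_keys(known_text)
    scanned = parse_host_keys(scan_text)
    verdicts: Dict[str, str] = {}
    for host, key in scanned.items():
        if host not in known:
            verdicts[host] = "missing"
        elif known[host] == key:
            verdicts[host] = "match"
        else:
            verdicts[host] = "MISMATCH"
    return verdicts


if __name__ == "__main__":
    for host, verdict in sorted(compare(KNOWN_HOSTS, KEYSCAN).items()):
        print(f"{host:10s} {verdict}")
```

On real files, replace the two constants with the contents of /etc/ssh/ssh_known_hosts and the captured output of ssh-keyscan; because the index is keyed per name, "server,192.168.1.1" and "server" resolve to the same entry and compare as a match when the key text is the same.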
1. Yes.
2. No, you have to log in to the server and insert the client key with the ssh-keyscan command. Next you have to log in to the client and insert the key (for the server, which will function as a client) with the ssh-keyscan command. Those cannot be generated on the same machine; they have to be executed on both machines.
3. No, since both machines function as server and as client they have to contain the correct credentials in the shosts file on both machines.
The problem with the keys is, in my opinion, related to the fact that you apparently execute them on the same server. You have to log in to both machines and repeat the commands, not necessarily on the console but at least in an SSH session. First you log in on the server and run ssh-keyscan on the client, adding it to the ssh_known_hosts on the server. Then you log in on another session at the client and run the ssh-keyscan command pointing at the server, adding it to the ssh_known_hosts at the client.
Host keys don't normally change, only if you reinstalled your system.
Next, while the two terminals are open (both server and client), I grab the server key from the server console
Code:
mahmood@server:~$ ssh-keyscan server
# server SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu4
server ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuBCfN+TMtNok1WezSr7aj7LqFm01NAlITGgLBRN4juwa01yfj+lbqkPaWQZg9bHUyH5iBge7HqjM0eFf0a8KRxL0yYB3nfcWJebWJ+XuEBIRPTAoZkJdsi26omY8fStN8p1fzqXsgVNCnrY8k16zTXMltcN+MNPG7x9nutZQu9uvNIteshthRLJyD34KzOIqf4anW1A2MRfGkQUJEc9Kwg/l6FYRSS2Y6irAaQq3dgO7hlwnesdXNJZRPeI1JmaxT20NVgWbZn4gbozuxrj21gFXKLJTioTy1FtKleY9mjPlCSyRBZJGw1MKfKtvhmSfyno8fvPV35iB0m+LMRYI/Q==
Then I paste that in client's terminal (ssh_known_hosts):
Code:
mahmood@client:~$ cat /etc/ssh/ssh_known_hosts
# server SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu4
server,192.168.1.1 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuBCfN+TMtNok1WezSr7aj7LqFm01NAlITGgLBRN4juwa01yfj+lbqkPaWQZg9bHUyH5iBge7HqjM0eFf0a8KRxL0yYB3nfcWJebWJ+XuEBIRPTAoZkJdsi26omY8fStN8p1fzqXsgVNCnrY8k16zTXMltcN+MNPG7x9nutZQu9uvNIteshthRLJyD34KzOIqf4anW1A2MRfGkQUJEc9Kwg/l6FYRSS2Y6irAaQq3dgO7hlwnesdXNJZRPeI1JmaxT20NVgWbZn4gbozuxrj21gFXKLJTioTy1FtKleY9mjPlCSyRBZJGw1MKfKtvhmSfyno8fvPV35iB0m+LMRYI/Q==
You can verify that they are the same.
Is my work fine here? Do you confirm that?
Quote:
3. No, since both machines function as server and as client they have to contain the correct credentials in the shosts file on both machines.
Sorry, what is the correct credential in my example? Isn't it what I said:
on server:~ there is a file .shosts that contains "server mahmood" and on client:~ there is a file .shosts that contains "client mahmood".
The terminals are open and I didn't reset/restart anything. What is your recommendation next?
On the client you need to point to the server to get the key and vice versa. You don't need to save the key of the client machine on that same machine (client). There's no point nor use for it. Normally you don't have to copy/paste anything (better to avoid it whenever possible when working with keys). When you run this on the server:
the key from the client will automatically be added on the server and you'll be able to connect FROM the client TO the server.
To have bidirectional possibilities you'll need to run the same command like this on the client:
Code:
mahmood@client:~$ ssh-keyscan server >> /etc/ssh/ssh_known_hosts
The credential files are off too. You need, on the server side, to give access to the user from the client (the one you are connecting as) in this form:
Code:
client.domain mahmood
and since your client will also function as a server in order to have bidirectional traffic with host key authentication you'll need on your client:
Code:
server.domain mahmood
After those configurations, restart SSH and try connecting from either computer to the other. Also check /etc/hosts file on both machines to see that they have both machines listed correctly with their IP and hostname.domain. If you don't then your system will try to resolve the hostname using DNS. You can try that out using a ping command.
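The advice above ties three things together: sshd reverse-resolves the connecting address to a host name, looks that name up in ssh_known_hosts, and then looks for a ".shosts" line naming that host and the remote user. If /etc/hosts yields "client" but .shosts says "client.domain", the lookup silently fails. The following is an added example, not the thread's own code and not OpenSSH source: it models that decision with toy data so the effect of /etc/hosts and .shosts contents can be tried offline. It simplifies real sshd behaviour (no DNS, no shosts.equiv, no check of the host name the client sends in the packet); the addresses, names and user are constructed.

```python
"""Simplified model of sshd's HostbasedAuthentication checks.

Added example; imitates the decision logic with constructed data.
"""
from typing import List, Optional, Set, Tuple

# Constructed /etc/hosts with fully qualified canonical names first.
HOSTS_FQDN = """\
127.0.0.1 localhost
192.168.1.1 server.domain server
192.168.1.3 client.domain client
"""

# Constructed /etc/hosts with short names only.
HOSTS_SHORT = """\
127.0.0.1 localhost
192.168.1.1 server
192.168.1.3 client
"""

# Constructed ~/.shosts on the server, granting mahmood from client.domain.
SHOSTS_FQDN = "client.domain mahmood\n"


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Parse /etc/hosts text into (address, [canonical, aliases...])."""
    table: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        if names:
            table.append((addr, names))
    return table


def reverse_lookup(table, addr: str) -> Optional[str]:
    """Canonical name of the first matching line, as a resolver returns it."""
    for entry_addr, names in table:
        if entry_addr == addr:
            return names[0]
    return None


def forward_lookup(table, name: str) -> Set[str]:
    """All addresses whose line lists `name` as canonical name or alias."""
    return {entry_addr for entry_addr, names in table if name in names}


def shosts_allows(shosts_text: str, host: str, remote_user: str,
                  local_user: str) -> bool:
    """.shosts lines are 'hostname [username]'.  Without a username the
    remote user must have the same name as the local account."""
    for raw in shosts_text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0] != host:
            continue
        wanted = fields[1] if len(fields) > 1 else local_user
        if wanted == remote_user:
            return True
    return False


def hostbased_decision(hosts_text: str, shosts_text: str,
                       known_host_names: Set[str], client_addr: str,
                       remote_user: str, local_user: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for one incoming host-based attempt."""
    table = parse_hosts(hosts_text)
    name = reverse_lookup(table, client_addr)
    if name is None:
        return False, f"cannot reverse-resolve {client_addr}"
    if client_addr not in forward_lookup(table, name):
        return False, f"{name} does not resolve back to {client_addr}"
    if name not in known_host_names:
        return False, f"no host key for {name} in ssh_known_hosts"
    if not shosts_allows(shosts_text, name, remote_user, local_user):
        return False, f"no .shosts line granting {remote_user}@{name}"
    return True, f"{remote_user}@{name} accepted for {local_user}"


if __name__ == "__main__":
    for label, hosts in (("fqdn hosts", HOSTS_FQDN), ("short hosts", HOSTS_SHORT)):
        known = {reverse_lookup(parse_hosts(hosts), "192.168.1.3")}
        print(label, hostbased_decision(hosts, SHOSTS_FQDN, known,
                                        "192.168.1.3", "mahmood", "mahmood"))
```

The second run shows the failure mode the post warns about: with short names in /etc/hosts the client resolves to "client", so a .shosts entry written as "client.domain mahmood" never matches, and the server falls back to asking for a password.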
Code:
mahmood@client:~$ ssh-keyscan server >> /etc/ssh/ssh_known_hosts
# server SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu4
mahmood@client:~$ cat /etc/ssh/ssh_known_hosts
server ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuBCfN+TMtNok1WezSr7aj7LqFm01NAlITGgLBRN4juwa01yfj+lbqkPaWQZg9bHUyH5iBge7HqjM0eFf0a8KRxL0yYB3nfcWJebWJ+XuEBIRPTAoZkJdsi26omY8fStN8p1fzqXsgVNCnrY8k16zTXMltcN+MNPG7x9nutZQu9uvNIteshthRLJyD34KzOIqf4anW1A2MRfGkQUJEc9Kwg/l6FYRSS2Y6irAaQq3dgO7hlwnesdXNJZRPeI1JmaxT20NVgWbZn4gbozuxrj21gFXKLJTioTy1FtKleY9mjPlCSyRBZJGw1MKfKtvhmSfyno8fvPV35iB0m+LMRYI/Q==
mahmood@client:~$ cat .shosts
server.domain mahmood
mahmood@client:~$ cat /etc/hosts
127.0.0.1 localhost
192.168.1.1 server
192.168.1.3 client
Now everything is fine here, so on server
Code:
mahmood@server:~$ sudo service ssh restart
ssh start/running, process 32672
and on the client
Code:
mahmood@client:~$ sudo service ssh restart
ssh start/running, process 32672
Now test on server:
Code:
mahmood@server:~$ ssh client
get_socket_address: getnameinfo 8 failed: Name or service not known
get_socket_address: getnameinfo 8 failed: Name or service not known
cannot get sockname for fd
ssh_keysign: no reply
key_sign failed
mahmood@client's password:
and test on client:
Code:
mahmood@client:~$ ssh server
mahmood@server's password:
I am really stuck at that with no success. Please leave it for now. I have to check all config files from scratch. Sometimes such abnormalities are caused by very simple mistakes and misconfigurations.
That must indeed be some misconfiguration, and your idea about checking the configurations is the best way to go. I'd even take it one step further and delete the ssh_known_hosts on both machines and the shosts key. Then try to set it up one way, like you did before when it worked. When you get that working, take it to the next level. Have a look at this site (I think I mentioned it before), which explains the one-way direction in very easy terminology.