passwordless ssh from one host to another host

Reuti · 04-25-2011, 01:12 PM

Do you need it in both directions - then target and source setup must be applied on both machines. For now I would assume that there is no sshd on the client at all. Or is/was a plain ssh working before to reach it?

As said: please post ssh -vvv

I’m a little bit lost in this long thread: did you also setup /etc/ssh/shosts.equiv to contain the hostnames of the source machines (or just both in your case)?

(BTW: with credentials I meant "long-name, short-name, TCP/IP-address ssh-hostkey" to be setup on both machines in /etc/ssh/ssh_known_hosts.)

EricTRA · 04-25-2011, 01:18 PM

Hi,

@Reuti, just to help out a bit. On post 30 and 31 OP confirmed that he was able to login without a password after accepting the RSA key fingerprint. He is indeed trying to setup both directions. Somewhere along the line from post 31 onwards there must have slipped in an error, since now neither side is authenticating, one errors out and the other requires password.

Kind regards,

Eric

mahmoodn · 04-25-2011, 01:24 PM

openssh-server is installed on both server and client.
Please assume that I want to establish a one way ssh (client->server). If that works, then we will continue to bidirectional ssh.

One thing that I want to ask is that I have a directory ~/.ssh on the server which contain:

Code:

mahmood@orca:~$ ls -l .ssh
total 20
-rw------- 1 mahmood users   3940 2011-01-08 23:02 authorized_keys
-rw------- 1 mahmood mahmood 1675 2011-01-08 21:36 id_rsa
-rw-r--r-- 1 mahmood mahmood  394 2011-01-08 21:36 id_rsa.pub
-rw-r--r-- 1 mahmood mahmood 5746 2011-04-25 12:22 known_hosts

Is it important?

Code:

mahmood@server:~$ ssh -vvv
OpenSSH_5.3p1 Debian-3ubuntu4, OpenSSL 0.9.8k 25 Mar 2009
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
           [-D [bind_address:]port] [-e escape_char] [-F configfile]
           [-i identity_file] [-L [bind_address:]port:host:hostport]
           [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
           [-R [bind_address:]port:host:hostport] [-S ctl_path]
           [-w local_tun[:remote_tun]] [user@]hostname [command]
mahmood@client:~$ ssh -vvv
OpenSSH_5.3p1 Debian-3ubuntu6, OpenSSL 0.9.8k 25 Mar 2009
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
           [-D [bind_address:]port] [-e escape_char] [-F configfile]
           [-i identity_file] [-L [bind_address:]port:host:hostport]
           [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
           [-R [bind_address:]port:host:hostport] [-S ctl_path]
           [-w local_tun[:remote_tun]] [user@]hostname [command]

mahmoodn · 04-25-2011, 01:25 PM

In this post, I will upload the other files (I have appended .txt so that I can upload)

Reuti · 04-25-2011, 01:28 PM

Sorry for being imprecise, I meant:

Code:

ssh -vvv server

from the client which turns on being verbose while trying to connect.

mahmoodn · 04-25-2011, 01:30 PM

Code:

mahmood@client:~$ ssh -vvv server
OpenSSH_5.3p1 Debian-3ubuntu6, OpenSSL 0.9.8k 25 Mar 2009
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to server [192.168.1.1] port 22.
debug1: Connection established.
debug1: identity file /home/mahmood/.ssh/identity type -1
debug1: identity file /home/mahmood/.ssh/id_rsa type -1
debug1: identity file /home/mahmood/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3p1 Debian-3ubuntu4
debug1: match: OpenSSH_5.3p1 Debian-3ubuntu4 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu6
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug3: Wrote 792 bytes for a total of 831
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug3: Wrote 24 bytes for a total of 855
debug2: dh_gen_key: priv key bits set: 124/256
debug2: bits set: 508/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: Wrote 144 bytes for a total of 999
debug3: check_host_in_hostfile: filename /home/mahmood/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug3: check_host_in_hostfile: filename /home/mahmood/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 2
debug1: Host 'server' is known and matches the RSA host key.
debug1: Found key in /home/mahmood/.ssh/known_hosts:1
debug2: bits set: 517/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: Wrote 16 bytes for a total of 1015
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug3: Wrote 48 bytes for a total of 1063
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/mahmood/.ssh/identity ((nil))
debug2: key: /home/mahmood/.ssh/id_rsa ((nil))
debug2: key: /home/mahmood/.ssh/id_dsa ((nil))
debug3: Wrote 64 bytes for a total of 1127
debug1: Authentications that can continue: publickey,password,hostbased
debug3: start over, passed a different list publickey,password,hostbased
debug3: preferred gssapi-keyex,gssapi-with-mic,gssapi,hostbased,publickey,keyboard-interactive,password
debug3: authmethod_lookup hostbased
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled hostbased
debug1: Next authentication method: hostbased
debug2: userauth_hostbased: chost client.
debug2: ssh_keysign called
debug3: ssh_msg_send: type 2
debug3: ssh_msg_recv entering
debug1: permanently_drop_suid: 1000
debug2: we sent a hostbased packet, wait for reply
debug3: Wrote 608 bytes for a total of 1735
debug1: Authentications that can continue: publickey,password,hostbased
debug2: userauth_hostbased: chost client.
debug2: ssh_keysign called
debug3: ssh_msg_send: type 2
debug3: ssh_msg_recv entering
debug1: permanently_drop_suid: 1000
debug2: we sent a hostbased packet, wait for reply
debug3: Wrote 672 bytes for a total of 2407
debug1: Authentications that can continue: publickey,password,hostbased
debug1: No more client hostkeys for hostbased authentication.
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/mahmood/.ssh/identity
debug3: no such identity: /home/mahmood/.ssh/identity
debug1: Trying private key: /home/mahmood/.ssh/id_rsa
debug3: no such identity: /home/mahmood/.ssh/id_rsa
debug1: Trying private key: /home/mahmood/.ssh/id_dsa
debug3: no such identity: /home/mahmood/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
mahmood@server's password:

Reuti · 04-25-2011, 01:44 PM

Thx. There is the error:

Quote:

debug1: permanently_drop_suid: 1000

in your output and a Google revealed at least a bug for this in openSUSE, but maybe it’s an OpenSSH issue in the end. I’ll look into it. On a newly setup machine (which has indeed openSUSE 11.4) I face exactly the same :-/.

mahmoodn · 04-25-2011, 01:48 PM

O.... Hope that there is a fix for that in openssh (in my case ubuntu)

update:
I will come back tomorrow.

mahmoodn · 04-26-2011, 08:50 AM

Is there any alternative for that? something like:
1- explicitly stating a user that can ssh without password. For example ssh daemon checks that an incoming connection from user1 is allowed.

2- setting a rule on network interface. For example all connections on port 22 on eth2 are allowed without any password.

3- automate the job for users (and future users) that when administrator runs the script the users add to passwordless ssh.

Are they possible?

Reuti · 04-27-2011, 03:00 PM

I rechecked: my issue which is somewhere in ssh-keysign seems to be unrelated to yours. Can you check on the target side of the connection whether the ssh-key in /etc/ssh/ssh_known_hosts is also only one line and not two due to copy & paste?

mahmoodn · 04-28-2011, 01:00 AM

I asked this question in openssh mailing list. Someone say that the PreferredAuthentications must be chnaged so that hostbased comes before password.
I did that in sshd_config
...
HostbasedAuthentication yes
PreferredAuthentications hostbased,keyboard-interactive,password,publickey
...
however I am not able to ssh from client to server anymore.

Code:

mahmood@client:~$ ssh -vvv server
OpenSSH_5.3p1 Debian-3ubuntu6, OpenSSL 0.9.8k 25 Mar 2009
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to server [192.168.1.1] port 22.
debug1: connect to address 192.168.1.1 port 22: Connection refused
ssh: connect to host server port 22: Connection refused

What he said what good and I think that could be a fix to that (look at the next method in the output of -vvv I posted). However I don't know why the connection is refused

Reuti · 04-28-2011, 03:56 AM

No, the hostbased authentication was tried before but failed. The order was ok.

"port 22: Connection refused" looks more like an entry in /etc/hosts.deny or hosts.allow.

mahmoodn · 04-28-2011, 05:27 AM

If it not possible at this time to perform hostbased ssh, then I have to do that manually for all users on all hosts. Is there any script for that or I have to write that myself?

Reuti · 04-28-2011, 05:29 AM

You will have to create a passphraseless ssh-key for each user and put it in the appropriate location in each user’s ~/.ssh/authorized_keys

mahmoodn · 04-28-2011, 05:34 AM

Can you please explain more.
On server side:
mahmood@server:~$ ??????

on client side
mahmood@client:~$ ??????

At http://tlug.dnho.net/passwordless_ssh I found a script however this is what I get:

Code:

mahmood@server:~$ ./setup_ssh_certificates
Checking for network interface...OK
What is the IP Address of the mirror? : client
Attempting to ping the mirror at tuna...OK
What is the username for the remote host?: mahmood

What is the password for the remote host?:
Attempting to setup passwordless login via SSH keys...Generating public/private dsa key pair.
Your identification has been saved in /home/mahmood/.ssh/id_dsa.
Your public key has been saved in /home/mahmood/.ssh/id_dsa.pub.
The key fingerprint is:
5b:75:4e:47:67:42:40:91:7a:70:e4:dd:b4:3b:75:ad mahmood@server
The key's randomart image is:
+--[ DSA 1024]----+
|           o==o =|
|          ..o. *+|
|           +o +.*|
|          ...+ o+|
|        S ..  Eo |
|         o      .|
|        .        |
|                 |
|                 |
+-----------------+
Sorry, failed to create public/private key pair

there is no email address to contact the author.