Old 04-28-2011, 05:54 AM   #61
Reuti
Senior Member
 
Registered: Dec 2004
Location: Marburg, Germany
Distribution: openSUSE 15.2
Posts: 1,339

Rep: Reputation: 260

I wouldn’t trust the output as it uses hard coded TCP/IP addresses, and even if you changed the TCP/IP address, you faced already a connection problem before and the script doesn’t distinguish between errors. Maybe it’s even working despite the message.

As I asked: did you check the server’s /etc/ssh/ssh_known_host file? The error you face points to a not accepted key.
 
Old 04-28-2011, 06:00 AM   #62
mahmoodn
Member
 
Registered: May 2010
Posts: 427

Original Poster
Rep: Reputation: 16
On the server
Code:
mahmood@server:~$ cat /etc/ssh/ssh_known_hosts
client,192.168.1.3 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA9Mi0TEUzMLJ1i2gascvkXilTE2g3BIYKcs6qIcFXa7w8GB+LN6GoH3uJ+0PujwQVdzO4B8qpQ+ClM9uwYxo61x9bIYh/nwqaVqJrI5VOtbzlzXPCs0SWeDAjVTJzTcX3Pk+D10lfqLDL2jLblzZD7yJpm0Elb8tuF4ISMeFaKP6MeG4m+Ygl+zbcvYzpvqtTpQSmM2u9SIEW+Cg62VuMw7xkrXqNg671ewdc53SvCQM8PysJCRUNDPcy1nKA4chhq/HDuyvpKVaPrFWugaoKGWkAz3Y0Ny6Xge4O3EJsclbuQt3AY6oXPsOkyBMm3QRU+I4Tjl7TCm0EjS+B8QXTEQ==
mahmood@server:~$
and from the client:
Code:
debug1: Authentications that can continue: publickey,password,hostbased
debug2: userauth_hostbased: chost client.
debug2: ssh_keysign called
debug3: ssh_msg_send: type 2
debug3: ssh_msg_recv entering
debug1: permanently_drop_suid: 1000
debug2: we sent a hostbased packet, wait for reply
debug3: Wrote 672 bytes for a total of 2407
debug1: Authentications that can continue: publickey,password,hostbased
debug1: No more client hostkeys for hostbased authentication.
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/mahmood/.ssh/identity
debug3: no such identity: /home/mahmood/.ssh/identity
debug1: Trying private key: /home/mahmood/.ssh/id_rsa
debug3: no such identity: /home/mahmood/.ssh/id_rsa
debug1: Trying private key: /home/mahmood/.ssh/id_dsa
debug3: no such identity: /home/mahmood/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
mahmood@server's password:
All the problem is
Code:
debug1: Authentications that can continue: publickey,password,hostbased
debug1: No more client hostkeys for hostbased authentication.
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
For unknown reason it ignores hostbased

UPDATE:
At this page https://www.cs.uwaterloo.ca/twiki/vi...Authentication it is stated:
"No more client hostkeys for hostbased authentication" suggests that either end of the connection was having trouble looking up the reverse IP of the client and matching it against the key.

but I don't know what to do

Last edited by mahmoodn; 04-28-2011 at 06:04 AM.
 
Old 04-28-2011, 06:30 AM   #63
Reuti
When I look in the source all tests failed with "No more client hostkeys for hostbased authentication."

And this key is from the client /etc/ssh/ssh_host_rsa_key.pub?
 
Old 04-28-2011, 06:32 AM   #64
mahmoodn
Code:
mahmood@server:~$ cat /etc/ssh/ssh_host_rsa_key.pub
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuBCfN+TMtNok1WezSr7aj7LqFm01NAlITGgLBRN4juwa01yfj+lbqkPaWQZg9bHUyH5iBge7HqjM0eFf0a8KRxL0yYB3nfcWJebWJ+XuEBIRPTAoZkJdsi26omY8fStN8p1fzqXsgVNCnrY8k16zTXMltcN+MNPG7x9nutZQu9uvNIteshthRLJyD34KzOIqf4anW1A2MRfGkQUJEc9Kwg/l6FYRSS2Y6irAaQq3dgO7hlwnesdXNJZRPeI1JmaxT20NVgWbZn4gbozuxrj21gFXKLJTioTy1FtKleY9mjPlCSyRBZJGw1MKfKtvhmSfyno8fvPV35iB0m+LMRYI/Q== root@server
mahmood@server:~$
What is root@server doing here? Is that OK?

Last edited by mahmoodn; 04-28-2011 at 06:33 AM.
 
Old 04-28-2011, 06:38 AM   #65
Reuti
Client - not server.
 
Old 04-28-2011, 06:40 AM   #66
mahmoodn
Code:
mahmood@client:~$ cat /etc/ssh/ssh_host_rsa_key.pub
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA9Mi0TEUzMLJ1i2gascvkXilTE2g3BIYKcs6qIcFXa7w8GB+LN6GoH3uJ+0PujwQVdzO4B8qpQ+ClM9uwYxo61x9bIYh/nwqaVqJrI5VOtbzlzXPCs0SWeDAjVTJzTcX3Pk+D10lfqLDL2jLblzZD7yJpm0Elb8tuF4ISMeFaKP6MeG4m+Ygl+zbcvYzpvqtTpQSmM2u9SIEW+Cg62VuMw7xkrXqNg671ewdc53SvCQM8PysJCRUNDPcy1nKA4chhq/HDuyvpKVaPrFWugaoKGWkAz3Y0Ny6Xge4O3EJsclbuQt3AY6oXPsOkyBMm3QRU+I4Tjl7TCm0EjS+B8QXTEQ== root@server
mahmood@client:~$
Again root@server is there. Shouldn't it be mahmood@server?
 
Old 04-28-2011, 06:45 AM   #67
Reuti
And "client" is the only name - no client.local or anything else in /etc/hosts on any of the machines?
 
Old 04-28-2011, 06:49 AM   #68
EricTRA
LQ Guru
 
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 20 with Awesome WM
Posts: 6,805
Blog Entries: 1

Rep: Reputation: 1297
Hello,

Deactivate reverse lookup and try again to eliminate that possibility by putting (uncommenting if exists) the following:
Code:
UseDns no
VerifyReverseMapping No
then restart SSH and try again.

Kind regards,

Eric
 
Old 04-28-2011, 06:50 AM   #69
mahmoodn
On server:
Code:
mahmood@server:blackscholes$ cat /etc/hosts
127.0.0.1       localhost     localhost,server
124.22.69.105  server
192.168.1.3     client

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

mahmood@server:~$ sudo find / -name "client.local"
mahmood@server:~$
on client:
Code:
mahmood@client:~$ cat /etc/hosts
127.0.0.1 localhost
192.168.1.1 server
192.168.1.3 client
Can you explain what the problem is exactly? What is going on when the client wants to ssh to the server? If I want to do that from scratch, which files should I delete (*.pub, ssh_known_hosts, ...)?

Quote:
Deactivate reverse lookup and try again to eliminate that possibility by putting (uncommenting if exists) the following
in ssh_config or sshd_config?

Last edited by mahmoodn; 04-28-2011 at 06:52 AM.
 
Old 04-28-2011, 06:56 AM   #70
Reuti
What’s that:
Quote:
127.0.0.1 localhost localhost,server
124.22.69.105 server

192.168.1.1 server
The server should have one address.
 
1 members found this post helpful.
Old 04-28-2011, 06:57 AM   #71
EricTRA
Quote:
Originally Posted by mahmoodn
in ssh_config or sshd_config?
Hi,

Sorry, in sshd_config, so if you have one way set up then on the server side. If you have bidirectional setup then on both machines. No guarantee it will work but it will deactivate reverse lookup so you will be able to see if anything else might be wrong.

Kind regards,

Eric
 
Old 04-28-2011, 07:01 AM   #72
mahmoodn
Quote:
The server should have one address
The server has two network interfaces. 124.22.69.105 is used to connect to the internet while 192.168.1.1 is used inside the cluster.

Quote:
Sorry, in sshd_config
Code:
mahmood@server:~$ cat  /etc/ssh/sshd_config | grep "UseDns"
UseDns no
mahmood@server:~$ cat  /etc/ssh/sshd_config | grep "VerifyReverseMapping "
VerifyReverseMapping No
mahmood@server:~$ sudo service ssh restart
ssh start/running, process 12934
and on the client:
Code:
mahmood@client:~$ sudo service ssh restart
ssh start/running, process 2176

mahmood@client:~$ ssh -vvv server
debug1: Authentications that can continue: publickey,password,hostbased
debug1: No more client hostkeys for hostbased authentication.
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/mahmood/.ssh/identity
debug3: no such identity: /home/mahmood/.ssh/identity
debug1: Trying private key: /home/mahmood/.ssh/id_rsa
debug3: no such identity: /home/mahmood/.ssh/id_rsa
debug1: Trying private key: /home/mahmood/.ssh/id_dsa
debug3: no such identity: /home/mahmood/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
mahmood@server's password:
 
Old 04-28-2011, 09:12 AM   #73
mahmoodn
I found the solution. Thanks to "Sharad" who pointed that out on the openssh mailing list.

Here is the procedure for one-way passwordless ssh from client to server (or hostbased authentication). I will complete the procedure for bidirectional later.
1- Assumptions
1.1 server has two NICs, one for internet connection and the other for inside the cluster (192.168.X.X)
Code:
mahmood@server:~$ cat /etc/hosts
127.0.0.1       localhost     localhost,server
19.215.39.105  server
192.168.1.3     client

mahmood@client:~$ cat /etc/hosts
127.0.0.1 localhost
192.168.1.1 server
192.168.1.3 client
1.2 remove /etc/ssh/ssh_known_hosts if any.
1.3 remove ~/.ssh/* if there are any files

2- On the server, edit /etc/ssh/sshd_config and ensure two variables are set to:
Code:
IgnoreRhosts no
HostbasedAuthentication yes
3- on the client, edit /etc/ssh/ssh_config and ensure two variables are set to:
Code:
 
HostbasedAuthentication yes
EnableSSHKeysign yes
4- create a file on server (home directory of user) named .shosts that contain:
Code:
client.domain mahmood
192.168.1.3 mahmood
client mahmood
5- on the server, run "ssh-keyscan client" and add the output to ~/.ssh/known_hosts (note that hostname, IP address, and ipaddress+domainname are added to the beginning of the string). Then chmod the ".ssh" directory to 700
Code:
mahmood@server:~$ ls -l .ssh/
total 4
-rwx------ 1 mahmood mahmood 417 2011-04-28 18:00 known_hosts
mahmood@server:~$ ls -l .ssh/known_hosts
-rwx------ 1 mahmood mahmood 417 2011-04-28 18:00 .ssh/known_hosts
mahmood@server:~$ cat .ssh/known_hosts
192.168.1.3,client,client.domain ssh-rsa AAAAB.....
mahmood@server:~$
6- on the server, run "ssh-keyscan 192.168.1.1" and add the output to ~/.ssh/known_hosts (note that hostname, IP address, and ipaddress+domainname are added to the beginning of the string). Then chmod the ".ssh" directory to 700
IMPORTANT NOTE: DO NOT USE "SERVER" IN "ssh-keyscan" SINCE THERE ARE TWO ENTRIES IN /etc/hosts. IT IS SAFE TO USE THE IP ADDRESS DIRECTLY.

@EricTRA and Reuti: I think that is the trick.... previously I used "server" and it was not clear whether the 192.168.1.1 was used or the valid IP.
Code:
mahmood@client:~$ ls -l .ssh/
total 4
-rwx------ 1 mahmood mahmood 411 Apr 28  2011 known_hosts
mahmood@client:~$ ls -l .ssh/known_hosts
-rwx------ 1 mahmood mahmood 411 Apr 28  2011 .ssh/known_hosts
mahmood@client:~$ cat .ssh/known_hosts
192.168.1.1,server,server.domain ssh-rsa AAAAB3NzaC....
mahmood@client:~$
7- restart ssh service on both server and client:
Code:
mahmood@client:~$ sudo service ssh restart
ssh start/running, process 2223

mahmood@server:~$ sudo service ssh restart
ssh start/running, process 22622
FINISHED. You can now ssh from client to server without password
Code:
mahmood@client:~$ ssh 192.168.1.1
Linux server 2.6.32-24-server #39-Ubuntu SMP Wed Jul 28 06:21:40 UTC 2010 x86_64 GNU/Linux
Ubuntu 10.04.1 LTS

Welcome to the Ubuntu Server!
.....
.....
103 packages can be updated.
54 updates are security updates.

Last login: Thu Apr 28 16:26:05 2011 from 192.168.1.3
mahmood@server:~$
I will state the procedure for bidirectional hostbased ssh (without password) later.

Last edited by mahmoodn; 04-28-2011 at 09:17 AM.
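
Added example (not part of the thread): an offline version of the two checks this thread kept coming back to, namely which addresses a hosts file assigns to a name, and whether a known_hosts entry for a given name or IP carries the same key as the peer's host public key file. The function names, the 203.0.113.5 address, the file names and the key blobs are constructed placeholders; only plain (unhashed) known_hosts entries are handled.

```shell
#!/bin/sh
# Added example: offline checks on the files host-based authentication reads.
# All sample data is constructed; the key blobs are placeholders, not real keys.

# Print every address a hosts-format file ($1) assigns to NAME ($2), one per line.
addrs_for_name() {
    awk -v n="$2" '{ sub(/#.*/, "") }
        { for (i = 2; i <= NF; i++) if ($i == n) print $1 }' "$1" | sort -u
}

# Succeed if known_hosts file $1 has a plain (unhashed) entry whose host list
# contains $2 and whose key type and blob equal those in public key file $3.
key_listed() {
    awk -v h="$2" '
        FILENAME == ARGV[1] { type = $1; blob = $2; next }  # the .pub file
        /^[#@|]/ || NF < 3  { next }       # comments, markers, hashed entries
        { n = split($1, names, ",")
          for (i = 1; i <= n; i++)
              if (names[i] == h && $2 == type && $3 == blob) found = 1 }
        END { exit !found }' "$3" "$1"
}

# Write constructed sample files into directory $1.
make_samples() {
    printf '%s\n' '127.0.0.1 localhost' '203.0.113.5 server # external NIC' \
        '192.168.1.1 server' '192.168.1.3 client' > "$1/hosts"
    echo 'ssh-rsa AAAAEXAMPLECLIENTKEY root@client' > "$1/client_host_rsa_key.pub"
    echo 'ssh-rsa AAAAEXAMPLEOTHERKEY root@other'   > "$1/other_host_rsa_key.pub"
    echo '192.168.1.3,client,client.domain ssh-rsa AAAAEXAMPLECLIENTKEY' \
        > "$1/known_hosts"
}

demo() {
    d=$(mktemp -d) && make_samples "$d" || return 1
    echo "addresses for 'server': $(addrs_for_name "$d/hosts" server | tr '\n' ' ')"
    for h in client 192.168.1.3 client.local; do
        if key_listed "$d/known_hosts" "$h" "$d/client_host_rsa_key.pub"
        then echo "$h: listed with this host key"
        else echo "$h: no matching entry"
        fi
    done
    rm -rf "$d"
}
demo
```

A name that prints more than one address is the ambiguous case the post warns about for ssh-keyscan, and a name missing from the host list of the known_hosts entry fails the lookup even when the key itself is correct.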
 
Old 04-28-2011, 09:23 AM   #74
EricTRA
Hi,

Great you got it fixed! Looking forward to your update once you get bidirectional functioning.

Kind regards,

Eric
 
Old 08-08-2011, 12:47 PM   #75
Reuti
Quote:
Originally Posted by Reuti
Thx. There is the error:in your output and a Google revealed at least a bug for this in openSUSE, but maybe it’s an OpenSSH issue in the end. I’ll look into it. On a newly setup machine (which has indeed openSUSE 11.4) I face exactly the same :-/.
To get hostbased authentication back in openSUSE 11.4, it’s necessary to rename or delete on the source machine of the intended connection the files:
Code:
master:/etc/ssh # mv ssh_host_ecdsa_key ssh_host_ecdsa_key.old
master:/etc/ssh # mv ssh_host_ecdsa_key.pub ssh_host_ecdsa_key.pub.old
Their presence confuses the ssh-keysign application. Then you can use the rsa keys for hostbased authentication like before.

It’s also necessary to comment out the relevant lines in /etc/init.d/sshd to avoid their recreation during the next start of the sshd.
 
  

