Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game. |
Notices |
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
|
|
|
01-20-2006, 04:59 PM
|
#1
|
Member
Registered: May 2005
Location: Minneapolis, MN
Distribution: Debian
Posts: 217
Rep:
|
Setting up passwordless ssh
I'm setting up passwordless ssh and I still get prompted for passwords. I generated the keys, copied the pub key to the server, cat the file /.ssh/autorized_keys, and still get asked for passwords. I double checked permissions and log files. I see no evidence that my keys are being checked.
|
|
|
01-20-2006, 05:13 PM
|
#2
|
LQ Veteran
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
|
When you generated the keys, did you remember to not create a passphrase?
|
|
|
01-20-2006, 05:24 PM
|
#3
|
Member
Registered: May 2005
Location: Minneapolis, MN
Distribution: Debian
Posts: 217
Original Poster
Rep:
|
Yes, the keys were generated w/o a passphrase.
|
|
|
01-20-2006, 07:54 PM
|
#4
|
Senior Member
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: Custom Debian Live ISO's
Posts: 1,291
Rep:
|
Sounds like it maybe the configuration on the server, can you post the contents of the sshd_config file from the server.
|
|
|
01-20-2006, 11:25 PM
|
#5
|
Member
Registered: May 2005
Location: Minneapolis, MN
Distribution: Debian
Posts: 217
Original Poster
Rep:
|
Here it is.
Code:
# $OpenBSD: sshd_config,v 1.72 2005/07/25 11:59:40 markus Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
#Port 22
#Protocol 2,1
Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#RSAAuthentication yes
#PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
#UsePAM no
UsePAM yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#ShowPatchLevel no
# no default banner path
#Banner /some/path
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
|
|
|
01-21-2006, 02:40 AM
|
#6
|
Member
Registered: Dec 2005
Location: New York
Distribution: Debian/GNU
Posts: 235
Rep:
|
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes
try setting the empty passwords line to yes. maybe the default in ssh changed and the config file wasn't updated.
just a guess.
-dave
|
|
|
01-21-2006, 08:25 AM
|
#7
|
LQ Veteran
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
|
Quote:
PasswordAuthentication yes
|
That has to be set to no to disable passwords.
|
|
|
01-21-2006, 01:34 PM
|
#8
|
Member
Registered: May 2005
Location: Minneapolis, MN
Distribution: Debian
Posts: 217
Original Poster
Rep:
|
I made the suggested changes to sshd_config and now my client generates the following error.
Quote:
Permission denied (publickey,gssapi-with-mic).
|
|
|
|
01-21-2006, 06:22 PM
|
#9
|
LQ Veteran
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
|
I noticed that there are a couple other changed in the config, namely the ChallengeResponseAuthentication and the GSSAPI settings. Are those things you changed or is that the standard config for FC?
|
|
|
01-21-2006, 10:46 PM
|
#10
|
Member
Registered: May 2005
Location: Minneapolis, MN
Distribution: Debian
Posts: 217
Original Poster
Rep:
|
I did change some stuff and it's possible that I may have changed them although, I don't think I did. I must appoligize b/c I looked at other log files and realized I was looking at the wrong one for ssh activity.
Quote:
Authentication refused: bad ownership or modes for file /home/identity/.ssh/authorized_keys
|
I messed around with permissions and still couldn't figure it out. Could some one plz clear make it clear what the permissions should be for authorized_keys? Also, if there are things that I should change back in my sshd_config plz let me know. Again sorry for leading everyone down the wrong path.
Last edited by blackdragonblood; 01-21-2006 at 10:47 PM.
|
|
|
01-21-2006, 11:08 PM
|
#11
|
Member
Registered: Sep 2004
Location: Texas, USA
Distribution: Fedora
Posts: 620
Rep:
|
Obviously the user/group shown below will be different at your end, but take special note of the permissions on the .ssh directory. i.e. 700
Code:
[scowles@excelsior .ssh]$ ls -la
total 16
drwx------ 2 scowles scowles 4096 Dec 4 19:01 .
drwxr-xr-x 34 scowles scowles 4096 Jan 20 04:17 ..
-rw-r--r-- 1 scowles scowles 2223 Nov 25 23:22 authorized_keys
-rw-r--r-- 1 scowles scowles 1074 Dec 4 19:01 known_hosts
[scowles@excelsior .ssh]$ pwd
/home/scowles/.ssh
Last edited by scowles; 01-22-2006 at 06:28 AM.
|
|
|
01-21-2006, 11:58 PM
|
#12
|
Member
Registered: May 2005
Location: Minneapolis, MN
Distribution: Debian
Posts: 217
Original Poster
Rep:
|
I changed the permissions. I still get the same error messange and nothing shows up in /var/log/secure.
|
|
|
01-22-2006, 08:48 AM
|
#13
|
LQ Veteran
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
|
Check the permissions on your home directory. Basically if anybody besides the user can write to the home directory, the .ssh directory or any of its files, sshd is going to pitch a fit. I would also seriously reccomend setting all your sshd_config values back to whatever they normally should be for FC.
|
|
|
01-22-2006, 12:10 PM
|
#14
|
Member
Registered: May 2005
Location: Minneapolis, MN
Distribution: Debian
Posts: 217
Original Poster
Rep:
|
I tried changing permissions for /home/identity, changing sshd_config back, and changing more options sshd_config. Is it possible to get a fresh file from somewhere? I'll post sshd_config in it's current state.
Code:
# $OpenBSD: sshd_config,v 1.72 2005/07/25 11:59:40 markus Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
#Port 22
#Protocol 2,1
Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
PermitEmptyPasswords yes
PasswordAuthentication no
# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes
#ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
GSSAPIAuthentication no
#GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
#UsePAM no
UsePAM yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#ShowPatchLevel no
# no default banner path
#Banner /some/path
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
|
|
|
01-22-2006, 02:51 PM
|
#15
|
LQ Veteran
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
|
From what I've seen on the net I think you should change the following:
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
PermitEmptyPasswords no
|
|
|
All times are GMT -5. The time now is 07:47 PM.
|
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
|
Latest Threads
LQ News
|
|