ssh without password -- non-root user
A while ago I set up two servers so 'root' on the first server could scp to 'root' on the second server without needing a password.
I am now trying to add this functionality for a second (non-root) user on the same pair of servers. I follow the standard procedure as shown on this site and elsewhere. As the non-root user I do:
1. Use ssh-keygen rsa to create $HOME/.ssh/id_rsa.pub on first server
2. Copy that file to $HOME/.ssh/authorized_keys for the same user on the target server.
I have verified that file permissions on the target system are correct and the file and PubKeyAUthentication and RSAAuthenication are set to yes in /etc/ssh/sshd.conf. No matter what I do I cannot keep the system from asking for a password for the non-root user. The root user continues to work just fine.
Is it not possible to have two password-free ssh users on the same server?
Thanks for any suggestions.
Sanford Stein
CyberTools Inc.

What about the directory permissions on .ssh in your user home directories? Can you post all of the ls -l output for all of the relevant files?

This very often comes down to permissions on the .ssh directory, which would be 700, with the files inside as 600.
There's certainly no limitation as you suggest, indeed it's impossible to even know if that is the case in the ssh service.

You can use a certificate instead of a password.

Please use -vvv flag with the ssh and check the sshd logs to find out why this is happening.
Evo2.

Try with Public and private key pair

Quote:
Non-Root Machine:
Root Machine:
Don't remember if I had to do authorized_keys or authorized_keys2, and there are better ways to copy/paste, but you get the idea....

Quote:
Evo2.

grok. what a horrible non word...

Quote:
Evo2.

Grok is good. I grok grok.

Thank you all for your responses.
Blacky, here are the directory listings:

For the source server:
[root@cedar ~]# ls -ld /root/.ssh
drwx------ 2 root root 4096 Mar 25 16:06 /root/.ssh
[root@cedar ~]# ls -lR /root/.ssh
/root/.ssh:
total 20
-rw-r--r-- 1 root root 1059 Dec 17 11:37 authorized_keys
-rw------- 1 root root 1675 Sep 28 2008 id_rsa
-rw-r--r-- 1 root root 419 Sep 28 2008 id_rsa.pub
-rw-r--r-- 1 root root 6706 Jan 17 09:17 known_hosts
[root@cedar ~]# ls -ld /home/mbp5vdrzqtui/.ssh
drwx------ 2 mbp5vdrzqtui mbp5vdrzqtui 4096 Mar 25 17:08 /home/mbp5vdrzqtui/.ssh
[root@cedar ~]# ls -lR /home/mbp5vdrzqtui/.ssh
/home/mbp5vdrzqtui/.ssh:
total 12
-rw------- 1 mbp5vdrzqtui mbp5vdrzqtui 1675 Mar 25 17:08 id_rsa
-rw-r--r-- 1 mbp5vdrzqtui mbp5vdrzqtui 427 Mar 25 17:08 id_rsa.pub
-rw-r--r-- 1 mbp5vdrzqtui mbp5vdrzqtui 1816 Mar 25 16:15 known_hosts
[root@cedar ~]#

For the target server:
[root@pear ~]# ls -ld /root/.ssh
drwx------ 2 root root 4096 Mar 25 17:14 /root/.ssh
[root@pear ~]# ls -lR /root/.ssh
/root/.ssh:
total 20
-rw-r--r-- 1 root root 838 Apr 9 2009 authorized_keys
-rw------- 1 root root 1675 Mar 25 17:16 id_rsa
-rw-r--r-- 1 root root 406 Mar 25 17:16 id_rsa.pub
-rw-r--r-- 1 root root 6346 Mar 25 17:14 known_hosts
[root@pear ~]# ls -ld /home/mbp5vdrzqtui/.ssh
drwxr--r-- 2 mbp5vdrzqtui mbp5vdrzqtui 4096 Mar 26 09:52 /home/mbp5vdrzqtui/.ssh
[root@pear ~]# ls -lR /home/mbp5vdrzqtui/.ssh
/home/mbp5vdrzqtui/.ssh:
total 8
-rw-r--r-- 1 mbp5vdrzqtui mbp5vdrzqtui 854 Mar 25 17:27 authorized_keys
-rw-r--r-- 1 mbp5vdrzqtui mbp5vdrzqtui 1588 Mar 25 17:12 known_hosts

Evo2 and Hockeyman, I ran ssh -vvv for both the root and non-root user.
The output was the same up until the point where the public key was sent and tested:
< debug1: Offering public key: /root/.ssh/id_rsa^M
< debug3: send_pubkey_test^M
< debug2: we sent a publickey packet, wait for reply^M
< debug1: Server accepts key: pkalg ssh-rsa blen 277^M
< debug2: input_userauth_pk_ok: SHA1 fp 64:35:c8:5d:88:16:47:a3:82:50:ae:1e:47:2a:a8:70:0b:a1:57:08^M
< debug3: sign_and_send_pubkey^M
< debug1: read PEM private key done: type RSA^M
< debug1: Authentication succeeded (publickey).^M
---
> debug1: Offering public key: /home/mbp5vdrzqtui/.ssh/id_rsa^M
> debug3: send_pubkey_test^M
> debug2: we sent a publickey packet, wait for reply^M
> debug1: Authentications that can continue: publickey,gssapi-with-mic,password^M
> debug1: Trying private key: /home/mbp5vdrzqtui/.ssh/id_dsa^M
> debug3: no such identity: /home/mbp5vdrzqtui/.ssh/id_dsa^M
> debug2: we did not send a packet, disable method^M
> debug3: authmethod_lookup password^M
> debug3: remaining preferred: ,password^M
> debug3: authmethod_is_enabled password^M
> debug1: Next authentication method: password^M

Jefro--thanks, but certificate is not an option for us.
Any further feedback or ideas are appreciated.
SS

The authorized_keys files have the wrong permissions. They MUST be 600.

I think the problem is with the permissions of .ssh directory of the server:
Code:
[root@pear ~]# ls -ld /home/mbp5vdrzqtui/.ssh
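
An added example, not written by any poster in this thread: a shell function that checks the home directory, .ssh and authorized_keys on the target server in one pass. It assumes sshd runs with StrictModes enabled, which refuses key files when any of those paths is owned by someone other than the user or root, or is writable by group or others; the function names, return codes and the 755 home directory in the demo are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread.
# FAIL = what sshd StrictModes rejects: wrong owner, or group/other-writable.
# WARN = mode differs from the 700/600 recommended in the replies.

mode_of()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }  # GNU stat, then BSD
owner_of() { stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"; }

# check_ssh_perms HOME [UID]  ->  0 = clean, 1 = at least one FAIL, 2 = WARN only
check_ssh_perms() {
    local home uid rc entry path want mode owner
    home=$1; uid=${2:-$(id -u)}; rc=0
    for entry in "$home:" "$home/.ssh:700" "$home/.ssh/authorized_keys:600"; do
        path=${entry%:*}; want=${entry##*:}
        if [ ! -e "$path" ]; then
            echo "FAIL  $path does not exist"; rc=1; continue
        fi
        mode=$(mode_of "$path"); owner=$(owner_of "$path")
        if [ "$owner" != "$uid" ] && [ "$owner" != 0 ]; then
            echo "FAIL  $path owned by uid $owner, expected $uid or root"; rc=1
        elif [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "FAIL  $path mode $mode is writable by group or others"; rc=1
        elif [ -n "$want" ] && [ "$mode" != "$want" ]; then
            echo "WARN  $path mode $mode, thread recommends $want"
            if [ "$rc" -eq 0 ]; then rc=2; fi
        else
            echo "OK    $path mode $mode"
        fi
    done
    return "$rc"
}

# Constructed demo: a throwaway tree with the target-server modes from the
# listing above (.ssh 744, authorized_keys 644); the 755 home is an assumption.
demo() {
    local t status
    t=$(mktemp -d) && mkdir "$t/.ssh" && : > "$t/.ssh/authorized_keys"
    chmod 755 "$t"; chmod 744 "$t/.ssh"; chmod 644 "$t/.ssh/authorized_keys"
    check_ssh_perms "$t"; status=$?
    rm -rf "$t"; return "$status"
}

demo || echo "check_ssh_perms returned $?"
```

On a real server, run `check_ssh_perms /home/USER "$(id -u USER)"` as root on the target machine; the home directory itself is included because it does not appear in any listing posted in the thread.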