Getting ssh-agent to work..
Hi Guys,
I want to use ssh-agent to avoid having to type my password every time I log into a remote system. These are the steps I took:

1) Create my private/public keys using ssh-keygen
2) Copy the identity.pub file to sonny@remotesystem:~/.ssh/authorized_keys
3) chmod 600 authorized_keys
4) chmod 644 ~/.ssh/identity
5) Start a ssh-agent session for a bash shell: ssh-agent bash
6) Add my key: ssh-add
7) Confirm the key has been added with ssh-add -l
8) Attempt to login to the remote system with ssh remotesystem

My understanding is that at this point, the remote system *should* authenticate me through my ssh-agent, but instead it prompts me for my password. Anyone have any ideas? Any suggestions would be welcome.

Sonny.
Re: Getting ssh-agent to work..
Quote:
You don't need to start ssh-agent for this to work properly. One reason this isn't working is that you may be ssh'ing to the remote server using the ssh2 protocol, as opposed to the ssh1 protocol, but your key combinations are for ssh1 and ignored (different file names). Check your authentication log file (not sure what it's called on your machine, check /etc/syslog.conf to see which file contains the auth messages). Here's an example of a login with ssh2:

Jan 22 11:47:16 shadowfax sshd[7554]: Accepted publickey for gerard from 199.243.135.21 port 37791 ssh2

Here's a ssh1 example:

Jan 22 11:48:41 shadowfax sshd[7661]: Accepted rsa for gerard from 199.243.135.21 port 37794

The difference: it'll say ssh2 at the end of a ssh2 login, and publickey instead of rsa. So, if you're using ssh2 (which is _highly_ recommended, it is so much more secure than ssh1) you need to create ssh2 keys. Note that the default setting for ssh-keygen is ssh1 keys. Run "ssh-keygen -t dsa", then read the ssh man page for which files to copy where and what to name them.
Hi Gerard,
Thanks for replying to my post. I checked in my /etc/syslog.conf file and I presume the correct log file to look at is the following:

# The authpriv file has restricted access
authpriv.* /var/log/secure

I then checked in /var/log/secure but none of the ssh logins were recorded there. The latest message I have in the log is the following:

Jan 22 10:50:10 dev 1 login: LOGIN ON 1 BY sonny FROM Selusa

Any other place I should look? I do need to use ssh1 as opposed to ssh2 to ensure compatibility with an existing development library.
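Gerard's advice above comes down to reading the sshd log line and noticing two things: whether it ends in "ssh2", and whether the method is "publickey" or "rsa". The following is an added example, not code from the thread, that does that reading mechanically over a few constructed log lines (the host names, addresses, ports and PIDs are placeholders). It also classifies the "Failed publickey ... ssh2" line Sonny finds later in the thread, and a password fallback. The regex is written for the classic syslog format quoted here; it tolerates, but does not parse, the ": keytype fingerprint" suffix newer OpenSSH versions append.

```python
import re

# Constructed sample log lines modelled on the ones quoted in this thread; the
# host names, addresses, ports and PIDs are placeholders, not real systems.
SAMPLE_LOG = """\
Jan 22 11:47:16 shadowfax sshd[7554]: Accepted publickey for gerard from 199.243.135.21 port 37791 ssh2
Jan 22 11:48:41 shadowfax sshd[7661]: Accepted rsa for gerard from 199.243.135.21 port 37794
Jan 22 12:03:09 dev1 sshd[1806]: Failed publickey for sonny from 192.0.2.10 port 40123 ssh2
Jan 22 12:03:15 dev1 sshd[1806]: Accepted password for sonny from 192.0.2.10 port 40123 ssh2
Jan 22 12:05:00 dev1 login: LOGIN ON 1 BY sonny FROM Selusa
"""

# Classic syslog-style sshd auth line. Protocol 2 lines end in "ssh2" (newer
# OpenSSH appends ": <keytype> <fingerprint>" after that, which the optional
# trailing group tolerates); protocol 1 lines carry no protocol tag at all.
SSHD_AUTH = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)(?P<proto> ssh2)?(?:: .*)?$"
)


def parse_sshd_line(line):
    """Return a dict describing one sshd auth event, or None for any other line."""
    m = SSHD_AUTH.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["protocol"] = 2 if event.pop("proto") else 1
    event["pid"] = int(event["pid"])
    event["port"] = int(event["port"])
    return event


def summarize(log_text):
    """All sshd auth events in a log, in order; login(1) and other lines are skipped."""
    return [e for e in (parse_sshd_line(l) for l in log_text.splitlines()) if e]


def explain(event):
    """Read an event the way the thread does: which protocol, and did the key work."""
    proto = f"protocol {event['protocol']}"
    user = event["user"]
    if event["result"] == "Failed":
        return (f"{proto}: sshd rejected the {event['method']} offered by {user}; "
                "check the authorized_keys file and permissions on the server")
    if event["method"] == "password":
        return (f"{proto}: password accepted for {user}; if a key was offered first, "
                "look for a preceding Failed publickey line")
    return f"{proto}: {user} authenticated with {event['method']}"


if __name__ == "__main__":
    for ev in summarize(SAMPLE_LOG):
        print(f"{ev['ts']} {ev['host']} {ev['user']}@{ev['ip']}: {explain(ev)}")
```

Run it against your real log with `summarize(open("/var/log/secure").read())` (or whichever file syslog.conf routes auth messages to); a key that is silently ignored shows up as an "Accepted password" line with no "Accepted publickey" before it.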
Quote:
Either way, you set up your keys for ssh1 and if you're not sure what you are logging in with, you can force ssh to use protocol 1 by adding the -1 option to ssh, like: ssh -1 user@yourserver.org
Thanks! ... one more question....
Hi Gerard,
The ssh -1 did the trick! Thanks a bundle! One more question. The first time I did ssh -1 to the remote server I got the following message:

The authenticity of host 'dev1 (xxx.xxx.xxx.xxx)' can't be established.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'dev1 (xxx.xxx.xxx.xxx)' (RSA1) to the list of known hosts

I checked my ~/.ssh/known_hosts file and found an entry for dev1. How can the authenticity of a remote host be established?

Sonny.
Re: Thanks! ... one more question....
Quote:
compare ~/.ssh/known_hosts to /etc/ssh_host_key.pub on the server
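The comparison Gerard describes is between the key the client recorded in known_hosts and the key the server holds in its own host key file; if the two blobs (or their fingerprints) match, the entry is trustworthy. As an added example, not code from the thread, the following does that comparison for a modern OpenSSH layout: it parses known_hosts entries, including the hashed "|1|salt|hash" form that HashKnownHosts writes, computes the same SHA256 fingerprint that `ssh-keygen -l` prints, and compares it with the server's public key line. The keys, salt and host names are constructed placeholders; the server-side path for protocol 2 keys is assumed to be /etc/ssh/ssh_host_ed25519_key.pub (the thread's /etc/ssh_host_key.pub is the ssh1 location).

```python
import base64
import hashlib
import hmac
import struct


def _ssh_string(data):
    """Length-prefixed string, the encoding used inside OpenSSH public-key blobs."""
    return struct.pack(">I", len(data)) + data


def _blob(key_bytes):
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(key_bytes)).decode()


# Constructed keys: syntactically valid ssh-ed25519 blobs built from placeholder
# bytes. They are not real keys and have nothing to do with dev1 or sigma.
HOST_KEY_BLOB = _blob(bytes(range(1, 33)))
OTHER_HOST_BLOB = _blob(bytes(32))
_SALT = bytes(range(20))  # constructed HashKnownHosts salt


def hash_hostname(hostname, salt):
    """HMAC-SHA1 that OpenSSH stores for hashed known_hosts entries (|1|salt|hash)."""
    return base64.b64encode(hmac.new(salt, hostname.encode(), hashlib.sha1).digest()).decode()


# Client side: a constructed ~/.ssh/known_hosts with one plain entry for dev1
# and one hashed entry (as HashKnownHosts writes them) for sigma.
KNOWN_HOSTS = (
    "# constructed sample ~/.ssh/known_hosts\n"
    f"dev1,192.0.2.10 ssh-ed25519 {HOST_KEY_BLOB}\n"
    f"|1|{base64.b64encode(_SALT).decode()}|{hash_hostname('sigma', _SALT)} ssh-ed25519 {OTHER_HOST_BLOB}\n"
)

# Server side: the contents of the host's own public key file, e.g.
# /etc/ssh/ssh_host_ed25519_key.pub (assumed path); constructed here.
SERVER_PUBKEY_LINE = f"ssh-ed25519 {HOST_KEY_BLOB} root@dev1"


def fingerprint(blob_b64):
    """SHA256 fingerprint in the form `ssh-keygen -l` prints: base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hostname_matches(pattern_field, hostname):
    """True if a known_hosts host field (plain comma list or |1| hashed) names hostname."""
    if pattern_field.startswith("|1|"):
        _, _, salt_b64, hash_b64 = pattern_field.split("|")
        return hmac.compare_digest(hash_hostname(hostname, base64.b64decode(salt_b64)), hash_b64)
    return hostname in pattern_field.split(",")


def known_host_keys(known_hosts_text, hostname):
    """{keytype: blob} for every known_hosts line that applies to hostname."""
    found = {}
    for line in known_hosts_text.splitlines():
        fields = line.split()
        # Skip blanks, comments and @cert-authority/@revoked marker lines, which
        # carry different semantics and are out of scope for a plain key compare.
        if not fields or fields[0].startswith("#") or fields[0].startswith("@"):
            continue
        if len(fields) < 3:
            continue
        if hostname_matches(fields[0], hostname):
            found[fields[1]] = fields[2]
    return found


def verify_host(known_hosts_text, hostname, server_pubkey_line):
    """Compare the client's recorded key with the server's own public key file.
    Returns (match, client_fingerprint or None, server_fingerprint)."""
    keytype, blob = server_pubkey_line.split()[:2]
    server_fp = fingerprint(blob)
    recorded = known_host_keys(known_hosts_text, hostname).get(keytype)
    if recorded is None:
        return False, None, server_fp
    client_fp = fingerprint(recorded)
    return hmac.compare_digest(client_fp, server_fp), client_fp, server_fp


if __name__ == "__main__":
    for host in ("dev1", "sigma", "unknown"):
        ok, client_fp, server_fp = verify_host(KNOWN_HOSTS, host, SERVER_PUBKEY_LINE)
        print(f"{host}: {'MATCH' if ok else 'MISMATCH'} client={client_fp} server={server_fp}")
```

The point of doing the comparison out of band (reading the server's key file over the console or an already-trusted channel, not over the very connection being verified) is that the first "Are you sure you want to continue connecting" prompt is the only moment an impostor could be recorded as the real host; every later connection is checked against that first entry.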
Arrggh.. extreme frustration with ssh-agent...
Hi Gerard,
Sorry to be pestering you yet again with this ssh-agent question. It appears that after I issued the "exportfs -ra" command on my remote server to make its directories mountable, my ssh-agent authentication is no longer working. I am once again getting the request for a password when I type:

ssh -1 dev1

I've rebooted my laptop and the remote server to see if that would help (heheehe... a poor-man's Windows tech support trick), but no luck. Any ideas would be once again greatly welcomed.

Sonny.
Re: Arrggh.. extreme frustration with ssh-agent...
Quote:
If you absolutely need it, I wouldn't mind trying ssh-agent out for you and see what happens on my end when I use NFS and such. I need more info though, what exactly you run and configure in order for it to break.
Hi Gerard,
ssh-agent sets up an authentication agent for you (at least that's what I've read :)) so that it provides your passphrase on your behalf. Once it is set up, you don't need to explicitly type your passphrase to log in to a remote system (that has your publickey). I'm not sure exactly what to tell you in terms of how dev1 (the remote system) is configured. So please bear with me if the following information is not helpful with your diagnosis.

1) dev1 has Redhat 6.2
2) My local system Selusa has Redhat 7.1
3) I'm now using ssh-2. I create the keys with the following steps:
   ssh-keygen -t dsa
   cp id_dsa.pub authorized_keys2
   chmod 644 authorized_keys2
   scp authorized_keys2 sonny@dev1:~/.ssh
   chmod 700 .ssh (for both local and remote system)
4) Set up my ssh agent so that it can provide authentication information on my behalf.
   ssh-agent bash
   ssh-add <type my passphrase>
5) Attempt to connect to remote system
   ssh sonny@dev1

At this point, dev1 prompts me for my password. In contrast, on another remote system, sigma, on which I've gone through exactly the same setup steps, when I type:

ssh sonny@sigma

I am automatically authenticated. I am not prompted for my password. Sigma however has Redhat 7.1, if that is relevant.

Sonny.
hmm. how about if you do
ssh-agent $SHELL, ssh-add, and then ssh to Selusa with options "-v -v -v". The triple v should dump a lot of info, could point to something, and watch your permissions. ssh doesn't like ~/.ssh/id_dsa to have group and world rw's (man ssh). For this kind of situation I add a serverside syslog entry logging *everything*:

*.*<tab>/var/log/all

This will dump a lot of debugging/useless info but it might tell you something (only serverside) because loglevels usually are set from level "INFO" and up.
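unSpawn's "watch your permissions" is the check that most often explains a key that works on one host and not another: the ssh client refuses a private key that group or others can read, and sshd (with StrictModes, its default) ignores an authorized_keys file, ~/.ssh directory or home directory that group or others can write. As an added example, not code from the thread, the following audits a ~/.ssh directory against those rules and then demonstrates them on two constructed layouts built in a temporary directory: one with the private key at mode 644, as in the first post of this thread, and one at 600. The file names and the rule set are this example's own approximation of the OpenSSH checks, not copied from the OpenSSH source.

```python
import os
import stat
import tempfile

# Assumed rule set, approximating the OpenSSH client private-key check and
# sshd's StrictModes: private keys must have no group/other bits at all; the
# home dir, ~/.ssh and authorized_keys* must not be group/other writable.
PRIVATE_KEYS = ("identity", "id_rsa", "id_dsa", "id_ecdsa", "id_ed25519")
NO_GROUP_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH
NO_GROUP_OTHER_ANY = stat.S_IRWXG | stat.S_IRWXO


def check_ssh_dir(ssh_dir):
    """Return a list of (path, problem) for modes that ssh or sshd will reject."""
    findings = []

    def bad(path, forbidden, msg):
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        if mode & forbidden:
            findings.append((path, f"{msg} (mode {mode:04o})"))

    home = os.path.dirname(os.path.abspath(ssh_dir))
    bad(home, NO_GROUP_OTHER_WRITE, "home directory is group/world writable; sshd StrictModes ignores your keys")
    bad(ssh_dir, NO_GROUP_OTHER_WRITE, "~/.ssh is group/world writable; sshd StrictModes ignores your keys")
    for name in sorted(os.listdir(ssh_dir)):
        path = os.path.join(ssh_dir, name)
        if name in PRIVATE_KEYS:
            bad(path, NO_GROUP_OTHER_ANY, "private key readable/writable by others; ssh refuses to use it")
        elif name.startswith("authorized_keys"):
            bad(path, NO_GROUP_OTHER_WRITE, "authorized_keys is group/world writable; sshd StrictModes ignores it")
    return findings


def build_sample(root, private_key_mode):
    """Constructed ~/.ssh layout mirroring the thread: dir 700, authorized_keys2 644,
    identity.pub 644, and the private key at whatever mode the caller passes."""
    ssh_dir = os.path.join(root, ".ssh")
    os.mkdir(ssh_dir)
    os.chmod(ssh_dir, 0o700)
    for name, mode in (("identity", private_key_mode),
                       ("identity.pub", 0o644),
                       ("authorized_keys2", 0o644)):
        path = os.path.join(ssh_dir, name)
        with open(path, "w") as f:
            f.write("# constructed placeholder, not a real key\n")
        os.chmod(path, mode)
    return ssh_dir


def demo():
    """Audit the two layouts; returns {label: findings}."""
    results = {}
    for label, mode in (("chmod 644 identity", 0o644), ("chmod 600 identity", 0o600)):
        with tempfile.TemporaryDirectory() as root:
            os.chmod(root, 0o700)  # stand-in for a sane home directory
            results[label] = check_ssh_dir(build_sample(root, mode))
    return results


if __name__ == "__main__":
    for label, findings in demo().items():
        print(f"{label}: {'OK' if not findings else ''}")
        for path, problem in findings:
            print(f"  {path}: {problem}")
```

To audit a real account, call `check_ssh_dir(os.path.expanduser("~/.ssh"))` on the client for the private-key rule and on the server for the authorized_keys rules; the client-side complaint also appears in `ssh -v -v -v` output, and the server-side one only shows up with sshd logging at DEBUG level, which is why a StrictModes rejection otherwise looks like a plain "Failed publickey".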
Hey unSpawn,
Selusa does not have sshd installed.. I am looking into installing it now. The file permissions are correctly set (I believe). The authorized_keys2 is 644 while the ~/.ssh directory is 700. In regards to: "...for this kind of situations I add a serverside syslog entry logging *everything*: *.*<tab>/var/log/all" I presume you are referring to the file in syslog.conf with the following comment line:

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;news.none;authpriv.none /var/log/messages

In dev1:/var/log/messages I found the following lines:

dev1 sshd[1806]: Failed publickey for sonny from xxx.xxx.xxx.xxx port yyy ssh2

This seems to imply that perhaps the authorized_keys2 file is not properly set up. However, I have copied the same authorized_keys2 file for another remote server (sigma) that I am able to use ssh-agent with.

Sonny.
Hi Gerard,
I use a non-empty passphrase for the extra security. On sigma, ssh-agent works fine and I can ssh to it without being prompted for my password but on dev1 it asks me. I checked in dev1:/var/log/messages and found the following message:

dev1 sshd[1806]: Failed publickey for sonny from xxx.xxx.xxx.xxx port yyy ssh2

This seems to imply that perhaps the authorized_keys2 file is not properly set up. However, I have copied the same authorized_keys2 file for another remote server (sigma) that I am able to use ssh-agent with.

Sonny.
Ok, so you established Protocol 2 pubkey auth fails. What does the clientside (-v -v -v) say?
(*scrub any public IP addy's first)
Hi unSpawn,
Sorry.. I don't understand what you mean by: "...(*scrub any public IP addy's first)". What are "addy's" and how do I go about scrubbing them?

Sonny.