LinuxQuestions.org
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 01-22-2002, 01:43 PM   #1
Sonny
Newbie
Registered: Jan 2002
Location: Burnaby British Columbia
Distribution: Redhat 7.1
Getting ssh-agent to work..


Hi Guys,

I want to use ssh-agent to avoid having to type my password every time I log into a remote system. These are the steps I took:

1) Create my private/public keys using ssh-keygen
2) Copy the identity.pub file to sonny@remotesystem:~/.ssh/authorized_keys
3) chmod 600 authorized_keys
4) chmod 644 ~/.ssh/identity
5) start a ssh-agent session for a bash shell: ssh-agent bash
6) add my key: ssh-add
7) confirm the key has been added with ssh-add -l
8) attempt to login to the remote system with ssh remotesystem

My understanding is that at this point, the remote system *should* authenticate me through my ssh-agent, but instead it prompts me for my password. Anyone have any ideas? Any suggestions would be welcome.


Sonny.
 
Old 01-22-2002, 01:51 PM   #2
lfslinux
LFS Maintainer
Registered: Jan 2002
Location: Canmore, Alberta, Canada
Distribution: Linux From Scratch
Re: Getting ssh-agent to work..

Quote:
Originally posted by Sonny
Hi Guys,

I want to use ssh-agent to avoid having to type my password every time I log into a remote system. These are the steps I took:

1) Create my private/public keys using ssh-keygen
2) Copy the identity.pub file to sonny@remotesystem:~/.ssh/authorized_keys
3) chmod 600 authorized_keys
4) chmod 644 ~/.ssh/identity
5) start a ssh-agent session for a bash shell: ssh-agent bash
6) add my key: ssh-add
7) confirm the key has been added with ssh-add -l
8) attempt to login to the remote system with ssh remotesystem

My understanding is that at this point, the remote system *should* authenticate me through my ssh-agent, but instead it prompts me for my password. Anyone have any ideas? Any suggestions would be welcome.


Sonny.

you don't need to start ssh-agent for this to work properly.

One reason this isn't working is that you may be ssh'ing to the remote server using the ssh2 protocol, as opposed to the ssh1 protocol, but your keys are for ssh1 and are ignored (different file names).

Check your authentication log file (not sure what it's called on your machine, check /etc/syslog.conf to see which files contains the auth messages).

Here's an example of a login with ssh2:

Jan 22 11:47:16 shadowfax sshd[7554]: Accepted publickey for gerard from 199.243.135.21 port 37791 ssh2


Here's a ssh1 example:

Jan 22 11:48:41 shadowfax sshd[7661]: Accepted rsa for gerard from 199.243.135.21 port 37794


The difference: it'll say ssh2 at the end of a ssh2 login, and publickey instead of rsa.

So, if you're using ssh2 (which is _highly_ recommended, it is so much more secure than ssh1) you need to create ssh2 keys. Note that the default setting for ssh-keygen is ssh1 keys.

Run "ssh-keygen -t dsa", then read the ssh man page for which files to copy where and what to name them.
 
Old 01-22-2002, 02:12 PM   #3
Sonny
Newbie
Registered: Jan 2002
Location: Burnaby British Columbia
Distribution: Redhat 7.1
Original Poster
Hi Gerard,

Thanks for replying to my post. I checked in my /etc/syslog.conf file and I presume the correct log file to look at is the following:

# The authpriv file has restricted access
authpriv.* /var/log/secure

I then checked in /var/log/secure but none of the ssh logins were recorded there. The latest message I have in the log is the following:

Jan 22 10:50:10 dev 1 login: LOGIN ON 1 BY sonny FROM Selusa

Any other place I should look?

I do need to use ssh1 as opposed to ssh2 to ensure compatibility with an existing development library.
 
Old 01-22-2002, 02:14 PM   #4
lfslinux
LFS Maintainer
Registered: Jan 2002
Location: Canmore, Alberta, Canada
Distribution: Linux From Scratch
Quote:
Originally posted by Sonny
Hi Gerard,

Thanks for replying to my post. I checked in my /etc/syslog.conf file and I presume the correct log file to look at is the following:

# The authpriv file has restricted access
authpriv.* /var/log/secure

I then checked in /var/log/secure but none of the ssh logins were recorded there. The latest message I have in the log is the following:

Jan 22 10:50:10 dev 1 login: LOGIN ON 1 BY sonny FROM Selusa

Any other place I should look?

I do need to use ssh1 as opposed to ssh2 to ensure compatibility with an existing development library.
authpriv is something different. Look for a line with just auth in it (and not auth.none - that's something else too).

Either way, you set up your keys for ssh1, and if you're not sure what you are logging in with, you can force ssh to use protocol 1 by adding the -1 option to ssh, like:

ssh -1 user@yourserver.org
 
Old 01-22-2002, 02:55 PM   #5
Sonny
Newbie
Registered: Jan 2002
Location: Burnaby British Columbia
Distribution: Redhat 7.1
Original Poster
Thanks! ... one more question....

Hi Gerard,

The ssh -1 did the trick! Thanks a bundle!


One more question. The first time I did ssh -1 to the remote server I got the following message:

The authenticity of host 'dev1 (xxx.xxx.xxx.xxx)' can't be established. Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'dev1 (xxx.xxx.xxx.xxx)' (RSA1) to the list of known hosts

I checked my ~/.ssh/known_hosts file and found an entry for dev1. How can the authenticity of a remote host be established?

Sonny.
 
Old 01-22-2002, 03:09 PM   #6
lfslinux
LFS Maintainer
Registered: Jan 2002
Location: Canmore, Alberta, Canada
Distribution: Linux From Scratch
Re: Thanks! ... one more question....

Quote:
Originally posted by Sonny
Hi Gerard,

The ssh -1 did the trick! Thanks a bundle!


One more question. The first time I did ssh -1 to the remote server I got the following message:

The authenticity of host 'dev1 (xxx.xxx.xxx.xxx)' can't be established. Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'dev1 (xxx.xxx.xxx.xxx)' (RSA1) to the list of known hosts

I checked my ~/.ssh/known_hosts file and found an entry for dev1. How can the authenticity of a remote host be established?

Sonny.
through ssh host keys.

compare ~/.ssh/known_hosts to /etc/ssh_host_key.pub on the server
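What "compare known_hosts to the server's host key" means in practice, as an added example in Python (mine, not lfslinux's and not from the thread): parse both file formats (protocol-1 RSA1 lines are "bits exponent modulus", which is what the "(RSA1)" warning above recorded; protocol-2 lines are "type base64"), match the host field including OpenSSH's hashed "|1|salt|hmac" form, and print the SHA256 fingerprint that ssh-keygen -lf shows for protocol-2 keys. The key blobs, salt and RSA1 numbers below are constructed placeholders, not real keys, and the host names are the ones used in this thread. One caveat a practitioner should keep in mind: the comparison only proves anything if the server-side copy was obtained over a channel you already trust (the console, a session whose key you verified earlier); reading /etc/ssh_host_key.pub over the very ssh connection you are trying to verify is circular.

```python
import base64
import hashlib
import hmac


def parse_key_fields(fields):
    """Comparable key tuple from the fields that follow the host name.
    Protocol 1 (RSA1): 'bits exponent modulus'; protocol 2: 'type base64'.
    A trailing comment, if present, is ignored."""
    if not fields:
        raise ValueError("empty key")
    if fields[0].isdigit():
        if len(fields) < 3:
            raise ValueError("malformed RSA1 key")
        return ("rsa1", int(fields[0]), int(fields[1]), int(fields[2]))
    if len(fields) < 2:
        raise ValueError("malformed protocol-2 key")
    return (fields[0], fields[1])


def hashed_host(hostname, salt):
    """The HashKnownHosts form: |1|b64(salt)|b64(HMAC-SHA1(salt, hostname))."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_field_matches(field, hostname):
    if field.startswith("|1|"):
        salt = base64.b64decode(field.split("|")[2])
        return hmac.compare_digest(hashed_host(hostname, salt), field)
    # Plain entries may list several names/addresses separated by commas.
    # Wildcards and the [host]:port form are not handled in this example.
    return hostname in field.split(",")


def known_keys_for(known_hosts_text, hostname):
    """All keys the client has recorded for hostname (a host may have several)."""
    keys = []
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):      # @cert-authority / @revoked marker
            fields = fields[1:]
        if host_field_matches(fields[0], hostname):
            keys.append(parse_key_fields(fields[1:]))
    return keys


def fingerprint(key):
    """'SHA256:...' as printed by `ssh-keygen -lf` for protocol-2 keys (None for RSA1)."""
    if key[0] == "rsa1":
        return None
    digest = hashlib.sha256(base64.b64decode(key[1])).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def verify_host(known_hosts_text, hostname, server_pub_text):
    """Compare the client's record for hostname with the server's own .pub file."""
    server_key = parse_key_fields(server_pub_text.split())
    recorded = known_keys_for(known_hosts_text, hostname)
    if not recorded:
        return "unknown"
    return "match" if server_key in recorded else "MISMATCH"


# Constructed fixtures (not real keys): arbitrary bytes in the outer blob format,
# and toy RSA1 numbers. Names follow the thread's hosts.
FAKE_BLOB = base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + bytes(range(64))).decode()
OTHER_BLOB = base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + bytes(range(64, 128))).decode()
DEV1_PUB = "ssh-rsa %s root@dev1\n" % FAKE_BLOB        # what a protocol-2 host key .pub looks like
DEV1_RSA1_PUB = "1024 35 2489021 root@dev1\n"           # /etc/ssh_host_key.pub style (RSA1)
SIGMA_PUB = "ssh-rsa %s root@sigma\n" % OTHER_BLOB
SALT = bytes(range(20))
KNOWN_HOSTS = "\n".join([
    "# ~/.ssh/known_hosts as the client might have recorded it",
    "dev1,192.0.2.7 ssh-rsa " + FAKE_BLOB,
    "dev1 1024 35 2489021",
    hashed_host("sigma", SALT) + " ssh-rsa " + OTHER_BLOB,
]) + "\n"

if __name__ == "__main__":
    for host, pub in (("dev1", DEV1_PUB), ("dev1", DEV1_RSA1_PUB), ("sigma", SIGMA_PUB), ("dev1", SIGMA_PUB)):
        print(host, verify_host(KNOWN_HOSTS, host, pub), fingerprint(parse_key_fields(pub.split())))
```

The last line of the demo loop checks dev1 against sigma's key and reports MISMATCH, which is exactly the case where ssh would refuse to connect and print its "REMOTE HOST IDENTIFICATION HAS CHANGED" warning; an "unknown" result corresponds to the first-connection prompt quoted above.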
 
Old 01-22-2002, 04:28 PM   #7
Sonny
Newbie
Registered: Jan 2002
Location: Burnaby British Columbia
Distribution: Redhat 7.1
Original Poster
Arrggh.. extreme frustration with ssh-agent...

Hi Gerard,

Sorry to be pestering you yet again with this ssh-agent question. It appears that after I issued the "exportfs -ra" command on my remote server to make its directories mountable, my ssh-agent authentication is no longer working. I am once again getting the request for a password when I type

ssh -1 dev1

I've rebooted my laptop and the remote server to see if that would help (heheehe... a poor-man's Windows tech support trick), but no luck.

Any ideas would be once again greatly welcomed.

Sonny.


:smash:
 
Old 01-22-2002, 10:53 PM   #8
lfslinux
LFS Maintainer
Registered: Jan 2002
Location: Canmore, Alberta, Canada
Distribution: Linux From Scratch
Re: Arrggh.. extreme frustration with ssh-agent...

Quote:
Originally posted by Sonny
Hi Gerard,

Sorry to be pestering you yet again with this ssh-agent question. It appears that after I issued the "exportfs -ra" command on my remote server to make its directories mountable, my ssh-agent authentication is no longer working. I am once again getting the request for a password when I type

ssh -1 dev1

I've rebooted my laptop and the remote server to see if that would help (heheehe... a poor-man's Windows tech support trick), but no luck.

Any ideas would be once again greatly welcomed.

Sonny.


:smash:
Turn off ssh-agent. First of all, I never found it necessary to use it if the keys are set up properly (which they are in your case). I've never actually run ssh-agent so I have no idea what the implications are of using it.

If you absolutely need it, I wouldn't mind trying ssh-agent out for you and seeing what happens on my end when I use NFS and such. I need more info though: what exactly do you run and configure in order for it to break?
 
Old 01-24-2002, 12:33 PM   #9
Sonny
Newbie
Registered: Jan 2002
Location: Burnaby British Columbia
Distribution: Redhat 7.1
Original Poster
Hi Gerard,

ssh-agent sets up an authentication agent for you (at least that's what I've read) so that it provides your passphrase on your behalf. Once it is setup, you don't need to explicitly type your passphrase to log in to a remote system (that has your publickey).

I'm not sure exactly what to tell you in terms of how dev1 (the remote system) is configured. So please bear with me if the following information is not helpful with your diagnosis.

1) dev1 has Redhat 6.2
2) My local system Selusa has Redhat 7.1
3) I'm now using ssh-2. I create the keys with the following steps:

ssh-keygen -t dsa
cp id_dsa.pub authorized_keys2
chmod 644 authorized_keys2
scp authorized_keys2 sonny@dev1:~/.ssh
chmod 700 .ssh (for both local and remote system)

4) Set up my ssh agent so that it can provide authentication information on my behalf.
ssh-agent bash
ssh-add
<type my passphrase>

5) Attempt to connect to remote system

ssh sonny@dev1
At this point, dev1 prompts me for my password.

In contrast on another remote system, sigma - on which I've gone through exactly the same setup steps when I type:

ssh sonny@sigma

I am automatically authenticated. I am not prompted for my password. Sigma however has Redhat 7.1 - if that is relevant.

Sonny.
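For readers who want to see what the agent set up by "ssh-agent bash; ssh-add" actually does, here is an added example (not part of the thread, written by the editor) of the ssh-agent wire protocol in Python. The agent keeps the decrypted private key in its own memory and talks over the Unix socket named in SSH_AUTH_SOCK; ssh-add -l sends SSH_AGENTC_REQUEST_IDENTITIES and gets back a list of public key blobs with comments, and when a server challenges ssh, ssh sends SSH_AGENTC_SIGN_REQUEST and receives only a signature. The passphrase and the private key never cross the socket, which is also why forwarding the agent socket to a host you do not trust is dangerous: anyone with access to that socket can ask for signatures in your name. The message numbers below are the real ones from OpenSSH's PROTOCOL.agent; the key blob and comment in the sample reply are constructed placeholders.

```python
import os
import socket
import struct

# Message numbers from the ssh-agent protocol (OpenSSH PROTOCOL.agent).
SSH_AGENT_FAILURE = 5
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENTC_SIGN_REQUEST = 13
SSH_AGENT_SIGN_RESPONSE = 14


def put_string(b):
    """SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def get_string(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string")
    return buf[off:off + n], off + n


def frame(msg_type, body=b""):
    """One agent message on the wire: uint32 length, byte type, body."""
    return put_string(bytes([msg_type]) + body)


def unframe(data):
    """Split a framed message into (type, body); raises if the buffer is short."""
    if len(data) < 5:
        raise ValueError("short agent message")
    (n,) = struct.unpack_from(">I", data, 0)
    if n < 1 or len(data) < 4 + n:
        raise ValueError("truncated agent message")
    return data[4], data[5:4 + n]


def build_request_identities():
    """What `ssh-add -l` sends: just the type byte, no body."""
    return frame(SSH_AGENTC_REQUEST_IDENTITIES)


def parse_identities_answer(body):
    """[(public_key_blob, comment), ...] from an SSH_AGENT_IDENTITIES_ANSWER body."""
    (nkeys,) = struct.unpack_from(">I", body, 0)
    off, keys = 4, []
    for _ in range(nkeys):
        blob, off = get_string(body, off)
        comment, off = get_string(body, off)
        keys.append((blob, comment.decode(errors="replace")))
    return keys


def key_type_of(blob):
    """The first string inside a protocol-2 public key blob is its algorithm name."""
    return get_string(blob, 0)[0].decode()


def build_sign_request(key_blob, data, flags=0):
    """What ssh sends when the server challenges it: the agent signs `data` with
    the key identified by `key_blob` and returns only the signature."""
    return frame(SSH_AGENTC_SIGN_REQUEST,
                 put_string(key_blob) + put_string(data) + struct.pack(">I", flags))


def parse_sign_response(msg):
    mtype, body = unframe(msg)
    if mtype == SSH_AGENT_FAILURE:
        return None          # no such key, or the agent refused (locked, confirmation denied)
    if mtype != SSH_AGENT_SIGN_RESPONSE:
        raise ValueError("unexpected agent reply %d" % mtype)
    return get_string(body, 0)[0]


def list_agent_keys(sock_path=None):
    """Live equivalent of `ssh-add -l`; returns [] when no agent is reachable."""
    path = sock_path if sock_path is not None else os.environ.get("SSH_AUTH_SOCK")
    if not path:
        return []
    try:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
            s.connect(path)
            s.sendall(build_request_identities())
            buf = b""
            while len(buf) < 4 or len(buf) < 4 + struct.unpack_from(">I", buf, 0)[0]:
                chunk = s.recv(4096)
                if not chunk:
                    raise ValueError("agent closed the connection")
                buf += chunk
    except OSError:
        return []
    mtype, body = unframe(buf)
    return parse_identities_answer(body) if mtype == SSH_AGENT_IDENTITIES_ANSWER else []


# Constructed sample reply from an agent holding one key (placeholder bytes in the
# right outer format, not a real key; the comment mimics ssh-keygen's default).
FAKE_BLOB = put_string(b"ssh-ed25519") + put_string(bytes(range(32)))
SAMPLE_ANSWER = frame(SSH_AGENT_IDENTITIES_ANSWER,
                      struct.pack(">I", 1) + put_string(FAKE_BLOB) + put_string(b"sonny@Selusa"))

if __name__ == "__main__":
    keys = list_agent_keys() or parse_identities_answer(unframe(SAMPLE_ANSWER)[1])
    for blob, comment in keys:
        print(key_type_of(blob), comment)
```

Run with a live agent in the environment and it lists the same keys as ssh-add -l; without one it falls back to the constructed reply. Protocol 1 identities (the RSA1 keys from the first half of this thread) use a different pair of messages with a different key encoding, which this example does not implement.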
 
Old 01-24-2002, 02:55 PM   #10
unSpawn
Moderator
Registered: May 2001
Hmm. How about if you do ssh-agent $SHELL, ssh-add, and then ssh to Selusa with options "-v -v -v"? The triple v should dump a lot of info and could point to something. And watch your permissions: ssh doesn't like ~/.ssh/id_dsa to have group and world rw's (man ssh).

For these kinds of situations I add a serverside syslog entry logging *everything*:
*.*<tab>/var/log/all
This will dump a lot of debugging/useless info but it might tell you something (only serverside) because loglevels usually are set from level "INFO" and up.
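unSpawn's permission warning, turned into a checker as an added example (editor's code, not from the post). Two different programs enforce two different rules: the ssh client refuses to load a private key that group or others can read or write (the "Permissions ... are too open" error), and sshd, with StrictModes on (the default), refuses to read authorized_keys when the home directory, ~/.ssh or the keys file is writable by group or others, or is not owned by the user or root. Read access for others on authorized_keys is tolerated, so the 644 mentioned in this thread is fine on the server side. build_demo_home() constructs a throwaway home directory under the temp directory with two deliberate mistakes; the file names and contents are placeholders.

```python
import os
import tempfile
from pathlib import Path

PRIVATE_KEY_NAMES = ("identity", "id_rsa", "id_dsa", "id_ecdsa", "id_ed25519")


def too_open_for_private_key(path):
    """ssh refuses an identity file that group or others can read or write."""
    return os.stat(path).st_mode & 0o077 != 0


def check_client(ssh_dir):
    """Client side: every private key must be 0600 (or stricter)."""
    findings = []
    for name in PRIVATE_KEY_NAMES:
        p = Path(ssh_dir, name)
        if p.exists() and too_open_for_private_key(p):
            findings.append("%s: mode %o is too open, chmod 600 it" % (name, os.stat(p).st_mode & 0o777))
    return findings


def check_server(home, uid=None):
    """Server side, what sshd's StrictModes enforces before it trusts authorized_keys:
    home, ~/.ssh and the keys file(s) must be owned by the user (or root) and must
    not be writable by group or others."""
    home = Path(home)
    uid = os.getuid() if uid is None else uid
    findings = []
    for p in (home, home / ".ssh", home / ".ssh" / "authorized_keys", home / ".ssh" / "authorized_keys2"):
        if not p.exists():
            continue
        st = os.stat(p)
        if st.st_uid not in (uid, 0):
            findings.append("%s: owned by uid %d, not by the user" % (p, st.st_uid))
        if st.st_mode & 0o022:
            findings.append("%s: mode %o is group/world writable" % (p, st.st_mode & 0o777))
    return findings


def build_demo_home():
    """Constructed fixture: a home directory with two classic mistakes
    (group-writable ~/.ssh, world-readable private key)."""
    home = Path(tempfile.mkdtemp(), "sonny")
    ssh = home / ".ssh"
    ssh.mkdir(parents=True)
    (ssh / "id_dsa").write_text("-- placeholder, not a real key --\n")
    (ssh / "authorized_keys2").write_text("ssh-dss AAAA... sonny@Selusa\n")
    os.chmod(home, 0o755)
    os.chmod(ssh, 0o775)                       # mistake: group members could add keys
    os.chmod(ssh / "id_dsa", 0o644)            # mistake: ssh will refuse to use this key
    os.chmod(ssh / "authorized_keys2", 0o644)  # acceptable: readable, not writable by others
    return str(home)


def fix_demo_home(home):
    """The usual remedy: 700 on ~/.ssh, 600 on every private key."""
    ssh = Path(home, ".ssh")
    os.chmod(ssh, 0o700)
    for name in PRIVATE_KEY_NAMES:
        if (ssh / name).exists():
            os.chmod(ssh / name, 0o600)


if __name__ == "__main__":
    h = build_demo_home()
    print("\n".join(check_client(Path(h, ".ssh")) + check_server(h)) or "ok")
    fix_demo_home(h)
    print("\n".join(check_client(Path(h, ".ssh")) + check_server(h)) or "ok")
```

Point check_client at your own ~/.ssh and check_server at a home directory on the server to get the same verdicts sshd and ssh would reach; a StrictModes failure shows up in the server's auth log as "Authentication refused: bad ownership or modes", which is worth grepping for alongside the "Failed publickey" lines.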
 
Old 01-24-2002, 04:35 PM   #11
Sonny
Newbie
Registered: Jan 2002
Location: Burnaby British Columbia
Distribution: Redhat 7.1
Original Poster
Hey unSpawn,

Selusa does not have sshd installed. I am looking into installing it now.

The file permissions are correctly set (I believe). The authorized_keys2 is 644 while the ~/.ssh directory is 700.

In regards to:

"...for this kind of situations I add a serverside syslog entry logging *everything*:
*.*<tab>/var/log/all "

I presume you are referring to the file in syslog.conf with the following comment line:

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;news.none;authpriv.none    /var/log/messages

In dev1:/var/log/messages I found the following lines:

dev1 sshd[1806]: Failed publickey for sonny from xxx.xxx.xxx.xxx port yyy ssh2

This seems to imply that perhaps the authorized_keys2 file is not properly set up. However, I have copied the same authorized_keys2 file to another remote server (sigma) that I am able to use ssh-agent with.




Sonny.
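An added example (editor's code, not from any poster) of the log triage lfslinux described earlier and the "Failed publickey" line above, in Python. The sample lines are constructed after the formats quoted in this thread, with made-up hosts, addresses and pids. The parser tells protocol-1 logins (no trailing "ssh2", method "rsa") from protocol-2 ones, counts outcomes, and flags the exact symptom under discussion: a connection whose offered key was rejected and which then logged in with a password, which sshd records under the same source address and port. Caveat: sshd versions that dropped protocol 1 no longer emit the bare form and append the key type and fingerprint after a colon; the pattern tolerates that suffix.

```python
import re
from collections import Counter

# Constructed sample modelled on the formats quoted in the thread. Lines 3 and 4
# reproduce the symptom discussed: key rejected, then a password login succeeds.
SAMPLE_LOG = """\
Jan 22 11:47:16 shadowfax sshd[7554]: Accepted publickey for gerard from 199.243.135.21 port 37791 ssh2
Jan 22 11:48:41 shadowfax sshd[7661]: Accepted rsa for gerard from 199.243.135.21 port 37794
Jan 24 16:02:07 dev1 sshd[1806]: Failed publickey for sonny from 192.0.2.10 port 40022 ssh2
Jan 24 16:02:09 dev1 sshd[1806]: Accepted password for sonny from 192.0.2.10 port 40022 ssh2
Jan 24 16:05:00 dev1 login: LOGIN ON 1 BY sonny FROM Selusa
"""

# Old sshd appended "ssh2" only to protocol-2 logins; a bare line whose method is
# "rsa" (or "rhosts-rsa") is protocol 1. Newer sshd adds ": <type> <fingerprint>".
SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)(?: (?P<proto>ssh2))?(?:: (?P<key>.*))?$"
)


def parse_sshd_line(line):
    """Dict for an sshd Accepted/Failed line, None for anything else (login, cron, ...)."""
    m = SSHD_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["proto"] = ev["proto"] or "ssh1"
    return ev


def parse_log(text):
    return [ev for ev in map(parse_sshd_line, text.splitlines()) if ev]


def summarize(events):
    """Counts per (result, protocol, method), e.g. ('Accepted', 'ssh1', 'rsa')."""
    return Counter((e["result"], e["proto"], e["method"]) for e in events)


def password_fallbacks(events):
    """Connections whose key was rejected and which then authenticated by password.
    Both lines come from one TCP connection, so they share host, user, source
    address and source port."""
    rejected = set()
    hits = []
    for e in events:
        conn = (e["host"], e["user"], e["ip"], e["port"])
        if e["result"] == "Failed" and e["method"] == "publickey":
            rejected.add(conn)
        elif e["result"] == "Accepted" and e["method"] == "password" and conn in rejected:
            hits.append(conn)
            rejected.discard(conn)
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for k, n in sorted(summarize(evs).items()):
        print("%-8s %-5s %-10s %d" % (k + (n,)))
    for host, user, ip, port in password_fallbacks(evs):
        print("key rejected, password accepted: %s@%s from %s port %s" % (user, host, ip, port))
```

Feed it the server's auth log (whichever file the auth facility goes to in syslog.conf) and the fallback list is the set of sessions where a client silently typed a password because its key was not accepted, which is what was happening against dev1 in this thread.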
 
Old 01-24-2002, 05:29 PM   #12
lfslinux
LFS Maintainer
Registered: Jan 2002
Location: Canmore, Alberta, Canada
Distribution: Linux From Scratch
Quote:
Originally posted by Sonny
Hi Gerard,

ssh-agent sets up an authentication agent for you (at least that's what I've read) so that it provides your passphrase on your behalf. Once it is setup, you don't need to explicitly type your passphrase to log in to a remote system (that has your publickey).

I'm not sure exactly what to tell you in terms of how dev1 (the remote system) is configured. So please bear with me if the following information is not helpful with your diagnosis.

1) dev1 has Redhat 6.2
2) My local system Selusa has Redhat 7.1
3) I'm now using ssh-2. I create the keys with the following steps:

ssh-keygen -t dsa
cp id_dsa.pub authorized_keys2
chmod 644 authorized_keys2
scp authorized_keys2 sonny@dev1:~/.ssh
chmod 700 .ssh (for both local and remote system)

4) Set up my ssh agent so that it can provide authentication information on my behalf.
ssh-agent bash
ssh-add
<type my passphrase>

5) Attempt to connect to remote system

ssh sonny@dev1
At this point, dev1 prompts me for my password.

In contrast on another remote system, sigma - on which I've gone through exactly the same setup steps when I type:

ssh sonny@sigma

I am automatically authenticated. I am not prompted for my password. Sigma however has Redhat 7.1 - if that is relevant.

Sonny.
You don't need ssh-agent running in order not to be prompted for a password. It may require you, when running 'ssh-keygen', to leave the passphrase empty. If you upload that file to the remote server, it shouldn't ask you for a password.
 
Old 01-24-2002, 05:42 PM   #13
Sonny
Newbie
Registered: Jan 2002
Location: Burnaby British Columbia
Distribution: Redhat 7.1
Original Poster
Hi Gerard,

I use a non-empty passphrase for the extra security. On sigma, ssh-agent works fine and I can ssh to it without being prompted for my password, but on dev1 it asks me.

I checked in dev1:/var/log/messages and found the following message

dev1 sshd[1806]: Failed publickey for sonny from xxx.xxx.xxx.xxx port yyy ssh2

This seems to imply that the perhaps the authorized_keys2 file is not properly setup. However, I have copied the same authorized_keys2 file for another remote server (sigma) that I am able to use ssh-agent with.


Sonny.
 
Old 01-25-2002, 01:31 AM   #14
unSpawn
Moderator
Registered: May 2001
Ok, so you established Protocol 2 pubkey auth fails. What does the clientside (-v -v -v) say?
(*scrub any public IP addy's first)
 
Old 01-25-2002, 06:28 AM   #15
Sonny
Newbie
Registered: Jan 2002
Location: Burnaby British Columbia
Distribution: Redhat 7.1
Original Poster
Hi unSpawn,

Sorry.. I don't understand what you mean by:

...(*scrub any public IP addy's first)

What are "addy's" and how do I go about scrubbing them?

Sonny.
 
  

