Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I want to use ssh-agent to avoid having to type my password every time I log into a remote system. These are the steps I took:
1) Create my private/public keys using ssh-keygen
2) Copy the identity.pub file to sonny@remotesystem:~/.ssh/authorized_keys
3) chmod 600 authorized_keys
4) chmod 644 ~/.ssh/identity
5) start a ssh-agent session for a bash shell: ssh-agent bash
6) add my key: ssh-add
7) confirm the key has been added with ssh-add -l
8) attempt to login to the remote system with ssh remotesystem
My understanding is that at this point, the remote system *should* authenticate me through my ssh-agent, but instead it prompts me for my password. Anyone have any ideas? Any suggestions would be welcome.
Sonny.
You don't need to start ssh-agent for this to work properly.
One reason this isn't working is that you may be ssh'ing to the remote server using the ssh2 protocol, as opposed to the ssh1 protocol, but your key combinations are for ssh1 and are ignored (different file names).
Check your authentication log file (not sure what it's called on your machine; check /etc/syslog.conf to see which file contains the auth messages).
Here's an example of a login with ssh2:
Jan 22 11:47:16 shadowfax sshd[7554]: Accepted publickey for gerard from 199.243.135.21 port 37791 ssh2
Here's a ssh1 example:
Jan 22 11:48:41 shadowfax sshd[7661]: Accepted rsa for gerard from 199.243.135.21 port 37794
The difference: it'll say ssh2 at the end of a ssh2 login, and publickey instead of rsa.
So, if you're using ssh2 (which is _highly_ recommended, it is so much more secure than ssh1) you need to create ssh2 keys. Note that the default setting for ssh-keygen is ssh1 keys.
Run "ssh-keygen -t dsa", then read the ssh man page to see which files to copy where and what to name them.
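An added example, not code from the thread or from OpenSSH: a small parser for sshd auth lines like the two quoted above, classifying each attempt by result, method and protocol so that ssh1 "rsa" logins, ssh2 "publickey" logins and failures can be told apart in bulk. The "Failed publickey" sample line, its timestamp and its source address are constructed.

```python
import re
from collections import Counter

# Matches the sshd auth lines quoted in the thread. A trailing "ssh2" marks a
# protocol-2 login; its absence means protocol 1 (where the method reads "rsa").
AUTH_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?P<result>Accepted|Failed) (?P<method>\S+) "
    r"for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)(?P<proto> ssh2)?$"
)

def classify(line):
    """Describe one sshd auth line as a dict, or return None if it is not one."""
    m = AUTH_RE.search(line.rstrip())
    if not m:
        return None
    return {
        "pid": int(m.group("pid")),
        "result": m.group("result").lower(),  # "accepted" or "failed"
        "method": m.group("method"),          # publickey, rsa, password, ...
        "user": m.group("user"),
        "src": m.group("src"),
        "port": int(m.group("port")),
        "protocol": "ssh2" if m.group("proto") else "ssh1",
    }

def summarize(lines):
    """Count (user, result, method, protocol) tuples across many log lines."""
    counts = Counter()
    for line in lines:
        rec = classify(line)
        if rec:
            counts[(rec["user"], rec["result"], rec["method"], rec["protocol"])] += 1
    return counts

# Constructed sample log: the lines quoted in the thread, a non-sshd line, and the
# OP's later "Failed publickey" line with a placeholder source address filled in.
SAMPLE_LOG = [
    "Jan 22 11:47:16 shadowfax sshd[7554]: Accepted publickey for gerard from 199.243.135.21 port 37791 ssh2",
    "Jan 22 11:48:41 shadowfax sshd[7661]: Accepted rsa for gerard from 199.243.135.21 port 37794",
    "Jan 22 10:50:10 dev 1 login: LOGIN ON 1 BY sonny FROM Selusa",
    "Jan 23 09:12:03 dev1 sshd[1806]: Failed publickey for sonny from 192.0.2.10 port 40122 ssh2",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(classify(entry))
    print(summarize(SAMPLE_LOG))
```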
Thanks for replying to my post. I checked in my /etc/syslog.conf file and I presume the correct log file to look at is the following:
# The authpriv file has restricted access
authpriv.* /var/log/secure
I then checked in /var/log/secure but none of the ssh logins were recorded there. The latest message I have in the log is the following:
Jan 22 10:50:10 dev 1 login: LOGIN ON 1 BY sonny FROM Selusa
Any other places I should look?
I do need to use ssh1 as opposed to ssh2 to ensure compatibility with an existing development library.
authpriv is something different. Look for a line with just auth in it (and not auth.none - that's something else too).
Either way, you set up your keys for ssh1, and if you're not sure what you are logging in with, you can force ssh to use protocol 1 by adding the -1 option to ssh, like:
One more question. The first time I did ssh -1 to the remote server I got the following message:
The authenticity of host 'dev1 (xxx.xxx.xxx.xxx)' can't be established. Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'dev1 (xxx.xxx.xxx.xxx)' (RSA1) to the list of known hosts
I checked my ~/.ssh/known_hosts file and found an entry for dev1. How can the authenticity of a remote host be established?
Sonny.
Through ssh host keys.
Compare ~/.ssh/known_hosts to /etc/ssh_host_key.pub on the server.
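As an added example (not code from the thread), the comparison the reply suggests doing by hand: read the entry for a host out of ~/.ssh/known_hosts, fingerprint it, and compare it with the key the server publishes in its ssh_host_key.pub, handling both the protocol-2 layout and the RSA1 "bits exponent modulus" layout behind the "(RSA1)" warning above. All key material, host names and addresses are constructed, and hashing the decimal fields for RSA1 keys is my own assumption, since OpenSSH fingerprints only protocol-2 blobs.

```python
import base64
import hashlib

# Constructed sample material (not real keys). Protocol-2 lines carry a key type
# and a base64 blob; protocol-1 (RSA1) lines carry "bits exponent modulus", the
# layout behind the thread's "(RSA1)" known_hosts warning.
FAKE_BLOB = base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + b"\x01" * 40).decode()
KNOWN_HOSTS_V2 = f"dev1,192.0.2.5 ssh-rsa {FAKE_BLOB}"
SERVER_PUB_V2 = f"ssh-rsa {FAKE_BLOB} root@dev1"
KNOWN_HOSTS_V1 = "dev1 1024 35 1234567890123456789"
SERVER_PUB_V1 = "1024 35 1234567890123456789 root@dev1"

def parse_key_line(line, with_host):
    """Split a known_hosts line (with_host=True) or a *.pub line into (host, identity)."""
    fields = line.split()
    host = None
    if with_host:
        host, fields = fields[0], fields[1:]
    if fields[0].isdigit():  # RSA1 layout: bits exponent modulus
        return host, ("rsa1", int(fields[0]), int(fields[1]), int(fields[2]))
    return host, (fields[0], base64.b64decode(fields[1]))  # keytype, decoded blob

def fingerprint(identity):
    """OpenSSH-style SHA256 fingerprint of a protocol-2 blob. For RSA1 keys the
    decimal fields are hashed instead (an assumption; OpenSSH has no blob there)."""
    data = identity[1] if identity[0] != "rsa1" else " ".join(map(str, identity[1:])).encode()
    digest = hashlib.sha256(data).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def known_hosts_entry(known_hosts_lines, hostname):
    """Return the identity recorded for hostname, or None if there is no entry."""
    for line in known_hosts_lines:
        if line.strip() and not line.startswith("#"):
            host, ident = parse_key_line(line, with_host=True)
            if hostname in host.split(","):
                return ident
    return None

def host_key_matches(known_hosts_lines, hostname, server_pub_line):
    """True iff the recorded key for hostname has the same fingerprint as the key the
    server itself publishes (the comparison the reply above suggests doing by hand)."""
    recorded = known_hosts_entry(known_hosts_lines, hostname)
    if recorded is None:
        return False
    return fingerprint(recorded) == fingerprint(parse_key_line(server_pub_line, False)[1])

if __name__ == "__main__":
    print(fingerprint(parse_key_line(SERVER_PUB_V2, False)[1]))
    print(host_key_matches([KNOWN_HOSTS_V2], "dev1", SERVER_PUB_V2))
```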
Sorry to be pestering you yet again with this ssh-agent question. It appears that after I issued the "exportfs -ra" command on my remote server to make its directories mountable, my ssh-agent authentication is no longer working. I am once again getting the request for a password when I type
ssh -1 dev1
I've rebooted my laptop and the remote server to see if that would help (heheehe... a poor-man's Windows tech support trick), but no luck.
Re: Arrggh.. extreme frustration with ssh-agent...
Quote: Originally posted by Sonny
Hi Gerard,
Sorry to be pestering you yet again with this ssh-agent question. It appears that after I issued the "exportfs -ra" command on my remote server to make its directories mountable, my ssh-agent authentication is no longer working. I am once again getting the request for a password when I type
ssh -1 dev1
I've rebooted my laptop and the remote server to see if that would help (heheehe... a poor-man's Windows tech support trick), but no luck.
Any ideas would be once again greatly welcomed.
Sonny.
Turn off ssh-agent. First of all, I never found it necessary to use it if the keys are set up properly (which they are in your case). I've never actually run ssh-agent, so I have no idea what the implications are of using it.
If you absolutely need it, I wouldn't mind trying ssh-agent out for you and seeing what happens on my end when I use NFS and such. I need more info though: what exactly you run and configure in order for it to break.
ssh-agent sets up an authentication agent for you (at least that's what I've read) so that it provides your passphrase on your behalf. Once it is setup, you don't need to explicitly type your passphrase to log in to a remote system (that has your publickey).
I'm not sure exactly what to tell you in terms of how dev1 (the remote system) is configured. So please bear with me if the following information is not helpful with your diagnosis.
1) dev1 has Redhat 6.2
2) My local system Selusa has Redhat 7.1
3) I'm now using ssh-2. I create the keys with the following steps:
ssh-keygen -t dsa
cp id_dsa.pub authorized_keys2
chmod 644 authorized_keys2
scp authorized_keys2 sonny@dev1:~/.ssh
chmod 700 .ssh (for both local and remote system)
4) Set up my ssh agent so that it can provide authentication information on my behalf.
ssh-agent bash
ssh-add
<type my passphrase>
5) Attempt to connect to remote system
ssh sonny@dev1
At this point, dev1 prompts me for my password.
In contrast, on another remote system, sigma, on which I've gone through exactly the same setup steps, when I type:
ssh sonny@sigma
I am automatically authenticated. I am not prompted for my password. Sigma however has Redhat 7.1 - if that is relevant.
Hmm. How about if you do
ssh-agent $SHELL, ssh-add, and then ssh to Selusa with options "-v -v -v"? The triple v should dump a lot of info and could point to something. And watch your permissions: ssh doesn't like ~/.ssh/id_dsa to have group and world rw's (man ssh).
For this kind of situation I add a server-side syslog entry logging *everything*:
*.*<tab>/var/log/all
This will dump a lot of debugging/useless info, but it might tell you something (only server side), because log levels are usually set from level "INFO" and up.
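The permission rules this reply and the OP's "chmod 644 ~/.ssh/identity" step touch on, as an added example that is not from the thread: a checker mirroring what the ssh client refuses (a private key readable by group/others) and what sshd with StrictModes ignores (an authorized_keys file, ~/.ssh or home directory that is group- or world-writable or not owned by the user), run against a throwaway home directory laid out like the OP's. The paths and modes in demo() are constructed.

```python
import os
import stat
import tempfile

# Checks modelled on OpenSSH's own rules: the client refuses a private key that
# group/others can read or write (mode & 0o077), and sshd with StrictModes (the
# default) ignores authorized_keys if the home dir, ~/.ssh or the file itself is
# group- or world-writable or not owned by the user.

def _mode(path):
    return stat.S_IMODE(os.lstat(path).st_mode)

def check_private_key(path):
    """Problems with a client-side private key; an empty list means it is fine."""
    m = _mode(path)
    if m & 0o077:
        return [f"{path}: mode {m:03o} is readable/writable by group or others; use 600"]
    return []

def check_authorized_keys(home, filename="authorized_keys"):
    """Problems sshd's StrictModes would raise for home/.ssh/filename (empty = fine)."""
    problems = []
    ssh_dir = os.path.join(home, ".ssh")
    for p in (home, ssh_dir, os.path.join(ssh_dir, filename)):
        if not os.path.exists(p):
            problems.append(f"{p}: missing")
            continue
        if _mode(p) & 0o022:
            problems.append(f"{p}: mode {_mode(p):03o} is group/world writable")
        if os.lstat(p).st_uid != os.getuid():
            problems.append(f"{p}: not owned by the current user")
    return problems

def demo(home_mode=0o755, key_mode=0o644):
    """Reproduce the thread's layout in a throwaway home dir (defaults mirror the OP's
    'chmod 644 ~/.ssh/identity'); return findings before and after fixing the key."""
    with tempfile.TemporaryDirectory() as home:
        ssh_dir = os.path.join(home, ".ssh")
        os.mkdir(ssh_dir)
        key, ak = os.path.join(ssh_dir, "identity"), os.path.join(ssh_dir, "authorized_keys2")
        for p in (key, ak):
            open(p, "w").close()
        os.chmod(home, home_mode); os.chmod(ssh_dir, 0o700)
        os.chmod(key, key_mode); os.chmod(ak, 0o644)   # 644 is acceptable for authorized_keys
        before = check_private_key(key) + check_authorized_keys(home, "authorized_keys2")
        os.chmod(key, 0o600)
        after = check_private_key(key) + check_authorized_keys(home, "authorized_keys2")
        return before, after
```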
Selusa does not have sshd installed. I am looking into installing it now.
The file permissions are correctly set (I believe). The authorized_keys2 is 644 while the ~/.ssh directory is 700.
In regards to:
"...for this kind of situations I add a serverside syslog entry logging *everything*:
*.*<tab>/var/log/all "
I presume you are referring to the file in syslog.conf with the following comment line:
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;news.none;authpriv.none /var/log/messages
In dev1:/var/log/messages I found the following lines:
dev1 sshd[1806]: Failed publickey for sonny from xxx.xxx.xxx.xxx port yyy ssh2
This seems to imply that perhaps the authorized_keys2 file is not properly set up. However, I have copied the same authorized_keys2 file for another remote server (sigma) that I am able to use ssh-agent with.
You don't need ssh-agent running in order not to be prompted for a password. It may require that, when running 'ssh-keygen', you leave the passphrase empty. If you upload that file to the remote server, it shouldn't ask you for a password.
I use a non-empty passphrase for the extra security. On sigma, ssh-agent works fine and I can ssh to it without being prompted for my password, but on dev1 it asks me.
I checked in dev1:/var/log/messages and found the following message
dev1 sshd[1806]: Failed publickey for sonny from xxx.xxx.xxx.xxx port yyy ssh2
This seems to imply that perhaps the authorized_keys2 file is not properly set up. However, I have copied the same authorized_keys2 file for another remote server (sigma) that I am able to use ssh-agent with.