Run a script on ServerA which uses a ssh-connection to ServerB to execute a few commands on ServerB.
As ServerB only allows login with username+password the whole stuff gets more complex.
SSH provides key authentication enabling passwordless login as you probably know.
So as stated in many tutorials I did the following:
Trying to connect with
ssh osr@10.17.120.207
should now be passwordless but I'm somehow still getting the prompt for the password...
here's the output from ssh -vvv osr@10.17.120.207
interesting are probably the following lines:
I have no idea about how to solve this issue...
I hope you know the solution to this problem
Normally, default
Code:
#AuthorizedKeysFile .ssh/authorized_keys
so please check this first.
If yes, then append your public key to a file called authorized_keys
check secure log too.
ssh directory perms 700
authorized_keys file 400 or 600 if being written to
id_dsa 400
You want to check the option centosboy mentioned in /etc/ssh/sshd_config. Run through the whole thing and make sure pubkey is enabled, check that option, etc.
also, reset the ssh key passphrase. (I know it is blank)
but still, if no joy, recreate the key. will only take a few seconds
using passphrase-less keys is a security issue. ideally you would set a phrase but use ssh-agent to cache it. never mind, that's another issue
As previously mentioned, check that the permission on both .ssh directories is 700, the authorized_keys and private key files should preferably be 600.
Also, check your home directory (on both machines) does not allow group or other write access - i.e. the most lax can be 755. If group or other have write access then one could rename the .ssh directory and make up a new .ssh directory with bogus keys, authorized_keys file, etc etc.
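Added example (not part of the thread): a POSIX shell function that reports the permission problems described in the replies above. It flags group/other write access on the home directory, `.ssh` and `authorized_keys`, which makes sshd with its default StrictModes setting skip the key file and fall back to the password prompt, and any group/other access on the private keys. The function names and the `/home/osr` path in the usage comment are assumptions for illustration.

```shell
#!/bin/sh
# Added example: audit the permissions discussed in this thread.
# Usage (hypothetical path): check_ssh_perms /home/osr   # run on both machines

# Print the 10-character mode string of a path, e.g. drwxrwxr-x
mode_of() {
    ls -ldL "$1" | cut -c1-10
}

# Succeeds if group or other may write to the path (mode & 022)
group_other_writable() {
    case "$(mode_of "$1")" in
        ?????w????|????????w?) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeeds if group or other has any access at all (mode & 077)
group_other_any() {
    case "$(mode_of "$1")" in
        ????------) return 1 ;;
        *) return 0 ;;
    esac
}

# Returns the number of problems found; 0 means the layout is acceptable
check_ssh_perms() {
    home=${1:-$HOME}
    problems=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        if group_other_writable "$p"; then
            echo "FAIL $(mode_of "$p") $p: writable by group or other"
            problems=$((problems + 1))
        fi
    done
    for key in "$home/.ssh/id_rsa" "$home/.ssh/id_dsa"; do
        [ -f "$key" ] || continue
        if group_other_any "$key"; then
            echo "FAIL $(mode_of "$key") $key: private key accessible by group or other"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ] && echo "OK: $home"
    return "$problems"
}
```

A home directory at 775 is reported as a failure even when `.ssh` is 700 and `authorized_keys` is 600.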
I deleted all keys, rechecked configuration of sshd and deleted all the .ssh directories...
But I think the action that made the difference was the setting of the permissions on the home directory from 775 to 755...
After doing it all again it worked with password-prompt.
SSH auto login - without password
Here I have used RHEL4 servers (host1=192.168.0.1 and host2= 192.168.0.2) with default ssh ver
===========
Suppose you want a user(abhandari) at host1 auto login as root in host2 via SSH
-----------
At Host1 (192.168.0.1)
-----------
1.Login at host1 as abhandari user.
$ ssh -V
OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May 2006
$ cd ~/.ssh
(if the folder is not there create it)
---------------
2.Execute the following command to generate RSA Private-Public Key pair. From SSH documentation, 1024 bytes key is sufficiently strong. Just keep pressing Enter and DO NOT enter anything for passphrase. The key pair should be stored in /home/abhandari/.ssh as id_rsa and id_rsa.pub.
$ ssh-keygen -t rsa -b 1024
$ ls -la /home/abhandari/.ssh
(you just need id_rsa.pub don't distribute id_rsa)
----------------
3.Copy /home/abhandari/.ssh/id_rsa.pub from host1 to host2. Enter ’s password for respective hosts when prompted. Make sure the .ssh folder is present on host2 otherwise create it.
NOW
Host2(192.168.0.2)
4. login as root.
5. Add abhandari’s public key (from host1) to authorized_keys list:
# cat /home/abhandari/.ssh/id_rsa.pub.kramer >> /root/.ssh/authorized_keys
(this above command is single line.)
6. From host1, as abhandari, try the following command:
$ ssh root@192.168.0.2
(if you have ssh on a different listening port at host2 then use the -p option like this:
$ ssh -p 1555 root@192.168.0.2
)
7. If the command succeeds and you find yourself logged into root at host2, you are good and can expect to work properly. But we have still to do some little work for success that you were lost in previous support. Let's hunt it.) That is FAP permission of .ssh folder and the content inside it.
======at host2 as root===============
8. Allow root login from remote at ssh port (for normal user u don't have to do it)
vi /etc/ssh/sshd_config
(uncomment and edit the following line like to permit root login from at ssh port. Save it and restart the sshd service)
PermitRootLogin yes
----------------
9. File permission setting which is most.
cd /root/.ssh/
ls
chmod 700 ~/.ssh/
chmod go-rwx ~/.ssh/*
chmod go-w ~/
ls -la
10.(starting the service updated rules without breaking any previous connection at ssh port)
# cat /var/run/sshd.pid
9502
# kill 9502
# /etc/init.d/sshd start
Starting sshd: [ OK ]
# service sshd restart
For more info about errors you can peep at log files
# tail -f /var/log/messages
# tail -f /var/log/secure
=======Now at Host1=========
11. File permission at host1 as abhandari user
cd /home/abhandari/.ssh/
ls -la
chmod 700 ~/.ssh/
chmod go-rwx ~/.ssh/*
chmod go-w ~/
----still at host1-------
now login to host2 from host1 (first disable any firewall rule at both servers or mainly at host2 using "iptables -F" and "service iptables off").
now try to login
host1 as abhandari user. In some cases host2 may ask for the password the first time but never the next time since we are using Public Key auth. If the password is asked at the next login also, then check the file access permissions/public keys, or whether the version of ssh that you are using is commercial or a different version using RSA/DSA auth key.
$ ssh root@192.168.0.2
(you must be logged in as root at host2, and it is an auto login process that you can use from a script as well)
on each machine. The -N "" is the no password trick.
to generate the RSA keys. Then I create the file "authorized_keys" in .ssh from both of the id_rsa.pub files that were created in .ssh. I then put the authorized_keys file on both machines. As you add more machines, just append the id_rsa.pub files: cat id_rsa.pub >> authorized_keys
we prefer type dsa
and ssh 2 protocol only for security purposes
====================================== SSH public key setup and configuration
--------------------------------------
User abhandari at Host1=192.168.0.1 login via SSH protocol to Host2=192.168.0.2
--------------------------------------
1.Works for DSA key auth using SSH to SSH
# All steps when going from an OpenSSH machine to an OpenSSH machine
# This has been tested.
cd .ssh
ssh-keygen -t dsa
scp id_dsa.pub host2:/home/mst3k/.ssh/host1_mst3k_id_dsa.pub
ssh host2
cd .ssh
cat host1_mst3k_id_dsa.pub >> authorized_keys
================================================
2.Works for DSA key auth using SSH to SSH2
Step 1: Generate the DSA key pair
> ssh-keygen -d
Generating DSA parameter and key.
Enter file in which to save the key (/home/abhandari/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/abhandari/.ssh/id_dsa.
Your public key has been saved in /home/abhandari/.ssh/id_dsa.pub.
The key fingerprint is:
00:6e:05:42:93:7f:34:18:77:fb:e1:b1:54:75:7b:fb abhandari@example.com.np
Step 2: Convert the key to a SSH2-compatible public key
> ssh-keygen -x -f id_dsa > id_dsa_1024_abhandari.pub
Step 3: Upload the file id_dsa_1024_abhandari.pub from host1 to /root/.ssh2 at the remote host2
Step 4: Add an entry "key id_dsa_1024_abhandari.pub" to /root/.ssh2/authorization
Step 5: You should get an auto login connection by invoking command "ssh root@192.168.0.2"
Step 6: Trouble shooting. It works for ssh version 2 only. If you want other version, generate a rsa key pair instead.
=======================
Enjoy