ssh for not asking passwd

linuxguy08 · 05-12-2008, 04:15 PM

Hi Guys,

I have a problem of ssh/rsync that should not ask password.
what i have done sofar is ,

there are 2 server , server-a and server-b

from server-b datas need to rsync to server-a, For that, I have id_rsa.pub in sever-a and copied that key into server-b as authorized_keys in /home/oracle/.ssh of server-b
still it ask passwd while logon into server-b
not sure why?
Any help would highly appreciated!!!

Thanks

MensaWater · 05-12-2008, 05:10 PM

ssh = secure shell - the operative part being "secure".

Accordingly your ssh setup must be secure or it will continue to ask for password.

A few common reasons it fails:
1) User's home directory is world writable (e.g. -rwxrwxrwx) - chmod 755 the user's home to cure this.
2) The .ssh directory under user's home is world writable or readable (e.g. rwxr--r--). To cure this chmod 700 .ssh.
3) Individual files under .ssh have permissions. You don't want people reading these files.
4) Any of the above are not owned by the user.

Another reason you might see failure has to do with "type". You said you're doing rsa - make sure that is what your ssh is doing by default. It might be necessary to specify type 1 or type on your command line.

linuxguy08 · 05-12-2008, 05:37 PM

yes , I have all appropriate permission has been given as other server have which enable login without password.

colucix · 05-12-2008, 07:18 PM

Try to connect using the -v option of ssh. You will get the exact talking between the two machines useful for debugging. You can improve the debugging level, using -vv or -vvv. In particular look at the output following the line:

Code:

debug1: Next authentication method: publickey

linuxguy08 · 05-12-2008, 07:38 PM

I have copied some part while debugging the ssh..

debug1: Found key in /root/.ssh/known_hosts:7
debug2: bits set: 522/1026
debug1: ssh_dss_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /root/.ssh/identity ((nil))
debug2: key: /root/.ssh/id_rsa (0x90f1c78)
debug2: key: /root/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: Offering public key: /root/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Trying private key: /root/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
oracle@10.10.10.7's password:

finally it comes in password..

Eazy-Snatch · 05-13-2008, 02:48 AM

Here is one script i use for make ssh pub key without password

Code:

#!/bin/bash     
# This was write only for simple usage 
#Valentin Hristev  Syste and network administrator a.k.a Eazy-Snatch

### Enter username and IP(or hostname) for REMOTE machine
echo -n "Enter remote username: "
read USR
echo -n "Remote username is set to $USR  "
case $usr in
esac
echo ""

echo -n "Enter remote ip/host address: "
read HOST
echo -n "Remote ip/host is set to $HOST  "
case $usr in
esac

#echo -n "Default SSH port is 22 if you want to change it please open ssh_gen with your favourite text editor and change "PORT=" PORT_NUMMER"


echo -n "Enter PORT: "
read PORT 
echo -n "Remote port is $PORT  "
case $usr in
esac

echo -n "Your config is :User = $USR  Host = $HOST Port = $PORT "
 
#PORT="22"
NEWKEY="yes"

# Generate SSH keys RSA 
makekey () {
if [ $NEWKEY == "yes" ]; then
ssh-keygen -t rsa -f ~/.ssh/identity
fi
}

# Check for file "authozed_keys" if file is not there create it.

checkfile () {
if [ -f ~/.ssh/authorized_keys ]; then
touch ~/.ssh/authorized_keys
fi
}

# Check for ".ssh" if dir is not there create it.
upload () {
cat ~/.ssh/identity.pub | ssh -p $PORT $USR@$HOST 'sh -c "if [ ! -d .ssh ] ; then mkdir .ssh ; chmod 700 .ssh ; fi
cat - >>~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"'
echo "Done..................... "
}

## Main Menu
press_enter () {
echo ""
echo -n "Press Enter to continue"
read
clear
}

selection=
until [ "$selection" = "0" ]; do
echo ""
echo "*******PROGRAM MENU"**********
echo "1 - Generate & Upload New Key"
echo "2 - Upload Old Key"
echo ""
echo "0 - exit "
echo ""
echo -n "Enter choose: "
read selection
echo ""
case $selection in
1 ) checkfile ; makekey ; upload ;;
2 ) upload ;;
0 ) exit ;;
* ) echo "Please enter 1, 2 or 0"; press_enter
esac
done

exit 0

#END

MensaWater · 05-13-2008, 02:51 PM

On your two hosts and two users type "ls -ld <homedirectory>" and "ls -la <homedirectory>/.ssh"

Also provide the exact command line you're typing to do an ssh from the one host to the other.

As noted before the issue is almost certainly permissions or key types and you didn't say anything about the one except "permissions are OK" and nothing at all about key type tests.

I thought your other thread was asking how to make it prompt for password.

Do NOT post the same question in multiple threads.

linuxguy08 · 05-13-2008, 03:14 PM

server to which i copied authorized_keys

/home/oracle>ls -la /home/oracle/.ssh/
total 32
drwxr-xr-x 2 oracle dba 4096 May 12 08:49 .
drwxr-xr-x 18 oracle dba 4096 Mar 26 11:38 ..
-rw-r--r-- 1 oracle dba 232 May 13 05:16 authorized_keys
-rw------- 1 oracle dba 528 May 12 06:11 identity
-rw-r--r-- 1 oracle dba 332 May 12 06:11 identity.pub
-rw------- 1 oracle dba 963 May 12 08:51 id_rsa
-rw-r--r-- 1 oracle dba 223 May 12 08:51 id_rsa.pub
-rw-r--r-- 1 oracle dba 1111 Jul 11 2005 known_hosts2

/home>ls -ld oracle/

drwxr-xr-x 18 oracle dba 4096 Mar 26 11:38 oracle/

The server from which I copied pub key

[root@server ~]# ls -ld /root/
drwxr-x--- 14 root root 4096 May 13 11:12 /root/

[root@server ~]# ls -la /root/.ssh/
total 28
drwxr-xr-x 2 root root 4096 May 12 16:21 .
drwxr-x--- 14 root root 4096 May 13 11:12 ..
-rw-r--r-- 1 root root 612 May 12 12:45 authorized_keys
-rw------- 1 root root 887 Oct 25 2007 id_rsa
-rw-r--r-- 1 root root 232 May 12 12:43 id_rsa.pub
-rw-r--r-- 1 root root 2533 May 12 16:20 known_hosts

the command for ssh i type
ssh oracle@ipaddr

Thanks

MensaWater · 05-14-2008, 09:23 AM

You have read and execute permissions for everyone on the two .ssh directories. ONLY the owner should be able to access the directory.

Type "chmod 700 .ssh" for both of the .ssh directories (while sitting in the parent directory).

AGAIN - ssh will not do "trust" if it doesn't believe it is "secure". It is NOT secure if everyone can read all the keys.

linuxguy08 · 05-14-2008, 12:19 PM

yes still it doesnot work evenafter changing permission 700 to .ssh for both server.
could it be version different? not sure

[root@server ~]# rpm -qa |grep openssh
openssh-askpass-gnome-3.9p1-8.RHEL4.9
openssh-clients-3.9p1-8.RHEL4.9
openssh-askpass-3.9p1-8.RHEL4.9
openssh-3.9p1-8.RHEL4.9
openssh-server-3.9p1-8.RHEL4.9

-------------------------------
/home/oracle>rpm -qa | grep openssh
openssh-askpass-2.9p2-7
openssh-2.9p2-7
openssh-askpass-gnome-2.9p2-7
openssh-server-2.9p2-7
openssh-clients-2.9p2-7

MensaWater · 05-14-2008, 01:59 PM

Try doing "ssh -1 oracle@ipaddr" then try "ssh -2 oracle@ipaddr".

As noted before it could be a key type specification. It looks like one of your servers is fairly old so it may only do type 1.

linuxguy08 · 05-14-2008, 03:13 PM

tried in both method but no use :-(

colucix · 05-14-2008, 03:26 PM

If it is a protocol issue, as jlightner suggests, try to recreate the keys using

Code:

ssh-keygen -t rsa1

Anyway, support for the SSH2 protocol has been introduced with version 2.0 and by the talking between the two servers, it looks like it is enabled. But you can give it a try.

mohdshakir · 09-03-2008, 11:58 PM

This site describe probably the exact solution to what you need:
Automatic backup using rsync