Linux - Software (LinuxQuestions.org forum). This forum is for Software issues. Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.
Hello, I am having a problem setting up public-key authentication. I have it set up so I can ssh from host A to host B without a password, but so far I cannot go from host B to host A without a password.
It might be that the hostname on hostB does not match its DNS entry, but even if I include its IP address in the key, it doesn't matter. I even tried using a .shosts file on hostA, to no avail, even with the remote hostname and IP address...
Here is what I get when I ssh from hostB to hostA:
Code:
dev@hostB:~$ ssh -v hostA
OpenSSH_3.8.1p1 Debian-8.sarge.4, OpenSSL 0.9.7e 25 Oct 2004
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to hostA [hostA's IP] port 22.
debug1: Connection established.
debug1: identity file /home/dev/.ssh/identity type -1
debug1: identity file /home/dev/.ssh/id_rsa type 1
debug1: identity file /home/dev/.ssh/id_dsa type 2
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.9p1
debug1: match: OpenSSH_3.9p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1 Debian-8.sarge.4
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'HostA' is known and matches the RSA host key.
debug1: Found key in /home/dev/.ssh/known_hosts:2
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: publickey
debug1: Trying private key: /home/dev/.ssh/identity
debug1: Offering public key: /home/dev/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Offering public key: /home/dev/.ssh/id_dsa
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: password
dev@HostA's password:
Connection closed by HostA
Here's the .ssh directory on HostA for user dev:
Code:
ls -l .ssh/
total 52
-rw------- 1 dev dev 824 Sep 17 16:50 authorized_keys
-rw------- 1 dev dev 668 Nov 14 2007 id_dsa
-rw-r--r-- 1 dev dev 609 Nov 14 2007 id_dsa.pub
-rw------- 1 dev dev 887 Nov 14 2007 id_rsa
-rw-r--r-- 1 dev dev 229 Nov 14 2007 id_rsa.pub
-rw-r--r-- 1 dev dev 6841 Sep 17 12:06 known_hosts
Here's the sshd_config file on HostA (commented lines stripped out):
It should be the default ".ssh/authorized_keys". Your expression will expand to "<CLIENT_HOSTNAME>/.ssh/authorized_keys". This is the config file for the server you log into. It contains the user@hostname & public keys for each client that is authorized to log in.
I'd also recommend using "AllowUsers" or "AllowGroups" to deny all other login attempts. Also, use only protocol 2 and disable root logins.
Some people also go a step further and use a non-standard high port number. This will greatly reduce the number of script kiddie attacks on ssh.
That should be ".ssh/authorized_keys". Lose the "%" character.
Is this for logging in as a user or automated ssh access? The setting above is for user access. Look in both sshd_config and ssh_config for the config entries to use for server <-> server root access. There is an /etc/ssh/ssh_known_hosts file and /etc/ssh/ssh_host_rsa_key. I don't have experience using this and would never allow root ssh access. I don't know what would be used in place of ~/.ssh/authorized_keys? Is it /root/.ssh/authorized_keys? I don't know for sure and would need to crack open a book to find out. (And I don't think this is what you meant anyway.)
Code:
HostKey
Specifies a file containing a private host key used by SSH. The default is
/etc/ssh/ssh_host_key for protocol version 1, and /etc/ssh/ssh_host_rsa_key and
/etc/ssh/ssh_host_dsa_key for protocol version 2. Note that sshd(8) will refuse to use a file
if it is group/world-accessible. It is possible to have multiple host key files. “rsa1” keys
are used for version 1 and “dsa” or “rsa” are used for version 2 of the SSH protocol.
If you log in using "ssh -vv" you will get more information on what is tried and what failed and hopefully why. One common mistake is if the permissions of ~/ or ~/.ssh or the keys in ~/.ssh are world readable. If your home directory is group writable, someone in your group could replace the .ssh directory. If your private key is group or world readable, then ssh will refuse to authenticate.
Here are my uncommented entries in /etc/ssh/sshd_config. Only the hostnames and domain are altered:
Code:
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
Subsystem sftp /usr/lib64/ssh/sftp-server
AllowUsers jschiwal@host1.mynet jschiwal@host2.mynet
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
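The permission checks described in the reply above (home directory, ~/.ssh and authorized_keys must not be group/world writable or sshd's default StrictModes ignores the key file; a private key readable by anyone but its owner is never offered by the ssh client) are the first thing to rule out when "Offering public key" is answered only by another "Authentications that can continue" line, as in the OP's trace. The following script is an added example, not code posted in this thread. It audits a home directory for exactly those mistakes, fixes them, and is exercised on a constructed throw-away directory (not on the OP's hosts). It assumes GNU coreutils (stat -c, mktemp -d) and does not model sshd's separate ownership check.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: audit the file-permission mistakes that
# make sshd (StrictModes yes, the default) ignore ~/.ssh/authorized_keys and
# that make the ssh client refuse to use a private key. Assumes GNU coreutils
# (stat -c, mktemp -d); sshd's ownership check is not modelled here.

# mode_bits PATH -> permission bits in octal without leading zero, e.g. 755
mode_bits() {
    stat -c '%a' "$1"
}

# group_or_world_writable MODE -> true if g+w or o+w is set (octal mask 022)
group_or_world_writable() {
    [ $(( 0$1 & 022 )) -ne 0 ]
}

# group_or_world_accessible MODE -> true if group or other has any bit (mask 077)
group_or_world_accessible() {
    [ $(( 0$1 & 077 )) -ne 0 ]
}

# audit_ssh_perms HOME_DIR -> one finding per line on stdout, nothing when the
# layout is acceptable. Always returns 0 so it can sit in a pipeline.
audit_ssh_perms() {
    local home=$1 path mode
    # sshd refuses authorized_keys if ~, ~/.ssh or the file is group/world writable
    for path in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$path" ] || continue
        mode=$(mode_bits "$path")
        if group_or_world_writable "$mode"; then
            echo "$path mode $mode: group/world writable, sshd StrictModes ignores authorized_keys"
        fi
    done
    # the ssh client skips a private key that anyone but the owner can read
    for path in "$home/.ssh/identity" "$home/.ssh/id_rsa" "$home/.ssh/id_dsa"; do
        [ -f "$path" ] || continue
        mode=$(mode_bits "$path")
        if group_or_world_accessible "$mode"; then
            echo "$path mode $mode: private key readable by others, ssh will not offer it"
        fi
    done
    return 0
}

# fix_ssh_perms HOME_DIR -> apply the modes sshd and ssh expect
fix_ssh_perms() {
    local home=$1 key
    chmod go-w "$home"
    [ -d "$home/.ssh" ] && chmod 700 "$home/.ssh"
    [ -f "$home/.ssh/authorized_keys" ] && chmod 600 "$home/.ssh/authorized_keys"
    for key in "$home/.ssh/identity" "$home/.ssh/id_rsa" "$home/.ssh/id_dsa"; do
        [ -f "$key" ] && chmod 600 "$key"
    done
    return 0
}

# make_bad_fixture -> prints the path of a throw-away home directory
# (constructed test data, placeholder file contents) carrying every mistake
# the audit looks for: 775 home, 775 .ssh, 664 authorized_keys, 644 id_rsa.
make_bad_fixture() {
    local home
    home=$(mktemp -d)
    mkdir "$home/.ssh"
    echo "ssh-rsa AAAA-constructed-placeholder dev@hostB" > "$home/.ssh/authorized_keys"
    echo "placeholder, not a real private key" > "$home/.ssh/id_rsa"
    chmod 775 "$home" "$home/.ssh"          # group writable home and .ssh
    chmod 664 "$home/.ssh/authorized_keys"  # group writable key file
    chmod 644 "$home/.ssh/id_rsa"           # private key readable by everyone
    echo "$home"
}

# Demonstration on the constructed fixture: findings before the fix, none after.
demo=$(make_bad_fixture)
echo "--- before fix"; audit_ssh_perms "$demo"
fix_ssh_perms "$demo"
echo "--- after fix"; audit_ssh_perms "$demo"
rm -rf "$demo"
```

Run `audit_ssh_perms /home/dev` on HostA as well as `ssh -vv` from HostB: the client-side trace only says the server declined each offered key, while the reason (a permission sshd considers unsafe) appears in HostA's auth log and is caught by this check. The modes in the OP's `ls -l .ssh/` output are already correct for the key files; what that listing does not show is the mode of `/home/dev` and of `.ssh` itself, which the audit covers.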