LinuxQuestions.org


lefty.crupps 06-06-2007 09:46 AM

Passwordless SSH setup not working, any ideas?
 
I followed this HowTo http://www.debian-administration.org/articles/152 and I've read numerous threads here at LQ and on the web but I cannot get this to function!

I want passwordless logons for root access to work and client servers.

I have set up an RSA key on my box for user@user-desktop (the basic Kubuntu machine name) and I copied/added the rsa_id_nopass.pub file to the end of the destination server's ~/.ssh/authorized_keys2 file, but it still isn't working; I am asked for a password (not passphrase) every time.

I have edited the ssh_config file (both on local machine and server) to use
RSAAuthentication yes
PubkeyAuthentication yes
and restarted the sshd server on both machines.

I want to get root access for servers when I log in using these keys. Unfortunately it isn't giving me root or regular user access at all; 'ssh root@server' is acting like it would had none of my work been done.

My system is Kubuntu 7.04 and the test server is a RedHat Enterprise Linux 9, but the key setup would eventually go onto a few debian servers and RHEL servers. I also am failing to get this to function on two Kubuntu 7.04 boxes (one is at home, one is at work (this setup is for two regular user accounts, not root accounts)). Does this whole setup require that the user name is identical on both machines??? Cause that's just a pain if I have to become root just to not enter a root password five seconds later.

Thanks for any advice

alunduil 06-06-2007 10:06 AM

It sounds like you've checked everything. Create the key pair; put public key in the remote box's ~/.ssh/authorized_keys2 file. Check that the remote ~/.ssh directory is chmod 700. The private key applies as long as you are currently running on the local box as the user you created the key for; the same user that has it in their ~/.ssh directory. You also have to be logging in as the user on the remote box that you created the ~/.ssh/authorized_keys2 file for.

Otherwise, everything you've done sounds correct. If things still don't work just post the line that created your key here, and we'll try to help you out some more.

Regards,

Alunduil

jeenam 06-06-2007 01:48 PM

Try copying ~/.ssh/authorized_keys2 to ~/.ssh/authorized_keys.

EDIT: On the destination machine(s), of course.

lefty.crupps 06-06-2007 02:15 PM

jeenam, I am not following you. Did you mean to say, copy authorized_keys to authorized_keys2?

alunduil, you sort of answered my question, 'do both usernames have to be the same?' I tried installing the pubkey on the destination server as myself (I wanted passwordless root access from a regular shell account, otherwise I still end up typing the root passwd which saves me no time nor braincells) but it still isn't working.

Does the name of my key matter, or is each key tried before a match is found? I had created a new key specifically for this task and named it 'rsa_id_nopass.pub' and I am wondering if the '_nopass' part makes a difference. My private key has a matching name (except the .pub).

I did have to enable this:
Host *
because where I had added these:
RSAAuthentication yes
PubkeyAuthentication yes
was in a part that had no hosts defined. Then I restarted sshd but still no success.

p.s. alunduil greetings to a local Minnesotan!

jeenam 06-07-2007 09:38 AM

Typo above; it should read: Try copying ~/.ssh/authorized_keys2 to ~/.ssh/authorized_keys.

simon.sweetman 03-05-2009 03:40 PM

Quote:

Originally Posted by lefty.crupps (Post 2777409)
I followed the HowTos and I've read numerous threads here at LQ and on the web but I cannot get this to function!

I want passwordless logons for root access to work and client servers.

Have you set the PermitRootLogin to yes or without-password (for public key verification only) in /etc/ssh/sshd_config on the target machine(s)?

Of course a restart of sshd will be required after this change.

doc.nice 05-12-2009 02:33 PM

This may be due to a compromised ssh key.
Check /var/log/auth.log for a message about compromised keys, like this one:

Quote:

May 12 21:13:38 spiff sshd[5415]: Public key <your key fingerprint> from <source-ip> blacklisted (see ssh-vulnkey(1))

If this is the case, update your openssl and openssh packages using aptitude or whatever you use and afterwards create a new key using ssh-keygen (overwrite your old key, and create a backup beforehand if needed).

WITHOUT YOUR OLD KEY, YOU WILL NOT BE ABLE TO LOG IN TO MACHINES ONLY ACCEPTING YOUR KEY AS AUTH, NO PASSWORD! BE SURE TO DOUBLE CHECK WHAT YOU DO! You have to (re)deploy the new key to all machines you want to be able to auth to using the key, using ssh-copy-id.

After the update, the login should be possible.

btw: the username must not be identical, simply call "ssh username@hostname" to log into another username on the remote machine...

chrism01 05-12-2009 08:13 PM

Just some side points:

1. There's no such thing as RedHat Enterprise Linux 9; if that's really RH v9 (codename Shrike), it's so out of date it's not funny. RHEL is currently on v5.3.
2. Are you sure you really want to be able to log in remotely as root? That's usually not recommended for security reasons, especially if it's on the internet.
(Actually, re-reading, passwordless, i.e. via keys, is probably OK...)
3. When describing your problem, please be careful to specify whether you are editing ssh_config or sshd_config; they both exist and it makes all the difference as to which one you edit. (See your OP.)

barae 05-14-2009 03:36 PM

One other thing you might want to verify is that the .ssh directory and authorized_keys(2) files are owned by root:root (or user:user)

doc.nice 05-15-2009 03:11 AM

...and the ssh dir is set to mode 700 (call chown user: ~/.ssh; chmod 700 ~/.ssh)

ermoreno 05-15-2009 04:17 PM

Put /etc/ssh/ssh_host_rsa_key.pub from the remote server in the authorized_keys file on the local host. Then ssh with the -i switch and the path for the identity file. As long as the permissions are correct for .ssh and the underlying files are correct and the PermitRootLogin line of sshd_config is set to yes you should be good.

ssh -i /etc/ssh/ssh_host_rsa_key root@remotehost

elkali 11-10-2009 02:55 AM

Remember to check not only the directory permissions and ownership, but also the authorized_keys file. It should belong to the user and be chmod'ed to 700.

This will solve your problem almost for sure, it did solve mine :-)

martygoody 09-05-2011 02:02 PM

My public auth ssh was not working and my home directory permissions were the problem. I had to remove group and other write permissions to my home directory and then everything worked:

chmod go-w ~/


Looking at /var/log/auth.log was what helped me figure out what was going wrong.

In case anyone has the same problem.

_anonymous 11-12-2011 09:17 AM

I used an absolute path in sshd_config as "AuthorizedKeysFile /root/.ssh/authorized_keys".
File permissions were made 700 for .ssh & authorized_keys.

Restarted sshd and then it worked.

nperrins 01-18-2012 02:29 PM

sshd_config bug
 
We have had two of us working on getting ssh keys working on a Fedora Core 13 server. We have done this kind of thing many times before and truly believe the ssh set up to be a real pain. For one reason or another you can waste days of time getting it to work.

I have to post this one because the previous poster has almost hit the nail on the head - and we have spent all this time not seeing it here because we weren't searching for the right thing. So for all others out there I think it only right to add a few terms for searching here:

putty keys do not connect
cannot ssh connect to linux server
Fedora Core 13 cannot ssh
linux ssh drops key
sshd bugs

OK, the problem is inside the sshd_config file. There is a setting

AuthorizedKeysFile .ssh/authorized_keys

This is a real bad bug because you look at it and you think it is OK. The problem is that the only way you can find this problem is to see where it looks. You do this by putting sshd into debug logging (by changing another setting in sshd_config - LogLevel INFO to LogLevel DEBUG). When you do that, /var/log/secure shows that sshd is looking for //.ssh/authorized_keys.

So, the previous poster is correct in saying that changing it to /root/.ssh/authorized_keys works. But, of course, you then have to use the same public key for every user (not good). So, the answer is to amend the sshd_config file to look in all users' .ssh folders. I haven't done this yet, but it should be straightforward (~/ won't cut it; root sees this as its own home).

So, I have just lost about 20 hours of my life just for that. Thanks guys.
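
The ownership and permission checks that several replies above describe (home directory not writable by group or others, ~/.ssh and the authorized_keys files owned by the right user), collected into one script. This is an added example, not code from any poster in the thread; the function name check_ssh_perms and its helpers are made up here, and it assumes GNU stat.

```shell
#!/bin/sh
# Added example (not from the thread): flag the ownership and write-permission
# problems on a user's home, ~/.ssh and authorized_keys(2) files.
# Assumes GNU stat (stat -c), as found on the Linux systems discussed here.

problems=0

# Print one finding and count it.
_flag() {
    echo "PROBLEM: $1"
    problems=$((problems + 1))
}

# Flag a path that group or other may write to (e.g. mode 775 or 666).
_no_go_write() {
    mode=$(stat -c '%a' "$1") || return
    case "$mode" in
        *[2367]?|*[2367])
            _flag "$1 has mode $mode; fix with: chmod go-w $1" ;;
    esac
}

# check_ssh_perms HOME_DIR [UID]
# Returns 0 when nothing is wrong; otherwise prints each problem, leaves
# the count in $problems and returns 1.
check_ssh_perms() {
    home=${1:-$HOME}
    uid=${2:-$(id -u)}
    problems=0
    for p in "$home" "$home/.ssh" \
             "$home/.ssh/authorized_keys" "$home/.ssh/authorized_keys2"; do
        [ -e "$p" ] || continue
        owner=$(stat -c '%u' "$p")
        # The path must belong to the login user or to root.
        if [ "$owner" != "$uid" ] && [ "$owner" != 0 ]; then
            _flag "$p is owned by uid $owner, expected $uid or 0"
        fi
        _no_go_write "$p"
    done
    if [ ! -e "$home/.ssh/authorized_keys" ] &&
       [ ! -e "$home/.ssh/authorized_keys2" ]; then
        _flag "no authorized_keys or authorized_keys2 under $home/.ssh"
    fi
    [ "$problems" -eq 0 ]
}
```

Source the file on the destination machine and call, for example, `check_ssh_perms /root 0`; each line it prints names the path and the problem found.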

