[SOLVED] Passwordless SSH setup not working, any ideas?
Linux - SoftwareThis forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I want passwordless logons for root access to work and client servers.
I have set up an RSA key on my box for user@user-desktop (the basic Kubuntu machine name) and I copied/added the rsa_id_nopass.pub file to the end of the destination server's ~/.ssh/authorized_keys2 file, but it still isn't working; I am asked for a password (not passphrase) every time.
I have edited the ssh_config file (both on local machine and server) to use
RSAAuthentication yes
PubkeyAuthentication yes
and restarted the sshd server on both machines.
I want to get root access for servers when I log in using these keys. Unfortunately it isn't giving me root or regular user access at all; 'ssh root@server' is acting like it would had none of my work been done.
My system is Kubuntu 7.04 and the test server is a RedHat Enterprise Linux 9, but the key setup would eventually go onto a few debian servers and RHEL servers. I also am failing to get this to function on two Kubuntu 7.04 boxes (one is at home, one is at work (this setup is for two regular user accounts, not root accounts)). Does this whole setup require that the user name is identical on both machines??? Cause that's just a pain if I have to become root just to not enter a root password five seconds later.
Thanks for any advice
Last edited by lefty.crupps; 06-06-2007 at 10:01 AM.
It sounds like you've checked everything. Create the key pair; put public key in the remote box's ~/.ssh/authorized_keys2 file. Check that the remote ~/.ssh directory is chmod 700. The private key applies as long as you are currently running on the local box as the user you created the key for; the same user that has it in their ~/.ssh directory. You also have to be logging in as the user on the remote box that you created the ~/.ssh/authorized_keys2 file for.
Otherwise, everything you've done sounds correct. If things still don't work just post the line that created your key here, and we'll try to help you out some more.
jeenam i am not following you. Did you mean to say, copy authorized_keys to authorized_keys2 ?
alunduil you sort of answered my question, 'do both usernames have to be the same?' I tried installing the pubkey on the destination server as myself (i wanted passwordless root access from a regular shell account, otherwise i still end up typing the root passwd which saves me no time nor braincells) but it still isn't working.
Does the name of my key matter, or is each key tried before a match is found? I had created a new key specifically for this task and named it 'rsa_id_nopass.pub' and i am wondering if the '_nopass' part makes a difference. My private key has a matching name (except the .pub).
I did have to enable this:
Host *
because where I had added these:
RSAAuthentication yes
PubkeyAuthentication yes
was in a part that had no hosts defined. Then I restarted sshd but still no success.
p.s. alunduil greetings to a local Minnesotan!
Last edited by lefty.crupps; 06-06-2007 at 02:17 PM.
this may be due to a compromised ssh key.
Check /var/log/auth.log for a message about compromised keys, like this one:
Quote:
May 12 21:13:38 spiff sshd[5415]: Public key <your key fingerprint> from <source-ip> blacklisted (see ssh-vulnkey(1))
if this is the case, update your openssl and openssh packages using aptitude or whatever you use and afterwards create a new key using
ssh-keygen. (overwrite your old key and create a backup if needed before).
WITHOUT YOUR OLD KEY, YOU WILL NOT BE ABLE TO LOG IN TO MACHINES ONLY ACCEPTING YOUR KEY AS AUTH, NO PASSWORD! BE SURE TO DOUBLE CHECK, WHAT YOU DO! You have to (re)deploy the new key to all machines you want be able to auth using the key using ssh-copy-id.
After the update, the login should be possible.
btw: the username must not be identical, simply call "ssh username@hostname" to log into another username on the remote machine...
Last edited by doc.nice; 05-12-2009 at 02:41 PM.
Reason: hint about identical usernames added
1. There's no such thing as RedHat Enterprise Linux 9, if that's really RH v9 (codename Shrike), its so out of date is not funny. RHEL is currently on v5.3.
2. Are you sure you really want to be able to login remotely as root? That's usually not recommended for security reasons, especially if its on the internet
(Actually, re-reading, passwordless ie via keys is probably ok...)
3. when describing your problem, please be careful to specify whether you are editing ssh_config or sshd_config, they both exist and it makes all the difference as to which one you edit. (See your OP).
Last edited by chrism01; 05-14-2009 at 07:37 PM.
Reason: adjust point 2
put /etc/ssh/ssh_host_rsa_key.pub from the remote server in the authorized_keys file on the local host. Then ssh with the -i switch and the path for the identity file. As long as the permissions are correct for .ssh and the underlying files are correct and the PermitRootLogin line of sshd_config is set to yes you should be good.
Remember to check not only the directory permissions and ownership, but also the authorized_keys file. It should belong to the user and be chmod'ed to 700.
This will solve your problem almost for sure, it did solve mine :-)
My public auth ssh was not working and my home directory permissions were the problem. I had to remove group and other write permissions to my home directory and then everything worked:
chmod go-w ~/
Looking at /var/log/auth.log what what helped me figure out what was going wrong.
We have had two of us working on getting ssh keys working on a Fedora Core 13 server. We have done this kind of thing many times before and truly believe the ssh set up to be a real pain. For one reason or another you can waste days of time getting it to work.
I have to post this one because the previous poster has almost hit the nail on the head - and we have spent all this time not seeing it here because we weren't searching for the right thing. So for all others out there I think it only right to add a few terms for searching here:
putty keys do not connect
cannot ssh connect to linux server
Fedora Core 13 cannot ssh
linux ssh drops key
sshd bugs
OK, the problem is inside the sshd_config file. There is a setting
AuthorizedKeysFile .ssh/authorized_keys
This is a real bad bug because you look at it and you think it is OK. The problem is that the only way you can find this problem is to see where it looks. You do this by putting sshd into debug logging (by changing another setting in sshd_config - LogLevel INFO to LogLevel DEBUG). When you do that, /var/log/secure shows that sshd is looking for //.ssh/authorized_keys.
So, the previous poster is correct in saying that changing it to /root/.ssh/authorized_keys works. But, of course, you then have to use the same public key for every users (not good). So, the answer is to amend the sshd_config file to look in all users .ssh folders. I haven't done this yet, but it should be straight forward (~/ won't cut it. root sees this as its own home)
So, I have just lost about 20 hours of my life just for that. Thanks guys.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.