LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices


Reply
  Search this Thread
Old 08-22-2008, 09:39 PM   #1
vikas027
Senior Member
 
Registered: May 2007
Location: Sydney
Distribution: RHEL, CentOS, Ubuntu, Debian, OS X
Posts: 1,305

Rep: Reputation: 107Reputation: 107
Unhappy problem adding ssh keys to skip password prompt


Hi all,

I had around 25 servers to add ssh-keygen in authorized_keys file.
I did that in 22 servers successfully through a command
Code:
scp 123.pub OB5adm1N@10.12.42.74:/home/OB5adm1N/.ssh/
and then
cat 123.pub >> authorized_keys
BUT on rest three servers its still asking for the password. Is there some other security in some file ??

I have already matched the ownership, file/directory permissions etc of the all the files from the server where it is working fine.

Pls suggest.

Thanks in adv.
VIKAS
 
Old 08-22-2008, 09:46 PM   #2
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122Reputation: 122
Compare the server configs from a working box and a non-working box (/etc/ssh/sshd_config)
 
Old 08-22-2008, 09:57 PM   #3
vikas027
Senior Member
 
Registered: May 2007
Location: Sydney
Distribution: RHEL, CentOS, Ubuntu, Debian, OS X
Posts: 1,305

Original Poster
Rep: Reputation: 107Reputation: 107
Quote:
Originally Posted by billymayday View Post
Compare the server configs from a working box and a non-working box (/etc/ssh/sshd_config)
I have also matched the parameters of /etc/ssh/sshd_config and then restarted the service, BUT still issue persists.

Is there some other file I can check.

These are the parameters which are not hashed out in /etc/ssh/sshd_config in both working box and a non-working box

Code:
----------------------------------------------------------------
grep -v ^# /etc/ssh/sshd_config
SyslogFacility AUTHPRIV
X11Forwarding yes
Subsystem       sftp    /usr/libexec/openssh/sftp-server
----------------------------------------------------------------
Pls help

Last edited by vikas027; 08-22-2008 at 10:01 PM. Reason: forgot something
 
Old 08-22-2008, 10:12 PM   #4
matthewg42
Senior Member
 
Registered: Oct 2003
Location: UK
Distribution: Kubuntu 12.10 (using awesome wm though)
Posts: 3,530

Rep: Reputation: 65
You need to make sure the authorized_keys file has the correct permissions. It should be chmoded to 600 (user read+write, group and other no perms), as should your ~/.ssh/config file. I think the ~/.ssh directory should be set to perms 700.

i.e. on the remote host
Code:
chmod 600 ~/.ssh/*
chmod 700 ~/.ssh
If your distro distributes it, or if you download it off the net, you could use the ssh-copy-id script which will copy a key to your remote machine's authorized_keys file and set the required permissions.

If you still cannot use public key authentication, try generating an RSA key. I found a few servers (notably my host-co) which only allows ssh public key authentication using an RSA key (not DSA, which my ssh-keygen program creates by default).

Another way to get more information about what is going on might be to try to connect using the -v option to ssh. You can use it multiple times to get more verbose info.

If all these fail, I think it must be a config issue on the host you are connecting to. Make sure the sshd_config which is used is the one you are looking at (consider that your distro might put the working copy in a weird place - locate might be helpful to find it).

Last edited by matthewg42; 08-22-2008 at 10:14 PM.
 
Old 08-22-2008, 10:14 PM   #5
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122Reputation: 122
I take it you are generating the keys on the servers thebn scp'ing them out?

Are you running the same version of openssh-server on all servers?
 
Old 08-22-2008, 10:23 PM   #6
vikas027
Senior Member
 
Registered: May 2007
Location: Sydney
Distribution: RHEL, CentOS, Ubuntu, Debian, OS X
Posts: 1,305

Original Poster
Rep: Reputation: 107Reputation: 107
Unhappy

Quote:
Originally Posted by billymayday View Post
I take it you are generating the keys on the servers thebn scp'ing them out?

Are you running the same version of openssh-server on all servers?
Exactly, I have done it many times before and runs perfectly. BUT I don't know why these 2-3 servers are giving problems.

I have matched everything from file permissions to dir permissions, default parameters in /etc/ssh/sshd_config.

And yes I am using same version -- openssh-server-3.9p1-8.RHEL4.12 on both working and non-working boxes.
 
Old 08-22-2008, 10:29 PM   #7
vikas027
Senior Member
 
Registered: May 2007
Location: Sydney
Distribution: RHEL, CentOS, Ubuntu, Debian, OS X
Posts: 1,305

Original Poster
Rep: Reputation: 107Reputation: 107
Angry

Quote:
Originally Posted by matthewg42 View Post
You need to make sure the authorized_keys file has the correct permissions. It should be chmoded to 600 (user read+write, group and other no perms), as should your ~/.ssh/config file. I think the ~/.ssh directory should be set to perms 700.

i.e. on the remote host
Code:
chmod 600 ~/.ssh/*
chmod 700 ~/.ssh
changing the permission of these files is just for security purpose... it is not mandatory. However, i am using the 600 permission only.

I have already tried two times generating the keys with ssh-kegen -t dsa
as well as ssh-kegen -t rsa both.

The keys runs fine on all servers except some specific ones.

I can feel I am missing something very stupid or some other file which is unexplored by me.
 
Old 08-22-2008, 10:33 PM   #8
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122Reputation: 122
I can't see how it would apply, by try switching SELinux off for a test (setenforce 0)
 
Old 08-23-2008, 12:40 AM   #9
vikas027
Senior Member
 
Registered: May 2007
Location: Sydney
Distribution: RHEL, CentOS, Ubuntu, Debian, OS X
Posts: 1,305

Original Poster
Rep: Reputation: 107Reputation: 107
Unhappy

Quote:
Originally Posted by billymayday View Post
I can't see how it would apply, by try switching SELinux off for a test (setenforce 0)
I did the same BUT still not working.
 
Old 08-23-2008, 12:52 AM   #10
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122Reputation: 122
Ramp the loglevel up to debug and see what's happening
 
Old 08-23-2008, 02:03 AM   #11
matthewg42
Senior Member
 
Registered: Oct 2003
Location: UK
Distribution: Kubuntu 12.10 (using awesome wm though)
Posts: 3,530

Rep: Reputation: 65
Quote:
Originally Posted by vikas027 View Post
changing the permission of these files is just for security purpose... it is not mandatory. However, i am using the 600 permission only.
I believe that with some ssh implementations it is not optional - public key authentication will not work without the proper permissions. If you do not accept the advice, that is your business.
 
Old 08-23-2008, 08:02 AM   #12
/bin/bash
Senior Member
 
Registered: Jul 2003
Location: Indiana
Distribution: Mandrake Slackware-current QNX4.25
Posts: 1,802

Rep: Reputation: 47
Are you checking the server files at the server or from a ssh session?
Is it possible that the servers are putting you in a chroot environment and you are not actually seeing the config files. Maybe go to the servers and make changes there.
 
Old 08-23-2008, 09:13 AM   #13
/bin/bash
Senior Member
 
Registered: Jul 2003
Location: Indiana
Distribution: Mandrake Slackware-current QNX4.25
Posts: 1,802

Rep: Reputation: 47
Something you can try, add this line to /etc/ssh/sshd_config
Banner /etc/issue.net
Restart and login and if the banner did change then you know you are actually working with the correct config file.
 
Old 08-23-2008, 10:27 PM   #14
vikas027
Senior Member
 
Registered: May 2007
Location: Sydney
Distribution: RHEL, CentOS, Ubuntu, Debian, OS X
Posts: 1,305

Original Poster
Rep: Reputation: 107Reputation: 107
Wink

Quote:
Originally Posted by matthewg42 View Post
I believe that with some ssh implementations it is not optional - public key authentication will not work without the proper permissions. If you do not accept the advice, that is your business.

May be you are right, But the same keys with same permissions are working fine on other servers.
Anyways, thanks.
 
Old 08-23-2008, 10:38 PM   #15
vikas027
Senior Member
 
Registered: May 2007
Location: Sydney
Distribution: RHEL, CentOS, Ubuntu, Debian, OS X
Posts: 1,305

Original Poster
Rep: Reputation: 107Reputation: 107
Angry

Quote:
Originally Posted by /bin/bash View Post
Something you can try, add this line to /etc/ssh/sshd_config
Banner /etc/issue.net
Restart and login and if the banner did change then you know you are actually working with the correct config file.
I did this, banner changed. I am using the correct config file. God knows where I am wrong.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Skip fingerprint prompt in SSH davoti Linux - Security 1 07-17-2007 01:36 PM
ssh no password prompt dtra Linux - Software 9 05-25-2005 01:08 PM
ssh password prompt delay long while chaze Linux - Networking 1 04-14-2005 10:03 PM
ssh without the password prompt markehb Linux - Networking 27 03-25-2004 11:12 AM
remote command over ssh, password prompt linowes Linux - General 2 10-27-2002 08:22 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Software

All times are GMT -5. The time now is 01:29 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration