ssh-keygen for auto ssh login not working
I followed the information provided on this page to use ssh-keygen to generate ssh keys to allow me to login to some machines on the local network that would not require me to login (because I'm writing a script that needs to ssh into these machines and execute various commands). These machines are running different versions of Linux, including one WindowsXP machine running cygwin.
It worked great for every machine except for one embedded system that is running a minimal version of debian. I copied over the key to it exactly the same as I did for the other machines, but it still requires me to enter a password. I checked permissions and also tried to save the key to .ssh/authorized_keys2 as the webpage suggests, but nothing changed. I don't see any messages at all regarding ssh so I'm unable to really figure out what I should do, and a general web search didn't help me either. Does anyone have an idea of what might be wrong or what I could be missing? One important distinction is on this machine, when I ssh into it I have to login as root. So I stored my ssh key in /root/.ssh/authorized_keys instead of in a user's local home .ssh folder. I'm wondering if there's something special or different I need to do for ssh'ing in as root as opposed to a normal user. |
Also I checked the permissions of .ssh and authorized_keys and they are both correct as far as I know (again, according to the site I linked to in my original post).
|
Does ssh -vvv ... show any hint of pubkey authentication?
|
Ah thanks, didn't even know about that ssh option.
Code:
$ ssh -vvv root@192.168.1.4 |
The authorized_keys file will be used on the server side. You can limit the kind of authorization with:
Code:
$ ssh -vvv -oPreferredAuthentications=publickey root@192.168.1.4 |
Doesn't this part of the log:
Code:
$ ssh -vvv root@192.168.1.4 |
The most likely cause of this is that you are generating the keys on an ssh-2 machine but your target machine is installed with ssh-1 protocol and never the twain shall meet .....
debug1: Connection established. debug1: identity file /home/militho/.ssh/identity type -1 debug3: Not a RSA1 key file /home/militho/.ssh/id_rsa. <----------- debug2: key_type_from_name: unknown key type '-----BEGIN' debug3: key_read: missing keytype |
I have the output about the failed RSA1 detection all the time I use -vvv and it doesn’t mean the server expect only RSA1, nor prohibits it to log in using RSA2 keys AFAICS, for me it works despite the debug message.
|
Does that SSH server accept root login?
You can simply verify that in your sshd_config (usually located in /etc/ssh/). Do you have the parameter "PermitRootLogin yes"? Hope this helps! |
Sorry I've been absent here the past couple of days. I got tied up with some other work.
Yes, the sshd server permits root login. If it didn't I shouldn't be able to login as root as all, right? And I can ssh as root into that machine, just not without requiring a password. After reading everyone's feedback and going through the ssh-keygen man page, I tried a couple of things and still have the same problem. Code:
# Try generating rsa1 keys Code:
$ ssh -vvv -oPreferredAuthentications=publickey root@192.168.1.4 |
As suggested: can you please check the logfile on the server, e.g. /var/log/messages?
|
Oops, sorry I skipped over that. There is nothing in /var/log/messages; its simply a blank file. A different company setup this embedded system (it runs some version of Debian) and I have no idea how they have it configured. I didn't see anything else in /var/log that looked like it would contain any useful information.
|
/root is also not writable by anyone else, as its permission is checked too.
I only know of a setting with the opposite effect: diallow password login for root, but still allow logins by publickey method. Maybe the location of the authorized_keys file is different. Is there a line like: Code:
AuthorizedKeysFile |
There is but its commented out.
Code:
$ cat /etc/ssh/sshd_config | grep Keys |
Ok, then it’s not used. But usually the default is written in this form and so I assume that the home directory of root is /root on this machine where you put the keys?
|
Check /etc/ssh/sshd_config. Do you have the following settings enabled?
Code:
RSAAuthentication yes Code:
PermitRootLogin no Also what do the following logs say (depending on your OS): Code:
tail -f /var/log/secure |
Yes, the home directory of root is /root and I put all the keys in /root/.ssh/authorized_keys
|
I also had a problem with PAM as it's required on sshd in debian with public keys.
Code:
UsePAM yes |
Yes, PAM is enabled in my sshd_config. Thanks for the suggestion though.
|
Did you see my previous comment about the auth logs? What do they say when you attempt to auth?
|
Quote:
Quote:
Fortunately, this particular machine does not have a direct connection to the outside world. Its part of a small local network of machines, so I have to first login to one of the two machines that do have an external connect and then from there ssh into this internal system. And we never ssh in as root to those machines with external access (I'm pretty sure root ssh access is disabled). Quote:
|
Well I figured out the problem. After searching for information on one of the debug messages I got earlier ("we did not send a packet, disable method"), I came across a forum thread where someone said they fixed their issue by changing the permissions on the home directory, as ssh apparently does not like it to have 777 permissions. I checked, and sure enough root had these permissions:
Code:
drwxrwxrwt 13 root root 180 1933-12-03 03:48 root Code:
# chmod 755 root Thanks for your help everyone. I wouldn't have found the answer myself if you weren't all helping to guide me to the solution. |
It doesn't like the .ssh directory to have permissions other than 700. I haven't heard of it checking on the home directory. I wonder if ssh is barfing because of the .ssh permissions?
|
No I checked .ssh multiple times and it did indeed have 700 permissions.
|
ssh-keygen
Since you have already made some attempt first of all remove all content from /root/.ssh/konown_hosts and /root/.ssh/authorized_keys in both machine, that means your machine and the machine you wish to login.
Follow below steps, In your machine execute following commands #ssh-keygen (give passphrase when prompting) #ssh-copy-id root@<IP of remote machine> #ssh root@IP First time it will prompt to enter passphrase, hereafter it will not prompt. If it is not works, Please mail me #sham_antony@aol.com# |
just use "ssh-copy-id" to get your key to the machine where you want to log in.
And allow root login is .... erm... NEVER ALLOW THAT log in as normal user and issue then a "su" or "sudo" |
Password locked?
I had this same problem stump me for over 2 hours. Continually applying the same fixes outlined here. Then I looked at the shadow file and saw that the account was locked. Unlocking the account enabled the ssh key login to work. It would simply fail the login with no error message.
|
All times are GMT -5. The time now is 10:45 PM. |