LinuxQuestions.org
Old 07-12-2018, 12:16 PM   #1
dan.mera
LQ Newbie
 
Registered: Feb 2009
Posts: 9

cannot connect w/o a password via ssh


Hello,
I hope that someone can suggest something to help me connect w/o a password to another server. Both source and destination are RedHat 7.4 (Maipo) version.
I'm trying to set up ssh keys between a server and multiple other ones and I cannot get rid of password authentication. Here is what is verified as prerequisites:
1. home directory is 755(source and destination )
2. .ssh directory is 700(source and destination )
3. all files are 600(authorized_keys,known_hosts,id_rsa and id_rsa.pub)(source and destination )
4. /etc/ssh/sshd_config has these set correctly:
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

Keys were copied with the ssh-copy-id command to avoid mistakes.
I tried to create dsa keys but got the same result, even though I can see another server which is connecting via a dsa key.
From the same source I can connect to one destination successfully, and comparing the /etc/ssh/sshd_config files, they are exactly the same.
To other destinations I'm getting this output using these commands:
ssh -vvv -i $HOME/.ssh/id-rsa xxx@hostname or
ssh -vvv xxx@hostname gives this:
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available (default cache: KEYRING:persistent:600)

debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available (default cache: KEYRING:persistent:600)

debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /xxx/xxx/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Offering DSA public key: /xxx/xxx/.ssh/id_dsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /xxx/xxx/.ssh/id_ecdsa
debug3: no such identity: /xxx/xxx/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /xxx/xxx/.ssh/id_ed25519
debug3: no such identity: /xxx/xxx/.ssh/id_ed25519: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
Any suggestions are appreciated as I ran out of new ideas from Google.
Thank you
 
Old 07-12-2018, 12:43 PM   #2
kilgoretrout
Senior Member
 
Registered: Oct 2003
Posts: 2,668

First, if you're running RHEL7.4, do you have a service contract with RedHat?

Second, exactly what command did you run to generate your key and what was the output.

I'm not an expert on RH systems, but judging from the output when you try to login, I'm guessing that for security reasons, RH has configured ssh to require both key and password. If you generated your key with a blank password, it may be refusing on that basis. Either that, or the key was generated with a password and you'll need to supply it when you login.

Last edited by kilgoretrout; 07-12-2018 at 12:49 PM.
 
Old 07-12-2018, 12:54 PM   #3
jsbjsb001
Senior Member
 
Registered: Mar 2009
Location: Earth? I would say I hope so but I'm not so sure about that... I could just be a figment of your imagination too.
Distribution: CentOS at the time of this writing, but some others over the years too...
Posts: 2,028

Quote:
Originally Posted by kilgoretrout
...I'm not an expert on RH systems, but judging from the output when you try to login, I'm guessing that for security reasons, RH has configured ssh to require both key and password. If you generated your key with a blank password, it may be refusing on that basis. Either that, or the key was generated with a password and you'll need to supply it when you login.
Not so sure about that. I used SSH from my smartphone to my desktop with CentOS 7.4 and it worked without any keys setup. They might need to enable certain options in their SSH config file.
 
Old 07-12-2018, 12:57 PM   #4
dan.mera
LQ Newbie
 
Registered: Feb 2009
Posts: 9

Original Poster
I generated the key using ssh-keygen -t rsa -b 2048 and I didn't use a password for the key. The same key will connect to another destination w/o asking for any password. There is a service contract with RedHat, but I'm not the Linux admin, even though the account used can su to root, but the connection is attempted from the user and not from root.
Thanks

Last edited by dan.mera; 07-12-2018 at 01:03 PM.
 
Old 07-12-2018, 01:01 PM   #5
jsbjsb001
Senior Member
 
Registered: Mar 2009
Location: Earth? I would say I hope so but I'm not so sure about that... I could just be a figment of your imagination too.
Distribution: CentOS at the time of this writing, but some others over the years too...
Posts: 2,028

Quote:
Originally Posted by dan.mera
I generated the key using ssh-keygen -t rsa -b 2048 and i didn't use a password for the key. the same key will connect to another destination w/o asking for any password.
thanks
Did you notice any of the following messages ?

Code:
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
...
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available (default cache: KEYRING:persistent:600)
...
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /xxx/xxx/.ssh/id_ecdsa
debug3: no such identity: /xxx/xxx/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /xxx/xxx/.ssh/id_ed25519
debug3: no such identity: /xxx/xxx/.ssh/id_ed25519: No such file or directory
From your error messages, it looks like it cannot find the key you created. And please use CODE tags when posting command output.
 
Old 07-12-2018, 01:15 PM   #6
scasey
Senior Member
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.5
Posts: 2,018

Look at (but probably shouldn't post) the contents of ~/.ssh/authorized_keys on the remote server to confirm that the key is there.

Also, note that man ssh-copy-id says:
Code:
The default_ID_file is the most recent file that matches: ~/.ssh/id*.pub...
so check that with
Code:
lr ~/.ssh/id*.pub
on the local server to be sure the correct key got copied.

Review man ssh-copy-id for details.

Oh! Is the account logging in as root? Or as the non-privileged user?
 
Old 07-12-2018, 01:22 PM   #7
michaelk
Moderator
 
Registered: Aug 2002
Posts: 17,736

Code:
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /xxx/xxx/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Offering DSA public key: /xxx/xxx/.ssh/id_dsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
The OP only stated that rsa and dsa keys were created. Both keys were offered but neither was accepted by the server. As stated, the correct public key might not have been copied to the destination.

Is the other destination also running RHEL 7? I don't know if it is configured for 2fa. CentOS 7 is not.

Last edited by michaelk; 07-12-2018 at 01:23 PM.
 
Old 07-12-2018, 01:38 PM   #8
dan.mera
LQ Newbie
 
Registered: Feb 2009
Posts: 9

Original Poster
Now that you mentioned it, I noticed this when comparing. Connecting to a destination, successful:
Quote:
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /data/britebil/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Offering DSA public key: /data/britebil/.ssh/id_dsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-dss blen 435
and unsuccessful:
Quote:
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /data/britebil/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Offering DSA public key: /data/britebil/.ssh/id_dsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /data/britebil/.ssh/id_ecdsa
debug3: no such identity: /data/britebil/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /data/britebil/.ssh/id_ed25519
debug3: no such identity: /data/britebil/.ssh/id_ed25519: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
Source and destination (2 servers) are running the same version of RHEL 7.4. I compared the destinations' (success vs unsuccess) keys and they are identical. The connection is running as a regular user. Thanks to all so far for the questions and notes/suggestions.

Last edited by dan.mera; 07-12-2018 at 01:47 PM. Reason: add more details
 
Old 07-12-2018, 06:56 PM   #9
michaelk
Moderator
 
Registered: Aug 2002
Posts: 17,736

Quote:
compared the destinations(success vs unsuccess) key and they are identical.
The authorized_keys files are identical on both destinations? Did you copy both public keys, i.e. the id_dsa.pub and id_rsa.pub, to each server? Could you have overwritten one of the keys so the public key on the unsuccessful destination does not match the private key?

How many keys are in the authorized_keys file on the unsuccessful server? Can you start over, i.e. delete the file and copy the correct public key?
 
Old 07-13-2018, 11:51 AM   #10
dan.mera
LQ Newbie
 
Registered: Feb 2009
Posts: 9

Original Poster
One of my colleagues found the solution, which I would like to share:
It seems that the security around the authentication had to do something with SE Linux (not sure how that works),
but the home directory for this id changed from /home/user to /data/user.
ls -aZ would show the security context like this:
drwx------. user user unconfined_u:object_r:default_t:s0 .ssh
and the solution was found on this link: https://www.sysarchitects.com/ssh_and_rhel6
Changing the security context using these commands
chcon -t ssh_home_t .ssh/
chcon -t ssh_home_t .ssh/authorized_keys
will make the security context like this:
drwx------. user user system_u:object_r:ssh_home_t:s0 .ssh

and the connection is successful.
Thank you to everyone who looked at it and tried to help me and hopefully it will help someone.
 
2 members found this post helpful.
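
Added example (not part of the original post or the linked article): a POSIX shell check that reads `ls -Z` lines and reports `.ssh` entries whose SELinux type is not `ssh_home_t`, the condition behind the silent public key rejection above. The function names and the sample lines are constructed for illustration; `/data/user` is the relocated home from the post. Labels set with `chcon` can be lost on a filesystem relabel, so the example also prints the `semanage fcontext` and `restorecon` commands that record the label in policy.

```sh
#!/bin/sh
# Added example: flag ~/.ssh entries whose SELinux type is not ssh_home_t.
# Names (selinux_type, audit_ssh_labels, persistent_fix) are made up here.

# Constructed samples in the `ls -Z` layout shown in the post above.
SAMPLE_BEFORE='drwx------. user user unconfined_u:object_r:default_t:s0 .ssh
-rw-------. user user unconfined_u:object_r:default_t:s0 .ssh/authorized_keys'
SAMPLE_AFTER='drwx------. user user unconfined_u:object_r:ssh_home_t:s0 .ssh
-rw-------. user user unconfined_u:object_r:ssh_home_t:s0 .ssh/authorized_keys'

# user:role:type:level -> type
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read `ls -Z` lines on stdin, print "<name> <type>" for each mislabeled
# entry, and return 1 if any was found. The body runs in a subshell so
# that set -f and the positional parameters stay local to the function.
audit_ssh_labels() (
    set -f                                    # no globbing while splitting
    bad=0
    while read -r line; do
        set -- $line                          # split the line on whitespace
        [ "$#" -ge 2 ] || continue            # skip blank or short lines
        while [ "$#" -gt 2 ]; do shift; done  # keep only <context> <name>
        setype=$(selinux_type "$1")
        if [ "$setype" != "ssh_home_t" ]; then
            printf '%s %s\n' "$2" "$setype"
            bad=1
        fi
    done
    exit "$bad"
)

# Print the commands that make the label survive a relabel.
# $1 = relocated home directory.
persistent_fix() {
    printf "semanage fcontext -a -t ssh_home_t '%s/.ssh(/.*)?'\n" "$1"
    printf 'restorecon -Rv %s/.ssh\n' "$1"
}

# On a real host: ls -dZ ~/.ssh ~/.ssh/authorized_keys | audit_ssh_labels
if ! printf '%s\n' "$SAMPLE_BEFORE" | audit_ssh_labels; then
    persistent_fix /data/user
fi
```

The client-side `ssh -vvv` output cannot show this cause; on the server, with auditd running, the matching AVC denials for sshd are recorded in /var/log/audit/audit.log.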
Old 07-14-2018, 01:30 PM   #11
kilgoretrout
Senior Member
 
Registered: Oct 2003
Posts: 2,668

Quote:
it seems that the security around the authentication had to do something with SE Linux.(not sure how that works)
Should have known. I'm not sure anyone knows how selinux works. The first thing I've always done when running fedora is disable it and I'm not alone. That's obviously not appropriate in a production environment, however.
 
  

