allowing ssh connection without password as user how do I do it...?
I have an application that needs to connect to X through ssh...
My host can be pinged all right:
bash-3.1$ ping iskandhar
PING iskandhar.site (192.168.100.10) 56(84) bytes of data.
64 bytes from iskandhar.site (192.168.100.10): icmp_seq=1 ttl=64 time=0.031 ms
64 bytes from iskandhar.site (192.168.100.10): icmp_seq=2 ttl=64 time=0.028 ms
64 bytes from iskandhar.site (192.168.100.10): icmp_seq=3 ttl=64 time=0.027 ms
64 bytes from iskandhar.site (192.168.100.10): icmp_seq=4 ttl=64 time=0.027 ms
^C
--- iskandhar.site ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3000ms
rtt min/avg/max/mdev = 0.027/0.028/0.031/0.004 ms
bash-3.1$
But when I try to access iskandhar through ssh it asks for a password, which I defined as empty when creating ssh ids...:
bash-3.1$ ssh iskandhar
The authenticity of host 'iskandhar (192.168.100.10)' can't be established.
RSA key fingerprint is 36:5a:02:5f:d4:29:81:f8:50:79:79:98:b1:0e:e1:e1.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'iskandhar,192.168.100.10' (RSA) to the list of known hosts.
alex@iskandhar's password:
Permission denied, please try again.
alex@iskandhar's password:
Permission denied, please try again.
alex@iskandhar's password:
Permission denied (publickey,password,keyboard-interactive).
bash-3.1$
How do I disable password checking when connecting to X through ssh...?
BRGDS
Alex
I changed the allowEmptyPassword thing in sshd_config, and had to change the r/w permissions in the ~/.ssh folder...
Works ok now... :
bash-3.1$ ssh localhost
Warning: untrusted X11 forwarding setup failed: xauth key data not generated
Warning: No xauth data; using fake authentication data for X11 forwarding.
Last login: Sun Nov 15 20:46:51 2009 from localhost
Linux 2.6.29.6.
C, n.:
A programming language that is sort of like Pascal except more
like assembly except that it isn't very much like either one, or
anything else. It is either the best language available to the art
today, or it isn't.
-- Ray Simard
It would be much safer to use a pub/priv key for password-less authentication. You can generate a key pair on the client using ssh-keygen and then add the public key to ~/.ssh/authorized_keys on the server.
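Added example, not part of the original posts: a small audit of the sshd_config login settings that come up in this thread (empty passwords, password authentication, root login), reporting the value sshd would take from the global section. The function names and the demo file are constructed for illustration; it assumes plain "Keyword value" lines.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# sshd_effective FILE KEYWORD: print the first value set for KEYWORD.
sshd_effective() {
    awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[ \t]*(#|$)/         { next }            # comments and blank lines
        tolower($1) == "match" { exit }            # conditional blocks start here
        tolower($1) == want    { print $2; exit }  # first obtained value wins
    ' "$1"
}

# audit_sshd FILE: print one line per finding; return 1 if any RISK was found.
audit_sshd() {
    risks=0
    if [ "$(sshd_effective "$1" PermitEmptyPasswords)" = yes ]; then
        echo "RISK PermitEmptyPasswords yes: accounts with an empty password can log in"
        risks=1
    fi
    pa=$(sshd_effective "$1" PasswordAuthentication)
    if [ "$pa" != no ]; then
        # unset means the sshd default applies, which is yes
        echo "RISK PasswordAuthentication ${pa:-unset}: passwords are accepted, keys are not required"
        risks=1
    fi
    rl=$(sshd_effective "$1" PermitRootLogin)
    case $rl in
        yes) echo "RISK PermitRootLogin yes: root login is not restricted to keys"; risks=1 ;;
        without-password|prohibit-password)
             echo "INFO PermitRootLogin $rl: root login by key only" ;;
    esac
    return "$risks"
}

# Constructed demo input: an empty-password setup with a later, ignored override.
demo=$(mktemp)
printf '%s\n' '# constructed sample' 'PermitEmptyPasswords yes' \
    'PasswordAuthentication yes' 'passwordauthentication no' > "$demo"
audit_sshd "$demo" || echo "=> fix the RISK lines, then reload sshd"
rm -f "$demo"
```

The second PasswordAuthentication line in the demo is ignored because sshd uses the first value it obtains for each keyword.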
I believe password-less logins work best with keys. With a user's public key available in authorized_keys, then that user should be able to login without a password. This is not the same as using empty passwords. The public/private key combo functions like using passwords but is more secure.
Here is my sshd_config:
Code:
Protocol 2
SyslogFacility LOCAL6
LoginGraceTime 30s
PasswordAuthentication no
AllowTcpForwarding yes
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
PrintMotd no
PrintLastLog no
Subsystem sftp /usr/libexec/sftp-server
Some people will scream with the following advice, but you can enable root logins without using a password. You decide if that is what you want. You need root's public key in authorized_keys. Then in sshd_config add:
Code:
PermitRootLogin without-password
To use X apps through ssh, you'll need at least the following in ssh_config:
Something you may want to consider is not editing /etc/ssh/sshd_config (which is system-wide) in favor of editing individual user accounts. The way you do this is to add ~/.ssh/config and that file contains the directives you want for that specific user to access specific other machines both on your intranet and external machines as well.
I have three machines on my intranet, fubar, snafu and pita; I also access external machines and permit one of them access to my machines ('cause it's a Sun workstation that I use at work -- that machine is not shown below, but its configuration is identical to the others). My ~/.ssh/config files all look like this one (which resides on pita):
Code:
Host fubar
    ForwardAgent yes
    ForwardX11 yes
    Compression yes
    Protocol 2,1
    User trona

Host fubar
    ForwardX11 yes
    Compression yes
    Protocol 2,1
    User root

Host snafu
    ForwardAgent yes
    ForwardX11 yes
    Compression yes
    Protocol 2,1
    User trona

Host snafu
    ForwardX11 yes
    Compression yes
    Protocol 2,1
    User root

Host *
    ForwardX11 no
What this gives you is control (over individual users; e.g., your kids can't go fooling around in places you don't want them experimenting -- and that goes for all other users too) and, when there is an update you don't have to go fooling around reediting /etc/ssh/sshd_config either.
The above counts on the ~/.ssh/known_hosts and ~/.ssh/authorized_keys (containing the public keys for each user account on the external servers) as described in previous posts. When I generate keys I do not use a pass phrase (I just hate typing passwords all the time) knowing that I'm going to copy the public key to other machines and knowing that SSH's public-private key mechanism works just fine. Then it's a simple matter of typing ssh fubar and getting connected either locally or remotely.
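Added example, not part of the original posts: installing a public key into authorized_keys with owner-only modes, and checking the permissions that sshd's StrictModes test looks at (the ~/.ssh permission problem mentioned earlier in the thread). The function names and the sample key line are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# install_pubkey HOME_DIR "PUBLIC KEY LINE"
# Adds the key to HOME_DIR/.ssh/authorized_keys once, with owner-only modes.
install_pubkey() {
    ssh_dir="$1/.ssh"
    auth_file="$ssh_dir/authorized_keys"
    mkdir -p "$ssh_dir" || return 1
    chmod 700 "$ssh_dir"
    touch "$auth_file"
    chmod 600 "$auth_file"
    # -x whole line, -F fixed string: append only if not already present
    grep -qxF -- "$2" "$auth_file" || printf '%s\n' "$2" >> "$auth_file"
}

# check_ssh_perms HOME_DIR
# With StrictModes (the sshd default) key login is refused when the home
# directory, ~/.ssh or authorized_keys is writable by group or others.
# Prints each offending path; returns 1 if there is any.
check_ssh_perms() {
    status=0
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        # -prune keeps find from descending: only the path itself is tested
        hit=$(find "$p" -prune \( -perm -020 -o -perm -002 \) -print)
        if [ -n "$hit" ]; then
            echo "writable by group/others: $p"
            status=1
        fi
    done
    return "$status"
}

# Typical use on the server account (public key line is a constructed sample):
#   install_pubkey "$HOME" "ssh-ed25519 AAAA...constructed alex@client"
#   check_ssh_perms "$HOME" || echo "fix with: chmod go-w <path>"
```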
...To use X apps through ssh, you'll need at least the following in ssh_config:
Hi Woodsman,
It helps all right, but I guess I also have to disable the noListen TCP option thing, only I do not know how it is done, I mean, I've searched man xinit, and man x, and there is no clue as to what is the allowed syntax, and where in .xinitrc must I drop that command... is it noListenTCP=0...?
I know that if one uses a DE, one sets this in XDM, KDM, or GDM ( Like I set it in Lenny/Gnome ) , but I am only using a WM.... I boot directly into startx to fluxBox...
It helps all right, but I guess I also have to disable the noListen TCP option thing, only I do not know how it is done, I mean, I've searched man xinit, and man x, and there is no clue as to what is the allowed syntax, and where in .xinitrc must I drop that command... is it noListenTCP=0...?
I modify my startx script:
serverargs="-dpi 120 -ac -nolisten tcp"
Look here for an example. The startx file is linked at the bottom.
-nolisten tcp has nothing to do with ssh and X11Forwarding.
Ok, but AFAIK -nolisten tcp is enabled by default in Slackware... (and in many other distros BTW) And it stops an application that I have from creating an XTerm window displaying a runtime process...
How do I disable it...?
Should be enough to modify the
serverargs="-dpi 120 -ac -nolisten tcp" to serverargs="-dpi 120 -ac", right ?
(I ask this because I am not w/ my slackware box right now...)
serverargs="-dpi 120 -ac -nolisten tcp" to serverargs="-dpi 120 -ac", right ?
Yes, you can modify the arguments --- if you want 120 dots per inch and want to allow listening to TCP.
Know that these arguments can be passed at the command line or embedded in an alias for startx. The parameters do not affect the graphical login manager such as KDM. For run level 4 you have to add the same options to the kdmrc config file.
Ok, but AFAIK -nolisten tcp is enabled by default in Slackware... (and in many other distros BTW) And it stops an application that I have from creating an XTerm window displaying a runtime process...
Alex
The "-nolisten tcp" will just stop the X server from listening on its normal TCP/6000. (Generally a good idea and why it is the default.)
This TCP port is only needed when connecting directly to the X server from another machine.
To do this you need to allow access via "xhost" and set the "$DISPLAY" variable correctly.
As I said this has nothing to do with X11Forwarding and ssh.
ssh sets the DISPLAY variable automatically and tunnels X through an encrypted channel. The X TCP port is not used nor is xhost etc...
(The ForwardAgent is also not actually required (I'll explain this later).)
If you have the correct ssh keys set up and "ForwardX11" is "yes" in the server (target machine) sshd_config it should be easy to test with.
Code:
ssh -Y user@somehost some_program_to_run
For example
Code:
ssh -Y mrgoblin@groupy rxvt
will start a remote rxvt but display it on my local X session.
(you can skip the -Y if you set "ForwardX11Trusted" for that host in your .ssh/config file)
Now I can hear the screaming already but the pass-phrase-less keys are not the most secure approach and not needed either. If anyone gets a copy of your private key then they have unfettered access to any machine that has your public key installed.
You should be creating keys with a pass-phrase and taking advantage of ssh-agent to remember said phrase.
You can check if ssh-agent is already running by looking for the SSH_AGENT_PID and SSH_AUTH_SOCK variables.
Code:
env |fgrep SSH
should show them.
If they are there then skip the next step.
If there is no sign of ssh-agent running then do this.
Code:
eval $(exec ssh-agent)
You should now see those variables.
Now simply load your private key
Code:
ssh-add ~/.ssh/id_dsa
which should prompt you for your pass-phrase.
Now you can ssh to those hosts without being asked for the pass-phrase each time.
The "ForwardAgent" refers to the forwarding of the ssh-agent credentials allowing you to carry them with you as you hop from host to host.
If you have your keys loaded into ssh-agent there is also a simple way to send your public key to another host.