LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices


Reply
  Search this Thread
Old 11-15-2009, 01:45 PM   #1
Alexvader
Member
 
Registered: Oct 2009
Location: Japan
Distribution: Arch, Debian, Slackware
Posts: 994

Rep: Reputation: 94
allowing ssh connection without password as user how do I do it...?


Hi Forum, I have configured ssh to work in my Slackware box...


bash-3.1$ ssh-keygen -t rsa
bash-3.1$ cat ~/.ssh/id_rsa.pub > ~/.ssh/authorized_keys


I have an aplication that needs to connect to X through ssh...


My host can be pinged allright :

bash-3.1$ ping iskandhar
PING iskandhar.site (192.168.100.10) 56(84) bytes of data.
64 bytes from iskandhar.site (192.168.100.10): icmp_seq=1 ttl=64 time=0.031 ms
64 bytes from iskandhar.site (192.168.100.10): icmp_seq=2 ttl=64 time=0.028 ms
64 bytes from iskandhar.site (192.168.100.10): icmp_seq=3 ttl=64 time=0.027 ms
64 bytes from iskandhar.site (192.168.100.10): icmp_seq=4 ttl=64 time=0.027 ms
^C
--- iskandhar.site ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3000ms
rtt min/avg/max/mdev = 0.027/0.028/0.031/0.004 ms
bash-3.1$

But when i try to access iskandhar through ssh it asks for a password, which i defined as empty when creating ssh ids... :


bash-3.1$ ssh iskandhar
The authenticity of host 'iskandhar (192.168.100.10)' can't be established.
RSA key fingerprint is 36:5a:02:5f:d4:29:81:f8:50:79:79:98:b1:0e:e1:e1.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'iskandhar,192.168.100.10' (RSA) to the list of known hosts.
alex@iskandhar's password:
Permission denied, please try again.
alex@iskandhar's password:
Permission denied, please try again.
alex@iskandhar's password:
Permission denied (publickey,password,keyboard-interactive).
bash-3.1$



How do I disable password checking when connecting to X through ssh...?


BRGDS

Alex
 
Click here to see the post LQ members have rated as the most helpful post in this thread.
Old 11-15-2009, 01:56 PM   #2
EricTRA
LQ Guru
 
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 20 with Awesome WM
Posts: 6,805
Blog Entries: 1

Rep: Reputation: 1297Reputation: 1297Reputation: 1297Reputation: 1297Reputation: 1297Reputation: 1297Reputation: 1297Reputation: 1297Reputation: 1297
Hi,

Did you change your sshd_config to allow empty passwords? Because standard it doesn't as far as I know. Beware that this opens a security risk.

I used this, and it works great, it automatically lets me login without providing password. Although not tested using X.

Kind regards,

Eric
 
Old 11-15-2009, 03:16 PM   #3
Alexvader
Member
 
Registered: Oct 2009
Location: Japan
Distribution: Arch, Debian, Slackware
Posts: 994

Original Poster
Rep: Reputation: 94
Hi EricTRA

I changed the allowEmptyPassword thing in sshd_config, and had to change the r/w permissions in the ~/.ssh folder...

Works ok now... :



bash-3.1$ ssh localhost
Warning: untrusted X11 forwarding setup failed: xauth key data not generated
Warning: No xauth data; using fake authentication data for X11 forwarding.
Last login: Sun Nov 15 20:46:51 2009 from localhost
Linux 2.6.29.6.

C, n.:
A programming language that is sort of like Pascal except more
like assembly except that it isn't very much like either one, or
anything else. It is either the best language available to the art
today, or it isn't.
-- Ray Simard

alex@iskandhar:~$

Thanks for yr help.... :-)

Alex
 
Old 11-15-2009, 03:19 PM   #4
EricTRA
LQ Guru
 
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 20 with Awesome WM
Posts: 6,805
Blog Entries: 1

Rep: Reputation: 1297Reputation: 1297Reputation: 1297Reputation: 1297Reputation: 1297Reputation: 1297Reputation: 1297Reputation: 1297Reputation: 1297
Great, glad you got it working. And you're welcome

Kind regards,

Eric
 
1 members found this post helpful.
Old 11-16-2009, 05:54 AM   #5
mattydee
Member
 
Registered: Dec 2006
Location: Vancouver, BC
Distribution: Debian,Ubuntu,Slackware
Posts: 479

Rep: Reputation: 48
It would be much safer to use a pub/priv key for password-less authentication. you can generate a key pair on the client using ssh-keygen and then add the public key to ~/.ssh/authorized_keys on the server.
 
1 members found this post helpful.
Old 11-16-2009, 12:26 PM   #6
Woodsman
Senior Member
 
Registered: Oct 2005
Distribution: Slackware 14.1
Posts: 3,482

Rep: Reputation: 546Reputation: 546Reputation: 546Reputation: 546Reputation: 546Reputation: 546
I believe password-less logins work best with keys. With a user's public key available in authorized_keys, then that user should be able to login without a password. This is not the same as using empty passwords. The public/private key combo functions like using passwords but is more secure.

Here is my sshd_config:

Code:
Protocol 2
SyslogFacility LOCAL6
LoginGraceTime 30s
PasswordAuthentication no
AllowTcpForwarding yes
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
PrintMotd no
PrintLastLog no
Subsystem	sftp	/usr/libexec/sftp-server
Some people will scream with the following advice, but you can enable root logins without using a password. You decide if that is what you want. You need root's public key in authorized_keys. Then in sshd_config add:

Code:
PermitRootLogin without-password
To use X apps through ssh, you'll need at least the following in ssh_config:

Code:
Host *
ForwardAgent yes
ForwardX11 yes
I hope this helps.
 
2 members found this post helpful.
Old 11-17-2009, 08:12 AM   #7
tronayne
Senior Member
 
Registered: Oct 2003
Location: Northeastern Michigan, where Carhartt is a Designer Label
Distribution: Slackware 32- & 64-bit Stable
Posts: 3,541

Rep: Reputation: 1065Reputation: 1065Reputation: 1065Reputation: 1065Reputation: 1065Reputation: 1065Reputation: 1065Reputation: 1065
Something you may want to consider is not editing /etc/ssh/sshd_config (which is system-wide) in favor of editing individual user accounts. The way you do this is to add ~/.ssh/config and that file contains the directives you want for that specific user to access specific other machines both on your intranet and external machines as well.

I have three machines on my intranet, fubar, snafu and pita; I also access external machines and permit one of them access to my machines ('cause it's a Sun workstation that I use at work -- that machine is not shown below, but its configuration is identical to the others). My ~/.ssh/config files all look like this one (which resides on pita:
Code:
Host fubar
ForwardAgent yes
ForwardX11 yes
Compression yes
Protocol 2,1
User trona

Host fubar
ForwardX11 yes
Compression yes
Protocol 2,1
User root

Host snafu
ForwardAgent yes
ForwardX11 yes
Compression yes
Protocol 2,1
User trona

Host snafu
ForwardX11 yes
Compression yes
Protocol 2,1
User root

Host *
ForwardX11 no
What this gives you is control (over individual users; e.g., your kids can't go fooling around in places you don't want them experimenting -- and that goes for all other users too) and, when there is an update you don't have to go fooling around reediting /etc/ssh/sshd_config either.

The above counts on the ~/.ssh/known_hosts and ~/.ssh/authorized_keys (containing the public keys for each user account on the external servers) as described in previous posts. When I generate keys I do not use a pass phrase (I just hate typing passwords all the time) knowing that I'm going to copy the public key to other machines' and knowing that SSHs public-private key mechanism works just fine. Then it's a simple matter of typing ssh fubar and getting connected either locally or remotely.

Hope this helps some.
 
1 members found this post helpful.
Old 11-17-2009, 09:17 AM   #8
Alexvader
Member
 
Registered: Oct 2009
Location: Japan
Distribution: Arch, Debian, Slackware
Posts: 994

Original Poster
Rep: Reputation: 94
Quote:
Originally Posted by Woodsman View Post

...To use X apps through ssh, you'll need at least the following in ssh_config:
Hi Woodsman,

It helps allright, but I guess I also have to disable the noListen TCP option thing, only I do not know how it is done, I mean, i've searched man xinit, and man x, and there is no clue as what is the allowed syntax, and where in .xinitrc must I drop that command... is it noListenTCP=0...?

I know that if one uses a DE, one sets this in XDM, KDM, or GDM ( Like I set it in Lenny/Gnome ) , but I am only using a WM.... I boot directly into startx to fluxBox...

I have searched in LQ about this, but so far I have only found this http://www.linuxquestions.org/questi...efault-176328/ ...

And I have looked specifically in my /etc/X11/xinit/.xinitrc and found no entry with the nolisten TCP thing... how do I disable the nolisten TCP...?

BRGDS

Alex
 
Old 11-17-2009, 04:12 PM   #9
mRgOBLIN
Slackware Contributor
 
Registered: Jun 2002
Location: New Zealand
Distribution: Slackware
Posts: 999

Rep: Reputation: 231Reputation: 231Reputation: 231
ssh -Y somehost
 
1 members found this post helpful.
Old 11-17-2009, 07:15 PM   #10
Woodsman
Senior Member
 
Registered: Oct 2005
Distribution: Slackware 14.1
Posts: 3,482

Rep: Reputation: 546Reputation: 546Reputation: 546Reputation: 546Reputation: 546Reputation: 546
Quote:
It helps allright, but I guess I also have to disable the noListen TCP option thing, only I do not know how it is done, I mean, i've searched man xinit, and man x, and there is no clue as what is the allowed syntax, and where in .xinitrc must I drop that command... is it noListenTCP=0...?
I modify my startx script:

serverargs="-dpi 120 -ac -nolisten tcp"

Look here for an example. The startx file is linked at the bottom.
 
1 members found this post helpful.
Old 11-18-2009, 01:40 AM   #11
mRgOBLIN
Slackware Contributor
 
Registered: Jun 2002
Location: New Zealand
Distribution: Slackware
Posts: 999

Rep: Reputation: 231Reputation: 231Reputation: 231
-nolisten tcp has nothing to do with ssh and X11Forwarding.
 
1 members found this post helpful.
Old 11-18-2009, 09:18 AM   #12
Alexvader
Member
 
Registered: Oct 2009
Location: Japan
Distribution: Arch, Debian, Slackware
Posts: 994

Original Poster
Rep: Reputation: 94
Hi mRgOBLIN

Quote:
Originally Posted by mRgOBLIN View Post
-nolisten tcp has nothing to do with ssh and X11Forwarding.
Ok, but AFAIK -nolisten tcp is enabled by default in Slackware... ( and in many other Distros BTW ) An it stops an Appliaction that I have from creating an XTerm window displaying a runtime process...

How do I disable it...?

Should be enough to modify the

serverargs="-dpi 120 -ac -nolisten tcp" to serverargs="-dpi 120 -ac", right ?

( I ask this bcause I am not w/ my slackware box right now...)


BRGDS

Alex
 
Old 11-18-2009, 04:36 PM   #13
Woodsman
Senior Member
 
Registered: Oct 2005
Distribution: Slackware 14.1
Posts: 3,482

Rep: Reputation: 546Reputation: 546Reputation: 546Reputation: 546Reputation: 546Reputation: 546
Quote:
serverargs="-dpi 120 -ac -nolisten tcp" to serverargs="-dpi 120 -ac", right ?
Yes, you can modify the arguments --- if you want 120 dots per inch and want to allow listening to TCP.

Know that these arguments can be passed at the command line or embedded in an alias for startx. The parameters do not affect the graphical login manager such as KDM. For run level 4 you have to add the same options to the kdmrc config file.
 
2 members found this post helpful.
Old 11-18-2009, 08:11 PM   #14
thatquietboy
LQ Newbie
 
Registered: May 2008
Posts: 26

Rep: Reputation: 17
I followed the instructions I found here.
 
1 members found this post helpful.
Old 11-19-2009, 02:49 AM   #15
mRgOBLIN
Slackware Contributor
 
Registered: Jun 2002
Location: New Zealand
Distribution: Slackware
Posts: 999

Rep: Reputation: 231Reputation: 231Reputation: 231
Quote:
Originally Posted by Alexvader View Post
Hi mRgOBLIN

Ok, but AFAIK -nolisten tcp is enabled by default in Slackware... ( and in many other Distros BTW ) An it stops an Appliaction that I have from creating an XTerm window displaying a runtime process...


Alex
The "-nolisten tcp" will just stop the X server from listening on it's normal TCP/6000. (Generally a good idea and why it is the default)

This TCP port is only needed when connecting directly to the X server from another machine.
To do this you need to allow access via "xhost" and set the "$DISPLAY" variable correctly.

As I said this has nothing to do with X11Forwarding and ssh.

ssh sets the DISPLAY variable automatically and tunnels X through an encrypted channel. The X TCP port is not used nor is xhost etc...
(The ForwardAgent is also not actually required (I'll explain this later).

If you have the correct ssh keys set up and "ForwardX11" is "yes" in the server (target machine) sshd_config it should be easy to test with.
Code:
ssh -Y user@somehost some_program_to_run
For example
Code:
ssh -Y mrgoblin@groupy rxvt
will start a remote rxvt but display it on my local X session.

(you can skip the -Y if you set "ForwardX11Trusted" for that host in your .ssh/config file)

Now I can hear the screaming already but the pass-phrase-less keys are not the most secure approach and not needed either. If anyone gets a copy of your private key then they have unfettered access to any machine that has your public key installed.

You should be creating keys with a pass-phrase and taking advantage of ssh-agent to remember said phrase.

You can check if ssh-agent is already running by looking for the SSH_AGENT_PID and SSH_AUTH_SOCK variables.
Code:
env |fgrep SSH
should show them.

If they are there then skip the next step.

If there is no sign of ssh-agent running then do this.

Code:
eval $(exec ssh-agent)
you should now see those variables.

now simply load your private key

Code:
ssh-add ~/.ssh/id_dsa
which should prompt you for your pass-phrase.

Now you can ssh to those hosts without being asked for the pass-phrase each time.

The "ForwardAgent" refers to the forwarding of the ssh-agent credentials allowing you to carry them with you as you hop from host to host.

If you have your keys loaded into ssh-agent there is also a simple way to send your public key to another host.

Code:
ssh-copy-id user@remote.host
Saves a lot of futzing about =)

Last edited by mRgOBLIN; 12-14-2009 at 02:58 PM.
 
2 members found this post helpful.
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Locking out a user when password expires, but allowing them to change their password kaplan71 Linux - Security 5 06-27-2008 07:12 PM
Allowing user to change the password santhosh23 Linux - General 11 05-02-2007 12:36 AM
ssh login without password for only one user zhjim Linux - Server 4 11-21-2006 04:31 PM
Allowing SSH to accepts ANY Password mperkel Linux - Security 14 11-01-2005 11:42 AM
ssh without user password question tonyfreeman Linux - Security 2 10-26-2004 11:02 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware

All times are GMT -5. The time now is 10:08 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration