July 8, 2008 08:30pm pdt

1. gheist 7,190
2. TeRReF 4,000
3. ravenpl 3,200
4. mr_egyptian 2,000
4. louisbohm 2,000
4. Arthur_Mino 2,000
4. gbougiakas 2,000
4. riotz 2,000
4. sda100 2,000
4. KCTS 2,000
4. gnurl 2,000
4. tprpics 2,000
13. Dhaest 1,500
13. michal_sjx 1,500
13. Psychotec 1,500
13. mwecompu... 1,500

1. ahoffmann 58,928
2. gheist 35,529
3. yuzh 34,747
4. Tintin 26,923
5. ravenpl 17,555
6. jlevie 17,456
7. chris_ca... 14,021
8. wesly_chen 8,820
9. ppfoong 8,019
10. liddler 7,400
11. PsiCop 4,792
12. amit_g 4,750
13. TeRReF 4,600
14. zgrp 3,000
14. sparks1984 3,000

08.19.2003 at 04:38AM PDT, ID: 20713692

	[x] Attachment Details

[x]

The Solution Rating System

With so many solutions, how can you tell which solutions are most likely to help you and which ones are not? To provide you with a tool to use, we rate our solutions based on various elements that most accurately determine if a solution is a quality solution. To explain what factors affect the solution rating, here are the elements we take into consideration when formulating our solution rating.

The Grade of the Solution
The Zone Rank of the Expert Providing the Solution
The Number of Author and Expert Comments
The Number of Experts Contributing
The Feedback of the Community

Your Input Matters
Because of the way the system is set up, the most important variable in this equation is you. As a member of Experts Exchange, you are able to cast your vote on the quality of the solutions in regard to how complete, accurate, helpful and easy to understand each solution is. When you provide your feedback, each rating is adjusted accordingly. So, if you see a solution that has a poor rating that you think is a good solution, let us know by rating it. As you do, the rating will be adjusted and will become more accurate for other members of our site.

If you have any suggestions that you would like to make for our rating system, please ask a question in the Suggestions Zone of Community Support.

Thank you!

6.2

SSH login without password fails

Zone: Unix Network Security Questions

Tags: ssh, password, without, login

I'm trying to setup a password-less login using SSH on Solaris8
I've installed OpenSSH_3.6.1p1, SSH protocols 1.5/2.0 on 2 servers.
SSH works fine when providing remote passwords.

To set up password less logins I've done the following:

1) cd ~/.ssh
2) ssh-keygen -t dsa -f id_dsa
3) scp id_dsa.pub <remote-server>:~/.ssh/authorized_keys

Testing the password-less login fails since the test-command "ssh <remote-server> pwd" still prompts me for a password.

Anyone any clues?
Ron

Start your free trial to view this solution

Question Stats

Zone: Security

Question Asked By: rwiersma64

Solution Provided By: liddler

Participating Experts: 2

Solution Grade: B

Translate:

Loading Advertisement...

Microsoft

Internet Protocols
Applications

Development
OS

Hardware
Windows Security

Apple

Operating Systems
Hardware

Programming
Networking

Software

Internet

Search Engines
File Sharing
WebTrends / Stats
Spy / Ad Blockers

Web Browsers
New Net Users
Web Development
Chat / IM

Anti Spam
Web Servers
Anti-Virus
Email Clients

Gamers

Tips
Online / MMORPG
Puzzle
Emulators

Action / Adventure
Role Playing
Consoles
Game Programming

Strategy
Sports
Misc
Computer Games

Digital Living

Hardware
New Net Users
New Users

Software
Digital Music
Gaming World

Home Security
Apple
Networking Hardware

Virus & Spyware

Vulnerabilities
IDS
Encryption
Anti-Virus

Operating Systems Security
Software Firewalls
WebApplications
Cell Phones

Operating Systems
Internet
Hardware Firewalls

Hardware

Handhelds / PDAs
Displays / Monitors
Components
Networking Hardware

Peripherals
Laptops/Notebooks
Storage
Servers

Desktops
New Users
Misc
Apple

Software

System Utilities
Industry Specific
Network Management
Photos / Graphics
Page Layout
VMWare
Misc
Web Development

OS
CYGWIN
Voice Recognition
Message Queue
Quality Assurance
Security
Firewalls
MultiMedia Applications

Development
Database
Office / Productivity
Business Management
OS/2 Apps
Server Software
Internet / Email

ITPro

OS
Storage
Encryption
Operating Systems Security
Apple Hardware
Laptops & Notebooks
Servers
Networking Hardware
Peripherals

Devices
Displays / Monitors
WebTrends / Stats
Search Engines
Firewalls
WebApplications
IDS
Vulnerabilities
Email Clients

File Sharing
Spy / Ad Blockers
Web Browsers
Web Servers
Networking
Anti-Virus
Chat / IM
Anti Spam

Developer

Web Servers
Web Browsers
Game Programming
Dev Tools
Industry Specific
Office / Productivity

Database
CYGWIN
Web Development
Search Engines
File Sharing
WebTrends / Stats

Programming
Content Management
Application Servers
Protocols

Storage

Removable Backup Media
Storage Technology
Servers

Grid
Remote Access
Backup / Restore

Misc
Hard Drives

Miscellaneous
Security
Development
Linux
VMWare

MainFrame OS
Unix
Apple
OS / 2
AS / 400

BeOS
Microsoft
VMS / OpenVMS

Database

Oracle
Miscellaneous
MySQL
Software
Sybase
Contact Management
PostgreSQL
Data Manipulation
Clarion
InterSystems Cache

Siebel
MUMPS
OLAP
SQLBase
SAS
GIS & GPS
4GL
Berkeley DB
DB2
Informix

Interbase / Firebird
FoxPro
Reporting
LDAP
Filemaker Pro
MS SQL Server
dBase
MS Access

Security

Misc
Web Browsers
Software Firewalls
Operating Systems Security
File Sharing

Spy / Ad Blockers
Vulnerabilities
WebApplications
IDS
Anti-Virus

Encryption
Anti Spam
Email Clients
VPN
Chat / IM

Programming

Editors IDEs
Installation
Handhelds / PDAs
Multimedia Programming
System / Kernel

Algorithms
Game
Signal Processing
Project Management
Open Source

Database
Misc
Languages
Processor Platforms
Theory

Web Development

Scripting
Blogs
Web Servers
Software
Search Engines
Web Graphics
Images

Internet Marketing
Images and Photos
Components
Document Imaging
Web Languages/Standards
Illustration
WebApplications

Fonts
WebTrends / Stats
Authoring
Digital Camera Software
Miscellaneous

Networking

Protocols
Apple Networking
Network Management
Message Queue
Application Servers
Content Management
File Servers
Email Servers
Misc
Java Editors & IDEs

Wireless
Networking Hardware
Backup / Restore
System Utilities
ISPs & Hosting
Web Servers
Storage Technology
Removable Backup Media
Servers
Broadband

Grid
OS / 2
Novell Netware
Unix Networking
Windows Networking
Security
Telecommunications
Operating Systems
Linux Networking

Other

Community Advisor
Lounge
Community Support
New Net Users

Philosophy / Religion
Math / Science
Miscellaneous
URLs

Expert Lounge
Politics
Puzzles / Riddles

Community Support

Suggestions
New to EE
New Topics
Community Advisor

CleanUp
Announcements
General

Feedback
Input
EE Bugs

08.19.2003 at 05:35AM PDT, ID: 9180429

liddler:

First run
ssh -v -v <remote server >
and look at the output
Also on remote server, kill sshd and run
sshd -d -d
You may have to enable telnet while you do this, if it's disabled.
You can then get error messages from ssh in verbose mode (-v -v) and sshd in debug mode (-d -d)
typically, it it a file permission problem. ssh is very strict about file ownership / permissions.

If you don't understand the output from ssh or sshd, post it here for us to take a look

08.19.2003 at 06:15AM PDT, ID: 9180644

rwiersma64:

Here's (part of) my "ssh -v -v output":
-----------------------------------------------
OpenSSH_3.6.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090702f
debug1: Reading configuration data /usr/local/etc/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug2: ssh_connect: needpriv 0
debug1: Connecting to aamfinance [10.56.29.244] port 22.
debug1: Connection established.
debug1: identity file /u01/app/oracle/.ssh/identity type -1
debug1: identity file /u01/app/oracle/.ssh/id_rsa type -1
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug2: key_type_from_name: unknown key type '-----END'
debug1: identity file /u01/app/oracle/.ssh/id_dsa type 2
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.6.1p1
debug1: match: OpenSSH_3.6.1p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.6.1p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 132/256
debug2: bits set: 1607/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'aamfinance' is known and matches the RSA host key.
debug1: Found key in /u01/app/oracle/.ssh/known_hosts:1
debug2: bits set: 1530/3191
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /u01/app/oracle/.ssh/identity
debug1: Trying private key: /u01/app/oracle/.ssh/id_rsa
debug1: Offering public key: /u01/app/oracle/.ssh/id_dsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
oracle@aamfinance's password:
debug2: we sent a password packet, wait for reply
Connection closed by 10.56.29.244
debug1: Calling cleanup 0x2c95c(0x0)

Here the complete "sshd -d -d output":
-------------------------------------------------
debug2: read_server_config: filename /usr/local/etc/sshd_config
debug1: sshd version OpenSSH_3.6.1p1
debug1: private host key: #0 type 0 RSA1
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 10.72.28.216 port 36503
debug1: Client protocol version 2.0; client software version OpenSSH_3.6.1p1
debug1: match: OpenSSH_3.6.1p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_3.6.1p1
debug2: Network child is on pid 24249
debug1: permanently_set_uid: 1004/102
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug2: monitor_read: 0 used once, disabling now
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug2: dh_gen_key: priv key bits set: 129/256
debug2: bits set: 1578/3191
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug2: bits set: 1597/3191
debug2: monitor_read: 4 used once, disabling nowdebug1: SSH2_MSG_KEX_DH_GEX_REPLY sent

debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user oracle service ssh-connection method none
debug1: attempt 0 failures 0
debug2: monitor_read: 6 used once, disabling nowdebug2: input_userauth_request: setting up authctxt for oracle

debug1: Starting up PAM with username "oracle"debug2: input_userauth_request: try method none

debug1: PAM setting rhost to "aamfinance-qa"
debug2: monitor_read: 41 used once, disabling now
debug2: monitor_read: 3 used once, disabling now
Failed none for oracle from 10.72.28.216 port 36503 ssh2
Failed none for oracle from 10.72.28.216 port 36503 ssh2
debug1: userauth-request for user oracle service ssh-connection method publickey
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method publickey
debug1: test whether pkalg/pkblob are acceptable
debug1: temporarily_use_uid: 1001/101 (e=0/1)
debug1: trying public key file /u01/app/oracle/.ssh/authorized_keys
Authentication refused: bad ownership or modes for file /u01/app/oracle/.ssh/authorized_keys
debug1: restore_uid: 0/1
debug1: temporarily_use_uid: 1001/101 (e=0/1)
debug1: trying public key file /u01/app/oracle/.ssh/authorized_keys2
Authentication refused: bad ownership or modes for file /u01/app/oracle/.ssh/authorized_keys2
debug1: restore_uid: 0/1
debug2: userauth_pubkey: authenticated 0 pkalg ssh-dss
Failed publickey for oracle from 10.72.28.216 port 36503 ssh2
debug1: userauth-request for user oracle service ssh-connection method keyboard-interactive
debug1: attempt 2 failures 2
debug2: input_userauth_request: try method keyboard-interactive
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=oracle devs=
debug1: kbdint_alloc: devices ''
debug2: auth2_challenge_start: devices
Failed keyboard-interactive for oracle from 10.72.28.216 port 36503 ssh2

08.19.2003 at 06:21AM PDT, ID: 9180688

liddler:

>>Authentication refused: bad ownership or modes for file /u01/app/oracle/.ssh/authorized_keys2
That's the naughtly line, must be owned by oracle and only writeable by oracle, not by group.
If you are still not sure post the output of:
ls -la /u01/app/oracle/.ssh

08.19.2003 at 06:33AM PDT, ID: 9180760

rwiersma64:

ls -la output:
Total 10
drwxr-xr-x 2 oracle dba 512 Aug 19 13:48 .
drwxrwxr-x 9 oracle dba 512 Aug 19 14:45 ..
-rw-rw-r-- 1 oracle dba 610 Aug 19 11:46 authorized_keys
-rw-rw-r-- 1 oracle dba 610 Aug 19 13:48 authorized_keys2
-rw-rw-r-- 1 oracle dba 469 Aug 19 11:46 known_hosts

By the way: I already tried some chmod-variants but the last thing I read was the the authorized_keys* file ought to be 664, so that's what you see here.
So what you're saying is I have to change this to 600 ?
By the way2: the authorized_keys2 file was originally not present, I copied authorized_keys to authorized_keys2 myself (wich was another suggestion I read somewhere).

08.19.2003 at 06:42AM PDT, ID: 9180841

liddler:

644 will do, it the group write that ssh objects to.

08.19.2003 at 06:47AM PDT, ID: 9180876

rwiersma64:

After chmod 600 ~/.ssh/*keys* I get:

debug1: trying public key file /u01/app/oracle/.ssh/authorized_keys
Authentication refused: bad ownership or modes for directory /u01/app/oracle
debug1: restore_uid: 0/1
debug1: temporarily_use_uid: 1001/101 (e=0/1)
debug1: trying public key file /u01/app/oracle/.ssh/authorized_keys2
Authentication refused: bad ownership or modes for directory /u01/app/oracle

08.19.2003 at 07:10AM PDT, ID: 9181020

liddler:

probably /u01/app/oracle had group write
chmod 755 /u01/app/oracle

Accepted Solution

08.19.2003 at 07:30AM PDT, ID: 9181174

rwiersma64:

Thanks a lot, this did the trick (it always seems to easy afterwards).
But again, thanks a lot.
Kind regards,
Ron

03.02.2005 at 10:49AM PST, ID: 13442566

ocastilla:

Please,

Do yuo have the process to implement the SHA1 method to crypt on solaris 8 ?
I like to encrypt passwords or strings.

Regards
Oscar

20080236-EE-VQP-29