ssh questions

I'm trying to do port forwarding and I realise that it always prompts me for the password for the remote machine. Is there any way of doing it non-interactively?

I run this on the server
ssh -S -R tcp/1030:myserver.com:23 myremote.com

on my remote machine I run
telnet myremote.com 1030

However, when I run the server statement it prompts me for a password to let myremote.com authenticate me.

Please advise
Yam
YamSeng Asked:
jlevie Commented:
Which SSH implementation, OpenSSH or the commercial variant? If there aren't typos in the question, the command looks more like the commercial variant. In which case what I described earlier as a means of avoiding the password prompt may not work. Given the availability of OpenSSH there's probably not much reason to run the commercial variant these days.

If this were to be OpenSSH, what I've described above will work if I understand what you are trying to accomplish. My reading of the question says that you've got an outside system (presumably outside of a firewall) named myremote and you've got an inside server (myserver). You want to set up port forwarding so that you, from some Internet host, can connect to myremote on port 1030 and see a telnet login prompt from myserver. I.E., you are setting up a tunnel through a firewall for login access to a system inside of the firewall.

To avoid the password prompt when setting up the ssh tunnel it is necessary to have the correct public key installed on myremote. Assuming that the user name is the same on both systems (me) and that I'm using OpenSSH v2 or later while logged in to myserver I'd do:

myserver> ssh-keygen -t rsa
myserver> scp .ssh/id_rsa.pub myremote.com:
myserver> ssh myremote.com
Password:
myremote> cat id_rsa.pub >>.ssh/authorized_keys2
myremote> exit
myserver>

Then I can set up the tunnel with:

myserver> ssh -R 1030:myserver.com:23 myremote.com
myremote>

Now from anywhere on the Internet that I have access to myremote.com I can 'telnet myremote.com 1030' and get a login prompt from the telnet service on myserver.

There are some things to watch out for. At least some installations of OpenSSH (like RedHat's) default to 'GatewayPorts' not being set to 'yes', which results in ssh listening only on the localhost IP. Another problem is that a lot of firewalls will time out idle connections, which breaks the tunnel.
 
jlevie Commented:
There are several ways to get the SSH server not to prompt for a password, depending on which version of the protocol is being used and how the server is configured. The simplest way is to generate a private/public keypair and include the public key in your authorized_hosts file on the server.

For a V1 protocol generate the keypair with 'ssh-keygen -t rsa1' and add the public key (.ssh/identity.pub) to ~/.ssh/authorized_keys on the server.

For a V2 protocol generate the keypair with 'ssh-keygen -t rsa' and add the public key (.ssh/id_rsa.pub) to ~/.ssh/authorized_keys2 on the server.

Note that when generating the keys you'll need to use an empty passphrase so you won't be prompted for a password when connecting. For more information see 'man ssh-keygen' and 'man ssh'.
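The procedure jlevie lays out in the two comments above (a dedicated key with an empty passphrase, the -R tunnel, the GatewayPorts and idle-timeout caveats), carried through as a script of the kind a .procmailrc recipe could invoke. This is an added example, not code from the thread. It assumes OpenSSH on both ends, that the key at ~/.ssh/tunnel_rsa (a placeholder path) was made with "ssh-keygen -t rsa -N ''", and that its public half has been appended to ~/.ssh/authorized_keys on myremote.com. The sshd_config fragments used to check it are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes OpenSSH on both ends and a
# dedicated, passphrase-less key used only for this tunnel. The host names,
# the port and the key path are placeholders.

REMOTE_HOST="myremote.com"          # outside host running sshd
REMOTE_PORT="1030"                  # port sshd on REMOTE_HOST listens on for us
LOCAL_TARGET="myserver.com:23"      # inside service reached through the tunnel
KEY_FILE="${HOME}/.ssh/tunnel_rsa"  # assumption: made with ssh-keygen -t rsa -N ''

# Build the ssh command line and return it as a string, so a procmail recipe
# or cron job can log exactly what it is about to run.
#   -N                        no remote command, forwarding only
#   -f                        go to background once the forward is established
#   -o BatchMode=yes          fail instead of prompting; a prompt is fatal when
#                             procmail runs this with no terminal attached
#   -o ExitOnForwardFailure   exit non-zero if REMOTE_PORT cannot be bound
#   -o ServerAliveInterval    keepalives, so a firewall that drops idle
#                             connections does not silently kill the tunnel
build_tunnel_cmd() {
    printf 'ssh -N -f -i %s -o BatchMode=yes -o ExitOnForwardFailure=yes -o ServerAliveInterval=60 -o ServerAliveCountMax=3 -R %s:%s %s' \
        "$KEY_FILE" "$REMOTE_PORT" "$LOCAL_TARGET" "$REMOTE_HOST"
}

# True only if the key is unreadable by group and others. ssh itself refuses
# a key with looser permissions ("Permissions ... are too open"), and a
# world-readable passphrase-less key lets any local user open this tunnel.
key_is_private() {
    [ -f "$1" ] || return 1
    case "$(ls -l "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# Effective GatewayPorts value from an sshd_config read on stdin. Reads the
# global section only (stops at the first Match block); the first occurrence
# wins, as in sshd; keywords are case-insensitive and "key=value" is accepted.
# The default "no" makes sshd bind the -R port to loopback only, so
# "telnet myremote.com 1030" from another host would be refused.
gateway_ports() {
    awk '
        index($0, "=")                { sub(/=/, " "); $0 = $0 }
        NF == 0 || $1 ~ /^#/          { next }
        tolower($1) == "match"        { exit }
        tolower($1) == "gatewayports" { print tolower($2); found = 1; exit }
        END                           { if (!found) print "no" }'
}

# Usage:  sh tunnel.sh start   (on myserver, e.g. from .procmailrc)
#         sh tunnel.sh check   (on myremote, to inspect its sshd_config)
case "${1-}" in
    start)
        key_is_private "$KEY_FILE" || { echo "refusing: $KEY_FILE is readable by others" >&2; exit 1; }
        exec $(build_tunnel_cmd)
        ;;
    check)
        echo "GatewayPorts on this host: $(gateway_ports < /etc/ssh/sshd_config)"
        ;;
esac
```

Two points beyond what the thread says. YamSeng planned to make the key file readable by anyone; ssh will not use a private key that is group- or world-readable, which is why the script checks permissions before starting, and the key should be restricted on myremote.com as well (with OpenSSH 7.2 or later, prefix the authorized_keys line with "restrict,port-forwarding" so a stolen key can open this tunnel but not a shell). ssh-agent, which ahoffmann suggests later, only helps when a human has unlocked the key once in a login session; an ssh spawned by procmail has no agent socket unless one is arranged, so a dedicated passphrase-less key is the usual answer for this job.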
 
YamSeng (Author) Commented:
Hi jlevie,

My version of SSH is 3.10.

I think when I tried to use SSH, it prompted me to generate a public key. But that's no prob, coz I think it's just the initial setup. And I'm planning to make the file accessible by anyone, coz my ssh command is to be invoked by my procmailrc script, and I may not be logged in....

However, when I run ssh, other than the public key thingy, it also prompts me for a password to authenticate so that it can listen on the remote machine. I think I'm having more problems with this, coz as ssh is executed by procmailrc, it's non-interactive. And so, how can I enter the password when ssh prompts?

Basically, I'm doing port forwarding for a local telnet port 23 to a foreign address with a port > 1023, i.e. say 1030. I know that this port does not need superuser rights, but I think it needs at least a valid user authentication. I think this is why when I run the ssh -S -R command, it prompts for a password.

Yam
 
ahoffmann Commented:
(Open)ssh 3.x does not work with -i and rsa keys :-(
You have to switch back to protocol version 1, like
  ssh -1 ...
  ssh -o Protocol=1 ...

 
jlevie Commented:
Hmmm, OpenSSH 3.1p1 works for me on Solaris & RedHat with V2 keys (dsa & rsa).
 
ahoffmann Commented:
I know: security is done with workarounds,
but that's what I do, 'cause I did not dig deeper into 3.1's dsa&rsa keys (there is a doc about this), and I have to deal with 2.x servers. So I avoided generating new V2 keys.
IIRC I've seen it working with the ssh-agent.
 
YamSeng (Author) Commented:
It says
SSH V3.1.0 (Non commercial version) on i686...
Would that make it OpenSSH?
 
jlevie Commented:
No, that's the commercial variant from ssh.com. I don't see any docs on their site so I can't look to see how (or if) it can be set up not to require a password. Your installation should have some documentation with it that you might look at.
 
YamSeng (Author) Commented:
Hmm? But I thought if it's written as "non commercial" then we should take it as the non-commercial variant?

Anyway, where is the documentation that I need to look for?
 
YamSeng (Author) Commented:
Hmm... OK. I've just been to ssh.com and found that my version could really be the commercial variant. But as I'm from an academic institution, it's free to use. Maybe?
 
jlevie Commented:
Yes, according to what I know of that version it is free for certain uses. I found the docs on ssh.com and there are two procedures documented for setting up public key authorization (see http://www.ssh.com/products/ssh/administrator31/Public-Key_Authentication-2.html). What I can't tell from the docs is whether you can use an empty passphrase, like one can with OpenSSH. I guess you'll have to try generating a key and see.
 
YamSeng (Author) Commented:
Hmm... I think I still have to enter the passphrase.

However, even if I manage to get away with the password thingy, I think setting up remote is too troublesome. I can't do it ad hoc. I need to set this up before I leave the network, and like what you mentioned, the firewall may just disconnect the idle connection tunnel.
8(
 
ahoffmann Commented:
if ssh forces to use a password, give ssh-agent a try
 
YamSeng (Author) Commented:
ahoffmann, can you give an example of how ssh-agent might be able to help?
Yam
 
ahoffmann Commented:
ssh-agent
ssh-add path/to/your/private-keyfile
ssh-add other/private/keyfile
...

# see  man ssh-agent  about security issues
 
The--Captain Commented:
YamSeng - don't forget - as jlevie stated, when you generate your public/private keypair, you *must* *only* hit the ENTER key when it asks for a passphrase - if you actually type anything before pressing enter, a passphrase will still be associated with the keypair and it will still continue to hassle you about the password...

If you can confirm that you did that, then the problem is that your keys do not exist or they are in the wrong places...  I would set the ssh protocol version to a single value, make sure you can connect normally with a password (to verify that client and server both support the protocol version), and then proceed using the instructions above that apply to the ssh protocol version you have set.

It's really not that hard - have you brushed up on the manpages?

-Jon
 
YamSeng (Author) Commented:
yes, I hit the enter on the passphrase.  It still prompts me for password for authentication on remote side.

When you said my keys do not exist. Which side do you mean? The server side or the remote side?  I'm sure that on the server's side, the key is there, coz if not, it'll prompt me to generate a key before proceeding.

Yam
 
jlevie Commented:
What The--Captain meant was to make sure that the public key of the pair you just generated is in the correct place on the remote system. You have to manually transfer the public key to the system.
 
YamSeng (Author) Commented:
Currently, I'm also looking at another way to work around this whole problem.

What happens is, if I can initiate a telnet (rather than ssh) from the server to the remote side, maybe telnet might be able to do the login and password thing non-interactively? Then after telnet gets logged into the remote machine, if I use programs like xhost and xterm -e and try to telnet back to my server....

If this is workable, it might be easier than to figure out the public key pair for the server and remote machine I think.

Any comments on the viability?

Yam
 
jlevie Commented:
That approach won't work. While you could establish a telnet session from the server to the remote, once you reach the remote you won't be able to use the open telnet session to talk to the server.

The trick is to figure out what hasn't been done correctly on setting up the public key on the remote. It would be helpful to see the commands that you used to generate the public key and transfer that to the remote. And a transcript of the attempt to set up the session with the remote could be illuminating.
 
YamSeng (Author) Commented:
Hmm.... I think you're right, coz when I telnet from the remote to the server, I'm specifying the server's IP or hostname, so it should create a new channel and it shouldn't work if the firewall is blocking it. I've verified this with netstat -tan | grep <ip>. Coz after I did all the logins, I ran the netstat command and found 2 communication channels. 8(

ok.  So back to ssh.  The command I use to generate the public key is
ssh-keygen
And I hit only <enter> for the passphrase.
Then after it generates the *.pub file, I copy the file from the server to the remote machine as ./ssh2/authorized_keys2

Then when I run from the server
ssh remote.com
it still prompts me for the password.
 
ahoffmann Commented:
Which kind of keys did you generate with ssh-keygen: rsa?

As I said before: ssh2 (which defaults to protocol version 2) does not work with rsa keys, you need to force protocol version 1.
 
YamSeng (Author) Commented:
OK, good news. I'm progressing.

I've looked at http://www.ssh.com/products/ssh/administrator31/Public-Key_Authentication-2.html again and followed exactly the same steps. That is, creating the "identification" file for the server and the "authorization" file for the remote.

Currently, except for the first time where it prompts me for the fingerprint, I just typed "yes". Subsequently, it didn't prompt me for a password anymore! Yes, another obstacle passed.

But how can I do away with the first-time prompt for the fingerprint? Does that mean I have to manually create the hostkeys files myself?

The error prompt I get every time I connect to a new remote machine is

Host key not found from database.
Key fingerprint:
xubeb-bolat-syvyt-nelyl-gased-hobek-zofyl-zybab-vitoc-maceg-sexex
You can get a public key's fingerprint by running
% ssh-keygen -F publickey.pub    

 
YamSeng (Author) Commented:
ahoffmann, I thought it worked for me? I generated a key with ssh-keygen -t rsa and it seems OK. Except for the fingerprint thing, which I think is a different matter.
 
YamSeng (Author) Commented:
Hmm, ahoffmann, maybe your ssh is OpenSSH? And mine's the commercial variant but foc ssh? Coz even jlevie's version of 3.1 worked with rsa.
 
YamSeng (Author) Commented:
Hmm.... wait. With regards to the previous xhost and xterm solution I mentioned..... I'm beginning to think that it may work.... let me clarify....

Assume the server has the remote machine's IP through another form of notification.

Server setenv DISPLAY to the remote machine and runs xterm.

Remote machine runs xhost + server.

Wouldn't that allow the remote machine to have an xterm showing but running on the server?

Yam
 
ahoffmann Commented:
Yes, this even works with ssh if XForwarding is enabled.
 
jlevie Commented:
Yes, that works, providing that you intend to do things on the remote while logged in to the server. From the way the original question is stated it looks like you are trying to set up a tunnel from the server to the remote (presumably through a firewall at the server's side) so that you could go to the remote and do things from there on the server. I don't see the login, export display, etc. helping if you are wanting to access the server from the remote. And if you are using ssh to make the connection and have XForwarding enabled you don't have to do any of the DISPLAY or xhost things (as ahoffmann pointed out). When ssh forwards X all of that is automatically taken care of.

As to your comment of yesterday regarding the fingerprint. You'll only get that the very first time you connect to another system. There are ways to avoid that by manually copying the keys from the remote to the local system, or as you've seen you can let ssh do the job. Unless I don't fully understand your needs I don't see how the initial key exchange would be a problem.
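Pinning the host key ahead of time, as an added example for the "Host key not found from database" prompt YamSeng hit and the manual key-copying jlevie mentions just above (this is not code from the thread). It keeps the first-connection prompt out of a non-interactive run without resorting to StrictHostKeyChecking=no, which would defeat host authentication entirely. myremote.com is the thread's host name; the key line in the usage comment and the checks is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example, not code from the thread. Pins a host key into known_hosts
# ahead of time so a non-interactive ssh never sees the "Host key not found"
# prompt, without disabling host key checking. The host name and key line
# used below are constructed placeholders, not real keys.

# known_hosts_has HOST FILE: success if FILE has an unhashed entry for HOST.
# A line is "host[,host...] keytype base64key [comment]"; the first field is
# a comma-separated host list, so HOST must match one element exactly
# (a substring match would let "remote.com" satisfy "myremote.com").
known_hosts_has() {
    host="$1"; file="$2"
    [ -f "$file" ] || return 1
    awk -v h="$host" '
        NF == 0 || $1 ~ /^#/ { next }
        { n = split($1, hosts, ",")
          for (i = 1; i <= n; i++) if (hosts[i] == h) { found = 1; exit } }
        END { if (found) exit 0; exit 1 }' "$file"
}

# pin_host_key HOST KEYLINE FILE: append KEYLINE (one line of "ssh-keyscan
# HOST" output) unless HOST is already pinned. Returns 0 if added, 2 if the
# host was already present. Nothing here talks to the network: fetch the line
# with ssh-keyscan and compare "ssh-keygen -lf" of it against the fingerprint
# obtained from the remote's administrator before calling this.
pin_host_key() {
    host="$1"; keyline="$2"; file="$3"
    known_hosts_has "$host" "$file" && return 2
    umask 077
    printf '%s\n' "$keyline" >> "$file"
}

# Usage (on myserver, once, before the procmail-driven ssh ever runs):
#   ssh-keyscan -t rsa myremote.com > /tmp/myremote.key
#   ssh-keygen -lf /tmp/myremote.key     # compare with the fingerprint you were given
#   pin_host_key myremote.com "$(cat /tmp/myremote.key)" ~/.ssh/known_hosts
# Then run the tunnel with "-o StrictHostKeyChecking=yes" so a changed or
# unknown key fails the connection instead of prompting.
```

The point of the two-step usage is that ssh-keyscan alone is trust-on-first-use over the network; comparing its fingerprint with one obtained out of band is what turns the pinned entry into a real check, and StrictHostKeyChecking=yes then makes any later mismatch a hard failure rather than a prompt nobody is there to answer.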