Solved

ssh questions

Posted on 2002-04-10
395 Views
Last Modified: 2010-03-18
I'm trying to do port forwarding and I realise that it always prompts me for the password for the remote machine.  Is there any way of doing it non-interactively?

I run this on the server
ssh -S -R tcp/1030:myserver.com:23 myremote.com

on my remote machine I run
telnet myremote.com 1030

However, when I run the server statement it prompts me for a password to let myremote.com authenticate me.

Please advise
Yam
Question by:YamSeng

28 Comments

LVL 40
Expert Comment
by:jlevie
There are several ways to get the SSH server not to prompt for a password, depending on which version of the protocol is being used and how the server is configured. The simplest way is to generate a private/public keypair and include the public key in your authorized_hosts file on the server.

For a V1 protocol generate the keypair with 'ssh-keygen -t rsa1' and add the public key (.ssh/identity.pub) to ~/.ssh/authorized_keys on the server.

For a V2 protocol generate the keypair with 'ssh-keygen -t rsa' and add the public key (.ssh/id_rsa.pub) to ~/.ssh/authorized_keys2 on the server.

Note that when generating the keys you'll need to use an empty passphrase so you won't be prompted for a password when connecting. For more information see 'man ssh-keygen' and 'man ssh'.

LVL 1
Author Comment
by:YamSeng
Hi jlevie,

My version of SSH is 3.10.

I think when I tried to use SSH, it prompts me to generate a public key. But that's no prob. Coz I think it's just the initial setup.  And I'm planning to make the file accessible by anyone, coz my ssh command is to be invoked by my procmailrc script, and I may not be logged in....

However, when I run ssh, other than the public key thingy, it also prompts me for a password to authenticate so that it can listen on the remote machine.  I think I'm having more problems with this.  Coz as ssh is executed by procmailrc, it's non-interactive.  And so, how can I enter the password when ssh prompts?

Basically, I'm doing port forwarding for a local telnet port 23 to a foreign address with a port > 1023, ie say 1030.  I know that this port does not need superuser rights, but I think it needs at least a valid user authentication. I think this is why when I run the ssh -S -R command, it prompts for password.

Yam

LVL 40
Accepted Solution
by: jlevie earned 50 total points
Which SSH implementation, OpenSSH or the commercial variant? If there aren't typos in the question the command looks more like the commercial variant. In which case what I described earlier as a means of avoiding the password prompt may not work. Given the availability of OpenSSH there's probably not much reason to run the commercial variant these days.

If this were to be OpenSSH, what I've described above will work if I understand what you are trying to accomplish. My reading of the question says that you've got an outside system (presumably outside of a firewall) named myremote and you've got an inside server (myserver). You want to set up port forwarding so that you, from some Internet host, can connect to myremote on port 1030 and see a telnet login prompt from myserver. I.E., you are setting up a tunnel through a firewall for login access to a system inside of the firewall.

To avoid the password prompt when setting up the ssh tunnel it is necessary to have the correct public key installed on myremote. Assuming that the user name is the same on both systems (me) and that I'm using OpenSSH v2 or later while logged in to myserver I'd do:

myserver> ssh-keygen -t rsa
myserver> scp .ssh/id_rsa.pub myremote.com:
myserver> ssh myremote.com
Password:
myremote> cat id_rsa.pub >>.ssh/authorized_keys2
myremote> exit
myserver>

Then I can set up the tunnel with:

myserver> ssh -R 1030:myserver.com:23 myremote.com
myremote>

Now from anywhere on the Internet that I have access to myremote.com I can 'telnet myremote.com 1030' and get a login prompt from the telnet service on myserver.

There are some things to watch out for. At least some installations of OpenSSH (like RedHat's) default to 'GatewayPorts' not being set to 'yes' which results in ssh listening only on the localhost IP. Another problem is that a lot of firewalls will time out idle connections, which breaks the tunnel.

LVL 51
Expert Comment
by:ahoffmann
(Open)ssh 3.x does not work with -i and rsa keys :-(
You have to switch back to protocol version 1, like
  ssh -1 ...
  ssh -oProtocol=1 ...


LVL 40
Expert Comment
by:jlevie
Hmmm, OpenSSH 3.1p1 works for me on Solaris & RedHat with V2 keys (dsa & rsa).

LVL 51
Expert Comment
by:ahoffmann
I know: security is done with workarounds
but that's what I do, 'cause I did not dig deeper into 3.1's dsa&rsa keys (there is a doc about this), and I've to deal with 2.x servers. So I avoided generating new V2 keys.
IIRC I've seen it working with the ssh-agent.

LVL 1
Author Comment
by:YamSeng
It says
SSH V3.1.0 (Non commercial version) on i686...
Would that make it openSSH?

LVL 40
Expert Comment
by:jlevie
No, that's the commercial variant from ssh.com. I don't see any docs on their site so I can't look to see how (or if) it can be set up not to require a password. Your installation should have some documentation with it that you might look at.

LVL 1
Author Comment
by:YamSeng
hmm? but I thought if it's written as "non commercial" then we should take it as it's non commercial variant?

Anyway, where is the documentation that I need to look for?

LVL 1
Author Comment
by:YamSeng
hmm...ok. I've just been to the ssh.com and found that my version could really be the commercial variant. But as I'm from an academic institution, it's free to use.  Maybe?

LVL 40
Expert Comment
by:jlevie
Yes, according to what I know of that version it is free for certain uses. I found the docs on ssh.com and there are two procedures documented for setting up public key authorization (see http://www.ssh.com/products/ssh/administrator31/Public-Key_Authentication-2.html). What I can't tell from the docs is whether you can use an empty passphrase, like one can with OpenSSH. I guess you'll have to try generating a key and see.

LVL 1
Author Comment
by:YamSeng
hmm...I think I have to enter the passphrase still.

However, even if I manage to get away with the password thingy, I think setting up remote is too troublesome. I can't do it ad-hoc. I need to setup this before I leave the network, and like what you mentioned, the firewall may just disconnect the idle connection tunnel.
8(

LVL 51
Expert Comment
by:ahoffmann
if ssh forces to use a password, give ssh-agent a try

LVL 1
Author Comment
by:YamSeng
ahoffmann, can you give an example of how ssh-agent might be able to help?
Yam

LVL 51
Expert Comment
by:ahoffmann
eval $(ssh-agent)     # start the agent and export its socket variables into this shell
ssh-add path/to/your/private-keyfile
ssh-add other/private/keyfile
...

# see  man ssh-agent  about security issues

LVL 16
Expert Comment
by:The--Captain
YamSeng - don't forget - as jlevie stated, when you generate your public/private keypair, you *must* *only* hit the ENTER key when it asks for a passphrase - if you actually type anything before pressing enter, a passphrase will still be associated with the keypair and it will still continue to hassle you about the password...

If you can confirm that you did that, then the problem is that your keys do not exist or they are in the wrong places...  I would set the ssh protocol version to a single value, make sure you can connect normally with a password (to verify that client and server both support the protocol version), and then proceed using the instructions above that apply to the ssh protocol version you have set.

It's really not that hard - have you brushed up on the manpages?

-Jon

LVL 1
Author Comment
by:YamSeng
yes, I hit the enter on the passphrase.  It still prompts me for password for authentication on remote side.

When you said my keys do not exist. Which side do you mean? The server side or the remote side?  I'm sure that on the server's side, the key is there, coz if not, it'll prompt me to generate a key before proceeding.

Yam

LVL 40
Expert Comment
by:jlevie
What The--Captain meant was to make sure that the public key of the pair you just generated is in the correct place on the remote system. You have to manually transfer the public key to the system.

LVL 1
Author Comment
by:YamSeng
Currently, I'm also looking at another way to workaround this whole problem.

What happens is, if I can initiate a telnet (rather than ssh) from the server to the remote side, and maybe telnet might be able to do the login and password thing non-interactively?  Then after telnet gets logged into the remote machine, and if I use programs like xhost and xterm -e and try to telnet back to my server....

If this is workable, it might be easier than to figure out the public key pair for the server and remote machine I think.

Any comments on the viability?

Yam

LVL 40
Expert Comment
by:jlevie
That approach won't work. While you could establish a telnet session from the server to the remote, once you reach the remote you won't be able to use the open telnet session to talk to the server.

The trick is to figure out what hasn't been done correctly on setting up the public key on the remote. It would be helpful to see the commands that you used to generate the public key and transfer that to the remote. And a transcript of the attempt to set up the session with the remote could be illuminating.

LVL 1
Author Comment
by:YamSeng
Hmm....I think you're right, coz when I telnet at the remote to the server, I'm specifying the server's ip or hostname, so it should create a new channel and it shouldn't work if the firewall is blocking it.  I've verified this with netstat -tan | grep <ip>.  Coz when I did all the logins, I ran the netstat command and found 2 communication channels. 8(

ok.  So back to ssh.  The command I use to generate the public key is
ssh-keygen
And I hit only <enter> for the passphrase.
Then after it generates the *.pub file, I copy the file from the server to the remote machine as ./ssh2/authorized_keys2

Then when I run from the server
ssh remote.com
it still prompts me for the password.

LVL 51
Expert Comment
by:ahoffmann
which kind of keys did you generate with ssh-keygen: rsa?

As I said before: ssh2 (which defaults to protocol version 2) does not work with rsa keys, you need to force protocol version 1.

LVL 1
Author Comment
by:YamSeng
ok, good news. I'm progressing.

I've looked at http://www.ssh.com/products/ssh/administrator31/Public-Key_Authentication-2.html again and followed exactly the same steps, that is, creating the "identification" file for server and "authorization" file for remote.

Currently except for the first time where it prompts me for the fingerprints, I just typed "yes".  Subsequently, it didn't prompt me for password anymore! Yes, another obstacle passed.

But how can I do away with the first-time prompts for the fingerprints?  Does that mean I have to manually create the hostkeys files myself?

The error prompt I get every time I connect to a new remote machine was

Host key not found from database.
Key fingerprint:
xubeb-bolat-syvyt-nelyl-gased-hobek-zofyl-zybab-vitoc-maceg-sexex
You can get a public key's fingerprint by running
% ssh-keygen -F publickey.pub    


LVL 1
Author Comment
by:YamSeng
ahoffmann, I thought it worked for me?  I generated a key with ssh-keygen -t rsa and it seems ok.  Except for the fingerprint thing which I think is a different matter.

LVL 1
Author Comment
by:YamSeng
hmm, ahoffmann, maybe your ssh is openSSH? and mine's commercial variant but foc ssh?  Coz even jlevie's version of 3.1 worked with rsa.

LVL 1
Author Comment
by:YamSeng
hmm....wait.  With regards to the previous xhost and xterm solution I mentioned.....I'm beginning to think that it may work....let me clarify....

Assume server has remote machine's IP thru another form of notification.

Server setenv display to remote machine and run xterm.

remote machine run xhost + server.

Wouldn't that allow the remote machine to have a xterm showing but running on server?

Yam

LVL 51
Expert Comment
by:ahoffmann
yes, this even works with ssh if XForwarding is enabled

LVL 40
Expert Comment
by:jlevie
Yes that works, providing that you intend to do things on the remote while logged in to the server. From the way the original question is stated it looks like you are trying to set up a tunnel from the server to the remote (presumably through a firewall at the server's side) so that you could go to the remote and do things from there on the server. I don't see the login, export display, etc. helping if you are wanting to access the server from the remote. And if you are using ssh to make the connection and have XForwarding enabled you don't have to do any of the DISPLAY or xhost things (as ahoffmann pointed out). When ssh forwards X all of that is automatically taken care of.

As to your comment of yesterday regarding the fingerprint. You'll only get that the very first time you connect to another system. There are ways to avoid that by manually copying the keys from the remote to the local system, or as you've seen you can let ssh do the job. Unless I don't fully understand your needs I don't see how the initial key exchange would be a problem.
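
The unattended tunnel jlevie describes in the accepted solution depends on three things this thread touches: the public key actually landing in the remote's authorized_keys (The--Captain's "keys in the wrong places"), GatewayPorts being enabled on the remote so the forwarded port is reachable from outside, and the remote's host key already being known so the first-connection fingerprint prompt never appears in a non-interactive run. The POSIX shell script below is an added example, not jlevie's or anyone else's code from this thread; it checks each of these against files whose paths you pass in. The key blobs, host names and config lines it writes into a temporary directory are constructed placeholders standing in for the real files.

```shell
#!/bin/sh
# Pre-flight checks for an unattended "ssh -R" tunnel.  Added example, not code
# from the thread.  Each check is a function taking file paths, so it can be
# pointed at the real files or at the constructed fixtures created below.
# Return status 0 means the check passed, 1 means it failed.

# Check 1: is the client's public key installed in the remote's authorized_keys?
# Matches on the key blob (second field of a protocol-2 .pub file), so a copy
# with a different comment, or with options such as from="..." in front of it,
# still counts as installed.  Comment lines and blank lines are skipped.
key_installed() {
    pubkey_file=$1
    authorized_file=$2
    blob=$(awk 'NF >= 2 { print $2; exit }' "$pubkey_file")
    [ -n "$blob" ] || return 1
    awk -v blob="$blob" '
        /^[ \t]*(#|$)/ { next }
        { for (i = 1; i <= NF; i++) if ($i == blob) { found = 1; exit } }
        END { exit found ? 0 : 1 }
    ' "$authorized_file"
}

# Check 2: will a listener created with "ssh -R 1030:myserver.com:23" be
# reachable from other hosts?  OpenSSH binds it to the loopback address unless
# the remote's sshd_config says "GatewayPorts yes" (or "clientspecified").
# sshd uses the first occurrence of a directive; Match blocks are not handled.
gateway_ports() {
    sshd_config=$1
    value=$(awk 'tolower($1) == "gatewayports" { print tolower($2); exit }' "$sshd_config")
    : "${value:=no}"   # sshd's default when the directive is absent
    case $value in
        yes|clientspecified) return 0 ;;
        *) return 1 ;;
    esac
}

# Check 3: is the remote's host key already in known_hosts?  Otherwise the
# first unattended connection stalls on the fingerprint confirmation.  Handles
# the "host1,host2 keytype blob" form; hashed (|1|...) entries are not matched.
host_known() {
    host=$1
    known_hosts=$2
    awk -v host="$host" '
        /^[ \t]*(#|$)/ { next }
        { n = split($1, names, ",")
          for (i = 1; i <= n; i++) if (names[i] == host) { found = 1; exit } }
        END { exit found ? 0 : 1 }
    ' "$known_hosts"
}

# Print PASS/FAIL for one check: report "label" check_function args...
report() {
    label=$1
    shift
    if "$@"; then echo "PASS: $label"; else echo "FAIL: $label"; fi
}

# Constructed fixtures standing in for the real files.  The key blobs and the
# host names are placeholders, not real key material.
make_fixtures() {
    dir=$1
    echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCexampleblob0001 yam@myserver" > "$dir/id_rsa.pub"
    echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCexampleblob0002 someone@else" > "$dir/other.pub"
    cat > "$dir/authorized_keys" <<'EOF'
# keys accepted for the tunnel account on myremote
from="myserver.com" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCexampleblob0001 tunnel key
EOF
    printf 'Port 22\n#GatewayPorts yes\nGatewayPorts no\n' > "$dir/sshd_config.default"
    printf 'GatewayPorts yes\n' > "$dir/sshd_config.gateway"
    printf 'myremote.com,192.0.2.10 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQChostkeyblob0003\n' > "$dir/known_hosts"
}

# Demonstration run against the fixtures; the stock sshd_config fails check 2,
# which is exactly the RedHat default jlevie warns about.
fixtures=$(mktemp -d)
make_fixtures "$fixtures"
report "public key present in remote authorized_keys" key_installed "$fixtures/id_rsa.pub" "$fixtures/authorized_keys"
report "GatewayPorts allows remote clients (stock config)" gateway_ports "$fixtures/sshd_config.default"
report "GatewayPorts allows remote clients (tunnel config)" gateway_ports "$fixtures/sshd_config.gateway"
report "myremote.com host key already in known_hosts" host_known myremote.com "$fixtures/known_hosts"
rm -rf "$fixtures"
```

Run the three functions against the real `~/.ssh/id_rsa.pub`, the remote's `~/.ssh/authorized_keys` (or `authorized_keys2` on the older OpenSSH in this thread), the remote's `sshd_config` and the local `known_hosts` before handing the command to procmail; a FAIL on check 1 is the usual reason a passphrase-less key still gets a password prompt.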