Solved

passwordless ssh

Posted on 2003-03-19
Last Modified: 2008-03-03
Hi all experts,
I want to ssh to a remote machine without being asked for a password. For this purpose I gathered some tips from the net and did something like this:
First of all I created RSA and DSA keys using ssh-keygen without a passphrase under userhome/.ssh/, and copied the RSA key into the @remoteuserhome/.ssh/authorised keys file of the remote machine via scp.
I am using OpenSSH_2.9p2, SSH protocols 1.5/2.0, OpenSSL 0x0090602f on both machines.
But still, when I want to ssh to the remote machine, it asks for a password.
Any ideas?
Question by:MNGROW
11 Comments
 

Expert Comment

by:GregBolshaw
ID: 8172936
There's an option in /etc/sshd_config to allow passwordless logins. Of course, you will also need a passwordless account to logon as.
0
 
LVL 6

Expert Comment

by:bummerlord
ID: 8173880
(Greg, you are scaring me! I hope you don't mean "PermitEmptyPasswords yes" ..you should go to jail for using that ;-))


MNGROW, make sure that you don't have "PubkeyAuthentication no" (default should be "yes" I think) in sshd_config
Then look in sshd_config again... look for "AuthorizedKeysFile".
If such a parameter exists note the value.. (e.g. .ssh/authorized_keys ) The default may be ".ssh/authorized_keys2" depending on the openssh version.

/b
0
 
LVL 20

Expert Comment

by:Gns
ID: 8175253
If you really don't care about security, use .shosts files (rhost authentication. This is normally disabled, with good cause). To get the keys right, connect back to the client system from the server.

You should follow bummerlord's lead.

-- Glenn
0
 
LVL 6

Expert Comment

by:bummerlord
ID: 8176378
btw, you didn't say what key you copied to the authorized_keys file on the remote account... it should be the _public_ key! Double check! :-)
Also there is no need to generate both RSA and DSA key pairs. Could it be that you copied the public DSA key, and are actually trying to authenticate using the RSA private key, or the other way around? (possibly both are tried if both exist, I haven't really thought about it until now...)
You could try to symlink ".ssh/identity" to ".ssh/id_dsa" (or id_rsa). I think "identity" is always used if it exists (the type of key doesn't matter)

If you connect using "ssh -v ...." you'll get some debug output that might give better clues. If you need, post it here and someone might decode it for you.

/b
0
 

Author Comment

by:MNGROW
ID: 8182982
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Seeding random number generator
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 501 geteuid 0 anon 1
debug1: Connecting to remote [remote] port 6667.
debug1: temporarily_use_uid: 501/501 (e=0)
debug1: restore_uid
debug1: temporarily_use_uid: 501/501 (e=0)
debug1: restore_uid
debug1: Connection established.
debug1: read PEM private key done: type DSA
debug1: read PEM private key done: type RSA
debug1: identity file /var/ftp/admin005/.ssh/identity type 0
debug1: identity file /var/ftp/admin005/.ssh/id_rsa type -1
debug1: identity file /var/ftp/admin005/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_2.5.2p2
debug1: match: OpenSSH_2.5.2p2 pat ^OpenSSH_2\.5\.[012]
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_2.9p2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST_OLD sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 132/256
debug1: bits set: 994/2049
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '202.179.159.130' is known and matches the RSA host key.
debug1: Found key in /var/ftp/admin005/.ssh/known_hosts2:1
debug1: bits set: 1045/2049
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password
debug1: next auth method to try is publickey
debug1: try privkey: /var/ftp/admin005/.ssh/id_rsa
debug1: try privkey: /var/ftp/admin005/.ssh/id_dsa
debug1: next auth method to try is password
admin005@server's password:
debug1: authentications that can continue: publickey,password
Permission denied, please try again.
admin005@server's password:
debug1: authentications that can continue: publickey,password
Permission denied, please try again.
admin005@server's password:
debug1: authentications that can continue: publickey,password
debug1: no more auth methods to try
Permission denied (publickey,password).
debug1: Calling cleanup 0x8063570(0x0)
[admin005@moser admin005]$ ssh -v 202.179.159.130 -i .ssh/authorized_keys
OpenSSH_2.9p2, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Seeding random number generator
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 501 geteuid 0 anon 1
debug1: Connecting to 202.179.159.130 [202.179.159.130] port 6667.
debug1: temporarily_use_uid: 501/501 (e=0)
debug1: restore_uid
debug1: temporarily_use_uid: 501/501 (e=0)
debug1: restore_uid
debug1: Connection established.
debug1: read PEM private key done: type DSA
debug1: read PEM private key done: type RSA
debug1: identity file .ssh/authorized_keys type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_2.5.2p2
debug1: match: OpenSSH_2.5.2p2 pat ^OpenSSH_2\.5\.[012]
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_2.9p2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST_OLD sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 135/256
debug1: bits set: 1020/2049
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '202.179.159.130' is known and matches the RSA host key.
debug1: Found key in /var/ftp/admin005/.ssh/known_hosts2:1
debug1: bits set: 1015/2049
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password
debug1: next auth method to try is publickey
debug1: try privkey: .ssh/authorized_keys
debug1: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
Enter passphrase for key '.ssh/authorized_keys':
debug1: next auth method to try is password
admin005@202.179.159.130's password:
debug1: authentications that can continue: publickey,password
Permission denied, please try again.
admin005@202.179.159.130's password:
debug1: authentications that can continue: publickey,password
Permission denied, please try again.
admin005@202.179.159.130's password:
debug1: authentications that can continue: publickey,password
debug1: no more auth methods to try
Permission denied (publickey,password).
debug1: Calling cleanup 0x8063570(0x0)
#######################
That's all that I have got from ssh -v.
0
 

Author Comment

by:MNGROW
ID: 8183017
I created an empty passphrase by hitting ENTER both times when it asked for a passphrase,
but as you can see in the ssh -v output above, it asks me for a passphrase, and when I press Enter it goes to the password auth method.
That's what I don't want.
0
 
LVL 6

Accepted Solution

by:
bummerlord earned 200 total points
ID: 8184362
Your first run looks good
---
debug1: next auth method to try is publickey
debug1: try privkey: /var/ftp/admin005/.ssh/id_rsa
debug1: try privkey: /var/ftp/admin005/.ssh/id_dsa
---

Client is trying to use the private keys for authentication..
The "problem" is at the server side.. possibly the public key should go in "authorized_keys2" instead of "authorized_keys".
The password you are being prompted for is the remote password for the account, not the passphrase for the private key (that prompt looks rather different :-))

Your second run is bound to fail.. you don't authenticate using the public key(s) from the client. The authorized_keys file is _only_ used on the server.

Make sure that you copied the _public_ key to the authorized_keys(2) file for the account you intend to log in to. If it's the first key, you just copy id_rsa.pub to $HOME/.ssh/authorized_keys (possibly authorized_keys2); or, if you already have other keys in there, you'd append the content of id_rsa.pub using something like: cat id_rsa.pub >> $HOME/.ssh/authorized_keys


0
 

Expert Comment

by:CleanupPing
ID: 9087666
MNGROW:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
0
 
LVL 20

Expert Comment

by:Gns
ID: 9091957
Give it to the bummerlord, or possibly split off a smaller share for greg.

-- Glenn
0
 
LVL 6

Expert Comment

by:bummerlord
ID: 9097421
Hi Gns! :-)
Or refund..

Btw, I just realized that no one (especially not me) mentioned checking the permissions on the private key... if they are too loose, ssh will always ask for a passphrase even though the key isn't encrypted, I think.

/b

0
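
The checks raised in the accepted answer (public key in the file the server reads) and in the later comment on permissions, as an added example that is not part of the original thread. The function names are hypothetical, the key-type pattern covers only the RSA and DSA public-key prefixes discussed here, and the group/other-writable test mirrors what sshd enforces when StrictModes is enabled.

```sh
#!/bin/sh
# Added example: audit the files involved in SSH public-key login.
# Function names are hypothetical; pass the paths used on your own hosts.

# Print the 10-character mode string (e.g. -rw-------) of a path.
mode_of() { ls -ld -- "$1" | cut -c1-10; }

# Succeeds if group or other may write to the path (rejected by StrictModes).
group_or_other_writable() {
    m=$(mode_of "$1")
    [ "$(printf %s "$m" | cut -c6)" = w ] || [ "$(printf %s "$m" | cut -c9)" = w ]
}

# Server side: check the .ssh directory and the key file named by
# AuthorizedKeysFile. Prints one finding per line, returns the finding count.
check_authorized_keys() {
    dir=$1; file=$2; bad=0
    [ -f "$dir/$file" ] || { echo "missing: $dir/$file"; return 1; }
    for p in "$dir" "$dir/$file"; do
        if group_or_other_writable "$p"; then
            echo "writable by group/other: $p"; bad=$((bad + 1))
        fi
    done
    # A private key copied here by mistake can never authenticate anyone.
    if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$dir/$file"; then
        echo "private key material in $file (expected the .pub file)"; bad=$((bad + 1))
    fi
    # Public key lines look like: [options] ssh-rsa|ssh-dss <base64> [comment]
    if ! grep -Eq '(^| )(ssh-rsa|ssh-dss) [A-Za-z0-9+/=]+' "$dir/$file"; then
        echo "no public key line in $file"; bad=$((bad + 1))
    fi
    return "$bad"
}

# Client side: the private key must not be accessible by group or other.
check_private_key() {
    [ "$(mode_of "$1" | cut -c5-10)" = "------" ] && return 0
    echo "private key too open: $1"; return 1
}

# Usage: check_authorized_keys "$HOME/.ssh" authorized_keys2   (on the server)
#        check_private_key "$HOME/.ssh/id_rsa"                 (on the client)
```

Run the server-side check against whichever file name sshd_config sets for AuthorizedKeysFile, since a key in the wrong file produces the same fall-through to the password prompt.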
 
LVL 2

Expert Comment

by:TheWeakestLink
ID: 9289064
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:
Accept comments from bummerlord as answer
Please leave any comments here within the next seven days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

TheWeakestLink
EE Cleanup Volunteer
0
