

SSH access without password

Posted on 2004-04-26
Medium Priority
Last Modified: 2013-12-27

I'm trying to set up SSH (I'm using protocol 2) with key access between 2 solaris boxes so I don't require password verification. I have read a number of other questions from people trying to do the same thing, but mine still doesn't fly.

OK, So far I have
1, generated my keys
ssh-keygen -t dsa -f ~/.ssh/id_dsa
ssh-keygen -t rsa -f ~/.ssh/id_rsa

2, Copied the and into a authorized_keys file (also tried calling this authorized_keys2) and put this on the remote box in ~/.ssh

3, Started the ssh-agent

4, Ran add-ssh, this failed the first time but seems to be ok now.

However when I come to ssh user@remotebox it still prompts me for a password, rather frustrating. Is there something I need to change in the sshd_config file? or add to the ~/.ssh/known_hosts file?

Thanks in advance.
Question by:matt_nz

Expert Comment

ID: 10926348
Hi mat,

I use RSA keys, and when I configure my keys I generally do
ssh-keygen -t rsa -b 1024
and then I generally save it to its defaults.
I then copy my to authorized_keys
I do chmod 640 on authorized_keys and my pub and private key,
and this is my sshd_config:

Protocol 2,1
Port 22
HostKey /usr/local/etc/ssh_host_rsa_key
HostKey /usr/local/etc/ssh_host_dsa_key
AllowTcpForwarding yes
X11Forwarding yes
X11DisplayOffset 10
Banner /etc/issue
PrintMotd no
KeepAlive yes
SyslogFacility auth
LogLevel verbose
Ciphers aes128-cbc,blowfish-cbc,3des-cbc
MACS    hmac-sha1,hmac-md5
ServerKeyBits 1024
KeyRegenerationInterval 3600
StrictModes yes
LoginGraceTime 60
PubkeyAuthentication yes
PermitEmptyPasswords no
PasswordAuthentication no
#PAMAuthenticationViaKBDInt yes
PermitRootLogin yes
Subsystem       sftp    /usr/lib/ssh/sftp-server

When I connect with PuTTY I specify protocol 2; for Unix I put this preference in ssh_config.
When you use DSA keys you need to place them in authorized_keys2.

Author Comment

ID: 10933758
This is basically what I have already done and it still prompts me for a password. Any more ideas?

Accepted Solution

bloemkool1980 earned 300 total points
ID: 10936035
What is the client you use?
And if it is a Unix one, paste your config file.
If you use the Unix one, do an ssh -vvvvv and look at what error you get.


Expert Comment

ID: 10943581
Have you checked the access rights on your .ssh directory and on your authorized_keys2?
You should:

cd ~
chmod 700 .ssh
chmod 400 .ssh/authorized_keys2

Of course, they should belong to you.

Author Comment

ID: 10943661
Hi - The machines I am using run Solaris 8 on Sun v120's.

The output from the ssh -vvvvv was extremely useful, the keypass is looking for private keys in an 'identity' file. I catted id_rsa and id_dsa into identity and I got prompted for the passphrase - a step forward, however this fails and it moves on to password authentication. So I now have the private keys in identity and public keys in authorized_keys in ~.ssh on the remote machine. On the local machine I have, id_rsa, id_dsa,, known_hosts and identity files in ~.ssh.

This is where it fails, output from -vvvvv:

debug1: read PEM private key done: type DSA
debug3: sign_and_send_pubkey
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: /usr/local/home/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: /usr/local/home/.ssh/id_dsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password

This is my sshd_config

"sshd_config" [Read only] 98 lines, 2550 characters
#       $OpenBSD: sshd_config,v 1.65 2003/08/28 12:54:34 markus Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#Protocol 2,1
#Changed by MED 26/4/2004
Protocol 2
ListenAddress (Remote IP here)
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /usr/local/etc/ssh_host_key
# HostKeys for protocol version 2
#HostKey /usr/local/etc/ssh_host_rsa_key
#HostKey /usr/local/etc/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys

# For this to work you will also need host keys in /usr/local/etc/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCreds yes

# Set this to 'yes' to enable PAM authentication (via challenge-response)
# and session processing. Depending on your PAM configuration, this may
# bypass the setting of 'PasswordAuthentication'
#UsePAM yes

#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/
#MaxStartups 10

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem       sftp    /usr/local/libexec/sftp-server


Expert Comment

ID: 10943702
If what I gave you does not work, kill your sshd, and relaunch one in debug mode:

sshd -d -D

Expert Comment

ID: 10946419
# HostKey for protocol version 1
#HostKey /usr/local/etc/ssh_host_key
# HostKeys for protocol version 2
#HostKey /usr/local/etc/ssh_host_rsa_key
#HostKey /usr/local/etc/ssh_host_dsa_key

You should uncomment the host key settings. Your ssh server, thus sshd, does not have a key specified because they are all commented.
You need a key pair on the client side but also on the server side.
ssh-keygen  -t rsa1 -f /usr/local/etc/ssh_host_key -N ""
ssh-keygen  -t rsa -f  /usr/local/etc/ssh_host_rsa_key -N ""
ssh-keygen  -t dsa -f /usr/local/etc/ssh_host_dsa_key -N ""
Do the above commands to generate your sshd keys and then uncomment the section I pasted on top.
Then it will work.

Author Comment

ID: 10982238
I've been off for a couple of days - thanks for the suggestions. However this is still not working. Where do I get the host key from in the following error message to add to known_hosts?

TG-A$ ssh TG-B
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
Please contact your system administrator.
Add correct host key in /.ssh/known_hosts to get rid of this message.
Offending key in /.ssh/known_hosts:3
RSA host key for tg-b has changed and you have requested strict checking.
Host key verification failed.

Expert Comment

ID: 10984026
Ah, this is because your key on the server has been changed.
Delete the known_host file in your .ssh directory on the client.

Expert Comment

ID: 10985159

Don't delete the whole known_host file.
Just delete the TG-B line in this file.

Author Comment

ID: 11027612
The problem was creating keys as root in /.ssh and others as user in ~/.ssh (which the -vvvvv was telling me, only my brain wasn't listening!). After some fiddling keys round it's all working now. cheers.
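
The ownership mix-up described in the last comment and the permission advice earlier in the thread can both be checked mechanically. The script below is an added example, not code from any poster in this thread; the function names are hypothetical, and the rules it applies are stated as assumptions about OpenSSH in its first comment.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed OpenSSH rules: sshd with
# StrictModes rejects paths not owned by the user or root, or writable by
# group/others; the client ignores a private key group/others can access.

problems=""
note() { problems="${problems}$1
"; }

# check_path PATH UID KIND, where KIND is "server" or "private"
check_path() {
    [ -e "$1" ] || { note "missing: $1"; return 0; }
    owner=$(ls -ldn "$1" | awk '{print $3}')
    mode=$(ls -ldn "$1" | cut -c1-10)
    if [ "$3" = private ]; then
        [ "$owner" = "$2" ] || note "owner uid $owner, expected $2: $1"
        case $mode in
            ????------) ;;
            *) note "group/other access ($mode): $1" ;;
        esac
    else
        [ "$owner" = "$2" ] || [ "$owner" = 0 ] ||
            note "owner uid $owner, expected $2 or 0: $1"
        case $mode in
            ?????w????|????????w?) note "group/other writable ($mode): $1" ;;
        esac
    fi
}

# check_ssh_perms HOME_DIR USER (name or numeric uid); returns 0 if clean
check_ssh_perms() {
    problems=""
    case $2 in
        *[!0-9]*) uid=$(id -u "$2") || return 2 ;;
        *) uid=$2 ;;
    esac
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        check_path "$p" "$uid" server
    done
    for key in "$1/.ssh/id_rsa" "$1/.ssh/id_dsa"; do
        if [ -e "$key" ]; then check_path "$key" "$uid" private; fi
    done
    if [ -z "$problems" ]; then return 0; fi
    printf '%s' "$problems"
    return 1
}

# Run against a real account when called with two arguments.
if [ $# -eq 2 ]; then check_ssh_perms "$1" "$2"; fi
```

Run it on the remote box for the server-side files and on the local box for the private keys; a key created by root in the user's ~/.ssh shows up as an owner mismatch.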
