SSH access without password

Posted on 2004-04-26
Medium Priority
Last Modified: 2013-12-27

I'm trying to set up SSH (I'm using protocol 2) with key access between 2 Solaris boxes so I don't require password verification. I have read a number of other questions from people trying to do the same thing, but mine still doesn't fly.

OK, so far I have:
1. Generated my keys
ssh-keygen -t dsa -f ~/.ssh/id_dsa
ssh-keygen -t rsa -f ~/.ssh/id_rsa

2. Copied the id_dsa.pub and id_rsa.pub into an authorized_keys file (also tried calling this authorized_keys2) and put this on the remote box in ~/.ssh

3. Started the ssh-agent

4. Ran add-ssh, this failed the first time but seems to be ok now.

However, when I come to ssh user@remotebox it still prompts me for a password, rather frustrating. Is there something I need to change in the sshd_config file, or add to the ~/.ssh/known_hosts file?

Thanks in advance.
Question by:matt_nz

Expert Comment

ID: 10926348
Hi mat,

I use RSA keys, and when I configure my keys I do in general
ssh-keygen -t rsa -b 1024
and then I save it to its defaults in general.
I then copy my id_rsa.pub to authorized_keys.
I do chmod 640 on authorized_keys and my pub and private key.
And this is my sshd_config:

Protocol 2,1
Port 22
HostKey /usr/local/etc/ssh_host_rsa_key
HostKey /usr/local/etc/ssh_host_dsa_key
AllowTcpForwarding yes
X11Forwarding yes
X11DisplayOffset 10
Banner /etc/issue
PrintMotd no
KeepAlive yes
SyslogFacility auth
LogLevel verbose
Ciphers aes128-cbc,blowfish-cbc,3des-cbc
MACS    hmac-sha1,hmac-md5
ServerKeyBits 1024
KeyRegenerationInterval 3600
StrictModes yes
LoginGraceTime 60
PubkeyAuthentication yes
PermitEmptyPasswords no
PasswordAuthentication no
#PAMAuthenticationViaKBDInt yes
PermitRootLogin yes
Subsystem       sftp    /usr/lib/ssh/sftp-server

When I connect with PuTTY I specify to use protocol 2; for Unix I put this preference in ssh_config.
When you use DSA keys you need to place them in authorized_keys2.

Author Comment

ID: 10933758
This is basically what I have already done and it still prompts me for a password. Any more ideas?

Accepted Solution

bloemkool1980 earned 300 total points
ID: 10936035
What is the client you use?
And if it is a Unix one, paste your config file.
If you use the Unix one, do an ssh -vvvvv and look at what error you get.

Expert Comment

ID: 10943581
Have you checked the access rights on your .ssh directory and on your authorized_keys2?
You should:

cd ~
chmod 700 .ssh
chmod 400 .ssh/authorized_keys2

Of course, they should belong to you.

Author Comment

ID: 10943661
Hi - The machines I am using run Solaris 8 on Sun v120's.

The output from the ssh -vvvvv was extremely useful, the keypass is looking for private keys in an 'identity' file. I catted id_rsa and id_dsa into identity and I got prompted for the passphrase - a step forward, however this fails and it moves on to password authentication. So I now have the private keys in identity and public keys in authorized_keys in ~/.ssh on the remote machine. On the local machine I have id_rsa.pub, id_rsa, id_dsa, id_dsa.pub, known_hosts and identity files in ~/.ssh.

This is where it fails, output from -vvvvv:

debug1: read PEM private key done: type DSA
debug3: sign_and_send_pubkey
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: /usr/local/home/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: /usr/local/home/.ssh/id_dsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password

This is my sshd_config

"sshd_config" [Read only] 98 lines, 2550 characters
#       $OpenBSD: sshd_config,v 1.65 2003/08/28 12:54:34 markus Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#Protocol 2,1
#Changed by MED 26/4/2004
Protocol 2
ListenAddress (Remote IP here)
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /usr/local/etc/ssh_host_key
# HostKeys for protocol version 2
#HostKey /usr/local/etc/ssh_host_rsa_key
#HostKey /usr/local/etc/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys

# For this to work you will also need host keys in /usr/local/etc/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCreds yes

# Set this to 'yes' to enable PAM authentication (via challenge-response)
# and session processing. Depending on your PAM configuration, this may
# bypass the setting of 'PasswordAuthentication'
#UsePAM yes

#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem       sftp    /usr/local/libexec/sftp-server
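
A way to read a client trace like the -vvvvv excerpt in the comment above, as an added example that is not part of the original thread: the function pairs each key the client offers with the server's reply. The function name and output labels are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Output labels are illustrative.

# Reads `ssh -v` client debug output on stdin and prints one line per
# public-key attempt with its outcome.
summarize_pubkey_attempts() {
    awk '
    BEGIN { key = "?" }                # attempt started before the excerpt
    /Offering public key: / {          # probe: does the server know this key
        sub(/^.*Offering public key: /, ""); key = $1; state = "offered"; next
    }
    /Server accepts key/       { print "KEY-KNOWN " key; next }
    /sign_and_send_pubkey/     { state = "signed"; next }
    /Authentication succeeded/ { print "SUCCESS " key; state = ""; next }
    /Authentications that can continue/ {
        # Failure right after a probe: no usable authorized_keys entry for
        # this key. Failure after a signature: the signed request was refused.
        if (state == "offered") print "KEY-REJECTED " key
        if (state == "signed")  print "SIGN-REJECTED " key
        state = ""; next
    }
    /authmethod_lookup password/ { print "FALLBACK password" }
    '
}

# Sample input: the -vvvvv excerpt posted in the thread.
sample_log() {
    cat <<'EOF'
debug1: read PEM private key done: type DSA
debug3: sign_and_send_pubkey
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: /usr/local/home/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: /usr/local/home/.ssh/id_dsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
EOF
}

sample_log | summarize_pubkey_attempts
```

On a live system, `ssh -v user@remotebox 2>&1 | summarize_pubkey_attempts` gives the same summary, since ssh writes its debug lines to stderr.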


Expert Comment

ID: 10943702
If what I gave you does not work, kill your sshd, and relaunch one in debug mode:

sshd -d -D

Expert Comment

ID: 10946419
# HostKey for protocol version 1
#HostKey /usr/local/etc/ssh_host_key
# HostKeys for protocol version 2
#HostKey /usr/local/etc/ssh_host_rsa_key
#HostKey /usr/local/etc/ssh_host_dsa_key

You should uncomment the host key settings. Your SSH server (that is, sshd) does not have a key specified because they are all commented out.
You need a key pair on the client side but also on the server side.
ssh-keygen  -t rsa1 -f /usr/local/etc/ssh_host_key -N ""
ssh-keygen  -t rsa -f  /usr/local/etc/ssh_host_rsa_key -N ""
ssh-keygen  -t dsa -f /usr/local/etc/ssh_host_dsa_key -N ""
Run the above commands to generate your sshd keys and then uncomment the section I pasted on top.
Then it will work.

Author Comment

ID: 10982238
I've been off for a couple of days - thanks for the suggestions. However this is still not working. Where do I get the host key from in the following error message to add to known_hosts?

TG-A$ ssh TG-B
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
Please contact your system administrator.
Add correct host key in /.ssh/known_hosts to get rid of this message.
Offending key in /.ssh/known_hosts:3
RSA host key for tg-b has changed and you have requested strict checking.
Host key verification failed.

Expert Comment

ID: 10984026
Ah, this is because your key on the server has been changed.
Delete the known_hosts file in your .ssh directory on the client.

Expert Comment

ID: 10985159

Don't delete the whole known_hosts file.
Just delete the TG-B line in this file.

Author Comment

ID: 11027612
The problem was creating keys as root in /.ssh and others as user in ~/.ssh (which the -vvvvv was telling me, only my brain wasn't listening!). After some fiddling keys round it's all working now. cheers.
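
The ownership and permission checks raised in this thread (chmod 700 on .ssh, authorized_keys belonging to the account, keys created as root instead of as the user), gathered into one audit as an added example that is not part of the original thread. The function name and messages are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Function name and messages are
# illustrative; the file names are the ones discussed in the thread.

# audit_ssh_dir HOME_DIR USER
# Prints one "FAIL: ..." line per problem; returns 0 only when none are found.
audit_ssh_dir() {
    home=$1; user=$2; rc=0

    # With StrictModes yes, sshd ignores authorized_keys when the home
    # directory, ~/.ssh or the file itself is writable by group/other or
    # owned by another user. sshd tolerates root as owner; this audit is
    # stricter and requires the account itself, as the thread advises.
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys" \
             "$home/.ssh/authorized_keys2"; do
        [ -e "$p" ] || continue
        [ -n "$(find "$p" -prune -user "$user")" ] ||
            { echo "FAIL: $p is not owned by $user"; rc=1; }
        [ -z "$(find "$p" -prune \( -perm -020 -o -perm -002 \))" ] ||
            { echo "FAIL: $p is group/world-writable"; rc=1; }
    done

    # A private key created by root (mode 600, owner root) is unreadable to
    # the user's ssh client, and the client refuses keys others can read.
    for k in "$home/.ssh/id_rsa" "$home/.ssh/id_dsa" "$home/.ssh/identity"; do
        [ -e "$k" ] || continue
        [ -n "$(find "$k" -prune -user "$user")" ] ||
            { echo "FAIL: $k is not owned by $user"; rc=1; }
        [ -z "$(find "$k" -prune \( -perm -040 -o -perm -004 \))" ] ||
            { echo "FAIL: $k is readable by group/other"; rc=1; }
    done
    return $rc
}

# Audit the invoking user's own files.
audit_ssh_dir "$HOME" "$(id -un)" || echo "fix the FAIL items, then retry ssh -v"
```

Run it on both machines: the private-key checks matter on the client, the authorized_keys checks on the server.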
