Solved

SSH access without password

Posted on 2004-04-26
11
5,913 Views
Last Modified: 2013-12-27
Hi

I'm trying to set up SSH (I'm using protocol 2) with key access between 2 solaris boxes so I don't require password verification. I have read a number of other questions from people trying to do the same thing, but mine still doesn't fly.

OK, So far I have
1, generated my keys
ssh-keygen -t dsa -f ~/.ssh/id_dsa
ssh-keygen -t rsa -f ~/.ssh/id_rsa

2, Copied the  id_dsa.pub and id_rsa.pub into a authorized_keys file (also tried calling this authorized_keys2) and put this on the remote box in ~/.ssh

3, Started the ssh-agent

4, Ran add-ssh, this failed the first time but seems to be ok now.

However when I come to ssh user@remotebox it still prompts me for a password, rather frustrating. Is there something I need to change in the sshd_config file? or add to the ~/.ssh/known_hosts file?

Thanks in advance.
Matt
0
Comment
Question by:matt_nz
  • 4
  • 4
  • 3
11 Comments
 
LVL 6

Expert Comment

by:bloemkool1980
ID: 10926348
Hi mat,

I use RSA keys. and when I configure my keys I do in general
ssh-keygen -t rsa -b 1024
and then I save it to its defaults in general
I then copy my id_rsa.pub to authorized_keys
i do chmod 640 on authorized_keys and my pub and private key.
and this is my sshd_config

rotocol 2,1
Port 22
ListenAddress 169.42.108.191
HostKey /usr/local/etc/ssh_host_rsa_key
HostKey /usr/local/etc/ssh_host_dsa_key
AllowTcpForwarding yes
X11Forwarding yes
X11DisplayOffset 10
Banner /etc/issue
PrintMotd no
KeepAlive yes
SyslogFacility auth
LogLevel verbose
Ciphers aes128-cbc,blowfish-cbc,3des-cbc
MACS    hmac-sha1,hmac-md5
ServerKeyBits 1024
KeyRegenerationInterval 3600
StrictModes yes
LoginGraceTime 60
PubkeyAuthentication yes
PermitEmptyPasswords no
PasswordAuthentication no
#PAMAuthenticationViaKBDInt yes
PermitRootLogin yes
Subsystem       sftp    /usr/lib/ssh/sftp-server

When I connect  with putty I specify to use protocol 2 for unix I put this preference in ssh_config.
When you use dsa keys you need to place them in authorized_keys2
cheers
0
 

Author Comment

by:matt_nz
ID: 10933758
This is basically what I have already done and it still prompts me for a password. Any more ideas?
0
 
LVL 6

Accepted Solution

by:
bloemkool1980 earned 100 total points
ID: 10936035
what is the client you use ?
And if it is a unix one paste your config file.
if u use the unix one do an ssh -vvvvv and look what error you get.
0
Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

 
LVL 9

Expert Comment

by:Alf666
ID: 10943581
Have you checked the access rights on your .ssh directory and on your authorized_keys2 ?
You should :

cd ~
chmod 700 .ssh
chmod 400 .ssh/authorized_keys2

Of course, they should belong to you.
0
 

Author Comment

by:matt_nz
ID: 10943661
Hi - The machinces I am using run Solaris 8 on Sun v120's.

The output from the ssh -vvvvv was extremely useful, the keypass is looking for private keys in an 'identity' file. I catted id_rsa and id_dsa into identity and I got prompted for the passphrase - a step forward, however this fails and it moves on to password authentication. So I now have the private keys in idntity and public keys in authorized_keys in ~.ssh on the remote machine. On the local machine I have id_rsa.pub, id_rsa, id_dsa, id_dsa.pub, known_hosts and identity files in ~.ssh.

This is where it fails out put from -vvvvv

debug1: read PEM private key done: type DSA
debug3: sign_and_send_pubkey
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: /usr/local/home/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: /usr/local/home/.ssh/id_dsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password

This is my sshd_config

"sshd_config" [Read only] 98 lines, 2550 characters
#       $OpenBSD: sshd_config,v 1.65 2003/08/28 12:54:34 markus Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#Protocol 2,1
#Changed by MED 26/4/2004
Protocol 2
ListenAddress (Remote IP here)
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /usr/local/etc/ssh_host_key
# HostKeys for protocol version 2
#HostKey /usr/local/etc/ssh_host_rsa_key
#HostKey /usr/local/etc/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys

# For this to work you will also need host keys in /usr/local/etc/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCreds yes

# Set this to 'yes' to enable PAM authentication (via challenge-response)
# and session processing. Depending on your PAM configuration, this may
# bypass the setting of 'PasswordAuthentication'
#UsePAM yes

#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem       sftp    /usr/local/libexec/sftp-server

Rgds
Matt
0
 
LVL 9

Expert Comment

by:Alf666
ID: 10943702
If what I gave you does not work, kill you sshd, and relaunch one in debug mode :

sshd -d -D
0
 
LVL 6

Expert Comment

by:bloemkool1980
ID: 10946419
# HostKey for protocol version 1
#HostKey /usr/local/etc/ssh_host_key
# HostKeys for protocol version 2
#HostKey /usr/local/etc/ssh_host_rsa_key
#HostKey /usr/local/etc/ssh_host_dsa_key

you should uncomment the host keys settings. Your ssh Server thus SSHD does not has a key specified because they are all commented.
You need a key pair on the client side but also on the server side.
ssh-keygen  -t rsa1 -f /usr/local/etc/ssh_host_key -N ""
ssh-keygen  -t rsa -f  /usr/local/etc/ssh_host_rsa_key -N ""
ssh-keygen  -t dsa -f /usr/local/etc/ssh_host_dsa_key -N ""
do above commands to generate your sshd keys and then uncomment the section I pasted on top
Then it will work
0
 

Author Comment

by:matt_nz
ID: 10982238
I've been off for a couple of days - thanks for the suggestions. However this is still not working. Where do I get the host key from in the following error message to add to known_hosts?

TG-A$ ssh TG-B
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
49:1c:fa:d3:65:cf:6b:99:0c:60:b7:ce:17:91:a4:ef.
Please contact your system administrator.
Add correct host key in /.ssh/known_hosts to get rid of this message.
Offending key in /.ssh/known_hosts:3
RSA host key for tg-b has changed and you have requested strict checking.
Host key verification failed.
TG-A$
0
 
LVL 6

Expert Comment

by:bloemkool1980
ID: 10984026
ah this is because your key on the server has been changed.
Delete the known_host file in your .ssh directory on the client
0
 
LVL 9

Expert Comment

by:Alf666
ID: 10985159
NOOOOOO !

Don't delete the whole known_host file.
Just delete the TG-B line in this file.
0
 

Author Comment

by:matt_nz
ID: 11027612
The problem was creating keys as root in /.ssh and others as user in ~/.ssh (which the -vvvvv was telling me, only my brain wasn't listening!). After some fiddling keys round it's all working now. cheers.
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

A metadevice consists of one or more devices (slices). It can be expanded by adding slices. Then, it can be grown to fill a larger space while the file system is in use. However, not all UNIX file systems (UFS) can be expanded this way. The conca…
Using libpcap/Jpcap to capture and send packets on Solaris version (10/11) Library used: 1.      Libpcap (http://www.tcpdump.org) Version 1.2 2.      Jpcap(http://netresearch.ics.uci.edu/kfujii/Jpcap/doc/index.html) Version 0.6 Prerequisite: 1.      GCC …
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
In a previous video, we went over how to export a DynamoDB table into Amazon S3.  In this video, we show how to load the export from S3 into a DynamoDB table.

790 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question