matt_nz
asked on
SSH access without password
Hi
I'm trying to set up SSH (I'm using protocol 2) with key access between 2 solaris boxes so I don't require password verification. I have read a number of other questions from people trying to do the same thing, but mine still doesn't fly.
OK, So far I have
1, generated my keys
ssh-keygen -t dsa -f ~/.ssh/id_dsa
ssh-keygen -t rsa -f ~/.ssh/id_rsa
2, Copied the id_dsa.pub and id_rsa.pub into a authorized_keys file (also tried calling this authorized_keys2) and put this on the remote box in ~/.ssh
3, Started the ssh-agent
4, Ran add-ssh, this failed the first time but seems to be ok now.
However when I come to ssh user@remotebox it still prompts me for a password, rather frustrating. Is there something I need to change in the sshd_config file? or add to the ~/.ssh/known_hosts file?
Thanks in advance.
Matt
I'm trying to set up SSH (I'm using protocol 2) with key access between 2 solaris boxes so I don't require password verification. I have read a number of other questions from people trying to do the same thing, but mine still doesn't fly.
OK, So far I have
1, generated my keys
ssh-keygen -t dsa -f ~/.ssh/id_dsa
ssh-keygen -t rsa -f ~/.ssh/id_rsa
2, Copied the id_dsa.pub and id_rsa.pub into a authorized_keys file (also tried calling this authorized_keys2) and put this on the remote box in ~/.ssh
3, Started the ssh-agent
4, Ran add-ssh, this failed the first time but seems to be ok now.
However when I come to ssh user@remotebox it still prompts me for a password, rather frustrating. Is there something I need to change in the sshd_config file? or add to the ~/.ssh/known_hosts file?
Thanks in advance.
Matt
ASKER
This is basically what I have already done and it still prompts me for a password. Any more ideas?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Have you checked the access rights on your .ssh directory and on your authorized_keys2 ?
You should :
cd ~
chmod 700 .ssh
chmod 400 .ssh/authorized_keys2
Of course, they should belong to you.
You should :
cd ~
chmod 700 .ssh
chmod 400 .ssh/authorized_keys2
Of course, they should belong to you.
ASKER
Hi - The machinces I am using run Solaris 8 on Sun v120's.
The output from the ssh -vvvvv was extremely useful, the keypass is looking for private keys in an 'identity' file. I catted id_rsa and id_dsa into identity and I got prompted for the passphrase - a step forward, however this fails and it moves on to password authentication. So I now have the private keys in idntity and public keys in authorized_keys in ~.ssh on the remote machine. On the local machine I have id_rsa.pub, id_rsa, id_dsa, id_dsa.pub, known_hosts and identity files in ~.ssh.
This is where it fails out put from -vvvvv
debug1: read PEM private key done: type DSA
debug3: sign_and_send_pubkey
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: /usr/local/home/.ssh/id_rs a
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: /usr/local/home/.ssh/id_ds a
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
This is my sshd_config
"sshd_config" [Read only] 98 lines, 2550 characters
# $OpenBSD: sshd_config,v 1.65 2003/08/28 12:54:34 markus Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sb in:/sbin:/ usr/local/ bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
#Port 22
#Protocol 2,1
#Changed by MED 26/4/2004
Protocol 2
ListenAddress (Remote IP here)
#ListenAddress ::
# HostKey for protocol version 1
#HostKey /usr/local/etc/ssh_host_ke y
# HostKeys for protocol version 2
#HostKey /usr/local/etc/ssh_host_rs a_key
#HostKey /usr/local/etc/ssh_host_ds a_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768
# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in /usr/local/etc/ssh_known_h osts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthenti cation yes
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCreds yes
# Set this to 'yes' to enable PAM authentication (via challenge-response)
# and session processing. Depending on your PAM configuration, this may
# bypass the setting of 'PasswordAuthentication'
#UsePAM yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
# no default banner path
#Banner /some/path
# override default of no subsystems
Subsystem sftp /usr/local/libexec/sftp-se rver
Rgds
Matt
The output from the ssh -vvvvv was extremely useful, the keypass is looking for private keys in an 'identity' file. I catted id_rsa and id_dsa into identity and I got prompted for the passphrase - a step forward, however this fails and it moves on to password authentication. So I now have the private keys in idntity and public keys in authorized_keys in ~.ssh on the remote machine. On the local machine I have id_rsa.pub, id_rsa, id_dsa, id_dsa.pub, known_hosts and identity files in ~.ssh.
This is where it fails out put from -vvvvv
debug1: read PEM private key done: type DSA
debug3: sign_and_send_pubkey
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: /usr/local/home/.ssh/id_rs
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: /usr/local/home/.ssh/id_ds
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
This is my sshd_config
"sshd_config" [Read only] 98 lines, 2550 characters
# $OpenBSD: sshd_config,v 1.65 2003/08/28 12:54:34 markus Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sb
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
#Port 22
#Protocol 2,1
#Changed by MED 26/4/2004
Protocol 2
ListenAddress (Remote IP here)
#ListenAddress ::
# HostKey for protocol version 1
#HostKey /usr/local/etc/ssh_host_ke
# HostKeys for protocol version 2
#HostKey /usr/local/etc/ssh_host_rs
#HostKey /usr/local/etc/ssh_host_ds
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768
# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in /usr/local/etc/ssh_known_h
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthenti
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCreds yes
# Set this to 'yes' to enable PAM authentication (via challenge-response)
# and session processing. Depending on your PAM configuration, this may
# bypass the setting of 'PasswordAuthentication'
#UsePAM yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
# no default banner path
#Banner /some/path
# override default of no subsystems
Subsystem sftp /usr/local/libexec/sftp-se
Rgds
Matt
If what I gave you does not work, kill you sshd, and relaunch one in debug mode :
sshd -d -D
sshd -d -D
# HostKey for protocol version 1
#HostKey /usr/local/etc/ssh_host_ke y
# HostKeys for protocol version 2
#HostKey /usr/local/etc/ssh_host_rs a_key
#HostKey /usr/local/etc/ssh_host_ds a_key
you should uncomment the host keys settings. Your ssh Server thus SSHD does not has a key specified because they are all commented.
You need a key pair on the client side but also on the server side.
ssh-keygen -t rsa1 -f /usr/local/etc/ssh_host_ke y -N ""
ssh-keygen -t rsa -f /usr/local/etc/ssh_host_rs a_key -N ""
ssh-keygen -t dsa -f /usr/local/etc/ssh_host_ds a_key -N ""
do above commands to generate your sshd keys and then uncomment the section I pasted on top
Then it will work
#HostKey /usr/local/etc/ssh_host_ke
# HostKeys for protocol version 2
#HostKey /usr/local/etc/ssh_host_rs
#HostKey /usr/local/etc/ssh_host_ds
you should uncomment the host keys settings. Your ssh Server thus SSHD does not has a key specified because they are all commented.
You need a key pair on the client side but also on the server side.
ssh-keygen -t rsa1 -f /usr/local/etc/ssh_host_ke
ssh-keygen -t rsa -f /usr/local/etc/ssh_host_rs
ssh-keygen -t dsa -f /usr/local/etc/ssh_host_ds
do above commands to generate your sshd keys and then uncomment the section I pasted on top
Then it will work
ASKER
I've been off for a couple of days - thanks for the suggestions. However this is still not working. Where do I get the host key from in the following error message to add to known_hosts?
TG-A$ ssh TG-B
@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@@@@@@@ @@@@@@@@@@ @@@@@@@@@@ @@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@ @@@@@@@@@@ @@@@@@@@@@ @@@@@@@@@@ @@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
49:1c:fa:d3:65:cf:6b:99:0c :60:b7:ce: 17:91:a4:e f.
Please contact your system administrator.
Add correct host key in /.ssh/known_hosts to get rid of this message.
Offending key in /.ssh/known_hosts:3
RSA host key for tg-b has changed and you have requested strict checking.
Host key verification failed.
TG-A$
TG-A$ ssh TG-B
@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
49:1c:fa:d3:65:cf:6b:99:0c
Please contact your system administrator.
Add correct host key in /.ssh/known_hosts to get rid of this message.
Offending key in /.ssh/known_hosts:3
RSA host key for tg-b has changed and you have requested strict checking.
Host key verification failed.
TG-A$
ah this is because your key on the server has been changed.
Delete the known_host file in your .ssh directory on the client
Delete the known_host file in your .ssh directory on the client
NOOOOOO !
Don't delete the whole known_host file.
Just delete the TG-B line in this file.
Don't delete the whole known_host file.
Just delete the TG-B line in this file.
ASKER
The problem was creating keys as root in /.ssh and others as user in ~/.ssh (which the -vvvvv was telling me, only my brain wasn't listening!). After some fiddling keys round it's all working now. cheers.
I use RSA keys. and when I configure my keys I do in general
ssh-keygen -t rsa -b 1024
and then I save it to its defaults in general
I then copy my id_rsa.pub to authorized_keys
i do chmod 640 on authorized_keys and my pub and private key.
and this is my sshd_config
rotocol 2,1
Port 22
ListenAddress 169.42.108.191
HostKey /usr/local/etc/ssh_host_rs
HostKey /usr/local/etc/ssh_host_ds
AllowTcpForwarding yes
X11Forwarding yes
X11DisplayOffset 10
Banner /etc/issue
PrintMotd no
KeepAlive yes
SyslogFacility auth
LogLevel verbose
Ciphers aes128-cbc,blowfish-cbc,3d
MACS hmac-sha1,hmac-md5
ServerKeyBits 1024
KeyRegenerationInterval 3600
StrictModes yes
LoginGraceTime 60
PubkeyAuthentication yes
PermitEmptyPasswords no
PasswordAuthentication no
#PAMAuthenticationViaKBDIn
PermitRootLogin yes
Subsystem sftp /usr/lib/ssh/sftp-server
When I connect with putty I specify to use protocol 2 for unix I put this preference in ssh_config.
When you use dsa keys you need to place them in authorized_keys2
cheers