Solved

SSH access without password

Posted on 2004-04-26
11
5,902 Views
Last Modified: 2013-12-27
Hi

I'm trying to set up SSH (I'm using protocol 2) with key access between 2 solaris boxes so I don't require password verification. I have read a number of other questions from people trying to do the same thing, but mine still doesn't fly.

OK, So far I have
1, generated my keys
ssh-keygen -t dsa -f ~/.ssh/id_dsa
ssh-keygen -t rsa -f ~/.ssh/id_rsa

2, Copied the  id_dsa.pub and id_rsa.pub into a authorized_keys file (also tried calling this authorized_keys2) and put this on the remote box in ~/.ssh

3, Started the ssh-agent

4, Ran add-ssh, this failed the first time but seems to be ok now.

However when I come to ssh user@remotebox it still prompts me for a password, rather frustrating. Is there something I need to change in the sshd_config file? or add to the ~/.ssh/known_hosts file?

Thanks in advance.
Matt
0
Comment
Question by:matt_nz
  • 4
  • 4
  • 3
11 Comments
 
LVL 6

Expert Comment

by:bloemkool1980
ID: 10926348
Hi mat,

I use RSA keys. and when I configure my keys I do in general
ssh-keygen -t rsa -b 1024
and then I save it to its defaults in general
I then copy my id_rsa.pub to authorized_keys
i do chmod 640 on authorized_keys and my pub and private key.
and this is my sshd_config

rotocol 2,1
Port 22
ListenAddress 169.42.108.191
HostKey /usr/local/etc/ssh_host_rsa_key
HostKey /usr/local/etc/ssh_host_dsa_key
AllowTcpForwarding yes
X11Forwarding yes
X11DisplayOffset 10
Banner /etc/issue
PrintMotd no
KeepAlive yes
SyslogFacility auth
LogLevel verbose
Ciphers aes128-cbc,blowfish-cbc,3des-cbc
MACS    hmac-sha1,hmac-md5
ServerKeyBits 1024
KeyRegenerationInterval 3600
StrictModes yes
LoginGraceTime 60
PubkeyAuthentication yes
PermitEmptyPasswords no
PasswordAuthentication no
#PAMAuthenticationViaKBDInt yes
PermitRootLogin yes
Subsystem       sftp    /usr/lib/ssh/sftp-server

When I connect  with putty I specify to use protocol 2 for unix I put this preference in ssh_config.
When you use dsa keys you need to place them in authorized_keys2
cheers
0
 

Author Comment

by:matt_nz
ID: 10933758
This is basically what I have already done and it still prompts me for a password. Any more ideas?
0
 
LVL 6

Accepted Solution

by:
bloemkool1980 earned 100 total points
ID: 10936035
what is the client you use ?
And if it is a unix one paste your config file.
if u use the unix one do an ssh -vvvvv and look what error you get.
0
 
LVL 9

Expert Comment

by:Alf666
ID: 10943581
Have you checked the access rights on your .ssh directory and on your authorized_keys2 ?
You should :

cd ~
chmod 700 .ssh
chmod 400 .ssh/authorized_keys2

Of course, they should belong to you.
0
 

Author Comment

by:matt_nz
ID: 10943661
Hi - The machinces I am using run Solaris 8 on Sun v120's.

The output from the ssh -vvvvv was extremely useful, the keypass is looking for private keys in an 'identity' file. I catted id_rsa and id_dsa into identity and I got prompted for the passphrase - a step forward, however this fails and it moves on to password authentication. So I now have the private keys in idntity and public keys in authorized_keys in ~.ssh on the remote machine. On the local machine I have id_rsa.pub, id_rsa, id_dsa, id_dsa.pub, known_hosts and identity files in ~.ssh.

This is where it fails out put from -vvvvv

debug1: read PEM private key done: type DSA
debug3: sign_and_send_pubkey
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: /usr/local/home/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: /usr/local/home/.ssh/id_dsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password

This is my sshd_config

"sshd_config" [Read only] 98 lines, 2550 characters
#       $OpenBSD: sshd_config,v 1.65 2003/08/28 12:54:34 markus Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#Protocol 2,1
#Changed by MED 26/4/2004
Protocol 2
ListenAddress (Remote IP here)
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /usr/local/etc/ssh_host_key
# HostKeys for protocol version 2
#HostKey /usr/local/etc/ssh_host_rsa_key
#HostKey /usr/local/etc/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys

# For this to work you will also need host keys in /usr/local/etc/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCreds yes

# Set this to 'yes' to enable PAM authentication (via challenge-response)
# and session processing. Depending on your PAM configuration, this may
# bypass the setting of 'PasswordAuthentication'
#UsePAM yes

#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem       sftp    /usr/local/libexec/sftp-server

Rgds
Matt
0
Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

 
LVL 9

Expert Comment

by:Alf666
ID: 10943702
If what I gave you does not work, kill you sshd, and relaunch one in debug mode :

sshd -d -D
0
 
LVL 6

Expert Comment

by:bloemkool1980
ID: 10946419
# HostKey for protocol version 1
#HostKey /usr/local/etc/ssh_host_key
# HostKeys for protocol version 2
#HostKey /usr/local/etc/ssh_host_rsa_key
#HostKey /usr/local/etc/ssh_host_dsa_key

you should uncomment the host keys settings. Your ssh Server thus SSHD does not has a key specified because they are all commented.
You need a key pair on the client side but also on the server side.
ssh-keygen  -t rsa1 -f /usr/local/etc/ssh_host_key -N ""
ssh-keygen  -t rsa -f  /usr/local/etc/ssh_host_rsa_key -N ""
ssh-keygen  -t dsa -f /usr/local/etc/ssh_host_dsa_key -N ""
do above commands to generate your sshd keys and then uncomment the section I pasted on top
Then it will work
0
 

Author Comment

by:matt_nz
ID: 10982238
I've been off for a couple of days - thanks for the suggestions. However this is still not working. Where do I get the host key from in the following error message to add to known_hosts?

TG-A$ ssh TG-B
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
49:1c:fa:d3:65:cf:6b:99:0c:60:b7:ce:17:91:a4:ef.
Please contact your system administrator.
Add correct host key in /.ssh/known_hosts to get rid of this message.
Offending key in /.ssh/known_hosts:3
RSA host key for tg-b has changed and you have requested strict checking.
Host key verification failed.
TG-A$
0
 
LVL 6

Expert Comment

by:bloemkool1980
ID: 10984026
ah this is because your key on the server has been changed.
Delete the known_host file in your .ssh directory on the client
0
 
LVL 9

Expert Comment

by:Alf666
ID: 10985159
NOOOOOO !

Don't delete the whole known_host file.
Just delete the TG-B line in this file.
0
 

Author Comment

by:matt_nz
ID: 11027612
The problem was creating keys as root in /.ssh and others as user in ~/.ssh (which the -vvvvv was telling me, only my brain wasn't listening!). After some fiddling keys round it's all working now. cheers.
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Installing FreeBSD… FreeBSD is a darling of an operating system. The stability and usability make it a clear choice for servers and desktops (for the cunning). Savvy?  The Ports collection makes available every popular FOSS application and packag…
Introduction Regular patching is part of a system administrator's tasks. However, many patches require that the system be in single-user mode before they can be installed. A cluster patch in particular can take quite a while to apply if the machine…
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…
In a previous video, we went over how to export a DynamoDB table into Amazon S3.  In this video, we show how to load the export from S3 into a DynamoDB table.

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

25 Experts available now in Live!

Get 1:1 Help Now