Solved

ssh login needs password despite authorization

Posted on 2004-08-23
Last Modified: 2009-12-16

I confirmed that authorization and known-hosts information is complete on both hosts
(SuSE 8.2 and SuSE 9.0), and that the ssh config information is identical.
However, the direction to the Release 8.2 host always requires the password.
What else should I take into account?


"Good" shell communication:

> ssh -1v  1.2.3.4 ls
OpenSSH_3.5p1, SSH protocols 1.5/2.0, OpenSSL 0x0090609f
2414: debug1: Reading configuration data /etc/ssh/ssh_config
2414: debug1: Applying options for *
2414: debug1: Rhosts Authentication disabled, originating port will not be trusted.
2414: debug1: ssh_connect: needpriv 0
2414: debug1: Connecting to 1.2.3.4 [1.2.3.4] port 22.
2414: debug1: Connection established.
2414: debug1: identity file /home/user/.ssh/identity type 0
2414: debug1: Remote protocol version 1.99, remote software version OpenSSH_3.7.1p2
2414: debug1: match: OpenSSH_3.7.1p2 pat OpenSSH*
2414: debug1: Local version string SSH-1.5-OpenSSH_3.5p1
2414: debug1: Waiting for server public key.
2414: debug1: Received server public key (768 bits) and host key (1024 bits).
2414: debug1: Host '1.2.3.4' is known and matches the RSA1 host key.
2414: debug1: Found key in /home/user/.ssh/known_hosts:1
2414: debug1: Encryption type: 3des
2414: debug1: Sent encrypted session key.
2414: debug1: cipher_init: set keylen (16 -> 32)
2414: debug1: cipher_init: set keylen (16 -> 32)
2414: debug1: Installing crc compensation attack detector.
2414: debug1: Received encrypted confirmation.
2414: debug1: Trying RSA authentication with key '/home/user/.ssh/identity'
2414: debug1: Received RSA challenge from server.
2414: debug1: Sending response to host key RSA challenge.
2414: debug1: Remote: RSA authentication accepted.
2414: debug1: RSA authentication accepted by server.
2414: debug1: Sending command: ls
2414: debug1: Entering interactive session.
Desktop
Documents
......



"Bad" shell communication:

> ssh -1v 1.2.3.5 ls
OpenSSH_3.7.1p2, SSH protocols 1.5/2.0, OpenSSL 0.9.7b 10 Apr 2003
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 1.2.3.5 [1.2.3.5] port 22.
debug1: Connection established.
debug1: identity file /home/user/.ssh/identity type 0
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.5p1
debug1: match: OpenSSH_3.5p1 pat OpenSSH_3.2*,OpenSSH_3.3*,OpenSSH_3.4*,OpenSSH_3.5*
debug1: Local version string SSH-1.5-OpenSSH_3.7.1p2
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug1: Host '1.2.3.5' is known and matches the RSA1 host key.
debug1: Found key in /home/user/.ssh/known_hosts:8
debug1: Encryption type: 3des
debug1: Sent encrypted session key.
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: Trying RSA authentication with key '/home/user/.ssh/identity'
debug1: Server refused our key.
debug1: Doing challenge response authentication.
debug1: No challenge.
debug1: Doing password authentication.
user@1.2.3.5's password:
Question by:Shony
9 Comments
 
LVL 17

Expert Comment

by:owensleftfoot
ID: 11873149
I would guess that the permissions on the identity file or the .ssh directory could be wrong. It's easy enough to find out though. Stop the sshd service on the server. On Red Hat or Fedora this would involve the command service sshd stop or /etc/init.d/sshd stop. I'm not sure on SuSE. Then run the server with the command sshd -d. This will prevent the server from going into the background when it starts. It will write all of its debugging info onto the terminal where you started it. Try to log in again from the client. The sshd debug window will tell you why it rejected the identity file.
0
 
LVL 1

Expert Comment

by:master_chris
ID: 11877715
You must use passphrases in order not to require the user to enter a password.
You must use something like
ssh-add
in order to store your passphrase in memory.

0
 
LVL 1

Expert Comment

by:master_chris
ID: 11878029
0
 
LVL 1

Expert Comment

by:ttimonen
ID: 11882739
Is authorized_keys or authorized_keys2 in the /home/user/.ssh/ directory on the destination host? Do the .ssh directory and the files in there have the correct access flags (700 for the directory and 600 for files)?

See also /var/log/auth.log if there are some error-messages related to login.
0
 
LVL 1

Expert Comment

by:ttimonen
ID: 11882780
One more thing,

.ssh/identity is probably a key for protocol version 1. I recommend using dsa or rsa keys (ssh-keygen -t dsa) for protocol version 2.
0
 

Author Comment

by:Shony
ID: 11883832
With debugging the sshd I got the following information.
As to the ownership and modes, everything is the same as in the good direction!
Password still required.

Command on the local host is "ssh -1v 1.2.3.5 ls", as above.

authorized_keys (and authorized_keys2) file is provided.



4464: debug1: sshd version OpenSSH_3.5p1
4464: debug1: private host key: #0 type 0 RSA1
4464: debug1: read PEM private key done: type RSA
4464: debug1: private host key: #1 type 1 RSA
4464: debug1: read PEM private key done: type DSA
4464: debug1: private host key: #2 type 2 DSA
4464: debug1: Bind to port 22 on ::.
4464: Server listening on :: port 22.
4464: Generating 768 bit RSA key.
4464: RSA key generation complete.
4464: debug1: Server will not fork when running in debugging mode.
4464: Connection from ::ffff:1.2.3.5 port 54145
4464: debug1: Client protocol version 1.5; client software version OpenSSH_3.7.1p2
4464: debug1: match: OpenSSH_3.7.1p2 pat OpenSSH*
4464: debug1: Local version string SSH-1.99-OpenSSH_3.5p1
4464: debug1: Sent 768 bit server key and 1024 bit host key.
4464: debug1: Encryption type: 3des
4464: debug1: cipher_init: set keylen (16 -> 32)
4464: debug1: cipher_init: set keylen (16 -> 32)
4464: debug1: Received session key; encryption turned on.
4464: debug1: Installing crc compensation attack detector.
4464: debug1: Starting up PAM with username "user"
4464: debug1: PAM setting rhost to "remotebox.domain.net"
4464: debug1: Attempting authentication for user.
4464: debug1: temporarily_use_uid: 503/100 (e=0/0)
4464: debug1: trying public RSA key file /home/user/.ssh/authorized_keys
4464: Authentication refused: bad ownership or modes for directory /home/user
4464: debug1: restore_uid: 0/0
4464: Failed rsa for user from ::ffff:1.2.3.5 port 54145
4464: debug1: rcvd SSH_CMSG_AUTH_TIS
4464: Failed challenge-response for user from ::ffff:1.2.3.5 port 54145
...............
0
 
LVL 1

Assisted Solution

by:ttimonen
ttimonen earned 125 total points
ID: 11886052
There is probably a group or others write permission on your home directory.
0
 
LVL 17

Accepted Solution

by:
owensleftfoot earned 125 total points
ID: 11890020
It's definitely a permissions problem. What does the output of ls -l /home give you (I'm only looking for the permissions for /home/usr/).
0
 

Author Comment

by:Shony
ID: 11952241
Simple, but I didn't assume that ssh looks up the home dir too. Changed to "0755", ok.
0
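
The check behind the "bad ownership or modes for directory /home/user" refusal in the sshd debug output above, as an added example that is not part of the original thread and not OpenSSH's own code: with StrictModes enabled, sshd rejects a key file when the file or any directory from it up to the home directory is owned by someone other than the user or root, or is group- or world-writable. The function names and the default key file path are assumptions for illustration; unlike sshd, this diagnostic reports every offending path instead of stopping at the first.

```shell
#!/bin/sh
# Added example: approximates sshd's StrictModes ownership/mode check on the
# path from authorized_keys up to the user's home directory.

# check_one PATH UID: prints a finding and returns 1 if PATH is missing,
# owned by neither UID nor root, or writable by group or others.
check_one() {
    target=$1 uid=$2
    # ls -ldnL is POSIX: field 1 is the mode string, field 3 the numeric owner
    line=$(ls -ldnL -- "$target" 2>/dev/null) || { echo "missing: $target"; return 1; }
    mode=$(printf '%s\n' "$line" | awk '{print $1}')
    owner=$(printf '%s\n' "$line" | awk '{print $3}')
    gw=$(printf '%s' "$mode" | cut -c6)   # group write bit
    ow=$(printf '%s' "$mode" | cut -c9)   # other write bit
    if [ "$owner" != "$uid" ] && [ "$owner" != 0 ]; then
        echo "bad ownership: $target (uid $owner)"; return 1
    fi
    if [ "$gw" = w ] || [ "$ow" = w ]; then
        echo "bad modes: $target ($mode)"; return 1
    fi
    return 0
}

# check_key_path HOME UID [KEYFILE]: walks from the key file up to HOME
# (inclusive) and returns 1 if any component fails check_one.
check_key_path() {
    home=${1%/} uid=$2
    p=${3:-$home/.ssh/authorized_keys}
    rc=0
    while :; do
        check_one "$p" "$uid" || rc=1
        [ "$p" = "$home" ] && break
        parent=$(dirname -- "$p")
        [ "$parent" = "$p" ] && break    # reached / without meeting HOME
        p=$parent
    done
    return $rc
}

# Usage: sh thisfile /home/user 503
if [ "$#" -ge 2 ]; then
    check_key_path "$@"
fi
```

Run it on the server side as root or as the affected user; a clean result for `.ssh` and `authorized_keys` alongside a finding for the home directory reproduces the situation in this thread.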
