Shony

asked:
ssh login needs password despite authorization


I confirmed that the authorization and known-hosts information is complete on both hosts
(SuSE 8.2 and SuSE 9.0), and that the ssh config information is identical.
However, the direction to the Release 8.2 host always requires the password.
What else should I take into account?


"Good" shell communication:

> ssh -1v  1.2.3.4 ls
OpenSSH_3.5p1, SSH protocols 1.5/2.0, OpenSSL 0x0090609f
2414: debug1: Reading configuration data /etc/ssh/ssh_config
2414: debug1: Applying options for *
2414: debug1: Rhosts Authentication disabled, originating port will not be trusted.
2414: debug1: ssh_connect: needpriv 0
2414: debug1: Connecting to 1.2.3.4 [1.2.3.4] port 22.
2414: debug1: Connection established.
2414: debug1: identity file /home/user/.ssh/identity type 0
2414: debug1: Remote protocol version 1.99, remote software version OpenSSH_3.7.1p2
2414: debug1: match: OpenSSH_3.7.1p2 pat OpenSSH*
2414: debug1: Local version string SSH-1.5-OpenSSH_3.5p1
2414: debug1: Waiting for server public key.
2414: debug1: Received server public key (768 bits) and host key (1024 bits).
2414: debug1: Host '1.2.3.4' is known and matches the RSA1 host key.
2414: debug1: Found key in /home/user/.ssh/known_hosts:1
2414: debug1: Encryption type: 3des
2414: debug1: Sent encrypted session key.
2414: debug1: cipher_init: set keylen (16 -> 32)
2414: debug1: cipher_init: set keylen (16 -> 32)
2414: debug1: Installing crc compensation attack detector.
2414: debug1: Received encrypted confirmation.
2414: debug1: Trying RSA authentication with key '/home/user/.ssh/identity'
2414: debug1: Received RSA challenge from server.
2414: debug1: Sending response to host key RSA challenge.
2414: debug1: Remote: RSA authentication accepted.
2414: debug1: RSA authentication accepted by server.
2414: debug1: Sending command: ls
2414: debug1: Entering interactive session.
Desktop
Documents
......



"Bad" shell communication:

> ssh -1v 1.2.3.5 ls
OpenSSH_3.7.1p2, SSH protocols 1.5/2.0, OpenSSL 0.9.7b 10 Apr 2003
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 1.2.3.5 [1.2.3.5] port 22.
debug1: Connection established.
debug1: identity file /home/user/.ssh/identity type 0
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.5p1
debug1: match: OpenSSH_3.5p1 pat OpenSSH_3.2*,OpenSSH_3.3*,OpenSSH_3.4*,OpenSSH_3.5*
debug1: Local version string SSH-1.5-OpenSSH_3.7.1p2
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug1: Host '1.2.3.5' is known and matches the RSA1 host key.
debug1: Found key in /home/user/.ssh/known_hosts:8
debug1: Encryption type: 3des
debug1: Sent encrypted session key.
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: Trying RSA authentication with key '/home/user/.ssh/identity'
debug1: Server refused our key.
debug1: Doing challenge response authentication.
debug1: No challenge.
debug1: Doing password authentication.
user@1.2.3.5's password:
owensleftfoot

I would guess that the permissions on the identity file or the .ssh directory could be wrong. It's easy enough to find out though. Stop the sshd service on the server. On Red Hat or Fedora this would involve the command service sshd stop or /etc/init.d/sshd stop. I'm not sure on SuSE. Then run the server with the command sshd -d. This will prevent the server from going into the background when it starts. It will write all of its debugging info onto the terminal where you started it. Try to log in again from the client. The sshd debug window will tell you why it rejected the identity file.
You must use passphrases in order to not require the user to enter a password.
You must use something like
ssh-add
in order to store your passphrase in memory.

Is authorized_keys or authorized_keys2 in the /home/user/.ssh/ directory on the destination host? Do the .ssh directory and the files in it have the correct access flags (700 for the directory and 600 for the files)?

See also /var/log/auth.log for any error messages related to login.
One more thing:

.ssh/identity is probably a key for protocol version 1. I recommend using DSA or RSA keys (ssh-keygen -t dsa) for protocol version 2.
Shony

ASKER

With debugging the sshd I got the following information.
As to the ownership and modes, everything is the same as in the good direction!
Password still required.

Command on the local host is "ssh -1v 1.2.3.5 ls", as above.

authorized_keys (and authorized_keys2) file is provided.



4464: debug1: sshd version OpenSSH_3.5p1
4464: debug1: private host key: #0 type 0 RSA1
4464: debug1: read PEM private key done: type RSA
4464: debug1: private host key: #1 type 1 RSA
4464: debug1: read PEM private key done: type DSA
4464: debug1: private host key: #2 type 2 DSA
4464: debug1: Bind to port 22 on ::.
4464: Server listening on :: port 22.
4464: Generating 768 bit RSA key.
4464: RSA key generation complete.
4464: debug1: Server will not fork when running in debugging mode.
4464: Connection from ::ffff:1.2.3.5 port 54145
4464: debug1: Client protocol version 1.5; client software version OpenSSH_3.7.1p2
4464: debug1: match: OpenSSH_3.7.1p2 pat OpenSSH*
4464: debug1: Local version string SSH-1.99-OpenSSH_3.5p1
4464: debug1: Sent 768 bit server key and 1024 bit host key.
4464: debug1: Encryption type: 3des
4464: debug1: cipher_init: set keylen (16 -> 32)
4464: debug1: cipher_init: set keylen (16 -> 32)
4464: debug1: Received session key; encryption turned on.
4464: debug1: Installing crc compensation attack detector.
4464: debug1: Starting up PAM with username "user"
4464: debug1: PAM setting rhost to "remotebox.domain.net"
4464: debug1: Attempting authentication for user.
4464: debug1: temporarily_use_uid: 503/100 (e=0/0)
4464: debug1: trying public RSA key file /home/user/.ssh/authorized_keys
4464: Authentication refused: bad ownership or modes for directory /home/user
4464: debug1: restore_uid: 0/0
4464: Failed rsa for user from ::ffff:1.2.3.5 port 54145
4464: debug1: rcvd SSH_CMSG_AUTH_TIS
4464: Failed challenge-response for user from ::ffff:1.2.3.5 port 54145
...............
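The refusal in the sshd -d output above ("Authentication refused: bad ownership or modes for directory /home/user") comes from sshd's StrictModes check, which covers the home directory itself and not only .ssh and authorized_keys, the two paths the 700/600 advice earlier in the thread mentions. The following shell script is an added example, not code from the thread or from OpenSSH: it re-implements that check (each path must be owned by the user or root and must carry no group or world write bit) for a given home directory, and demonstrates it on a constructed temporary fake home, first group-writable like the failing host and then fixed to 0755 as the asker did. The function names path_is_secure and check_key_login_paths are assumptions of this example.

```shell
#!/bin/sh
# Added example: re-implement the ownership/mode test behind
# "Authentication refused: bad ownership or modes for directory ...".
# With StrictModes yes (the default) sshd walks from authorized_keys up to
# the home directory and refuses the key if any component is not owned by
# the user (or root) or is group- or world-writable.

# path_is_secure PATH USER: 0 if PATH passes the StrictModes test, else 1.
# Uses "ls -ld" so it runs on any POSIX system (stat flags differ by OS).
path_is_secure() {
    p=$1
    owner_wanted=$2
    set -- $(ls -ld "$p")   # e.g. drwxrwxr-x 2 user users 4096 ... (assumes no spaces in PATH)
    mode=$1
    owner=$3
    case $mode in
        ?????w????*) echo "bad modes for $p ($mode): group-writable"; return 1 ;;
        ????????w?*) echo "bad modes for $p ($mode): world-writable"; return 1 ;;
    esac
    if [ "$owner" != "$owner_wanted" ] && [ "$owner" != root ]; then
        echo "bad ownership for $p (owned by $owner, expected $owner_wanted or root)"
        return 1
    fi
    return 0
}

# check_key_login_paths HOME USER: test every path sshd inspects before it
# accepts a public key for USER; report all problems, return 1 if any.
check_key_login_paths() {
    home=$1
    user=$2
    rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"
            rc=1
            continue
        fi
        path_is_secure "$p" "$user" || rc=1
    done
    return $rc
}

# Constructed demonstration (no real account is touched): a fake home under a
# temporary directory, first with a group-writable home like the thread's
# failing host, then after the fix the asker applied (chmod 0755).
demo() {
    tmp=$(mktemp -d)
    me=$(id -un)
    fake_home=$tmp/home/user
    mkdir -p "$fake_home/.ssh"
    : > "$fake_home/.ssh/authorized_keys"
    chmod 0775 "$fake_home"
    chmod 0700 "$fake_home/.ssh"
    chmod 0600 "$fake_home/.ssh/authorized_keys"

    echo "--- home directory is 0775:"
    check_key_login_paths "$fake_home" "$me" && echo "key would be accepted" || echo "key would be refused"

    chmod 0755 "$fake_home"
    echo "--- home directory is 0755:"
    check_key_login_paths "$fake_home" "$me" && echo "key would be accepted" || echo "key would be refused"

    rm -rf "$tmp"
}

demo
```

Note that sshd's own rule is "not writable by group or others", so an authorized_keys file at 0644 passes while 0664 fails; the 700/600 recommendation in the thread is stricter than what sshd enforces, which is fine, but the home directory is the component people usually forget to check.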
SOLUTION
ttimonen

ASKER CERTIFIED SOLUTION
Shony

ASKER

Simple, but I didn't assume that ssh looks up the home dir too. Changed to "0755", ok.