Solved

ssh no-passphrase works for one user, but not another.

Posted on 2004-10-06
759 Views
Last Modified: 2008-01-09
Hi,

Trying to set up 'passwordless' logins.  I can get them to work for one user, but not another.  On the same box.
The output from ssh -vvv  (included below) says it can't figure out the key type and doesn't like something about the key format, too much whitespace among other things.  But it works for the other user, using exactly the same sequence.

I'm stumped.  Any hints appreciated.

---------------------------------------------------------------------------

I'm first attempting on a single box named mm04.

1. Gen the key

mm04$ ssh-keygen -t rsa -C"thomson"
Generating public/private rsa key pair.
Enter file in which to save the key (/home/thomson/.ssh/id_rsa):
Enter passphrase (empty for no passphrase): <cr>
Enter same passphrase again: <cr>
Your identification has been saved in /home/thomson/.ssh/id_rsa.
Your public key has been saved in /home/thomson/.ssh/id_rsa.pub.
The key fingerprint is:
6a:23:1f:c0:5e:60:4f:28:09:87:46:f9:d0:ba:ef:6f thomson

mm04$ ls
id_rsa       id_rsa.pub   known_hosts

2.  do authorized_keys

mm04$ cp id_rsa.pub authorized_keys

3.  Now try to do a passwordless ssh to the same machine

mm04$ ssh mm04
The authenticity of host 'mm04 (10.70.1.54)' can't be established.
RSA key fingerprint is e9:64:e6:e4:c8:89:16:60:45:ea:d2:e0:79:bb:1b:a1.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'mm04,10.70.1.54' (RSA) to the list of known hosts.
Last login: Wed Oct  6 18:52:35 2004 from 10.70.1.99

mm04$

Works.  Very kewl.

-------------------------------------

Now to do the next user:

1.  gen the key:

mm04[pspy]> ssh-keygen -t rsa -C"pspy"
Generating public/private rsa key pair.
Enter file in which to save the key (/home/pspy/.ssh/id_rsa):
Enter passphrase (empty for no passphrase): <cr>
Enter same passphrase again: <cr>
Your identification has been saved in /home/pspy/.ssh/id_rsa.
Your public key has been saved in /home/pspy/.ssh/id_rsa.pub.
The key fingerprint is:
39:31:99:ee:92:70:77:a3:c4:8c:c3:cb:ab:2d:71:e1 pspy
mm04[pspy]>

2.  set up authorized_keys:

mm04[pspy]> ls -la
total 18
drwx--l---   2 pspy     spec         512 Oct  6 18:46 ./
drwxrwsr-x  14 pspy     spec        4608 Oct  6 18:43 ../
-rw-------   1 pspy     spec         883 Oct  6 18:44 id_rsa
-rw-r--r--   1 pspy     spec         214 Oct  6 18:44 id_rsa.pub
-rw-r--r--   1 pspy     spec         458 Oct  6 14:41 known_hosts
mm04[pspy]> cp id_rsa.pub authorized_keys
mm04[pspy]>

mm04[pspy]> ls -la
total 20
drwx--l---   2 pspy     spec         512 Oct  6 18:46 ./
drwxrwsr-x  14 pspy     spec        4608 Oct  6 18:47 ../
-rw-r--r--   1 pspy     spec         214 Oct  6 18:46 authorized_keys
-rw-------   1 pspy     spec         883 Oct  6 18:44 id_rsa
-rw-r--r--   1 pspy     spec         214 Oct  6 18:44 id_rsa.pub
-rw-r--r--   1 pspy     spec         458 Oct  6 14:41 known_hosts
mm04[pspy]>

OK, should work now.

mm04[pspy]> ssh mm04
pspy@mm04's password:

Rats.  Still asking for a password.

--------------------------------------------------------


mm04[pspy]> ssh -vvv mm04
OpenSSH_3.7.1p2, SSH protocols 1.5/2.0, OpenSSL 0.9.7b 10 Apr 2003
debug1: Reading configuration data /usr/local/etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to mm04 [10.70.1.54] port 22.
debug1: Connection established.
debug3: Not a RSA1 key file /home/pspy/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/pspy/.ssh/id_rsa type 1
debug1: identity file /home/pspy/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.7.1p2
debug1: match: OpenSSH_3.7.1p2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.7.1p2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 120/256
debug2: bits set: 516/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /home/pspy/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 2
debug3: check_host_in_hostfile: filename /home/pspy/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 2
debug1: Host 'mm04' is known and matches the RSA host key.
debug1: Found key in /home/pspy/.ssh/known_hosts:2
debug2: bits set: 503/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/pspy/.ssh/id_rsa (67180)
debug2: key: /home/pspy/.ssh/id_dsa (0)
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list publickey,password,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/pspy/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Trying private key: /home/pspy/.ssh/id_dsa
debug3: no such identity: /home/pspy/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: userauth_kbdint: disable: no info_req_seen
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred:
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
pspy@mm04's password:


--------------------------------------------------------
sshd_config:


#       $OpenBSD: sshd_config,v 1.65 2003/08/28 12:54:34 markus Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

Port 22
Protocol 2
AllowTCPForwarding yes
X11Forwarding yes
HostKey /usr/local/etc/ssh/ssh_host_rsa_key
HostKey /usr/local/etc/ssh/ssh_host_dsa_key


#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /usr/local/etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /usr/local/etc/ssh/ssh_host_dsa_key
#HostKey /usr/local/etc/ssh/ssh_host_rsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile     .ssh/authorized_keys

# For this to work you will also need host keys in /usr/local/etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCreds yes

# Set this to 'yes' to enable PAM authentication (via challenge-response)
# and session processing. Depending on your PAM configuration, this may
# bypass the setting of 'PasswordAuthentication'
#UsePAM yes

#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem       sftp    /usr/local/libexec/sftp-server

-------------------------------------------

ssh_config:

#       $OpenBSD: ssh_config,v 1.19 2003/08/13 08:46:31 markus Exp $

# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for various options

Host *
        Port 22
        Protocol 2
        ForwardX11 yes

# Host *
#   ForwardAgent no
#   ForwardX11 no
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   Port 22
#   Protocol 2,1
#   Cipher 3des
#   Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
#   EscapeChar ~




Question by:amlp
8 Comments
 
LVL 5

Expert Comment

by:Anonymouslemming
ID: 12382062
Please, can you cat the failing user's authorized_keys file and show the output here.

Also, as a rule, authorized_keys should be permission 600
0
 

Expert Comment

by:perlgirl
ID: 12711891
Hi,
I went through a similar situation a while back.
I noticed later that the ssh version on the two systems was different.
I installed the latest openssh client and started using DSA keys.
After that it's worked well for me ever since.

-perlgirl
0
 

Author Comment

by:amlp
ID: 13009849
Hi.

Apologies for neglecting this question... there wasn't any response for long enough that I figured everyone else was stumped too.

On the destination computer, the failing user:

mm04[pspy]> ls
authorized_keys   known_hosts
mm04[pspy]> cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA2zl16kWmzHsLU17bArcyJJis+rmAP3dMFLtxwt0fUipvialw7MHqXYy079s38Bef7UXGq4xhZHwa7TQnqIb2evOfvxkbWTl0plZaCv80H7pPJ0PPts/0AlmTahjpPx/VvS6vdm81cnMAvbLGZO80FxFgPLq7BIEFdnfjaGBTLtE= pspy

perlgirl:  I'll try DSA then, and get back to here.

Thanks again.
0
 

Author Comment

by:amlp
ID: 13009998
OK, tried DSA, no change.  Still wants a password.

The command was 'ssh-keygen -t dsa' and I hit return at the prompts.

Changed the permissions on authorized_keys (on both the RSA and DSA tries) to 0600, no change.  Still wants a password.

Changed login shells to match (Solaris likes ksh for some silly ancient reason).  No change.
0
 

Author Comment

by:amlp
ID: 13097391
More info:

I'm detecting a pattern:  Users that I create have no problem with the key handshaking.  Users created before I came along have the problem.

So, I'm assuming there's environmental differences.  But how do I find out what the relevant differences are?

0
 

Author Comment

by:amlp
ID: 13102378
OK, solved.

The OpenSSH key exchange does not like the parent home directory (/home/username) to be g+rw.  It doesn't 'trust' the key in that case.

Two solutions.

The right solution is to chmod go-w /home/username.

Sometimes that's not possible, so the second-best solution is, in

/etc/sshd/sshd_config:

StrictModes no

0
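A small check, added here as an example and not taken from amlp's posts or from OpenSSH itself, that emulates the StrictModes test sshd applies before trusting authorized_keys: the home directory, ~/.ssh and ~/.ssh/authorized_keys must each be owned by the user (or root) and must not be writable by group or others. It assumes a POSIX sh with ls -ld and cut; the function name strictmodes_check is made up.

```shell
#!/bin/sh
# strictmodes_check HOME [USER]  (hypothetical helper, not sshd's own code)
# Emulates the sshd StrictModes test: HOME, HOME/.ssh and
# HOME/.ssh/authorized_keys must exist, be owned by USER or root, and
# must not be writable by group or others. Prints the first problem
# found and returns 1; returns 0 when everything passes.
strictmodes_check() {
    home=$1
    owner=${2:-$(id -un)}
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"; return 1
        fi
        # ls -ld is portable: field 1 is the mode string, field 3 the owner
        set -- $(ls -ld "$p")
        mode=$1; fowner=$3
        if [ "$fowner" != "$owner" ] && [ "$fowner" != root ]; then
            echo "bad owner $fowner on $p (expected $owner or root)"; return 1
        fi
        # characters 6 and 9 of the mode string are the group and other
        # write bits, e.g. drwxrwsr-x (the poster's home dir) has 'w' at 6
        gw=$(printf '%s' "$mode" | cut -c6)
        ow=$(printf '%s' "$mode" | cut -c9)
        if [ "$gw" = w ] || [ "$ow" = w ]; then
            echo "writable by group or others: $p ($mode)"; return 1
        fi
    done
    echo "ok: $home passes the StrictModes checks"
    return 0
}

# Stand-alone use: sh strictmodes_check.sh /home/pspy pspy
if [ $# -gt 0 ]; then
    strictmodes_check "$1" "$2"
fi
```

Against the ls -la listing in the question, /home/pspy shows as drwxrwsr-x, so the check flags the group-write bit that chmod go-w /home/pspy removes, while the ~/.ssh directory and authorized_keys themselves pass.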
 

Accepted Solution

by: CetusMOD earned 0 total points
ID: 16238488
PAQed with points refunded (500)

CetusMOD
Community Support Moderator
0
