ssh connection without password prompt.

Posted on 2005-05-11
Last Modified: 2013-12-04
Hi,
I'm trying to configure ssh to log in without any password on the same Sun Unix box. Assuming the box name is infodev and the OS user is informat, the following line should work without prompting for the password, but it does not.

infodev:/apps/informatica/.ssh> ssh -v infodev date

Below is the output of the above command:

OpenSSH_3.8p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7d 17 Mar 2004            
debug1: Reading configuration data /usr/local/etc/ssh_config                
debug1: Connecting to infodev [129.202.27.241] port 22.                      
debug1: Connection established.                                              
debug1: identity file /apps/informatica/.ssh/identity type -1                
debug1: identity file /apps/informatica/.ssh/id_rsa type -1                  
debug1: identity file /apps/informatica/.ssh/id_dsa type 2                  
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.8p1  
debug1: match: OpenSSH_3.8p1 pat OpenSSH*                                    
debug1: Enabling compatibility mode for protocol 2.0                        
debug1: Local version string SSH-2.0-OpenSSH_3.8p1                          
debug1: SSH2_MSG_KEXINIT sent                                                
debug1: SSH2_MSG_KEXINIT received                                            
debug1: kex: server->client aes128-cbc hmac-md5 none                        
debug1: kex: client->server aes128-cbc hmac-md5 none                        
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent                    
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP                                  
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent                                        
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY                                  
debug1: Host 'infodev' is known and matches the RSA host key.                
debug1: Found key in /apps/informatica/.ssh/known_hosts:1                    
debug1: ssh_rsa_verify: signature correct                                    
debug1: SSH2_MSG_NEWKEYS sent                                                
debug1: expecting SSH2_MSG_NEWKEYS                                          
debug1: SSH2_MSG_NEWKEYS received                                            
debug1: SSH2_MSG_SERVICE_REQUEST sent                                          
debug1: SSH2_MSG_SERVICE_ACCEPT received                                        
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey                                  
debug1: Trying private key: /apps/informatica/.ssh/identity                    
debug1: Trying private key: /apps/informatica/.ssh/id_rsa                      
debug1: Offering public key: /apps/informatica/.ssh/id_dsa                      
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: keyboard-interactive                        
debug1: Authentications that can continue: publickey,password,keyboard-interacte
debug1: Next authentication method: password                                    
informat@infodev's password:                                                    


Any help on this is greatly appreciated. The permissions of .ssh directory and authorized_keys file are set as below:
-rwxrwxr-x   1 informat users        605 May 11 11:13 authorized_keys*

Thanks,
sathiyakum.
0
Question by:sathiyakum
21 Comments
 
LVL 48

Expert Comment

by:Tintin
ID: 13983388
How did you create your ssh key?

Perms on the .ssh directory should be 700 and 600 on authorized keys.  Some ssh servers are less fussy on permissions depending on what settings they are using.
0
 
LVL 38

Expert Comment

by:yuzh
ID: 13983445
You need to make sure .ssh is NOT group/world writable; the ssh client (server) doesn't let you use the keys if it is group/world readable (the known_hosts file can be readable by anyone!).
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 13984123
are you using keys or password login?

for keys you need to ensure that on both sides ~/.ssh is owned by the proper user and has permission 700 or 500, same applies to key and known_hosts file in there: 600 or 400

And take care that ~/.ssh is not symlinked somehow (some ssh versions are really picky)
0
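The permission advice in the comments above, as an added example that is not from any poster: a POSIX shell audit approximating the ownership and write-bit checks sshd applies to the home directory, ~/.ssh and authorized_keys when StrictModes is enabled. The function names are hypothetical, and the demo layout is constructed to match the mode 775 authorized_keys shown in the question.

```shell
#!/bin/sh
# Added example: approximates the file checks sshd makes under "StrictModes yes".
# A path fails if it is group- or other-writable, or owned by anyone other
# than the account or root.

# check_path PATH UID: print a finding and return 1 if PATH fails
check_path() {
    p=$1; uid=$2; rc=0
    [ -e "$p" ] || { echo "MISSING  $p"; return 1; }
    # keep only the mode string and the numeric owner from ls
    set -- $(ls -ldn "$p" | awk '{print $1, $3}')
    mode=$1; owner=$2
    if [ "$owner" != "$uid" ] && [ "$owner" != 0 ]; then
        echo "OWNER    $p (uid $owner)"; rc=1
    fi
    # characters 6 and 9 of the mode string are the group/other write bits
    case $(printf '%s' "$mode" | cut -c6,9) in
        *w*) echo "WRITABLE $p ($mode)"; rc=1 ;;
    esac
    return $rc
}

# audit_ssh_perms HOME [UID]: return the number of failing paths
audit_ssh_perms() {
    home=$1; uid=${2:-$(id -u)}; bad=0
    for f in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        check_path "$f" "$uid" || bad=$((bad + 1))
    done
    return $bad
}

# Constructed layout reproducing the question's mode-775 authorized_keys.
demo_question_layout() {
    d=$(mktemp -d) || return 99
    mkdir "$d/.ssh" && : > "$d/.ssh/authorized_keys"
    chmod 755 "$d"; chmod 700 "$d/.ssh"; chmod 775 "$d/.ssh/authorized_keys"
    n=0; audit_ssh_perms "$d" || n=$?
    rm -rf "$d"
    return $n
}
```

Run `audit_ssh_perms /apps/informatica` as the account owner to check the layout from the question; a non-zero return is the number of paths that failed.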
 

Author Comment

by:sathiyakum
ID: 13987517
Still not working. I am using keys. Below are the steps I followed:

1. Generate the keys using ssh-keygen. I've used an empty passphrase.
bsed24:/apps/informatica> ssh-keygen -t dsa

2. Copy the contents of id_dsa.pub to authorized_keys
bsed24:/apps/informatica> cat id_dsa.pub > authorized_keys

3. Changed the permissions as below:
bsed24:/apps/informatica> ls -ld .ssh                      
drwx------   2 informat users         96 May 11 11:13 .ssh/

bsed24:/apps/informatica/.ssh> ls -lrt                              
total 8                                                              
-rw-------   1 informat users        605 May 11 11:11 id_dsa.pub    
-rw-------   1 informat users        668 May 11 11:11 id_dsa        
-rw-------   1 informat users        605 May 11 11:13 authorized_keys
-rw-------   1 informat users        451 May 11 11:14 known_hosts    

bsed24:/apps/informatica> ssh infodev date  
informat@infodev's password:                
Thu May 12 11:12:52 EDT 2005                

Any help is greatly appreciated.

Thanks,
sathiyakum.

0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 13990917
silly question: did you add the id_dsa.pub to the remote server's ~/.ssh/authorized_keys?
0
 

Author Comment

by:sathiyakum
ID: 13991015
infodev is not remote server. It is localhost. Wouldn't the line "bsed24:/apps/informatica> cat id_dsa.pub > authorized_keys" do it OR perhaps I did not understand ahoffmann's question right.



0
 
LVL 48

Expert Comment

by:Tintin
ID: 13992264
Going back a few steps, why do you want to do this?  It doesn't make any sense to ssh to the localhost as the same user.
0
 
LVL 38

Expert Comment

by:yuzh
ID: 13992585
>>It doesn't make any sense to ssh to the localhost as the same user.

If you want to use ssh login without passwd between different boxes, have a look at the
instructions in the following docs:

http://pirlwww.lpl.arizona.edu/user_notes/user_notes.cgi?id=86
http://docsun.cites.uiuc.edu/sun_docs/C/solaris_9/SUNWaadm/SYSADV6/p45.html
http://linuxproblem.org/art_9.html
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 13994106
> cat id_dsa.pub > authorized_keys" do it OR perhaps I did not understand ahoffmann's question right.
yes you didn't get it right. Or do you mean that you used localhost as remote server?
id_dsa.pub has to be in authorized_keys on the *remote* server
0
 
LVL 48

Expert Comment

by:Tintin
ID: 14013312
Which all leads back to my last question.  Why would you want to ssh to the localhost as the same user?  I can't think of any sane reason for doing this.
0
 

Author Comment

by:sathiyakum
ID: 14013435
I want to use ssh to localhost itself for the following reason:

I want to run "ssh  <username>@<localhost> <command>"  without typing a password. Username could be same user or different user but the command has to be run with the corresponding user's profile.

I was not successful with sudo or su as I couldn't find a way to run the command without typing a password. That's why I went with ssh  option.

Would the passwordless ssh option work for running commands? If so, are there any drawbacks? I am still not successful with the above-mentioned ssh command. Any thoughts?

Thanks,
Kumaran.
0
 
LVL 38

Accepted Solution

by:
yuzh earned 400 total points
ID: 14015479
You can use:

su - usrname -c "command"
you run command as usrname and use his/her login ENV
man su

Using sudo with the above command also works.
0
 
LVL 48

Assisted Solution

by:Tintin
Tintin earned 400 total points
ID: 14015623
OK, now we know the real problem.  

What you *really* want to do is set up sudo.

It's easy to set up sudo to not need a password.  You just need an entry like:

informat ALL =  NOPASSWD: /usr/bin/kill
0
 
LVL 7

Assisted Solution

by:XoF
XoF earned 400 total points
ID: 14026364
back to ssh:

> debug1: Trying private key: /apps/informatica/.ssh/identity                    
> debug1: Trying private key: /apps/informatica/.ssh/id_rsa                      
> debug1: Offering public key: /apps/informatica/.ssh/id_dsa

well, it seems as if ssh cannot find the private key.
Did you try that one:
infodev:/apps/informatica/.ssh> ssh -v -i id_dsa infodev date
?

HTH,

-XoF-
0
 
LVL 51

Assisted Solution

by:ahoffmann
ahoffmann earned 400 total points
ID: 14027739
start sshd -d and see what it tells you when you try to connect again
0
 
LVL 18

Assisted Solution

by:decoleur
decoleur earned 400 total points
ID: 14065139
I was able to configure a root level user to use ssh to rsync with another machine without entering a password by changing the sshd config to "PermitRootLogin forced-commands-only"
and adding to the start of the key in the authorized hosts file the origin and a simple file that defines the allowed commands.

# cat authorized_keys
from="origin.domain.net",command="/home/user/.ssh/validate-rsync" ssh-dss AAAAB3...

where validate-rsync looks like:
# cat validate-rsync

#!/bin/sh

case "$SSH_ORIGINAL_COMMAND" in
        *\&*)
                echo "Rejected"
                ;;
        *\;*)
                echo "Rejected"
                ;;
        rsync\ --server*)
                $SSH_ORIGINAL_COMMAND
                ;;
        *)
                echo "Rejected"
                ;;
esac

and the files are set up as
# ls -l
total 8
-rw-------  1 root user 1186 Jan  5 11:38 authorized_keys
-rwxr-xr-x  1 root user  323 Jan  5 11:38 validate-rsync

When I try to just ssh using this configuration I get a request for a password, which will get denied, because I am using a limited use root account, but if I try to tunnel the rsync over ssh it works without a password.

I think your issue is with your sshd config, is the user you are trying to connect with in the wheel group or have root access?

Also you might want to try PermitRootLogin Yes in sshd_config and see what that does.

Hope this Helps.

-t
0
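A stricter take on the forced-command wrapper from the post above, as an added example that is not decoleur's script: it refuses an empty command, fails with a non-zero status instead of only printing "Rejected", rejects more shell metacharacters, and disables glob expansion before running the client-supplied words. The function names and the `--enforce` switch are hypothetical; like the original, it still accepts any arguments after `rsync --server`, so it does not confine which paths rsync may touch.

```shell
#!/bin/sh
# Added example, not decoleur's script: a stricter forced-command validator.
# decide_command prints "allow" or "reject:<reason>" and returns 0 or 1, so
# the policy can be exercised without executing anything.
decide_command() {
    cmd=$1
    nl='
'
    [ -n "$cmd" ] || { echo "reject:no command (interactive login)"; return 1; }
    case $cmd in
        *"$nl"*)
            echo "reject:embedded newline"; return 1 ;;
        *'&'*|*';'*|*'|'*|*'<'*|*'>'*|*'`'*|*'$'*|*'('*|*')'*)
            echo "reject:shell metacharacter"; return 1 ;;
        "rsync --server "*)
            echo "allow"; return 0 ;;
        *)
            echo "reject:not an rsync server invocation"; return 1 ;;
    esac
}

# Entry point when installed as the command="..." target in authorized_keys.
run_forced_command() {
    if reason=$(decide_command "${SSH_ORIGINAL_COMMAND:-}"); then
        set -f                       # no glob expansion of client-supplied words
        exec $SSH_ORIGINAL_COMMAND   # word-split only, never eval
    fi
    echo "Rejected ($reason)" >&2
    exit 1
}

# "--enforce" is this example's own switch (hypothetical), so that loading
# the file for testing does not run the entry point.
if [ "${1:-}" = "--enforce" ]; then
    run_forced_command
fi
```

With this in place of the posted script, the authorized_keys entry would read `command="/home/user/.ssh/validate-rsync --enforce"`.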
 
LVL 18

Expert Comment

by:decoleur
ID: 14065167
your authorized_keys file has to be in the .ssh directory, here is what happens when I duplicate your process:

[user@monitor ~]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_dsa.
Your public key has been saved in /home/user/.ssh/id_dsa.pub.
The key fingerprint is:
09:...:e5 user@monitor.mydomain.net
[user@monitor ~]$ cd .ssh/
[user@monitor .ssh]$ ls
authorized_keys  id_dsa  id_dsa.pub  known_hosts
[user@monitor .ssh]$ cat id_dsa.pub >>authorized_keys
[user@monitor .ssh]$ ssh monitor date
Mon May 23 21:42:21 EDT 2005

I hit enter twice to avoid the passphrase.

HTH,

-t
0
 
LVL 18

Expert Comment

by:decoleur
ID: 14190901
-XoF- had it, you are trying to use cert based authentication without identifying what cert you want to use.

you need to identify the relevant key for the user@machine by using the -i flag with the /path/to/private/key

so in your case you would need to type:

infodev:/apps/informatica/.ssh> ssh infodev -i /path/to/private/key date

HTH

-t
0
 
LVL 62

Expert Comment

by:gheist
ID: 14303005
Is there any suspicious setting for AuthorizedKeysFile in /etc/ssh/sshd_config ???

At "05/12/2005 08:21AM PDT" you have it all set up very well...
0
 
LVL 18

Expert Comment

by:decoleur
ID: 15685283
interested
0
 
LVL 62

Expert Comment

by:gheist
ID: 15686542
Did you get a working situation back, or are you still trying to find magic curses to make it work?
0
