SSH Key question

I have a network of 5 Linux boxes and one Solaris box. Account user1 is configured for no-password SSH login from all Linux boxes to the Solaris box.
When I look at .ssh/authorized_keys2 of user1 on Solaris, I don't see any reference to the 5 Linux boxes. I see two long lines. I expected to see an entry for all 5 boxes that can ssh into the Solaris box.

My questions are: how is user1 able to ssh into Solaris from all 5 boxes, and with box 7 (Linux) now online, how do I allow user1 to ssh into box 7 without a password from the other 5 Linux boxes? Please note that I cannot find any public keys in any of the .ssh folders of the 5 Linux boxes to place in box 7's user1 .ssh folder. And I don't want to create a new key on the 5 boxes as it will break the current connections to the Solaris box.

thanks.
mehranalmasi Asked:
Nopius Commented:
> rsync is the login account to the cvs server?
Yes. In rsync's home directory, .ssh/authorized_keys will be checked by the ssh daemon.

> I think in the article the SSH keys are created with the root account and if those keys are used in the rsync attempt, the rsync account password should not be asked for.
It doesn't matter under which account the ssh key was created. If you created it under the 'rsync' account, it should work.

> In other words, in the article I supplied the link to, ssh used root keys to log in; in your syntax, rsync keys are used.
Ok, let's follow this article.

>> 3 Test rsync
>> Next we test rsync on mirror.example.com. As root we do this:
>> mirror:
>> rsync -avz -e ssh someuser@server1.example.com:/var/www/ /var/www/

Here you SHOULD be asked for a password. For me this command didn't work; I used a double '-v' flag to find the problem:
rsync -v -avz -e ssh someuser@server1.example.com:/var/www/ /var/www/

then I found, that on remote server 'rsync' command not found in default path, so I used:
rsync -v --rsync-path=/opt/sfw/bin/rsync -avz -e ssh someuser@server1.example.com:/var/www/ /var/www/
From now on it's working, but asking for a password; that's ok. You will also see the 'ssh' command as it's invoked.

Next.
4 Create The Keys On mirror.example.com
>> Now we create the private/public key pair on mirror.example.com:
>> mirror:
>> (We do this as root!)
>> mkdir /root/rsync
>>  ssh-keygen -t dsa -b 2048 -f /root/rsync/mirror-rsync-key

Usually it's a bad idea to mirror from the root account, but since they recommend it, I do.

Now everything goes smoothly up to:

>> 6 Test rsync On mirror.example.com
>> Now we must test on mirror.example.com if we can mirror server1.example.com without being prompted for someuser's password. We do this:
>> mirror:
>> (We do this as root!)
>> rsync -avz --delete --exclude=**/stats --exclude=**/error --exclude=**/files/pictures -e "ssh -i /root/rsync/mirror-rsync-key" someuser@server1.example.com:/var/www/ /var/www/

As for me, there was 'rsync not found', which is fixed with the --rsync-path= flag, then
'rsync error: protocol version incompatibility', which is fixed by editing the 'checkrsync' script:
I've used:
/opt/sfw/bin/rsync\ --server*)

instead of:
rsync\ --server*)

Now synchronization is done with this command:
rsync -avvz --rsync-path=/opt/sfw/bin/rsync -e "ssh -i /root/rsync/mirror-rsync-key" someuser@server1.example.com:/var/www/ /var/www/
0
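The 'checkrsync' script whose case pattern is edited above is a forced-command wrapper: a key restricted with a command="..." option in authorized_keys makes sshd run that wrapper instead of whatever the client asked for, with the client's request available in SSH_ORIGINAL_COMMAND, and the wrapper execs rsync only if the request is an rsync server invocation. The following is an added example, not the howtoforge script and not code posted in this thread; it makes the same decision in Python, accepting the two program names from the two case patterns quoted above. The --server requirement and the shell-metacharacter check are assumptions about what such a wrapper should enforce, not something the thread states.

```python
import os
import shlex
from typing import List, Optional

# argv[0] values the wrapper accepts; the second is the Solaris path from the thread
ALLOWED_RSYNC = ("rsync", "/opt/sfw/bin/rsync")
# characters that would let a prefix match smuggle a second command past the check
SHELL_META = set(";&|`$<>\n")


def check_original_command(cmd: Optional[str]) -> Optional[List[str]]:
    """Return the argv to exec if cmd is 'rsync --server ...', else None.

    A bare prefix match like the shell pattern  rsync\\ --server*  also accepts
    'rsync --server . /tmp | sh'; the extra checks here refuse that."""
    if not cmd:
        return None                       # no command: an interactive login attempt
    if SHELL_META & set(cmd):
        return None                       # metacharacters never belong in an rsync argv
    try:
        argv = shlex.split(cmd)
    except ValueError:
        return None                       # unbalanced quotes
    if len(argv) < 2 or argv[0] not in ALLOWED_RSYNC or argv[1] != "--server":
        return None
    return argv


if __name__ == "__main__":
    # run as the forced command: exec rsync or exit non-zero, never a shell
    argv = check_original_command(os.environ.get("SSH_ORIGINAL_COMMAND"))
    if argv is None:
        raise SystemExit("rejected: not an rsync --server invocation")
    os.execvp(argv[0], argv)
```

Installed as the command= target of the mirror key, this is what turns "root can rsync without a password" into "root can only run rsync --server as someuser"; a key without such a restriction is a full shell login for whoever holds the private key.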
 
Gabriel Orozco (Solution Architect) Commented:
Maybe your Solaris has been configured to allow ssh without passwords, and user1 has no password.

Have you tried that from another IP?
0
 
mehranalmasi (Author) Commented:
Other users have to put in a password when using SSH to get into solaris.
0
 
Gabriel Orozco (Solution Architect) Commented:
This is good =)

Now I wonder where the piece of configuration is that lets users enter from certain IPs without a password.

maybe in /etc/ssh/sshd_config ?
0
 
mehranalmasi (Author) Commented:
The only line in /etc/ssh/sshd_config is
Subsystem   sftp   /usr/libexec/sftp-server

while in /etc/ssh I did:
>cat * | grep user1

with nothing returned.

If I am hearing that the only way for this to work is to have the public keys in authorized_keys2, maybe I am misunderstanding what is in Solaris' authorized_keys2.
Is there any way to verify what the authorized_keys2 file contains?
0
 
Nopius Commented:
authorized_keys on Solaris holds the user's public keys. You may log in to your Solaris from any box where the user specifies a private key matching a public key on Solaris.
Usually users have .ssh/id or .ssh/id_dsa or .ssh/id_rsa as private keys (in their home directories), but this is not a requirement.
Which private key is used on those 5 Linuxes (if not the standard one) is usually configured in the .ssh/config file or on the command line with the ssh -i flag.

If you'd like to allow all these users to connect to some other box, just copy .ssh/authorized_keys from Solaris to .ssh/authorized_keys on that box and set up appropriate file permissions (chmod 600 authorized_keys).


0
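Nopius's point, that the file holds keys rather than host names, can be checked directly. The following is an added example, not code posted in the thread: it decodes each line of an authorized_keys file into options, key type, key size, fingerprint and comment, and reports which entry a given client .pub line corresponds to. The sample file and client keys are constructed in the script with toy moduli (well-formed wire blobs, not usable keys); on the real systems you would feed it the contents of the Solaris authorized_keys2 and a client's id_dsa.pub, or the output of `ssh-keygen -y -f <private key>`, which prints the public half of a private key file.

```python
import base64
import hashlib
import struct
from typing import List, NamedTuple, Optional

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


class Entry(NamedTuple):
    options: str      # e.g. from="...",no-pty ; empty when absent
    ktype: str
    bits: Optional[int]
    fp_sha256: str    # the form ssh-keygen -l prints: SHA256:<base64, no padding>
    comment: str      # free text; the only place a host name ever appears
    blob: bytes

def ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def ssh_mpint(n: int) -> bytes:
    # big-endian two's complement; the spare byte keeps a high-bit value positive
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def read_string(blob: bytes, off: int):
    (n,) = struct.unpack_from(">I", blob, off)
    return blob[off + 4:off + 4 + n], off + 4 + n

def split_options(line: str):
    """Options end at the first whitespace outside double quotes."""
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            quoted = not quoted
        elif ch.isspace() and not quoted:
            return line[:i], line[i:].lstrip()
    return line, ""

def key_bits(blob: bytes):
    """(key type, size in bits) decoded from the wire-format public key blob."""
    ktype, off = read_string(blob, 0)
    ktype, fields = ktype.decode(), []
    while off < len(blob):
        field, off = read_string(blob, off)
        fields.append(field)
    if ktype == "ssh-rsa":                 # fields: e, n
        return ktype, int.from_bytes(fields[1], "big").bit_length()
    if ktype == "ssh-dss":                 # fields: p, q, g, y
        return ktype, int.from_bytes(fields[0], "big").bit_length()
    if ktype == "ssh-ed25519":
        return ktype, 256
    if ktype.startswith("ecdsa-sha2-nistp"):
        return ktype, int(ktype[-3:])
    return ktype, None

def parse_entry(line: str) -> Optional[Entry]:
    """One authorized_keys line -> Entry, or None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = ""
    if line.split(None, 1)[0] not in KEY_TYPES:   # leading field is an options list
        options, line = split_options(line)
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError("malformed authorized_keys entry: %r" % line)
    blob = base64.b64decode(parts[1], validate=True)
    ktype, bits = key_bits(blob)
    fp256 = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return Entry(options, ktype, bits, fp256, parts[2] if len(parts) == 3 else "", blob)

def parse_authorized_keys(text: str) -> List[Entry]:
    return [e for e in map(parse_entry, text.splitlines()) if e]

def find_matching(entries: List[Entry], pub_line: str) -> Optional[int]:
    """Index of the entry holding the same key as a client's .pub line. Only the
    blob is compared, which is what sshd matches on; options apply afterwards."""
    probe = parse_entry(pub_line)
    return next((i for i, e in enumerate(entries) if e.blob == probe.blob), None)

# --- constructed sample data: toy moduli, only the wire format is realistic ---
def rsa_pub(n: int, comment: str) -> str:
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint(n)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)

DSS_BLOB = (ssh_string(b"ssh-dss") + ssh_mpint((1 << 1023) | 1)
            + ssh_mpint((1 << 159) | 1) + ssh_mpint(2) + ssh_mpint(3))
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample file",
    rsa_pub((1 << 255) | 0x3039, "user1@linux1"),
    'from="10.0.0.0/24",no-pty ssh-dss %s user1@linux2' % base64.b64encode(DSS_BLOB).decode(),
])
CLIENT_PUB = rsa_pub((1 << 255) | 0x3039, "same key, different comment")
OTHER_PUB = rsa_pub((1 << 255) | 0x4242, "a key that is not authorized")

if __name__ == "__main__":
    keys = parse_authorized_keys(SAMPLE_AUTHORIZED_KEYS)
    for i, k in enumerate(keys):
        print(i, k.ktype, k.bits, k.fp_sha256, k.comment, k.options or "-")
    print("client key matches entry:", find_matching(keys, CLIENT_PUB))
```

Two lines in the Solaris file therefore mean two authorized keys, not two hosts: the five Linux boxes must be presenting one of those two, either because they share a private key or because it reaches them through an agent, as chedlin notes below. Run `ssh -v` from one of them and look for the "Offering public key" and "Authentication succeeded (publickey)" lines to see which key file is actually used.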
 
chedlin Commented:
It is also possible to provide access to the keys through chained ssh connections using ssh-agent.
0
 
mehranalmasi (Author) Commented:
Hi,
This problem is still causing me problems using the -i option. In this case I am trying to use rsync to keep two versions of CVS.
I run ssh-keygen -t dsa -b 2048 -f /root/rsync/mirror-key on the mirror server.
I move the public key to /home/rsync/.ssh/authorized_keys (600 permissions) on the cvs server.
When I run (as root) on mirror:
rsync --owner --perms --archive --verbose -r "ssh -i /root/rsync/mirror-key"  rsync@cvs.server.com:/home/cvsroot /home/cvs_rsync
it still asks for a password.
To verify, I do (as root) from mirror:
ssh -i /root/rsync/mirror-key rsync@cvs.server.com
I have to enter a password.
When I run with -v, it shows that it uses /root/rsync/mirror-key but still wants the password.

any ideas to help?

thanks.
0
 
mehranalmasi (Author) Commented:
Hi,
I forgot to mention that I have set this up with a tester user and no password. Connecting from the mirror to cvs as tester works and rsync works, but all ownerships are changed to the tester user.
0
 
Nopius Commented:
When you generated the secret key with 'ssh-keygen', did you use a password?
0
 
mehranalmasi (Author) Commented:
no!
0
 
Nopius Commented:
You forgot to put the ssh username when running rsync. Try this syntax:
rsync --owner --perms --archive --verbose -r "ssh -i /root/rsync/mirror-key -l rsync"  rsync@cvs.server.com:/home/cvsroot /home/cvs_rsync
0
 
mehranalmasi (Author) Commented:
Hi Nopius,
I think you missed the -e before ssh, so I did:
rsync --owner --perms --archive --verbose -r -e "ssh -i /root/rsync/mirror-key -l rsync"  rsync@cvs.server.com:/home/cvsroot /home/cvs_rsync

I get:
ssh: |: name or service not known.

Just to be sure, that is a pipe before the username you added, right?

Also, isn't rsync@cvs.server.com telling it what name to use for ssh?
0
 
Nopius Commented:
> Also, isn't rsync@cvs.server.com telling it what name to use for ssh?
Rsync accounts and shell accounts are different. Even in 'man rsync' you find ssh with the -l flag. It's a small 'L', not a capital 'I'.
0
 
Nopius Commented:
and not a pipe sign :-)
0
 
mehranalmasi (Author) Commented:
Ok, I tried with a lower case "L" and I get:

building file list ... link_stat ssh -i /root/rsync/mirror-key -l rsync : no such file or directory.

It seems like there is an error in where the -l is.

if there is any help, I used this site as a guide:

http://www.howtoforge.com/mirroring_with_rsync

thanks.
0
 
Nopius Commented:
I've just checked the same configuration. The only difference is in the command line (remove the user name from the target path).

rsync --owner --perms --archive --verbose -r -e "ssh -2 -i /root/rsync/mirror-key -l rsync" 10.x.x.x:/tmp /tmp/a

and it works.

If it doesn't:
1) Run ssh on the remote site in debug mode (ssh -D -d)
2) Check local file "/root/rsync/mirror-key" permissions (the current user and nobody else should be able to read it)
3) Check if 'rsync' command exists on remote site
0
 
Nopius Commented:
of course 'sshd -D -d' for debug, not 'ssh'
0
 
mehranalmasi (Author) Commented:
Looks like I have to do the ssh in debug mode on Tuesday.

First I need to make sure: in
"ssh -2 -i /root/rsync/mirror-key -l rsync", rsync is the login account to the cvs server?

When I try your suggestion I get the password prompt for the rsync account. If I put the password for rsync in, rsync works, but I don't think this is how the article was meant to work.
I think in the article the SSH keys are created with the root account and if those keys are used in the rsync attempt, the rsync account password should not be asked for.
If I replace rsync with root at the end of "ssh -2 -i /root/rsync/mirror-key -l rsync", SSH asks for the root password and when I enter it, rsync works.

In other words, in the article I supplied the link to, ssh used root keys to log in; in your syntax, rsync keys are used.

am I correct?
0
 
Nopius Commented:
P.S. I was also using one Linux box, and the other is Solaris 10.
Linux was a "mirror", Solaris was a "server".
0
 
mehranalmasi (Author) Commented:
Hi Nopius,
After going over the setup AGAIN, I noticed that in my last setup of keys I had root as the owner of authorized_keys on the cvs server. After changing the ownership to rsync, the suggested syntax in the linked material worked.
Thanks so much for staying with me throughout this long troubleshooting. Not feeling alone in dealing with things like this is very helpful in itself, let alone all the technical help!
0
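The root cause found above, a root-owned authorized_keys in the rsync account's home, is the kind of failure sshd only explains in its debug output. As an added example, not code from the thread, the following Python applies the rules OpenSSH's sshd uses to decide whether to trust a user's authorized_keys under StrictModes (the default): the file, its directory and the home directory must be owned by that user or by root and must not be group- or world-writable (the secure_filename() check), and because sshd opens the file with the user's own credentials, it must also be readable by that user, which a root-owned file with the 600 permissions mentioned earlier in this thread is not. The fixture in run_demo() is built in a temporary directory; the uid+1 case stands in for "the same files, viewed as a different account", since the script cannot chown to root.

```python
import os
import shutil
import stat
import tempfile
from typing import Iterable, List


def readable_by(st: os.stat_result, uid: int, gids: Iterable[int]) -> bool:
    """Could a process running as uid (member of gids) open this file for reading?"""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in set(gids):
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def strict_modes_problems(home: str, uid: int, gids: Iterable[int] = (),
                          keyfile: str = ".ssh/authorized_keys") -> List[str]:
    """Reasons sshd would refuse the user's key file; an empty list means it passes."""
    problems = []
    path = os.path.join(home, keyfile)
    if not os.path.isfile(path):
        return ["%s: missing or not a regular file" % path]
    st = os.stat(path)
    if not readable_by(st, uid, gids):
        problems.append("%s: not readable by uid %d (owner uid %d, mode %o)"
                        % (path, uid, st.st_uid, stat.S_IMODE(st.st_mode)))
    home = os.path.realpath(home)
    cur = os.path.realpath(path)
    while True:   # the file, then each parent directory up to and including $HOME
        st = os.stat(cur)
        if st.st_uid not in (0, uid):
            problems.append("%s: owned by uid %d, not uid %d or root" % (cur, st.st_uid, uid))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append("%s: group/world writable (mode %o)" % (cur, stat.S_IMODE(st.st_mode)))
        parent = os.path.dirname(cur)
        if cur == home or parent == cur:
            break
        cur = parent
    return problems


def run_demo() -> dict:
    """Constructed fixture: a fake home in a temp dir, checked in three states."""
    root = tempfile.mkdtemp(prefix="strictmodes-")
    try:
        home = os.path.join(root, "rsync")
        ssh_dir = os.path.join(home, ".ssh")
        keyfile = os.path.join(ssh_dir, "authorized_keys")
        os.makedirs(ssh_dir)
        with open(keyfile, "w") as f:
            f.write("# constructed: the permission check never parses keys\n")
        os.chmod(home, 0o755)
        os.chmod(ssh_dir, 0o700)
        os.chmod(keyfile, 0o600)
        me, groups = os.getuid(), os.getgroups()
        results = {"correct": strict_modes_problems(home, me, groups)}
        # the same files as seen by a different account: what the rsync user saw
        # while root owned its authorized_keys
        results["wrong_owner"] = strict_modes_problems(home, me + 1)
        os.chmod(keyfile, 0o666)
        results["world_writable"] = strict_modes_problems(home, me, groups)
        return results
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for state, found in run_demo().items():
        print("%-15s %s" % (state + ":", found or "OK"))
```

Pointing strict_modes_problems() at the real home directory of the target account, with that account's uid and groups, gives the same verdict a `sshd -d` run would, without restarting the daemon; copying authorized_keys between hosts as root, as done in this thread, is exactly how the wrong-owner state arises.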
 
Nopius Commented:
mehranalmasi: thank you. I think that's why the EE community was created :-)
0