Solved

SSH Key question

Posted on 2006-05-10
Last Modified: 2010-04-20
I have a network of 5 Linux boxes and one Solaris box. Account user1 is configured for passwordless SSH login from all linux boxes to the solaris box.
When I look at .ssh/authorized_keys2 of user1 on solaris, I don't see any reference to the 5 linux boxes. I see two long lines. I expected to see an entry for each of the 5 boxes that can ssh into the solaris box.

Questions are: how is user1 able to ssh into solaris from all 5 boxes, and, with box 7 (linux) now online, how do I allow user1 to ssh into box 7 without a password from the other 5 linux boxes? Please note that I cannot find any public keys in any of the .ssh folders of the 5 linux boxes to place in box 7's user1 .ssh folder. And I don't want to create new keys on the 5 boxes as it will break the current connections to the solaris box.

thanks.
Question by:mehranalmasi

22 Comments
 
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 16653706
Maybe your solaris has been configured to allow ssh without passwords, and user1 has no password.

Have you tried that from another IP?



 

Author Comment

by:mehranalmasi
ID: 16653773
Other users have to put in a password when using SSH to get into solaris.
 
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 16653864
This is good =)

Now I wonder where the piece of configuration is that lets users enter from certain IPs without a password.

Maybe in /etc/ssh/sshd_config?

Author Comment

by:mehranalmasi
ID: 16653907
The only line in /etc/ssh/sshd_config is
Subsystem   sftp   /user/libeexec/sftp-server

while in /etc/ssh I did:
>cat * | grep user1

with nothing returned.

If I am hearing that the only way for this to work is to have the public keys in authorized_keys2, maybe I am misunderstanding what is in solaris' authorized_keys2.
Is there any way to verify what the authorized_keys2 file contains?
 
LVL 27

Expert Comment

by:Nopius
ID: 16655740
authorized_keys on Solaris holds the user's public keys. You may log in to your solaris from any box where the user specifies the private key matching a public key on solaris.
Usually users have .ssh/id or .ssh/id_dsa or .ssh/id_rsa as private keys (in home directories), but this is not a requirement.
Which private key is used on those 5 Linuxes (if not standard) is usually configured in the .ssh/config file or on the command line with the ssh -i flag.

If you want to allow all these users to connect to some other box, just copy .ssh/authorized_keys from solaris to .ssh/authorized_keys on that box and set up appropriate file permissions (chmod 600 authorized_keys).


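What the Solaris authorized_keys2 file actually holds can be checked rather than guessed. The script below is an added example, not code posted in this thread: it parses an OpenSSH authorized_keys file the way sshd reads it (an optional options field, the key type, the base64 blob, a free-text comment) and reports which keys one host has that another lacks, which is exactly the box 7 question. The sample file it writes is constructed for the demonstration; the key blobs are placeholders, not real keys.

```shell
#!/bin/sh
# Added example, not from the thread: read an OpenSSH authorized_keys file
# the way sshd does, so the "two long lines" in the question can be seen for
# what they are: two *user* public keys, not two host entries. A key line is
#     [options] key-type base64-blob [comment]
# and nothing in it names the client host; any machine holding the matching
# private key can use it. Needs only sh and awk.

# Write a constructed sample (the base64 blobs are placeholders, not real keys).
make_sample_authorized_keys() {
  cat > "$1" <<'EOF'
# user1's keys on the solaris box (constructed sample)
ssh-dss AAAAB3NzaC1kc3MAAACBAPlaceholderDssBlobNotARealKey== user1@linuxbox1
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCPlaceholderRsaBlobNotARealKey== user1@linuxbox2
from="10.0.0.0/24",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCPlaceholderRestricted== backup@mirror
EOF
}

# One line per key: <key type> <comment> <options>, with "-" where a field is absent.
summarize_authorized_keys() {
  awk '
    NF == 0 || $1 ~ /^#/ { next }                 # blank lines and comments
    {
      type = ""
      for (i = 1; i <= NF; i++)                   # the type is the first field that looks like one
        if ($i ~ /^(ssh-|ecdsa-|sk-)/) { type = $i; break }
      if (type == "") { print "unparsed: " $0; next }
      opts = "-"                                  # everything before the type is the options field
      if (i > 1) { opts = $1; for (j = 2; j < i; j++) opts = opts " " $j }
      comment = "-"                               # everything after the blob is the free-text comment
      if (NF >= i + 2) { comment = $(i + 2); for (j = i + 3; j <= NF; j++) comment = comment " " $j }
      print type, comment, opts
    }' "$1"
}

# Number of parseable key lines in a file.
count_authorized_keys() {
  summarize_authorized_keys "$1" | awk '!/^unparsed:/ { n++ } END { print n + 0 }'
}

# Keys present in $1 but absent from $2, matched on the base64 blob alone so a
# differing comment does not hide a key that is already installed. This answers
# "what still has to be copied from the solaris box to box 7".
missing_keys() {
  awk -v dst="$2" '
    function blob(    i) {
      for (i = 1; i < NF; i++) if ($i ~ /^(ssh-|ecdsa-|sk-)/) return $(i + 1)
      return ""
    }
    NF == 0 || $1 ~ /^#/ { next }
    FILENAME == dst { seen[blob()] = 1; next }   # first pass: what the destination already has
    !(blob() in seen)                             # second pass: print what is missing
  ' "$2" "$1"
}

# Demo: what user1's file on solaris contains, and what box 7 still lacks.
tmp=$(mktemp -d)
make_sample_authorized_keys "$tmp/solaris_authorized_keys"
summarize_authorized_keys "$tmp/solaris_authorized_keys"
: > "$tmp/box7_authorized_keys"                  # box 7 starts with no keys
missing_keys "$tmp/solaris_authorized_keys" "$tmp/box7_authorized_keys"
rm -rf "$tmp"
```

Run against the real files, `missing_keys /export/home/user1/.ssh/authorized_keys2 box7_copy` prints the lines that still need appending on box 7; since entries are per key rather than per host, two lines on the Solaris side means the five Linux boxes share at most two private keys among them.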
 
LVL 2

Expert Comment

by:chedlin
ID: 16713588
It is also possible to provide access to the keys through chained ssh connections using ssh-agent
 

Author Comment

by:mehranalmasi
ID: 16765624
Hi,
this problem is still causing me problems using the -i option. In this case I am trying to use rsync to keep two versions of CVS.
I run ssh-keygen -t dsa -b 2048 -f /root/rsync/mirror-key on mirror server.
I move the public key to /home/rsync/.ssh/authorized_keys (600 permissions) of the cvs server.
when I run (as root) on mirror:
rsync --owner --perms --archive --verbose -r "ssh -i /root/rsync/mirror-key"  rsync@cvs.server.com:/home/cvsroot /home/cvs_rsync
it still asks for password.
To verify I do (as root) from mirror:
ssh -i /root/rsync/mirror-key rsync@cvs.server.com
I have to enter password.
When I run with -v, it shows that it uses the /root/rsync/mirror-key but still wants the password.

any ideas to help?

thanks.
 

Author Comment

by:mehranalmasi
ID: 16765631
Hi,
I forgot to mention that I have set this up with a tester user and no password. Connecting from the mirror to cvs as tester and rsync works, but all ownerships are changed to the tester user.
 
LVL 27

Expert Comment

by:Nopius
ID: 16765729
When you generated the secret key with 'ssh-keygen', did you use a password?
 

Author Comment

by:mehranalmasi
ID: 16766175
no!
 
LVL 27

Expert Comment

by:Nopius
ID: 16766254
You forgot to put the ssh username when running rsync. Try this syntax:
rsync --owner --perms --archive --verbose -r "ssh -i /root/rsync/mirror-key -l rsync"  rsync@cvs.server.com:/home/cvsroot /home/cvs_rsync
 

Author Comment

by:mehranalmasi
ID: 16770400
Hi Nopius,
I think you missed the -e before ssh, so I did:
rsync --owner --perms --archive --verbose -r -e "ssh -i /root/rsync/mirror-key -l rsync"  rsync@cvs.server.com:/home/cvsroot /home/cvs_rsync

I get:
ssh: |: name or service not known.

Just to be sure, that is a pipe before the username you added, right?

also, isn't rsync@cvs.server.com telling what name to use for ssh?
 
LVL 27

Expert Comment

by:Nopius
ID: 16777379
> also, isn't rsync@cvs.server.com telling what name to use for ssh?
Rsync accounts and shell accounts are different. Even in 'man rsync' you find ssh with the -l flag. It's a small 'EL', not a capital 'i'.
 
LVL 27

Expert Comment

by:Nopius
ID: 16777383
and not a pipe sign :-)
 

Author Comment

by:mehranalmasi
ID: 16778168
Ok, I tried with lowercase "L" and I get:

building file list ... link_stat ssh -i /root/rsync/mirror-key -l rsync : no such file or directory.

It seems like there is an error in where the -l is.

If it is any help, I used this site as a guide:

http://www.howtoforge.com/mirroring_with_rsync

thanks.
 
LVL 27

Expert Comment

by:Nopius
ID: 16778274
I just checked the same configuration. The only difference is in the command line (remove the user name from the target path).

rsync --owner --perms --archive --verbose -r -e "ssh -2 -i /root/rsync/mirror-key -l rsync" 10.x.x.x:/tmp /tmp/a

and it works.

If it doesn't:
1) Run ssh on the remote site in debug mode (ssh -D -d)
2) Check local file "/root/rsync/mirror-key" permissions (the current user and nobody else is able to read it)
3) Check if the 'rsync' command exists on the remote site
 
LVL 27

Expert Comment

by:Nopius
ID: 16778280
of course 'sshd -D -d' for debug, not 'ssh'
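The client-side counterpart to `sshd -d` is `ssh -v`, which the asker has already run: it shows the key being used and the password still being asked for, and the trick is telling those two facts apart. The script below is an added example, not code from this thread. It reads `ssh -v` output and classifies it as key accepted, key offered but refused by the server, key file not loaded on the client, or no key offered at all. The three sample sessions are constructed for the demonstration, modelled on OpenSSH's `debug1:` messages, and are not captures from the hosts discussed here.

```shell
#!/bin/sh
# Added example, not from the thread: triage of client-side "ssh -v" output.
# The sample sessions below are constructed (modelled on OpenSSH debug1 lines),
# not captured from the mirror or cvs hosts in the thread.

# Read ssh -v output on stdin and print one verdict.
classify_ssh_debug() {
  awk '
    # "identity file X type -1" means the -i file could not be loaded; the
    # companion "X-cert type -1" line is printed for every key and is harmless.
    /identity file .* type -1/ && !/-cert type -1/ { missing = 1 }
    /no such identity:/                            { missing = 1 }
    /Offering public key:/                         { offered = 1 }
    /Server accepts key/                           { accepted = 1 }
    /Authentication succeeded \(publickey\)/       { accepted = 1 }
    /Next authentication method: (password|keyboard-interactive)/ { fell_back = 1 }
    END {
      if (accepted)                  print "key-accepted"
      else if (missing)              print "key-file-not-loaded"      # fix the -i path or its permissions on the client
      else if (offered && fell_back) print "key-offered-but-rejected" # server side: authorized_keys content, owner, modes
      else                           print "no-key-offered"           # the client never attempted public-key auth
    }'
}

# Constructed sample: the key is offered, the server ignores it, ssh falls
# back to asking for a password. This is the asker's symptom.
sample_rejected() {
  cat <<'EOF'
debug1: identity file /root/rsync/mirror-key type 2
debug1: identity file /root/rsync/mirror-key-cert type -1
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /root/rsync/mirror-key
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password
EOF
}

# Constructed sample: the server accepts the offered key.
sample_accepted() {
  cat <<'EOF'
debug1: Offering public key: /root/rsync/mirror-key
debug1: Server accepts key: pkalg ssh-dss blen 433
debug1: Authentication succeeded (publickey).
EOF
}

# Constructed sample: the -i file could not be read, so nothing was offered.
sample_missing() {
  cat <<'EOF'
debug1: identity file /root/rsync/mirror-key type -1
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Next authentication method: password
EOF
}

# Demo over the three constructed sessions. For a live run:
#   ssh -v -i /root/rsync/mirror-key -l rsync cvs.server.com true 2>&1 | classify_ssh_debug
for s in sample_accepted sample_rejected sample_missing; do
  printf '%s: %s\n' "$s" "$("$s" | classify_ssh_debug)"
done
```

A "key-offered-but-rejected" verdict means the client did its part and the problem is on the server: the public key is not in that user's authorized_keys, or sshd refused the file. In the `sshd -d` run Nopius suggests, the latter shows up as "Authentication refused: bad ownership or modes for file ...", which is what a root-owned authorized_keys in another user's home produces.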
 

Author Comment

by:mehranalmasi
ID: 16779475
Looks like I have to do the ssh in debug mode on Tuesday.

First I need to make sure: in
"ssh -2 -i /root/rsync/mirror-key -l rsync", rsync is the login account to the cvs server?

When I try your suggestion I get the password prompt for the rsync account. If I put the password for rsync in, rsync works, but I don't think this is how the article was meant to work.
I think in the article the SSH keys are created with the root account, and if those keys are used in the rsync attempt, the rsync account password should not be asked for.
If I replace rsync with root at the end of "ssh -2 -i /root/rsync/mirror-key -l rsync", SSH asks for the root password and when I enter it, rsync works.

In other words, in the article I supplied the link to, ssh used root keys to log in; in your syntax, rsync keys are used.

Am I correct?
 
LVL 27

Accepted Solution

by:Nopius earned 1000 total points
ID: 16781259
> rsync is the login account to the cvs server?
Yes. The .ssh/authorized_keys in rsync's home directory will be checked by the ssh daemon.

> I think in the article the SSH keys are created with the root account, and if those keys are used in the rsync attempt, the rsync account password should not be asked for.
It doesn't matter under which account the ssh key was created. If you created it under the 'rsync' account, it should work.

> in other words, in the article I supplied the link to, ssh used root keys to log in; in your syntax, rsync keys are used.
Ok, let's follow this article.

>> 3 Test rsync
>> Next we test rsync on mirror.example.com. As root we do this:
>> mirror:
>> rsync -avz -e ssh someuser@server1.example.com:/var/www/ /var/www/

Here you SHOULD be asked for a password. For me this command didn't work; I used a double '-v' flag to find the problem:
rsync -v -avz -e ssh someuser@server1.example.com:/var/www/ /var/www/

Then I found that on the remote server the 'rsync' command is not found in the default path, so I used:
rsync -v --rsync-path=/opt/sfw/bin/rsync -avz -e ssh someuser@server1.example.com:/var/www/ /var/www/
From then on it's working, but asking for a password; that's ok. You will also see the 'ssh' command as it's invoked.

Next.
>> 4 Create The Keys On mirror.example.com
>> Now we create the private/public key pair on mirror.example.com:
>> mirror:
>> (We do this as root!)
>> mkdir /root/rsync
>>  ssh-keygen -t dsa -b 2048 -f /root/rsync/mirror-rsync-key

Usually it's a bad idea to mirror from the root account, but they recommend it, so I do.

Now everything goes smoothly until:

>> 6 Test rsync On mirror.example.com
>> Now we must test on mirror.example.com if we can mirror server1.example.com without being prompted for someuser's password. We do this:
>> mirror:
>> (We do this as root!)
>> rsync -avz --delete --exclude=**/stats --exclude=**/error --exclude=**/files/pictures -e "ssh -i /root/rsync/mirror-rsync-key" someuser@server1.example.com:/var/www/ /var/www/

As for me, there was 'rsync not found', which is fixed with the --rsync-path= flag, then
'rsnc error: protocol version incompatibility', which is fixed by editing the 'checkrsync' script:
I used:
/opt/sfw/bin/rsync\ --server*)

instead of:
rsync\ --server*)

Now synchronization is done with this command:
rsync -avvz --rsync-path=/opt/sfw/bin/rsync -e "ssh -i /root/rsync/mirror-rsync-key" someuser@server1.example.com:/var/www/ /var/www/
 
LVL 27

Expert Comment

by:Nopius
ID: 16781267
P.S. I was also using one Linux and the other is Solaris 10.
Linux was a "mirror", Solaris was a "server".
 

Author Comment

by:mehranalmasi
ID: 16782417
Hi Nopius,
After going over the setup AGAIN, I noticed that in my last setup of keys I had root as the owner of authorized_keys on the cvs server. After changing the ownership to rsync, the suggested syntax in the linked material worked.
Thanks so much for staying with me throughout this long troubleshooting. Not feeling alone in dealing with things like this is very helpful in itself, let alone all the technical help!
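The fix that ended the thread, changing the owner of authorized_keys from root to rsync, is one of a small set of file checks sshd applies before it trusts a key file. The script below is an added example, not code from the thread, that runs those checks the way an administrator would before the next round of `sshd -d`: sshd opens `~/.ssh/authorized_keys` while running as the login user, and with StrictModes (the default) it refuses the home directory, `~/.ssh` and the file itself if any is group- or world-writable or not owned by that user. StrictModes tolerates root ownership, but a root-owned mode-600 file is then unreadable to the user, so key authentication silently gives way to the password prompt either way. It uses `ls -ld` rather than `stat`, whose flags differ between Linux and Solaris.

```shell
#!/bin/sh
# Added example, not from the thread: the ownership and mode checks sshd
# (StrictModes) performs on the path to authorized_keys, plus the readability
# problem a root-owned 0600 file causes. Uses only ls(1) and awk, so it runs
# unchanged on Linux, Solaris and the BSDs.
#
# Usage: check_authorized_keys_chain /export/home/rsync rsync

# Owner name and permission string of a path, as printed by ls -ld.
path_owner() { ls -ld "$1" | awk '{ print $3 }'; }
path_perms() { ls -ld "$1" | awk '{ print $1 }'; }

# Return 0 if $1 exists, is owned by $2 and is writable by nobody else;
# otherwise print why and return 1.
check_strict_mode_path() {
  smp_path=$1 smp_user=$2 smp_rc=0
  if [ ! -e "$smp_path" ]; then
    echo "$smp_path: does not exist"
    return 1
  fi
  smp_owner=$(path_owner "$smp_path")
  smp_perms=$(path_perms "$smp_path")
  if [ "$smp_owner" != "$smp_user" ]; then
    # root-owned counts as a failure here on purpose: sshd reads the file as
    # $smp_user, and a root-owned 0600 file is unreadable to that user.
    echo "$smp_path: owned by $smp_owner, expected $smp_user"
    smp_rc=1
  fi
  # characters 6 and 9 of "-rwxrwxrwx" are the group and other write bits
  smp_gw=$(printf '%s' "$smp_perms" | cut -c6)
  smp_ow=$(printf '%s' "$smp_perms" | cut -c9)
  case "$smp_gw$smp_ow" in
    "--") ;;
    *)    echo "$smp_path: mode $smp_perms is group- or world-writable"; smp_rc=1 ;;
  esac
  return $smp_rc
}

# Walk the chain sshd checks for user $2 whose home directory is $1:
# the home directory, ~/.ssh and ~/.ssh/authorized_keys.
check_authorized_keys_chain() {
  cak_home=$1 cak_user=$2 cak_rc=0
  for cak_p in "$cak_home" "$cak_home/.ssh" "$cak_home/.ssh/authorized_keys"; do
    check_strict_mode_path "$cak_p" "$cak_user" || cak_rc=1
  done
  if [ $cak_rc -eq 0 ]; then
    echo "ok: $cak_user can be authenticated from $cak_home/.ssh/authorized_keys"
  fi
  return $cak_rc
}
```

Run it on the cvs server as `check_authorized_keys_chain "$(eval echo ~rsync)" rsync` before and after a `chown`; the thread's final state (root-owned file in rsync's home) fails the owner check, and a `chmod 660` or a group-writable home directory fails the mode check. Note that the Solaris file in the original question is named authorized_keys2, a name older OpenSSH still reads alongside authorized_keys; the same checks apply to it.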
 
LVL 27

Expert Comment

by:Nopius
ID: 16787982
mehranalmasi: thank you. I think that's why the EE community was created :-)

Question has a verified solution.