Solved

openSSH on Red Hat 9 during non-interactive session

Posted on 2007-11-20
Last Modified: 2013-12-06
I am trying to run an ssh command w/ CronTab during a non-interactive session (of course).  The command runs fine during an interactive session but is denied permission when it is non-interactive.  I suspect it has something to do w/ what gets initially set up.   I believe that .bash_profile is set up but I am not totally sure.  The mail msg reads that the <SHELL=/bin/sh>. What can I do to ensure that the ssh runs the same non-interactively as it does interactively?  Not exactly sure what is going on here.  Thx much in advance.
Question by:akaodin
 
LVL 51

Expert Comment

by:ahoffmann
ID: 20326096
To run a shell non-interactively, e.g. from cron or at, you have to ensure that the shell's resource files (.profile, .cshrc, .login, .bashrc, whatever) do not use the tty in any way.
A simple echo command doesn't do any harm, usually, but if there is something like the tty command or something expecting input, then the script fails. For cron and the like you had best use a user without any shell startup files.
0
 

Author Comment

by:akaodin
ID: 20327056
Exactly how would I guarantee that the resource files do not use the tty command?  I believe that I need the bashrc and profiles in order to launch the ssh - maybe not.  Another thought I have had is that maybe the problem I am having is the permissions on the ssh files.  I tried changing the permission of id_rsa from 600 to 777.  It did not work; moreover it hesitated my startup.  More thoughts?
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 20327074
> Exactly how would I guarantee ..
  grep tty ~/.* /etc/*
or simply use an at command which logs in remotely and catches the output

ssh permission problems are more generic, meaning that it won't work at all, whether interactive or in batch mode

Can you please post an error message you get.
0
 

Author Comment

by:akaodin
ID: 20328373
I have 2 servers: DJX and TJW
on DJX I have a file named tryit w/ the line "ssh -v tjw cat sendit"
the command file works fine interactively but when I try it w/ a Cron job and the system is not interactive I get the following errors (as viewed from the mail msg):

From root@djx.odin.com  Wed Nov 21 10:23:00 2007
Return-Path: <root@djx.odin.com>
Received: from djx.odin.com (localhost [127.0.0.1])
        by djx.odin.com (8.12.8/8.12.8) with ESMTP id lALFN0ek015061
        for <root@djx.odin.com>; Wed, 21 Nov 2007 10:23:00 -0500
Received: (from root@localhost)
        by djx.odin.com (8.12.8/8.12.8/Submit) id lALFN0Wu015059
        for root; Wed, 21 Nov 2007 10:23:00 -0500
Date: Wed, 21 Nov 2007 10:23:00 -0500
Message-Id: <200711211523.lALFN0Wu015059@djx.odin.com>
From: root@djx.odin.com (Cron Daemon)
To: root@djx.odin.com
Subject: Cron <root@djx> /root/tryit
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=root>
Status: R

OpenSSH_3.5p1, SSH protocols 1.5/2.0, OpenSSL 0x0090701f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to tjw [10.0.0.142] port 22.
debug1: Connection established.
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type 1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.5p1
debug1: match: OpenSSH_3.5p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.5p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 122/256
debug1: bits set: 1626/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'tjw' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug1: bits set: 1617/3191
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is publickey
debug1: try privkey: /root/.ssh/identity
debug1: try pubkey: /root/.ssh/id_rsa
debug1: input_userauth_pk_ok: pkalg ssh-rsa blen 277 lastkey 0x808fef8 hint 1
debug1: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
debug1: try privkey: /root/.ssh/id_dsa
debug1: next auth method to try is keyboard-interactive
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is password
debug1: authentications that can continue: publickey,password,keyboard-interactive
Permission denied, please try again.
debug1: authentications that can continue: publickey,password,keyboard-interactive
Permission denied, please try again.
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: no more auth methods to try
Permission denied (publickey,password,keyboard-interactive).
debug1: Calling cleanup 0x80674d0(0x0)


Hope this helps.  Thx.
0
 

Author Comment

by:akaodin
ID: 20328436
Hi again,
  The following are the msgs of the interactive session which succeeds:

[root@djx root]# tryit
OpenSSH_3.5p1, SSH protocols 1.5/2.0, OpenSSL 0x0090701f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to tjw [10.0.0.142] port 22.
debug1: Connection established.
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type 1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.5p1
debug1: match: OpenSSH_3.5p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.5p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 139/256
debug1: bits set: 1619/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'tjw' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug1: bits set: 1600/3191
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is publickey
debug1: userauth_pubkey_agent: testing agent key /root/.ssh/id_rsa
debug1: input_userauth_pk_ok: pkalg ssh-rsa blen 277 lastkey 0x8092900 hint -1
debug1: ssh-userauth2 successful: method publickey
debug1: channel 0: new [client-session]
debug1: send channel open 0
debug1: Entering interactive session.
debug1: ssh_session2_setup: id 0
debug1: Sending command: cat /root/tryit
debug1: channel request 0: exec
debug1: channel 0: open confirm rwindow 0 rmax 32768
ssh djx cat sendit
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: rcvd eof
debug1: channel 0: output open -> drain
debug1: channel 0: obuf empty
debug1: channel 0: close_write
debug1: channel 0: output drain -> closed
debug1: channel 0: rcvd close
debug1: channel 0: close_read
debug1: channel 0: input open -> closed
debug1: channel 0: almost dead
debug1: channel 0: gc: notify user
debug1: channel 0: gc: user detached
debug1: channel 0: send close
debug1: channel 0: is dead
debug1: channel 0: garbage collecting
debug1: channel_free: channel 0: client-session, nchannels 1
debug1: Transferred: stdin 0, stdout 0, stderr 0 bytes in 0.3 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0
debug1: Exit status 0


The only discernible diff I noticed is the bits set.  Hope this also helps.  Thx.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 20334213
> debug1: PEM_read_PrivateKey failed
> debug1: read PEM private key done: type <unknown>
> debug1: try privkey: /root/.ssh/id_dsa
> debug1: next auth method to try is keyboard-interactive

the first line indicates that your keyfile cannot be read, which then results in the keyboard-interactive auth method (last line)

There's something wrong with your keyfiles and/or the user running your cron.
Can you please post the cron line.
0
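The two debug transcripts above already give the diagnosis. Interactively, ssh authenticated through an agent (`userauth_pubkey_agent: testing agent key /root/.ssh/id_rsa`); under cron there is no agent and no tty, so ssh reads `/root/.ssh/id_rsa` itself and reports `PEM_read_PrivateKey failed`, which is what a passphrase-protected key looks like when nothing can supply the passphrase. The check below is an added example, not from the original thread: it tells you before the cron job runs whether a key is usable unattended (readable, not encrypted, mode 0600), and wraps the ssh call with BatchMode so ssh never falls through to password prompts as it did in the log. The key name `id_cron`, the remote path `/root/sendit` and the `stat -c` flag (GNU coreutils; a BSD fallback is included) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread: a pre-flight check for the
# private key a cron job is about to hand to ssh, plus the wrapper that
# uses it. Assumed names: id_cron (dedicated cron key), /root/sendit.

# check_unattended_key KEYFILE
# Prints one line per problem; returns 1 if the key needs a human present.
check_unattended_key() {
    key=$1
    rc=0
    if [ ! -r "$key" ]; then
        echo "$key: not readable by $(id -un)"
        return 1
    fi
    # Legacy PEM keys (the format OpenSSH 3.5 writes, default up to 7.7)
    # mark a passphrase with a Proc-Type/DEK-Info header.
    if grep -q '^Proc-Type: 4,ENCRYPTED' "$key"; then
        echo "$key: passphrase-protected, cron has nothing to unlock it with"
        rc=1
    fi
    # ssh ignores a private key with any group/other permission bits set,
    # so the 777 tried in the thread makes things worse, not better.
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    case "$mode" in
        ?00) ;;
        *) echo "$key: mode $mode, must be 0600"; rc=1 ;;
    esac
    return $rc
}

# run_remote KEYFILE USER@HOST COMMAND...
# What the cron script should call: full paths (cron's PATH is /usr/bin:/bin),
# the key named explicitly, and BatchMode so ssh fails instead of prompting.
run_remote() {
    key=$1; target=$2; shift 2
    check_unattended_key "$key" || return 1
    exec /usr/bin/ssh -o BatchMode=yes -o StrictHostKeyChecking=yes \
        -i "$key" "$target" "$@"
}

# Constructed sample keys (headers only, not real key material) so the
# check can be exercised offline. Prints the directory they were written to.
make_samples() {
    dir=$(mktemp -d)
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: DES-EDE3-CBC,0123456789ABCDEF' '' 'AAAA' \
        '-----END RSA PRIVATE KEY-----' > "$dir/id_locked"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'AAAA' \
        '-----END RSA PRIVATE KEY-----' > "$dir/id_cron"
    chmod 600 "$dir/id_locked" "$dir/id_cron"
    cp "$dir/id_cron" "$dir/id_loose"
    chmod 777 "$dir/id_loose"
    echo "$dir"
}

# Cron usage (assumed paths):
#   run_remote /root/.ssh/id_cron root@djx /bin/cat /root/sendit
```

The header grep covers the PEM format of the page's OpenSSH version; for keys written in the newer OpenSSH private-key format the authoritative test is `ssh-keygen -y -P '' -f KEYFILE`, which fails if the key is passphrase-protected. Either way the fix is the same: generate a separate key with an empty passphrase for the cron job rather than stripping the passphrase from your interactive key.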
 

Author Comment

by:akaodin
ID: 20342628
Hi,

   In my /root/.ssh I have:
      id_rsa
      id_rsa.pub
      known_hosts
      authorized_keys

These work interactively.  The cron line which is supposed to trigger these events is:

    30  3 * * * /root/tryit

and tryit has the single line: "ssh -v djx cat sendit"
Earlier I typed the wrong line.  Client TJW is supposed to read a file from DJX.

Hope this helps.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 20342743
most likely not the problem, but I'd recommend using full paths in all your scripts called by cron and in cron itself
Having said this, can you please post the corresponding entry from your ~/.ssh/config file and also
  ls -lad /root/.ssh /root/.ssh/{config,id_rsa,known_hosts}
0
 

Author Comment

by:akaodin
ID: 20343059
Hi,
   My (Red Hat 9) ssh config is in /etc/ssh.  I have included the info you requested.

drwx------    2 root     root         4096 Nov 20 20:22 .ssh
total 44
-rw-------    1 root     root         1743 Mar  6  2005 id_tjw
-rw-r--r--    1 root     root          381 Nov 18 09:30 id_djx.pub
-rw-------    1 root     root         1743 Nov 18 09:31 id_djx
-rw-r--r--    1 root     root          381 Nov 18 09:56 id_tjw.pub
-rwxr-xr-x    1 root     root         1143 Nov 18 09:58 authorized_keys
-rw-r--r--    1 root     root           44 Nov 18 10:00 pass.txt
-rw-r--r--    1 root     root          448 Nov 18 14:58 known_hosts
-rwx------    1 root     root           48 Nov 19 16:12 djx
-rwx------    1 root     root           48 Nov 19 16:13 tjw
-rw-r--r--    1 root     root          381 Nov 21 06:38 id_rsa.pub
-rw-------    1 root     root         1743 Nov 21 06:38 id_rsa
drwxr-xr-x    2 root     root         4096 Mar  6  2004 /etc/ssh
total 124
-rw-------    1 root     root        88039 Feb 14  2003 moduli
-rw-------    1 root     root         2474 Feb 21  2003 sshd_config
-rw-r--r--    1 root     root          319 Feb 21  2004 ssh_host_key.pub
-rw-------    1 root     root          515 Feb 21  2004 ssh_host_key
-rw-r--r--    1 root     root          210 Feb 21  2004 ssh_host_rsa_key.pub
-rw-------    1 root     root          883 Feb 21  2004 ssh_host_rsa_key
-rw-r--r--    1 root     root          590 Feb 21  2004 ssh_host_dsa_key.pub
-rw-------    1 root     root          668 Feb 21  2004 ssh_host_dsa_key
-rw-r--r--    1 root     root         1167 Mar 18  2004 ssh_config

Hope this helps.  Thx.
0
 

Author Comment

by:akaodin
ID: 20343066
Forgot,  this is my /etc/ssh/{ssh_config,sshd_config} files (not quite sure which one it uses) :

#      $OpenBSD: ssh_config,v 1.16 2002/07/03 14:21:05 markus Exp $

# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for various options

# Host *
#   ForwardAgent no
#   ForwardX11 no
#   RhostsAuthentication no
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   BatchMode no
#   CheckHostIP yes
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   Port 22
#   Protocol 2,1
#   Cipher 3des
#   Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
#   EscapeChar ~
Host *
      ForwardX11 yes
#      $OpenBSD: sshd_config,v 1.59 2002/09/25 11:17:16 markus Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 3600
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 120
#PermitRootLogin yes
#StrictModes yes

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile      .ssh/authorized_keys

# rhosts authentication should not be used
#RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

#AFSTokenPassing no

# Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no

# Set this to 'yes' to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt no

#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes

#MaxStartups 10
# no default banner path
#Banner /some/path
#VerifyReverseMapping no

# override default of no subsystems
Subsystem      sftp      /usr/libexec/openssh/sftp-server
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 20344957
I was asking for /root/.ssh and its files not /etc/ssh.
In your debug output you also see that the files are read from /root/.ssh/.
Also, please just post the proper entry from /root/.ssh/config, no comments etc.
0
 

Author Comment

by:akaodin
ID: 20345535
Hi,

    Here are the files in /root/.ssh

[root@tjw root]# ls -lrt .ssh
-rwx------    1 root     root           48 Nov 19 18:22 tjw
-rw-r--r--    1 root     root           44 Nov 19 18:22 pass.txt
-rw-r--r--    1 root     root          448 Nov 19 18:22 known_hosts
-rw-r--r--    1 root     root          381 Nov 19 18:22 id_tjw.pub
-rw-------    1 root     root         1743 Nov 19 18:22 id_tjw
-rw-r--r--    1 root     root          381 Nov 19 18:22 id_djx.pub
-rw-------    1 root     root         1743 Nov 19 18:22 id_djx
-rwx------    1 root     root           48 Nov 19 18:22 djx
-rwxr-xr-x    1 root     root         1143 Nov 19 18:22 authorized_keys
-rw-r--r--    1 root     root          381 Nov 21 06:36 id_rsa.pub
-rw-------    1 root     root         1743 Nov 21 06:36 id_rsa
[root@tjw root]#

As you see, there is no /root/.ssh/config/ on this version of openssh 3.5p1 (at least on my machine).  I had posted earlier the config files on my machines: /etc/ssh/ss[d]_config.  I do not know which is relevant.  The only non-commented lines are:

    /etc/ssh/ssh_config
        Host *
              ForwardX11 yes
    /etc/ssh/sshd_config
        SyslogFacility AUTHPRIV
        X11Forwarding yes
        Subsystem      sftp      /usr/libexec/openssh/sftp-server

Hope this helps.  Thx.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 20346918
> As you see, there is no /root/.ssh/config/
then you have to tell ssh (in your cron script) to use a key file, something like:
  /path/to/ssh -i /root/.ssh/keyfile user@remote /path/to/cat sendit
0
 

Author Comment

by:akaodin
ID: 20347422
Hi,
  Would it be easier in the long run to chg my config to /root/config instead of /etc/ssh/sshd_config?  If so, is that an item in the config file or does ssh have to be rebuilt?  I have not tried your suggestion yet, but I certainly will.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 20351819
yes you should use /root/.ssh/config and you don't need to rebuild ssh or sshd
0
 

Author Comment

by:akaodin
ID: 20355341
Hi,
   Pardon me for being dense.  Do I simply cp /etc/ssh/sshd_config /root/ssh/config?  Then what?  There must be a step I am missing.  Pls advise.  Thx.
0
 

Author Comment

by:akaodin
ID: 20357127
Hi,
   I tried linking /etc/ssh/sshd_config to /root/.ssh/config.  This time I got the error msgs:
        Bad configuration options:  SyslogFacility, X11Forwarding, Subsystem, ...
I then tried linking instead /etc/ssh/ssh_config. Again, wrong permissions.  Any suggestions?
0
 
LVL 51

Accepted Solution

by:
ahoffmann earned 500 total points
ID: 20359023
NO, don't copy. You need to set up your own file, in particular for user root.
Please read the man-page and get used to the configuration, it's far too much to post here ...

Security is a process, not a product.
0
 

Author Comment

by:akaodin
ID: 20359484
Hi,
  How does one set up a configuration file?  It was done automatically for me when I built ssh.  I checked the man-pages of ssh and found no mention of how to create a configuration file.  It does mention (as you said) the per-user configuration file of $HOME/.ssh/config.  Unfortunately, it does not tell how to create it.  Any suggestions on where to look further?  Thx.
0
 

Author Comment

by:akaodin
ID: 20359715
Hi,
  I think I get it.  The $HOME/.ssh/config can be built by inserting only relevant options.  All others will be checked in the system configuration files.  Any idea which options might help me?
0
 

Author Comment

by:akaodin
ID: 20364958
Hi,
    Gave you the points you well deserved.  However,   I am not sure I will ever solve my problem.  I did learn more about SSH and that is worth a lot.  Thx again.  My next goal is to try and add several options to $HOME/.ssh/config to see if it makes a difference.  Thx again.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 20367990
# ~/.ssh/config usually consists of entries (blocks) as follows:

Host whatever-alias-you-want
        HostName        FQDN
        Port            22
# protocol 2 is what both ends negotiated in the debug output above
        Protocol        2
        CheckHostIP     yes
        User            remoteusername
        ForwardAgent    yes
        ForwardX11      yes
        Compression     yes
# IdentityFile names the private key, not the .pub file
        IdentityFile    ~/.ssh/private-key-file
        KeepAlive       no

# If you look at your ssh sample in http:#20342628 I'd expect a block starting with

Host djx
0
 

Author Comment

by:akaodin
ID: 20369427
Hi aHoffman,

  I really appreciate all your help.  I should have read the ssh_config earlier.  It is as you said.  But I doubt seriously if I could have figured it out for myself w/o your help.

   The file states 'Host *'.  Can I use that, or should I use the hostname of the server?
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 20388140
not sure if you can use * as alias (value for the Host directive), you need to try yourself
I'd not use * 'cause you'll have to take special care with it in most shells.
The value of the Host directive is a name (aka alias) for you to identify a special ssh configuration for a specific connection. Without that a corresponding (to my config example) ssh call would look like:
  ssh -2 -p 22 -X -o "KeepAlive=no" remoteusername@FQDN
0
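The thread ends with two pieces of advice (name the key with `-i`, or put a `Host` block in `~/.ssh/config`) but never closes the loop on the server side: a passphrase-less key that works from cron is, as posted, a full root login on the other machine. The script below is an added example, not from the original thread, and does both halves in one go: it writes the per-host client config with the key named and BatchMode set, and it emits the `authorized_keys` line for the server that accepts that key only from the client's address, always runs one fixed command, and disables forwarding and pty allocation. The key name `id_cron` and remote path `/root/sendit` are assumptions; the address 10.0.0.142 and the name djx.odin.com are taken from the debug output and mail header in the thread, with TJW as the client and DJX as the server as the corrected tryit line has it.

```shell
#!/bin/sh
# Added example, not from the original thread: least-privilege setup for a
# cron ssh key. Assumed names: id_cron, /root/sendit.

# restrict_key PUBFILE SOURCE_IP COMMAND
# Prints an authorized_keys line for the server: the key is accepted only
# from SOURCE_IP, COMMAND runs no matter what the client asked for (the
# client's request is still visible to COMMAND in SSH_ORIGINAL_COMMAND),
# and port/X11/agent forwarding and pty allocation are refused.
# The options used here all exist in OpenSSH 3.5; the shorter "restrict"
# keyword needs 7.2 or later. Returns 1 if PUBFILE is not a public key.
restrict_key() {
    pub=$1; src=$2; cmd=$3
    line=$(head -n 1 "$pub")
    case "$line" in
        "ssh-rsa "*|"ssh-dss "*|"ssh-ed25519 "*|"ecdsa-sha2-"*) ;;
        *) echo "$pub: not a public key line" >&2; return 1 ;;
    esac
    printf 'from="%s",command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
        "$src" "$cmd" "$line"
}

# write_client_config DIR ALIAS HOSTNAME KEYFILE
# Writes DIR/config (mode 0600) with the per-host block the thread was
# converging on. Protocol 2 matches what both ends negotiated; BatchMode
# stops ssh from ever prompting, so a broken key fails loudly in cron mail.
write_client_config() {
    dir=$1; name=$2; host=$3; key=$4
    (
        umask 077
        cat > "$dir/config" <<EOF
Host $name
    HostName $host
    User root
    Protocol 2
    IdentityFile $key
    BatchMode yes
    StrictHostKeyChecking yes
EOF
    )
}

# Intended use (assumed paths), on the client TJW:
#   ssh-keygen -t rsa -N '' -f /root/.ssh/id_cron
#   write_client_config /root/.ssh djx djx.odin.com /root/.ssh/id_cron
#   restrict_key /root/.ssh/id_cron.pub 10.0.0.142 "/bin/cat /root/sendit"
# and append the printed line to /root/.ssh/authorized_keys on the server DJX;
# the cron entry then stays "30 3 * * * /root/tryit" with tryit running
#   /usr/bin/ssh djx
```

Because the forced command is fixed on the server, the cron script no longer needs to pass `cat sendit` at all; if someone steals `id_cron` from TJW, the most they can do with it is read that one file from that one address.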
