Solved

"ssh localhost" prompts for key but ssh from other servers prompts for password

Posted on 2008-11-02
Last Modified: 2013-12-04
We have a Solaris 10 server (call it svr10)  :
when other servers within the same subnet "ssh" to it, it prompts
for password instead of ssh keys.

However, when issuing "ssh localhost" from the server itself (back
to itself), it prompts for ssh keys (the first time it prompts; subsequent
times, it just logs in straight without prompting for anything as the
public/private keys have been exported??)

Why is it when other servers (within the same subnet, ie don't go
thru firewall) ssh to it, it does not prompt for keys but password?

The above observation is a side-phenomenon that I noticed.  I'm
actually trying to solve the following problem :
a) this server listens on port 5555 (Data Protector backup tool) &
    when issuing "telnet localhost 5555" from svr10 itself, could
    see connection on Tcp 5555 established
    (netstat -a | grep 5555;
      "netstat -a | grep -i listen" showed it's listening on 5555)
b) however, when issuing "telnet svr10 5555" from any other servers
   (which are on the same subnet), the connection closes within a
   split second

What's described about ssh & "telnet ...  5555" appeared to imply
there's some sort of "local firewall" within svr10 that prevents any
other servers from getting into it other than itself.

Appreciate any suggestions/insights
 
0
Question by:sunhux
6 Comments
 
LVL 40

Assisted Solution

by:omarfarid
omarfarid earned 50 total points
ID: 22861099
can you show the output of

netstat -na

0
 
LVL 43

Accepted Solution

by:
ravenpl earned 200 total points
ID: 22862772
You mean something like:

[raven@kruk tmp]$ ssh somewhere.com
The authenticity of host 'somewhere.com (193.0.0.0)' can't be established.
RSA key fingerprint is 18:25:d0:cd:55:01:e9:0b:4f:26:1d:75:c8:1e:40:66.
Are you sure you want to continue connecting (yes/no)?

It's very normal when you are trying to ssh to some name for the first time. It saves the remote (localhost in your case) in $HOME/.ssh/known_hosts
Then, next time you connect, it verifies the remote key against the one saved in known_hosts - ssh warns if it mismatches.
0
 
LVL 48

Assisted Solution

by:Tintin
Tintin earned 150 total points
ID: 22863241
I don't see what the relationship is between ssh and your problem accessing the Data Protector backup tool running on port 5555 (unless the Data Protector tool is running a modified ssh version).

Can you please clarify.
0
 
LVL 3

Assisted Solution

by:Saranyakkali
Saranyakkali earned 100 total points
ID: 22866821
Did you check the /etc/hosts.allow file, like below?

ALL:    localhost
sshd:   ALL
0
 

Author Comment

by:sunhux
ID: 22873275
Thought this has to do with /etc/hosts.allow but this is not the case.

Tintin is right that the ssh issue has nothing to do with the DP issue.

Problem has just been resolved after several attempts by HP DP team
so appending the solution below to serve as documentation :

=================== HP's reply =======================

Check if any TCP wrappers are enabled or not.
# svcprop -p defaults inetd
defaults/tcp_wrappers boolean true
true=enabled
 
Disable TCP Wrappers completely and check if Cell Manager  can "telnet jag51 5555".
# inetadm -M tcp_wrappers=false         <== this is the solution; the rest are not the cause
# svcadm refresh inetd

Settings check:
- Check if the file /var/svc/manifest/network/omni-tcp.xml
  is executing the right DP binary, i.e.
  exec='/opt/omni/lbin/inet -log /var/opt/omni//log/inet.log'
- Does the log file /var/opt/omni//log/inet.log exist?

Binary check:
# cksum /opt/omni/lbin/inet
# ls -al /opt/omni/lbin
0
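
How the TCP Wrappers check that HP's reply switches off can produce this local-works/remote-drops pattern, as an added example that is not part of the thread: a simplified hosts_access(5) evaluator run over constructed files. The hosts.deny content, the daemon name inet (taken from the binary path above) and the peer address 192.168.10.20 are assumptions; the hosts.allow lines are the ones quoted earlier in the thread.

```shell
#!/bin/sh
# Simplified model of the hosts_access(5) check that TCP Wrappers applies.
# Patterns handled: ALL, exact name/address, "net." prefix, ".domain" suffix.
set -f                                   # rule patterns are data, never globs

match_list() {                           # match_list ITEM "pat1, pat2 ..."
    item=$1
    for pat in $(printf '%s' "$2" | tr ',' ' '); do
        case $pat in
            ALL) return 0 ;;
            *.)  case $item in "$pat"*) return 0 ;; esac ;;
            .*)  case $item in *"$pat") return 0 ;; esac ;;
            *)   [ "$item" = "$pat" ] && return 0 ;;
        esac
    done
    return 1
}

file_matches() {                         # file_matches FILE DAEMON CLIENT
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        daemons=${line%%:*}
        rest=${line#*:}
        clients=${rest%%:*}              # drop optional shell_command field
        if match_list "$2" "$daemons" && match_list "$3" "$clients"; then
            return 0
        fi
    done < "$1"
    return 1
}

tcpd_decision() {                        # DAEMON CLIENT ALLOW_FILE DENY_FILE
    if   file_matches "$3" "$1" "$2"; then echo allow   # hosts.allow wins
    elif file_matches "$4" "$1" "$2"; then echo deny
    else echo allow                                      # no rule: granted
    fi
}

# Constructed files: hosts.allow as quoted in the thread, hosts.deny assumed.
d=$(mktemp -d)
printf 'ALL:    localhost\nsshd:   ALL\n' > "$d/hosts.allow"
printf 'ALL: ALL\n' > "$d/hosts.deny"
for c in localhost 192.168.10.20; do     # 192.168.10.20 is a made-up peer
    echo "inet from $c: $(tcpd_decision inet "$c" "$d/hosts.allow" "$d/hosts.deny")"
    echo "sshd from $c: $(tcpd_decision sshd "$c" "$d/hosts.allow" "$d/hosts.deny")"
done
```

Adding a hosts.allow rule for the one daemon keeps the wrapper check in force for every other inetd service, whereas `inetadm -M tcp_wrappers=false` changes the inetd default and turns the check off for all services that inherit it.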
 

Author Closing Comment

by:sunhux
ID: 31512967
Thought this has to do with /etc/hosts.allow but this is not the case.

Tintin is right that the ssh issue has nothing to do with the DP issue.

It's got something to do with Solaris Tcp wrapper, so I'll have to use
tcp wrapper from sunfreeware.com (or .org?)

0
