Solved

SSH and not password prompt using root (Linux)

Posted on 2009-07-13
Last Modified: 2013-12-15
I'm trying to determine how to SSH from BOXA to BOXB, using the root account, without it prompting me for a password.  I've done a lot of research and here are the steps I've taken so far and unfortunately still prompting me for the password.  Any help would be GREATLY appreciated.  Thanks guys!


Box A-  #>  ssh-keygen -t dsa  (No passphrase, places the files in /root/.ssh)

Box B-  #>  mkdir /root/.ssh

Box A- #>  cat .ssh/id_dsa.pub | ssh BOXB 'cat >> .ssh/authorized_keys'  (copies and renames id_dsa.pub to BOXB /root/.ssh/authorized_keys)

Here are the alternate steps I've taken:
- I've tried doing the same steps using 'rsa' instead of 'dsa', still prompts for password (I don't know the difference but others claim it works both ways).  

- Gone as far as chmod 777 on /root/.ssh directory, as well as authorized_keys.

- Copied authorized_keys and created authorized_keys2.

- I've verified the contents of id_dsa.pub and authorized_keys.

Added these lines to BOXA, /etc/ssh/ssh_config
  HostbasedAuthentication yes
  EnableSSHKeysign yes

Added these lines to BOXB, /etc/ssh/sshd_config
  RhostsRSAAuthentication yes
  HostbasedAuthentication yes



Here are the results of ssh -v BOXB

OpenSSH_3.9p1, OpenSSL 0.9.7a Feb 19 2003
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to BOXB [xxx.xx.xxx.xx] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type 2
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.9p1
debug1: match: OpenSSH_3.9p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.9p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'era01sb20' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:24
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Offering public key: /root/.ssh/id_dsa
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: password
root@BOXB's password:


Any help would be GREATLY appreciated.  Thank you!
0
Question by:Grant
11 Comments
 
LVL 48

Expert Comment

by:Tintin
ID: 24843787
On BOXB, make sure the .ssh directory has perms of 700 and authorized_keys has permissions of 644

0
 
LVL 30

Expert Comment

by:Kerem ERSOY
ID: 24844400
Hi,

When you set your $HOME/.ssh to 777 it will be "untrusted" for SSH and no SSH key stored in this directory will succeed at authentication any longer.  The permissions should be 600.

The same is true for the authenticated_keys. It should be at least 644 while I prefer 600.

You don't need these options in BOXB

RhostsRSAAuthentication yes
HostbasedAuthentication yes

The first is for RSA key usage over rhosts auth. The second is for hostname verification. You won't need them for SSH authentication. You won't need authorized_keys2 file.

For a thorough reading about SSH key authentication please check this out:
http://www.experts-exchange.com/articles/OS/Linux/SSH-access-using-public-key.html
0

 

Author Comment

by:Grant
ID: 24848580
Still no luck.  I did as Tintin and KeremE advised (thanks for the help!), and I read the article thoroughly but no luck.  I do have some confusion about the article - the very last sentence.  

On BOXA, I have id_dsa, id_dsa.pub.  On BOXB, I have authorized_keys (which was copied from id_dsa.pub).  Am I missing some files from either box?!?

Plz help!  Thanks guys!
0
 

Author Comment

by:Grant
ID: 24848648
KeremE and TinTin thank you for your information - I wasn't aware of the 777 issue.  

FYI - As of now, BOXA ./.ssh perms are 600.  authorized_keys perms are 644.  Can anyone else assist!?  Thank you!
0
 

Author Comment

by:Grant
ID: 24848993
Bumping to 500 points
0
 
LVL 30

Expert Comment

by:Kerem ERSOY
ID: 24849177
Hi,

Remove all these lines from your config and restart both ssh servers and retry please:

Added these lines to BOXA, /etc/ssh/ssh_config
  HostbasedAuthentication yes
  EnableSSHKeysign yes

Added these lines to BOXB, /etc/ssh/sshd_config
  RhostsRSAAuthentication yes
  HostbasedAuthentication yes

0
 
LVL 30

Accepted Solution

by:
Kerem ERSOY earned 500 total points
ID: 24849239
Hi,

There's another problem with your settings. The previous trace showed that:

debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type 2

You did not have any line such as:
debug1: loaded 3 keys

So it seems that the server BOXA can not access any of your keys especially your private key. You'd better check for BOXA .ssh and key file permissions too.

Please set all to 600

Then copy your id_dsa at host a to identity and make sure that it is set to 600 by permissions and retry.

The last sentence in the article is not confusing. It is assuming that you create the key over the target system. It is just suggesting you to remove id_dsa and id_dsa.pub and just leave authorized_keys there.
This might be a good idea for your systems too.

0
 
LVL 30

Expert Comment

by:Kerem ERSOY
ID: 24849252
BTW your OpenSSH and OpenSSL versions are outdated. Please consider updating them to the latest version. The versions you use have several security loopholes.
0
 
LVL 48

Expert Comment

by:Tintin
ID: 24853757
You've set the wrong permissions on .ssh directory.  It should be 700 and not 600.
0
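
The permission rules raised in the answers above (no group- or world-writable `.ssh` or `authorized_keys`, 700 rather than 600 on the directory, private keys accessible only to their owner) can be checked with a short script. This is an added example, not part of the original thread; the names `mode_of` and `audit_ssh_perms` and the finding labels are made up for illustration, and it checks modes only, not ownership.

```shell
#!/bin/sh
# Added example (not from the thread): audit the modes the answers discuss.
# Checks modes only; ownership is not examined.

# Octal mode of a path: GNU stat first, BSD/macOS stat as a fallback.
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# audit_ssh_perms HOME_DIR
# Prints one finding per line; exit status 0 means nothing was flagged.
# The body is a subshell, so its variables do not leak into the caller.
audit_ssh_perms() (
    home=$1; dir=$home/.ssh; bad=0
    [ -d "$dir" ] || { echo "MISSING $dir"; exit 1; }

    # Server side: with StrictModes on, sshd ignores authorized_keys when
    # the home directory, .ssh or the file is group- or world-writable.
    for f in "$home" "$dir" "$dir/authorized_keys"; do
        [ -e "$f" ] || continue
        m=$(mode_of "$f")
        if [ $(( 0$m & 022 )) -ne 0 ]; then
            echo "WRITABLE $f mode=$m"; bad=1
        fi
    done

    # A directory needs the owner's search (x) bit: 700, not 600.
    m=$(mode_of "$dir")
    if [ $(( 0$m & 0700 )) -ne $(( 0700 )) ]; then
        echo "NOSEARCH $dir mode=$m"; bad=1
    fi

    # Client side: ssh refuses a private key that group or others can access.
    for f in "$dir/identity" "$dir/id_rsa" "$dir/id_dsa"; do
        [ -e "$f" ] || continue
        m=$(mode_of "$f")
        if [ $(( 0$m & 077 )) -ne 0 ]; then
            echo "OPENKEY $f mode=$m"; bad=1
        fi
    done
    exit "$bad"
)

# Usage: audit root's files on either box.
# audit_ssh_perms /root
```

Run it on BOXB for the `authorized_keys` side and on BOXA for the private-key side; a clean run prints nothing and returns 0.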
 

Author Comment

by:Grant
ID: 24881213
Someone else apparently stepped in and resolved it about 10 minutes after I was fooling with it, so I can't guarantee this was the fix but I believe it was close enough to work.  Thanks for everyone's help.
0
