
SSH and not password prompt using root (Linux)

I'm trying to determine how to SSH from BOXA to BOXB, using the root account, without it prompting me for a password. I've done a lot of research and here are the steps I've taken so far, and unfortunately it is still prompting me for the password. Any help would be GREATLY appreciated. Thanks guys!


Box A-  #>  ssh-keygen -t dsa  (No passphrase, places the files in /root/.ssh)

Box B-  #>  mkdir /root/.ssh

Box A- #>  cat .ssh/id_dsa.pub | ssh BOXB 'cat >> .ssh/authorized_keys'  (copies and renames id_dsa.pub to BOXB /root/.ssh/authorized_keys)

Here are the alternate steps I've taken:
- I've tried doing the same steps using 'rsa' instead of 'dsa', still prompts for password (I don't know the difference but others claim it works both ways).  

- Gone as far as chmod 777 on /root/.ssh directory, as well as authorized_keys.

- Copied authorized_keys and created authorized_keys2.

- I've verified the contents of id_dsa.pub and authorized_keys.

Added these lines to BOXA, /etc/ssh/ssh_config
  HostbasedAuthentication yes
  EnableSSHKeysign yes

Added these lines to BOXB, /etc/ssh/sshd_config
  RhostsRSAAuthentication yes
  HostbasedAuthentication yes



Here are the results of ssh -v BOXB

OpenSSH_3.9p1, OpenSSL 0.9.7a Feb 19 2003
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to BOXB [xxx.xx.xxx.xx] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type 2
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.9p1
debug1: match: OpenSSH_3.9p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.9p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'era01sb20' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:24
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Offering public key: /root/.ssh/id_dsa
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: password
root@BOXB's password:


Any help would be GREATLY appreciated.  Thank you!
Asked by: Grant

Tintin commented:
On BOXB, make sure the .ssh directory has perms of 700 and authorized_keys has permissions of 644

Kerem ERSOY (President) commented:
Hi,

When you set your $HOME/.ssh to 777 it will be "untrusted" for SSH and no SSH key stored in this directory will succeed authentication any longer. The permissions should be 600.

The same is true for the authenticated_keys. It should be at least 644 while I'd prefer 600.

You don't need these options in BOXB

RhostsRSAAuthentication yes
HostbasedAuthentication yes

The first is for RSA key usage over rhosts auth. The second is for hostname verification. You won't need them for SSH authentication. You won't need authorized_keys2 file.

For a thorough reading about SSH key authentication please check this out:
http://www.experts-exchange.com/articles/OS/Linux/SSH-access-using-public-key.html
 
Grant (Author) commented:
Still no luck.  I did as Tintin and KeremE advised (thanks for the help!), and I read the article thoroughly but no luck.  I do have some confusion about the article - the very last sentence.  

On BOXA, I have id_dsa, id_dsa.pub.  On BOXB, I have authorized_keys (which was copied from id_dsa.pub).  Am I missing some files from either box?!?

Plz help!  Thanks guys!

Grant (Author) commented:
KeremE and TinTin thank you for your information - I wasn't aware of the 777 issue.  

FYI - As of now, BOXA ./.ssh perms are 600.  authorized_keys perms are 644.  Can anyone else assist!?  Thank you!

Grant (Author) commented:
Bumping to 500 points

Kerem ERSOY (President) commented:
Hi,

Remove all these lines from your config and restart both ssh servers and retry please:

Added these lines to BOXA, /etc/ssh/ssh_config
  HostbasedAuthentication yes
  EnableSSHKeysign yes

Added these lines to BOXB, /etc/ssh/sshd_config
  RhostsRSAAuthentication yes
  HostbasedAuthentication yes

Kerem ERSOY (President) commented:
Hi,

There's another problem with your settings. The previous trace showed that:

debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type 2

you did not have any line such as :
debug1: loaded 3 keys

So it seems that the server BOXA can not access any of your keys especially your private key. You'd better check for BOXA .ssh and key file permissions too.

Please set all to 600

Then copy your id_dsa at host a to identity and make sure that it is set to 600 by permissions and retry.

The last sentence in the article is not confusing. It is assuming that you create the key over the target system. It is just suggesting you to remove id_dsa and id_dsa.pub and just leave authorized_keys there.
This might be a good idea for your systems too.

Kerem ERSOY (President) commented:
BTW your OpenSSH and OpenSSL versions are outdated. Please consider updating them to the latest version. The versions you use have several security loopholes.

Tintin commented:
You've set the wrong permissions on .ssh directory.  It should be 700 and not 600.

Grant (Author) commented:
Someone else apparently stepped in and resolved it about 10 minutes after I was fooling with it, so I can't guarantee this was the fix but I believe it was close enough to work.  Thanks for everyone's help.
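
The permission problem discussed in this thread can be checked mechanically. The script below is an added example, not part of the original thread: it flags the two conditions OpenSSH enforces on key files, namely group/other write bits on the home directory, `.ssh` and `authorized_keys` (sshd's default `StrictModes` check on the server) and any group/other access to a private key (the client-side check). The function names are hypothetical, GNU `stat` is assumed, and ownership checks are left out.

```shell
#!/bin/sh
# Added example (not from the thread): audit the permission bits OpenSSH
# checks before it will use key files under a given home directory.

# mode_of PATH -> octal permission bits, e.g. 700 (GNU stat, as on Linux)
mode_of() { stat -c '%a' "$1"; }

# has_bits MODE MASK -> true if any bit of octal MASK is set in octal MODE
has_bits() { [ $(( 0$1 & 0$2 )) -ne 0 ]; }

# audit_ssh_perms HOME_DIR
# Prints one line per problem and returns the number of problems found.
audit_ssh_perms() {
    home=$1
    problems=0

    # Server side (sshd StrictModes): the home directory, ~/.ssh and
    # authorized_keys must not be writable by group or others.
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        if has_bits "$(mode_of "$p")" 022; then
            echo "FAIL $p mode $(mode_of "$p"): group/other writable"
            problems=$((problems + 1))
        fi
    done

    # Client side: ssh will not use a private key that group or others
    # can read, write or execute.
    for k in "$home/.ssh/identity" "$home/.ssh/id_rsa" "$home/.ssh/id_dsa"; do
        [ -f "$k" ] || continue
        if has_bits "$(mode_of "$k")" 077; then
            echo "FAIL $k mode $(mode_of "$k"): private key exposed"
            problems=$((problems + 1))
        fi
    done

    return "$problems"
}

# Usage: audit_ssh_perms /root   (run it on BOXA and on BOXB)
```

A `.ssh` directory or `authorized_keys` file set to 777, as tried in the question, is reported by the first loop; 700 on the directory and 644 or 600 on the file pass.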