Solved

SSH and not password prompt using root (Linux)

Posted on 2009-07-13
Last Modified: 2013-12-15
I'm trying to determine how to SSH from BOXA to BOXB, using the root account, without it prompting me for a password. I've done a lot of research; here are the steps I've taken so far, and unfortunately it is still prompting me for the password. Any help would be GREATLY appreciated. Thanks guys!


Box A-  #>  ssh-keygen -t dsa  (No passphrase, places the files in /root/.ssh)

Box B-  #>  mkdir /root/.ssh

Box A- #>  cat .ssh/id_dsa.pub | ssh BOXB 'cat >> .ssh/authorized_keys'  (copies and renames id_dsa.pub to BOXB /root/.ssh/authorized_keys)

Here are the alternate steps I've taken:
- I've tried doing the same steps using 'rsa' instead of 'dsa', still prompts for password (I don't know the difference but others claim it works both ways).  

- Gone as far as chmod 777 on /root/.ssh directory, as well as authorized_keys.

- Copied authorized_keys and created authorized_keys2.

- I've verified the contents of id_dsa.pub and authorized_keys.

Added these lines to BOXA, /etc/ssh/ssh_config
  HostbasedAuthentication yes
  EnableSSHKeysign yes

Added these lines to BOXB, /etc/ssh/sshd_config
  RhostsRSAAuthentication yes
  HostbasedAuthentication yes



Here are the results of ssh -v BOXB

OpenSSH_3.9p1, OpenSSL 0.9.7a Feb 19 2003
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to BOXB [xxx.xx.xxx.xx] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type 2
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.9p1
debug1: match: OpenSSH_3.9p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.9p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'era01sb20' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:24
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Offering public key: /root/.ssh/id_dsa
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: password
root@BOXB's password:


Any help would be GREATLY appreciated.  Thank you!
Question by:Grant
 
LVL 48

Expert Comment

by:Tintin
ID: 24843787
On BOXB, make sure the .ssh directory has perms of 700 and authorized_keys has permissions of 644

0
 
 
LVL 30

Expert Comment

by:Kerem ERSOY
ID: 24844400
Hi,

When you set your $HOME/.ssh to 777 it will be "untrusted" for SSH, and no SSH key stored in this directory will succeed in authentication any longer. The permissions should be 600.

The same is true for the authenticated_keys. It should be at least 644, while I prefer 600.

You don't need these options in BOXB

RhostsRSAAuthentication yes
HostbasedAuthentication yes

The first is for RSA key usage over rhosts auth. The second is for hostname verification. You won't need them for SSH authentication. You won't need authorized_keys2 file.

For a thorough reading about SSH key authentication please check this out:
http://www.experts-exchange.com/articles/OS/Linux/SSH-access-using-public-key.html
0
 

Author Comment

by:Grant
ID: 24848580
Still no luck.  I did as Tintin and KeremE advised (thanks for the help!), and I read the article thoroughly but no luck.  I do have some confusion about the article - the very last sentence.  

On BOXA, I have id_dsa, id_dsa.pub.  On BOXB, I have authorized_keys (which was copied from id_dsa.pub).  Am I missing some files from either box?!?

Plz help!  Thanks guys!
0
 

Author Comment

by:Grant
ID: 24848648
KeremE and TinTin thank you for your information - I wasn't aware of the 777 issue.  

FYI - As of now, BOXA ./.ssh perms are 600.  authorized_keys perms are 644.  Can anyone else assist!?  Thank you!
0
 

Author Comment

by:Grant
ID: 24848993
Bumping to 500 points
0
 
LVL 30

Expert Comment

by:Kerem ERSOY
ID: 24849177
Hi,

Remove all these lines from your config and restart both ssh servers and retry please:

Added these lines to BOXA, /etc/ssh/ssh_config
  HostbasedAuthentication yes
  EnableSSHKeysign yes

Added these lines to BOXB, /etc/ssh/sshd_config
  RhostsRSAAuthentication yes
  HostbasedAuthentication yes

0
 
LVL 30

Accepted Solution

by:
Kerem ERSOY earned 500 total points
ID: 24849239
Hi,

There's another problem with your settings. The previous trace showed that:

debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type 2

you did not have any line such as :
debug1: loaded 3 keys

So it seems that the server BOXA can not access any of your keys especially your private key. You'd better check for BOXA .ssh and key file permissions too.

Please set all to 600

Then copy your id_dsa at host a to identity and make sure that it is set to 600 by permissions and retry.

The last sentence in the article is not confusing. It is assuming that you create the key over the target system. It is just suggesting you to remove id_dsa and id_dsa.pub and just leave authorized_keys there.
This might be a good idea for your systems too.

0
 
LVL 30

Expert Comment

by:Kerem ERSOY
ID: 24849252
BTW your OpenSSH and OpenSSL versions are outdated. Please consider updating them to the latest version. The version you use has several security loopholes.
0
 
LVL 48

Expert Comment

by:Tintin
ID: 24853757
You've set the wrong permissions on .ssh directory.  It should be 700 and not 600.
0
 

Author Comment

by:Grant
ID: 24881213
Someone else apparently stepped in and resolved it about 10 minutes after I was fooling with it, so I can't guarantee this was the fix but I believe it was close enough to work. Thanks for everyone's help.
0
