binadmin asked:
ssh key issue on Solaris 10

ssh key issue on Solaris 10... ssh key (rsa) works for local accounts... I can ssh from one Solaris 10 server to another with a password, but when I generate an rsa key for an ldap user and share it, it requests a password.

Generated the key like this and it generates successfully:

ssh-keygen -t rsa

perm on .ssh dir
drwx------   2 piy      conn    4096 Aug 22 16:01 .ssh
-rw-r--r--   1 piy      conn    1450 Aug 22 16:03 authorized_keys

This is the verbose output when going from Solaris to Solaris... it prompts for a password

.ssh_4 %ssh -v gser01
Sun_SSH_1.1, SSH protocols 1.5/2.0, OpenSSL 0x0090704f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to gser01 [] port 22.
debug1: Connection established.
debug1: identity file /home/piy/.ssh/identity type -1
debug1: identity file /home/piy/.ssh/id_rsa type 1
debug1: identity file /home/piy/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version Sun_SSH_1.1
debug1: no match: Sun_SSH_1.1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-Sun_SSH_1.1
debug1: Failed to acquire GSS-API credentials for any mechanisms (No credentials were supplied, or the credentials were unavailable or inaccessible
Unknown code 0
)
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: Peer sent proposed langtags, ctos: en-CA,en-US,es,es-MX,fr,fr-CA,i-default
debug1: Peer sent proposed langtags, stoc: en-CA,en-US,es,es-MX,fr,fr-CA,i-default
debug1: We proposed langtags, ctos: i-default
debug1: We proposed langtags, stoc: i-default
debug1: Negotiated lang: i-default
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: Remote: Negotiated main locale: C
debug1: Remote: Negotiated messages locale: C
debug1: dh_gen_key: priv key bits set: 137/256
debug1: bits set: 1553/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'gsera01' is known and matches the RSA host key.
debug1: Found key in /home/piy/.ssh/known_hosts:3
debug1: bits set: 1615/3191
debug1: ssh_rsa_verify: signature correct
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive
debug1: Next authentication method: gssapi-keyex
debug1: Next authentication method: gssapi-with-mic
debug1: Failed to acquire GSS-API credentials for any mechanisms (No credentials were supplied, or the credentials were unavailable or inaccessible
Unknown code 0
)
debug1: Next authentication method: publickey
debug1: Trying private key: /home/piy/.ssh/identity
debug1: Trying public key: /home/piy/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 277 lastkey 6cb88 hint 1
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive
debug1: Trying public key: /home/piy/.ssh/id_dsa
debug1: Server accepts key: pkalg ssh-dss blen 435 lastkey 6c9a8 hint 2
debug1: read PEM private key done: type DSA
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
Password:

It works when going from Solaris 10 to a Linux server using an ldap acct

Verbose output:

.ssh_6 %ssh -v x8serv
Sun_SSH_1.1, SSH protocols 1.5/2.0, OpenSSL 0x0090704f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to x8serv [] port 22.
debug1: Connection established.
debug1: identity file /home/piy/.ssh/identity type -1
debug1: identity file /home/piy/.ssh/id_rsa type 1
debug1: identity file /home/piy/.ssh/id_dsa type 2
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.4p1
debug1: match: OpenSSH_3.4p1 pat OpenSSH_3.2*,OpenSSH_3.3*,OpenSSH_3.4*,OpenSSH_3.5*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-Sun_SSH_1.1
debug1: Failed to acquire GSS-API credentials for any mechanisms (No credentials were supplied, or the credentials were unavailable or inaccessible
Unknown code 0
)
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: Peer sent proposed langtags, ctos:
debug1: Peer sent proposed langtags, stoc:
debug1: We proposed langtags, ctos: i-default
debug1: We proposed langtags, stoc: i-default
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 132/256
debug1: bits set: 1621/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'x8serv' is known and matches the RSA host key.
debug1: Found key in /home/piy/.ssh/known_hosts:1
debug1: bits set: 1606/3191
debug1: ssh_rsa_verify: signature correct
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /home/piy/.ssh/identity
debug1: Trying public key: /home/piy/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 277 lastkey 6cb88 hint 1
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey)
debug1: channel 0: new [client-session]
debug1: send channel open 0
debug1: Entering interactive session.
debug1: ssh_session2_setup: id 0
debug1: channel request 0: env
debug1: channel request 0: env
debug1: channel request 0: env
debug1: channel request 0: env
debug1: channel request 0: env
debug1: channel request 0: env
debug1: channel request 0: env
debug1: channel request 0: env
debug1: channel request 0: pty-req
debug1: channel request 0: shell
debug1: fd 4 setting TCP_NODELAY
debug1: channel 0: open confirm rwindow 0 rmax 32768
/home/piy_1 %


# cat /etc/ssh/sshd_config
#
# Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# ident "@(#)sshd_config        1.8     04/05/10 SMI"
#
# Configuration file for sshd(1m)

# Protocol versions supported
#
# The sshd shipped in this release of Solaris has support for major versions
# 1 and 2.  It is recommended due to security weaknesses in the v1 protocol
# that sites run only v2 if possible. Support for v1 is provided to help sites
# with existing ssh v1 clients/servers to transition.
# Support for v1 may not be available in a future release of Solaris.
#
# To enable support for v1 an RSA1 key must be created with ssh-keygen(1).
# RSA and DSA keys for protocol v2 are created by /etc/init.d/sshd if they
# do not already exist, RSA1 keys for protocol v1 are not automatically created.

# Uncomment ONLY ONE of the following Protocol statements.

# Only v2 (recommended)
Protocol 2

# Both v1 and v2 (not recommended)
#Protocol 2,1

# Only v1 (not recommended)
#Protocol 1

# Listen port (the IANA registered port number for ssh is 22)
#Port 22

# The default listen address is all interfaces, this may need to be changed
# if you wish to restrict the interfaces sshd listens on for a multi homed host.
# Multiple ListenAddress entries are allowed.

# IPv4 only
#ListenAddress 0.0.0.0
# IPv4 & IPv6
ListenAddress ::

# Port forwarding
AllowTcpForwarding no

# If port forwarding is enabled, specify if the server can bind to INADDR_ANY.
# This allows the local port forwarding to work when connections are received
# from any remote host.
GatewayPorts no

# X11 tunneling options
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes

# The maximum number of concurrent unauthenticated connections to sshd.
# start:rate:full see sshd(1) for more information.
# The default is 10 unauthenticated clients.
#MaxStartups 10:30:60

# Banner to be printed before authentication starts.
Banner /etc/issue

# Should sshd print the /etc/motd file and check for mail.
# On Solaris it is assumed that the login shell will do these (eg /etc/profile).
PrintMotd no

# KeepAlive specifies whether keep alive messages are sent to the client.
# See sshd(1) for detailed description of what this means.
# Note that the client may also be sending keep alive messages to the server.
KeepAlive yes

# Syslog facility and level
SyslogFacility auth
LogLevel info

#
# Authentication configuration
#

# Host private key files
# Must be on a local disk and readable only by the root user (root:sys 600).
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key

# Default Encryption algorithms and Message Authentication codes
#Ciphers        aes128-ctr,aes128-cbc,arcfour,3des-cbc,blowfish-cbc
#MACS   hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96

# Length of the server key
# Default 768, Minimum 512
ServerKeyBits 768

# sshd regenerates the key every KeyRegenerationInterval seconds.
# The key is never stored anywhere except the memory of sshd.
# The default is 1 hour (3600 seconds).
KeyRegenerationInterval 3600

# Ensure secure permissions on users .ssh directory.
StrictModes yes

# Length of time in seconds before a client that hasn't completed
# authentication is disconnected.
# Default is 600 seconds. 0 means no time limit.
LoginGraceTime 600

# Maximum number of retries for authentication
# Default is 6. Default (if unset) for MaxAuthTriesLog is MaxAuthTries / 2
MaxAuthTries    6
MaxAuthTriesLog 3

# Are logins to accounts with empty passwords allowed.
# If PermitEmptyPasswords is no, pass PAM_DISALLOW_NULL_AUTHTOK
# to pam_authenticate(3PAM).
PermitEmptyPasswords no

# To disable tunneled clear text passwords, change PasswordAuthentication to no.
PasswordAuthentication yes

# Use PAM via keyboard interactive method for authentication.
# Depending on the setup of pam.conf(4) this may allow tunneled clear text
# passwords even when PasswordAuthentication is set to no. This is dependent
# on what the individual modules request and is out of the control of sshd
# or the protocol.
PAMAuthenticationViaKBDInt yes

# Are root logins permitted using sshd.
# Note that sshd uses pam_authenticate(3PAM) so the root (or any other) user
# maybe denied access by a PAM module regardless of this setting.
# Valid options are yes, without-password, no.
PermitRootLogin no

# sftp subsystem
Subsystem       sftp    /usr/lib/ssh/sftp-server


# SSH protocol v1 specific options
#
# The following options only apply to the v1 protocol and provide
# some form of backwards compatibility with the very weak security
# of /usr/bin/rsh.  Their use is not recommended and the functionality
# will be removed when support for v1 protocol is removed.

# Should sshd use .rhosts and .shosts for password less authentication.
IgnoreRhosts yes
RhostsAuthentication no

# Rhosts RSA Authentication
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts.
# If the user on the client side is not root then this won't work on
# Solaris since /usr/bin/ssh is not installed setuid.
RhostsRSAAuthentication no

# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication.
#IgnoreUserKnownHosts yes

# Is pure RSA authentication allowed.
# Default is yes
RSAAuthentication yes
#



Any suggestions?

Thnx!
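The two transcripts above differ at one point: on both hosts sshd answers "Server accepts key" for id_rsa, but only the Linux host goes on to "Authentication succeeded (publickey)"; the Solaris host instead replies with another "Authentications that can continue" and falls through to keyboard-interactive. The following is an added example (not code from the thread) that triages an `ssh -v` transcript by that distinction; the excerpts are constructed from the lines quoted in the question, and the stage names and advice strings are my own.

```python
"""Triage an `ssh -v` transcript: did the server reject the key, or the account?"""
import re

# Constructed excerpts modelled on the two transcripts quoted in the question.
SOLARIS_PROMPTS_PASSWORD = """\
debug1: Next authentication method: publickey
debug1: Trying private key: /home/piy/.ssh/identity
debug1: Trying public key: /home/piy/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 277 lastkey 6cb88 hint 1
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
Password:
"""
LINUX_SUCCEEDS = """\
debug1: Next authentication method: publickey
debug1: Trying public key: /home/piy/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 277 lastkey 6cb88 hint 1
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey)
"""

# What each stage means for whoever is reading the log (assumed wording, not from the page).
ADVICE = {
    "succeeded": "public-key auth completed.",
    "accepted-then-rejected": "server matched the key in authorized_keys, then refused the "
        "signed response: check the account on the server (shadow/LDAP password state, PAM, "
        "StrictModes permissions), not the key.",
    "not-accepted": "no 'Server accepts key': the public key is not in authorized_keys or "
        "sshd cannot read it (permissions, wrong home directory).",
    "not-tried": "client never offered a key: check ssh_config/IdentityFile.",
}

def triage(transcript: str) -> dict:
    """Return the stage where publickey auth stopped, plus the keys offered/accepted."""
    offered, accepted = [], []
    stage, pending = "not-tried", None
    for line in transcript.splitlines():
        if m := re.search(r"Trying (?:public|private) key: (\S+)", line):
            offered.append(m.group(1))
            stage = "not-accepted" if stage == "not-tried" else stage
        elif m := re.search(r"Server accepts key: pkalg (\S+)", line):
            accepted.append(m.group(1))
            pending = m.group(1)  # the client now sends a signature with this key
        elif "Authentication succeeded (publickey)" in line:
            stage = "succeeded"
            break
        elif pending and "Authentications that can continue" in line:
            stage = "accepted-then-rejected"  # server moved on after the signed response
            pending = None
    return {"stage": stage, "offered": offered, "accepted": accepted, "advice": ADVICE[stage]}

if __name__ == "__main__":
    for name, t in (("solaris", SOLARIS_PROMPTS_PASSWORD), ("linux", LINUX_SUCCEEDS)):
        r = triage(t)
        print(f"{name}: {r['stage']} -> {r['advice']}")
```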
gheist

It asks to unlock the dsa key with a password.
You must put the public key in the authorized_keys file
binadmin (ASKER)
The key is in the authorized_keys file
rw-r--r--   1 piy      conn    1450 Aug 22 16:03 authorized_keys
Do you put the public key that was generated from the ssh-keygen command?
Yes.. I ran ssh-keygen -t rsa
Also tried ssh-keygen -t dsa
The key was generated and I copied it to the user's homedir ~/.ssh file
The process of creating the key and copying it to the authorized_keys file in the user's homedir is fine, because a local user can ssh between two Solaris 10 servers without entering a password. And it works as expected on Linux systems. However, the ssh key does not work for openldap accounts on Solaris 10/08.... The openldap server is on a rhel5. They can ssh successfully and enter their ldap password, no problem with that, but when an ssh key is generated somehow it still requests a password.

I'm thinking maybe there is something missing from the pam configuration to allow an ldap password or ssh public/private key for ldap accounts, so I'm looking to see if anyone has seen this issue and has a suggestion on what line to add to the pam configuration if that is the fix..

Any suggestion is welcome... Thnx!
You are being asked for a password on the second private key.
Looks like it reads both keys correctly and then prompts for a password..... It still prompted for a password even when I deleted all the other keys in the user homedir.....

The ssh key works successfully without entering a passwd for a local account.. only the ldap account has this issue.

I came across this link and I think it is very close to what I am experiencing..
http://www.semicomplete.com/blog/geekery/solaris-10-sshd-publickey-solution.html

This line explains why I don't have to specify sshd_pubkey in the pam configuration:
That doesn't appear to be needed on the Solaris 10 box I've just banged my head on, as its /etc/pam.conf already contains the generic line with "other", that should act as a catch-all for services that aren't listed (including ssh-pubkey of course):

However, when I added the suggested fix to my pam.conf file it didn't work
sshd-pubkey    auth required           pam_unix_cred.so.1

So, because the ssh key is working for ldap users on Linux, I compared the Linux /etc/nsswitch.conf to Solaris 10 and the only difference I saw is that there is no reference to shadow

Solaris 10:
# the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
passwd:     files ldap
group:      files ldap


Linux:
passwd:     files ldap
group:      files ldap
shadow:     files ldap

Looking at this link again, especially the two comments below from the link
http://www.semicomplete.com/blog/geekery/solaris-10-sshd-publickey-solution.html

Comment:
My problem (with your exact symptoms above) was due to having created the UNIX user without setting a password for it. Once I initialized its password with the 'passwd' command, the apparently-fine ssh setup finally began to work.

Ady McClure wrote at Tue Jan 23 03:14:53 2007...
I had this issues as a result of not having a password set, more specifically having the password field set to :LK: in the shadow file.  Setting a password or changing the password field to :NP: resolved the issue.

It seems that in later versions of Solaris :LK: causes the account to be treated as if it were disabled.

dmangot wrote at Thu Jul 12 17:14:15 2007...
Thanks Ady, you saved my day.  I was missing the account from /etc/shadow.  Running pwconv fixed me right up.


The ldap accts in my case were not created on the Solaris 10 system so I'm wondering if that could be my issue..

Any thoughts?
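The quoted comments blame two server-side account states rather than the key itself: a user with no entry in the shadow source (fixed there with pwconv) and a password field set to LK / *LK*, which sshd and PAM treat as a disabled account. As an added example (not code from the thread or the linked post), a small audit over passwd/shadow-style entries that flags exactly those two states; the sample entries, names and hash are constructed placeholders.

```python
"""Flag the account states the thread's last post points at: missing shadow entry, or locked."""

# Constructed sample entries (not from the page); the hash is a placeholder.
PASSWD_LINES = [
    "root:x:0:0:Super-User:/:/sbin/sh",
    "piy:x:1001:100:LDAP user:/home/piy:/bin/csh",
    "svc:x:1002:100:service:/home/svc:/bin/sh",
    "nopw:x:1003:100:np user:/home/nopw:/bin/sh",
]
SHADOW_LINES = [
    "root:$placeholderhash$:15000::::::",
    "svc:*LK*:15000::::::",   # locked account (what passwd -l writes on Solaris)
    "nopw:NP:15000::::::",    # no password required, but not locked
    # deliberately no entry for 'piy', the state dmangot's comment describes
]

def password_state(field: str) -> str:
    """Classify a shadow password field the way the quoted comments describe it."""
    if field.startswith("*LK*") or field == "LK":
        return "locked"
    if field == "NP":
        return "no-password"
    if field == "":
        return "empty"
    return "hashed"

def audit(passwd_lines, shadow_lines) -> dict:
    """Map every passwd user to its shadow state; 'missing' is the pwconv case."""
    shadow = {}
    for line in shadow_lines:
        name, field = line.split(":")[:2]
        shadow[name] = password_state(field)
    return {line.split(":")[0]: shadow.get(line.split(":")[0], "missing")
            for line in passwd_lines}

# Per the comments quoted above, these states block key logins even with a correct authorized_keys.
BLOCKS_PUBKEY = {"locked", "missing"}

def blocked_users(passwd_lines, shadow_lines) -> list:
    """Users whose account state, not their key, explains a password prompt."""
    states = audit(passwd_lines, shadow_lines)
    return sorted(u for u, s in states.items() if s in BLOCKS_PUBKEY)

if __name__ == "__main__":
    for user, state in audit(PASSWD_LINES, SHADOW_LINES).items():
        print(f"{user:6} {state}")
    print("would be refused despite a valid key:", blocked_users(PASSWD_LINES, SHADOW_LINES))
```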
 
ASKER CERTIFIED SOLUTION
binadmin

Resolved.