Solved

AIX, SSH Key Exchange

Posted on 2011-09-22
11
2,411 Views
Last Modified: 2012-06-27
Hello,

I am trying to connect from my Ubuntu to my AIX box using ssh-key exchange to avoid having to authenticate. However, I am having trouble and keep getting a password prompt no matter what I try to avoid it.

My steps:

- On my Ubuntu box, I have generated a pair of keys using ssh-keygen -t rsa to get pub/private keys.
- SCP'ed the public key to AIX box, added it to authorized_keys in the .ssh folder of the user that I will be logging in as.
- On my Ubuntu box, I run the below as root:

ssh -l nagios -i /omd/sites/oppy/.ssh/id.rsa.nagios 172.16.4.14 OppyCheck.aix

I would be expecting to login as user "nagios" on the remote box, however it asks for a password prompt. The pub/priv key was generated under the user nagios. I have tried generating it from the AIX box, and moving the private key to the Ubuntu box, no go.

Am I doing something wrong? I have this working successfully on my RHEL and VMWare linux boxes.

I looked on my AIX box the /etc/ssh/sshd_config and I see:

PubkeyAuthentication yes
AuthorizedKeysFile      ~/.ssh/authorized_keys

Back on AIX, I can see in /var/log/secure..

Sep 22 20:47:45 van-xxxx auth|security:info sshd[33882244]: Failed password for nagios from 172.xx.x.xxx port 42272 ssh2

Any idea why this is not working?

Permissions list:


Ubuntu BOX
root@van-nagios-vm:/omd/sites/oppy/.ssh# ls -l
total 20
-r--r----- 1 root root  397 2011-09-22 20:36 id.rsa.nagios
-rw-r--r-- 1 oppy oppy  400 2011-09-22 08:13 id.rsa.pub.root
-rw------- 1 oppy oppy 1675 2011-09-22 08:13 id.rsa.root
-rw-r--r-- 1 oppy oppy 6776 2011-09-22 19:20 known_hosts

AIX BOX:

# ls -l
Directory:
drwx------    2 nagios   usr             256 Sep 22 20:37 .ssh
Files:
-r--r-----    1 nagios   usr            1679 Sep 22 20:37 authorized_keys
-rw-------    1 nagios   usr            1679 Sep 22 20:35 id_rsa
-rw-r--r--    1 nagios   usr             397 Sep 22 20:35 id_rsa.pub
-rw-r--r--    1 nagios   usr             394 Sep 22 20:36 known_hosts
Question by:mirde

11 Comments
LVL 21

Expert Comment

by:Papertrip
ID: 36584985
Judging by the file size of id.rsa.nagios, it is a public key.  ssh -i needs a private key.

     -i identity_file
             Selects a file from which the identity (private key) for RSA or DSA authentication is read.  The default is
             ~/.ssh/identity for protocol version 1, and ~/.ssh/id_rsa and ~/.ssh/id_dsa for protocol version 2.  Identity
             files may also be specified on a per-host basis in the configuration file.  It is possible to have multiple -i
             options (and multiple identities specified in configuration files).


0
 

Author Comment

by:mirde
ID: 36585071
I went back to confirm...


root@van-nagios-vm:/omd/sites/oppy/.ssh# pwd
/omd/sites/oppy/.ssh
root@van-nagios-vm:/omd/sites/oppy/.ssh# ls -l
total 20
-r--r--r-- 1 nagios nagios 1679 2011-09-22 21:36 id.rsa.nagios
-rw-r--r-- 1 oppy   oppy    400 2011-09-22 08:13 id.rsa.pub.root
-rw------- 1 oppy   oppy   1675 2011-09-22 08:13 id.rsa.root
-rw-r--r-- 1 oppy   oppy   6776 2011-09-22 19:20 known_hosts
root@van-nagios-vm:/omd/sites/oppy/.ssh# ssh -l nagios -i id.rsa.nagios van-oppy
nagios@van-oppy's password:
Permission denied, please try again.
nagios@van-oppy's password:

root@van-nagios-vm:/omd/sites/oppy/.ssh#



I am now using the private key from the Ubuntu box connecting to Oppy (AIX) as user Nagios.

In /home/nagios/.ssh on AIX box I have an authorized_keys file with:

# cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9BQzxxxxxxxxxxxxxxxxxxxxxg7IMzGSRCY0eR1C3TmzW8opSI6M+/bS6lojhjO721zUBgTl1jH4jSLRz0Tgp1ye6cCTV0xT8uMEA9APGRTJF+Mv6CNCz4qpR4ct7LYFv1xc+Jexa9zBYMRadfihYcxxxxxxxxxxxxxxxxxxxxxX8+fcZij2Dxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx+DIfVn9cPQlhWEmjAB8PxxxxxxxxxxxxxxxxxxxxxxxxaOKCjjOFUNH4DAOqTpK+8hkOgbxGdFMN0+SNZhNGeHQQE7VjqAVBFDfYsV8nmcNmkSbDUzE6eocs6ZW+d9MQdAqJ9e9lvn5 nagios@van-nagios-vm


On my Nagios (Ubuntu) box I have..


OMD[oppy]:~/.ssh$ ls -l
total 24
-r--r--r-- 1 nagios nagios 1679 2011-09-22 21:44 id.rsa.nagios
-r--r--r-- 1 nagios nagios  402 2011-09-22 21:44 id.rsa.pub.nagios
-rw-r--r-- 1 oppy   oppy    400 2011-09-22 08:13 id.rsa.pub.root
-rw------- 1 oppy   oppy   1675 2011-09-22 08:13 id.rsa.root
-rw-r--r-- 1 oppy   oppy   6776 2011-09-22 19:20 known_hosts


I am using id.rsa.nagios to authenticate, which is the private key, but it is still failing.. Any help?
0
 
LVL 21

Expert Comment

by:Papertrip
ID: 36585084
That definitely is a step in the right direction :)

Curious, have you tried to ssh -i as user nagios instead of root?
0
 

Author Comment

by:mirde
ID: 36586578
I have now and I think we got just a little closer..


nagios@van-nagios-vm:/omd/sites/oppy/.ssh$ ssh -l nagios -i id.rsa.nagios van-oppy
The authenticity of host 'van-oppy (172.16.4.14)' can't be established.
RSA key fingerprint is 32:e6:34:18:20:4a:88:07:05:41:3a:45:5b:2b:aa:6a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'van-oppy,172.16.4.14' (RSA) to the list of known hosts.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0444 for 'id.rsa.nagios' are too open.
It is recommended that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: id.rsa.nagios
nagios@van-oppy's password:


What CHMOD should I have on my id.rsa.nagios? It is saying that 440 is too open.

I tried...

nagios@van-nagios-vm:/omd/sites/oppy/.ssh$ chmod 400 id.rsa.nagios
nagios@van-nagios-vm:/omd/sites/oppy/.ssh$ ssh -l nagios -i id.rsa.nagios van-oppy
nagios@van-oppy's password:


But I get back to the password prompt...
0
 
LVL 9

Expert Comment

by:parparov
ID: 36588312
chmod 600 for ALL files in .ssh directories on both server and client.
0
 

Author Comment

by:mirde
ID: 36596516
How about the .ssh directory itself, what CHMOD should that be set to?

I tried 600, but then I did a test case, logging into the box under the user, and I am unable to get to .ssh with those chmods.
0
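The modes the last few comments are circling around, as an added example that is not code from the original thread: a small POSIX sh audit of the home directory, .ssh, authorized_keys and any private key against the rules OpenSSH actually enforces. The client refuses a private key that group or others can read (the "UNPROTECTED PRIVATE KEY FILE" warning shown above), and sshd's StrictModes refuses a home, .ssh or authorized_keys that is group- or other-writable. A .ssh of 600 passes the "too open" test but is unusable, because the owner cannot enter a directory without its execute bit, which is exactly the symptom described in the previous comment; the audit flags that case separately. The script assumes a GNU or BSD stat(1); the sample layout it builds with --demo is constructed (placeholder key text, file names borrowed from the thread) and adds a group-writable authorized_keys that the thread does not have.

```shell
#!/bin/sh
# ssh_perm_audit.sh: audit the file modes that break OpenSSH public-key
# authentication. Added example for the thread above, not code from the
# original post. Assumes GNU stat (-c) or BSD stat (-f).

# Print the octal permission bits of a path (GNU stat first, BSD fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# report_if_set PATH FORBIDDEN_BITS MESSAGE
# Returns 1 (and prints MESSAGE) if any FORBIDDEN_BITS (octal) is set on PATH.
report_if_set() {
    m=$(mode_of "$1")
    if [ $(( 0$m & 0$2 )) -ne 0 ]; then
        echo "FINDING: $1 (mode $m): $3"; return 1
    fi
    return 0
}

# report_if_clear PATH REQUIRED_BITS MESSAGE
# Returns 1 (and prints MESSAGE) if none of REQUIRED_BITS is set on PATH.
report_if_clear() {
    m=$(mode_of "$1")
    if [ $(( 0$m & 0$2 )) -eq 0 ]; then
        echo "FINDING: $1 (mode $m): $3"; return 1
    fi
    return 0
}

# audit_ssh_home HOME_DIR
# Checks HOME_DIR, HOME_DIR/.ssh and its contents. The exit status is the
# number of findings, so 0 means the layout is acceptable for key auth.
audit_ssh_home() {
    home=$1; sshdir=$home/.ssh; n=0
    report_if_set "$home" 022 "home is group/other writable; sshd StrictModes rejects it" || n=$((n+1))
    [ -d "$sshdir" ] || { echo "FINDING: $sshdir is missing"; return 1; }
    report_if_set "$sshdir" 077 ".ssh is readable/writable by others; use 700" || n=$((n+1))
    report_if_clear "$sshdir" 0100 ".ssh has no owner execute bit, so the owner cannot enter it (600 is unusable, use 700)" || n=$((n+1))
    for f in "$sshdir"/*; do
        [ -f "$f" ] || continue
        case $(basename "$f") in
            authorized_keys)
                report_if_set "$f" 022 "authorized_keys is group/other writable; StrictModes rejects it" || n=$((n+1)) ;;
            *.pub|known_hosts)
                report_if_set "$f" 022 "should not be group/other writable" || n=$((n+1)) ;;
            *)
                # Any other file carrying a PEM private-key header is a private
                # key regardless of its name (the thread uses id.rsa.nagios).
                if grep -q 'PRIVATE KEY' "$f" 2>/dev/null; then
                    report_if_set "$f" 077 "private key readable by others; ssh ignores it (use 600)" || n=$((n+1))
                fi ;;
        esac
    done
    return "$n"
}

# make_sample_layout DIR: constructed layout (placeholder key text, not real
# keys) with the 0444 private key from the thread plus a group-writable
# authorized_keys, so the audit has two findings to report.
make_sample_layout() {
    mkdir -p "$1/.ssh"
    printf -- '-----BEGIN RSA PRIVATE KEY-----\nconstructed placeholder, not a key\n-----END RSA PRIVATE KEY-----\n' > "$1/.ssh/id.rsa.nagios"
    printf 'ssh-rsa AAAAconstructedplaceholder nagios@van-nagios-vm\n' > "$1/.ssh/id.rsa.pub.nagios"
    cp "$1/.ssh/id.rsa.pub.nagios" "$1/.ssh/authorized_keys"
    chmod 755 "$1"; chmod 700 "$1/.ssh"
    chmod 444 "$1/.ssh/id.rsa.nagios"; chmod 644 "$1/.ssh/id.rsa.pub.nagios"
    chmod 664 "$1/.ssh/authorized_keys"
}

case ${1:-} in
    --demo) d=$(mktemp -d); make_sample_layout "$d"
            audit_ssh_home "$d"; echo "exit status (findings): $?"; rm -rf "$d" ;;
    "")     ;;                       # no argument: only define the functions
    *)      audit_ssh_home "$1" ;;   # e.g. sh ssh_perm_audit.sh /home/nagios
esac
```

Run it on both ends of the connection (`sh ssh_perm_audit.sh /home/nagios` on the AIX side for the server rules, and on the client's home for the private-key rule); a non-zero exit status is the count of things to chmod.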
 

Author Comment

by:mirde
ID: 36596565
So I blew away .ssh and any keys I generated and tried again.. same error :( -v from ssh, for debug:

root@van-nagios-vm:/omd/sites/oppy# ssh van-oppy -l nagios -i /omd/sites/oppy/.ssh/id_rsa.nagios -v
OpenSSH_5.8p1 Debian-1ubuntu3, OpenSSL 0.9.8o 01 Jun 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to van-oppy [172.16.4.14] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /omd/sites/oppy/.ssh/id_rsa.nagios type -1
debug1: identity file /omd/sites/oppy/.ssh/id_rsa.nagios-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.4
debug1: match: OpenSSH_5.4 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.8p1 Debian-1ubuntu3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA 32:e6:34:18:20:4a:88:07:05:41:3a:45:5b:2b:aa:6a
debug1: Host 'van-oppy' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:3
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /omd/sites/oppy/.ssh/id_rsa.nagios
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password
nagios@van-oppy's password:
debug1: Authentications that can continue: publickey,password,keyboard-interactive
Permission denied, please try again.
nagios@van-oppy's password:
debug1: Authentications that can continue: publickey,password,keyboard-interactive
Permission denied, please try again.
nagios@van-oppy's password:
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: No more authentication methods to try.
Permission denied (publickey,password,keyboard-interactive).
root@van-nagios-vm:/omd/sites/oppy#



It sees my SSH file, does not come back with an error but a password prompt.. why?

debug1: Trying private key: /omd/sites/oppy/.ssh/id_rsa.nagios
debug1: read PEM private key done: type RSA
0
 

Author Comment

by:mirde
ID: 36596570
Also, over on my AIX box.. I am trying to login as the user "nagios".. here are its properties..

# lsuser nagios
nagios id=883 pgrp=usr groups=usr home=/home/nagios shell=/usr/bin/ksh gecos=System Monitor login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=files SYSTEM=compat logintimes= loginretries=0 pwdwarntime=0 account_locked=false minage=0 maxage=0 maxexpired=-1 minalpha=0 minloweralpha=0 minupperalpha=0 minother=0 mindigit=0 minspecialchar=0 mindiff=0 maxrepeats=8 minlen=0 histexpire=0 histsize=0 pwdchecks= dictionlist= default_roles= fsize=-1 cpu=-1 data=262144 stack=65536 core=2097151 rss=65536 nofiles=2000 time_last_login=1316996130 time_last_unsuccessful_login=1316996747 tty_last_login=ssh tty_last_unsuccessful_login=ssh host_last_login=172.16.4.200 host_last_unsuccessful_login=172.16.4.200 unsuccessful_login_count=9 roles=


0
 
LVL 21

Expert Comment

by:Papertrip
ID: 36596908
I don't know why it's talking about private key in the debug output instead of offering your public key to the remote server.

Are you able to ssh as user nagios to the AIX box with normal password auth, as opposed to ssh'ing as root using -l & -i ?
What about that same test with having the "normal" keys in ~nagios and not using -l & -i ?

Aside from that,
Need ls -l of .ssh on both servers
sshd_config of remote server wouldn't hurt.
Any log entries on the remote server pertaining to these failures.

Need to eliminate variables and start with the basics, then add complexity along the way.
0
 
LVL 21

Accepted Solution

by:
Papertrip earned 500 total points
ID: 36596912
Also ssh -vvv will show you some important info that debug1 will not.
0
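Reading the `-v` transcript mechanically, as an added example that is not from the original thread: the OpenSSH client prints "Trying private key" when it could not preload a public key for the identity (the `identity file ... type -1` lines in the transcript above) and signs with the private key directly; when the server's next answer is another "Authentications that can continue" with no "Authentication succeeded (publickey)", the key was sent and declined, which points at the server side (authorized_keys contents, .ssh and home modes under StrictModes, sshd's own log) rather than at the client. When the client itself drops the key for bad permissions, no "Trying"/"Offering" line appears at all. The sh/awk classifier below turns a saved transcript into one of those verdicts; `-vvv` adds debug2/debug3 lines that the classifier simply ignores, so it works on either. The sample transcripts are constructed from the lines shown in this thread, and the message patterns are those of OpenSSH 5.x-era clients.

```shell
#!/bin/sh
# ssh_debug_triage.sh: classify an `ssh -v` transcript into one verdict.
# Added example for the thread above; not code from the original post.
# Message patterns are those printed by OpenSSH 5.x-era clients.

# classify_ssh_debug: reads a transcript on stdin, prints VERDICT: explanation.
classify_ssh_debug() {
    awk '
        /bad permissions: ignore key/                  { ignored = 1 }
        /Trying private key|Offering .*public key/     { tried = 1; pending = 1; next }
        /Authentication succeeded \(publickey\)/       { ok = 1 }
        /Authentications that can continue/ && pending { rejected = 1; pending = 0 }
        END {
            if (ok)            print "ACCEPTED: server accepted the offered key"
            else if (ignored)  print "CLIENT_IGNORED_KEY: private key mode too open, client never sent it; chmod 600 the key"
            else if (rejected) print "SERVER_REJECTED_KEY: key was sent and refused; check authorized_keys, .ssh and home modes on the server and its sshd log"
            else if (!tried)   print "KEY_NOT_TRIED: client never used the identity; check the -i path and that it is a private key"
            else               print "INCONCLUSIVE: key sent but no server answer captured"
        }'
}

# Verdict keyword only, for scripting around the classifier.
verdict() { classify_ssh_debug | sed 's/:.*//'; }

# Constructed transcripts, abridged from the lines shown in the thread.
rejected_sample() {
    printf '%s\n' \
      'debug1: Authentications that can continue: publickey,password,keyboard-interactive' \
      'debug1: Next authentication method: publickey' \
      'debug1: Trying private key: /omd/sites/oppy/.ssh/id_rsa.nagios' \
      'debug1: read PEM private key done: type RSA' \
      'debug1: Authentications that can continue: publickey,password,keyboard-interactive' \
      'debug1: Next authentication method: password'
}

ignored_sample() {
    printf '%s\n' \
      "Permissions 0444 for 'id.rsa.nagios' are too open." \
      'bad permissions: ignore key: id.rsa.nagios' \
      'debug1: Authentications that can continue: publickey,password,keyboard-interactive'
}

# Constructed success case (the thread never reaches this point).
accepted_sample() {
    printf '%s\n' \
      'debug1: Offering public key: /home/nagios/.ssh/id_rsa' \
      'debug1: Authentication succeeded (publickey).'
}

case ${1:-} in
    --demo) for s in rejected_sample ignored_sample accepted_sample; do
                printf '%-16s -> ' "$s"; $s | classify_ssh_debug
            done ;;
    -)      classify_ssh_debug ;;   # ssh -v -l nagios -i key host 2>&1 | sh ssh_debug_triage.sh -
esac
```

The client writes its debug output to stderr, hence the `2>&1` in the usage line; pairing the SERVER_REJECTED_KEY verdict with the server's "Failed password" line from /var/log/secure quoted in the question confirms that sshd never accepted the key and fell through to password auth.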
 

Author Closing Comment

by:mirde
ID: 36906412
Your suggestions solved my problem, it was basically a bunch of permission-related issues that were causing my key exchange to fail; more debugging helped.
0
