Solved

password less ssh working but scp not working from rhel to solaris and vice versa

Posted on 2013-12-05
14
1,441 Views
Last Modified: 2014-01-28
Hi all,

I am able to do paswordless login from Sun server 5.1 to rhel 5 - but i am not able to scp from sun to redhat or vice versa .

I have checked all but still not working .

please help me - it gives permission issues..

I have tried 3 or 4 folders having root owner .

strange thing regular user apart form root works fine only root not working.

pls help
0
Comment
Question by:apunkabollywood
  • 7
  • 4
  • 2
  • +1
14 Comments
 
LVL 19

Expert Comment

by:xterm
Comment Utility
Please paste the exact scp command you are using and the exact error you get.
0
 
LVL 6

Expert Comment

by:xeroxzerox
Comment Utility
run this cmd in terminal
#mount -o rw /

And do it again if you again face error then paste here.
0
 

Author Comment

by:apunkabollywood
Comment Utility
Hi Xterm , I have tried all combination like scp filename root@clienthostname/tmp   or scp root@hostname:/tmp/filename root@clienthostname:/tmp

but same issue.

Please keep in mind -
- We are scp from Sun solaris to rhel .
- we are able to do pasword less ssh login from solaris to rhel only via hostname.
- From IP passwordless not working
- from rhel to solaris password less and scp both not working
- if we create some test user then scp is working.

@ Xerox - do you want me to run at solaris or rhel machine?
0
 

Author Comment

by:apunkabollywood
Comment Utility
Look at this : on solaris box

scp -v /root/pctest/pctest root@redhathotname:/root/pctest/
Executing: program /usr/bin/ssh host redhathostname, user root, command scp -v -t /root/pctest/
Sun_SSH_1.1, SSH protocols 1.5/2.0, OpenSSL 0x0090704f
debug1: Reading configuration data /root/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to redhathostname [redhatboxIP] port 22.
debug1: Connection established.
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type 1
debug1: identity file /root/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-Sun_SSH_1.1
debug1: Failed to acquire GSS-API credentials for any mechanisms (No credentials were supplied, or the credentials were unavailable or inaccessible
Unknown code 0
)
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: Peer sent proposed langtags, ctos:
debug1: Peer sent proposed langtags, stoc:
debug1: We proposed langtags, ctos: i-default
debug1: We proposed langtags, stoc: i-default
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 135/256
debug1: bits set: 1032/2048
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'redhathostname' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:1768
debug1: bits set: 1037/2048
debug1: ssh_rsa_verify: signature correct
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: got SSH2_MSG_SERVICE_ACCEPT

Using keyboard-interactive authentication.


debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Failed to acquire GSS-API credentials for any mechanisms (No credentials were supplied, or the credentials were unavailable or inaccessible
Unknown code 0
)
debug1: Next authentication method: publickey
debug1: Offering agent key: /var/gat/idd
debug1: Server accepts key: pkalg ssh-dss blen 434 lastkey 6e0b8 hint -1
debug1: Authentication succeeded (publickey)
debug1: fd 5 setting O_NONBLOCK
debug1: fd 6 setting O_NONBLOCK
debug1: channel 0: new [client-session]
debug1: send channel open 0
debug1: Entering interactive session.
debug1: ssh_session2_setup: id 0
debug1: Sending command: scp -v -t /root/pctest/
debug1: channel request 0: exec
debug1: channel 0: open confirm rwindow 0 rmax 32768
#############################################
root@solarishostname # debug1: channel 0: read<=0 rfd 5 len 0
debug1: channel 0: read failed
debug1: channel 0: close_read
debug1: channel 0: input open -> drain
debug1: channel 0: ibuf empty
debug1: channel 0: send eof
debug1: channel 0: input drain -> closed
debug1: channel 0: write failed
debug1: channel 0: close_write
debug1: channel 0: output open -> closed
debug1: channel 0: rcvd eof
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: rcvd close
debug1: channel 0: almost dead
debug1: channel 0: gc: notify user
debug1: channel 0: gc: user detached
debug1: channel 0: send close
debug1: channel 0: is dead
debug1: channel 0: garbage collecting
debug1: channel_free: channel 0: client-session, nchannels 1
debug1: fd 0 clearing O_NONBLOCK
debug1: fd 1 clearing O_NONBLOCK
debug1: Transferred: stdin 0, stdout 0, stderr 0 bytes in 0.2 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0
debug1: Exit status 0
0
 

Author Comment

by:apunkabollywood
Comment Utility
Solaris box sshd_config
==================

# Syslog facility and level
SyslogFacility auth
LogLevel info

# Protocol versions supported
#
# The sshd shipped in this release of Solaris has support for major versions
# 1 and 2.  It is recommended due to security weaknesses in the v1 protocol
# that sites run only v2 if possible. Support for v1 is provided to help sites
# with existing ssh v1 clients/servers to transition.
# Support for v1 may not be available in a future release of Solaris.
#
# To enable support for v1 an RSA1 key must be created with ssh-keygen(1).
# RSA and DSA keys for protocol v2 are created by /etc/init.d/sshd if they
# do not already exist, RSA1 keys for protocol v1 are not automatically created.

# Uncomment ONLY ONE of the following Protocol statements.

# Only v2 (recommended)
#Protocol 2

# Both v1 and v2 (not recommended)
Protocol 2,1

# Only v1 (not recommended)
#Protocol 1

# Listen port (the IANA registered port number for ssh is 22)
Port 22

# The default listen address is all interfaces, this may need to be changed
# if you wish to restrict the interfaces sshd listens on for a multi homed host.
# Multiple ListenAddress entries are allowed.

# IPv4 only
#ListenAddress 0.0.0.0
# IPv4 & IPv6
ListenAddress ::

# Port forwarding
AllowTcpForwarding yes

# If port forwarding is enabled, specify if the server can bind to INADDR_ANY.
# This allows the local port forwarding to work when connections are received
# from any remote host.
GatewayPorts no

# X11 tunneling options
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes

# The maximum number of concurrent unauthenticated connections to sshd.
# start:rate:full see sshd(1) for more information.
# The default is 10 unauthenticated clients.
#MaxStartups 10:30:60

# Banner to be printed before authentication starts.
Banner /etc/issue

# Should sshd print the /etc/motd file and check for mail.
# On Solaris it is assumed that the login shell will do these (eg /etc/profile).
PrintMotd no

# KeepAlive specifies whether keep alive messages are sent to the client.
# See sshd(1) for detailed description of what this means.
# Note that the client may also be sending keep alive messages to the server.
KeepAlive yes

# Syslog facility and level
SyslogFacility auth
LogLevel info

#
# Authentication configuration
#

# Host private key files
# Must be on a local disk and readable only by the root user (root:sys 600).
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key

# Default Encryption algorithms and Message Authentication codes
#Ciphers        aes128-ctr,aes128-cbc,arcfour,3des-cbc,blowfish-cbc
#MACS   hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96

# Length of the server key
# Default 768, Minimum 512
ServerKeyBits 768

# sshd regenerates the key every KeyRegenerationInterval seconds.
# The key is never stored anywhere except the memory of sshd.
# The default is 1 hour (3600 seconds).
KeyRegenerationInterval 3600

# Ensure secure permissions on users .ssh directory.
StrictModes yes

# Length of time in seconds before a client that hasn't completed
# authentication is disconnected.
# Default is 600 seconds. 0 means no time limit.
LoginGraceTime 600

# Maximum number of retries for authentication
# Default is 6. Default (if unset) for MaxAuthTriesLog is MaxAuthTries / 2
MaxAuthTries    6
MaxAuthTriesLog 3

# Are logins to accounts with empty passwords allowed.
# If PermitEmptyPasswords is no, pass PAM_DISALLOW_NULL_AUTHTOK
# to pam_authenticate(3PAM).
PermitEmptyPasswords no

# To disable tunneled clear text passwords, change PasswordAuthentication to no.
PasswordAuthentication yes

# Use PAM via keyboard interactive method for authentication.
# Depending on the setup of pam.conf(4) this may allow tunneled clear text
# passwords even when PasswordAuthentication is set to no. This is dependent
# on what the individual modules request and is out of the control of sshd
# or the protocol.
PAMAuthenticationViaKBDInt yes

# Are root logins permitted using sshd.
# Note that sshd uses pam_authenticate(3PAM) so the root (or any other) user
# maybe denied access by a PAM module regardless of this setting.
# Valid options are yes, without-password, no.
PermitRootLogin yes

# sftp subsystem
Subsystem       sftp    /usr/lib/ssh/sftp-server


# SSH protocol v1 specific options
#
# The following options only apply to the v1 protocol and provide
# some form of backwards compatibility with the very weak security
# of /usr/bin/rsh.  Their use is not recommended and the functionality
# will be removed when support for v1 protocol is removed.

# Should sshd use .rhosts and .shosts for password less authentication.
IgnoreRhosts yes
RhostsAuthentication no

# Rhosts RSA Authentication
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts.
# If the user on the client side is not root then this won't work on
# Solaris since /usr/bin/ssh is not installed setuid.
RhostsRSAAuthentication no

# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication.
#IgnoreUserKnownHosts yes

# Is pure RSA authentication allowed.
# Default is yes
RSAAuthentication yes




Redhat Box SSHD_COnfig
======================

#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:
AllowUsers root
#LoginGraceTime 2m
#MaxAuthTries 6

#AuthorizedKeysFile     .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
# similar for protocol version 2
# Change to yes if you don't trust ~/.ssh/known_hosts for
# Don't read the user's ~/.rhosts and ~/.shosts files

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
#UsePAM no
UsePAM yes

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:
AllowUsers root
#LoginGraceTime 2m
#MaxAuthTries 6

#AuthorizedKeysFile     .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
# similar for protocol version 2
# Change to yes if you don't trust ~/.ssh/known_hosts for
# Don't read the user's ~/.rhosts and ~/.shosts files

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
#UsePAM no
UsePAM yes

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path

# override default of no subsystems
Subsystem       sftp    /usr/libexec/openssh/sftp-server
PermitRootLogin yes
Protocol 2
PubkeyAuthentication yes
RSAAuthentication yes
DSAAuthentication no
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
KerberosAuthentication no
PermitEmptyPasswords no
StrictModes yes
IgnoreUserKnownHosts yes
0
 
LVL 6

Expert Comment

by:xeroxzerox
Comment Utility
Run it on Destination (by default permission is read only)
you can also run it on source and destination system.
0
 

Author Comment

by:apunkabollywood
Comment Utility
exact same error - as i said other users able to do the stuff - problme coming only with root
0
Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

 
LVL 19

Expert Comment

by:xterm
Comment Utility
Okay, this is likely easy but we're only going to be able to help you if you're VERY specific.  So I want you to answer each of these questions EXACTLY and any commands I ask you to run, please run them and paste the output into this question:

1)  What happens when you do as user root from the Sun machine:
scp /etc/group root@<linux_hostname>:/tmp
scp /etc/group root@<linux machine IP>:/tmp

2)  Please do on the Linux machine:
ls -l /root/.ssh/authorized_keys*

3) Please do on the Sun machine
ls -l /root/.ssh/*.pub
0
 

Author Comment

by:apunkabollywood
Comment Utility
Please find below:

scp /etc/group root@<linux_hostname>:/tmp   - give sucess with ssh banner message but dont do anything - no file copied


scp /etc/group root@<linux machine IP>:/tmp   - nothing happen just - need to do ctrl c to exit

REDHAT

-rw-r--r-- 1 root root 3387 Dec  9 17:35 /root/.ssh/authorized_keys

SUN

-rw-r-----   1 root     root         460 Jan 17  2012 /root/.ssh/emc_id_rsa.pub
-rw-r-----   1 root     root         609 May 29  2013 /root/.ssh/id_dsa.pub
-rw-r-----   1 root     root         609 May 27  2013 /root/.ssh/id_dsa_xcsf.pub
-rw-r-----   1 root     root         401 Jan 26  2007 /root/.ssh/id_rsa.pub
-rw-r-----   1 root     root         229 May 28  2013 /root/.ssh/id_rsa_xscf.pub


please advice
0
 
LVL 19

Accepted Solution

by:
xterm earned 500 total points
Comment Utility
Okay first thing I see is that you need to fix the permissions on authorized_keys - it will not work as they are now (mode 0644).   Please do:

chmod 600 /root/.ssh/authorized_keys

Now, I don't see how the first scp command gave success with a banner - please actually cut and paste the output of that - I don't understand what you mean.

Furthermore, using the IP of the Linux box just hangs?  That would mean the hostname is not looking up to the IP properly.

Please be sure that when you do "nslookup linux_hostname" it returns the IP of the Linux system.

So, please do the chmod command, and then cut & paste here the output of the first scp command.
0
 

Author Comment

by:apunkabollywood
Comment Utility
Strange and first time i have seen - after removing /etc/info line from .bashrc file under /root it works fine - thanks for  your effort.
0
 
LVL 19

Expert Comment

by:xterm
Comment Utility
Not sure I understand - there is no such file as /etc/info?  Can you elaborate on what you did so that others can benefit from your fix?
0
 

Author Closing Comment

by:apunkabollywood
Comment Utility
Sorry for delay and thanks for support yes some file permission change did the trick
0
 
LVL 27

Expert Comment

by:serialband
Comment Utility
Was it actually a permissions change on authorized_keys?  Would you mind posting the solution?

You only need 600 on the private key.  644 should work on authorized_keys, since those are only public keys.  You're supposed to be able to send them to each server admin or account user to ssh to their account, so it doesn't matter if it's readable by everyone.
0

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

Suggested Solutions

If you use Debian 6 Squeeze and you are tired of looking at the childish graphical GDM login screen that is used by default, here's an easy way to change it. If you've already tried to change it you've probably discovered that none of the old met…
FreeBSD on EC2 FreeBSD (https://www.freebsd.org) is a robust Unix-like operating system that has been around for many years. FreeBSD is available on Amazon EC2 through Amazon Machine Images (AMIs) provided by FreeBSD developer and security office…
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

8 Experts available now in Live!

Get 1:1 Help Now