[wplug] OpenSSH keys problem

Scott Eicher Scott.Eicher at e-Profile.com
Wed Aug 20 11:09:55 EDT 2003


My configs look the same as what you listed for the server and the client.
I'll look into ssh-agent to see if that helps but since I can't authenticate
via the keys and always get prompted for the password on the server I'm not
sure how much help the agent will be.

Thanks,
Scott

-----Original Message-----
From: Edward C. Smith [mailto:esmith at tranzor.net]
Sent: Wednesday, August 20, 2003 9:06 AM
To: wplug at wplug.org
Subject: Re: [wplug] OpenSSH keys problem


A few things to note:

1) You don't need an ssh-agent, you are correct about that. However what
that means is that to have passwordless logins without ssh-agent you are
using a private key with no passphrase. If you are not working on a
secure local network (even if you are I advise you to consider using
ssh-agent) then you should definitely set up ssh-agent to store your
passphrase. You'll only need to type the passphrase in once at login
time and it'll remain stored for use and create a "typeless login" that
is password protected.

2) Examine your ssh_config file (on the server) and make sure you have
something like:
# HostKey for protocol version 1
#HostKey /etc/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh_host_rsa_key
#HostKey /etc/ssh_host_dsa_key

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile     .ssh/authorized_keys

NOTE: all of these should be default values and should not need to be 
uncommented. If yours differs from this let me know.

3) Take a look at your ssh_config on the client; it should have something
similar to:
# Host *
#   ForwardAgent no
#   ForwardX11 no
#   RhostsAuthentication no
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   BatchMode no
#   CheckHostIP yes
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_dsa
#   IdentityFile ~/.ssh/id_rsa
#   Port 22
#   Protocol 2,1


There are several good websites that talk about setting this up. Search
Google for ssh-agent and you'll get some good hits.

-Ed


Carl Benedict wrote:

>Try editing /etc/ssh/sshd_config on the new server. I took a brief look
>and there is a line that says:
>
>#PasswordAuthentication yes
>
>Perhaps this is what you want to change?  Surely what you are looking
>for is under the "authentication" section of the sshd_config file.
>
>If you have access to the old server, try taking a look at its
>sshd_config file and see what options are different versus the new
>server.  Your second option would be the man pages.
>
>If this is on a secure network, you could always use RSH.  IMHO that
>would be a more simple solution if security is not important in this
>scenario.
>
>- Carl
>
>
>
>On Tue, 2003-08-19 at 18:05, Scott Eicher wrote:
>  
>
>>I haven't set up an ssh-agent. I've read a little about it but I don't think
>>that's what I'm looking for. What I'm trying to accomplish is to be able to
>>create some scripts that will run from cron and scp some files from the
>>client to the server without prompting for a password. I've got this working
>>from the same client system to a different server that is running the same
>>version of OpenSSH. It doesn't prompt me for a password but uses my RSA key
>>every time.
>>
>>Scott
>>
>>-----Original Message-----
>>From: Jonathan S Billings [mailto:billings at negate.org]
>>Sent: Tuesday, August 19, 2003 5:28 PM
>>To: wplug at wplug.org
>>Subject: Re: [wplug] OpenSSH keys problem
>>
>>
>>Have you set up an ssh-agent before trying to connect?  That's when you
>>will enter your password, not during the connection session.  I suggest
>>reading the 'ssh' and 'ssh-agent' manpages.  Also, make sure that if you
>>are using the 2.0 protocol, you've created the appropriate rsa2 keys and
>>stored the keys in the authorized_keys2 file.
>>
>>Jonathan Billings
>>
>>
>>
>>On Tue, 2003-08-19 at 17:10, Scott Eicher wrote:
>>    
>>
>>>I am trying to set up RSA/DSA key authentication from a RedHat 7.2 system
>>>running OpenSSH-3.1p1-6 to a RedHat8.0 system running OpenSSH-3.4p1-2. I
>>>have generated both RSA and DSA keys via the command ssh-keygen -t rsa and
>>>ssh-keygen -t dsa. I have appended the keys to the
>>>/home/username/.ssh/authorized_keys file on the system that I'm connecting
>>>to. When I try to ssh to the RedHat8 system it always authenticates me back
>>>to my password instead of to either of the keys. I have tried using both
>>>keys independently by removing each of them from the keys file one at a time
>>>but neither wants to work properly.
>>>
>>>Here are the verbose debug lines:
>>>
>>>OpenSSH_3.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
>>>debug1: Reading configuration data /etc/ssh/ssh_config
>>>debug1: Applying options for *
>>>debug1: Rhosts Authentication disabled, originating port will not be
>>>trusted.
>>>debug1: restore_uid
>>>debug1: ssh_connect: getuid 0 geteuid 0 anon 1
>>>debug1: Connecting to HOSTIPADDRESS [HOSTIPADDRESS] port 22.
>>>debug1: temporarily_use_uid: 0/0 (e=0)
>>>debug1: restore_uid
>>>debug1: temporarily_use_uid: 0/0 (e=0)
>>>debug1: restore_uid
>>>debug1: Connection established.
>>>debug1: read PEM private key done: type DSA
>>>debug1: read PEM private key done: type RSA
>>>debug1: identity file /root/.ssh/identity type -1
>>>debug1: identity file /root/.ssh/id_rsa type 1
>>>debug1: identity file /root/.ssh/id_dsa type -1
>>>debug1: Remote protocol version 1.99, remote software version OpenSSH_3.4p1
>>>debug1: match: OpenSSH_3.4p1 pat OpenSSH*
>>>Enabling compatibility mode for protocol 2.0
>>>debug1: Local version string SSH-2.0-OpenSSH_3.1p1
>>>debug1: SSH2_MSG_KEXINIT sent
>>>debug1: SSH2_MSG_KEXINIT received
>>>debug1: kex: server->client aes128-cbc hmac-md5 none
>>>debug1: kex: client->server aes128-cbc hmac-md5 none
>>>debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
>>>debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
>>>debug1: dh_gen_key: priv key bits set: 124/256
>>>debug1: bits set: 1647/3191
>>>debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
>>>debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
>>>debug1: Host 'HOSTIPADDRESS' is known and matches the RSA host key.
>>>debug1: Found key in /root/.ssh/known_hosts:1
>>>debug1: bits set: 1635/3191
>>>debug1: ssh_rsa_verify: signature correct
>>>debug1: kex_derive_keys
>>>debug1: newkeys: mode 1
>>>debug1: SSH2_MSG_NEWKEYS sent
>>>debug1: waiting for SSH2_MSG_NEWKEYS
>>>debug1: newkeys: mode 0
>>>debug1: SSH2_MSG_NEWKEYS received
>>>debug1: done: ssh_kex2.
>>>debug1: send SSH2_MSG_SERVICE_REQUEST
>>>debug1: service_accept: ssh-userauth
>>>debug1: got SSH2_MSG_SERVICE_ACCEPT
>>>debug1: authentications that can continue:
>>>publickey,password,keyboard-interactive
>>>debug1: next auth method to try is publickey
>>>debug1: try privkey: /root/.ssh/identity
>>>debug1: try pubkey: /root/.ssh/id_rsa
>>>debug1: authentications that can continue:
>>>publickey,password,keyboard-interactive
>>>debug1: try privkey: /root/.ssh/id_dsa
>>>debug1: next auth method to try is keyboard-interactive
>>>debug1: authentications that can continue:
>>>publickey,password,keyboard-interactive
>>>debug1: next auth method to try is password 
>>>(HERE IT PROMPTS FOR THE PASSWORD, NOT THE PASSPHRASE)
>>>
>>>Could this be a bug or am I doing something wrong? I'd like to get this
>>>working without having to upgrade the openssh package on the client system.
>>>Thanks,
>>>Scott
>>>_______________________________________________
>>>wplug mailing list
>>>wplug at wplug.org
>>>http://www.wplug.org/mailman/listinfo/wplug
>>-- 
>>Jonathan S Billings <billings at negate.org>
>>TSFNKP, President and Chief Lackey
>>

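As an added example (written here, not by any poster in this thread), a small Python script that reads the client-side "ssh -v" transcript quoted above and reports which identity files loaded, which offered keys the server refused, and which method the client finally fell through to. The sample lines are copied from the transcript (with the wrapped "authentications that can continue" lines rejoined), and the patterns assume the OpenSSH 3.x client debug wording seen there.

```python
import re

# Constructed sample: the authentication-related lines from the 'ssh -v'
# transcript quoted in this thread (wrapped output lines rejoined).
SAMPLE = """\
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type 1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is publickey
debug1: try pubkey: /root/.ssh/id_rsa
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is keyboard-interactive
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is password
"""

# Patterns follow the OpenSSH 3.x client debug wording used in the transcript.
ID_RE = re.compile(r"debug1: identity file (\S+) type (-?\d+)")
OFFER_RE = re.compile(r"debug1: try pubkey: (\S+)")
FAIL_RE = re.compile(r"debug1: authentications that can continue:")
METHOD_RE = re.compile(r"debug1: next auth method to try is (\S+)")

def analyse(transcript):
    """Summarise identities loaded, keys offered/refused and the final method."""
    loaded, offered, refused, methods = [], [], [], []
    pending = None  # key offered to the server but not yet answered
    for line in transcript.splitlines():
        if m := ID_RE.match(line):
            if m.group(2) != "-1":  # type -1: file missing or unreadable
                loaded.append(m.group(1))
        elif m := OFFER_RE.match(line):
            pending = m.group(1)
            offered.append(pending)
        elif FAIL_RE.match(line) and pending:
            refused.append(pending)  # the server's failure reply answered the offer
            pending = None
        elif m := METHOD_RE.match(line):
            methods.append(m.group(1))
    final = methods[-1] if methods else None
    if not loaded:
        verdict = "client side: no readable identity file, nothing to offer"
    elif offered and offered == refused and final != "publickey":
        verdict = "server side: every offered key was refused; check authorized_keys and sshd_config"
    elif final == "publickey":
        verdict = "publickey accepted"
    else:
        verdict = "inconclusive"
    return {"loaded": loaded, "offered": offered, "refused": refused,
            "final_method": final, "verdict": verdict}
```

Feed analyse() the saved output of a real "ssh -v" run to get the same summary; on the transcript above it points at the server side, which is where the replies in this thread also look.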