[wplug] OpenSSH keys problem

Scott Eicher Scott.Eicher at e-Profile.com
Wed Aug 20 14:41:59 EDT 2003


Thanks for the idea on running sshd in debug mode. After I did that I was
able to tell that my problem was with mode permissions on the /home/backup
directory. I was seeing this error on the server:

Authentication refused: bad ownership or modes for directory /home/backup

The permissions were 777 so I changed them to 700. After I did this I was
able to ssh into the server without having to enter a password.

Thanks all for the help,
Scott
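The fix Scott describes (a world-writable /home/backup tripping sshd's StrictModes check) is easy to reproduce and easy to catch ahead of time. The following POSIX shell function is an added example, not code from the thread or from OpenSSH: it applies the same rule sshd uses, that the home directory, ~/.ssh and authorized_keys must each be owned by the user (or root) and must not be writable by group or others. The function name and its output lines are my own.

```shell
#!/bin/sh
# Added example (not sshd's own code): approximate the StrictModes checks
# sshd makes before it will trust ~/.ssh/authorized_keys.
# Each of the home directory, ~/.ssh and authorized_keys must be owned by
# the user (or root) and must not be writable by group or others.
# Usage: check_strict_modes USER HOMEDIR   -> prints a verdict, returns 0/1

check_strict_modes() {
    user="$1"
    home="$2"
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue          # sshd only checks paths that exist
        # `ls -ld` is portable where `stat` flags are not: field 1 is the
        # symbolic mode string, field 3 the owner name.
        set -- $(ls -ld "$p")
        mode="$1"
        owner="$3"
        case "$owner" in
            "$user"|root) ;;
            *) echo "bad ownership: $p is owned by $owner, not $user"; return 1 ;;
        esac
        # Characters 6 and 9 of the mode string are the group and other
        # write bits (drwxrwxrwx for the 777 home directory in the thread).
        group_w=$(printf '%s' "$mode" | cut -c6)
        other_w=$(printf '%s' "$mode" | cut -c9)
        if [ "$group_w" = w ] || [ "$other_w" = w ]; then
            echo "bad modes: $p is $mode (group/world writable)"; return 1
        fi
    done
    echo "ok: $home, $home/.ssh and authorized_keys pass the StrictModes checks"
    return 0
}

# Run directly as:  sh check_strict_modes.sh backup /home/backup
if [ $# -eq 2 ]; then
    check_strict_modes "$1" "$2"
fi
```

sshd's actual requirement is only that none of the three paths is group- or world-writable and that each is owned by the user or root, so 755 on the home directory would also have satisfied it; 700, as chosen above, is simply the stricter option.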

-----Original Message-----
From: kuzman at sccs.swarthmore.edu [mailto:kuzman at sccs.swarthmore.edu]
Sent: Wednesday, August 20, 2003 1:32 PM
To: 'wplug at wplug.org'
Subject: Re: [wplug] OpenSSH keys problem


if you run an ssh server on the server with the -d command, you can
then try 

sshd -d -p 2222

or add more d's to suit. Look for something like:

debug1: restore_uid
debug1: ssh_dss_verify: signature correct
Accepted publickey for kuzman from 127.0.0.1 port 1292 ssh2
Accepted publickey for kuzman from 127.0.0.1 port 1292 ssh2
debug1: monitor_child_preauth: kuzman has been authenticated by privileged
process
debug1: PAM establishing creds

If you still have trouble, post the output somewhere and mail the link to
the list.

Kuzman
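Reading a debug log by eye, as Kuzman suggests, comes down to looking for a handful of marker lines. The function below is an added example, not code from the thread or from OpenSSH: it takes a captured `sshd -d` or `ssh -v` log and reduces it to one verdict, distinguishing a StrictModes refusal (the error Scott eventually found) from an accepted key and from a client that silently fell back to password authentication. The function name, verdict strings and return codes are my own; the marker strings are the ones that appear in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): summarise a captured `sshd -d` or
# `ssh -v` log into one verdict, the way you would read it by eye.
# Usage: triage_sshd_debug LOGFILE   -> prints a verdict line and returns
#   0 key accepted, 1 server refused the key's file ownership/modes,
#   2 client fell back to password, 3 nothing recognised.

triage_sshd_debug() {
    log="$1"
    [ -r "$log" ] || { echo "cannot read $log"; return 3; }

    # Server side: StrictModes found a bad owner or mode on the home,
    # ~/.ssh or authorized_keys path named at the end of the line.
    if grep -q 'Authentication refused: bad ownership or modes' "$log"; then
        dir=$(grep 'Authentication refused' "$log" | head -n 1 | sed 's/.*for directory //')
        echo "refused: fix ownership/modes of $dir"
        return 1
    fi
    # Success marker from sshd's own log line.
    if grep -q 'Accepted publickey' "$log"; then
        echo "accepted: public key authentication succeeded"
        return 0
    fi
    # Client side: keys were offered (or not) and the server moved on to
    # password, which is what the original poster's `ssh -v` output showed.
    if grep -q 'next auth method to try is password' "$log"; then
        offered=$(grep -c 'try pubkey:' "$log" || true)
        echo "fell back to password after offering $offered public key(s)"
        return 2
    fi
    echo "inconclusive: no recognised marker in $log"
    return 3
}

# Run directly as:  sshd -d -p 2222 2>&1 | tee sshd.log; sh triage.sh sshd.log
if [ $# -eq 1 ]; then
    triage_sshd_debug "$1"
fi
```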


On Wed, Aug 20, 2003 at 11:09:55AM -0400, Scott Eicher wrote:
> My configs look the same as what you listed for the server and the client.
> I'll look into ssh-agent to see if that helps but since I can't authenticate
> via the keys and always get prompted for the password on the server I'm not
> sure how much help the agent will be.
> 
> Thanks,
> Scott
> 
> -----Original Message-----
> From: Edward C. Smith [mailto:esmith at tranzor.net]
> Sent: Wednesday, August 20, 2003 9:06 AM
> To: wplug at wplug.org
> Subject: Re: [wplug] OpenSSH keys problem
> 
> 
> A few things to note:
> 
> 1) You don't need an ssh-agent, you are correct about that. However what
> that means is that to have passwordless logins without ssh-agent you are
> using a private key with no passphrase. If you are not working on a
> secure local network (even if you are I advise you to consider using
> ssh-agent) then you should definitely set up ssh-agent to store your
> passphrase. You'll only need to type the passphrase in once at login
> time and it'll remain stored for use and create a "typeless login" that
> is password protected.
> 
> 2) Examine your ssh_config (on the server) file make sure you have 
> something like:
> # HostKey for protocol version 1
> #HostKey /etc/ssh_host_key
> # HostKeys for protocol version 2
> #HostKey /etc/ssh_host_rsa_key
> #HostKey /etc/ssh_host_dsa_key
> 
> #RSAAuthentication yes
> #PubkeyAuthentication yes
> #AuthorizedKeysFile     .ssh/authorized_keys
> 
> NOTE: all of these should be default values and should not need to be 
> uncommented. If yours differs from this let me know.
> 
> 3) Take a look at your ssh_config on the client; it should have something
> similar to:
> # Host *
> #   ForwardAgent no
> #   ForwardX11 no
> #   RhostsAuthentication no
> #   RhostsRSAAuthentication no
> #   RSAAuthentication yes
> #   PasswordAuthentication yes
> #   BatchMode no
> #   CheckHostIP yes
> #   StrictHostKeyChecking ask
> #   IdentityFile ~/.ssh/identity
> #   IdentityFile ~/.ssh/id_dsa
> #   IdentityFile ~/.ssh/id_rsa
> #   Port 22
> #   Protocol 2,1
> 
> 
> There are several good websites that talk about setting this up. Search
> google for ssh-agent and you'll get some good hits.
> 
> -Ed
> 
> 
> Carl Benedict wrote:
> 
> >Try editing /etc/ssh/sshd_config on the new server. I took a brief look
> >and there is a line that says:
> >
> >#PasswordAuthentication yes
> >
> >Perhaps this is what you want to change?  Surely what you are looking
> >for is under the "authentication" section of the sshd_config file.
> >
> >If you have access to the old server, try taking a look at its
> >sshd_config file and see what options are different versus the new
> >server.  Your second option would be the man pages.
> >
> >If this is on a secure network, you could always use RSH.  IMHO that
> >would be a simpler solution if security is not important in this
> >scenario.
> >
> >- Carl
> >
> >
> >
> >On Tue, 2003-08-19 at 18:05, Scott Eicher wrote:
> >
> >>I haven't set up an ssh-agent. I've read a little about it but I don't think
> >>that's what I'm looking for. What I'm trying to accomplish is to be able to
> >>create some scripts that will run from cron and scp some files from the
> >>client to the server without prompting for a password. I've got this working
> >>from the same client system to a different server that is running the same
> >>version of OpenSSH. It doesn't prompt me for a password but uses my RSA key
> >>every time.
> >>
> >>Scott
> >>
> >>-----Original Message-----
> >>From: Jonathan S Billings [mailto:billings at negate.org]
> >>Sent: Tuesday, August 19, 2003 5:28 PM
> >>To: wplug at wplug.org
> >>Subject: Re: [wplug] OpenSSH keys problem
> >>
> >>
> >>Have you set up an ssh-agent before trying to connect?  That's when you
> >>will enter your password, not during the connection session.  I suggest
> >>reading the 'ssh' and 'ssh-agent' manpages.  Also, make sure that if you
> >>are using the 2.0 protocol, you've created the appropriate rsa2 keys and
> >>stored the keys in the authorized_keys2 file.
> >>
> >>Jonathan Billings
> >>
> >>
> >>
> >>On Tue, 2003-08-19 at 17:10, Scott Eicher wrote:
> >>
> >>>I am trying to set up RSA/DSA key authentication from a RedHat 7.2 system
> >>>running OpenSSH-3.1p1-6 to a RedHat8.0 system running OpenSSH-3.4p1-2. I
> >>>have generated both RSA and DSA keys via the command ssh-keygen -t rsa and
> >>>ssh-keygen -t dsa. I have appended the keys to the
> >>>/home/username/.ssh/authorized_keys file on the system that I'm connecting
> >>>to. When I try to ssh to the RedHat8 system it always authenticates me back
> >>>to my password instead of to either of the keys. I have tried using both
> >>>keys independently by removing each of them from the keys file one at a time
> >>>but neither wants to work properly.
> >>>
> >>>Here are the verbose debug lines:
> >>>
> >>>OpenSSH_3.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
> >>>debug1: Reading configuration data /etc/ssh/ssh_config
> >>>debug1: Applying options for *
> >>>debug1: Rhosts Authentication disabled, originating port will not be
> >>>trusted.
> >>>debug1: restore_uid
> >>>debug1: ssh_connect: getuid 0 geteuid 0 anon 1
> >>>debug1: Connecting to HOSTIPADDRESS [HOSTIPADDRESS] port 22.
> >>>debug1: temporarily_use_uid: 0/0 (e=0)
> >>>debug1: restore_uid
> >>>debug1: temporarily_use_uid: 0/0 (e=0)
> >>>debug1: restore_uid
> >>>debug1: Connection established.
> >>>debug1: read PEM private key done: type DSA
> >>>debug1: read PEM private key done: type RSA
> >>>debug1: identity file /root/.ssh/identity type -1
> >>>debug1: identity file /root/.ssh/id_rsa type 1
> >>>debug1: identity file /root/.ssh/id_dsa type -1
> >>>debug1: Remote protocol version 1.99, remote software version OpenSSH_3.4p1
> >>>debug1: match: OpenSSH_3.4p1 pat OpenSSH*
> >>>Enabling compatibility mode for protocol 2.0
> >>>debug1: Local version string SSH-2.0-OpenSSH_3.1p1
> >>>debug1: SSH2_MSG_KEXINIT sent
> >>>debug1: SSH2_MSG_KEXINIT received
> >>>debug1: kex: server->client aes128-cbc hmac-md5 none
> >>>debug1: kex: client->server aes128-cbc hmac-md5 none
> >>>debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
> >>>debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> >>>debug1: dh_gen_key: priv key bits set: 124/256
> >>>debug1: bits set: 1647/3191
> >>>debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> >>>debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> >>>debug1: Host 'HOSTIPADDRESS' is known and matches the RSA host key.
> >>>debug1: Found key in /root/.ssh/known_hosts:1
> >>>debug1: bits set: 1635/3191
> >>>debug1: ssh_rsa_verify: signature correct
> >>>debug1: kex_derive_keys
> >>>debug1: newkeys: mode 1
> >>>debug1: SSH2_MSG_NEWKEYS sent
> >>>debug1: waiting for SSH2_MSG_NEWKEYS
> >>>debug1: newkeys: mode 0
> >>>debug1: SSH2_MSG_NEWKEYS received
> >>>debug1: done: ssh_kex2.
> >>>debug1: send SSH2_MSG_SERVICE_REQUEST
> >>>debug1: service_accept: ssh-userauth
> >>>debug1: got SSH2_MSG_SERVICE_ACCEPT
> >>>debug1: authentications that can continue:
> >>>publickey,password,keyboard-interactive
> >>>debug1: next auth method to try is publickey
> >>>debug1: try privkey: /root/.ssh/identity
> >>>debug1: try pubkey: /root/.ssh/id_rsa
> >>>debug1: authentications that can continue:
> >>>publickey,password,keyboard-interactive
> >>>debug1: try privkey: /root/.ssh/id_dsa
> >>>debug1: next auth method to try is keyboard-interactive
> >>>debug1: authentications that can continue:
> >>>publickey,password,keyboard-interactive
> >>>debug1: next auth method to try is password 
> >>>(HERE IT PROMPTS FOR THE PASSWORD, NOT THE PASSPHRASE)
> >>>
> >>>Could this be a bug or am I doing something wrong? I'd like to get this
> >>>working without having to upgrade the openssh package on the client system.
> >>    
> >>
> >>>Thanks,
> >>>Scott
> >>-- 
> >>Jonathan S Billings <billings at negate.org>
> >>TSFNKP, President and Chief Lackey
> >>
> >
> >
> 
_______________________________________________
wplug mailing list
wplug at wplug.org
http://www.wplug.org/mailman/listinfo/wplug