SSH password less log-in



provo1234
30th December 2004, 12:53 AM
Machine A - Redhat Linux Enterprise ES
Machine B - SCO Unixware 7.1.3

Machine A and Machine B are present on the same LAN.

I can log-in from A to B. But when I try SSH from B to A, I am being asked to type a password.

This is what I did.
A -> B : SUCCESS
1) Using the command "ssh-keygen -t dsa", I created id_dsa.pub on Machine A.
2) Copied id_dsa.pub to the .ssh folder (in my home directory) of Machine B.
3) Renamed it to authorized_keys.
4) Changed the file permissions to 644.

B -> A : FAILURE
1) Using the command "ssh-keygen -t dsa", I created id_dsa.pub on Machine B.
2) Copied id_dsa.pub to the .ssh folder (in my home directory) of Machine A.
3) Renamed it to authorized_keys.
4) Changed the file permissions to 644.

How should I add the password-less login capability to my Linux box?

Thanks in advance.
Andre

kosmosik
30th December 2004, 01:04 AM
try connecting in verbose mode (ssh -vvv) and see what the output looks like... or paste it here...

provo1234
30th December 2004, 01:11 AM
Here's the verbose output
$ ssh -v linuxbox
OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090607f
debug1: Reading configuration data /etc/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to scobox [192.168.21.2] port 22.
debug1: Connection established.
debug1: identity file /home/shashi/.ssh/identity type -1
debug1: identity file /home/shashi/.ssh/id_rsa type 1
debug1: identity file /home/shashi/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.4p1
debug1: match: OpenSSH_3.4p1 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.4p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 129/256
debug1: bits set: 1596/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'scobox' is known and matches the RSA host key.
debug1: Found key in /home/shashi/.ssh/known_hosts:3
debug1: bits set: 1599/3191
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is publickey
debug1: try privkey: /home/shashi/.ssh/identity
debug1: try pubkey: /home/shashi/.ssh/id_rsa
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: try pubkey: /home/shashi/.ssh/id_dsa
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is keyboard-interactive
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is password
shashi@scobox's password:

kosmosik
30th December 2004, 01:18 AM
can you do "ls ~/.ssh/" on SCO (sick) box? can you see that ssh on SCO box does look for private key but apparently it can't find it... maybe it is not there?

debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is publickey
debug1: try privkey: /home/shashi/.ssh/identity
debug1: try pubkey: /home/shashi/.ssh/id_rsa
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: try pubkey: /home/shashi/.ssh/id_dsa
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is keyboard-interactive
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is password

provo1234
30th December 2004, 01:23 AM
$ls -al
total 24
-rw-r--r-- 1 shashi csi 606 Dec 23 14:07 authorized_keys
-rw------- 1 shashi csi 672 Dec 29 16:26 id_dsa
-rw-r--r-- 1 shashi csi 604 Dec 29 16:26 id_dsa.pub
-rw------- 1 shashi csi 883 Aug 23 17:07 id_rsa
-rw-r--r-- 1 shashi csi 224 Aug 23 17:07 id_rsa.pub
-rw-r--r-- 1 shashi csi 684 Dec 29 16:30 known_hosts

kosmosik
30th December 2004, 01:25 AM
other thing you can do is set linux sshd to debug mode and look at its log when you try to ssh from SCO box...

provo1234
30th December 2004, 01:58 AM
$ sshd -d
debug1: sshd version OpenSSH_3.6.1p2
debug1: private host key: #0 type 0 RSA1
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
socket: Address family not supported by protocol
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 192.168.21.2 port 34545
debug1: Client protocol version 2.0; client software version OpenSSH_3.4p1
debug1: match: OpenSSH_3.4p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_3.6.1p2
debug1: permanently_set_uid: 74/74
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user shashi service ssh-connection method none
debug1: attempt 0 failures 0
debug1: Starting up PAM with username "shashi"
debug1: PAM setting rhost to "scobox"
Failed none for shashi from 192.168.21.2 port 34545 ssh2
debug1: userauth-request for user shashi service ssh-connection method publickey
debug1: attempt 1 failures 1
debug1: test whether pkalg/pkblob are acceptable
debug1: temporarily_use_uid: 500/501 (e=0/0)
debug1: trying public key file /home/shashi/.ssh/authorized_keys
Authentication refused: bad ownership or modes for directory /home/shashi/.ssh
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 500/501 (e=0/0)
debug1: trying public key file /home/shashi/.ssh/authorized_keys2
debug1: restore_uid: 0/0
Failed publickey for shashi from 192.168.21.2 port 34545 ssh2
debug1: userauth-request for user shashi service ssh-connection method publickey
debug1: attempt 2 failures 2
debug1: test whether pkalg/pkblob are acceptable
debug1: temporarily_use_uid: 500/501 (e=0/0)
debug1: trying public key file /home/shashi/.ssh/authorized_keys
Authentication refused: bad ownership or modes for directory /home/shashi/.ssh
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 500/501 (e=0/0)
debug1: trying public key file /home/shashi/.ssh/authorized_keys2
debug1: restore_uid: 0/0
Failed publickey for shashi from 192.168.21.2 port 34545 ssh2
debug1: userauth-request for user shashi service ssh-connection method keyboard-interactive
debug1: attempt 3 failures 3
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=shashi devs=
debug1: kbdint_alloc: devices ''
Failed keyboard-interactive for shashi from 192.168.21.2 port 34545 ssh2

kosmosik
30th December 2004, 02:00 AM
Authentication refused: bad ownership or modes for directory /home/shashi/.ssh

provo1234
30th December 2004, 02:12 AM
I wonder why that's happening!

The .ssh folder on the Linux box has the following permissions...
drwxr-xr-x 2 shashi csi 4096 Dec 29 16:14 .ssh

The files in the .ssh folder are as follows..
-rw-r--r-- 1 shashi csi 604 Dec 29 16:14 authorized_keys
-rw------- 1 shashi csi 672 Dec 23 13:52 id_dsa
-rw-r--r-- 1 shashi csi 606 Dec 23 13:52 id_dsa.pub
-rw-r--r-- 1 shashi csi 230 Dec 14 17:20 known_hosts

I don't see anything wrong with the permissions as such. What do you think?
Thank you.

provo1234
30th December 2004, 02:20 AM
Boy, sshd is too picky. The home directory /home/shashi had file permissions of 755, I had to change it to 700 (removed the group/others permissions) to make it work. Thanks for your inputs kosmosik. I really appreciate your help.

Thanks again.

kosmosik
30th December 2004, 02:26 AM
it was picky about /home/shashi/.ssh - this should be set to 700...
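
The check behind the "bad ownership or modes" refusal seen in the sshd debug log, as an added example that is not part of any poster's message: with StrictModes enabled, OpenSSH refuses a key file when the file, or any directory above it up to the home directory, is owned by someone other than the user or root, or is writable by group or others. The function names and the temporary directory tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): re-create sshd's StrictModes test on
# the chain home -> ~/.ssh -> authorized_keys. A component fails when it is
# owned by neither the account nor root, or is writable by group or others.

# check_path UID PATH: print one finding, return 1 if sshd would refuse it.
check_path() {
    cp_uid=$1 cp_path=$2
    [ -e "$cp_path" ] || { echo "MISSING   $cp_path"; return 1; }
    # "ls -ldn" prints e.g. "drwxrwxr-x 2 500 501 ..."; keep mode and numeric owner.
    cp_info=$(ls -ldn -- "$cp_path" | awk '{print $1 ":" $3}')
    cp_mode=${cp_info%%:*} cp_owner=${cp_info#*:}
    case $cp_owner in
        "$cp_uid"|0) ;;
        *) echo "BAD OWNER $cp_path (uid $cp_owner)"; return 1 ;;
    esac
    case $cp_mode in
        # 6th character = group write bit, 9th = other write bit
        ?????w*|????????w*) echo "BAD MODE  $cp_path ($cp_mode)"; return 1 ;;
    esac
    echo "OK        $cp_path ($cp_mode)"
}

# audit_ssh_dir UID HOME: return 0 only if every component passes.
audit_ssh_dir() {
    as_uid=$1 as_home=$2 as_rc=0
    for as_p in "$as_home" "$as_home/.ssh" "$as_home/.ssh/authorized_keys"; do
        check_path "$as_uid" "$as_p" || as_rc=1
    done
    return $as_rc
}

# demo: constructed tree with a group-writable .ssh, audited before and
# after the chmod that removes the group/other write bits.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/.ssh" && : > "$d/.ssh/authorized_keys"
    chmod 700 "$d"; chmod 770 "$d/.ssh"; chmod 644 "$d/.ssh/authorized_keys"
    audit_ssh_dir "$(id -u)" "$d" && { rm -rf "$d"; return 1; }  # must fail
    chmod 700 "$d/.ssh"
    audit_ssh_dir "$(id -u)" "$d"; rc=$?                          # must pass
    rm -rf "$d"
    return $rc
}

demo
```

To audit a real account, call `audit_ssh_dir "$(id -u shashi)" /home/shashi` as a user who can read those directories.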