On Thursday 02 March 2006 15:11, daniel parkes wrote:
Hi people,
All the servers are SLES8 with the latest version of sshd from you.
I have a problem with sshd authentication with public keys. The thing is, I need to use scp in scripts without being asked for passwords; that's why I am using pub keys. In our development machines (I am the admin) I have used pub keys without problem, but now in production servers (I'm not the admin) it's not working; it asks all the time for password input. The thing is, I only have a normal user in the 2 production boxes, and this is what I have done:
Created a key pair:
ssh-keygen -t rsa
.ssh]$ ls
id_rsa id_rsa.pub
Launched:
ssh-copy-id -i id_rsa.pub bebe@172.29.xx.xx
and checked in the other machine that the authorized_keys was created:
/.ssh> more authorized_keys ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAo5SbiJdj4Njmwwa3Tz9ozKpgMbNywR7+FmEDlxXk2+XC ec/kVWYfzK6/Ig2CzFkybTbLq2K2Gwb6L8uQ4v8rGgS1ZRdi9YonEaP0CUfODggXZ6EgYXdIrGv h6dIh UCIa1u+QA7qFWvpdH2H7ub9GdK+= bebe@x.x.x.x
then ssh to the machine bebe@172.29.xx.xx
and it asks for a password all the time. This procedure works perfectly in my machines, but not in production, and I can't talk with the admins. So I was looking for places where you could block public key authentication. I have looked in sshd_config and pub auth is on:
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
Sorry, I am confused: you want to block pub key authentication, or you are looking for somewhere in the config files where pub might be blocked by default and you wish to enable it?
If it is the latter then your pub key statement in sshd_config has a capitalisation error (should it make some difference). It should be;
PubKeyAuthentication yes #note, K not k.
That is to say it has an error when compared to my setup, which works with pub key authentication with both client and server running 10.0, openssh 4.1.p1.
I also had to turn PAM off in the same file as the server defaulted to using this method first. Turned off thus;
UsePAM no
Also I specify the home directory of the user logging in to look for the authorized keys file, thus;
AuthorizedKeysFile %h/.ssh/authorized_keys
The %h token tells the ssh daemon to look in the home folder for that particular user.
Apologies if I have got the wrong end of the stick.
Allister
--
Public Key to be found at www.keyserver.net. Search for tag@ukfsn
My point is: where can you block sshd pub key auth in the system so it doesn't work? Because I have it working in my servers but I can't make it work in other servers that are not mine, and I would like to know where they are blocking me so I can't use it.
And the other question was: is there another way to copy a file from one box to another without having to type the password, not using nfs, samba?
And about the perms: the perms of the authorized key are:
.ssh> ls -l
total 4
-rw------- 1 es02XXXX spresXXX 232 mar 3 11:13 authorized_keys
and the config in sshd is
#RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
but it makes no difference if you change it to ~/.ssh/authorized_keys or %h/.ssh/authorized_keys and restart the daemon, because, I don't know why, it's not reading the .ssh when I log on; as you say, the access time doesn't change in the .ssh dir when I try to access the file.
On Friday 03 March 2006 10:47, daniel parkes wrote:
My point is: where can you block sshd pub key auth in the system so it doesn't work? Because I have it working in my servers but I can't make it work in other servers that are not mine, and I would like to know where they are blocking me so I can't use it.
And the other question was: is there another way to copy a file from one box to another without having to type the password, not using nfs, samba?
Yes, samba can be used, and nfs, to copy files from a local box to a remote server (serving nfs or samba shares). Authentication is done on startup in nfs shares, which if I remember rightly is done when file shares are mounted via fstab; passwords can be specified there. Samba can also be used and authentication can be set up via local login passwords, but of course it will depend on what OS the client uses as to the samba share setup. All of which will be made more difficult if the servers concerned are not under your control.
Having said that, it should be possible to set up an ssh login for your client machine. You are using protocol version 1, rsa based pubkey authentication. Your server should have the following declarations in /etc/ssh/sshd_config;
--------------------------------------------------------------------------------
# or whatever port your server is set up to listen on
Port 22
# try protocol 1 first
Protocol 1,2
# whatever the IP address that your server should be set up to listen on
ListenAddress xx.xx.xx.xx
# as you are using protocol version 1
HostKey /etc/ssh/ssh_host_key
# assuming that you have some method to view the log
LogLevel VERBOSE
# as you want to use pubkey (is no by default)
RSAAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
# again as you want to use pubkey
PasswordAuthentication no
# see above
ChallengeResponseAuthentication no
UsePAM no
# another method of file copying between boxes
Subsystem sftp /usr/lib/ssh/sftp-server
# All other declarations should be at default values
-------------------------------------------------------------------------------
You have created your keypair on your client; your private key resides in ~/.ssh/identity, which should be readable by the user but NOT accessible by any others (read/write/execute). SSH will ignore keys which are accessible by others. The user on your client has an account on the server with the same name as on the client. You have copied the public part of the key to the server and placed it in your client's (home) directory under ~/.ssh/authorized_keys and chowned that file root:root with perms of maximum 600/0/0 (rwx/---/---).
Restart the sshd server (rcsshd restart) on the remote machine and use the following command to copy a file using pubkey authentication (-v for verbose output), assuming that you are logged in on the client machine as the user for whom the public keypair was earlier created;
scp -v filetobecopied <ip address or name of remote server>:/location/to/be/copied/to/filetobecopied
All the above works on SuSE 10.0.
HTH
Allister
--
Public Key to be found at www.keyserver.net. Search for tag@ukfsn
I have launched ssh with the -v parameter and I get:
What I get related to pubkey is this:
27864: debug1: authentications that can continue: publickey,password
27864: debug1: next auth method to try is publickey
27864: debug1: try privkey: /home/bebe/.ssh/identity
27864: debug1: try pubkey: /home/bebe/.ssh/id_rsa
27864: debug1: authentications that can continue: publickey,password
27864: debug1: try privkey: /home/bebe/.ssh/id_dsa
27864: debug1: next auth method to try is password
bebe@emamel506pru's password:
But I can't work out what's the problem here. Why doesn't it like the pubkey auth?
The Monday 2006-03-06 at 09:37 +0100, daniel parkes wrote:
I have launched ssh with the -v parameter and I get:
What I get related to pubkey is this:
....
But I can't work out what's the problem here. Why doesn't it like the pubkey auth?
Perhaps looking at the server side of the log for the same connection.
--
Cheers, Carlos Robinson
Yep, they finally gave me access to the server log, and the problem was that the home directory of the user had 777; now they have changed it and it works OK.
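The cause reported above, a home directory with mode 777, is what sshd's StrictModes check (on by default) rejects: the authorized_keys file and each directory from it up to the home directory must be owned by the user or root and must not be group- or world-writable. The following is an added example, not part of the original thread, that applies the same test from an ordinary user shell; the function name strictmodes_check and the temporary demo directory are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): approximate sshd's StrictModes test on
# the three paths it walks for the default AuthorizedKeysFile location.
# strictmodes_check HOME UID : prints one line per problem, returns 1 if any.
strictmodes_check() {
    sm_home=$1
    sm_uid=$2          # numeric uid expected to own the paths (root is also accepted)
    sm_rc=0
    for sm_p in "$sm_home" "$sm_home/.ssh" "$sm_home/.ssh/authorized_keys"; do
        if [ ! -e "$sm_p" ]; then
            echo "MISSING $sm_p"; sm_rc=1; continue
        fi
        # ls -ldn prints e.g. "drwxrwxrwx 2 1000 100 ...": mode string, then numeric owner
        set -- $(ls -ldn "$sm_p")
        sm_mode=$1; sm_owner=$3
        # character 6 of the mode string is group-write, character 9 is other-write
        case $sm_mode in
            ?????w*|????????w*) echo "WRITABLE $sm_mode $sm_p"; sm_rc=1 ;;
        esac
        if [ "$sm_owner" != "$sm_uid" ] && [ "$sm_owner" != 0 ]; then
            echo "OWNER $sm_owner $sm_p"; sm_rc=1
        fi
    done
    return $sm_rc
}

# Constructed demo reproducing the thread's fault: a 777 home directory
# with an otherwise correct .ssh (700) and authorized_keys (600).
demo_home=$(mktemp -d)
mkdir "$demo_home/.ssh"
: > "$demo_home/.ssh/authorized_keys"
chmod 700 "$demo_home/.ssh"
chmod 600 "$demo_home/.ssh/authorized_keys"
chmod 777 "$demo_home"
strictmodes_check "$demo_home" "$(id -u)" || echo "=> sshd would ignore this authorized_keys"
chmod 755 "$demo_home"
strictmodes_check "$demo_home" "$(id -u)" && echo "=> path passes the check"
rm -rf "$demo_home"
```

On a real account, call it as `strictmodes_check "$HOME" "$(id -u)"` on the server side; a clean result rules out permissions as the reason the client falls back to password authentication.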
Just to test, I tried using pubkey the other way round: before I was trying from box 1 to 2, now I have tried 2 to 1 and it works OK! :***, but I need it the other way round. But it's so strange, I don't understand; I have reviewed all the config files ssh_config, sshd_config and /etc/pam.d/ssh and the only difference is in sshd_config in machine 2 it has #protocol 2 only, but that should make no difference because when I connect from 2 to 1 I use protocol 2 to connect with no problems, so the mystery continues....
25036: debug1: authentications that can continue: publickey,password
25036: debug1: next auth method to try is publickey
25036: debug1: try privkey: /interfaces_mqgp/.ssh/identity
25036: debug1: try pubkey: /interfaces_mqgp/.ssh/id_rsa
25036: debug1: input_userauth_pk_ok: pkalg ssh-rsa blen 149 lastkey 0x8hint
1
25036: debug1: read PEM private key done: type RSA
25036: debug1: ssh-userauth2 successful: method publickey
25036: debug1: channel 0: new [client-session]
It worked! But the other way round ;D
Thanks for your help.
participants (3): Allister, Carlos E. R., daniel parkes