SSH & Passwordless login to remote machine ?

Post by Patrick Kirchn » Sun, 28 Apr 2002 12:13:14



Hello,

I'm trying to set up ssh on a machine behind my firewall so it
will allow me to login from another machine behind the firewall
without entering a password.

Here's what I've done so far (amongst other things that didn't work ;)

1.  Ran "ssh-keygen -t rsa" on the client machine (also tried " -t RSA1").
    I used an empty passphrase.

2.  Copied /home/lanuser/.ssh/id_rsa.pub to the remote machine as
    /home/lanuser/.ssh/authorized-keys (also tried with identity.pub for RSA1)

3.  From the client machine I ran "ssh -v -v remotehost"

4.  Below is what I got, along with a prompt for a password :(

/*** Further below this is the remote computer's sshd_config
         It has RH7.2 installed with openssh-3.1p1-2      ***/

debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'remotehost' is known and matches the RSA host key.
debug1: Found key in /home/lanuser/.ssh/known_hosts:1
debug1: bits set: 505/1024
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is publickey
debug1: try privkey: /home/lanuser/.ssh/identity
debug1: try pubkey: /home/lanuser/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: try privkey: /home/lanuser/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug1: next auth method to try is keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug1: next auth method to try is password

--> Here is the sshd_config file from the remotehost <--

#       $OpenBSD: sshd_config,v 1.48 2002/02/19 02:50:59 deraadt Exp $
# This is the sshd server system-wide configuration file.  See sshd(8)
# for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 3600
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 600
PermitRootLogin no
#StrictModes yes

#RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys

# rhosts authentication should not be used
#RhostsAuthentication yes
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts no
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication yes
# similar for protocol version 2
#HostbasedAuthentication yes
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
# KerberosAuthentication automatically enabled if keyfile exists
#KerberosAuthentication yes
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# AFSTokenPassing automatically enabled if k_hasafs() is true
#AFSTokenPassing yes

# Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no

# Set this to 'yes' to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt yes

#X11Forwarding no
#X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost no
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no

#MaxStartups 10
# no default banner path
Banner /etc/issue.ssh
#VerifyReverseMapping no

# override default of no subsystems
Subsystem       sftp    /usr/libexec/openssh/sftp-server

<----------------------------->

If anyone could lend me some advice or lead me in the right direction I
would greatly appreciate it.

Thanks much,

Patrick Kirchner.

 
 
 


Post by ken_yap_c9230232_.. » Sun, 28 Apr 2002 13:18:43


|2.  Copied /home/lanuser/.ssh/id_rsa.pub to the remote machine as
|    /home/lanuser/.ssh/authorized-keys (also tried with identity.pub for RSA1)

It's authorized_keys (underscore, not hyphen).

 
 
 


Post by Alan Johnso » Sun, 28 Apr 2002 16:09:18



> |2.  Copied /home/lanuser/.ssh/id_rsa.pub to the remote machine as
> |    /home/lanuser/.ssh/authorized-keys (also tried with identity.pub for
> |    RSA1)

> It's authorized_keys (underscore, not hyphen).

Additionally, make sure that authorized_keys is not writable by group (and
certainly not by everybody). Permissions 644 should be okay, unless you
care about other people reading your public keys (which shouldn't matter
since they are public).

Alan
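
The two checks from the replies above (file name and write permissions), as an added example that is not part of the original posts. The function names are hypothetical; the key file path follows the AuthorizedKeysFile line in the posted sshd_config, and the permission test mirrors what sshd enforces when StrictModes is left at its default of yes.

```shell
#!/bin/sh
# Added example: audit a home directory for the two mistakes in this thread.
# Usage: audit_authorized_keys /home/lanuser
# Prints one finding per line; returns 0 when nothing is wrong.

# True if the path is writable by group or others.
# In the `ls -ld` mode string, column 6 is group-write and column 9 is other-write.
loose_perms() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ?????w*|????????w*) return 0 ;;
    esac
    return 1
}

audit_authorized_keys() {
    home=$1
    sshdir="$home/.ssh"
    keyfile="$sshdir/authorized_keys"   # AuthorizedKeysFile .ssh/authorized_keys
    rc=0

    if [ ! -f "$keyfile" ]; then
        echo "MISSING: $keyfile"
        rc=1
        # Report near-miss names such as authorized-keys, which sshd never reads.
        for f in "$sshdir"/authorized*; do
            if [ -e "$f" ] && [ "$f" != "$keyfile" ]; then
                echo "MISNAMED? $f (sshd will not read it)"
            fi
        done
    fi

    # With StrictModes on, sshd checks the home directory, ~/.ssh and the key
    # file; a group- or world-writable entry makes it ignore the key.
    for p in "$home" "$sshdir" "$keyfile"; do
        if [ -e "$p" ] && loose_perms "$p"; then
            echo "LOOSE: $p is group/world-writable"
            rc=1
        fi
    done
    return $rc
}
```

Run it on the server side as the target user; the client's "ssh -v -v" output only shows that the public key was offered and refused, not why.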

 
 
 


Post by Patrick Kirchn » Mon, 29 Apr 2002 02:42:27




> > |2.  Copied /home/lanuser/.ssh/id_rsa.pub to the remote machine as
> > |    /home/lanuser/.ssh/authorized-keys (also tried with identity.pub for
> > |    RSA1)
> > It's authorized_keys (underscore, not hyphen).
> Additionally, make sure that authorized_keys is not writable by group (and
> certainly not by everybody). Permissions 644 should be okay, unless you
> care about other people reading your public keys (which shouldn't matter
> since they are public).
> Alan

Wow, nice call Alan!

I can't thank you enough for responding to my post and I can't believe
that it came down to a dumb mistake like that, uggh.

Thanks again very much.
Patrick.

 
 
 


Post by Patrick Kirchn » Tue, 30 Apr 2002 07:34:06



> |2.  Copied /home/lanuser/.ssh/id_rsa.pub to the remote machine as
> |    /home/lanuser/.ssh/authorized-keys (also tried with identity.pub for RSA1)

> It's authorized_keys (underscore, not hyphen).

Thanks ken_yap, you had the right answer.  I appreciate your help.

pK.

 
 
 
