ssh connection without password


 
# 1  
Old 05-29-2009
ssh connection without password

The subject has been outlined in many articles, yet I cannot establish a password-less ssh connection. Below I show what I did and then I include ssh debug info; maybe someone will be able to point out something I am not doing right.

My setup: two SCO 5.0.7 boxes on a private LAN, user equivalency established, rcmd/rcp working from one to another just fine. The user account, which is the same on both sides, has no password.

on both boxes:
Code:
$ grep -v '^#' /etc/ssh/sshd_config | grep -v '^$'
RSAAuthentication yes
PubkeyAuthentication yes
Subsystem       sftp    /usr/lib/openssh/sftp-server

On my source box I generated a public key:
Code:
 
$ ssh-keygen -t rsa
$ l -g
-rw-------   1 group        887 May 29 11:39 id_rsa
-rw-r--r--   1 group        229 May 29 11:39 id_rsa.pub

And I copied the pub file to the target box.

On the target box:
Code:
 
$ cd; mkdir .ssh; chmod 700 .ssh; l -dg .ssh
drwx------   2 group        512 May 29 11:33 .ssh
$ cd .ssh
$ cat ../my_pub > authorized_keys; chmod 600 authorized_keys
$ l -g
-rw-------   1 group        229 May 29 11:33 authorized_keys

Now, when I try to connect from my source box:

Code:
 
 $ ssh -v target_server
OpenSSH_3.8p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7d 17 Mar 2004
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to target_server [192.168.1.74] port 22.
debug1: Connection established.
debug1: identity file /u/target_user/.ssh/identity type -1
debug1: identity file /u/target_user/.ssh/id_rsa type 1
debug1: identity file /u/target_user/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.8p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'target_server' is known and matches the RSA host key.
debug1: Found key in /u/target_user/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /u/target_user/.ssh/identity
debug1: Offering public key: /u/target_user/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Trying private key: /u/target_user/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password
target_user@target_server's password: 
debug1: Authentications that can continue: publickey,password,keyboard-interactive
Permission denied, please try again.
target_user@target_server's password:

I see message "ssh_rsa_verify: signature correct" in the debug, which looks like a promising sign, but something is not clicking and it does ask for password, which is removed for this user account, so it is no go.

Any pointers would be appreciated.

Last edited by migurus; 05-29-2009 at 05:14 PM.. Reason: forgot to show sshd_config
# 2  
Old 05-29-2009
One thing I would do from the start is make sure that the .ssh directory and authorized_keys files are owned by the user. Looks like one of them is owned by 1, and the other by 2.

-----Post Update-----

Also, make sure there are no line breaks in the authorized_keys file from copying and pasting.
Padow
# 3  
Old 05-29-2009
On my setup, I copied it to authorized_keys2 (note the difference in filename). I always use root account and there is a password (so a little different from yours).
# 4  
Old 05-29-2009
Quote:
Originally Posted by Padow
One thing I would do from the start is make sure that the .ssh directory and authorized_keys files are owned by the user. Looks like one of them is owned by 1, and the other by 2.

-----Post Update-----

Also, make sure there are no line breaks in the authorized_keys file from copying and pasting.

Well, this is just "l -g" format, 1 and 2 are not user id, the user id is definitely same target_user.

-----Post Update-----

Quote:
Originally Posted by wireonfire
On my setup, I copied it to authorized_keys2 (note the difference in filename). I always use root account and there is a password (so a little different from yours).
I copied authorized_keys to authorized_keys2 and result is the same.
# 5  
Old 05-29-2009
Can you try ssh -vvv to see more?
# 6  
Old 05-30-2009
Quote:
Originally Posted by nj78
Can you try ssh -vvv to see more?
Here is -vvv output:

Code:
$ ssh -vvv target_srvr
OpenSSH_3.8p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7d 17 Mar 2004
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to target_srvr [192.168.123.123] port 22.
debug1: Connection established.
debug1: identity file /u/target_user/.ssh/identity type -1
debug3: Not a RSA1 key file /u/target_user/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /u/target_user/.ssh/id_rsa type 1
debug1: identity file /u/target_user/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.8p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 120/256
debug2: bits set: 486/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /u/target_user/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug3: check_host_in_hostfile: filename /u/target_user/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug1: Host 'target_srvr' is known and matches the RSA host key.
debug1: Found key in /u/target_user/.ssh/known_hosts:1
debug2: bits set: 486/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /u/target_user/.ssh/identity (0)
debug2: key: /u/target_user/.ssh/id_rsa (80856c4)
debug2: key: /u/target_user/.ssh/id_dsa (0)
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list publickey,password,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /u/target_user/.ssh/identity
debug3: no such identity: /u/target_user/.ssh/identity
debug1: Offering public key: /u/target_user/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Trying private key: /u/target_user/.ssh/id_dsa
debug3: no such identity: /u/target_user/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: userauth_kbdint: disable: no info_req_seen
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: 
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
target_user@target_srvr's password: 
$

-----Post Update-----

Just for the record,

the problem was that target_user home dir was 775. The group write permission was the culprit, so I changed it to 755. After that I received clear message:

Empty password restricted by ssh

So, I edited sshd_config on target_srvr and said
PermitEmptyPasswords yes
Then re-started sshd and it works like a charm.
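
Added example, not part of the original posts: a POSIX shell check for the condition that resolved this thread, a group-writable home directory, which sshd's StrictModes option (on by default) treats as grounds to ignore authorized_keys. The function name strict_modes_check is hypothetical, and the check approximates sshd's behaviour rather than reproducing its code.

```shell
#!/bin/sh
# Added example (not OpenSSH code): approximates the ownership and mode
# checks sshd applies with StrictModes before trusting authorized_keys.

# strict_modes_check HOME_DIR [UID]
# Prints one line per offending path. Returns 0 if clean, 1 otherwise.
strict_modes_check() {
    home=$1
    uid=${2:-$(id -u)}
    bad=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING  $p"
            bad=1
            continue
        fi
        # Group or other write bit: someone other than the owner could
        # replace the key file or the directories leading to it.
        if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "WRITABLE $p (group/other write bit set)"
            bad=1
        fi
        # Each path must belong to the login user or to root.
        if [ -n "$(find "$p" -prune ! -user "$uid" ! -user 0 -print)" ]; then
            echo "OWNER    $p (not owned by uid $uid or root)"
            bad=1
        fi
    done
    return $bad
}

# Run on the target box as the login user, e.g.: sh check.sh "$HOME"
# With no arguments the file only defines the function.
[ $# -eq 0 ] || strict_modes_check "$@"
```

The client-side `ssh -v` output cannot show this cause; the server only answers with the list of methods that can continue, so the check has to be run on the target box.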
# 7  
Old 06-08-2009
Thanks for updating, good information.