ssh-keygen pb

Post by mamani » Tue Sep 27, 2005 12:45 pm

Hi all,
I have to connect via a script to a remote machine using ssh.
The goal is to use keys to avoid typing the password.
The same account is used on both hosts

So I did the following:

Generate the keys (local machine):

    ssh-keygen -t dsa

No passphrase chosen.

Create the .ssh directory in my home (remote host):

    mkdir ~/.ssh

Copy the public key to the remote host (local host):

    cat .ssh/id_dsa.pub | ssh remote_host "cat - >> .ssh/authorized_keys"

And when I try connecting:

    ssh account@remote_host

I obtain this:

OpenSSH_3.9p1, OpenSSL 0.9.7d 17 Mar 2004
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to remote_host.fr [XXX.XXX.XXX.XXX] port 22.
debug1: Connection established.
debug1: identity file /opt/tomcat/.ssh/id_dsa type 2
debug1: identity file /opt/tomcat/.ssh/id_dsa.pub type 2
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.0
debug1: match: OpenSSH_4.0 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.9p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'remote_host.fr' is known and matches the DSA host key.
debug1: Found key in /opt/tomcat/.ssh/known_hosts:3
debug1: ssh_dss_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
=================== Connection to remote_host.fr ====================
 Bienvenue 
==========================================================================

debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /opt/tomcat/.ssh/id_dsa
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Offering public key: /opt/tomcat/.ssh/id_dsa.pub
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
Password:
The system doesn't use the public key and asks for the passwd. :roll:
If anybody has an idea to fix this ...

My ssh_config:

# Host *
#   ForwardAgent no
#   ForwardX11 no
   RhostsRSAAuthentication no
   RSAAuthentication no
   PasswordAuthentication yes
#   HostbasedAuthentication no
#   BatchMode yes
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
   IdentityFile ~/.ssh/id_dsa
   IdentityFile ~/.ssh/id_dsa.pub
   Port 22
#   Protocol 2,1
#   Cipher 3des
#   Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
#   EscapeChar

My sshd_config file:

Port 22
Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6

RSAAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
UsePAM yes

#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10

# no default banner path
#Banner /some/path

# override default of no subsystems
#Subsystem      sftp    /usr/lib/misc/sftp-server
Last edited by mamani on Thu Sep 29, 2005 4:47 am, edited 1 time in total.
Post by limn » Tue Sep 27, 2005 12:58 pm

Try

    .ssh/authorized_keys

instead of

    .ssh/authorized-keys
Post by mamani » Tue Sep 27, 2005 1:16 pm

Oh sorry, on my system it is

    .ssh/authorized_keys

I made a mistake when writing the message :(
Post by limn » Wed Sep 28, 2005 1:04 pm

Means the problem still exists, and your listing above was not accurate?
Your user's $HOME on the remote box is /opt/tomcat and /opt/tomcat/.ssh/authorized_keys has id_rsa.pub from the local box in it?
Post by mamani » Thu Sep 29, 2005 5:01 am

limn wrote: Means the problem still exists, and your listing above was not accurate?

Yes, I have corrected the mistake in the listing now.

limn wrote: Your user's $HOME on the remote box is /opt/tomcat and /opt/tomcat/.ssh/authorized_keys has id_rsa.pub from the local box in it?

Yes, the $HOME is /opt/tomcat, but in .ssh/authorized_keys it is the id_dsa.pub of the local box (.ssh/id_dsa.pub).
Post by limn » Thu Sep 29, 2005 12:39 pm

Aside from this

    IdentityFile ~/.ssh/id_dsa.pub

which should not be in your ssh_config, your configs look ok.

    debug1: Offering public key: /opt/tomcat/.ssh/id_dsa

says ssh found the private key on the local machine and tried to use it.
On the remote machine, as your user, what says

    ls -ld $HOME
    ls -ld $HOME/.ssh
    ls -l $HOME/authorized_keys

The permissions on these must allow only your user to modify them, otherwise ssh skips publickey authentication.
Post by mamani » Mon Oct 03, 2005 9:51 am

limn wrote: Aside from this

    IdentityFile ~/.ssh/id_dsa.pub

which should not be in your ssh_config, your configs look ok.

Ok, corrected!

limn wrote: On the remote machine, as your user, what says

    ls -ld $HOME

drwxr-x---

limn wrote:

    ls -ld $HOME/.ssh

drwxr-x---

limn wrote:

    ls -l $HOME/authorized_keys

I have $HOME/.ssh/authorized_keys instead, and it is -rw-------

limn wrote: The permissions on these must allow only your user to modify them, otherwise ssh skips publickey authentication.

Write permission is in all the cases for owner only. But it doesn't work either :-(
Post by davidblewett » Mon Oct 03, 2005 7:08 pm

mamani wrote:
limn wrote:

    ls -ld $HOME/.ssh

drwxr-x---

limn wrote: The permissions on these must allow only your user to modify them, otherwise ssh skips publickey authentication.

Write permission is in all the cases for owner only. But it doesn't work either :-(

The .ssh directory must have permissions only for the user. So, $HOME/.ssh should be:

    drwx------

As well as all files in the directory.
No guilt in life, no fear in death
this is the power of Christ in me
From life’s first cry to final breath
Jesus commands my destiny
-- Newsboys, "In Christ Alone", "Adoration: The Worship Album"
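The checks the thread works through by hand (directory and file modes, and whether the key really landed in authorized_keys), as an added POSIX shell example that is not from the thread or from OpenSSH. It applies the rule sshd enforces when StrictModes is on (the default, as in the sshd_config above): none of $HOME, ~/.ssh or authorized_keys may be writable by group or others; it then looks for the local public key's base64 blob in authorized_keys. Run it on the remote host as the account that should log in, with a copy of the local id_dsa.pub; the function names, the script name and the sample key in the self-test are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenSSH. Run on the REMOTE host as
# the account that should log in. It checks what the thread probes by hand: the
# StrictModes rule (sshd ignores authorized_keys when it, ~/.ssh or $HOME is
# writable by group or others) and whether the local public key actually made
# it into authorized_keys (a file-name typo or a cut-off copy command leaves it
# missing while "ssh -v" still shows the key being offered).

# writable_by_others PATH -> 0 if group or other has the write bit set.
# Uses ls -ld like the thread: column 6 is group write, column 9 other write.
writable_by_others() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$mode" in
        ?????w*|????????w*) return 0 ;;
    esac
    return 1
}

# key_installed PUBKEY_FILE AUTH_KEYS -> 0 if the key's base64 blob (second
# field of the public key line) appears in AUTH_KEYS.
key_installed() {
    blob=$(awk 'NR == 1 { print $2 }' "$1" 2>/dev/null)
    [ -n "$blob" ] && grep -qF -- "$blob" "$2"
}

# check_pubkey_setup HOME_DIR PUBKEY_FILE -> 0 when sshd (StrictModes yes,
# AuthorizedKeysFile .ssh/authorized_keys) has everything it needs, else 1.
check_pubkey_setup() {
    home=$1 pub=$2 rc=0
    auth="$home/.ssh/authorized_keys"
    for p in "$home" "$home/.ssh" "$auth"; do
        if [ ! -e "$p" ]; then
            echo "MISSING: $p"; rc=1
        elif writable_by_others "$p"; then
            echo "BAD PERMS (StrictModes rejects group/other write): $(ls -ld "$p")"; rc=1
        fi
    done
    if [ -f "$auth" ] && ! key_installed "$pub" "$auth"; then
        echo "NOT INSTALLED: key from $pub is not in $auth"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $auth is usable for publickey authentication"
    return "$rc"
}

# Usage (script name assumed): sh check_pubkey_setup.sh "$HOME" /path/to/copy/of/id_dsa.pub
if [ $# -ge 2 ]; then
    check_pubkey_setup "$1" "$2"
fi
```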
Post by mamani » Tue Oct 04, 2005 5:04 am

davidblewett wrote: The .ssh directory must have permissions only for the user. So, $HOME/.ssh should be:

    drwx------

As well as all files in the directory.

Ok, now .ssh is drwx------ and all the files inside: rw-------
But it still doesn't work :-(
Post by davidblewett » Tue Oct 04, 2005 11:23 am

Try running the server in debug mode, or run it from the command line without detaching as a daemon. That should give some more insight into what the problem is.