topic Re: ssh2 login without password in Operating System - HP-UX

ssh2 login without password

Igor Sovin — Mon, 18 Apr 2005 03:29:23 GMT

Hi
I need to login from my client on HP-UX into server (also HP-UX) without providing password, using ssh2.
I've generated dsa and rsa keys using ssh-keygen on client, then I've created file authorized_keys in /.ssh/ on server, and have copied client's file id_dsa.pub to /.ssh/authorized_keys. As described in manual after that action I would be granted to server without promting password, but
I still get a promt to provide password.
What did I do wrong?

thanx

Re: ssh2 login without password

Tom Ward_1 — Mon, 18 Apr 2005 05:09:41 GMT

Hello Igor,

Try connecting with "ssh -v host". It may give you information about the problem. Also check the permissions on your .ssh directory and the files within. I've seen ssh not trust keys when the permissions are too loose.

Good luck,
Tom

Re: ssh2 login without password

Alex Lavrov. — Mon, 18 Apr 2005 05:09:42 GMT

Here are some good tutorials:
http://www.cvrti.utah.edu/~dustman/no-more-pw-ssh/
http://www.ifi.uio.no/in228/scripting/doc/ssh-no-password.html

Be sure you didn't miss something. Also check ssh configuraion file, sometimes authorized keys file is configured to be "authorized_keys2". I had this problem once, took a while to find.

Re: ssh2 login without password

Joe Harrison_1 — Mon, 18 Apr 2005 10:19:28 GMT

(server)$ cd /home/
(server)$ ssh-keygen -t dsa -f id_dsa
(server)$ cat id_dsa.pub >> .ssh/authorized_keys
(server)$ scp id_dsa @:
(server)$ chmod 750 /home/
(server)$ chmod 700 /home//.ssh
(server)$ chmod 600 /home//.ssh/*
(client)$ cd /home/
(client)$ mv id_dsa .ssh/
(client)$ chmod 750 /home/
(client)$ chmod 700 /home//.ssh/
(client)$ chmod 600 /home//.ssh/*
(client)$ ssh @

Re: ssh2 login without password

Joe Harrison_1 — Mon, 18 Apr 2005 10:21:42 GMT

(server)$ scp id_dsa @:

Re: ssh2 login without password

Igor Sovin — Mon, 18 Apr 2005 23:59:40 GMT

Permissions are okay
I've read the given links, I did exactly the same things as described in these documents.

I did the same om another host with the same OS and same version of Secure Shell, everything worked perfect.
Dont know what to do...

Re: ssh2 login without password

Alex Lavrov. — Tue, 19 Apr 2005 00:51:48 GMT

Did you check in ssh configuration file, that the file for quthorized keys is indeed "authorized_keys" and not "authorized_keys2"?

Re: ssh2 login without password

wip — Tue, 19 Apr 2005 01:13:47 GMT

What Version of SSH are you using ?What is the settings in /etc/sshd_cocnfig file.Do you have a centrlised user authentication software installed.It depends on this

Re: ssh2 login without password

Igor Sovin — Tue, 19 Apr 2005 01:29:09 GMT

version of Secure Shell is A.03.10.007 on client and on server.

Re: ssh2 login without password

Alex Lavrov. — Tue, 19 Apr 2005 01:31:44 GMT

What about settings in sshd config file?

Re: ssh2 login without password

Igor Sovin — Tue, 19 Apr 2005 01:35:21 GMT

my sshd_config

$OpenBSD: sshd_config,v 1.48 2002/02/19 02:50:59 deraadt Exp $

# This is the sshd server system-wide configuration file. See sshd(8)
# for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin:/opt/ssh/bin

# The strategy used for options in the default sshd_config shipped with
# HP-UX Secure Shell is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

#Port 22
#
# WARNING: enabling protocol 1 will cause HP-UX Secure Shell vulnerable
# to security attacks. It is strongly recommended NOT to enable protocol 1.
# Use "2,1" to notify sshd to use version 2 and fall back to version 1 if
# version 2 is not available. The default is "2".
#
Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /opt/ssh/etc/ssh_host_key
# HostKeys for protocol version 2
#HostKey /opt/ssh/etc/ssh_host_rsa_key
#HostKey /opt/ssh/etc/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 3600
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 600
#PermitRootLogin yes
#StrictModes yes

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys

# rhosts authentication should not be used
#RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# For this to work you will also need host keys in /opt/ssh/etc/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
# KerberosAuthentication automatically enabled if keyfile exists
#KerberosAuthentication yes
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# AFSTokenPassing automatically enabled if k_hasafs() is true
#AFSTokenPassing yes

# Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no

# Set this to 'yes' to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt yes

# From A.03.10.005 onwards
X11Forwarding yes
#X11DisplayOffset 10
X11UseLocalhost no
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no

#MaxStartups 10
# no default banner path
#Banner /some/path
#VerifyReverseMapping no

# override default of no subsystems
Subsystem sftp /opt/ssh/libexec/sftp-server

Re: ssh2 login without password

Alex Lavrov. — Tue, 19 Apr 2005 01:58:07 GMT

AS I thought:
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys

This section is commented, so sshd ignore authorized_key file.

Uncomment it and restart sshd.

Re: ssh2 login without password

Andrew Cowan — Tue, 19 Apr 2005 02:00:58 GMT

Check that both hosts know one another by the names that you think they do. Ssh into the target box and do a "whoami" and ensure that the hostname supplied is exactly the same as the one in "authorized_keys" because if it doesn't then SSH assumes you don't have a public key.

The other major problem is when you inadvertantly put carriage returns into the "authorized_keys" file.

Re: ssh2 login without password

Ermin Borovac — Tue, 19 Apr 2005 02:01:49 GMT

To test if it's permission problem set StrictModes parameter in sshd_config to 'no' or run sshd as follows.

# sshd -p 22222 -o'StrictModes no'
# ssh -p 22222

If that works then you know that directory permissions are incorrect and you can troubleshoot further.

Re: ssh2 login without password

Nguyen Anh Tien — Tue, 19 Apr 2005 02:34:33 GMT

You need to refer these links:
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=244540

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=822731

tienna

Re: ssh2 login without password

Igor Sovin — Tue, 19 Apr 2005 04:47:36 GMT

Uncommenting the sections adviced above didnt help

Hosts know each other and file known_hosts is ok.

the output of # sshd -p 22222 -o'StrictModes no' gave nothing

my ssh passwordless connection seems to be big problem ... hm, so why on other hosts everything is ok, configurations of ssh, permissions, etc. are the same.
I wonder what the problem could be?

Re: ssh2 login without password

Alex Lavrov. — Tue, 19 Apr 2005 04:55:12 GMT

Did you restart sshd? (kill -1 )

Re: ssh2 login without password

Igor Sovin — Tue, 19 Apr 2005 05:00:15 GMT

yes, I restarted sshd

Re: ssh2 login without password

Ermin Borovac — Tue, 19 Apr 2005 19:07:37 GMT

Does account you are trying to login to have a password assigned (i.e. can you telnet to it)? If it has '*' in encrypted password field you won't be able to do passwordless ssh login as it will consider account as locked.

I suggest you check your permissions again. Not only on $HOME but also on all parent directories and /tmp. For example if $HOME is /home/ you should make sure that

/ and /home are owned by root and not group/world writable (e.g. 755)
/tmp should be 1777
/home/ and /home//.ssh are owned by and not group/world writable
None of the files in /home//.ssh should be group/world writable.

Re: ssh2 login without password

Igor Sovin — Tue, 19 Apr 2005 21:41:11 GMT

Thank you all for answers!

The problem was so stupid, user account on server was deactivated due to 3 unsuccessful login attempts.
I reactivated it and everything gone wright.