topic Re: Trusted rlogin between HPUX boxes using ssh in Operating System - HP-UX

Trusted rlogin between HPUX boxes using ssh

hp_user_1 — Mon, 29 Aug 2005 10:35:08 GMT

Hi,

I have a user account that always uses ssh to login to hpux 11i boxes. He wants to do ssh between the boxes without entering his password. I know for rlogin you require an entry either in $HOME/.rhosts file or /etc/hosts.equiv.

What do I need to do in this case.

Points will be awarded...

Thanks

Re: Trusted rlogin between HPUX boxes using ssh

Steven E. Protter — Mon, 29 Aug 2005 10:50:05 GMT

Different procedure. I'm attaching a link to a powerpoint on the subject I never got to give at HP World.

www.hpuxconsulting.com/5004.ppt

Also a word doc that is more succint.

SEP

Re: Trusted rlogin between HPUX boxes using ssh

Rick Garland — Mon, 29 Aug 2005 10:50:13 GMT

There are numerous posts on this subject. I did a search for "ssh logins no password" and many matches - some with attached HOWTOs and some just providing troubleshooting.

As an example, check out this post I found from the search. Has some attachment as well as tutorials.

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=859024

Re: Trusted rlogin between HPUX boxes using ssh

CSG Office — Mon, 29 Aug 2005 11:37:04 GMT

Asghar,

The basic procedure is to create an ssh key pair, putlic and private. You will put one key on the server and one key on the client. The advantage over rsh and rlogin is that the session is still encrypted. You would be better off following a howto on this or reading through the man pages.

Re: Trusted rlogin between HPUX boxes using ssh

hp_user_1 — Tue, 30 Aug 2005 11:23:13 GMT

The requirement is changed a little bit.

I want to login as user1 on server1 and then ssh into server2 as user2 without entering either user1 or user2's password. I also want the reverse of it.

How can I achieve that.

Thanks

Re: Trusted rlogin between HPUX boxes using ssh

Q4you — Tue, 30 Aug 2005 11:36:08 GMT

by reading the manual ( LOL, just kidding)

Re: Trusted rlogin between HPUX boxes using ssh

hp_user_1 — Tue, 30 Aug 2005 14:53:45 GMT

Hello,,, Any help.....

Re: Trusted rlogin between HPUX boxes using ssh

Rick Garland — Tue, 30 Aug 2005 15:04:48 GMT

The document attached with a prior post, this will explain how you set up 'keys'.

By generating keys and sharing these keys with the various servers (and for the various users on these servers) you can have the password prompt omitted.

As a simplified example;
Doing an ssh as user1 to server1. Assuming the start is from a Linux desktop system. You will generate keys, public and private, on the Linux system. The public key you will share with server1 for user1. Once this share is comfigured and complete you can ssh login without a passwd from Linux desktop to server1 as user1.

Same concept with user2/server2.

Again, this is a very simplified example. Read the attachment from earlier post by SEP.
Also good tutorials/attachments with the post I put up.

Re: Trusted rlogin between HPUX boxes using ssh

hp_user_1 — Tue, 30 Aug 2005 15:23:22 GMT

Hi,

I did the setup and it worked for user1:server1 to user1:server2.

What I want now is "user1" from server1 ssh'ing as "user2" into server2 which means:

server1:user1> ssh server2 -l user2

It always prompt me for user2 password which I don't want.

Thanks

Re: Trusted rlogin between HPUX boxes using ssh

Rick Garland — Tue, 30 Aug 2005 15:24:44 GMT

When you generated the key for user1, place a copy of this public key for user1 onto the server2 in the user2:$HOME/.ssh directory.

Re: Trusted rlogin between HPUX boxes using ssh

CSG Office — Wed, 31 Aug 2005 06:36:27 GMT

Asqhar,

I think the previous post is correct, but I think you will have to add the user name to the ssh command. Once you login as user1, instead of "ssh server2" use "ssh user2@server2". Then with key pair in user1@server1 and user2@server2, it should work. Otherwise, server2 will look for keys under user1's profile.

Re: Trusted rlogin between HPUX boxes using ssh

Raj D. — Wed, 31 Aug 2005 06:47:24 GMT

The short answer will be , to setup ssh-keygen , and will need to copy the id_dsa.pub file to the other server , to allow without password.

Cheers ,
Raj.

Re: Trusted rlogin between HPUX boxes using ssh

hp_user_1 — Wed, 31 Aug 2005 12:58:13 GMT

I have successfully setup for 9 out of 10 to login from serverA to serverB and vice versa. There is one user account for which I have done the same stuff multiple times and each time it prompts for the password. Not sure why...

Any ideas........

Re: Trusted rlogin between HPUX boxes using ssh

RAC_1 — Wed, 31 Aug 2005 13:04:10 GMT

For that user , post
ssh -vvvv from client
and
sshd -ddd from server

Re: Trusted rlogin between HPUX boxes using ssh

hp_user_1 — Wed, 31 Aug 2005 13:10:23 GMT

Client output:

-> ssh -vvvv yyzgui@ppccii1
OpenSSH_3.9, OpenSSL 0.9.7d 17 Mar 2004
HP-UX Secure Shell-A.03.91.002, HP-UX Secure Shell version
debug1: Reading configuration data /opt/ssh/etc/ssh_config
debug3: Seeding PRNG from /opt/ssh/libexec/ssh-rand-helper
debug2: ssh_connect: needpriv 0
debug1: Connecting to ppccii1 [199.81.76.241] port 22.
debug1: Connection established.
debug1: identity file /opt/fedex/ccii/.ssh/id_rsa type -1
debug3: Not a RSA1 key file /opt/fedex/ccii/.ssh/id_dsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /opt/fedex/ccii/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.9
debug1: match: OpenSSH_3.9 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.9
debug2: fd 4 setting O_NONBLOCK
debug3: RNG is ready, skipping seeding
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-gro
up14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-c
tr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-c
tr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@open
ssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@open
ssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-gro
up14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-c
tr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,
aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-c
tr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@open
ssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@open
ssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 118/256
debug2: bits set: 520/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /opt/fedex/ccii/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug3: check_host_in_hostfile: filename /opt/fedex/ccii/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug1: Host 'ppccii1' is known and matches the RSA host key.
debug1: Found key in /opt/fedex/ccii/.ssh/known_hosts:1
debug2: bits set: 519/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /opt/fedex/ccii/.ssh/id_rsa (00000000)
debug2: key: /opt/fedex/ccii/.ssh/id_dsa (4002e590)
debug1: Authentications that can continue: publickey,password,keyboard-interacti
ve
debug3: start over, passed a different list publickey,password,keyboard-interact
ive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /opt/fedex/ccii/.ssh/id_rsa
debug3: no such identity: /opt/fedex/ccii/.ssh/id_rsa
debug1: Offering public key: /opt/fedex/ccii/.ssh/id_dsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interacti
ve
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:

Server output:
# /usr/sbin/sshd -ddd
debug3: Seeding PRNG from /opt/ssh/libexec/ssh-rand-helper
debug2: load_server_config: filename /opt/ssh/etc/sshd_config
debug2: load_server_config: done config len = 244
debug2: parse_server_config: config /opt/ssh/etc/sshd_config len 244
debug1: sshd version OpenSSH_3.9 [ HP-UX Secure Shell-A.03.91.002 ]
debug3: Not a RSA1 key file /opt/ssh/etc/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug3: Not a RSA1 key file /opt/ssh/etc/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-ddd'
debug2: fd 4 setting O_NONBLOCK
debug1: Bind to port 22 on 0.0.0.0.
Bind to port 22 on 0.0.0.0 failed: Address already in use.
Cannot bind any address.
<>
#

FYI