topic Re: Another SSH issue in Operating System - HP-UX

Another SSH issue

Karen Birkelbach — Mon, 27 Apr 2009 20:54:29 GMT

I have a user (oracle) that would like to ssh to all of the oracle servers from one server. I have generated the RSA and DSA key pairs for the account on the primary server and copied the public keys to the authorized_keys file on each of the servers. There are some systems that still require a password. The ones that work without the password are 11.23 boxes, as is the one primary. The ones still requiring a password are 11.11 servers. I have looked at permissions on the directories and files, modeled it completely after one of the working clients. I have even upgraded to the latest version of SSH on both 11.11 and 11.23, so they are matching versions. I've verified that "UsePAM" is set to yes and uncommented in the sshd_config file.

On the HP-UX 11.11 server:
# ssh -V
OpenSSH_5.1p1+sftpfilecontrol-v1.2-hpn13v5, OpenSSL 0.9.8j 07 Jan 2009
HP-UX Secure Shell-A.05.10.045, HP-UX Secure Shell version

On the HP-UX 11.23 server:
# ssh -V
OpenSSH_5.1p1+sftpfilecontrol-v1.2-hpn13v5, OpenSSL 0.9.8j 07 Jan 2009
HP-UX Secure Shell-A.05.10.046, HP-UX Secure Shell version

I'm not sure what else to check at this point.

Re: Another SSH issue

Steven Schweda — Mon, 27 Apr 2009 22:14:23 GMT

> Another SSH issue

Is that anything like a _problem_?

> [...] the RSA and DSA key pairs [...]

Both? Why both? Which one(s) are you using?

The usual next step is to run comparisons
between working and non-working commands with
some diagnostics enabled:

ssh -v [...]

What's in the users' ".ssh" directories?

> [...] I have looked at permissions [...]

I'm glad that you're happy. Sadly, my
psychic powers are too weak to tell me what
you saw, so I don't know if your joy is
justified. As usual, showing actual commands
with their actual output can be more helpful
than vague descriptions.

Looking at the server log files can also be
informative.

A Forum search for "ssh" should find many
examples of similar experiences.

Re: Another SSH issue

Mark Fenton — Mon, 27 Apr 2009 22:26:57 GMT

That's interesting. I use RSA/DSA key authentication on SSH in 11.11 environment (trusted server) with no problems.
Does it work the other way around? I.e. can mr oracle ssh to the 11.23 server FROM the 11.11 using just the trusted key?

Re: Another SSH issue

OldSchool — Mon, 27 Apr 2009 23:47:25 GMT

running the daemon in debug mode on the server(s) one or more of the servers might shed some light on the issue (sshd -ddd_, as would running the client in debug (ssh -vvv).

In addition, you can use the "-p " to run both on otherwise unused port so it won't interfere w/ the daemon already running.

one note, permissions on the authorized_keys file *and its parent directory* are critical.

Re: Another SSH issue

Karen Birkelbach — Tue, 28 Apr 2009 12:57:18 GMT

Mr. Schweda, instead of being snotty about not having enough information, just ask for what you want. As it is, your suggestion to check the logs was the reminder that I needed. I determined that the home directory permissions were incorrect for password-less login.

Mark, I was able to go server-to-server in reverse.

O.S. - Thanks for the suggestion, that would have been my next step.

I just need to remember to check those logs!

Re: Another SSH issue

Steven Schweda — Tue, 28 Apr 2009 17:22:27 GMT

> [...] instead of being snotty [...]

Instead of getting all huffy, try to put
yourself in the position of the reader, who
can't read your mind, and who doesn't know if
you know what you're talking about. It
remains true that "showing actual commands
with their actual output can be more helpful
than vague descriptions."

Note that if you _really_ knew what you
were talking about, you might not be asking
questions in this forum, which makes any
evidence-free conclusions presented here
immediately (and reasonably) suspect.

Re: Another SSH issue

Karen Birkelbach — Tue, 28 Apr 2009 17:51:08 GMT

quoting...
Instead of getting all huffy, try to put
yourself in the position of the reader, who
can't read your mind, and who doesn't know if
you know what you're talking about. It
remains true that "showing actual commands
with their actual output can be more helpful
than vague descriptions."

Note that if you _really_ knew what you
were talking about, you might not be asking
questions in this forum, which makes any
evidence-free conclusions presented here
immediately (and reasonably) suspect.
not quoting...

You know, people come here looking for help, not to get blasted. For your information, I was following the instructions I found in the forum archives. Forgive me for not telling you that I had. When you're in a situation of thinking of many things, sometimes things fall through the cracks. The reaction was to your attitude. All I'm asking is that you be more compassionate instead of denigrating to people in a bind. Lucky for you try to be a forgiving person. You almost got 0 points for that attitude.

Re: Another SSH issue

Karen Birkelbach — Tue, 28 Apr 2009 17:51:57 GMT

Permissions on the user home directory were wrong, which I discovered after looking at the syslog on the affected system.

Re: Another SSH issue

Steven Schweda — Tue, 28 Apr 2009 18:19:03 GMT

> You almost got 0 points for that attitude.

I'd almost care.

Re: Another SSH issue

Steven Schweda — Tue, 28 Apr 2009 18:25:29 GMT

My point, in case you missed it, was that "I
have looked at permissions" was misleading
rather than useful, and I explained why.

> Permissions [...] were wrong [...]

See?

Re: Another SSH issue

Paul Maglinger — Tue, 28 Apr 2009 19:51:46 GMT

Don't feel too bad about it Karen. He treats everyone that way, and the moderator's don't care.

Re: Another SSH issue

Steven Schweda — Tue, 28 Apr 2009 20:59:13 GMT

The moderators don't care about misuse of
apostrophes, either, but it bothers me
tremendously. Not as much as problem
descriptions which lack obviously important
information, but tremendously, even so.

Re: Another SSH issue

Paul Maglinger — Wed, 29 Apr 2009 12:00:36 GMT

From the forum overview:

Are there rules of conduct I must adhere to?
The Support Forums community is a valued area with well-behaved members. Everyone benefits from a positive experience. So, HP encourages active and open discussions among the community members, but do insist that conduct is civil - be it posting a message or emailing another member. You may not use or allow others to use your registration membership to:

1. Post or transmit any content that is abusive, vulgar, obscene, hateful, fraudulent, threatening, harassing, defamatory, or which discloses private or personal matters concerning any person.