topic Re: ssh authorized_keys not working in Operating System - HP-UX

ssh authorized_keys not working

CRollins — Mon, 22 Oct 2007 12:54:25 GMT

i have authorized keys set up between 2 servers for the root and oracle accounts. the ssh connection is working 3 of the 4 ways without a passwd. i.e.

ssh is working without a passwd ...
root server1 to root server2
root server2 to root server1
oracle server2 to oracle server1

ssh is not working ...

oracle server1 to oracle server2

all of the keys have been set up and copied exactly the same way. i have also regenerated the key and redone the process multiple times for that account. i have checked filesystem permissoins. And i have verified the sshd_config file is the same on both servers.

This is driving me absolutely nuts. Please help!

Re: ssh authorized_keys not working

Patrick Wallek — Mon, 22 Oct 2007 13:01:04 GMT

Try doing an 'ssh -v' or 'ssh -vvv' between server1 and server2 as oracle and see what errors come up.

Generally ssh not working is due to permissions being too open on the home directory, the .ssh dir in the home directory or the files in the .ssh dir.

Re: ssh authorized_keys not working

CRollins — Mon, 22 Oct 2007 13:04:01 GMT

$ ssh -v server2
OpenSSH_4.5p1+sftpfilecontrol-v1.1-hpn12v14, OpenSSL 0.9.7l 28 Sep 2006
HP-UX Secure Shell-A.04.50.003, HP-UX Secure Shell version
debug1: Reading configuration data /opt/ssh/etc/ssh_config
debug1: Connecting to kdippi2 [166.20.121.29] port 22.
debug1: Connection established.
debug1: identity file /u01/app/oracle/.ssh/id_rsa type 1
debug1: identity file /u01/app/oracle/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.5p1+sftpfilecontrol-v1.1-hpn12v14
debug1: match: OpenSSH_4.5p1+sftpfilecontrol-v1.1-hpn12v14 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.5p1+sftpfilecontrol-v1.1-hpn12v14
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'kdippi2' is known and matches the RSA host key.
debug1: Found key in /u01/app/oracle/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /u01/app/oracle/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Trying private key: /u01/app/oracle/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
Password:

Re: ssh authorized_keys not working

Patrick Wallek — Mon, 22 Oct 2007 13:06:35 GMT

Hmm...Not much there. Check /var/adm/syslog/syslog.log on server2 for any ssh related errors.

Re: ssh authorized_keys not working

CRollins — Mon, 22 Oct 2007 13:12:56 GMT

do you know what the permissions should be?

Oct 22 14:13:37 server1 sshd[2761]: Authentication refused: bad ownership or modes for directory /u01/app/oracle

Re: ssh authorized_keys not working

Patrick Wallek — Mon, 22 Oct 2007 13:28:40 GMT

Compare to the permissions for the oracle dir between server1 and server2. Since it appears that server2 to server1 works, try setting the permissions on server2 to the same as server1.

Re: ssh authorized_keys not working

Doug O'Leary — Mon, 22 Oct 2007 15:07:54 GMT

Hey;

permissions should be

no more than 755 for ${HOME}
700 for ~/.ssh and
no more than 644 for ~/.ssh/authorized_keys

Oracle installations tend to use 775 for directories and 664 for files as it allows dba group write access. That will prevent ssh/PKA from working.

Doug

Re: ssh authorized_keys not working

Tim Nelson — Mon, 22 Oct 2007 16:57:48 GMT

All the above and...

/var/adm/syslog/syslog.log does a good job at pointing out the ssh issues if any. Especially if the home directory permissions are wrong.