topic Re: SFTP without prompting a password in Operating System - HP-UX

SFTP without prompting a password

Dewa Negara_4 — Mon, 06 Sep 2004 01:08:11 GMT

Hi All,

Pls help. My customer's requesting to use SFTP to transfer some files regularly from serverA to serverB using a simple script. Because public/private keys policy is not so clear in my company, so we avoid to use public/private keys. Is there any way to use SFTP without prompting a password except using public/private key? FYI that I have tried to use .netrc, but it seems like .netrc is only for ftp and it is not applicable for sftp.

Please help. High score will be given.

Thanks and Best Regards,
Negara

Re: SFTP without prompting a password

Muthukumar_5 — Mon, 06 Sep 2004 01:26:05 GMT

We can do this with hosts.equiv file (.shosts) as,

First, if the machine the user logs in from is listed in
/etc/hosts.equiv or /opt/ssh/etc/shosts.equiv on the remote machine,
and the user names are the same on both sides, the user is immediately
permitted to log in. Second, if .rhosts or .shosts exists in the
user's home directory on the remote machine and contains a line
containing the name of the client machine and the name of the user on
that machine, the user is permitted to log in. This form of
authentication alone is normally not allowed by the server because it
is not secure.

Make a setup as,

machine1:

/etc/hosts.equiv
remote-hostname user

If you are trying for root then,

/.shosts
remote-hostname root

Change the permission to 400

Do it on both side to make it possible.

We can use .netrc for ftp not for sftp.

Why don't you prefer scp instead of sftp ??
It is easy to handle more.

Regards
Muthu

Re: SFTP without prompting a password

Dewa Negara_4 — Mon, 06 Sep 2004 02:00:12 GMT

Hi Muthu,

Thanks alot. I have tried to configure
like below, but when I tried to run #ssh sihp8012 from sihp8029, it's still prompting a password. Can you pls help? Is there any wrong configuration on the setup below?

Thanks alot.
Negara

[root@sihp8012:/home/ap1030]
# more .shosts
sihp8029 ap1030

[root@sihp8012:/home/ap1030]
sihp8029 ap1030

[root@sihp8012:/home/ap1030]
# cd /opt/openssh/etc

[root@sihp8012:/opt/openssh/etc]
# more shosts.equiv
sihp8029 ap1030

[root@sihp8012:/opt/openssh/etc]
# ll shosts.equiv
-r-------- 1 root sys 16 Sep 6 14:48 shosts.equiv

[root@sihp8012:/opt/openssh/etc]
# ll /home/ap1030/.shosts
-r-------- 1 ap1030 other 42 Sep 6 14:51 /home/ap1030/.shosts

[root@sihp8012:/opt/openssh/etc]
# ll /etc/hosts.equiv
-rw------- 1 root sys 106 Sep 6 14:42 /etc/hosts.equiv

Re: SFTP without prompting a password

Sridhar Bhaskarla — Mon, 06 Sep 2004 02:05:22 GMT

Hi Negara,

If you are going to use .shosts/.rhosts or .netrc (there is nothing exists) for sftp, you are compromising atleast 50% of the security provided by openssh. Make sure shosts/rhosts authentication is enabled in sshd_config of the remote system.

It's very easy to setup public/private key authentication. Just two steps. Generate the public/private key pair and copy it as authorized_keys on the other server) If you doing sftp from serverA to serverB, then do the following for DSA authentication.

on serverA run

$cd (to go back to the home directory)
$ll .ssh
See if you have a file called id_dsa.pub. If so, then skip the ssh-keygen step.
$ssh-keygen -t dsa -N ""

$cd .ssh

Logon to serverB
$cd .ssh
$cat id_dsa.serverA >> authorized_keys

Ensure the permissions are proper (atleast 755 on the user's home direcotry and 700 on .ssh directory under it)

From server A try

$sftp serverB

This shouldn't prompt for the password.

You can use scp instead of sftp. That will be helpful if you have to copy subdirectories too.

-Sri
$

Re: SFTP without prompting a password

Dewa Negara_4 — Mon, 06 Sep 2004 02:44:18 GMT

Hi Sridhar,

Thanks alot. We do not use public/private keys for now since there is now policy generated yet. So for the temporary solution, we just use .shosts/.rhosts. May I know the details steps how to configure .shosts/.rhosts? and what is the parameter on sshd_config that need to be enable? is it "IgnoreRhosts no"? Since I have tried it already, but it still prompting a password when I run sftp.

Pls help.

Thanks and Best Regards,
Dewa

Re: SFTP without prompting a password

Sridhar Bhaskarla — Mon, 06 Sep 2004 04:30:01 GMT

Hi Negara,

Try generating the debugging information. If ssh works, then scp and sftp will work, so try

ssh -vvv serverB

and post the information you have. The following are the options for sshd_config

RhostsRSAAuthentication yes
RhostsAuthentication yes
IgnoreRhosts no
HostbasedAuthentication yes

for ssh_config (you can override them with command line options)

RhostsAuthentication yes
RhostsRSAAuthentication yes
EnableSSHKeysign yes

You can determine what is missing by looking at the ssh -vvv output.

-Sri

Re: SFTP without prompting a password

Michael Selvesteen_2 — Fri, 13 Nov 2020 12:21:20 GMT

Refer the following link for Hostbased authentication set up

http://64.233.167.104/search?q=cache:93jZuVpfJ14J:acs.ucsd.edu/info/ssh.php+rhosts+shosts+file&hl=en

-> set your .shosts (.rhosts) file permission to 0644.

Trying first with ip address in these files may also help.

Refer the following link for debugging

http://64.233.167.104/search?q=cache:GQP3k-bB6PgJ:hepunx.rl.ac.uk/BFROOT/www/Computing/Online/EventProc/docs/shosts-instructions.html+rhosts+shosts+file&hl=en

http://www.snailbook.com/faq/general-debugging.auto.html

But I am echoing, this method has potential security breach and subjectable to ipspoofing, dns spoofing.,so be heedful

All the best

Re: SFTP without prompting a password

Muthukumar_5 — Mon, 06 Sep 2004 05:34:57 GMT

Hai Negra,

What is your openssh version? Is it 3.1? I hope there is Rhostsauthentication disabled.

I have tried on that and default it is disabled.

If you want to use other than key transcation then using shosts is the only usage and we have to loose some secutiry there.

Why don't we go for r* commands with almost secured way as,

Allowing only r* calls between two machines for the exact user as,

If you are tying for root then,

machine1:
/.rhosts
machine2 root

chmod 400 /.rhosts

Do the same on machine2.

IF you are trying for non-root users then,

machine1:
/etc/hosts.equiv
machine2

Do the same on machine2

It will restict only between two machines and for that user only. Permission 400 will be effective so that other's can not change it.

You can now transfer files with rcp (very fastly )..

Re: SFTP without prompting a password

Dewa Negara_4 — Mon, 06 Sep 2004 22:35:40 GMT

Hi Sridhan,

Thanks alot.

Below is my configuration.

[root@sihp8044:/home/ap1030]
# more .shosts
sihp8029 ap1030

[root@sihp8044:/home/ap1030]
# more .rhosts
sihp8029 ap1030

[root@sihp8044:/home/ap1030]
# ll .shosts
-r-------- 1 ap1030 other 16 Sep 7 12:18 .shosts

[root@sihp8044:/home/ap1030]
# more /etc/hosts.equiv
sihp8029 ap1030

When I tried to sftp from sihp8029 to sihp8044 as below :

[ap1030@sihp8029:/home/ap1030]
$ sftp -vvv sihp8044
Connecting to sihp8044...
OpenSSH_3.7.1p2, SSH protocols 1.5/2.0, OpenSSL 0.9.7c 30 Sep 2003
debug1: Reading configuration data /opt/openssh-3.7.1p2/etc/ssh_config
debug3: Seeding PRNG from /opt/openssh-3.7.1p2/libexec/ssh-rand-helper
debug2: ssh_connect: needpriv 0
debug1: Connecting to sihp8044 [155.126.81.5] port 22.
debug1: Connection established.
debug1: identity file /home/ap1030/.ssh/id_rsa type -1
debug1: identity file /home/ap1030/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.7.1p2
debug1: match: OpenSSH_3.7.1p2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.7.1p2
debug3: RNG is ready, skipping seeding
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 123/256
debug2: bits set: 1622/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /home/ap1030/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 3
debug3: check_host_in_hostfile: filename /home/ap1030/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 3
debug1: Host 'sihp8044' is known and matches the RSA host key.
debug1: Found key in /home/ap1030/.ssh/known_hosts:3
debug2: bits set: 1598/3191
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/ap1030/.ssh/id_rsa (00000000)
debug2: key: /home/ap1030/.ssh/id_dsa (00000000)
debug1: Authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug3: start over, passed a different list publickey,password,keyboard-interactive,hostbased
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/ap1030/.ssh/id_rsa
debug3: no such identity: /home/ap1030/.ssh/id_rsa
debug1: Trying private key: /home/ap1030/.ssh/id_dsa
debug3: no such identity: /home/ap1030/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug3: userauth_kbdint: disable: no info_req_seen
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred:
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
ap1030@sihp8044's password:

Is there anything missing?

Thanks alot for your help.

Best Regards,
Negara

Re: SFTP without prompting a password

Dewa Negara_4 — Mon, 06 Sep 2004 22:39:04 GMT

Sridhan,

I forgot to attach sshd_config and ssh_config.

[root@sihp8044:/opt/openssh/etc]
# cat sshd_config
# $OpenBSD: sshd_config,v 1.65 2003/08/28 12:54:34 markus Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/usr/sbin:/opt/openssh-3.7.1p2/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /opt/openssh/etc/ssh_host_key
# HostKeys for protocol version 2
#HostKey /opt/openssh/etc/ssh_host_rsa_key
#HostKey /opt/openssh/etc/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys

# For this to work you will also need host keys in /opt/openssh/etc/ssh_known_hosts
#RhostsRSAAuthentication no
RhostsRSAAuthentication yes
# similar for protocol version 2
#HostbasedAuthentication no
HostbasedAuthentication yes
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
IgnoreRhosts no

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCreds yes

# Set this to 'yes' to enable PAM authentication (via challenge-response)
# and session processing. Depending on your PAM configuration, this may
# bypass the setting of 'PasswordAuthentication'
#UsePAM yes

#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem sftp /opt/openssh-3.7.1p2/libexec/sftp-server

Protocol 2
PermitRootLogin no
X11Forwarding yes
UsePrivilegeSeparation no

PrintMotd no

[root@sihp8044:/opt/openssh/etc]
# cat ssh_config
# $OpenBSD: ssh_config,v 1.19 2003/08/13 08:46:31 markus Exp $

# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for various options

# Host *
# ForwardAgent no
# ForwardX11 no
# RhostsRSAAuthentication no
RhostsRSAAuthentication yes
# RSAAuthentication yes
# PasswordAuthentication yes
# HostbasedAuthentication no
HostbasedAuthentication yes
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# Port 22
# Protocol 2,1
# Cipher 3des
# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
# EscapeChar ~

Protocol 2
Cipher blowfish-cbc
Ciphers blowfish-cbc

Re: SFTP without prompting a password

Sridhar Bhaskarla — Tue, 07 Sep 2004 20:47:49 GMT

Hi Negara,

Looks like your problem hasn't been solved yet. I agree that it is painful to configure ssh to work with .rhosts/.shosts. I am rather happy about it ;-).

All your problems can be easily solved by public/private key authentication which is more secured than others. I don't know why you are so reluctant about it.

I guess you are almost there. Try overriding preferred authentications options by running

ssh -vvv -o "PreferredAuthentications hostbased" your_host

and see if it works. If it logs you in without password, then sftp will work. Use it with the same options. Otherwise post the output again.

-Sri