topic Re: Disabling passwd for SSH in Operating System - HP-UX

Disabling passwd for SSH

Chern Jian Leaw — Wed, 01 Jan 2003 11:13:23 GMT

HI,

I'm running SSH on a HP11.0 machine of version:
F-Secure SSH 2.4.0 (build 12) on hppa1.1-hp-hpux11.00

However, I keep getting passwd prompts whenever I try connecting into another HP11 machine with SSH of the same version installed.
The output is as below:

pghc0001[11]% ssh pglc0050
Host key not found from database.
Key fingerprint:
xesek-selut-gerev-dosyg-sicot-pepim-rituh-rikak-tuhyn-fynig-fyxex
You can get a public key's fingerprint by running
% ssh-keygen -F publickey.pub
on the keyfile.
Are you sure you want to continue connecting (yes/no)? y
Please answer 'yes' or 'no': yes
Host key saved to /home/cs/ken_lee/.ssh2/hostkeys/key_22_pglc0050.pub
host key for pglc0050, accepted by ken_lee Wed Jan 01 2003 10:26:43
ken_lee's password:
Authentication successful.
Last login: Fri Aug 30 2002 09:17:04 +0800 from tigger.willowglen.com
No mail.
SOURCING /home/cs/environment/cshrc
SOURCING /home/cs/environment/login
pglc0050[1]%

I've tried disabling the following attributes in the files ssh2_config and sshd2_config, but it had still prompted for a password:
1)ssh2_config
#PasswordPrompt "%U@%H's passwd: "
#PasswordPrompt "%U's password: "

#AllowedAuthentications publickey, password
#AllowedAuthentications hostbased,publickey,
password

2)sshd2_config
#AllowedAuthentications hostbased,publickey,
password
#AllowedAuthentications publickey,pam-1@ssh.com
#AllowedAuthentications publickey, password
#RequiredAuthentications publickey,password

I've even tried, on a desperate attempt, adding the machines and usernames in .rhosts file on both machines, but that failed too.

In the case when public keys, host keys and fingerprint were already generated, it had still prompted for a passwd as below:
pglc0050[1]%ssh snoopy
ken_lee's password:

I was wondering if there are ways to disable the passwd prompt when a user logs into another machine with SSH?

Could someone kindly help me out?

Thanks

Re: Disabling passwd for SSH

avsrini — Thu, 02 Jan 2003 01:59:36 GMT

Hi Chern,
I dont know about F-Secure,
But we are using HP-UX Secure Shell, A.03.10.002. (T1471AA)
You can download this from the depot site of hp.

Here you have to create keys for each user with ssh-keygen and copy these id files to remote host. It will allow you to login to remote host without password.

If u need detail procedure about this, let me know.

Srini.

Re: Disabling passwd for SSH

Sridhar Bhaskarla — Thu, 02 Jan 2003 02:46:19 GMT

Hi,

ssh-keygen -t dsa(or rsa) -C "" -N ""

Append your_home/.ssh/id_dsa.pub (ex., dsa) to the other host into your_home/.ssh/authorized_keys

If you are sure that you copied the public key properly to the other system into authorized_keys file, then the other thing that I can think of is to check if "strictmodes" is set to yes on the remote server. Look at the sshd_config and see if it is set to yes. If that is case, then you have to keep strict permissions (750 max) on the home directory.

TO find more details, run "sshd" in debug mode on the remote server. kill sshd and run it manually with the command

#sshd -d

Observe the debugged output generated while you connect through ssh. YOu should be able to find the reason.

-Sri

Re: Disabling passwd for SSH

Wilfred Chau_1 — Thu, 02 Jan 2003 03:01:55 GMT

1) put the public key generated on pglc0050 onto pghc0001's ~/.ssh2

2) put the public key file name into ~/.ssh2/authorization

Something like
Keys pglc0050.pub

3) Save file
4) try connect from pglc0050 to pghc0001 again

Re: Disabling passwd for SSH

Steven E. Protter — Thu, 02 Jan 2003 05:09:11 GMT

Srinivasan A

I'd like to see the procedure. I want to use scp to replace rcp

Thanks.

Steve

Re: Disabling passwd for SSH

Chern Jian Leaw — Thu, 02 Jan 2003 06:30:44 GMT

Srinivasan

Could you provide the procedure on how to have the keys for each user created with ssh-keygen?

This is because I have about 100 client machines with F-secure version of SSH installed.

Appreciate it if you could show the procedure required.

Thanks

Re: Disabling passwd for SSH

Chern Jian Leaw — Thu, 02 Jan 2003 06:33:39 GMT

Re: Disabling passwd for SSH

Chern Jian Leaw — Thu, 02 Jan 2003 06:38:25 GMT

Re: Disabling passwd for SSH

Darrell Allen — Thu, 02 Jan 2003 15:39:38 GMT

Do you have F-Secure's SSH User's and Administrator's Guide? There's a good section in it on using public-key authentication.

Here's an overview of the steps you need to take:

-Generate a key pair with ssh-keygen2 on the client system.

-Create a file named "identification" in your $HOME/.ssh2 directory. The file must contain a line with the name of the key you want to use. Example:
IdKey id_dsa_1024_a

-Copy your public key to the remote host and place it in your $HOME/.ssh2 directory

-On the remote host, create a file named "authorization" in you $HOME/.ssh2 directory. It must contain a line with the name of the public key that matches what you specified on the client. Example:
Key id_dsa_1024_a.pub
This file is case sensitive so "Key" must have a capitol "K".

The above process must be done for each user. You may want to use a unique name for your keys. I like the format: user@host

Be sure you uncomment the following in the client's ssh2_config and the server's sshd2_config:
AllowedAuthentications publickey, password
That allows users to ssh with a key or a password.

When using keys, you have 2 methods for ssh'ing without the requirement of specifying a password or a passphrase. The first method is to specify a null passphrase. Do this with "ssh-keygen2 -P". This is not the most secure method because if you private key is stolen, whoever has it can ssh in.

The more secure method is to generate the key with a passphrase and then utilize ssh-agent2 and ssh-add2. ssh-agent2 should be executed on the client system before you attempt to ssh to the server. Then you run ssh-add2 to input the passphrase for the key you are using.

You really should read the User's and Administrator's Guide. Hopefully what I've written is enough to get you started but there's much more in the manual.

Darrell

Re: Disabling passwd for SSH

Chris Vail — Thu, 02 Jan 2003 17:51:24 GMT

I have attached a MS Word document that I send to all users so that they may enable SSH for their own accounts. The executive brief is that the key for each remote host has to be in the ~/.ssh/authorized_keys file. The permissions on this file and various directories have to be exact, so look at this document for details. Write if you have any questions.

Chris

Re: Disabling passwd for SSH

avsrini — Fri, 03 Jan 2003 04:40:20 GMT

Hi Chern,
Sorry i was off yesterday. so could'nt reply u soon.
Cheril gave you a good reference. you can use that.

But as you have 100 client machines, I'll check for the procedures of using ssh_known_hosts method. Do you have all the users id's same in all the machines?.

Srini.

Re: Disabling passwd for SSH

Ajay Tyagi — Fri, 03 Jan 2003 07:49:57 GMT

Hi
Frist u can genreate a ssk public key

#ssh-keygen -tdsa
than copy public key into server with login name which u want to login

#scp /.ssh/id_dsa.pub loginname@:/tmp

#ssh loginname@>/home//.ssh/authorized_keys2"

afther this u will be able to connect with ssh witout a password