topic Re: ssh without password but with differenct account in Operating System - Linux

ssh without password but with differenct account

steven chang_1 — Mon, 16 May 2005 03:26:27 GMT

hi :

ssh could login without password through the public/private key pair. But if the local account and remote account are different,how to use the pk authentication. Thank you!!

steven chang

Re: ssh without password but with differenct account

Stuart Browne — Mon, 16 May 2005 03:39:13 GMT

Ok.

To do password-less SSH login's, the remote-user must have an entry in their 'authorized_keys' file that matchines the user you are coming from.

i.e. from:

johnsmith@machine1:

has a key generated in ~/.ssh/id_rsa.pub

The line from here needs to be in:

remoteuser@machine2: ~/.ssh/authorized_keys

SSH doesn't care what user you're coming from or going too (apart from if you omit the user when ssh'n to a machine).

Just remember to 'ssh remoteuser@machine2' and you'll be fine.

Re: ssh without password but with differenct account

steven chang_1 — Mon, 16 May 2005 04:05:21 GMT

now i need root@aptest to oracle@dbtest
here is the oracle authorized_keys2
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA1kbKhVVdEfs8ItqrPoLoyQxTfuUuoYmwU3fbpY6ZTm3dVWJKTxcJvl9wxyIbfs4zLqZOBBogrFi
Iyq7hkZyPzz1MAJiZCnpco7QCDMv4kNcoWMMEu5CZkznMeUKrQ0AdIcoqmwRdK/E4WhLHZcvdzCZqQ2x7P3+1aOIJHZwjaWU= root@aptest

but use the command
ssh -l oracle dbtest
or ssh oracle@dbtest
sshd would prompt the password request
if the same authorized_keys2 file in the root .ssh directory , it's ok, no password prompt

steven

Re: ssh without password but with differenct account

steven chang_1 — Mon, 16 May 2005 04:45:55 GMT

hi :

I think i need hostbase ssh authentication. Does anybody get the document? Thank you

steven

Re: ssh without password but with differenct account

Stuart Browne — Mon, 16 May 2005 05:25:15 GMT

Hrm.. 'oracle@dbtest:~/.ssh/known_hosts' exists?

And why are you using 'authorized_keys2' and not just 'authorized_keys' ?

Re: ssh without password but with differenct account

Naveej.K.A — Mon, 16 May 2005 06:05:33 GMT

Hi Steven,

Passwordless SSH using public/private keys

Including how to set up rsync and unison (syncronisation software)
Here is a list of the steps that I had to do to get automatic replication of /home/folder1 (or any other folder) on one server to /home/folder2 on another server:

Passwordless SSH
To get replication working securly you firstly need to be able to connect via SSH without using passwords:

First server setup
ssh-keygen -t dsa(press enter twice to give a blank password)

cd
cd .ssh
vi .configPress "i" to enter insert mode and copy this into the file:

Host remotehost
User remoteuser
Compression yes
Protocol 2
RSAAuthentication yes
StrictHostKeyChecking no
ForwardAgent yes
ForwardX11 yes
IdentityFile /home/localuser/.ssh/id_remotehost_dsaDo NOT change the last line - it is supposed to say remotehost (not an actual host name). the remoteuser specify as the other username Now,

:wq(save and exit vi)

vi id_dsa.pubIt should look like this:

ssh-dss AAAA..............v root@HOSTNAMEOFSRV01where there is lots of random letters/numbers where the dots are. Select it all and copy it. Make sure that it is all on one line with no spaces at the start or finish (which will happen if you copy it using putty on windows; test it by pasting it into notepad)
Tip: To copy from putty on windows select the text from within vi and pres Ctrl + Shift. To paste text enter insert mode and press the right mouse button. (best way would be to copy the file through scp)

Second Server Setup
cd
vi .ssh/authorized_keysEnter insert mode (press i) and paste the key, again ensuring that there are no spare newlines or spaces. Save the file and exit vi (press :wq then return, as above)

Testing passwordless SSH
On the first server, type

ssh -l other_user_name srv02

Regards,
Naveej

Re: ssh without password but with differenct account

steven chang_1 — Mon, 16 May 2005 08:07:14 GMT

hi :

I user athorized_keys2 because using"
ssh-keygen -t rsa" to generate the pubkey/private key pair

steven

Re: ssh without password but with differenct account

Gopi Sekar — Mon, 16 May 2005 09:11:33 GMT

So you are saying the same public key works from root login and not from oracle login, correct?

try ssh -vvv oracle@dbtest and paste the output here, let us see whether we can find something from there.

Also one more thing to check is the file permission and ownership of the .authorized_keys2

I believe SSH requires 600 permission for .authorized_keys2, check that out too.

Hope this helps,
Gopi

Re: ssh without password but with differenct account

steven chang_1 — Mon, 16 May 2005 10:02:59 GMT

hi :
here is the debug messsage, when I use rsa or dsa, ssh could not find the id_rsa or id_dsa, only could be rsa1, my client is unixware 7.1.1 , I think it's the cypher/decyper problem, but it's still could not use public key through identity.pub
==============================
ssh -v tmsap2
OpenSSH_3.9p1, OpenSSL 0.9.7d 17 Mar 2004
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to tmsap2 [172.26.33.23] port 22.
debug1: Connection established.
debug1: identity file /home/oracle/.ssh/identity type 0
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.4p1
debug1: match: OpenSSH_3.4p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.9p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'tmsap2' is known and matches the RSA host key.
debug1: Found key in /home/oracle/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interacti
ve
debug1: Next authentication method: publickey
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interacti
ve
debug1: Next authentication method: password
oracle@tmsap2's password:
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.

steven

Re: ssh without password but with differenct account

Gopi Sekar — Mon, 16 May 2005 10:14:24 GMT

I am really could not find anything from this output, i am sorry. Can you please try with debug level 3 (ssh -vvv oracle@host). Also check the /var/log/messages and /var/log/secure on the SSH server to find out is there any error messages reported there.

Also did you change the permission of the file .authorized_keys2 on the server and see whether it helped.

I dont think this is related to cipher problem or server problem because you said it works fine when you put this file in /root/ directory and login as root.

Also, do not add the log output to message body, rather attach it as attachment.

Regards,
Gopi

Re: ssh without password but with differenct account

steven chang_1 — Mon, 16 May 2005 11:42:04 GMT

hi :

here is the v3 for dsa trace and rsa1 trace, i don't know why client sending public key authetication , and the server not responding. Therefore, ssh would choose password authentication. This is the same user for client and server. The previous situation I mentioned before is for tow linux system for different user.

Re: ssh without password but with differenct account

Gopi Sekar — Tue, 17 May 2005 05:40:59 GMT

There are few observations made in this long output.

* SSH tries to use the file named identity as your key file, this is mentioned so in ssh_config file, please uncomment it so that SSH will decide on which file to use for private key and public key

* remove spaces before each newly uncommented variable in your configuration file.

* identity file is used if SSH protocol version 1 is being used by server and client, to force the server to deal only with protocol 2 then try with -2 option in ssh.

Regards,
Gopi

Re: ssh without password but with differenct account

Ross Minkov — Tue, 17 May 2005 08:44:26 GMT

You can use ssh -i to point to the key you want to use:

-i identity_file

Selects a file from which the identity (private key) for RSA or DSA authentication is read. The default is $HOME/.ssh/identity for protocol version 1, and $HOME/.ssh/id_rsa and $HOME/.ssh/id_dsa for protocol version 2. Identity files may
also be specified on a per-host basis in the configuration file. It is possible to
have multiple -i options (and multiple identities specified in configuration files).