Another SSH issue

SOLVED

I have a user (oracle) that would like to ssh to all of the oracle servers from one server. I have generated the RSA and DSA key pairs for the account on the primary server and copied the public keys to the authorized_keys file on each of the servers. There are some systems that still require a password. The ones that work without the password are 11.23 boxes, as is the one primary. The ones still requiring a password are 11.11 servers. I have looked at permissions on the directories and files, modeled it completely after one of the working clients. I have even upgraded to the latest version of SSH on both 11.11 and 11.23, so they are matching versions. I've verified that "UsePAM" is set to yes and uncommented in the sshd_config file.

On the HP-UX 11.11 server:
# ssh -V
OpenSSH_5.1p1+sftpfilecontrol-v1.2-hpn13v5, OpenSSL 0.9.8j 07 Jan 2009
HP-UX Secure Shell-A.05.10.045, HP-UX Secure Shell version

On the HP-UX 11.23 server:
# ssh -V
OpenSSH_5.1p1+sftpfilecontrol-v1.2-hpn13v5, OpenSSL 0.9.8j 07 Jan 2009
HP-UX Secure Shell-A.05.10.046, HP-UX Secure Shell version

I'm not sure what else to check at this point.
12 REPLIES
Steven Schweda
Honored Contributor
Solution

Re: Another SSH issue

> Another SSH issue

Is that anything like a _problem_?

> [...] the RSA and DSA key pairs [...]

Both? Why both? Which one(s) are you using?

The usual next step is to run comparisons
between working and non-working commands with
some diagnostics enabled:

ssh -v [...]


What's in the users' ".ssh" directories?

> [...] I have looked at permissions [...]

I'm glad that you're happy. Sadly, my
psychic powers are too weak to tell me what
you saw, so I don't know if your joy is
justified. As usual, showing actual commands
with their actual output can be more helpful
than vague descriptions.

Looking at the server log files can also be
informative.

A Forum search for "ssh" should find many
examples of similar experiences.
Mark Fenton
Esteemed Contributor

Re: Another SSH issue

That's interesting. I use RSA/DSA key authentication on SSH in 11.11 environment (trusted server) with no problems.
Does it work the other way around? I.e. can mr oracle ssh to the 11.23 server FROM the 11.11 using just the trusted key?
OldSchool
Honored Contributor

Re: Another SSH issue

Running the daemon in debug mode on one or more of the servers might shed some light on the issue (sshd -ddd), as would running the client in debug (ssh -vvv).

In addition, you can use the "-p " to run both on otherwise unused port so it won't interfere w/ the daemon already running.

one note, permissions on the authorized_keys file *and its parent directory* are critical.

Re: Another SSH issue

Mr. Schweda, instead of being snotty about not having enough information, just ask for what you want. As it is, your suggestion to check the logs was the reminder that I needed. I determined that the home directory permissions were incorrect for password-less login.

Mark, I was able to go server-to-server in reverse.

O.S. - Thanks for the suggestion, that would have been my next step.

I just need to remember to check those logs!
Steven Schweda
Honored Contributor

Re: Another SSH issue

> [...] instead of being snotty [...]

Instead of getting all huffy, try to put
yourself in the position of the reader, who
can't read your mind, and who doesn't know if
you know what you're talking about. It
remains true that "showing actual commands
with their actual output can be more helpful
than vague descriptions."


Note that if you _really_ knew what you
were talking about, you might not be asking
questions in this forum, which makes any
evidence-free conclusions presented here
immediately (and reasonably) suspect.

Re: Another SSH issue

quoting...
Instead of getting all huffy, try to put
yourself in the position of the reader, who
can't read your mind, and who doesn't know if
you know what you're talking about. It
remains true that "showing actual commands
with their actual output can be more helpful
than vague descriptions."


Note that if you _really_ knew what you
were talking about, you might not be asking
questions in this forum, which makes any
evidence-free conclusions presented here
immediately (and reasonably) suspect.
not quoting...

You know, people come here looking for help, not to get blasted. For your information, I was following the instructions I found in the forum archives. Forgive me for not telling you that I had. When you're in a situation of thinking of many things, sometimes things fall through the cracks. The reaction was to your attitude. All I'm asking is that you be more compassionate instead of denigrating to people in a bind. Lucky for you, I try to be a forgiving person. You almost got 0 points for that attitude.

Re: Another SSH issue

Permissions on the user home directory were wrong, which I discovered after looking at the syslog on the affected system.
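
An added example, not part of any post in this thread: the resolution above matches sshd's StrictModes behaviour, which refuses public-key login when the home directory, ~/.ssh or authorized_keys is group/other-writable or owned by someone other than the user or root. The function names `check_path` and `check_strictmodes` and the demo tree are hypothetical, constructed for illustration.

```shell
#!/bin/sh
# Added example: approximates sshd's StrictModes test (owner is the user or
# root, no group/other write bit) for the paths public-key login depends on.

# check_path PATH UID -> prints the reason and returns 1 if PATH would fail.
check_path() {
    [ -e "$1" ] || { echo "missing"; return 1; }
    # ls -ldn rather than stat(1), which HP-UX does not ship.
    mode=$(ls -ldn "$1" | awk '{print $1}')
    uid=$(ls -ldn "$1" | awk '{print $3}')
    if [ "$uid" != "$2" ] && [ "$uid" != 0 ]; then
        echo "owned by uid $uid"; return 1
    fi
    case $mode in
        # character 6 is group write, character 9 is other write
        ?????w*|????????w*) echo "group/other writable ($mode)"; return 1 ;;
    esac
    return 0
}

# check_strictmodes HOME UID -> one line per path, non-zero if any path fails.
check_strictmodes() {
    rc=0
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        if reason=$(check_path "$p" "$2"); then
            echo "OK   $p"
        else
            echo "FAIL $p: $reason"; rc=1
        fi
    done
    return $rc
}

# Constructed demo: a throwaway tree whose "home" is group-writable.
demo=${TMPDIR:-/tmp}/strictmodes.$$
mkdir -p "$demo/.ssh" && : > "$demo/.ssh/authorized_keys"
chmod 700 "$demo/.ssh"; chmod 600 "$demo/.ssh/authorized_keys"
chmod 775 "$demo"
check_strictmodes "$demo" "$(id -u)" || echo "=> key login would be refused"
chmod 755 "$demo"
check_strictmodes "$demo" "$(id -u)" && echo "=> modes acceptable"
rm -rf "$demo"
```

On an affected server, call `check_strictmodes` with the account's real home directory and numeric uid, then compare the result with the sshd entries in syslog.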
Steven Schweda
Honored Contributor

Re: Another SSH issue

> You almost got 0 points for that attitude.

I'd almost care.
Steven Schweda
Honored Contributor

Re: Another SSH issue

My point, in case you missed it, was that "I
have looked at permissions" was misleading
rather than useful, and I explained why.

> Permissions [...] were wrong [...]

See?
Paul Maglinger
Regular Advisor

Re: Another SSH issue

Don't feel too bad about it Karen. He treats everyone that way, and the moderator's don't care.
Steven Schweda
Honored Contributor

Re: Another SSH issue

The moderators don't care about misuse of
apostrophes, either, but it bothers me
tremendously. Not as much as problem
descriptions which lack obviously important
information, but tremendously, even so.
Paul Maglinger
Regular Advisor

Re: Another SSH issue

From the forum overview:

Are there rules of conduct I must adhere to?
The Support Forums community is a valued area with well-behaved members. Everyone benefits from a positive experience. So, HP encourages active and open discussions among the community members, but do insist that conduct is civil - be it posting a message or emailing another member. You may not use or allow others to use your registration membership to:

1. Post or transmit any content that is abusive, vulgar, obscene, hateful, fraudulent, threatening, harassing, defamatory, or which discloses private or personal matters concerning any person.