
Password-less authentication in HP-UX SSH

shashi kanth
Super Advisor

Password-less authentication in HP-UX SSH

Password-less authentication is not working for me on two HP-UX boxes.

I am trying with 2 HP-UX boxes; one is 11iv2 and the other is 11iv3.

I created RSA and DSA keys with "ssh-keygen -t rsa/dsa" on both nodes and added both nodes' RSA/DSA public keys to their authorized_keys files, but I am not able to SSH without a password.

The permissions of .ssh/* directory/files are correct.

The configuration file (sshd_config) is correct (PubkeyAuthentication yes).

I do not understand why it is not working.

I have gone through the HP-UX Secure Shell documentation; in the documentation I found the below line to add the public keys.

# cat $HOME/.ssh/id_dsa.pub | ssh remoteuser@remotehost 'cat - >> $HOME/.ssh/authorized_keys'


I feel this command is somewhat wrong.


Can anyone tell me the right way to do this SSH password-less authentication?

Is the procedure somewhat different in HP-UX?

Thanks.

6 REPLIES
Matti_Kurkela
Honored Contributor
Solution

Re: Password-less authentication in HP-UX SSH

The documented command is exactly correct, assuming that the $HOME/.ssh directory already exists in the remote host.

Please examine your /var/adm/syslog/syslog.log file: if sshd rejects your key authentication attempt, the reason for rejection will be listed in the log file.

MK
johnsonpk
Honored Contributor

Re: Password-less authentication in HP-UX SSH

Hi Shashi Kanth,

We are using the below procedure in our environment; hope this will help you.


On local machine (the steps for local machine are only done once):
=====================
Log in as user account
/usr/local/bin/ssh-keygen2 -t dsa -b 512
cd ~/.ssh2
echo "IDKey id_dsa_1024_a" > identification

On remote machines
==================
1) Log in as user account to remote machine
2) If ~/.ssh2 doesn't exist, create the .ssh2 directory
mkdir ~/.ssh2
cd ~/.ssh2
mkdir keys
cd keys
3) Get (ftp, scp, etc.) the file ~/.ssh2/id_dsa_1024_a.pub from the source machine and
put it in the remote ~/.ssh2/keys directory. Name it something unique.
Something like ~/.ssh2/keys/userid.localmachinename.pub
cd ~/.ssh2
echo "Key keys/userid.localmachinename.pub" >> authorization
(replace userid.localmachinename.pub with whatever the file was named).


If you are still not able to do ssh, then

do ssh -v username@remotemachine

and paste the logs.


Rgds
Johnson
OldSchool
Honored Contributor

Re: Password-less authentication in HP-UX SSH

"The permissions of .ssh/* directory/files are correct."

So you say, but you don't provide a listing? If the keys are in $HOME/.ssh, then the permissions on $HOME need to be set properly as well. This may show up in the syslog of the server you are trying to log in to.

on either server, try logging in to the other with:

ssh -vvv

which should provide details as to what is going on. if you continue to have problems,
start sshd in "debug" mode on one server on an unused port, and ssh w/ the -v options to that port.

see this link:

http://forums13.itrc.hp.com/service/forums/questionanswer.do?admit=109447627+1243695013889+28353475&threadId=1335574

or search Admin forum for "ssh permission".

There is also a config file option for sshd which can relax the permissions required if necessary. see "man sshd_config" and "StrictModes" option for details.
shashi kanth
Super Advisor

Re: Password-less authentication in HP-UX SSH


Thank you all.

/var/adm/syslog/syslog.log contains a line "Authentication refused: bad ownership or modes for file /.ssh/authorized_keys"

Previously it was 666; I changed it to 600, then it worked.
Bill Hassell
Honored Contributor

Re: Password-less authentication in HP-UX SSH

As mentioned, you did not provide any values for permissions on $HOME (very important), .ssh and all the files in .ssh. $HOME cannot be world-writable (ie, 777). .ssh should be 700 and all the files in .ssh must be 600. While slightly more open permissions may work, these are recommended. Also, it is important to use ssh -vvv remote-host and paste the last 50 lines so we can examine the reason for the failure. HP-UX version(s) would be useful too.


Bill Hassell, sysadmin
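
The permission rules discussed in this thread, written as a check you can run on the server you log in to. This is an added example, not part of any poster's reply; the function names are hypothetical, and it assumes that with StrictModes on, sshd refuses a key when $HOME, .ssh or authorized_keys is group- or world-writable or owned by someone other than the user or root.

```shell
#!/bin/sh
# Added example, not from the thread. Uses only ls, awk and cut because
# HP-UX has no stat(1). Function names are hypothetical.

# Print "<mode string> <owner>" for a path, e.g. "drwx------ shashi".
mode_owner() {
    ls -ld "$1" 2>/dev/null | awk '{ print substr($1, 1, 10), $3 }'
}

# check_one PATH USER RECOMMENDED_MODE_STRING ("" = no recommendation)
# Returns 0 = ok, 1 = looser than recommended, 2 = expect sshd to refuse.
check_one() {
    path=$1; user=$2; want=$3
    info=$(mode_owner "$path")
    [ -n "$info" ] || { echo "MISSING $path"; return 2; }
    mode=${info% *}; owner=${info#* }
    # Assumption: with StrictModes on, a path owned by someone other than
    # the user or root, or writable by group/other, gets the key refused.
    if [ "$owner" != "$user" ] && [ "$owner" != "root" ]; then
        echo "REFUSED $path: owned by $owner"; return 2
    fi
    if [ "$(echo "$mode" | cut -c6)" = "w" ] || [ "$(echo "$mode" | cut -c9)" = "w" ]; then
        echo "REFUSED $path: $mode is group- or world-writable"; return 2
    fi
    if [ -n "$want" ] && [ "$mode" != "$want" ]; then
        echo "LOOSE   $path: $mode (recommended $want)"; return 1
    fi
    echo "OK      $path: $mode"
}

# audit_ssh_perms HOME_DIR USER
# Checks $HOME, .ssh (700) and authorized_keys (600); returns the worst code.
audit_ssh_perms() {
    home=$1; worst=0
    for item in "$home:" "$home/.ssh:drwx------" \
                "$home/.ssh/authorized_keys:-rw-------"; do
        rc=0
        check_one "${item%:*}" "$2" "${item##*:}" || rc=$?
        if [ "$rc" -gt "$worst" ]; then worst=$rc; fi
    done
    return "$worst"
}

# Usage on the server you log in to:  audit_ssh_perms "$HOME" "$(whoami)"
```

A REFUSED line for authorized_keys corresponds to the "bad ownership or modes" syslog message quoted earlier in the thread; LOOSE marks modes that are wider than the 700/600 recommended above.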
Bill Hassell
Honored Contributor

Re: Password-less authentication in HP-UX SSH

Oops, I see you are running 11.23 and 11.31...please post the -vvv output from ssh.


Bill Hassell, sysadmin