HPE Community
Operating System - HP-UX
1819687 Members
3607 Online
109605 Solutions
New Discussion юеВ

Password-less authentication in HP-UX SSH

 
SOLVED
Go to solution
shashi kanth
Super Advisor

тАО05-30-2009 05:12 AM

тАО05-30-2009 05:12 AM

Password-less authentication in HP-UX SSH

For me it's not working password-less authentication in two HP-UX boxes.

I am trying with 2 HP-UX boxes, one is 11iv2 and another is with 11iv3.

created RSA and DSA keys with "ssh-keygen -t rsa/dsa" on both nodes, add both nodes both rsa/dsa public keys to their authorized_keys file, but i am not able to SSH without password.

The permissions of .ssh/* directory/files are correct.

The configuration files (sshd_config) is correct ( PubkeyAuthentication yes )

I am not understanding why it is not working.

I have gone through the HP-UX secure shell documentation, in the documentation i found bellow line to add the public keys.

# cat $HOME/.ssh/id_dsa.pub ssh remoteuser@remotehost
тАЩcat - >> $HOME/.ssh/authorized_keysтАЩ


I fell this command somewhat wrong .


Anyone tell me what is the right way to do this SSH password-less authentication ?

Is the procedure is somewhat different in HP-UX ?

Thanks.

0 Kudos
6 REPLIES 6
Matti_Kurkela
Honored Contributor

тАО05-30-2009 05:18 AM

тАО05-30-2009 05:18 AM

Solution

Re: Password-less authentication in HP-UX SSH

The documented command is exactly correct, assuming that the $HOME/.ssh directory already exists in the remote host.

Please examine your /var/adm/syslog/syslog.log file: if sshd rejects your key authentication attempt, the reason for rejection will be listed in the log file.

MK
MK
0 Kudos
johnsonpk
Honored Contributor

тАО05-30-2009 06:51 AM

тАО05-30-2009 06:51 AM

Re: Password-less authentication in HP-UX SSH

Hi Shashi Kanth,

We are using the below procedure in our environment ,hope this will help you


On local machine (the steps for local machine are only done once):
=====================
Log in as user account
/usr/local/bin/ssh-keygen2 -t dsa -b 512
cd ~/.ssh2
echo "IDKey id_dsa_1024_a" > identification

On remote machines
==================
1)Log in as user account to remote machine
2)if ~/.ssh2 doesn't exist,create .ssh2 directory
mkdir ~/.ssh2
cd ~/.ssh2
mkdir keys
cd keys
3)Get(ftp, scp, etc) the file ~/.ssh2/id_dsa_1024_a.pub from source machine and
put it in the remote ~/.ssh2/keys directory. Name it something unique.
Something like ~/.ssh2/keys/userid.localmachinename.pub
cd ~/.ssh2
echo "Key keys/userid.localmachinename.pub" >> authorization
(replace userid.localmachinename.pub with whatever the file was named).


If you are still not able to do ssh then

do ssh -v useranme@remotemachine

and paste the logs


Rgds
Johnson
0 Kudos
OldSchool
Honored Contributor

тАО05-30-2009 06:57 AM

тАО05-30-2009 06:57 AM

Re: Password-less authentication in HP-UX SSH

"The permissions of .ssh/* directory/files are correct."

so you say, but you don't provide a listing? If the keys are in $HOME/.ssh, then the permissions on $HOME need to be set properly as well. This may show up in the syslog f the server you are trying to login to.

on either server, try logging in to the other with:

ssh -vvv

which should provide details as to what is going on. if you continue to have problems,
start sshd in "debug" mode on one server on an unused port, and ssh w/ the -v options to that port.

see this link:

http://forums13.itrc.hp.com/service/forums/questionanswer.do?admit=109447627+1243695013889+28353475&threadId=1335574

or search Admin forum for "ssh permission".

There is also a config file option for sshd which can relax the permissions required if necessary. see "man sshd_config" and "StrictModes" option for details.
0 Kudos
shashi kanth
Super Advisor

тАО05-30-2009 09:47 AM

тАО05-30-2009 09:47 AM

Re: Password-less authentication in HP-UX SSH


Thank you all.

/var/adm/syslog/syslog.log conatins a line "Authentication refused: bad ownership or modes for file /.ssh/authorized_keys"

Previous it was 666, i changed to 600, then it worked.
0 Kudos
Bill Hassell
Honored Contributor

тАО05-30-2009 09:50 AM

тАО05-30-2009 09:50 AM

Re: Password-less authentication in HP-UX SSH

As mentioned, you did not provide any values for permissions on $HOME (very important), .ssh and all the files in .ssh. $HOME cannot be world-writable (ie, 777). .ssh should be 700 and all the files in .ssh must be 600. While slightly more open permissions may work, these are recommended. Also, it is important to use ssh -vvv remote-host and paste the last 50 lines so we can examine the reason for the failure. HP-UX version(s) would be useful too.


Bill Hassell, sysadmin
0 Kudos
Bill Hassell
Honored Contributor

тАО05-30-2009 09:51 AM

тАО05-30-2009 09:51 AM

Re: Password-less authentication in HP-UX SSH

Oops, I see you are running 11.23 and 11.31...please post the -vvv output from ssh.


Bill Hassell, sysadmin
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.