
Re: scp authentication

 
Rushank
Super Advisor

scp authentication

Hi,

I would like to run scp between a server with OS 10.20 and 11.00

I've downloaded the respective files (openssh, openssl and zlib) and installed them. I also configured it (thanks to some previous postings). My problem is that while running scp it still asks for the password. How do I get rid of this?
BTW, I've created private and public files with ssh-keygen and copied the .pub file over to the target server.
21 REPLIES
S.K. Chan
Honored Contributor

Re: scp authentication

Kenny Chau
Trusted Contributor

Re: scp authentication

Hi,

Did you create the authorization and identification files in the directory? If not, it still prompts to ask for password.

Hope this helps.
Kenny.
Kenny
Darrell Allen
Honored Contributor

Re: scp authentication

Hi,

Did you generate your key pair without a passphrase? I believe you need to do that as well (at least you do in the commercial ssh).

Can you ssh to the same system without having to provide a password?

Darrell
"What, Me Worry?" - Alfred E. Neuman (Mad Magazine)
Wilfred Chau_1
Respected Contributor

Re: scp authentication

Check on the remote server whether sshd_config
or sshd2_config has been configured to use
publickey authentication.

Also make sure that on the remote host you have
the public key added to the authorized_keys or
authorization etc. file.

To help troubleshoot, use the -v option with scp.
Rushank
Super Advisor

Re: scp authentication

Well,

I've created identification and authorization files. The sshd_config file is configured for publickey. While creating the passphrase I entered some password.

I've read various postings related to ssh/scp in this forum; some of the postings explain about an authorization file, and some say authorization_key file. Do I need to create this file? If yes, what should this file contain?
And some postings mention a file called id_dsa_1024 etc. I'm really confused about which is the correct file.
I'm using scp and ssh ver 3.0 on OS 10.20 and 11.00.
My sshd_config file for public key is like this.

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
Kenny Chau
Trusted Contributor

Re: scp authentication

Hi,

You need to create the authorization and the identification files. The authorization file will contain all the public keys that were generated on the other servers. The identification file will contain the private key that was generated on the original machine.

eg. In Server 03
# cat authorization
Key id_dsa_1024_01.pub ##Server 01
Key id_dsa_1024_02.pub ##Server 02
Key id_dsa_1024_04.pub ##Server 04
Key id_dsa_1024_05.pub ##Server 05

# cat identification
IdKey id_dsa_1024_03

Hope this helps.
Kenny.
Kenny
Rushank
Super Advisor

Re: scp authentication

I tried all this but unfortunately no progress. I'm trying to execute ssh between an 11.00 and a 10.20 box. Is that an issue?
I mean the client is 11.00 and I'm trying to reach a 10.2 box.

Rushank
Super Advisor

Re: scp authentication

This is the screen shot when I run
$ /opt/openssh2/bin/ssh -v user2@remotehost
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is publickey
debug1: try privkey: /home/user2/.ssh/id_rsa
debug1: try privkey: /home/user2/.ssh/id_dsa
debug1: next auth method to try is keyboard-interactive
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is password
user2@remotehost's password:

I have to give the unix password for that user here.

Secondly, I don't have a file with a name like id_dsa_1024, but instead I have identity.pub and identity.
Darrell Allen
Honored Contributor

Re: scp authentication

Hi (again),

identity is the default name used for protocol 1 rsa keys. id_dsa_1024 is the default name for protocol 2 dsa 1024 bit keys.

man ssh-keygen for more info. You can choose which type key you want to use. By default, ssh-keygen creates protocol 1 keys. You should choose a protocol 2 key because of increased security.

Assuming you downloaded the package from an HP software porting center, the man page will be in /opt/openssh2/man. Add that to your MANPATH.

From above I see your sshd_config file allows RSA authentication so create your key pair with: ssh-keygen -t rsa
You will be prompted for the key file with the default $HOME/.ssh/id_rsa listed. You will then be prompted for a passphrase. If you leave this blank you can use rsa authentication without a password. However, it is better to enter a passphrase and use ssh-add to add your passphrase into memory. I am no expert in ssh-add but I believe that would be best. man ssh-add.

I also see from your sshd_config that your keys should be in $HOME/.ssh/authorized_keys. Use that, not authorization.

I wish I could be more clear. My experience has been with a commercial version of SSH which has different defaults. I'm just now coming up with OpenSSH but I'm fairly sure what I've written here is true.

Darrell
"What, Me Worry?" - Alfred E. Neuman (Mad Magazine)
Rushank
Super Advisor

Re: scp authentication

Thanks Darrell, I created rsa keys and then did ssh-add, but it still asks for the password.
A few questions:
1. Do I need to run sshd-agent on the source?
2. Are there any changes to be made in the sshd_config file so that it does not ask for the password every time?
3. What exactly do I need to put in the authorization_keys file? (Is it Key identity.pub, or do I need to copy identity.pub as authorized_keys?)




Darrell Allen
Honored Contributor
Solution

Re: scp authentication

I just got it to work doing the following:

-Start sshd on the remote system. See the attached sshd_config I used.

-Generate key pair on local system:
ssh-keygen -t rsa
use default file name (id_rsa)
enter a passphrase

-Copy id_rsa.pub from local system to remote system's $HOME/.ssh/authorized_keys

-Run ssh-agent (no options) on the local system

-Verify SSH_AUTH_SOCK and SSH_AGENT_PID are set in your current shell (env | grep SSH). If not, set them as shown from the ssh-agent output.

-Add a passphrase into the ssh-agent's memory:
ssh-add id_rsa
enter the passphrase (the one you created the keys with) when prompted

-ssh to the remote system

Darrell
"What, Me Worry?" - Alfred E. Neuman (Mad Magazine)
Darrell Allen
Honored Contributor

Re: scp authentication

If you are not in $HOME/.ssh directory, you need to specify the full path to id_rsa with the ssh-add command:
ssh-add $HOME/.ssh/id_rsa

Also, it appears you have to set SSH_AUTH_SOCK and SSH_AGENT_PID manually after running ssh-agent.

Darrell
"What, Me Worry?" - Alfred E. Neuman (Mad Magazine)
Glenn L. Stewart
Frequent Advisor

Re: scp authentication

I have removed the need for logins with a slightly different method. Almost a lazy method, so I am unsure if this is the best way to solve the problem.

I am currently in an environment on a private intranet, so attack from outside isn't an issue. We have always used .rhosts and rlogin/remsh so this ssh solution is a slight improvement.

Generate keys on each and every server so that an identity.pub key is generated for the particular user (e.g. root) within directory ~/.ssh

This is in format (for the particular bit strength)
1024 XX XXXXX......XXXXXX root@servername

NOTE: I use a blank passphrase when generating this particular key. I believe this might be the key to not requiring a password, but I have not tested with a passphrase to ensure this.

For 10 servers you will have 10 of these files
All in servername:~/.ssh/identity.pub

1024 XX XXXXX......XXXXXX root@server1
1024 XX XXXXX......XXXXXX root@server2
...
1024 XX XXXXX......XXXXXX root@server10

Using rcp on a single server having access to all servers, create a file containing all 10 identity pub's

E.g.

From server1

for i in server1 server2 server3 .....
do
rcp $i:/.ssh/identity.pub /tmp/identity.$i
done

You will then have 10 identity.pub files.
Concatenate these 10 files together so that you have 10 identity.pub's in one file.

Rcp this back out to the 10 servers, naming the concatenated file as ~/.ssh/authorized_keys

Now, root@server3 for example will be able to ssh as root to server6 without password.
You will however for the first login in a particular direction, require answering yes to adding to known hosts.

Hope this helps

Glenn
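
Added example, not part of any post above: Darrell's step of copying id_rsa.pub into $HOME/.ssh/authorized_keys and Glenn's concatenated key file both come down to having one key line per authorized key in that file. The function below (install_pubkey is a hypothetical name) appends a key only once, can prefix an authorized_keys option such as from="..." to limit where the key may be used from, and sets the owner-only modes that sshd's StrictModes check expects.

```shell
#!/bin/sh
# Added example; install_pubkey is a hypothetical helper name.
# Usage: install_pubkey PUBFILE HOMEDIR [OPTIONS]
#   PUBFILE  public key file holding exactly one key line, e.g. id_rsa.pub
#   HOMEDIR  home directory of the account that should accept the key
#   OPTIONS  optional authorized_keys options, e.g. from="server1"
install_pubkey() {
    pub=$1
    home=$2
    opts=${3:-}
    dir=$home/.ssh
    auth=$dir/authorized_keys

    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }
    # The key itself goes into authorized_keys, not a "Key <file>" reference.
    if [ "$(grep -c . "$pub")" -ne 1 ]; then
        echo "$pub: expected exactly one key line" >&2
        return 1
    fi
    keyline=$(grep . "$pub")

    # With StrictModes, sshd ignores keys kept in a group- or world-writable
    # directory or file, so create both with owner-only access.
    mkdir -p "$dir" || return 1
    chmod 700 "$dir" || return 1
    touch "$auth" || return 1
    chmod 600 "$auth" || return 1

    # Idempotent: do nothing if this exact key line is already present.
    if grep -qF -- "$keyline" "$auth"; then
        return 0
    fi
    printf '%s\n' "${opts:+$opts }$keyline" >> "$auth"
}
```

Run it on the remote account after transferring the .pub file; the private key never leaves the local system.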
Rushank
Super Advisor

Re: scp authentication

Hi Darrell,

Yes, that solved my problem. Thanks a lot. I think I was making a mistake in the ssh-add command.
I'll analyze it and inform.
Thanks once again

Rushank
Super Advisor

Re: scp authentication

Hi,

Once SSH_AUTH_SOCK and SSH_AGENT_PID were set in the user's environment, ssh started working. But now scp doesn't work! I get this error.

ksh: scp: not found
lost connection

My command is /opt/openssh2/scp filename user@remotehost:/home/dir

Any clue..?

Darrell Allen
Honored Contributor

Re: scp authentication

scp is in /opt/openssh2/bin

Darrell
"What, Me Worry?" - Alfred E. Neuman (Mad Magazine)
Rushank
Super Advisor

Re: scp authentication

YES. All the files ssh, scp, sftp are in the /opt/openssh2/bin directory
and have execute permissions.
Darrell Allen
Honored Contributor

Re: scp authentication

You know what? You and I might just learn a little about OpenSSH before this is done!

Okay, how about posting the complete command or script and the error message you are getting.

Darrell
"What, Me Worry?" - Alfred E. Neuman (Mad Magazine)
Rushank
Super Advisor

Re: scp authentication


Here is my command

If I try /opt/openssh2/bin/scp without any syntax

usage: scp [-pqrvBC46] [-F config] [-S ssh] [-P port] [-c cipher] [-i identity]
[-o option] f1 f2
or: scp [options] f1 ... fn directory

This means it is reading the scp file.

But then if I try


$ /opt/openssh2/bin/scp -v sysinfo.sh remotehost:/home/scptest

I get this error

debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is publickey
debug1: userauth_pubkey_agent: testing agent key id_rsa
debug1: input_userauth_pk_ok: pkalg ssh-rsa blen 149 lastkey 40023f88 hint -1
debug1: ssh-userauth2 successful: method publickey
debug1: fd 8 setting O_NONBLOCK
debug1: fd 9 setting O_NONBLOCK
debug1: channel 0: new [client-session]
debug1: send channel open 0
debug1: Entering interactive session.
debug1: ssh_session2_setup: id 0
debug1: Sending command: scp -v -t /home/scptest
debug1: channel 0: open confirm rwindow 0 rmax 16384
debug1: channel 0: rcvd eof
debug1: channel 0: output open -> drain
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: rcvd close
debug1: channel 0: input open -> closed
debug1: channel 0: close_read
debug1: channel 0: obuf empty
debug1: channel 0: output drain -> closed
debug1: channel 0: close_write
ksh: scp: not found
debug1: channel 0: almost dead
debug1: channel 0: gc: notify user
debug1: channel 0: gc: user detached
debug1: channel 0: send close
debug1: channel 0: is dead
debug1: channel 0: garbage collecting
debug1: channel_free: channel 0: client-session, nchannels 1
debug1: fd 0 clearing O_NONBLOCK
debug1: fd 1 clearing O_NONBLOCK
debug1: Transferred: stdin 0, stdout 0, stderr 0 bytes in 0.1 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0
debug1: Exit status 1
debug1: writing PRNG seed to file /home/scptest/.ssh/prng_seed
lost connection
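
Added example, not part of any post: the two -v traces in this thread fail at different stages, and the awk filter below tells them apart (function names are hypothetical; the sample traces are trimmed from the posts above). In the second trace publickey authentication succeeds and the unprefixed line "ksh: scp: not found" follows "Sending command: scp -v -t ...", so it is the shell on the target host that cannot find scp.

```shell
#!/bin/sh
# Added example; triage_ssh_debug and the sample_* names are hypothetical.

# Reads `ssh -v` or `scp -v` output on stdin and prints one verdict.
triage_ssh_debug() {
    awk '
        /next auth method to try is publickey/ { tried = 1 }
        /next auth method to try is password/  { fallback = 1 }
        /successful: method publickey/         { ok = 1 }
        /^debug1: Sending command: /           { cmd = $4 }
        # After the command was sent, a non-debug line ending in
        # ": not found" is the remote shell reporting a missing command.
        cmd != "" && !/^debug[0-9]: / && /: not found$/ { missing = 1 }
        END {
            if (ok && missing)          print "remote-command-not-found: " cmd
            else if (ok)                print "publickey-ok"
            else if (tried && fallback) print "publickey-not-accepted-fell-back-to-password"
            else                        print "unknown"
        }'
}

# Trimmed from the first trace posted in this thread.
sample_auth_trace() {
    cat <<'EOF'
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is publickey
debug1: try privkey: /home/user2/.ssh/id_rsa
debug1: try privkey: /home/user2/.ssh/id_dsa
debug1: next auth method to try is keyboard-interactive
debug1: next auth method to try is password
EOF
}

# Trimmed from the second trace posted in this thread.
sample_scp_trace() {
    cat <<'EOF'
debug1: next auth method to try is publickey
debug1: userauth_pubkey_agent: testing agent key id_rsa
debug1: ssh-userauth2 successful: method publickey
debug1: Sending command: scp -v -t /home/scptest
ksh: scp: not found
debug1: Exit status 1
lost connection
EOF
}
```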


Darrell Allen
Honored Contributor

Re: scp authentication

I can only guess at this point as I'm not able to duplicate your problem.

In the past I had trouble with the commercial version's scp not finding ssh. scp would work if my PATH was set like this:
PATH=$PATH:/opt/openssh2/bin

If my PATH didn't contain the directory for ssh executables, I had to use scp like this:
/opt/openssh2/bin/scp -S /opt/openssh2/bin/ssh source_pathname dest_pathname

For scp in cron jobs, I had to use scp's -S argument as shown above.

So, first try adding /opt/openssh2/bin to PATH. If that fails, try using the -S arg for scp.

If that fails I suggest you open a new thread. You can reference this thread. People may be ignoring this thread because it shows as already having a magic answer.

Darrell

"What, Me Worry?" - Alfred E. Neuman (Mad Magazine)
Rushank
Super Advisor

Re: scp authentication

Darrell,

On the target host the permissions were screwed up for some reason; once that was corrected everything was OK.

Thanks for your help