secure shell ssh demands password even though I set up keys

 
Kirk Reindl
Frequent Advisor

Hello.

I'm new to secure shell and like many I can't seem to connect to another system without getting prompted for a password.
I've looked through many threads but I can't seem to find a scenario that is similar to mine.

General info:
Client_A (really a server acting as a client) running HPUX 11.11, ssh A.03.61.002
Server_B running HPUX 11.11, A.03.61.002

Before I get into the details on how I set up the keys, here is the output I get when I make the ssh connection using debugging/verbose option:

@ClientA::creindk_ /home/creindk/.ssh> ssh -v ServerB bdf
OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090702f
debug1: Reading configuration data /opt/ssh/etc/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: Connecting to ServerB [IP Address is here] port 22.
debug1: Connection established.
debug1: identity file /home/creindk/.ssh/identity type -1
debug1: identity file /home/creindk/.ssh/id_rsa type -1
debug1: identity file /home/creindk/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.6.1p2
debug1: match: OpenSSH_3.6.1p2 pat OpenSSH*
debug1: Local version string SSH-1.5-OpenSSH_3.6.1p2
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug1: Host 'ServerB' is known and matches the RSA1 host key.
debug1: Found key in /home/creindk/.ssh/known_hosts:6
debug1: Encryption type: 3des
debug1: Sent encrypted session key.
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: Trying Kerberos v5 authentication.
debug1: Kerberos v5: krb5_init_context failed
debug1: Trying Kerberos v4 authentication.
debug1: RSA authentication using agent refused.
debug1: Doing challenge response authentication.
debug1: No challenge.
debug1: Doing password authentication.
creindk@ServerB's password:

Here are the permissions on both systems in question:

ClientA:

ll -d home/creindk
drwxr-xr-x 5 creindk techsup 8192 Jan 4 07:19 home/creindk
ll -d home/creindk/.ssh
drwx------ 2 creindk techsup 8192 Dec 30 15:54 home/creindk/.ssh
ll -d home/creindk/.ssh/*
-rw------- 1 creindk techsup 951 Jan 4 07:44 home/creindk/.ssh/kirktest
-rw-r--r-- 1 creindk techsup 226 Jan 4 07:44 home/creindk/.ssh/kirktest.pub
-rw-r--r-- 1 creindk techsup 2027 Dec 30 14:57 home/creindk/.ssh/known_hosts
-rw------- 1 creindk techsup 1024 Jan 4 09:20 home/creindk/.ssh/prng_seed

ServerB:

ll -d home/creindk
drwxr-xr-x 5 creindk users 8192 Jan 4 09:16 home/creindk
ll -d home/creindk/.ssh
drwx------ 2 creindk techsup 8192 Jan 4 07:47 home/creindk/.ssh
ll -d home/creindk/.ssh/*
-rwxr-xr-x 1 creindk techsup 226 Jan 4 07:49 home/creindk/.ssh/authorized_keys
-rw-r--r-- 1 creindk techsup 226 Jan 4 07:47 home/creindk/.ssh/kirktest.pub
-rw-r--r-- 1 creindk techsup 911 Dec 30 13:56 home/creindk/.ssh/known_hosts
-rw------- 1 creindk techsup 1024 Dec 30 13:56 home/creindk/.ssh/prng_seed


Here is what I've done to try to make this work.

ClientA>ssh-keygen -t rsa -f kirktest
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): enter
Enter same passphrase again: enter
Your identification has been saved in kirktest.
Your public key has been saved in kirktest.pub.
The key fingerprint is:
5d:74:98:60:8e:01:f5:b1:9c:e7:b2:ca:9d:a9:52:4f creindk@ClientA

ClientA>ll
total 64
-rw------- 1 creindk techsup 883 Jan 4 09:42 kirktest
-rw-r--r-- 1 creindk techsup 226 Jan 4 09:42 kirktest.pub
-rw-r--r-- 1 creindk techsup 2027 Dec 30 14:57 known_hosts
-rw------- 1 creindk techsup 1024 Jan 4 09:42 prng_seed

Now, copy pub key to ServerB and append to a file called authorized_keys

@ClientA::creindk_ /home/creindk/.ssh> scp kirktest.pub ServerB:/home/creindk/.ssh/kirktest.pub
creindk@ServerB password:
kirktest.pub 100% 226 564.4KB/s 00:00
@ClientA::creindk_ /home/creindk/.ssh>

@ServerB::creindk_ /home/creindk/.ssh> touch authorized_keys
@ServerB::creindk_ /home/creindk/.ssh> chmod 644 authorized_keys
@ServerB::creindk_ /home/creindk/.ssh> cat kirktest.pub >> authorized_keys
@ServerB::creindk_ /home/creindk/.ssh> ls -la
total 96
drwx------ 2 creindk techsup 8192 Jan 4 09:50 .
drwxr-xr-x 5 creindk users 8192 Jan 4 09:49 ..
-rw-r--r-- 1 creindk techsup 226 Jan 4 09:52 authorized_keys
-rw-r--r-- 1 creindk techsup 226 Jan 4 09:48 kirktest.pub
-rw-r--r-- 1 creindk techsup 911 Dec 30 13:56 known_hosts
-rw------- 1 creindk techsup 1024 Dec 30 13:56 prng_seed
@ServerB::creindk_ /home/creindk/.ssh>

Again try the connection from ClientA to ServerB

I get the exact same results as listed above.
Any ideas?
Steven E. Protter
Exalted Contributor
Solution

Re: secure shell ssh demands password even though I set up keys

Usually this is a permissions issue.

I'm attaching my cheat sheet and in your shoes would check permissions on files and directories.

Also 3.8 of OpenSSH has been ported to HP-UX and might help.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Patrick Wallek
Honored Contributor

Re: secure shell ssh demands password even though I set up keys

1) Check /var/adm/syslog/syslog.log for error messages from SSH. If there is a problem it is almost always logged there.

2) Remove the world read permission from ALL files in the /home/creindk directory and all sub-directories. SSH is VERY sensitive to permissions and there is absolutely no reason for anything in the .ssh sub-dir to be world-readable.

You probably should also remove the world read and execute bits from your homedir itself so that the permissions are just rwxr-x---
Sanjay_6
Honored Contributor

Re: secure shell ssh demands password even though I set up keys

Hi,

Try this link and see if it helps.

Make sure you are creating the correct key for the versions of sshd servers it is connecting to.

http://bumblebee.lcs.mit.edu/ssh2/

Hope this helps.

Regds
Chris Vail
Honored Contributor

Re: secure shell ssh demands password even though I set up keys

Check the permissions on the files in the ~/.ssh directory (step O in the step-by-step cheat sheet I wrote and that Steve P. posts all the time). These should be 644. Anything else will get you the results you mention.



Chris
Kirk Reindl
Frequent Advisor

Re: secure shell ssh demands password even though I set up keys

I tightened permissions as was suggested but still no luck.

Here is a portion of the syslog.log file when I do a ssh from ClientA to ServerB.

It is almost like it doesn't even attempt to authenticate without prompting for a password, because all I see in the log is this:

Jan 4 12:09:46 c8mkes60 sshd[4313]: Accepted password for creindk from x.x.x.x port 52717

Any other ideas on how I could more easily troubleshoot this? Do my steps look correct for how I set up the keys??
Kirk Reindl
Frequent Advisor

Re: secure shell ssh demands password even though I set up keys

Chris thanks for reply.

I have checked permissions in both ~/.ssh directories on both client and server. I feel pretty confident on the permissions; I think I need to look somewhere else.

ClientA/home/creindk/.ssh> ll
total 64
-rw-r----- 1 creindk techsup 883 Jan 4 09:42 kirktest
-rw-r--r-- 1 creindk techsup 226 Jan 4 09:42 kirktest.pub
-rw-r--r-- 1 creindk techsup 2027 Dec 30 14:57 known_hosts
-rw-r--r-- 1 creindk techsup 1024 Jan 4 12:26 prng_seed

ServerB::creindk_ /home/creindk/.ssh> ll
total 64
-rw-r--r-- 1 creindk techsup 226 Jan 4 09:52 authorized_keys
-rw-r--r-- 1 creindk techsup 226 Jan 4 09:48 kirktest.pub
-rw-r--r-- 1 creindk techsup 911 Dec 30 13:56 known_hosts
-rw-r--r-- 1 creindk techsup 1024 Dec 30 13:56 prng_seed
ServerB::creindk_ /home/creindk/.ssh>
Chris Vail
Honored Contributor

Re: secure shell ssh demands password even though I set up keys

Check the permissions on the ~home directories. I think they're supposed to be 755 instead of 644.


Chris
Patrick Wallek
Honored Contributor

Re: secure shell ssh demands password even though I set up keys

Your permissions are still WAY too open in the .ssh directories.

On both systems do this:

# cd /home/creindk
# chmod -R 600 .ssh

There is absolutely NO reason for the .ssh directory to be available to anyone but the owner. That is in fact a big security hole. Someone could easily steal your keys that way.

If you do that, I think you will have much better luck.
Kirk Reindl
Frequent Advisor

Re: secure shell ssh demands password even though I set up keys

Okay,

The permissions on the ~/home/creindk on both systems were 644.

I changed to 755 on both systems. Still no luck.

One thing I can add is this.
After I made the permissions 755, I did a tail -f /var/adm/syslog/syslog.log on the server, the one with the .pub file.

Then I said okay, let's see what happens right away when I do the $ssh ServerB (for example, don't key in the password, just look if the syslog.log sees you trying to authenticate).

The result was, nothing got logged to syslog. But when I key in my password and strike return, then I get:

Jan 4 13:15:53 ServerB sshd[2105]: Accepted password for creindk from 10.10.72.63 port 52941

It almost seems like it isn't trying to "automatically log in".

Patrick Wallek
Honored Contributor

Re: secure shell ssh demands password even though I set up keys

THE PERMISSIONS MUST BE 600. NOT 644, DEFINITELY NOT 755. 600. -rw-------


YOU ARE WAY TOO WIDE OPEN ON PERMISSIONS.

Please just try the permissions at 600 and see what happens.
Kirk Reindl
Frequent Advisor

Re: secure shell ssh demands password even though I set up keys

Patrick,

I chmoded 600 -R .ssh, but it bombed because it couldn't change permissions on the files in .ssh/

Did you mean $ chmod 600 -R .ssh/* ??

I made the changes with .ssh being 600 and the files beneath .ssh 600 and I got the following results.

clientA::creindk_ /home/creindk> ssh ServerB
The authenticity of host 'ServerB (IP Address)' can't be established.
RSA1 key fingerprint is 37:0f:2c:02:22:66:aa:ea:0a:db:b6:8a:fd:6a:c6:31.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/creindk/.ssh/known_hosts).
creindk@c8mkes60's password:


Kirk Reindl
Frequent Advisor

Re: secure shell ssh demands password even though I set up keys

Patrick,

Sorry about the permissions mix up. I was just trying to test the solution in an earlier reply from Chris Vail.

I'm desperate here.
Patrick Wallek
Honored Contributor

Re: secure shell ssh demands password even though I set up keys

OK, we're making progress now. Now you need to figure out why it can't add the entry into the known_hosts file.

I did mean .ssh/* for the 600 permissions. The .ssh directory itself should be 700 (drwx------) permissions.

Try that and see what happens.
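
An added example, not part of the reply above or of HP-UX Secure Shell: a POSIX sh audit for the layout that reply describes, `.ssh` at 700 and every file inside at 600. It also flags a directory whose owner search (x) bit is missing, which is what a recursive `chmod 600` on `.ssh` leaves behind and which stops the owner from reaching the files inside. The function names and finding labels are hypothetical, and the demo tree is constructed.

```shell
#!/bin/sh
# Added example. Audits one .ssh directory against the layout described
# above: directory 700, every file inside 600. Labels are made up here.
mode_of() { ls -ld "$1" | cut -c1-10; }    # e.g. drwx------ (drops ACL mark)

audit_ssh_dir() {
    dir=$1
    dmode=$(mode_of "$dir")
    case $dmode in
        d??-*)      echo "DIR_NOT_SEARCHABLE $dir $dmode" ;;  # owner lacks x
        d???------) ;;                                        # owner only
        *)          echo "DIR_TOO_OPEN $dir $dmode" ;;
    esac
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        fmode=$(mode_of "$f")
        case $fmode in
            -???------) ;;                                    # owner only
            *) echo "FILE_TOO_OPEN $f $fmode" ;;
        esac
    done
}

# Constructed demo tree reproducing two states seen in the thread.
demo_audit() {
    t=$(mktemp -d) && mkdir "$t/.ssh" || return 1
    : > "$t/.ssh/authorized_keys"; : > "$t/.ssh/kirktest"
    chmod 644 "$t/.ssh/authorized_keys"; chmod 600 "$t/.ssh/kirktest"
    chmod 700 "$t/.ssh"; audit_ssh_dir "$t/.ssh"   # flags authorized_keys
    chmod 600 "$t/.ssh"; audit_ssh_dir "$t/.ssh"   # flags the directory
    chmod 700 "$t/.ssh"; rm -rf "$t"
}
demo_audit
```

Run `audit_ssh_dir "$HOME/.ssh"` on both the client and the server; no output means the directory and its files are owner-only.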
Kirk Reindl
Frequent Advisor

Re: secure shell ssh demands password even though I set up keys

Okay, no more ClientA and ServerB. Too much work to change names in the output I copy and paste to this post.

Client A=c8mkes34
Server B=c8mkes60

c8mkes34 settings

@c8mkes34::creindk_ /home/creindk> ll -d .ssh
drwx------ 2 creindk techsup 96 Jan 4 09:42 .ssh
@c8mkes34::creindk_ /home/creindk> ll .ssh/*
-rw------- 1 creindk techsup 883 Jan 4 09:42 .ssh/kirktest
-rw------- 1 creindk techsup 226 Jan 4 09:42 .ssh/kirktest.pub
-rw------- 1 creindk techsup 2027 Dec 30 14:57 .ssh/known_hosts
-rw------- 1 creindk techsup 1024 Jan 4 13:39 .ssh/prng_seed
@c8mkes34::creindk_ /home/creindk>

From c8mkes34, when I cat known_hosts I can see entries for c8mkes60 listed inside the file. I'd expect this.

c8mkes60 settings

@c8mkes60::creindk_ /home/creindk> ll -d .ssh
drwx------ 2 creindk techsup 8192 Jan 4 09:50 .ssh
@c8mkes60::creindk_ /home/creindk> ll -d .ssh/*
-rw------- 1 creindk techsup 226 Jan 4 09:52 .ssh/authorized_keys
-rw------- 1 creindk techsup 226 Jan 4 09:48 .ssh/kirktest.pub
-rw------- 1 creindk techsup 911 Dec 30 13:56 .ssh/known_hosts
-rw------- 1 creindk techsup 1024 Jan 4 13:06 .ssh/prng_seed
@c8mkes60::creindk_ /home/creindk>

From c8mkes60, when I cat known_hosts I see entries for c8mkes34. I'd expect this.



Still no luck and /var/adm/syslog.log doesn't show anything other than when I key in the correct password and hit enter.

Here is the login process with debug mode on.

c8mkes34::creindk_ /home/creindk> ssh -v c8mkes60
OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090702f
debug1: Reading configuration data /opt/ssh/etc/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: Connecting to c8mkes60 [IPAddress] port 22.
debug1: Connection established.
debug1: identity file /home/creindk/.ssh/identity type -1
debug1: identity file /home/creindk/.ssh/id_rsa type -1
debug1: identity file /home/creindk/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.6.1p2
debug1: match: OpenSSH_3.6.1p2 pat OpenSSH*
debug1: Local version string SSH-1.5-OpenSSH_3.6.1p2
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug1: Host 'c8mkes60' is known and matches the RSA1 host key.
debug1: Found key in /home/creindk/.ssh/known_hosts:6
debug1: Encryption type: 3des
debug1: Sent encrypted session key.
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: Trying Kerberos v5 authentication.
debug1: Kerberos v5: krb5_init_context failed
debug1: Trying Kerberos v4 authentication.
debug1: Doing challenge response authentication.
debug1: No challenge.
debug1: Doing password authentication.
creindk@c8mkes60's password:
debug1: Requesting pty.
debug1: Requesting shell.
debug1: Entering interactive session.
Last successful login for creindk: Tue Jan 4 14:29:12 CST6CDT 2005 on pts/ti
Last unsuccessful login for creindk: Tue Jan 4 14:31:16 CST6CDT 2005
Last login: Tue Jan 4 14:29:12 2005 from c8mkes34.cg.na.
(c)Copyright 1983-2000 Hewlett-Packard Co., All Rights Reserved.
(c)Copyright 1979, 1980, 1983, 1985-1993 The Regents of the Univ. of California
(c)Copyright 1980, 1984, 1986 Novell, Inc.
(c)Copyright 1986-1992 Sun Microsystems, Inc.
(c)Copyright 1985, 1986, 1988 Massachusetts Institute of Technology
(c)Copyright 1989-1993 The Open Software Foundation, Inc.
(c)Copyright 1986 Digital Equipment Corp.
(c)Copyright 1990 Motorola, Inc.
(c)Copyright 1990, 1991, 1992 Cornell University
(c)Copyright 1989-1991 The University of Maryland
(c)Copyright 1988 Carnegie Mellon University
(c)Copyright 1991-2000 Mentat Inc.
(c)Copyright 1996 Morning Star Technologies, Inc.
(c)Copyright 1996 Progressive Systems, Inc.
(c)Copyright 1991-2000 Isogon Corporation, All Rights Reserved.


RESTRICTED RIGHTS LEGEND
Use, duplication, or disclosure by the U.S. Government is subject to
restrictions as set forth in sub-paragraph (c)(1)(ii) of the Rights in
Technical Data and Computer Software clause in DFARS 252.227-7013.

Hewlett-Packard Company
3000 Hanover Street
Palo Alto, CA 94304 U.S.A.

Rights for non-DOD U.S. Government Departments and Agencies are as set
forth in FAR 52.227-19(c)(1,2).
@c8mkes60::creindk_ /home/creindk>


Michael Selvesteen_2
Trusted Contributor

Re: secure shell ssh demands password even though I set up keys

Hi,

Make sure your server supports public key authentication,

check the following directives are turned ON in sshd_config

PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

Try

ssh -l username -o PreferredAuthentications=publickey hostname

If it results in

Permission denied (password,keyboard-interactive).

Then it is sure that the server has no support for public key authentication.

Detailed server debug messages will be helpful for further analysis.

Note: Use /opt/ssh/src/ssh/contrib/ssh-copy-id to copy your keys to remote host. (can be executed by root only)

Hope this helps
--
M
Kirk Reindl
Frequent Advisor

Re: secure shell ssh demands password even though I set up keys

Michael,

Here is a copy of the /opt/ssh/etc/ssh_config file that sits on the Server end (c8mkes60). Please note that I'm new to ssh and have entered an environment where it is believed connectivity works without password authentication.

To me it looks as though the majority of this file is commented out, which for all I know is normal.

@c8mkes60::creindk_ /home/creindk> cat /opt/ssh/etc/ssh_config
# $OpenBSD$

# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for various options

# Host *
# ForwardAgent no
# ForwardX11 no
# RhostsAuthentication no
# RhostsRSAAuthentication no
# RSAAuthentication yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# BatchMode no
# CheckHostIP yes
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# Port 22
Protocol 2
# Cipher 3des
# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
# EscapeChar ~

Question: If I were to add the directives you mentioned
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

Do I need to re-read the config into memory? Can I do this without stopping and starting the daemon?

I still get prompted for password using the PreferredAuthentications=publickey option
@c8mkes34::creindk_ /home/creindk> ssh -l creindk -o PreferredAuthentications=publickey c8mkes60
creindk@c8mkes60's password:

c8mkes34_#/opt/ssh/src/ssh/contrib/ssh-copy-id id_rsa.pub c8mkes60:/home/creindk/.ssh/id_rsa.pub
/opt/ssh/src/ssh/contrib/ssh-copy-id: ERROR: No identities found
c8mkes34_#


Michael Selvesteen_2
Trusted Contributor

Re: secure shell ssh demands password even though I set up keys

Kirk,

The config directives belong to the SSH server. Those config directives should be added to the /opt/ssh/etc/sshd_config file of the remote server.

Once you have changed a directive, you should restart the server, so that the changes take effect.

The following links may help you set up public key authentication:


http://cfm.gs.washington.edu/security/ssh/client-pkauth/

http://snags.snu.ac.kr/~patria/ssh.html


Also try

man 5 sshd_config
man 5 ssh_config
man sshd
man ssh


All the best
--
M
Kirk Reindl
Frequent Advisor

Re: secure shell ssh demands password even though I set up keys

All,

Thanks to all for your direction and help.
I do have some situations between servers where I connect without asking for a password. For instance,

ServerA and ServerB acting as clients don't work no matter what. Meaning I always get prompted for a password.

But...
There are other servers in our environment that are functioning as I'd expect. Meaning

ServerC and ServerD acting as clients connect to other servers without prompting for passwords.

For now, I'm going to close this thread. Ultimately I'll need to read more and compare config files.

Thanks again
Kirk
Kirk Reindl
Frequent Advisor

Re: secure shell ssh demands password even though I set up keys

Need to research on my end to give the forum community more clues as to why I have this problem
David R
New Member

Re: secure shell ssh demands password even though I set up keys

By default, ssh is probably not looking for the kirktest as the identity file.

Set up a 'config' file in the .ssh dir. Change the 'id_rsa' to 'kirktest'.

regaldc@jms0en24 ~/.ssh$ cat config
# $OpenBSD: ssh_config,v 1.12 2002/01/16 17:55:33 stevesk Exp $

# This is the ssh client system-wide configuration file. See ssh(1)
# for more information. This file provides defaults for users, and
# the values can be changed in per-user configuration files or on the
# command line.

# The strategy used for options in the default sshd_config shipped with
# HP-UX Secure Shell is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for various options

# Host *
# ForwardAgent no
ForwardAgent yes
# ForwardX11 no
# RhostsAuthentication yes
# RhostsRSAAuthentication yes
# RSAAuthentication yes
# PasswordAuthentication yes
# PasswordAuthentication no
# FallBackToRsh no
# UseRsh no
# BatchMode no
# CheckHostIP yes
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# Port 22
#
# WARNING: enabling protocol 1 will cause HP-UX Secure Shell vulnerable
# to security attacks. It is strongly recommended NOT to enable protocol 1.
# Use "2,1" to notify ssh to use version 2 and fall back to version 1 if
# version 2 is not available. The default is "2".
#
Protocol 2
# Cipher 3des
# Cipher blowfish
# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
# EscapeChar ~
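
An added example, not part of the post above or of HP-UX Secure Shell: a POSIX sh filter that reads `ssh -v` client output and reports whether the key you expect was ever tried, whether any identity file loaded, and which protocol the client spoke. The function names and finding labels are hypothetical; the sample log is an excerpt of the debug output posted earlier in this thread.

```shell
#!/bin/sh
# Added example. Reads `ssh -v` client output on stdin and reports why
# public-key login was never attempted. $1 is the key file you expect ssh
# to use (kirktest in this thread). Finding labels are made up for this sketch.
diagnose_ssh_debug() {
    awk -v want="$1" '
    / identity file .* type / {
        n = split($4, p, "/")            # $4 is the path ssh tried to load
        tried = tried " " p[n]
        if (p[n] == want) offered = 1
        if ($6 != "-1") loaded++         # type -1: file missing or unreadable
    }
    / Local version string SSH-/ { split($5, v, "-"); proto = v[2] }
    / Doing password authentication|method: password/ { pw = 1 }
    END {
        if (!offered) print "KEY_NOT_TRIED " want " (tried:" tried ")"
        if (!loaded)  print "NO_IDENTITY_LOADED"
        # A key from `ssh-keygen -t rsa` is a protocol 2 key; a protocol 1
        # session (SSH-1.5) cannot authenticate with it.
        if (proto ~ /^1\./) print "PROTOCOL_1"
        if (pw) print "PASSWORD_FALLBACK"
    }'
}

# Excerpt of the debug output posted earlier in this thread.
sample_log() {
    cat <<'EOF'
debug1: identity file /home/creindk/.ssh/identity type -1
debug1: identity file /home/creindk/.ssh/id_rsa type -1
debug1: identity file /home/creindk/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.6.1p2
debug1: Local version string SSH-1.5-OpenSSH_3.6.1p2
debug1: Doing challenge response authentication.
debug1: No challenge.
debug1: Doing password authentication.
EOF
}

sample_log | diagnose_ssh_debug kirktest
```

On the thread's log all four findings appear. Pointing the client at the key with `ssh -i ~/.ssh/kirktest` or an `IdentityFile ~/.ssh/kirktest` line in `~/.ssh/config` addresses the first two.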