SFTP without prompting a password
09-05-2004 06:08 PM
Please help. My customer is requesting to use SFTP to transfer some files regularly from serverA to serverB using a simple script. Because the public/private key policy is not so clear in my company, we avoid using public/private keys. Is there any way to use SFTP without being prompted for a password, other than using public/private keys? FYI, I have tried to use .netrc, but it seems .netrc is only for ftp and is not applicable to sftp.
Please help. A high score will be given.
Thanks and Best Regards,
Negara
09-05-2004 06:26 PM
Re: SFTP without prompting a password
First, if the machine the user logs in from is listed in
/etc/hosts.equiv or /opt/ssh/etc/shosts.equiv on the remote machine,
and the user names are the same on both sides, the user is immediately
permitted to log in. Second, if .rhosts or .shosts exists in the
user's home directory on the remote machine and contains a line
containing the name of the client machine and the name of the user on
that machine, the user is permitted to log in. This form of
authentication alone is normally not allowed by the server because it
is not secure.
Set it up like this:
machine1:
/etc/hosts.equiv
remote-hostname user
If you are trying for root, then:
/.shosts
remote-hostname root
Change the permission to 400.
Do it on both sides to make it possible.
We can use .netrc for ftp, not for sftp.
Why don't you prefer scp instead of sftp?
It is easier to handle.
Regards
Muthu
09-05-2004 07:00 PM
Re: SFTP without prompting a password
Thanks a lot. I have tried to configure it as below, but when I run #ssh sihp8012 from sihp8029, it still prompts for a password. Can you please help? Is there any wrong configuration in the setup below?
Thanks a lot.
Negara
[root@sihp8012:/home/ap1030]
# more .shosts
sihp8029 ap1030
[root@sihp8012:/home/ap1030]
sihp8029 ap1030
[root@sihp8012:/home/ap1030]
# cd /opt/openssh/etc
[root@sihp8012:/opt/openssh/etc]
# more shosts.equiv
sihp8029 ap1030
[root@sihp8012:/opt/openssh/etc]
# ll shosts.equiv
-r-------- 1 root sys 16 Sep 6 14:48 shosts.equiv
[root@sihp8012:/opt/openssh/etc]
# ll /home/ap1030/.shosts
-r-------- 1 ap1030 other 42 Sep 6 14:51 /home/ap1030/.shosts
[root@sihp8012:/opt/openssh/etc]
# ll /etc/hosts.equiv
-rw------- 1 root sys 106 Sep 6 14:42 /etc/hosts.equiv
09-05-2004 07:05 PM
If you are going to use .shosts/.rhosts or .netrc (which does not exist for sftp), you are compromising at least 50% of the security provided by OpenSSH. Make sure shosts/rhosts authentication is enabled in sshd_config on the remote system.
It's very easy to set up public/private key authentication. Just two steps: generate the public/private key pair and copy it as authorized_keys on the other server. If you are doing sftp from serverA to serverB, then do the following for DSA authentication.
on serverA run
$cd (to go back to the home directory)
$ll .ssh
See if you have a file called id_dsa.pub. If so, then skip the ssh-keygen step.
$ssh-keygen -t dsa -N ""
$cd .ssh
Logon to serverB
$cd .ssh
$cat id_dsa.serverA >> authorized_keys
Ensure the permissions are proper (at least 755 on the user's home directory and 700 on the .ssh directory under it).
From server A try
$sftp serverB
This shouldn't prompt for the password.
You can use scp instead of sftp. That will be helpful if you have to copy subdirectories too.
-Sri
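An added example, not from Sri's post or the OpenSSH project: a POSIX shell script for the "ensure the permissions are proper" step. sshd's StrictModes check refuses to read authorized_keys when the home directory, ~/.ssh or the file itself is writable by group or others, and the client then silently falls back to a password prompt, which is the symptom this thread is chasing. The function names and the directory layout it assumes (home/.ssh/authorized_keys) are mine.

```shell
#!/bin/sh
# Added example: audit and tighten the permissions OpenSSH StrictModes
# requires before it will honour ~/.ssh/authorized_keys.
#
# Usage: sh ssh_perms.sh /home/ap1030
# audit_ssh_perms returns 0 when every check passes, 1 otherwise.

# Print the path if it is writable by group or others.
# "-perm -020" / "-perm -002" are POSIX: true when at least those bits are set.
# "-prune" keeps find from descending into a directory argument.
world_or_group_writable() {
    find "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null
}

audit_ssh_perms() {
    home="$1"
    rc=0
    for path in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$path" ]; then
            echo "MISSING: $path"
            rc=1
            continue
        fi
        if [ -n "$(world_or_group_writable "$path")" ]; then
            echo "TOO PERMISSIVE (group/world writable): $path"
            rc=1
        fi
    done
    return $rc
}

# Apply the usual safe settings: home not group/world writable,
# .ssh 700, authorized_keys 600.
fix_ssh_perms() {
    home="$1"
    chmod go-w "$home"
    chmod 700 "$home/.ssh"
    chmod 600 "$home/.ssh/authorized_keys"
}

# Stand-alone use: audit the directory given on the command line.
if [ -n "${1:-}" ]; then
    audit_ssh_perms "$1"
fi
```

Run the audit on the target account's home directory on serverB after appending the public key; if it reports anything, run fix_ssh_perms on the same directory and retry the sftp.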
09-05-2004 07:44 PM
Re: SFTP without prompting a password
Thanks a lot. We do not use public/private keys for now since no policy has been generated yet. So as a temporary solution, we just use .shosts/.rhosts. May I know the detailed steps for configuring .shosts/.rhosts, and which parameter in sshd_config needs to be enabled? Is it "IgnoreRhosts no"? I have tried it already, but it still prompts for a password when I run sftp.
Please help.
Thanks and Best Regards,
Dewa
09-05-2004 09:30 PM
Re: SFTP without prompting a password
Try generating the debugging information. If ssh works, then scp and sftp will work, so try
ssh -vvv serverB
and post the information you have. The following are the options for sshd_config
RhostsRSAAuthentication yes
RhostsAuthentication yes
IgnoreRhosts no
HostbasedAuthentication yes
for ssh_config (you can override them with command line options)
RhostsAuthentication yes
RhostsRSAAuthentication yes
EnableSSHKeysign yes
You can determine what is missing by looking at the ssh -vvv output.
-Sri
09-05-2004 10:18 PM - last edited on 11-13-2020 04:21 AM by Vajith V
Re: SFTP without prompting a password
Refer to the following link for hostbased authentication setup:
http://64.233.167.104/search?q=cache:93jZuVpfJ14J:acs.ucsd.edu/info/ssh.php+rhosts+shosts+file&hl=en
-> set your .shosts (.rhosts) file permission to 0644.
Trying first with IP addresses in these files may also help.
Refer to the following links for debugging:
http://64.233.167.104/search?q=cache:GQP3k-bB6PgJ:hepunx.rl.ac.uk/BFROOT/www/Computing/Online/EventProc/docs/shosts-instructions.html+rhosts+shosts+file&hl=en
http://www.snailbook.com/faq/general-debugging.auto.html
But I am echoing that this method has a potential security breach and is subject to IP spoofing and DNS spoofing, so be heedful.
All the best
09-05-2004 10:34 PM
Re: SFTP without prompting a password
What is your OpenSSH version? Is it 3.1? I hope Rhosts authentication is disabled there.
I have tried on that, and by default it is disabled.
If you want to use something other than key-based transactions, then using shosts is the only option, and we have to lose some security there.
Why don't we go for r* commands in an almost secure way, allowing only r* calls between two machines for the exact user, as follows:
If you are trying for root, then:
machine1:
/.rhosts
machine2 root
chmod 400 /.rhosts
Do the same on machine2.
If you are trying for non-root users, then:
machine1:
/etc/hosts.equiv
machine2
Do the same on machine2.
It will restrict access to only these two machines and for that user only. Permission 400 will be effective so that others cannot change it.
You can now transfer files with rcp (very fast).
09-06-2004 03:35 PM
Re: SFTP without prompting a password
Thanks a lot.
Below is my configuration.
[root@sihp8044:/home/ap1030]
# more .shosts
sihp8029 ap1030
[root@sihp8044:/home/ap1030]
# more .rhosts
sihp8029 ap1030
[root@sihp8044:/home/ap1030]
# ll .shosts
-r-------- 1 ap1030 other 16 Sep 7 12:18 .shosts
[root@sihp8044:/home/ap1030]
# more /etc/hosts.equiv
sihp8029 ap1030
When I tried to sftp from sihp8029 to sihp8044, as below:
[ap1030@sihp8029:/home/ap1030]
$ sftp -vvv sihp8044
Connecting to sihp8044...
OpenSSH_3.7.1p2, SSH protocols 1.5/2.0, OpenSSL 0.9.7c 30 Sep 2003
debug1: Reading configuration data /opt/openssh-3.7.1p2/etc/ssh_config
debug3: Seeding PRNG from /opt/openssh-3.7.1p2/libexec/ssh-rand-helper
debug2: ssh_connect: needpriv 0
debug1: Connecting to sihp8044 [155.126.81.5] port 22.
debug1: Connection established.
debug1: identity file /home/ap1030/.ssh/id_rsa type -1
debug1: identity file /home/ap1030/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.7.1p2
debug1: match: OpenSSH_3.7.1p2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.7.1p2
debug3: RNG is ready, skipping seeding
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 123/256
debug2: bits set: 1622/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /home/ap1030/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 3
debug3: check_host_in_hostfile: filename /home/ap1030/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 3
debug1: Host 'sihp8044' is known and matches the RSA host key.
debug1: Found key in /home/ap1030/.ssh/known_hosts:3
debug2: bits set: 1598/3191
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/ap1030/.ssh/id_rsa (00000000)
debug2: key: /home/ap1030/.ssh/id_dsa (00000000)
debug1: Authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug3: start over, passed a different list publickey,password,keyboard-interactive,hostbased
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/ap1030/.ssh/id_rsa
debug3: no such identity: /home/ap1030/.ssh/id_rsa
debug1: Trying private key: /home/ap1030/.ssh/id_dsa
debug3: no such identity: /home/ap1030/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug3: userauth_kbdint: disable: no info_req_seen
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred:
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
ap1030@sihp8044's password:
Is there anything missing?
Thanks a lot for your help.
Best Regards,
Negara
09-06-2004 03:39 PM
Re: SFTP without prompting a password
I forgot to attach sshd_config and ssh_config.
[root@sihp8044:/opt/openssh/etc]
# cat sshd_config
# $OpenBSD: sshd_config,v 1.65 2003/08/28 12:54:34 markus Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/usr/sbin:/opt/openssh-3.7.1p2/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::
# HostKey for protocol version 1
#HostKey /opt/openssh/etc/ssh_host_key
# HostKeys for protocol version 2
#HostKey /opt/openssh/etc/ssh_host_rsa_key
#HostKey /opt/openssh/etc/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768
# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in /opt/openssh/etc/ssh_known_hosts
#RhostsRSAAuthentication no
RhostsRSAAuthentication yes
# similar for protocol version 2
#HostbasedAuthentication no
HostbasedAuthentication yes
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
IgnoreRhosts no
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCreds yes
# Set this to 'yes' to enable PAM authentication (via challenge-response)
# and session processing. Depending on your PAM configuration, this may
# bypass the setting of 'PasswordAuthentication'
#UsePAM yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
# no default banner path
#Banner /some/path
# override default of no subsystems
Subsystem sftp /opt/openssh-3.7.1p2/libexec/sftp-server
Protocol 2
PermitRootLogin no
X11Forwarding yes
UsePrivilegeSeparation no
PrintMotd no
[root@sihp8044:/opt/openssh/etc]
# cat ssh_config
# $OpenBSD: ssh_config,v 1.19 2003/08/13 08:46:31 markus Exp $
# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.
# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
# Site-wide defaults for various options
# Host *
# ForwardAgent no
# ForwardX11 no
# RhostsRSAAuthentication no
RhostsRSAAuthentication yes
# RSAAuthentication yes
# PasswordAuthentication yes
# HostbasedAuthentication no
HostbasedAuthentication yes
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# Port 22
# Protocol 2,1
# Cipher 3des
# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
# EscapeChar ~
Protocol 2
Cipher blowfish-cbc
Ciphers blowfish-cbc
09-07-2004 01:47 PM
Re: SFTP without prompting a password
Looks like your problem hasn't been solved yet. I agree that it is painful to configure ssh to work with .rhosts/.shosts. I am rather happy about it ;-).
All your problems can be easily solved by public/private key authentication, which is more secure than the others. I don't know why you are so reluctant about it.
I guess you are almost there. Try overriding the preferred authentication options by running
ssh -vvv -o "PreferredAuthentications hostbased" your_host
and see if it works. If it logs you in without a password, then sftp will work; use it with the same options. Otherwise post the output again.
-Sri
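An added example, not part of the thread and not OpenSSH code: a POSIX shell helper that reads `ssh -vvv` output like Negara's and reports which authentication methods the server offered but the client never tried. In the debug log above the server announces "publickey,password,keyboard-interactive,hostbased" while the client's preferred list is "publickey,keyboard-interactive,password", so hostbased is never attempted, which is what Sri's PreferredAuthentications override addresses. The sample log lines embedded here are a constructed excerpt of that output, and the function names are mine.

```shell
#!/bin/sh
# Added example: diagnose an ssh -vvv transcript for authentication
# methods the server offers that the client never attempts.
#
# Usage: ssh -vvv host 2>&1 | sh auth_diag.sh    (reads the log on stdin)

# Constructed excerpt of the debug output shown earlier in the thread.
sample_log() {
    cat <<'EOF'
debug1: Authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug3: start over, passed a different list publickey,password,keyboard-interactive,hostbased
debug3: preferred publickey,keyboard-interactive,password
debug1: Next authentication method: publickey
debug3: no such identity: /home/ap1030/.ssh/id_rsa
debug1: Next authentication method: keyboard-interactive
debug1: Next authentication method: password
ap1030@sihp8044's password:
EOF
}

# Comma-separated methods the server offered (first announcement wins).
server_offered() {
    sed -n 's/^debug1: Authentications that can continue: //p' | head -n 1
}

# Comma-separated methods the client is willing to try, in order.
client_preferred() {
    sed -n 's/^debug3: preferred //p' | head -n 1
}

# Methods in the server list that are absent from the client list.
offered_but_unused() {
    log=$(cat)
    offered=$(printf '%s\n' "$log" | server_offered)
    preferred=$(printf '%s\n' "$log" | client_preferred)
    result=""
    for m in $(printf '%s\n' "$offered" | tr ',' ' '); do
        case ",$preferred," in
            *",$m,"*) ;;                              # client will try it
            *) result="${result:+$result,}$m" ;;      # never attempted
        esac
    done
    printf '%s\n' "$result"
}

# Human-readable verdict for a transcript on stdin.
diagnose() {
    unused=$(offered_but_unused)
    if [ -z "$unused" ]; then
        echo "client tries every method the server offers"
    else
        echo "server offers '$unused' but the client never tries it;"
        echo "add it to the client's PreferredAuthentications (e.g. -o PreferredAuthentications=$unused)"
    fi
}

# Stand-alone use: pipe a real transcript in, or run the constructed sample.
if [ ! -t 0 ]; then
    diagnose
else
    sample_log | diagnose
fi
```

Because the functions only look at the "Authentications that can continue" and "preferred" lines, the same check works on any -vvv transcript from this OpenSSH generation; an empty result means the remaining causes are server-side (sshd_config, ssh_known_hosts, file modes) rather than client method selection.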