Jason Harlow on 21 Jul 2010 06:55:25 -0700



Re: [PLUG] Problems with password-less SSH

  • From: Jason Harlow <jharlow1@gmail.com>
  • To: "Philadelphia Linux User's Group Discussion List" <plug@lists.phillylinux.org>
  • Subject: Re: [PLUG] Problems with password-less SSH
  • Date: Wed, 21 Jul 2010 09:55:19 -0400
  • Reply-to: Philadelphia Linux User's Group Discussion List <plug@lists.phillylinux.org>
  • Sender: plug-bounces@lists.phillylinux.org

ssh -v on the client side can be ok, but not as helpful as you might want. It might also help to run a debug sshd on the server side (sshd -d -p 1234), and try connecting to that (ssh -p 1234) and look at the log on the server side. It tends to give more information.

I'd also +1 Kyle that the file permissions on the home directory are my most common issue when getting this sort of thing working (You'd see that on the server debug output).

Also, double check that these aren't set to No or something other than ~/.ssh/authorized_keys:

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile     .ssh/authorized_keys

(Above are the defaults, if they're not set to anything... at least in the OpenSSH I'm using on Solaris)

On Wed, Jul 21, 2010 at 9:45 AM, Kyle R. Burton <kyle.burton@gmail.com> wrote:
> What I need to do:
> I need to execute a command on a remote server in my DMZ, and I have been
> doing this via cron. So user "vadmin@admnftp002" needs to execute a command
> as "FileCollector@192.168.1.30".

I don't know the exact settings, but it is possible to restrict a key
(in the authorized keys file) to run a single command, even to
restrict it to a single host. I'm using a few settings in one of my
auth keys files:

from="host-or-ip-addr",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa ...rsa.pub.key.here...


> What I did:
> As user "vadmin@admnftp002", I created new SSH keys, with no password. (I
> decided to make new keys, rather than keep the old ssh keys I used to use.
> This may have been a mistake ...I still have a copy of the old keys that
> worked on the old remote box, tho).
>
> I did this by "ssh-keygen -t rsa". Then I copied the public file to
> "FileCollector@192.168.1.30" with
>
> ssh-copy-id -i id_rsa.pub FileCollector@192.168.1.30

One thing that often gets me is to ensure that FileCollector's .ssh
directory is 700, and that the files within it are 600.

> But when I try and test it, I get prompted for a password:
>
> vadmin@admnftp002:~/.ssh$ ssh FileCollector@192.168.1.30 uptime
> FileCollector@192.168.1.30's password:


I've found that trying with verbosity turned up, 'ssh -v -v -v...',
and watching to see if it considers the ssh-key or not, is helpful.

> This used to work, when the remote server was a Debian box. These were the
> same directions I used back then. But now it's a no-go. Any ideas where to
> find out why? I'm guessing I forgot something in a config, or missed a step,
> but can't figure out where. If I look in "~/.ssh/authorized_keys" on
> 192.168.1.30, I do see my "vadmin@admnftp002" key listed.


HTH,

Kyle


--
Twitter: @kyleburton
Blog: http://asymmetrical-view.com/
Fun: http://snapclean.me/
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
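
The server-side checks suggested in this thread (home directory permissions, .ssh at 700 with its files at 600, and the PubkeyAuthentication / AuthorizedKeysFile settings) can be scripted as below. This is an added example, not part of the original messages; the function names are hypothetical, and it assumes an sshd_config without Match blocks.

```shell
#!/bin/sh
# Added example (hypothetical helper names); checks the items raised in the thread.
# Print the 10-character permission string of a path, e.g. drwx------.
mode_of() { ls -ld "$1" 2>/dev/null | cut -c1-10; }

# Succeed only if $1 exists and neither group nor others can write to it.
not_group_world_writable() {
    m=$(mode_of "$1")
    [ -n "$m" ] || return 1
    case "$m" in
        ?????w????|????????w?) return 1 ;;
    esac
    return 0
}

# Check home directory $1; the return status is the number of problems found.
check_key_perms() {
    home=$1; problems=0
    not_group_world_writable "$home" ||
        { echo "FAIL $home: missing, or writable by group/others"; problems=$((problems+1)); }
    [ "$(mode_of "$home/.ssh")" = "drwx------" ] ||
        { echo "FAIL $home/.ssh: expected mode 700"; problems=$((problems+1)); }
    for f in "$home"/.ssh/*; do
        [ -f "$f" ] || continue
        [ "$(mode_of "$f")" = "-rw-------" ] ||
            { echo "FAIL $f: expected mode 600"; problems=$((problems+1)); }
    done
    return "$problems"
}

# Print the value sshd would use for keyword $2 in config file $1: the first
# uncommented occurrence, else the default $3. Match blocks are not handled.
sshd_setting() {
    awk -v key="$2" -v def="$3" '
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print def }' "$1"
}

# Check the two directives from the thread; return status = number of problems.
check_sshd_config() {
    cfg=$1; bad=0
    [ "$(sshd_setting "$cfg" PubkeyAuthentication yes | tr 'A-Z' 'a-z')" = "yes" ] ||
        { echo "FAIL PubkeyAuthentication is not yes"; bad=$((bad+1)); }
    case "$(sshd_setting "$cfg" AuthorizedKeysFile .ssh/authorized_keys)" in
        .ssh/authorized_keys|%h/.ssh/authorized_keys) ;;
        *) echo "FAIL AuthorizedKeysFile is not .ssh/authorized_keys"; bad=$((bad+1)) ;;
    esac
    return "$bad"
}
```

Run check_key_perms against the target account's home directory on the server and check_sshd_config against the server's sshd_config; a non-zero status is the count of findings.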
