  1. #1
    Just Joined!
    Join Date
    May 2012
    Posts
    4

    SSH Public Key password problem


    Greetings,

    This issue appears related to many other posts I have seen in forums on ssh public keys/automatic logins. I have followed multiple tutorials and tried everything mentioned in forums that I have seen (including permissions and ensuring that my sshd_config file is correct).

    I have 2 servers running RH Linux 6.0 on 64 bit machines. Server1 is 'hardened' (locked down as it needs to be as secure as possible). Server2 is not. I generated a public key on a third box (ssh-keygen -t rsa) and used scp to copy the public key to both machines (my_home_dir/.ssh). I restarted the ssh daemon on both boxes.

    When I attempt to log in to server1, I get prompted for a password. When I log in to server2, I do not.

    I have gone as far as copying the sshd_config from server2 to server1 and restarting the sshd daemon on server1. I have checked permissions and have tried everything I can find on various forums.

    When I run the ssh command from the 3rd box in debug mode (ssh -vvv server1 or ssh -vvv server2) I notice that I get the same debug output UP TO the point where I see the output "we sent a public key package, wait for reply". The next line in the debug output from server2 is "Server accepts key, pkalg ssh-rsa blen 149". The next line in the debug output from server1 is "Authentications that can continue: publickey, gssapi-keyex......."

    What other issues could possibly cause this situation?

    Any help is appreciated.
    thanks,
    Bill

  2. #2
    Trusted Penguin
    Join Date
    May 2011
    Posts
    4,353
    when you say you copied the public key to servers 1 and 2, what exactly does that mean? did you just copy the files there
    Code:
    e.g. scp ~/.ssh/id_dsa.pub server1:.ssh/
    or did you actually copy their contents into the remote file ~/.ssh/authorized_keys2 (which is what you should have done)?

    this is what the ssh-keygen program does for you, btw.

  3. #3
    Just Joined!
    Join Date
    May 2012
    Posts
    4
    I have tried both ways. I used keygen to gen the public and private key on client1. I tried using scp to copy the public key (id_rsa.pub) to 'my_home_dir/.ssh/authorized_keys' on server1 and also to server2. I also tried cutting and pasting the contents of the id_rsa.pub to authorized_keys on server1 and server2. So, the scenario is that I did a keygen on the client. Copied public key from client to both servers 'authorized_keys'. Made sure that the /etc/ssh/sshd_config file on both servers contained lines:
    RSAAuthentication yes
    PubkeyAuthentication yes
    AuthorizedKeysFile %h/.ssh/authorized_keys

    When I log in to server2 from client1, I don't get prompted for a password. When I log in to server1 from client1, I do get prompted for a password. Both servers are running RH linux and are 64 bit machines. The difference is that I had to put some 'hardening' techniques (e.g., more secure) on the server that still prompts for password.

  4. #4
    Just Joined!
    Join Date
    May 2012
    Posts
    4
    I know it's a shot in the dark, but:

    As I mentioned, I have server1 and server2 (I will call them server_pw, server_nopw). server_nopw is the one that doesn't prompt me for a password.

    I noticed something different in the systems. There are different services running. I used a 'chkconfig --list | grep on' command. Could this have something to do with the problem on the server_pw machine? The services that ARE running on the server_nopw but NOT running on the server_pw (the one that asks me for a password) are:

    NetworkManager
    abrtd
    acpid
    atd
    autofs
    bluetooth
    cups
    iscsi
    iscsid
    ksm
    ksmtuned
    libvirt-guests
    libvirtd
    nfslock
    portreserve
    postfix
    rhnsd
    rpcbind
    rpcgssd
    rpcidmapd
    rsyslog
    sysstat
    udev-post

    Are any of those services pertinent to getting the public key authentication to work?

  5. #5
    Trusted Penguin
    Join Date
    May 2011
    Posts
    4,353
    Quote: Originally posted by paraglidersd
    I have tried both ways. I used keygen to gen the public and private key on client1. I tried using scp to copy the public key (id_rsa.pub) to 'my_home_dir/.ssh/authorized_keys' on server1 and also to server2. I also tried cutting and pasting the contents of the id_rsa.pub to authorized_keys on server1 and server2. So, the scenario is that I did a keygen on the client. Copied public key from client to both servers 'authorized_keys'. Made sure that the /etc/ssh/sshd_config file on both servers contained lines:
    RSAAuthentication yes
    PubkeyAuthentication yes
    AuthorizedKeysFile %h/.ssh/authorized_keys

    When I log in to server2 from client1, I don't get prompted for a password. When I log in to server1 from client1, I do get prompted for a password. Both servers are running RH linux and are 64 bit machines. The difference is that I had to put some 'hardening' techniques (e.g., more secure) on the server that still prompts for password.

    try the file authorized_keys2 (note the 2 at the end of the file).

  6. #6
    Linux Newbie
    Join Date
    Apr 2012
    Posts
    112
    you could use the diff command to compare both sshd_config files and post the results here.

    Since you have hardened one of the servers it's possible that it might be preventing passphraseless key logins (not sure if this is actually possible, I've never tried to do it myself).

  7. #7
    Just Joined!
    Join Date
    May 2012
    Posts
    4
    Problem solved. Not only does the .ssh directory have strict permissions (along with files in that directory), but the parent directory has strict permission requirements. Changed directory permissions to 750 and all was well. Also, found out that you can set a parameter in the sshd_config file to override that strict permission requirement (StrictMode = no).

    Thank you very much for all of your help on this issue.
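
The cause found in post #7, as an added example that is not part of the thread: a shell function approximating the ownership and write-bit test that sshd applies to the home directory, `.ssh` and `authorized_keys` when the `StrictModes` keyword in sshd_config is enabled. The function name is hypothetical and GNU `stat -c` is assumed.

```shell
#!/bin/sh
# Added example: approximate sshd's StrictModes test on the key path.
# Assumes GNU stat (stat -c), as shipped on Red Hat systems.

# usage: check_strictmodes HOME_DIR [USER]
# Prints one line per problem; returns 0 if the path is clean, 1 otherwise.
check_strictmodes() {
    home=$1
    if [ -n "${2:-}" ]; then
        uid=$(id -u "$2")
    else
        uid=$(id -u)
    fi
    rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING $p"
            rc=1
            continue
        fi
        mode=$(stat -c '%a' "$p")
        owner=$(stat -c '%u' "$p")
        # The path must be owned by the login user or by root (uid 0).
        if [ "$owner" != "$uid" ] && [ "$owner" != "0" ]; then
            echo "BAD_OWNER $p uid=$owner"
            rc=1
        fi
        # Group-write (020) or other-write (002) on any component is refused.
        # The leading 0 makes the shell read the mode as octal.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "WRITABLE $p mode=$mode"
            rc=1
        fi
    done
    return $rc
}
```

Run it as the account that is still prompted for a password, or pass the account name as the second argument; each line of output names a path that fails the check. Correcting the reported modes, as with the change to 750 above, resolves the login without switching the check off.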
