yet another "passwordless ssh" question

[soccercisco]

Ok. So I am trying to setup a passwordless ssh by doing (on the server):
1. ssh-keygen -t dsa
2. copying id_rsa.pub to authorized_keys

Of course, it doesn't work. I am working on a big project, and I am the only person for whom this method hasn't worked (well, it worked for a while but somehow I broke it).

I revised several troubleshooting posts (and unsuccessfully tried them all). So, I ran the verbose ssh -vv user@server:

If you get a line like this, not containing "publickey":
debug1: Authentications that can continue: password,keyboard-interactive

I do get "publickey" here.

If you don't get a line like:
debug1: try pubkey: /home/user/.ssh/id_dsa
Then check "ssh_config" on the client and if it exists, remove "PubkeyAuthentication no" if it exists.

I don't get this line, but I do not have access to the ssh_config. And as I previously stated, all other users have been able to setup passwordless ssh'ing on the same server.

If you still don't see that line then make sure that "~/.ssh/id_dsa" exists on the client.
If you get a line like:
debug2: we sent a publickey packet, wait for reply
Check that "~/.ssh/authorized_keys" exists on the server and contains a line the same as "~/.ssh/id_dsa.pub" on the client.

Yes, yes. All necessary files exist in both server and client.

Thanks for your help.

[soccercisco]

Btw, the error I get is that it keeps prompting me for the password.

[vijay_kernel]

Setting up the server for passwordless login

You will need to make sure that the server will accept passwordless logins. This means you have to enable public key authentication on the server. To do this, open up /etc/ssh/sshd_config in a text editor (I would suggest nano or kate). Then make sure that the following two lines are uncommented, or if not there, add them in. To uncomment the line, remove the '#' from the beginning of the line:

* RSAAuthentication yes
* PubkeyAuthentication yes

You will need to restart the ssh server. Do this with:

* /etc/init.d/ssh restart

Finally make sure that permissions are right on the server. If there's no ~/.ssh directory, make one:

* mkdir ~/.ssh

Once you've got a ~/.ssh directory, change the permissions using:

* chmod 700 ~/.ssh

that should be enough to setup the server side of things.


Setting up the client side of the equation

First you'll need to setup a keypair. If you already have the files ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub, you should be good to go. If not, then you need to add them. Use the following command:

* ssh-keygen -t rsa

You will then be asked some questions. Simply hit "Enter" to answer them all:

* Generating public/private rsa key pair.
* Enter file in which to save the key (/home/skx/.ssh/id_rsa):
* Enter passphrase (empty for no passphrase):
* Enter same passphrase again:
* Your identification has been saved in /home/skx/.ssh/id_rsa.
* Your public key has been saved in /home/skx/.ssh/id_rsa.pub.

Answering without putting in a password means that the keys can be unlocked without a password, which is the whole point of "passwordless" login. Now we can do a little magic. Previously when setting up passwordless logins with ssh, I've gone through a dance of copying keys from the local computer to the remote computer. However, now I've found a new programme that does all this automagically. So, type this into a terminal:

* ssh-copy-id -i ~/.ssh/id_rsa.pub username@remote_host

Obviously you will need to replace "username" with the user you want to login as on the remote computer, and "remote_host" with the ip/hostname of the ssh server. This command will ask you for a password - don't be alarmed; this sets up the passwordless-ness, so needs a password to do it. Once you've done this, you should be good to go. Try logging into the remote server, and you should be password free.


Hope this helps for you.....

Cheers,
Vijay.

[soccercisco]

Thanks Vijay for the insight.

I don't have root access.

passwordless ssh works fine for other people, why did it break for me (possible reasons and suggestions)?

Again, the configuration of ssh is already set to accept this.

Sorry for the trouble.

[anomie]

Short answer is: We don't know why it broke for you. What did you do to break it?

Longer answer is:

PubkeyAuthentication yes <- This directive is necessary in /etc/ssh/sshd_config on the server side. No other authentication methods need to be turned on for pubkey authentication to work.

On the server side, run the command: chmod -R go-rwx ~/.ssh

On the client side, run the same command.

Make sure the contents of your .pub key have been written / appended to ~/.ssh/authorized_keys on the server side.

[soccercisco]

Thx 2 all 4 the help.

Yep, ssh can be tricky when it comes to permissions. It ended up being that my home folder had writing permissions for the group, thus ssh would not allow me to configure passwordless mode because somebody could've copied my authorized_keys file (even though the file itself had the appropriate permissions).