ssh keygen; asking for password

[mjc]

I am setting up a server so "userA" is using keys from "serverA" to access "serverB, userB".

I created keys using "ssh-keygen -t rsa -f id_rsa" in /home/userA/.ssh
copy .pub file to serverB/user B/.ssh
copied contents of .pub file into the /.ssh/authorized_keys file
chmod 700 to the .ssh directories and .pub files
chmod 600 to the authorized_key file

From serverA as userA, "ssh - v userB@serverB"
the debug1 message indicates it found the key file and took it but later prompts me for "userB password: " I enter the password and the connection continues.

But after making a connection, I'm prompted to enter the password for "user B".

I've gone back and forth on this several times; reinstalling trying different type of keys (rsa, dsa, ssh), each having the same symptom of asking for the password and as you might imagine, it's getting a bit frustrating.

Any thoughts or suggestions?

Thanks in advance

[mazer]

From serverA as userA, "ssh - v userB@serverB"
the debug1 message indicates it found the key file and took it but later prompts me for "userB password: " I enter the password and the connection continues.

But after making a connection, I'm prompted to enter the password for "user B".

I do not understand this part. Are you asked twice for the same password? Or do you want to login without a password?

Mazer

[mjc]

I'm trying to login without password, using keys. In this instance / case; it's accepting the keys but also asking for a password.

When I ssh to the server, using " ssh - v userB@10.1.1.2" it finds and accept the key but also asks for password.

[mazer]

I'm trying to login without password, using keys. In this instance / case; it's accepting the keys but also asking for a password.

When I ssh to the server, using " ssh - v userB@10.1.1.2" it finds and accept the key but also asks for password.

Ok. I show you how I have configured my ssh daemon in order to achieve that.
sshd on serverB (sshd_config in /etc/ssh):

Code:

# Authentication:

LoginGraceTime 30
PermitRootLogin no
StrictModes yes
MaxAuthTries 3

RSAAuthentication no
PubkeyAuthentication yes
#AuthorizedKeysFile	.ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
IgnoreUserKnownHosts yes
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
PermitEmptyPasswords no
PasswordAuthentication no

Of course, you have to restart sshd so that this configurations are accepted.
Then, I have generated a key by typing

Code:

ssh-keygen -t dsa

When the ssh-keygen asked me for the passphrase I just hit enter twice to indicate that I do not want any passphrase.

And as you have already described I have copied the key in the authorized_keys file in
the ~userB/.ssh/ directory.

That should do it. What did you different?

Mazer

[bigtomrodney]

I think the bit you missed is that you do not enter the password when generating the key. If you do you are creating a key based on that password. The idea is to create a key based on having no password.

[mjc]

Hi Mazer

Yes thank you, the steps you outline is what I performed on ServerA as UserA:
"ssh-keygen -t rsa -f id_rsa"
press enter twice when asked for passphrase
created two files, id_rsa and id_rsa.pub
copied id_rsa.pub to ServerB, UserB
cat contents of id_rsa.pub into authorized_keys
from ServerA "ssh -v UserB@ServerB"
it found keys, accepted
However, further along, it will ask for password

In terms of my ServerB sshd_config file, it is:


# $OpenBSD: sshd_config,v 1.69 2004/05/23 23:59:53 dtucker Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::
################################################## #########
#
Protocol 2
PermitRootLogin no
ChallengeResponseAuthentication no

#HostKey /etc/ssh/ssh_host_key
#HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 30
#PermitRootLogin no
#StrictModes yes
#MaxAuthTries 4

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
#UsePAM no
UsePAM yes


Any thoughts?

Thanks in advance

[pavlo_7]

try:

Code:

chmod 710 .ssh

and check this thread for more information:
http://www.linuxforums.org/forum/ser...-password.html

[mjc]

"chmod 710?" Why is that may I ask?

[pavlo_7]

Don't know why, but it seems that execute permission for "group" is needed (at least according to that thread).

[mazer]

Hi Mazer

Yes thank you, the steps you outline is what I performed on ServerA as UserA:
"ssh-keygen -t rsa -f id_rsa"
press enter twice when asked for passphrase
created two files, id_rsa and id_rsa.pub
copied id_rsa.pub to ServerB, UserB
cat contents of id_rsa.pub into authorized_keys
from ServerA "ssh -v UserB@ServerB"
it found keys, accepted
However, further along, it will ask for password

In terms of my ServerB sshd_config file, it is:


# $OpenBSD: sshd_config,v 1.69 2004/05/23 23:59:53 dtucker Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::
################################################## #########
#
Protocol 2
PermitRootLogin no
ChallengeResponseAuthentication no

#HostKey /etc/ssh/ssh_host_key
#HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 30
#PermitRootLogin no
#StrictModes yes
#MaxAuthTries 4

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
#UsePAM no
UsePAM yes


Any thoughts?

Thanks in advance

Hi mjc,

did you try to set

Code:

PubkeyAuthentication yes
PasswordAuthentication no

in your sshd_config?

That should be the problem. If you check my setting that I have posted before, you can
find that I have marked these lines.

Hope that helps,
mazer