  1. #1
    mjc
    Just Joined!
    Join Date
    Jul 2007
    Posts
    21

    Question ssh keygen; asking for password


    I am setting up a server so "userA" is using keys from "serverA" to access "serverB, userB".

    I created keys using "ssh-keygen -t rsa -f id_rsa" in /home/userA/.ssh
    copy .pub file to serverB/user B/.ssh
    copied contents of .pub file into the /.ssh/authorized_keys file
    chmod 700 to the .ssh directories and .pub files
    chmod 600 to the authorized_key file

    From serverA as userA, "ssh -v userB@serverB"
    the debug1 message indicates it found the key file and took it but later prompts me for "userB password: " I enter the password and the connection continues.

    But after making a connection, I'm prompted to enter the password for "user B".

    I've gone back and forth on this several times; reinstalling, trying different types of keys (rsa, dsa, ssh), each having the same symptom of asking for the password and as you might imagine, it's getting a bit frustrating.

    Any thoughts or suggestions?

    Thanks in advance

  2. #2
    Linux Newbie mazer's Avatar
    Join Date
    Jul 2006
    Location
    Tucson, Arizona, USA
    Posts
    109
    Quote Originally Posted by mjc View Post
    From serverA as userA, "ssh -v userB@serverB"
    the debug1 message indicates it found the key file and took it but later prompts me for "userB password: " I enter the password and the connection continues.

    But after making a connection, I'm prompted to enter the password for "user B".
    I do not understand this part. Are you asked twice for the same password? Or do you want to login without a password?

    Mazer

  3. #3
    mjc
    Just Joined!
    Join Date
    Jul 2007
    Posts
    21
    I'm trying to login without password, using keys. In this instance / case; it's accepting the keys but also asking for a password.

    When I ssh to the server, using "ssh -v userB@10.1.1.2" it finds and accepts the key but also asks for password.

  4. #4
    Linux Newbie mazer's Avatar
    Join Date
    Jul 2006
    Location
    Tucson, Arizona, USA
    Posts
    109
    Quote Originally Posted by mjc View Post
    I'm trying to login without password, using keys. In this instance / case; it's accepting the keys but also asking for a password.

    When I ssh to the server, using "ssh -v userB@10.1.1.2" it finds and accepts the key but also asks for password.
    OK. I'll show you how I have configured my ssh daemon in order to achieve that.
    sshd on serverB (sshd_config in /etc/ssh):
    Code:
    # Authentication:
    
    LoginGraceTime 30
    PermitRootLogin no
    StrictModes yes
    MaxAuthTries 3
    
    RSAAuthentication no
    PubkeyAuthentication yes
    #AuthorizedKeysFile	.ssh/authorized_keys
    
    # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
    RhostsRSAAuthentication no
    # similar for protocol version 2
    HostbasedAuthentication no
    # Change to yes if you don't trust ~/.ssh/known_hosts for
    # RhostsRSAAuthentication and HostbasedAuthentication
    IgnoreUserKnownHosts yes
    # Don't read the user's ~/.rhosts and ~/.shosts files
    IgnoreRhosts yes
    
    # To disable tunneled clear text passwords, change to no here!
    #PasswordAuthentication yes
    PermitEmptyPasswords no
    PasswordAuthentication no
    Of course, you have to restart sshd so that these configuration changes are accepted.
    Then, I have generated a key by typing
    Code:
    ssh-keygen -t dsa
    When the ssh-keygen asked me for the passphrase I just hit enter twice to indicate that I do not want any passphrase.

    And as you have already described I have copied the key in the authorized_keys file in
    the ~userB/.ssh/ directory.

    That should do it. What did you do differently?

    Mazer

  5. #5
    Linux Guru bigtomrodney's Avatar
    Join Date
    Nov 2004
    Location
    Ireland
    Posts
    6,132
    I think the bit you missed is that you do not enter the password when generating the key. If you do you are creating a key based on that password. The idea is to create a key based on having no password.

  6. #6
    mjc
    Just Joined!
    Join Date
    Jul 2007
    Posts
    21
    Hi Mazer

    Yes, thank you, the steps you outline are what I performed on ServerA as UserA:
    "ssh-keygen -t rsa -f id_rsa"
    press enter twice when asked for passphrase
    created two files, id_rsa and id_rsa.pub
    copied id_rsa.pub to ServerB, UserB
    cat contents of id_rsa.pub into authorized_keys
    from ServerA "ssh -v UserB@ServerB"
    it found keys, accepted
    However, further along, it will ask for password

    In terms of my ServerB sshd_config file, it is:


    # $OpenBSD: sshd_config,v 1.69 2004/05/23 23:59:53 dtucker Exp $

    # This is the sshd server system-wide configuration file. See
    # sshd_config(5) for more information.

    # This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

    # The strategy used for options in the default sshd_config shipped with
    # OpenSSH is to specify options with their default value where
    # possible, but leave them commented. Uncommented options change a
    # default value.

    #Port 22
    #Protocol 2,1
    #ListenAddress 0.0.0.0
    #ListenAddress ::
    ###########################################################
    #
    Protocol 2
    PermitRootLogin no
    ChallengeResponseAuthentication no

    #HostKey /etc/ssh/ssh_host_key
    #HostKeys for protocol version 2
    #HostKey /etc/ssh/ssh_host_rsa_key
    #HostKey /etc/ssh/ssh_host_dsa_key

    # Lifetime and size of ephemeral version 1 server key
    #KeyRegenerationInterval 1h
    #ServerKeyBits 768

    # Logging
    #obsoletes QuietMode and FascistLogging
    #SyslogFacility AUTH
    SyslogFacility AUTHPRIV
    #LogLevel INFO

    # Authentication:

    #LoginGraceTime 30
    #PermitRootLogin no
    #StrictModes yes
    #MaxAuthTries 4

    #RSAAuthentication yes
    #PubkeyAuthentication yes
    #AuthorizedKeysFile .ssh/authorized_keys

    # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
    #RhostsRSAAuthentication no
    # similar for protocol version 2
    #HostbasedAuthentication no
    # Change to yes if you don't trust ~/.ssh/known_hosts for
    # RhostsRSAAuthentication and HostbasedAuthentication
    #IgnoreUserKnownHosts no
    # Don't read the user's ~/.rhosts and ~/.shosts files
    #IgnoreRhosts yes

    # To disable tunneled clear text passwords, change to no here!
    #PasswordAuthentication yes
    #PermitEmptyPasswords no
    PasswordAuthentication yes

    # Change to no to disable s/key passwords
    #ChallengeResponseAuthentication yes
    ChallengeResponseAuthentication no

    # Kerberos options
    #KerberosAuthentication no
    #KerberosOrLocalPasswd yes
    #KerberosTicketCleanup yes
    #KerberosGetAFSToken no

    # GSSAPI options
    #GSSAPIAuthentication no
    GSSAPIAuthentication yes
    #GSSAPICleanupCredentials yes
    GSSAPICleanupCredentials yes

    # Set this to 'yes' to enable PAM authentication, account processing,
    # and session processing. If this is enabled, PAM authentication will
    # be allowed through the ChallengeResponseAuthentication mechanism.
    # Depending on your PAM configuration, this may bypass the setting of
    # PasswordAuthentication, PermitEmptyPasswords, and
    # "PermitRootLogin without-password". If you just want the PAM account and
    # session checks to run without PAM authentication, then enable this but set
    # ChallengeResponseAuthentication=no
    #UsePAM no
    UsePAM yes


    Any thoughts?

    Thanks in advance

  7. #7
    Linux Enthusiast
    Join Date
    Jul 2005
    Location
    Maryland
    Posts
    522
    try:
    Code:
    chmod 710 .ssh
    and check this thread for more information:
    http://www.linuxforums.org/forum/ser...-password.html

  8. #8
    mjc
    Just Joined!
    Join Date
    Jul 2007
    Posts
    21
    "chmod 710?" Why is that, may I ask?

  9. #9
    Linux Enthusiast
    Join Date
    Jul 2005
    Location
    Maryland
    Posts
    522
    Don't know why, but it seems that execute permission for "group" is needed (at least according to that thread).
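
Added example, not part of any post in this thread: a shell function modelled on the ownership and write-permission checks that `StrictModes yes` applies to the home directory, `~/.ssh` and `authorized_keys`. The function name `check_strictmodes` is hypothetical and GNU `stat` is assumed. The check looks only at ownership and the group/other write bits, so modes 700 and 710 on `.ssh` both pass, while a group-writable home directory does not.

```shell
#!/bin/sh
# Added example: approximate the StrictModes path checks for one account.
# Usage: check_strictmodes HOME_DIR [EXPECTED_UID]
# Prints one line per problem; returns 0 if clean, 1 if a problem was found.
check_strictmodes() {
    home=$1
    want_uid=${2:-$(id -u)}
    rc=0
    for path in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$path" ]; then
            echo "MISSING  $path"
            rc=1
            continue
        fi
        # GNU stat: %a = octal permission bits, %u = numeric owner
        mode=$(stat -c %a "$path")
        uid=$(stat -c %u "$path")
        # The path must belong to the account itself or to root (uid 0).
        if [ "$uid" != "$want_uid" ] && [ "$uid" != "0" ]; then
            echo "OWNER    $path is owned by uid $uid, expected $want_uid or 0"
            rc=1
        fi
        # Group-write (020) or other-write (002) fails; execute bits do not.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "WRITABLE $path has mode $mode (group or other can write)"
            rc=1
        fi
    done
    return $rc
}
```

Run it on serverB against userB's home directory, as root or as userB, for example `check_strictmodes /home/userB "$(id -u userB)"`.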

  10. #10
    Linux Newbie mazer's Avatar
    Join Date
    Jul 2006
    Location
    Tucson, Arizona, USA
    Posts
    109
    Hi mjc,

    did you try to set
    Code:
    PubkeyAuthentication yes
    PasswordAuthentication no
    in your sshd_config?

    That should be the problem. If you check the settings that I posted before, you will
    find that I have marked these lines.

    Hope that helps,
    mazer
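
Added example, not part of any post in this thread: a shell helper that reads an sshd_config the way the file format is defined (the first uncommented value of a keyword wins, a commented keyword falls back to its default) and lists the authentication methods the server would offer. The function names `sshd_effective`, `offered_methods` and `mjc_config` are hypothetical; the sample holds only the uncommented lines of the config in post #6, the defaults are the ones shown in that file's commented lines, and `Match` blocks are ignored. For that config, public-key authentication is already enabled by default, so a password prompt means the key was not accepted and the client moved on to the next offered method.

```shell
#!/bin/sh
# Added example: effective sshd_config values (Match/Include not handled).

# sshd_effective FILE KEYWORD DEFAULT
# Prints the first uncommented value of KEYWORD (sshd keeps the first one
# it reads), or DEFAULT when the keyword is absent or commented out.
sshd_effective() {
    awk -v want="$2" -v def="$3" '
        { sub(/^[ \t]+/, "") }              # drop leading whitespace
        /^#/ || /^$/ { next }               # skip comments and blank lines
        {
            n = split($0, f, "[ \t=]+")     # "Key value" or "Key=value"
            if (n >= 2 && tolower(f[1]) == tolower(want)) {
                print tolower(f[2]); found = 1; exit
            }
        }
        END { if (!found) print def }
    ' "$1"
}

# offered_methods FILE: space-separated list of enabled auth methods.
offered_methods() {
    m=""
    if [ "$(sshd_effective "$1" PubkeyAuthentication yes)" = yes ]; then m="$m publickey"; fi
    if [ "$(sshd_effective "$1" GSSAPIAuthentication no)" = yes ]; then m="$m gssapi-with-mic"; fi
    if [ "$(sshd_effective "$1" ChallengeResponseAuthentication yes)" = yes ]; then m="$m keyboard-interactive"; fi
    if [ "$(sshd_effective "$1" PasswordAuthentication yes)" = yes ]; then m="$m password"; fi
    echo "${m# }"
}

# Sample input: the uncommented lines of the sshd_config from post #6.
mjc_config() { cat <<'EOF'
Protocol 2
PermitRootLogin no
ChallengeResponseAuthentication no
SyslogFacility AUTHPRIV
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
EOF
}
```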
