openSSH no passwd problem

[zkab]

I am running Ubuntu 7.10 and followed the guidelines in https://help.ubuntu.com/community/AdvancedOpenSSH to
set up a RSA Key-Based SSH Logins with no password since I need to run a rsync via cron

There are a lot of instructions and howto:s but somehow I have missed something very important.
Here is what I did ...

1. ssh-keygen -t rsa
2. I did not enter a passphrase
3. ssh-copy-id -i ~/.ssh/id_rsa.pub john@server-x
4. When 'ssh john@server-x' first time --> asked if server-x could be trusted (OK) and asked for password (was given)
5. But from now on every time when ssh is used to login to server-x it asks for password ... why ?
Here is some output from 'ssh -v john@server-x'

OpenSSH_4.6p1 Debian-5build1, OpenSSL 0.9.8e 23 Feb 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to server-x [192.168.10.2] port 22.
debug1: Connection established.
debug1: identity file /home/bob/.ssh/identity type -1
debug1: identity file /home/bob/.ssh/id_rsa type 1
debug1: identity file /home/bob/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.6p1 Debian-5build1
debug1: match: OpenSSH_4.6p1 Debian-5build1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.6p1 Debian-5build1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'server-x' is known and matches the RSA host key.
debug1: Found key in /home/bob/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /home/bob/.ssh/identity
debug1: Offering public key: /home/bob/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/bob/.ssh/id_dsa
debug1: Next authentication method: password

6. I have chmod 644 for 'authorized_keys' in /home/john/.ssh for server-x
7. In /etc/ssh/sshd_config for server-x there is:

RSAAuthentication yes
PubkeyAuthentication yes


So what is wrong ... ??

Have to mention that I have deleted ~/.ssh many time as I have regenerated both rsa and dsa keypairs ... same story
I don't know if that has degenerated my ssh-system but I have allways 'sudo /etc/init.d/ssh restart' before a new ssh-keygen

[RobinVossen]

You might want to do:
chmod 644 ~/.ssh/authorized_keys

OpenSSH doesnt have the rights at default to write there..

Hope that helps

[matonb]

What are the permissions on /home/john and /home/john/.ssh ?

Also have you checked that your key has actually been stored in .ssh/authorized_keys ?

[zkab]

Permissions are:

/home/john/.ssh 700
/home/john/.ssh/authorized_keys 644
/home/john 775

Yes - the public key is stored in .ssh/authorized_keys

[RobinVossen]

not sure.
But I think that you should do

Code:

chmod +r /home/john/.ssh

[zkab]

Didn't help with chmod +r /home/john/.ssh

I don't think it's a permission issue ... all permissions are default openSSH.
It seems to me that the login does not get the right key ... if you look at the debug-list (line 4 from the end) it says 'Offering public key: /home/bob/.ssh/id_rsa' but it is not accepted and it goes on with 'Next authentication method: password' ... hmmm strange

[RobinVossen]

Umm, try regenerating the Key (rsa)
It might now be the same since of some error.

Well, I hope it is *any* help.

[matonb]

You'll probably find that it's the permissions on /home/john

Set it to 700 and the keys should work fine.

If you must allow access to anyone other than the individual user, there is a setting in /etc/ssh/sshd.conf - StrictModes, set this to no if you absolutly must!

[zkab]

I deleted ~/.ssi both on client and server and regenerated a new keypair ... this time with dsa instead of rsa ... restarted ssh ... same story

BTW ... the files in /etc/ssh/

ssh_host_dsa_key
ssh_host_dsa_key.pub
ssh_host_rsa_key
ssh_host_rsa_key.pub

what are they for ? I haven't touched them between key-generations

[matonb]

BTW ... the files in /etc/ssh/

ssh_host_dsa_key
ssh_host_dsa_key.pub
ssh_host_rsa_key
ssh_host_rsa_key.pub

They're the host keys (usually generated when you install ssh for the first time). These keys are used to identify the host (they get put in the known_hosts files on remote servers)