Some SSH help please.

mcveigh

Diamond Member
Dec 20, 2000
6,457
6
81
OK, I'm trying to set up ssh authentication between two machines, my laptop "icarus" and remote server "redserver"
my user account is on both machines.
passwords are different though (shouldn't matter though I think)

I added my id_dsa.pub from both machines to the other's authorized_keys

I have universal read permissions on my .ssh directory and all files in it.
but it still wants my password. I'm stuck, it's been too long since I tried to do this, I do remember that last time I set this up it was file permissions that stumped me for a while.
 

Aureius

Member
Jun 14, 2000
67
0
0
If you have regenerated the keys more than once you will need to wipe previous keys out of the authorized_keys file. The first one takes so any other ones will fail.

-Andy
 

mcveigh

I'm actually about to do that, I was planning on wiping the keys off both boxes and starting from scratch
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Try changing the require passwords (or whatever the option is called) in sshd_config and ssh_config to no.
 

mcveigh

already checked that :(

OK, I wiped all keys and files in ~/.ssh on both boxes except known_hosts
ssh-keygen
cp identity.pub authorized_keys

I then used scp to copy the identity.pub files from one to the other.
then I cat identity.pub >>authorized_keys.

that's it.

redserver is redhat 7.2 using default encryption
icarus is mandrake 8.2 using rsa encryption

all files in .ssh are readable by all except identity key

I must be forgetting something simple:eek:
 

n0cmonkey

You should only need to cat the .pub from the client machine (icarus?) not the server. So scp the identity.pub file from the laptop to the desktop and mv it to authorized_keys. And remember, if you are using ssh2, the file should be authorized_keys2 or whatever (does it have an s? :p)
 

n0cmonkey



<< you've got it right ;)

tried it no luck
>>



I feel like an ass saying it (but I'm sick and out of ideas right now), you did kill -HUP sshd right?

The following article may help (it's how I figured it out): ibm.com
 

mcveigh

could someone PM /email/post their /etc/sshd_config and ssh_config?

I swear this box is possessed, nothing seems to work. I have added keys, deleted keys, re-written config files, next step is an exorcism!!
 

n0cmonkey



<< could someone PM /email/post their /etc/sshd_config and ssh_config?

I swear this box is possessed, nothing seems to work. I have added keys, deleted keys, re-written config files, next step is an exorcism!!
>>



I'll try and find my old one and post it up here if I get a chance.
 

n0cmonkey

Sorry it took so long. The machine these are coming from is not networked and I have no easy way to test if the config files are still set up correctly. Good luck.

sshd_config

# $OpenBSD: sshd_config,v 1.42 2001/09/20 20:57:51 mouring Exp $

# This is the sshd server system-wide configuration file. See sshd(8)
# for more information.

Port 22
Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
HostKey /etc/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh_host_rsa_key
HostKey /etc/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO
#obsoletes QuietMode and FascistLogging

# Authentication:

LoginGraceTime 600
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys

# rhosts authentication should not be used
RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PasswordAuthentication yes
PermitEmptyPasswords no

# Uncomment to disable s/key passwords
#ChallengeResponseAuthentication no

# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no

# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes

X11Forwarding no
X11DisplayOffset 10
PrintMotd yes
#PrintLastLog no
KeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net
#ReverseMappingCheck yes

Subsystem sftp /usr/libexec/sftp-server


ssh_config

# $OpenBSD: ssh_config,v 1.10 2001/04/03 21:19:38 todd Exp $

# This is ssh client systemwide configuration file. See ssh(1) for more
# information. This file provides defaults for users, and the values can
# be changed in per-user configuration files or on the command line.

# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for various options

Host *
ForwardAgent no
ForwardX11 yes
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
PasswordAuthentication yes
FallBackToRsh no
UseRsh no
BatchMode no
CheckHostIP yes
StrictHostKeyChecking no
IdentityFile ~/.ssh/identity
IdentityFile ~/.ssh/id_dsa
IdentityFile ~/.ssh/id_rsa
Port 22
Protocol 2,1
Cipher blowfish
EscapeChar ~
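
The sshd_config posted above sets StrictModes yes, and the first post in the thread suspects file permissions. The script below is an added example, not part of anyone's post: it checks only the mode bits (not ownership) of the paths that sshd's StrictModes check and the ssh client's private-key check look at. The function names and the AUDIT_FINDINGS variable are made up for this example.

```shell
#!/bin/sh
# Added example: mode-bit audit for SSH public-key login (ownership is not checked).

# Print the nine permission characters of a path, e.g. "rwxr-xr-x".
mode_of() { ls -ld "$1" | cut -c2-10; }

# True if group or other can write: the condition StrictModes rejects.
group_or_other_writable() {
    case "$(mode_of "$1")" in
        ????w????|???????w?) return 0 ;;
        *) return 1 ;;
    esac
}

# True if group or other has any access: the ssh client rejects such private keys.
group_or_other_accessible() {
    case "$(mode_of "$1")" in
        ???------) return 1 ;;
        *) return 0 ;;
    esac
}

# audit_ssh_perms HOME: one finding per line; count left in AUDIT_FINDINGS.
# Returns 0 when clean, 1 when anything was found.
audit_ssh_perms() {
    home=$1
    AUDIT_FINDINGS=0
    # Server side: home, ~/.ssh and the key files must not be group/world writable.
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys" "$home/.ssh/authorized_keys2"; do
        [ -e "$p" ] || continue
        if group_or_other_writable "$p"; then
            echo "sshd (StrictModes yes): $p is group/world writable, key login refused"
            AUDIT_FINDINGS=$((AUDIT_FINDINGS + 1))
        fi
    done
    # Client side: private keys named in the posted ssh_config IdentityFile lines.
    for k in identity id_dsa id_rsa; do
        [ -f "$home/.ssh/$k" ] || continue
        if group_or_other_accessible "$home/.ssh/$k"; then
            echo "ssh client: $home/.ssh/$k is accessible to group/other, key ignored"
            AUDIT_FINDINGS=$((AUDIT_FINDINGS + 1))
        fi
    done
    [ "$AUDIT_FINDINGS" -eq 0 ]
}

# Usage: sh audit.sh /home/user   (run on each machine)
if [ "$#" -gt 0 ]; then audit_ssh_perms "$1" || true; fi
```

World-readable public files such as authorized_keys pass this check; it is write access for group or other on the server side, and any group or other access to the private key on the client side, that gets flagged.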
 

mcveigh

can I ssh 127.0.0.1 to try if authentication works? against myself?
 

mcveigh

AHHHHHHHHHHHHHHHHH!!!!!!!!!!

I can get it to work between my laptop and desktop at home

I uploaded my sshd_config and ssh_config to the server I want this to work on but still no go, I think it may be a problem with PAM modules?
 

n0cmonkey



<< AHHHHHHHHHHHHHHHHH!!!!!!!!!!

I can get it to work between my laptop and desktop at home

I uploaded my sshd_config and ssh_config to the server I want this to work on but still no go, I think it may be a problem with PAM modules?
>>



I'm running OpenBSD so I never had to mess with PAM. The IBM article didn't help at all?
 

mcveigh

I think it's a PAM problem with redhat. I moved /etc/pam.d/sshd file in the server and now it keeps rejecting my login remotely, so I'll fix it tomorrow.

I did find a thread on a redhat forum saying I did have to have authorized_keys2 on the redhat side (I tried both but got it working locally with just authorized_keys)
also it said you had to have PasswordAuthentication set to no, I'll try it tomorrow.

my last thought is to remove ssh and compile from scratch. but I really don't feel like messing with that. thanks for your help n0c :D
 

mcveigh

I think I figured it out.

Redhat seems to want to use authorized_keys2 only (I'm using dsa encryption)

and it needs to have PasswordAuthentication set to NO, I didn't think it would matter, as long as host based authentication worked.
but even just commenting out that line didn't work.

tonight I'll try to set up the backup computer, then I'll know for sure. but I was able to get it to work between my laptop and the server.

Thanks !
 

LNXman

Senior member
Jul 27, 2000
404
0
0
That is weird, because I have PasswordAuthentication yes on my config file and it works fine.
BTW, if I recall, authorized_keys2 is the file for backwards compatibility (i.e. version 1) and authorized_keys is where your new version 2 keys go (i.e. dsa). So now I am confused as to which authorized_key file has what key. . . Hehe.

I am curious, though, to know what ssh is doing in your case. You could get a pretty detailed verbose output if you use ssh -v -v -v <host> at the cli when you try to connect . . . and then analyze it to get a better idea (you can do the same with sshd, btw).
Keep at it and GL.
 

n0cmonkey



<< I think I figured it out.

Redhat seems to want to use authorized_keys2 only (I'm using dsa encryption)

and it needs to have PasswordAuthentication set to NO, I didn't think it would matter, as long as host based authentication worked.
but even just commenting out that line didn't work.

tonight I'll try to set up the backup computer, then I'll know for sure. but I was able to get it to work between my laptop and the server.

Thanks !
>>



I mentioned both of those things :p