SSH Athentification with public key

SSH Athentification with public key

[Gerd Müller]

Hello,

i want to update hourly a remote mirror-server with rsync via ssh. In order 
to enable the file-server to establish a ssh-session without password 
prompt, i created on file-server a keypair with ssh-keygen -t rsa (empty 
passphrase) and copied the public key (id_rsa.pub) to the 
/root/.ssh/authorized_keys File (on mirror-server). This file didn't exist 
before.
When establishing a ssh-sesssion with root@servername, the password request 
occurs nontheless!
(with root's password i am able to establish the connection).
Can anybody tell me what i did wrong? I am running RedHat 7.3 on both 
machines.

Gerd

Re: SSH Athentification with public key

[Matt Hemingway]

Could be a couple things:

1. When you copied the id_rsa.pub file, did you do a copy and paste from an xterm window to an xterm window or did you sftp/scp/ftp the file over?  I had a similar problem, where I had copied the contents from an xterm window to an xterm window and instead of the lines wrapping at the end of the window, line breaks were inserted.  Each public key entry must be one line.

2. Make sure the authorized_keys file is owned and readable by root.

Also, try ssh -vvv root@mirror-server and see if you get any usefull info.   strace can come in handy as well.

-Matt


On Tue, 27 May 2003 11:30:40 +0400
Gerd Müller <gerd.bomber.mueller@web.de> wrote:

> Hello,
> 
> i want to update hourly a remote mirror-server with rsync via ssh. In order 
> to enable the file-server to establish a ssh-session without password 
> prompt, i created on file-server a keypair with ssh-keygen -t rsa (empty 
> passphrase) and copied the public key (id_rsa.pub) to the 
> /root/.ssh/authorized_keys File (on mirror-server). This file didn't exist 
> before.
> When establishing a ssh-sesssion with root@servername, the password request 
> occurs nontheless!
> (with root's password i am able to establish the connection).
> Can anybody tell me what i did wrong? I am running RedHat 7.3 on both 
> machines.
> 
> Gerd
> 
> 
> 
> -
> To unsubscribe from this list: send the line "unsubscribe linux-admin" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html


-- 
================
Matt Hemingway
PCNAlert
www.pcnalert.com
626-585-2788
================
-
To unsubscribe from this list: send the line "unsubscribe linux-admin" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: SSH Athentification with public key

[Keith Morse]

On Tue, 27 May 2003, Matt Hemingway wrote:

> Could be a couple things:
> 
> 1. When you copied the id_rsa.pub file, did you do a copy and paste from an xterm window to an xterm window or did you sftp/scp/ftp the file over?  I had a similar problem, where I had copied the contents from an xterm window to an xterm window and instead of the lines wrapping at the end of the window, line breaks were inserted.  Each public key entry must be one line.
> 
> 2. Make sure the authorized_keys file is owned and readable by root.
> 
> Also, try ssh -vvv root@mirror-server and see if you get any usefull info.   strace can come in handy as well.
> 
> -Matt

So far, the following is my favorite way of doing this.

    function putkey {
        [ $# -eq 1 ] || return 1
        { fgrep -q $1 /etc/hosts || host $1 > /dev/null; } || return 1
        cat $HOME/.ssh/id_dsa.pub | ssh $1 'cat >> .ssh/authorized_keys'
    }



You'll need to adjust accordingly for rsa keys.





> 
> 
> On Tue, 27 May 2003 11:30:40 +0400
> Gerd Müller <gerd.bomber.mueller@web.de> wrote:
> 
> > Hello,
> > 
> > i want to update hourly a remote mirror-server with rsync via ssh. In order 
> > to enable the file-server to establish a ssh-session without password 
> > prompt, i created on file-server a keypair with ssh-keygen -t rsa (empty 
> > passphrase) and copied the public key (id_rsa.pub) to the 
> > /root/.ssh/authorized_keys File (on mirror-server). This file didn't exist 
> > before.
> > When establishing a ssh-sesssion with root@servername, the password request 
> > occurs nontheless!
> > (with root's password i am able to establish the connection).
> > Can anybody tell me what i did wrong? I am running RedHat 7.3 on both 
> > machines.
> > 
> > Gerd
> > 
> > 
> > 
> > -
> > To unsubscribe from this list: send the line "unsubscribe linux-admin" in
> > the body of a message to majordomo@vger.kernel.org
> > More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 
> 
> 

-
To unsubscribe from this list: send the line "unsubscribe linux-admin" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: SSH Athentification with public key

[Stephen Samuel]

Keith Morse wrote:
>
> 
> So far, the following is my favorite way of doing this.
> 
>     function putkey {
>         [ $# -eq 1 ] || return 1
>         { fgrep -q $1 /etc/hosts || host $1 > /dev/null; } || return 1
>         cat $HOME/.ssh/id_dsa.pub | ssh $1 'cat >> .ssh/authorized_keys'
>     }
> 
> 
> 
> You'll need to adjust accordingly for rsa keys.
     cat $HOME/.ssh/id_?sa.pub | ssh $1 'cat >> .ssh/authorized_keys'


The question mark should get both dsa and rsa keys in one shot.

-- 
Stephen Samuel +1(604)876-0426                samuel@bcgreen.com
		   http://www.bcgreen.com/~samuel/
Powerful committed communication, reaching through fear, uncertainty and
doubt to touch the jewel within each person and bring it to life.

Re: SSH Athentification with public key

[Keith Morse]

On Wed, 28 May 2003, Stephen Samuel wrote:

> Keith Morse wrote:
> >
> > 
> > So far, the following is my favorite way of doing this.
> > 
> >     function putkey {
> >         [ $# -eq 1 ] || return 1
> >         { fgrep -q $1 /etc/hosts || host $1 > /dev/null; } || return 1
> >         cat $HOME/.ssh/id_dsa.pub | ssh $1 'cat >> .ssh/authorized_keys'
> >     }
> > 
> > 
> > 
> > You'll need to adjust accordingly for rsa keys.
>      cat $HOME/.ssh/id_?sa.pub | ssh $1 'cat >> .ssh/authorized_keys'
> 
> 
> The question mark should get both dsa and rsa keys in one shot.


Aye, thanks.  This came from another list and I wasn't paying attention as 
I only use DSA keys.

Re: SSH Athentification with public key

[Stephen Samuel]

Gerd Müller wrote:
> Hello,
> 
> i want to update hourly a remote mirror-server with rsync via ssh. In 
> order to enable the file-server to establish a ssh-session without 
> password prompt, i created on file-server a keypair with ssh-keygen -t 
> rsa (empty passphrase) and copied the public key (id_rsa.pub) to the 
> /root/.ssh/authorized_keys File (on mirror-server). This file didn't 
> exist before.

Try:
	cd .ssh
	chmod og-w auth* . ..
	mv authorized_keys authorized_keys2

The authorized_keys file must be owned and readable by root,
(or owned and readable by the user that  is being authenticated for)
The authorized_keys file, the .ssh directory and your home directory
must ONLY be writable by the owner. They CANNOT be group-writable.

Matt Hemingway wrote:
 > Could be a couple things:
 >
 > 1. When you copied the id_rsa.pub file, did you do a copy and paste from an xterm window to an xterm window or did you sftp/scp/ftp the file over?  I had a similar 
problem, where I had copied the contents from an xterm window to an xterm window and instead of the lines wrapping at the end of the window, line breaks were inserted. 
Each public key entry must be one line.
 >
 > 2. Make sure the authorized_keys file is owned and readable by root.
 >
 > Also, try ssh -vvv root@mirror-server and see if you get any usefull info.   strace can come in handy as well.

if you're using the DSA or RSA public keys. They should go into the
authorized_keys2 file.
                ^
It's only identity.pub (the ssh1 public key file) who'se contents
get coppied into authorized_keys


-- 
Stephen Samuel +1(604)876-0426                samuel@bcgreen.com
		   http://www.bcgreen.com/~samuel/
Powerful committed communication, reaching through fear, uncertainty and
doubt to touch the jewel within each person and bring it to life.

-
To unsubscribe from this list: send the line "unsubscribe linux-admin" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: SSH Athentification with public key

[Mikel Bauer]

Please realize with a redhat 7.3 install, that "authorized_keys" is 
perfectly valid, and infact SHOULD be used as you would need to changed 
the default sshd_config file to point to the "authorized_keys2" file.

And it's required to append the contents of your public rsa key to the 
authrized_keys file (man ssh-keygen):

      $HOME/.ssh/id_rsa.pub
              Contains the protocol version 2 RSA public key for authentica-
              tion.  The contents of this file should be added to
              $HOME/.ssh/authorized_keys on all machines where the user 
wishes
              to log in using public key authentication.  There is no 
need to
              keep the contents of this file secret.

with redhat7.3, there should be no need for any identify files (identity 
or identity.pub).

Doing a verbose connection should help figure out what the problem is 
(ssh -v hostname).  This should show you step by step how it's trying to 
authenticate.


-- 
Mikel Bauer


Stephen Samuel wrote:
> Gerd Müller wrote:
> 
>> Hello,
>>
>> i want to update hourly a remote mirror-server with rsync via ssh. In 
>> order to enable the file-server to establish a ssh-session without 
>> password prompt, i created on file-server a keypair with ssh-keygen -t 
>> rsa (empty passphrase) and copied the public key (id_rsa.pub) to the 
>> /root/.ssh/authorized_keys File (on mirror-server). This file didn't 
>> exist before.
> 
> 
> Try:
>     cd .ssh
>     chmod og-w auth* . ..
>     mv authorized_keys authorized_keys2
> 
> The authorized_keys file must be owned and readable by root,
> (or owned and readable by the user that  is being authenticated for)
> The authorized_keys file, the .ssh directory and your home directory
> must ONLY be writable by the owner. They CANNOT be group-writable.
> 
> Matt Hemingway wrote:
>  > Could be a couple things:
>  >
>  > 1. When you copied the id_rsa.pub file, did you do a copy and paste 
> from an xterm window to an xterm window or did you sftp/scp/ftp the file 
> over?  I had a similar problem, where I had copied the contents from an 
> xterm window to an xterm window and instead of the lines wrapping at the 
> end of the window, line breaks were inserted. Each public key entry must 
> be one line.
>  >
>  > 2. Make sure the authorized_keys file is owned and readable by root.
>  >
>  > Also, try ssh -vvv root@mirror-server and see if you get any usefull 
> info.   strace can come in handy as well.
> 
> if you're using the DSA or RSA public keys. They should go into the
> authorized_keys2 file.
>                ^
> It's only identity.pub (the ssh1 public key file) who'se contents
> get coppied into authorized_keys
> 
>

-
To unsubscribe from this list: send the line "unsubscribe linux-admin" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: SSH Athentification with public key

[Jean M. Bouchara]

>>> Hello,
>>>
>>> i want to update hourly a remote mirror-server with rsync via ssh. In
>>>  order to enable the file-server to establish a ssh-session without
>>> password prompt, i created on file-server a keypair with ssh-keygen
>>> -t  rsa (empty passphrase) and copied the public key (id_rsa.pub) to
>>> the  /root/.ssh/authorized_keys File (on mirror-server). This file
>>> didn't  exist before.

Gerd,

It isn't clear. Try to increment log level. Set 'LogLevel DEBUG'
in 'ssh_config' (client side) and/or 'sshd_config' (server side).


-- 
Jean Michel Bouchara
Completo Tecnologia S/C Ltda. - http://www.completo.com.br/
Fone / Fax: (0xx11) 3887.9911
--
Visite o site http://www.escrevinhadora.com.br/

Re: SSH Athentification with public key

[pacho baratta]

> i want to update hourly a remote mirror-server with rsync via ssh. In
> order  to enable the file-server to establish a ssh-session without
> password  prompt, i created on file-server a keypair with ssh-keygen -t
> rsa (empty  passphrase) and copied the public key (id_rsa.pub) to the
> /root/.ssh/authorized_keys File (on mirror-server). This file didn't
> exist  before.
something fool now:
when u generated rsa key did u press enter 2 times or inserted a password?
cause if u inserted a password... well the trick doesn't work

pacho

Solved: SSH Athentification with public key

[Gerd Müller]

Hello,

thank you very much for all the helpful hints! Changing permissions of 
/$HOME/.ssh to 700 solved the problem (it was 770)!

Gerd



<gerd.bomber.mueller@web.de> wrote:

> Hello,
>
> i want to update hourly a remote mirror-server with rsync via ssh. In 
> order to enable the file-server to establish a ssh-session without 
> password prompt, i created on file-server a keypair with ssh-keygen -t 
> rsa (empty passphrase) and copied the public key (id_rsa.pub) to the 
> /root/.ssh/authorized_keys File (on mirror-server). This file didn't 
> exist before.
> When establishing a ssh-sesssion with root@servername, the password 
> request occurs nontheless!
> (with root's password i am able to establish the connection).
> Can anybody tell me what i did wrong? I am running RedHat 7.3 on both 
> machines.
>
> Gerd
>
>
>
> -
> To unsubscribe from this list: send the line "unsubscribe linux-admin" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>
>



-- 
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/

Re: SSH Athentification with public key

[gerardo juarez-mondragon]

Gerd,

Check:

- permissions. For security reasons, SSH is quite picky about this.
Furthermore, diagnostics are very terse, for the same reasons I 
assume. If any related file, authorized_keys, the public or private 
portions of the keys, etc. has the  wrong permissions, key 
authentication will fail. What you'll see is that it falls back to 
password authentication -if it's configured that way.

- key format. RSA and DSA keys are different and are stored in 
different files. 

- configuration: there is an order in which authentications are 
tried  and other options that are controlled in the config files: 
/etc/ssh/ssh_config  and /etc/ssh/sshd_config. I'm afraid this 
location may   have changed with ssh2 to something  related. In old 
servers, this location was directly  /etc/ssh_config. Notice that 
ssh_config refers to clients. A user could have its own cient 
configuration and I don't know to what extent it overrides the system-
wide client config. The sshd_config is the server config file,  which 
is only modifiable by root however.

Gerardo


Searching for the best free email?  Try MetaCrawler Mail, from the #1 metasearch service on the Web, http://www.metacrawler.com