SUMMARY: problems setting up SSH without passwords
From: Rob De Langhe (rob.delanghe@telindus.be)
Date: 04/02/03
From: Rob De Langhe <rob.delanghe@telindus.be>
To: "'secureshell@securityfocus.com'" <secureshell@securityfocus.com>
Date: Wed, 2 Apr 2003 08:12:21 +0200
Thanks all for the suggestions; as usual there were a lot of precise remarks
that helped me pinpoint the reason for this problem:
exactly ALL of the below conditions must be met in order to have the SSHD
accept an authentication based on shared keys instead of the user password:
1) the home-directory of the remote (target) user must be owned by that same
user (not so obvious at all times)
2) the home-directory of the remote user must not be writable to anyone else
than itself (chmod go-w)
3) the $HOME/.ssh directory of the remote user must not be writable to
anyone else than itself (chmod go-w)
4) the $HOME/.ssh/authorized_keys file of the remote user must not be
writable to anyone else than itself (chmod go-w)
All this is true when the option StrictModes in the sshd_config file is
either commented out (so that it takes its default value of 'yes'), or
set to 'yes'.
If it is set to 'no', it ignores all file/directory permissions and
ownership.
Thanks again to all!
Rob
> -----Original Message-----
> From: Rob De Langhe
> Sent: maandag 31 maart 2003 10:22
> To: 'secureshell@securityfocus.com'
> Subject: problems setting up SSH without passwords
>
>
> Hi all,
>
> I am trying to configure an SSH login-sequence without having
> to type the
> password, but it doesn't work :
>
> configuration: Solaris-9, openSSH 3.5p1
>
> On serverA (source host), I did invoke the commands
>
> ssh-keygen -t rsa
>
> (with empty passphrase)
>
> and stored the generated $HOME/.ssh/id_rsa.pub file on the target host
> 'serverB' in $HOME/.ssh/authorized_keys
>
> Then from serverA, I try "ssh serverB" but it still asks me
> for a password.
>
> The output from "ssh -v -v -v serverB" is below.
>
> I have managed to apply this simple procedure in another
> environment some
> years ago, without problems. So something I'm doing is wrong (or some
> missing option in the sshd_config file?)
>
> Any help is mostly appreciated.
>
> Rob
>
> output from "ssh -v -v -v serverB" invoked from serverA:
>
> ...
> debug1: Host 'serverB' is known and matches the RSA host key.
> debug1: Found key in /var/adm/sa/.ssh/known_hosts:1
> debug1: bits set: 1585/3191
> debug1: ssh_rsa_verify: signature correct
> debug1: kex_derive_keys
> debug1: newkeys: mode 1
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: waiting for SSH2_MSG_NEWKEYS
> debug1: newkeys: mode 0
> debug1: SSH2_MSG_NEWKEYS received
> debug1: done: ssh_kex2.
> debug1: send SSH2_MSG_SERVICE_REQUEST
> debug1: service_accept: ssh-userauth
> debug1: got SSH2_MSG_SERVICE_ACCEPT
> debug1: authentications that can continue:
> publickey,password,keyboard-interactive,hostbased
> debug3: start over, passed a different list
> publickey,password,keyboard-interactive,hostbased
> debug3: preferred publickey,keyboard-interactive,password
> debug3: authmethod_lookup publickey
> debug3: remaining preferred: keyboard-interactive,password
> debug3: authmethod_is_enabled publickey
> debug1: next auth method to try is publickey
> debug1: try privkey: /var/adm/sa/.ssh/identity
> debug3: no such identity: /var/adm/sa/.ssh/identity
> debug1: try pubkey: /var/adm/sa/.ssh/id_rsa
> debug3: send_pubkey_test
> debug2: we sent a publickey packet, wait for reply
> debug1: authentications that can continue:
> publickey,password,keyboard-interactive,hostbased
> debug1: try privkey: /var/adm/sa/.ssh/id_dsa
> debug3: no such identity: /var/adm/sa/.ssh/id_dsa
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup keyboard-interactive
> debug3: remaining preferred: password
> debug3: authmethod_is_enabled keyboard-interactive
> debug1: next auth method to try is keyboard-interactive
> debug2: userauth_kbdint
> debug2: we sent a keyboard-interactive packet, wait for reply
> debug1: authentications that can continue:
> publickey,password,keyboard-interactive,hostbased
> debug3: userauth_kbdint: disable: no info_req_seen
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup password
> debug3: remaining preferred:
> debug3: authmethod_is_enabled password
> debug1: next auth method to try is password
> ...
> (and password is prompted)
>
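
The four StrictModes conditions from the summary above, written as a check that can be run on the target host. This is an added example, not part of the original post; the function names are made up for illustration, and ownership is checked on the home directory only, as the summary states.

```shell
#!/bin/sh
# Added example (not from the original post): audit the StrictModes conditions.
# Usage: check_strictmodes USER_OR_UID HOME_DIR
# Prints one line per violation; returns 0 only when all four conditions hold.

# Print "<mode-string> <numeric-uid>" for a path, parsed from POSIX `ls -ldn`.
mode_and_uid() {
    ls -ldn "$1" 2>/dev/null | awk '{ print $1, $3 }'
}

# Conditions 2-4: the path exists and has no group/other write bit.
not_writable_by_others() {
    info=$(mode_and_uid "$1")
    if [ -z "$info" ]; then echo "MISSING: $1"; return 1; fi
    # In a mode string such as drwxrwxrwx, char 6 is group write, char 9 other write.
    case ${info% *} in
        ?????w*|????????w*)
            echo "WRITABLE: $1 (${info% *}), fix: chmod go-w"; return 1 ;;
    esac
    return 0
}

check_strictmodes() {
    user=$1 home=$2 rc=0
    case $user in
        ''|*[!0-9]*) want_uid=$(id -u "$user" 2>/dev/null) ||
                         { echo "UNKNOWN USER: $user"; return 1; } ;;
        *) want_uid=$user ;;   # already a numeric uid
    esac
    # Condition 1: the home directory is owned by the target user.
    info=$(mode_and_uid "$home")
    if [ -n "$info" ] && [ "${info#* }" != "$want_uid" ]; then
        echo "OWNER: $home belongs to uid ${info#* }, expected $want_uid"; rc=1
    fi
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        not_writable_by_others "$p" || rc=1
    done
    return $rc
}

# Stand-alone use: sh check_strictmodes.sh USER HOME_DIR
if [ $# -eq 2 ]; then check_strictmodes "$1" "$2"; fi
```

A clean run prints nothing and returns 0; each printed line names the path to fix before sshd with StrictModes 'yes' will accept the key.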