Problems with passwordless ssh/scp (W2K client , Solaris 8 server).

From: David Liber (david.liber_at_the401kcompany.com)
Date: 07/30/03

  • Next message: Scott Rankin: "RE: Problems with passwordless ssh/scp (W2K client , Solaris 8 se rver)."
    To: <secureshell@securityfocus.com>
    Date: Tue, 29 Jul 2003 17:47:12 -0500
    
    

    Hi,

    I am trying to use a passwordless ssh/scp from some ANT scripts. That is, I
    want to be able to execute ssh and scp from my ANT scripts at night time,
    when I am not around to type in passwords.

    So far I have tried a few things, and none of them worked. Here is my
    configuration for the ssh client and server. At this point I am not sure
    where to take it from here to get it going:

    1) W2K client. Installed cygwin with the latest ssh (OpenSSH_3.6.1p1, SSH
    protocols 1.5/2.0, OpenSSL 0x0090702f).
    2) Generated a public key by running 'ssh-keygen -t rsa'. Left passphrase
    *empty* (this is to avoid password prompting). As the result, a private key
    file 'id_rsa' and public key file 'id_rsa.pub' will be generated in your
    ${HOME}/.ssh directory.
    3) I then scp-ed the id_rsa.pub file to the remote UNIX ssh server machine.
    On the remote server machine I copied the id_rsa.pub to
    ~/.ssh/authorized_keys2
    4) The SSH server configuration is a pretty standard configuration (Solaris
    8):
    <<<
    $ pwd
    /etc/ssh
    $ ssh -V
    OpenSSH_3.5p1, SSH protocols 1.5/2.0, OpenSSL 0x0090700f
    $ cat ssh_config
    # $OpenBSD: ssh_config,v 1.16 2002/07/03 14:21:05 markus Exp $

    # This is the ssh client system-wide configuration file. See
    # ssh_config(5) for more information. This file provides defaults for
    # users, and the values can be changed in per-user configuration files
    # or on the command line.

    # Configuration data is parsed as follows:
    # 1. command line options
    # 2. user-specific file
    # 3. system-wide file
    # Any configuration value is only changed the first time it is set.
    # Thus, host-specific definitions should be at the beginning of the
    # configuration file, and defaults at the end.

    # Site-wide defaults for various options

    Host *
    # ForwardAgent no
      ForwardX11 yes
    # RhostsAuthentication no
    # RhostsRSAAuthentication no
    # RSAAuthentication yes
    # PasswordAuthentication yes
    # HostbasedAuthentication no
    # BatchMode no
    # CheckHostIP yes
    # StrictHostKeyChecking ask
    # IdentityFile ~/.ssh/identity
    # IdentityFile ~/.ssh/id_rsa
    # IdentityFile ~/.ssh/id_dsa
    # Port 22
    # Protocol 2,1
    # Cipher 3des
    # Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
    # EscapeChar ~
    $
    >>>
    5) When I try now the "ssh -l username SSHSERVERNAME" I am still prompted
    for a password.

    Any ideas on how I can have the password disabled for the ssh/scp and what I
    did wrong so far?

    Thanks,
    David

    <<< Here is the excerpt from the verbose command that may show why I cannot
    perform the passwordless commands

    $ ssh -v -l tuxedo tuxstage3
    OpenSSH_3.6.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090702f
    debug1: Rhosts Authentication disabled, originating port will not be trusted.
    debug1: Connecting to tuxstage3 [192.168.186.67] port 22.
    debug1: Connection established.
    debug1: identity file /cygdrive/c/.ssh/identity type -1
    debug1: identity file /cygdrive/c/.ssh/id_rsa type 1
    debug1: identity file /cygdrive/c/.ssh/id_dsa type -1
    debug1: Remote protocol version 1.99, remote software version OpenSSH_3.5p1
    debug1: match: OpenSSH_3.5p1 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_3.6.1p1
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-cbc hmac-md5 none
    debug1: kex: client->server aes128-cbc hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Host 'tuxstage3' is known and matches the RSA host key.
    debug1: Found key in /cygdrive/c/.ssh/known_hosts:1
    debug1: ssh_rsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey,password,keyboard-interactive
    debug1: Next authentication method: publickey
    debug1: Trying private key: /cygdrive/c/.ssh/identity
    debug1: Offering public key: /cygdrive/c/.ssh/id_rsa
    debug1: Authentications that can continue: publickey,password,keyboard-interactive
    debug1: Trying private key: /cygdrive/c/.ssh/id_dsa
    debug1: Next authentication method: keyboard-interactive
    debug1: Authentications that can continue: publickey,password,keyboard-interactive
    debug1: Next authentication method: password
    tuxedo@tuxstage3's password:
    >>>

    At the red signing location above I actually expected to get something back
    from the SSH server such as below (sign that it worked), but I didn't and I
    cannot figure out why:
    <<<
    debug1: Next authentication method: publickey
    debug1: Trying private key: /cygdrive/c/.ssh/identity
    debug1: Offering public key: /cygdrive/c/.ssh/id_rsa
    debug1: Server accepts key: pkalg ssh-rsa blen 149 lastkey 0x100f90e0 hint 1
    debug1: read PEM private key done: type RSA
    debug1: Authentication succeeded (publickey).
    >>>

    Any help is appreciated...
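
As an added example (not part of the original post), a small Python parser for the publickey phase of an `ssh -v` client trace like the one above: for each identity file it reports whether the client loaded a public key and how the server answered the attempt. The function names and result labels are assumptions made for this example; the sample input is constructed from the trace lines in the post, with wrapped lines rejoined.

```python
import re

# Constructed sample: publickey phase of the failing trace, wrapped lines rejoined.
FAILING = """\
debug1: identity file /cygdrive/c/.ssh/identity type -1
debug1: identity file /cygdrive/c/.ssh/id_rsa type 1
debug1: identity file /cygdrive/c/.ssh/id_dsa type -1
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /cygdrive/c/.ssh/identity
debug1: Offering public key: /cygdrive/c/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Trying private key: /cygdrive/c/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
"""

IDENT = re.compile(r"debug1: identity file (\S+) type (-?\d+)")
ATTEMPT = re.compile(r"debug1: (?:Offering public key|Trying private key): (\S+)")


def classify_keys(trace):
    """Return {identity path: [public key loaded?, server answer or None]}."""
    keys, pending = {}, None
    for line in (l.strip() for l in trace.splitlines()):
        if m := IDENT.match(line):
            # type -1: the client found no usable public key for this path
            keys[m.group(1)] = [m.group(2) != "-1", None]
        elif m := ATTEMPT.match(line):
            pending = m.group(1)
            keys.setdefault(pending, [False, None])
        elif pending and line.startswith("debug1: Server accepts key"):
            keys[pending][1], pending = "accepted", None
        elif pending and line.startswith("debug1: Authentications that can continue"):
            # a failure reply directly after an attempt: the server refused that key
            keys[pending][1], pending = "rejected", None
    return keys


def rejected_after_offer(trace):
    """Paths the client loaded and offered but the server refused."""
    return [p for p, (loaded, answer) in classify_keys(trace).items()
            if loaded and answer == "rejected"]


if __name__ == "__main__":
    for path, (loaded, answer) in classify_keys(FAILING).items():
        print(f"{path}: public key loaded={loaded}, server answer={answer}")
    print("rejected by server:", rejected_after_offer(FAILING))
```

A key that shows up as loaded, offered and rejected was read correctly on the client, so the next place to look is the server: the account's authorized keys file and the sshd configuration and logs.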

