RE: Problems with passwordless ssh/scp (W2K client , Solaris 8 server).
From: Scott Rankin (scottra_at_wrq.com)
Date: 07/30/03
- Previous message: David Liber: "Problems with passwordless ssh/scp (W2K client , Solaris 8 server)."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "'David Liber'" <david.liber@the401kcompany.com>, secureshell@securityfocus.com
Date: Tue, 29 Jul 2003 16:46:15 -0700
> -----Original Message-----
> From: David Liber [mailto:david.liber@the401kcompany.com]
> Sent: Tuesday, July 29, 2003 3:47 PM
> To: secureshell@securityfocus.com
> Cc: David Liber
> Subject: Problems with passwordless ssh/scp (W2K client ,
> Solaris 8 server).
>
>
> Hi,
>
> I am trying to use a passwordless ssh/scp from some ANT scripts. That is, I
> want to be able to execute ssh and scp from my ANT scripts at night time,
> when I am not around to type in passwords.
>
> So far I have tried a few things, and none of them worked. Here is my
> configuration for the ssh client and server. At this point I am not sure
> where to take it from here to get it going:
>
> 1) W2K client. Installed cygwin with the latest ssh (OpenSSH_3.6.1p1, SSH
> protocols 1.5/2.0, OpenSSL 0x0090702f).
> 2) Generated a public key by running 'ssh-keygen -t rsa'. Left passphrase
> *empty* (this is to avoid password prompting). As a result, a private key
> file 'id_rsa' and public key file 'id_rsa.pub' will be generated in your
> ${HOME}/.ssh directory.
> 3) I then scp-ed the id_rsa.pub file to the remote UNIX ssh server machine.
> On the remote server machine I copied the id_rsa.pub to
> ~/.ssh/authorized_keys2
> 4) The SSH server configuration is a pretty standard configuration (Solaris
> 8):
> <<<
> $ pwd
> /etc/ssh
> $ ssh -V
> OpenSSH_3.5p1, SSH protocols 1.5/2.0, OpenSSL 0x0090700f
> $ cat ssh_config
> # $OpenBSD: ssh_config,v 1.16 2002/07/03 14:21:05 markus Exp $
>
> # This is the ssh client system-wide configuration file. See
> # ssh_config(5) for more information. This file provides defaults for
> # users, and the values can be changed in per-user configuration files
> # or on the command line.
>
> # Configuration data is parsed as follows:
> # 1. command line options
> # 2. user-specific file
> # 3. system-wide file
> # Any configuration value is only changed the first time it is set.
> # Thus, host-specific definitions should be at the beginning of the
> # configuration file, and defaults at the end.
>
> # Site-wide defaults for various options
>
> Host *
> # ForwardAgent no
> ForwardX11 yes
> # RhostsAuthentication no
> # RhostsRSAAuthentication no
> # RSAAuthentication yes
> # PasswordAuthentication yes
> # HostbasedAuthentication no
> # BatchMode no
> # CheckHostIP yes
> # StrictHostKeyChecking ask
> # IdentityFile ~/.ssh/identity
> # IdentityFile ~/.ssh/id_rsa
> # IdentityFile ~/.ssh/id_dsa
> # Port 22
> # Protocol 2,1
> # Cipher 3des
> # Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
> # EscapeChar ~
> $
> >>>
> 5) When I try now the "ssh -l username SSHSERVERNAME" I am still prompted
> for a password.
>
> Any ideas on how I can have the password disabled for the ssh/scp and what I
> did wrong so far?
>
> Thanks,
> David
>
> <<< Here is the excerpt from the verbose command that may show why I cannot
> perform the passwordless commands
>
> $ ssh -v -l tuxedo tuxstage3
> OpenSSH_3.6.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090702f
> debug1: Rhosts Authentication disabled, originating port will not be trusted.
> debug1: Connecting to tuxstage3 [192.168.186.67] port 22.
> debug1: Connection established.
> debug1: identity file /cygdrive/c/.ssh/identity type -1
> debug1: identity file /cygdrive/c/.ssh/id_rsa type 1
> debug1: identity file /cygdrive/c/.ssh/id_dsa type -1
> debug1: Remote protocol version 1.99, remote software version OpenSSH_3.5p1
> debug1: match: OpenSSH_3.5p1 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_3.6.1p1
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug1: kex: server->client aes128-cbc hmac-md5 none
> debug1: kex: client->server aes128-cbc hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> debug1: Host 'tuxstage3' is known and matches the RSA host key.
> debug1: Found key in /cygdrive/c/.ssh/known_hosts:1
> debug1: ssh_rsa_verify: signature correct
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug1: SSH2_MSG_NEWKEYS received
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug1: Authentications that can continue: publickey,password,keyboard-interactive
> debug1: Next authentication method: publickey
> debug1: Trying private key: /cygdrive/c/.ssh/identity
> debug1: Offering public key: /cygdrive/c/.ssh/id_rsa
> debug1: Authentications that can continue: publickey,password,keyboard-interactive
> debug1: Trying private key: /cygdrive/c/.ssh/id_dsa
> debug1: Next authentication method: keyboard-interactive
> debug1: Authentications that can continue: publickey,password,keyboard-interactive
> debug1: Next authentication method: password
> tuxedo@tuxstage3's password:
> >>>
>
> At the red signing location above I actually expected to get something back
> from the SSH server such as below (sign that it worked), but I didn't and I
> cannot figure out why:
> <<<
> debug1: Next authentication method: publickey
> debug1: Trying private key: /cygdrive/c/.ssh/identity
> debug1: Offering public key: /cygdrive/c/.ssh/id_rsa
> debug1: Server accepts key: pkalg ssh-rsa blen 149 lastkey 0x100f90e0 hint 1
> debug1: read PEM private key done: type RSA
> debug1: Authentication succeeded (publickey).
> >>>
>
> Any help is appreciated...
>
>
>
>
1. Connect to your Solaris box (tuxstage3) from your Windoze box running
   cygwin (ssh with password user-auth).
2. Run sshd on a non-default port as a test with debug logging (use sudo or
   su):
   # sshd -ddd -p 2222
3. Open another cygwin shell window on your Windoze box and try to ssh over
   to tuxstage3 on this non-default port.
   $ ssh -vvv tuxedo@tuxstage3 -p 2222
4. Look at the output of the sshd window and see if there are any clues. You
   can also redirect stdout/stderr to a file and send this back.

You mentioned concatenating id_rsa.pub into ~/.ssh/authorized_keys2. Does
your /etc/ssh/sshd_config have that selected as the authorized keys file? I
thought those were deprecated. You attached the /etc/ssh/ssh_config which
applies to clients running on tuxstage3 if they are configured to use a
global config file.

cheers,
scott
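
An added example, not part of either message in this thread: a small Python helper that reads `ssh -v` client output (mail quoting and wrapped lines included) and reports, for each key the client offered, whether the server accepted or rejected it. The function names are made up for this illustration, and the debug strings it matches are the ones that appear in the two traces quoted above.

```python
import re

OFFER = re.compile(r"debug1: Offering public key: (\S+)")
ACCEPT = re.compile(r"debug1: Server accepts key:")
CONTINUE = re.compile(r"debug1: Authentications that can continue:")
SUCCESS = re.compile(r"debug1: Authentication succeeded \((\S+)\)")

def unfold(text):
    """Strip mail quoting ('> ') and rejoin debug lines the mailer wrapped."""
    lines = []
    for raw in text.splitlines():
        line = re.sub(r"^(>\s?)+", "", raw).strip()
        if line.startswith("debug"):
            lines.append(line)
        elif line and lines:
            lines[-1] += " " + line  # continuation of a wrapped line
    return lines

def classify_offers(text):
    """Return ([(key_path, outcome), ...], method_that_succeeded_or_None)."""
    results, pending, method = [], None, None
    for line in unfold(text):
        offer = OFFER.match(line)
        if offer or ACCEPT.match(line) or CONTINUE.match(line):
            if pending:  # the line after an offer is the server's verdict
                verdict = ("accepted" if ACCEPT.match(line) else
                           "rejected" if CONTINUE.match(line) else "no reply seen")
                results.append((pending, verdict))
            pending = offer.group(1) if offer else None
        done = SUCCESS.match(line)
        if done:
            method = done.group(1)
    if pending:
        results.append((pending, "no reply seen"))
    return results, method

# Lines taken from the two traces quoted in the message above, mail wrapping kept.
FAILING = """\
> debug1: Offering public key: /cygdrive/c/.ssh/id_rsa
> debug1: Authentications that can continue:
> publickey,password,keyboard-interactive
"""
EXPECTED = """\
> debug1: Offering public key: /cygdrive/c/.ssh/id_rsa
> debug1: Server accepts key: pkalg ssh-rsa blen 149 lastkey 0x100f90e0 hint 1
> debug1: Authentication succeeded (publickey).
"""
print(classify_offers(FAILING), classify_offers(EXPECTED))
```

A "rejected" verdict only shows that the server refused the offered key; the reason is logged on the server side, which is what the `sshd -ddd` run in step 2 exposes.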