RE: Problems with passwordless ssh/scp (W2K client , Solaris 8 server).

From: Scott Rankin (scottra_at_wrq.com)
Date: 07/30/03

  • Next message: Steven Clark: "Re: Problems with passwordless ssh/scp (W2K client , Solaris 8 server)."
    To: "'David Liber'" <david.liber@the401kcompany.com>, secureshell@securityfocus.com
    Date: Tue, 29 Jul 2003 16:46:15 -0700
    
    

    > -----Original Message-----
    > From: David Liber [mailto:david.liber@the401kcompany.com]
    > Sent: Tuesday, July 29, 2003 3:47 PM
    > To: secureshell@securityfocus.com
    > Cc: David Liber
    > Subject: Problems with passwordless ssh/scp (W2K client ,
    > Solaris 8 server).
    >
    >
    > Hi,
    >
    > I am trying to use a passwordless ssh/scp from some ANT
    > scripts. That is I
    > want to be able to execute ssh and scp from my ANT scripts at
    > night time,
    > when I am not around to type in passwords.
    >
    > So far I have tried few things, and none of them worked. Here is my
    > configuration for the ssh client and server. At this point I
    > am not sure
    > where to take it from here to get it going:
    >
    > 1) W2K client. Installed cygwin with the latest ssh
    > (OpenSSH_3.6.1p1, SSH
    > protocols 1.5/2.0, OpenSSL 0x0090702f).
    > 2) Generated a public key by running 'ssh-keygen -t rsa'.
    > Left passphrase
    > *empty* (this is to avoid password prompting). As the result,
    > a private key
    > file 'id_rsa' and public key file 'id_rsa.pub' will be
    > generated in your
    > ${HOME}/.ssh directory.
    > 3) I then scp-ed the id_rsa.pub file to the remote UNIX ssh
    > server machine.
    > On the remote server machine I copied the id_rsa.pub to
    > ~/.ssh/authorized_keys2
    > 4) The SSH server configuration is a pretty standard
    > configuration (Solaris
    > 8):
    > <<<
    > $ pwd
    > /etc/ssh
    > $ ssh -V
    > OpenSSH_3.5p1, SSH protocols 1.5/2.0, OpenSSL 0x0090700f
    > $ cat ssh_config
    > # $OpenBSD: ssh_config,v 1.16 2002/07/03 14:21:05 markus Exp $
    >
    > # This is the ssh client system-wide configuration file. See
    > # ssh_config(5) for more information. This file provides defaults for
    > # users, and the values can be changed in per-user configuration files
    > # or on the command line.
    >
    > # Configuration data is parsed as follows:
    > # 1. command line options
    > # 2. user-specific file
    > # 3. system-wide file
    > # Any configuration value is only changed the first time it is set.
    > # Thus, host-specific definitions should be at the beginning of the
    > # configuration file, and defaults at the end.
    >
    > # Site-wide defaults for various options
    >
    > Host *
    > # ForwardAgent no
    > ForwardX11 yes
    > # RhostsAuthentication no
    > # RhostsRSAAuthentication no
    > # RSAAuthentication yes
    > # PasswordAuthentication yes
    > # HostbasedAuthentication no
    > # BatchMode no
    > # CheckHostIP yes
    > # StrictHostKeyChecking ask
    > # IdentityFile ~/.ssh/identity
    > # IdentityFile ~/.ssh/id_rsa
    > # IdentityFile ~/.ssh/id_dsa
    > # Port 22
    > # Protocol 2,1
    > # Cipher 3des
    > # Ciphers
    > aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cb
    > c,aes256-cbc
    > # EscapeChar ~
    > $
    > >>>
    > 5) When I try now the "ssh -l username SSHSERVERNAME" I am
    > still prompted
    > for a password.
    >
    > Any ideas on how I can have the password disabled for the
    > ssh/scp and what I
    > did wrong so far?
    >
    > Thanks,
    > David
    >
    > <<< Here is the excerpt from the verbose command that may
    > show why I cannot
    > perform the passwordless commands
    >
    > $ ssh -v -l tuxedo tuxstage3
    > OpenSSH_3.6.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090702f
    > debug1: Rhosts Authentication disabled, originating port will not be
    > trusted.
    > debug1: Connecting to tuxstage3 [192.168.186.67] port 22.
    > debug1: Connection established.
    > debug1: identity file /cygdrive/c/.ssh/identity type -1
    > debug1: identity file /cygdrive/c/.ssh/id_rsa type 1
    > debug1: identity file /cygdrive/c/.ssh/id_dsa type -1
    > debug1: Remote protocol version 1.99, remote software version
    > OpenSSH_3.5p1
    > debug1: match: OpenSSH_3.5p1 pat OpenSSH*
    > debug1: Enabling compatibility mode for protocol 2.0
    > debug1: Local version string SSH-2.0-OpenSSH_3.6.1p1
    > debug1: SSH2_MSG_KEXINIT sent
    > debug1: SSH2_MSG_KEXINIT received
    > debug1: kex: server->client aes128-cbc hmac-md5 none
    > debug1: kex: client->server aes128-cbc hmac-md5 none
    > debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
    > debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    > debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    > debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    > debug1: Host 'tuxstage3' is known and matches the RSA host key.
    > debug1: Found key in /cygdrive/c/.ssh/known_hosts:1
    > debug1: ssh_rsa_verify: signature correct
    > debug1: SSH2_MSG_NEWKEYS sent
    > debug1: expecting SSH2_MSG_NEWKEYS
    > debug1: SSH2_MSG_NEWKEYS received
    > debug1: SSH2_MSG_SERVICE_REQUEST sent
    > debug1: SSH2_MSG_SERVICE_ACCEPT received
    > debug1: Authentications that can continue:
    > publickey,password,keyboard-interactive
    > debug1: Next authentication method: publickey
    > debug1: Trying private key: /cygdrive/c/.ssh/identity
    > debug1: Offering public key: /cygdrive/c/.ssh/id_rsa
    > debug1: Authentications that can continue:
    > publickey,password,keyboard-interactive
    > debug1: Trying private key: /cygdrive/c/.ssh/id_dsa
    > debug1: Next authentication method: keyboard-interactive
    > debug1: Authentications that can continue:
    > publickey,password,keyboard-interactive
    > debug1: Next authentication method: password
    > tuxedo@tuxstage3's password:
    > >>>
    >
    > At the red signing location above I actually expected to get
    > something back
    > from the SSH server such below (sign that it worked), but I
    > didn't and I
    > cannot figure out why:
    > <<<
    > debug1: Next authentication method: publickey
    > debug1: Trying private key: /cygdrive/c/.ssh/identity
    > debug1: Offering public key: /cygdrive/c/.ssh/id_rsa
    > debug1: Server accepts key: pkalg ssh-rsa blen 149 lastkey
    > 0x100f90e0 hint 1
    > debug1: read PEM private key done: type RSA
    > debug1: Authentication succeeded (publickey).
    > >>>
    >
    > Any help is appreciated...
    >
    >
    >
    >

    1. Connect to your Solaris box (tuxstage3) from your Windoze box running
    cygwin (ssh with password user-auth).
    2. Run sshd on a non-default port as a test with debug logging (use sudo or
    su):
    # sshd -ddd -p 2222
    3. Open another cygwin shell window on your Windoze box and try to ssh over
    to tuxstage3 on this non-default port.
    $ ssh -vvv tuxedo@tuxstage3 -p 2222
    4. Look at the output of the sshd window and see if there are any clues. You
    can also redirect stdout/stderr to a file and send this back.

    You mentioned concatenating id_rsa.pub into ~/.ssh/authorized_keys2. Does
    your /etc/ssh/sshd_config have that selected as the authorized keys file? I
    thought those were deprecated. You attached the /etc/ssh/ssh_config which
    applies to clients running on tuxstage3 if they are configured to use a
    global config file.

    cheers,
    scott
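
The two checks raised in the reply above, as an added example that is not part of the original message: which file the server's sshd_config names in AuthorizedKeysFile and whether the client's public key is in it, plus a classification of the client's `ssh -v` output. The function names, temp files and key blob are constructed for illustration, and the script does not model sshd's built-in defaults when the directive is unset.

```shell
#!/bin/sh
# Print the AuthorizedKeysFile value from an sshd_config. Commented-out lines
# are skipped, the keyword is matched case-insensitively, and the first
# occurrence wins. Prints nothing if the directive is unset, in which case
# sshd uses its built-in default (see sshd_config(5)).
authorized_keys_files() {
    awk 'tolower($1) == "authorizedkeysfile" { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# Succeed if the base64 key blob from a .pub file appears as a field in an
# authorized_keys-style file (leading options and trailing comment ignored).
key_listed() {
    blob=$(awk '{ print $2; exit }' "$1")
    [ -n "$blob" ] && awk -v b="$blob" \
        '{ for (i = 1; i <= NF; i++) if ($i == b) f = 1 } END { exit !f }' "$2"
}

# Classify client-side `ssh -v` output: did the server accept the offered key?
pubkey_result() {
    if grep -q 'Server accepts key' "$1"; then echo accepted
    elif grep -q 'Offering public key' "$1"; then echo offered-not-accepted
    else echo not-offered
    fi
}

# --- Constructed sample inputs (not taken from a real host) ---
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '#AuthorizedKeysFile .ssh/authorized_keys2' 'Port 22' \
    'AuthorizedKeysFile .ssh/authorized_keys' > "$tmp/sshd_config"
printf 'ssh-rsa AAAAB3CONSTRUCTEDKEY user@client\n' > "$tmp/id_rsa.pub"
cp "$tmp/id_rsa.pub" "$tmp/authorized_keys2"   # key placed as in step 3 of the post
: > "$tmp/authorized_keys"                     # file the config names is empty
printf '%s\n' 'debug1: Offering public key: /cygdrive/c/.ssh/id_rsa' \
    'debug1: Next authentication method: password' > "$tmp/client.log"

echo "configured file: $(authorized_keys_files "$tmp/sshd_config")"
key_listed "$tmp/id_rsa.pub" "$tmp/authorized_keys" \
    || echo "key is not in the configured file"
echo "client log: $(pubkey_result "$tmp/client.log")"
```

On a real server, point the first function at /etc/ssh/sshd_config and the second at the file it reports, resolved relative to the target user's home directory.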

