Re: Problems with passwordless ssh/scp (W2K client , Solaris 8 server).

From: Greg Wooledge (wooledg_at_eeg.ccf.org)
Date: 07/30/03

    Date: Wed, 30 Jul 2003 08:29:26 -0400
    To: David Liber <david.liber@the401kcompany.com>
    
    

    On Tue, Jul 29, 2003 at 05:47:12PM -0500, David Liber wrote:
    > I am trying to use a passwordless ssh/scp

    > 1) W2K client. Installed cygwin with the latest ssh (OpenSSH_3.6.1p1, SSH
    > protocols 1.5/2.0, OpenSSL 0x0090702f).

    OK, OpenSSH on both ends, so you don't have to convert the public key
    to the other format.

    > 2) Generated a public key by running 'ssh-keygen -t rsa'. Left passphrase
    > *empty* (this is to avoid password prompting). As the result, a private key
    > file 'id_rsa' and public key file 'id_rsa.pub' will be generated in your
    > ${HOME}/.ssh directory.
    > 3) I then scp-ed the id_rsa.pub file to the remote UNIX ssh server machine.
    > On the remote server machine I copied the id_rsa.pub to
    > ~/.ssh/authorized_keys2

    authorized_keys2 is the old OpenSSH 2.x name. I believe it still works,
    but it's deprecated; you should be using authorized_keys for both
    protocols (1 and 2) now.

    > 4) The SSH server configuration is a pretty standard configuration (Solaris
    > 8):
    > <<<
    > $ pwd
    > /etc/ssh
    > $ ssh -V
    > OpenSSH_3.5p1, SSH protocols 1.5/2.0, OpenSSL 0x0090700f

    Fine, but you didn't show the permissions and ownerships on the files
    and directories. OpenSSH is very sensitive to these matters. The
    authorized_keys file must NOT be group- or world-writable. The .ssh
    directory that it's sitting in must not be group- or world-writable
    either. The same for your $HOME directory. The same for all the
    directories leading *up* to your $HOME directory (e.g. /home or /u).

    > $ ssh -v -l tuxedo tuxstage3
    > OpenSSH_3.6.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090702f

    Client-side verbose output is not useful in debugging authentication
    issues, because the interesting bits all happen on the server side.
    If you want useful verbose output for this situation, you need to
    run the *server* (sshd) in debug mode. For example, (as root):

      # sshd -d -p 2222

    And then use

      $ ssh tuxedo@tuxstage3 -p 2222

    on the client.
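
The permission check described in the reply above, as an added example that is not part of the original message: a POSIX shell function that walks from authorized_keys up through each parent directory and reports any component that is group- or world-writable. The function name `check_ssh_perms` and its optional second argument (the directory at which to stop, default `/`) are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original thread).
# check_ssh_perms FILE [TOP]
#   Walk from FILE up to TOP (default /) and print every path component
#   that is group- or world-writable. Returns 0 if none, 1 if any, 2 if
#   FILE does not exist.
check_ssh_perms() {
    path=$1
    top=${2:-/}
    bad=0
    [ -e "$path" ] || { echo "missing: $path" >&2; return 2; }
    # Make the path absolute so the upward walk always terminates at /.
    case $path in
        /*) ;;
        *)  path=$(pwd)/$path ;;
    esac
    while :; do
        # First 10 characters of ls -l output, e.g. drwxr-xr-x.
        # -L follows symlinks so the target's mode is what gets checked.
        mode=$(ls -ldL "$path" | cut -c1-10)
        case $mode in
            ?????w????|????????w?)      # column 6 = group w, column 9 = other w
                echo "group/world-writable: $mode $path"
                bad=1 ;;
        esac
        if [ "$path" = "$top" ] || [ "$path" = "/" ]; then
            break
        fi
        path=$(dirname "$path")
    done
    return $bad
}

# Typical use on the server, as the account being logged in to:
#   check_ssh_perms "$HOME/.ssh/authorized_keys"
```

Any line it prints names a file or directory to tighten with `chmod go-w` before retrying the login.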

