Re: Non-interactive SSH Login.

From: ColoC (colocoloc@yahoo.com)
Date: 04/25/03


From: colocoloc@yahoo.com (ColoC)
Date: 24 Apr 2003 17:24:41 -0700


"Alex" <alex.ferguson@NOSPAMdartmouth.edu> wrote in message news:<20030424111520.440f86ac.alex.ferguson@NOSPAMdartmouth.edu>...
> On 24 Apr 2003 04:48:43 -0700
> ......
>
> The authorized_keys file can contain several public keys. For example, you might have different private keys on a couple of computers and wish to log in to the ssh account from any of them. Just append each public key to authorized_keys. You don't need to keep id_rsa.pub on the remote host; sshd only looks at authorized_keys.
>
> In general sftp respects the ~/.ssh/authorized_keys file just as ssh does (because sftp is ssh under the hood). If you don't have write access to your home directory, then you will need help from your sysadmin.
>
> --Alex

Well, let's forget that ftp-only account for a while. Let's focus on
the first part -- how I can get through a non-interactive ssh login
correctly.

I did some testing on my local network, and I found something that is
not good.

In my first post, I only did the testing on the same box (via
127.0.0.1), so of course the files were all in the same directory. Now I
did it on two boxes.

First I generated rsa key on box_1. And I have the following files
under "~/.ssh/":

authorized_keys (which I "mv id_rsa.pub authorized_keys")
id_rsa
known_hosts
prng_seed
ssh_config (in which I only have "Protocol 2" open)

Then on box_2, I did "ssh myuser@box_1" to build that "~/.ssh/"
directory, and I have the following files:

prng_seed
known_hosts

Then I ftp box_1's "authorized_keys" to box_2's "~/.ssh/" directory and try
the following:

ssh -o BatchMode=yes myuser@box_1

The system prompted:

Permission denied (publickey,password,keyboard-interactive).

Then I ftp box_1's "id_rsa" to box_2's "~/.ssh/" and try the following:

ssh -o BatchMode=yes myuser@box_1

It succeeded in logging on to box_1 without a password prompt. And I even tried

ssh myuser@box_1

It succeeded in logging on to box_1 without a password prompt. Then I tried

mv authorized_keys abc
ssh myuser@box_1

It succeeded in logging on to box_1 without a password prompt.

So it seems to me that it makes no difference whether I have that public
key on box_2 or not, and it does not matter too much whether "ssh_config"
on box_1 restricts BatchMode=no or not; whenever I have that
"id_rsa" on box_2, I can log on.

Certainly, I know this is NOT correct for a good ssh configuration --
if you have got to have that "id_rsa", then why bother to generate its
"id_rsa.pub"? Plus "id_rsa" seems to be the very thing ssh is
meaningful in security, why do I have to share it on other boxes in
order to have a non-interactive login?

Can you help me explain the above testing results?

ColoC
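The results above come down to which side reads which file: sshd on box_1 only consults its own ~/.ssh/authorized_keys, and the OpenSSH client derives the public half from id_rsa when it authenticates, so neither id_rsa.pub nor the copy of authorized_keys on box_2 is ever read. The parser below is an added example, not code from the thread; it mirrors how sshd matches a presented key against authorized_keys (by key type and blob only, comment ignored, options split with quoting respected). The key blobs, host names and options are constructed.

```python
import base64
import struct
def fake_blob(key_type, payload):
    # Constructed stand-in for a key blob: OpenSSH blobs start with a length-prefixed type string.
    return base64.b64encode(struct.pack(">I", len(key_type)) + key_type.encode() + payload).decode()

def blob_type_matches(key_type, blob):
    """True if the blob decodes and its embedded type string equals key_type."""
    try:
        data = base64.b64decode(blob, validate=True)
        (n,) = struct.unpack(">I", data[:4])
    except (ValueError, struct.error):
        return False
    return len(data) >= 4 + n and data[4:4 + n] == key_type.encode()

def _split_options(line):
    """Split leading options from the rest of the line; quoted values may hold spaces and commas."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quote = not in_quote
        elif ch in " \t" and not in_quote:
            return line[:i], line[i + 1:].lstrip()
    return line, ""

def parse_authorized_keys(text):
    """(options, key_type, blob, comment) per usable line: try 'type blob', then 'options type blob'."""
    entries = []
    for raw in text.splitlines():
        line, options = raw.strip(), ""
        if not line or line.startswith("#"):
            continue  # sshd ignores blank and comment lines
        fields = line.split(None, 2)
        if len(fields) < 2 or not blob_type_matches(fields[0], fields[1]):
            options, rest = _split_options(line)
            fields = rest.split(None, 2)
            if len(fields) < 2 or not blob_type_matches(fields[0], fields[1]):
                continue  # fits neither form; sshd skips it
        entries.append((options, fields[0], fields[1], fields[2] if len(fields) == 3 else ""))
    return entries

def is_authorized(pub_line, authorized_text):
    """Match on key type and blob only; the comment and the file name on the client play no part."""
    want = tuple(pub_line.split()[:2])
    return any((t, b) == want for _, t, b, _ in parse_authorized_keys(authorized_text))

# Constructed server-side ~/.ssh/authorized_keys for myuser on box_1 (not real keys).
BOX1_BLOB = fake_blob("ssh-rsa", b"box1-client-key")
BOX2_BLOB = fake_blob("ssh-rsa", b"box2-client-key")
AUTHORIZED_KEYS = (f"ssh-rsa {BOX1_BLOB} myuser@box_1\n"
                   f'from="box_2",no-pty,command="backup.sh a, b" ssh-rsa {BOX2_BLOB} myuser@box_2\n')
```

The same check shows why copying id_rsa between boxes is the wrong fix: whichever host holds that private key presents the same blob, so the server cannot tell box_1's client from box_2's, and the entry has to be revoked for both at once.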
