Re: Non-interactive SSH Login.
From: Darren Dunham (ddunham_at_redwood.taos.com)
Date: 04/26/03
- Previous message: Tai: "How to pass DCE creds with openSSH and AIX?"
- In reply to: ColoC: "Re: Non-interactive SSH Login."
Date: Sat, 26 Apr 2003 00:24:18 GMT
ColoC <colocoloc@yahoo.com> wrote:
> First I generated rsa key on box_1. And I have the following files
> under "~/.ssh/":
> authorized_keys (which I "mv id_rsa.pub authorized_keys")
> id_rsa
> known_hosts
> prng_seed
> ssh_config (in which I only have "Protocol 2" open)
> Then on box_2, I did "ssh myuser@box_1" to build that "~/.ssh/"
> directory, and I have the following files:
> prng_seed
> known_hosts
> Then I ftp box_1's "authorized_keys" to box_2 "~/.ssh/" directory, try
> the following:
By putting the "authorized_keys" file on box 2, then you have now
authorized that key to connect *to* box 2.
> ssh -o BatchMode=yes myuser@box_1
Ah, but that looks like you're trying to connect from box 2 to box 1.
That won't work since you don't have the key on Box 2.
> The system prompt:
> Permission denied (publickey,password,keyboard-interactive).
> Then I ftp box_1's "id_rsa" to box_2 "~/.ssh/" try the following:
> ssh -o BatchMode=yes myuser@box_1
> succeeded in logon box_1 without password prompt. And I even tried
> ssh myuser@box_1
> succeeded in logon box_1 without password prompt. Then I tried
> mv authorized_keys abc
> ssh myuser@box_1
> succeeded in logon box_1 without password prompt.
> So this seems to me that it makes no difference if I have that public
> key on box_2 or not, and it does not matter too much how "ssh_config"
> on box_1 restricts the BatchMode=no or not, whenever I have that
> "id_rsa" on box_2, I can logon.
1) Of course it makes a difference. You've put both the key information
(id_rsa) and the authorization (authorized_keys) on both hosts, so
you can ssh to both hosts.
2) BatchMode=no will only prevent questions from being asked. It doesn't
prevent publickey authentication from being used.
> Certainly, I know this is NOT correct for a good ssh configuration --
> if you have got to have that "id_rsa", then why bother to generate its
> "id_rsa.pub"? Plus "id_rsa" seems to be the very thing ssh is
> meaningful in security, why do I have to share it on other boxes in
> order to have a non-interactive login?
id_rsa is the *key*. You must have it on the client.
authorized_keys is the authorization. By putting the public part of a
key (id_rsa.pub) in it on the *server*, you authorize an account holding
the other part of the key to connect.
> Can you help me explain the above testing results?
It looked to me that you were trying to put the key on the server and
the authorization on the client, which is backward.
--
Darren Dunham ddunham@taos.com
Unix System Administrator Taos - The SysAdmin Company
Got some Dr Pepper? San Francisco, CA bay area
< This line left intentionally blank to confuse you. >
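The key-versus-authorization split Darren describes, as an added example that is not part of the original thread: a POSIX sh check that takes two directories standing in for the client's and the server's ~/.ssh (an assumption for illustration) and flags the two mistakes from the exchange above, a private key copied to a second host and private key material landing in authorized_keys.

```shell
#!/bin/sh
# Added example, not from the original thread. The two directory arguments
# stand in for the client's and the server's ~/.ssh (assumed for illustration).

# Usage: check_key_layout CLIENT_SSH_DIR SERVER_SSH_DIR
# Prints each problem found; returns 0 when the layout is sound, 1 otherwise.
check_key_layout() {
    client="$1"; server="$2"; rc=0

    # The client is the only place the private key (id_rsa) should live,
    # and only its owner may read it (mode 600).
    if [ ! -f "$client/id_rsa" ]; then
        echo "client: missing private key $client/id_rsa"; rc=1
    else
        case "$(ls -l "$client/id_rsa")" in
            -rw-------*) ;;
            *) echo "client: $client/id_rsa must be mode 600"; rc=1 ;;
        esac
    fi

    # The server authorizes by holding the *public* half in authorized_keys.
    ak="$server/authorized_keys"
    if [ ! -f "$ak" ]; then
        echo "server: missing $ak"; rc=1
    else
        if grep -q 'PRIVATE KEY' "$ak"; then
            echo "server: private key material inside $ak"; rc=1
        fi
        if ! grep -Eq '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-[^ ]+) ' "$ak"; then
            echo "server: no public key lines in $ak"; rc=1
        fi
    fi

    # An id_rsa that is byte-for-byte identical on both hosts was copied over
    # (the ftp step in the thread); the fix is a key generated on the client
    # whose .pub half is appended to the server's authorized_keys.
    if [ -f "$client/id_rsa" ] && [ -f "$server/id_rsa" ] &&
       cmp -s "$client/id_rsa" "$server/id_rsa"; then
        echo "both: identical id_rsa on client and server (private key was copied)"; rc=1
    fi
    return $rc
}
```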