Re: 'password-less' logins on solaris 2.5.1 boxen - subtle troubles.
From: joeblow (dadude_at_casselout.dk)
Date: 01/20/05
- Previous message: Doug: "File xfer using PSCP from PuTTY 0.54- performance drop"
- In reply to: joeblow: "'password-less' logins on solaris 2.5.1 boxen - subtle troubles."
- Next in thread: Darren Dunham: "Re: 'password-less' logins on solaris 2.5.1 boxen - subtle troubles."
- Reply: Darren Dunham: "Re: 'password-less' logins on solaris 2.5.1 boxen - subtle troubles."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 20 Jan 2005 12:10:07 -0900
OK, a bit more information...
Looks like the only user accounts that have problems with the key
handshaking are old ones, that is, ones I didn't create. User accounts I
create have no problem. Shell (ksh or bash) makes no difference.
So this tells me there's a difference in environment, but how would I
discover what those differences are, and which one(s) is/are causing the
problems?
Maybe time to post to solaris forums....?
Thanks!
On Fri, 14 Jan 2005 10:52:23 -0900, joeblow wrote:
> Trying to set up password-less keypair logins between solaris 2.5.1 boxes.
> I can get them to work with some usernames, but not others. All using the
> exact same setup procedures:
>
> local hostname: spa1amlp
> remote hostname: adm1amlp
>
> username: spsy
>
> shell is ksh (and can't be changed)
>
> spa1amlp[spsy]> rm -rf .ssh
> spa1amlp[spsy]> ssh-keygen -t rsa -C "spsy" -N ""
> Generating public/private rsa key pair.
> Enter file in which to save the key (/home/spsy/.ssh/id_rsa):
> Created directory '/home/spsy/.ssh'.
> Your identification has been saved in /home/spsy/.ssh/id_rsa.
> Your public key has been saved in /home/spsy/.ssh/id_rsa.pub.
> The key fingerprint is:
> 73:2c:ab:d1:02:5f:81:4b:b2:02:7e:06:e4:b3:40:44 spsy
> spa1amlp[spsy]> cd .ssh
> /home/spsy/.ssh
> spa1amlp[spsy]> ssh spsy@adm1amlp mkdir .ssh
> The authenticity of host 'adm1amlp (10.70.1.10)' can't be established.
> RSA key fingerprint is b4:91:cb:1e:4d:94:ec:70:9f:cc:8b:11:21:51:40:0e.
> Are you sure you want to continue connecting (yes/no)? yes
> Warning: Permanently added 'adm1amlp,10.70.1.10' (RSA) to the list of known hosts.
> spsy@adm1amlp's password:
> spa1amlp[spsy]> scp * spsy@adm1amlp:.ssh
> spsy@adm1amlp's password:
> authorized_keys 100% 214 0.0KB/s 00:00
> id_rsa 100% 887 0.0KB/s 00:00
> id_rsa.pub 100% 214 0.0KB/s 00:00
> known_hosts 100% 229 0.0KB/s 00:00
> spa1amlp[spsy]> ssh adm1amlp
> spsy@adm1amlp's password:
>
> Why is it still asking me for a password?
>
> The first username I did this on works just fine.
>
> These were all installed using the same sun pkg (which I put together
> here), all using the same openssl-0.9.7e (which I got from sunfreeware).
>
> I've diff'ed the /etc/ssh/ssh_config and the /etc/ssh/sshd_config on both
> machines, they are identical....
>
> -----------------------------------------------------------
>
> sshd_config:
>
> spa1amlp[spsy]> cat /etc/ssh/sshd_config
> # $OpenBSD: sshd_config,v 1.65 2003/08/28 12:54:34 markus Exp $
>
> # This is the sshd server system-wide configuration file. See
> # sshd_config(5) for more information.
>
> # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
>
> # The strategy used for options in the default sshd_config shipped with
> # OpenSSH is to specify options with their default value where
> # possible, but leave them commented. Uncommented options change a
> # default value.
>
> Port 22
> Protocol 2
> AllowTCPForwarding yes
> X11Forwarding yes
> HostKey /usr/local/etc/ssh/ssh_host_rsa_key
> HostKey /usr/local/etc/ssh/ssh_host_dsa_key
>
> #Port 22
> #Protocol 2,1
> #ListenAddress 0.0.0.0
> #ListenAddress ::
>
> # HostKey for protocol version 1
> #HostKey /usr/local/etc/ssh/ssh_host_key
> # HostKeys for protocol version 2
> #HostKey /usr/local/etc/ssh/ssh_host_dsa_key
> #HostKey /usr/local/etc/ssh/ssh_host_rsa_key
>
> # Lifetime and size of ephemeral version 1 server key
> #KeyRegenerationInterval 1h
> #ServerKeyBits 768
>
> # Logging
> #obsoletes QuietMode and FascistLogging
> #SyslogFacility AUTH
> #LogLevel INFO
>
> # Authentication:
>
> #LoginGraceTime 2m
> #PermitRootLogin yes
> #StrictModes yes
>
> #RSAAuthentication yes
> #PubkeyAuthentication yes
> #AuthorizedKeysFile .ssh/authorized_keys
>
> # For this to work you will also need host keys in /usr/local/etc/ssh/ssh_known_hosts
> #RhostsRSAAuthentication no
> # similar for protocol version 2
> #HostbasedAuthentication no
> # Change to yes if you don't trust ~/.ssh/known_hosts for
> # RhostsRSAAuthentication and HostbasedAuthentication
> #IgnoreUserKnownHosts no
> # Don't read the user's ~/.rhosts and ~/.shosts files
> #IgnoreRhosts yes
>
> # To disable tunneled clear text passwords, change to no here!
> #PasswordAuthentication yes
> #PermitEmptyPasswords no
>
> # Change to no to disable s/key passwords
> #ChallengeResponseAuthentication yes
>
> # Kerberos options
> #KerberosAuthentication no
> #KerberosOrLocalPasswd yes
> #KerberosTicketCleanup yes
>
> # GSSAPI options
> #GSSAPIAuthentication no
> #GSSAPICleanupCreds yes
>
> # Set this to 'yes' to enable PAM authentication (via challenge-response)
> # and session processing. Depending on your PAM configuration, this may
> # bypass the setting of 'PasswordAuthentication'
> #UsePAM yes
>
> #AllowTcpForwarding yes
> #GatewayPorts no
> #X11Forwarding no
> #X11DisplayOffset 10
> #X11UseLocalhost yes
> #PrintMotd yes
> #PrintLastLog yes
> #KeepAlive yes
> #UseLogin no
> #UsePrivilegeSeparation yes
> #PermitUserEnvironment no
> #Compression yes
> #ClientAliveInterval 0
> #ClientAliveCountMax 3
> #UseDNS yes
> #PidFile /var/run/sshd.pid
> #MaxStartups 10
>
> # no default banner path
> #Banner /some/path
>
> # override default of no subsystems
> Subsystem sftp /usr/local/libexec/sftp-server
>
> ----------------------------------------------------------
>
> ssh_config:
>
> spa1amlp[spsy]> cat /etc/ssh/ssh_config
> # $OpenBSD: ssh_config,v 1.19 2003/08/13 08:46:31 markus Exp $
>
> # This is the ssh client system-wide configuration file. See
> # ssh_config(5) for more information. This file provides defaults for
> # users, and the values can be changed in per-user configuration files
> # or on the command line.
>
> # Configuration data is parsed as follows:
> # 1. command line options
> # 2. user-specific file
> # 3. system-wide file
> # Any configuration value is only changed the first time it is set.
> # Thus, host-specific definitions should be at the beginning of the
> # configuration file, and defaults at the end.
>
> # Site-wide defaults for various options
>
> Host *
> Port 22
> Protocol 2
> ForwardX11 yes
>
> # Host *
> # ForwardAgent no
> # ForwardX11 no
> # RhostsRSAAuthentication no
> # RSAAuthentication yes
> # PasswordAuthentication yes
> # HostbasedAuthentication no
> # BatchMode no
> # CheckHostIP yes
> # AddressFamily any
> # ConnectTimeout 0
> # StrictHostKeyChecking ask
> # IdentityFile ~/.ssh/identity
> # IdentityFile ~/.ssh/id_rsa
> # IdentityFile ~/.ssh/id_dsa
> # Port 22
> # Protocol 2,1
> # Cipher 3des
> # Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
> # EscapeChar ~
> spa1amlp[spsy]>
>
> -------------------------------------------
>
> Here's the ssh -vvv adm1amlp:
>
> spa1amlp[spsy]> ssh -vvv adm1amlp
> OpenSSH_3.7.1p2, SSH protocols 1.5/2.0, OpenSSL 0.9.7b 10 Apr 2003
> debug1: Reading configuration data /usr/local/etc/ssh/ssh_config
> debug1: Applying options for *
> debug2: ssh_connect: needpriv 0
> debug1: Connecting to adm1amlp [10.70.1.10] port 22.
> debug1: Connection established.
> debug3: Not a RSA1 key file /home/spsy/.ssh/id_rsa.
> debug2: key_type_from_name: unknown key type '-----BEGIN'
> debug3: key_read: missing keytype
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug2: key_type_from_name: unknown key type '-----END'
> debug3: key_read: missing keytype
> debug1: identity file /home/spsy/.ssh/id_rsa type 1
> debug1: identity file /home/spsy/.ssh/id_dsa type -1
> debug1: Remote protocol version 2.0, remote software version OpenSSH_3.7.1p2
> debug1: match: OpenSSH_3.7.1p2 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_3.7.1p2
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
> debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib
> debug2: kex_parse_kexinit: none,zlib
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
> debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib
> debug2: kex_parse_kexinit: none,zlib
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: mac_init: found hmac-md5
> debug1: kex: server->client aes128-cbc hmac-md5 none
> debug2: mac_init: found hmac-md5
> debug1: kex: client->server aes128-cbc hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> debug2: dh_gen_key: priv key bits set: 127/256
> debug2: bits set: 511/1024
> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> debug3: check_host_in_hostfile: filename /home/spsy/.ssh/known_hosts
> debug3: check_host_in_hostfile: match line 1
> debug3: check_host_in_hostfile: filename /home/spsy/.ssh/known_hosts
> debug3: check_host_in_hostfile: match line 1
> debug1: Host 'adm1amlp' is known and matches the RSA host key.
> debug1: Found key in /home/spsy/.ssh/known_hosts:1
> debug2: bits set: 526/1024
> debug1: ssh_rsa_verify: signature correct
> debug2: kex_derive_keys
> debug2: set_newkeys: mode 1
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug2: set_newkeys: mode 0
> debug1: SSH2_MSG_NEWKEYS received
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug2: service_accept: ssh-userauth
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug2: key: /home/spsy/.ssh/id_rsa (67180)
> debug2: key: /home/spsy/.ssh/id_dsa (0)
> debug1: Authentications that can continue: publickey,password,keyboard-interactive
> debug3: start over, passed a different list publickey,password,keyboard-interactive
> debug3: preferred publickey,keyboard-interactive,password
> debug3: authmethod_lookup publickey
> debug3: remaining preferred: keyboard-interactive,password
> debug3: authmethod_is_enabled publickey
> debug1: Next authentication method: publickey
> debug1: Offering public key: /home/spsy/.ssh/id_rsa
> ->debug3: send_pubkey_test
> ->debug2: we sent a publickey packet, wait for reply
> ->debug1: Authentications that can continue: publickey,password,keyboard-interactive
> debug1: Trying private key: /home/spsy/.ssh/id_dsa
> debug3: no such identity: /home/spsy/.ssh/id_dsa
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup keyboard-interactive
> debug3: remaining preferred: password
> debug3: authmethod_is_enabled keyboard-interactive
> debug1: Next authentication method: keyboard-interactive
> debug2: userauth_kbdint
> debug2: we sent a keyboard-interactive packet, wait for reply
> debug1: Authentications that can continue: publickey,password,keyboard-interactive
> debug3: userauth_kbdint: disable: no info_req_seen
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup password
> debug3: remaining preferred:
> debug3: authmethod_is_enabled password
> debug1: Next authentication method: password
> spsy@adm1amlp's password:
>
> ---------------------------
>
> I've marked the lines I think point to the problem with ->, but I don't
> know what to do next.
>
> It looks like it takes the hostkey authentication, no problem, but when it
> sends the user's publickey, it never gets a reply back?
>
> It's really weird that it works on one username, but not another.
>
> I've verified that the uid and gid on both machines for all the usernames
> are the same. The only difference between the usernames I can see is the
> shell, but I've changed the working username's shell to ksh, and ssh still
> would passwordless connect just fine. (I changed it back to /bin/bash
> after the test)
>
> Any ideas? What do I do next?
>
> Thanks in advance!
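An added example, not code from the original post or from the OpenSSH project: a small POSIX sh (or ksh) script that reproduces the ownership and permission checks sshd performs under `StrictModes yes` (the default, and the commented-out value in the quoted sshd_config) before it will read `~/.ssh/authorized_keys`. The trace above shows the client offering `id_rsa` and the server answering only with the list of methods that can continue, which is what a client sees when sshd declines the key for any server-side reason; for pre-existing accounts, a home directory or `.ssh` directory owned by another uid or left group- or world-writable is one of the common server-side reasons. The function name `check_pubkey_perms` and the command-line usage are my own; the home path and uid are whatever the account on adm1amlp actually has.

```shell
#!/bin/sh
# Added example, not from the original post or from OpenSSH.
# Reproduces the checks sshd makes under "StrictModes yes" before it
# accepts ~/.ssh/authorized_keys: the home directory, ~/.ssh and the
# authorized_keys file must each exist, be owned by the user (or root),
# and be neither group- nor world-writable. Uses only ls and shell
# pattern matching, so it needs no stat(1).

# check_pubkey_perms HOME_DIR UID   (hypothetical helper name)
# Prints one line per problem found; returns 0 if everything passes,
# 1 otherwise.
check_pubkey_perms() {
    home="$1"
    uid="$2"
    rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            printf 'MISSING      %s\n' "$p"
            rc=1
            continue
        fi
        # "ls -ldn" prints e.g. "drwxr-xr-x 2 1001 10 512 Jan 20 2005 /home/spsy":
        # field 1 is the mode string, field 3 the numeric owner uid.
        set -- $(ls -ldn "$p")
        mode="$1"
        owner="$3"
        if [ "$owner" != "$uid" ] && [ "$owner" != 0 ]; then
            printf 'BAD OWNER    %s (uid %s, expected %s or 0)\n' "$p" "$owner" "$uid"
            rc=1
        fi
        # position 6 of the mode string is the group write bit
        case "$mode" in
            ?????w*)    printf 'GROUP-WRITE  %s (%s)\n' "$p" "$mode"; rc=1 ;;
        esac
        # position 9 is the world write bit
        case "$mode" in
            ????????w*) printf 'WORLD-WRITE  %s (%s)\n' "$p" "$mode"; rc=1 ;;
        esac
    done
    return $rc
}

# Stand-alone use on the remote host, e.g.:
#   sh check_pubkey_perms.sh /home/spsy "$(id -u spsy)"
if [ $# -eq 2 ]; then
    check_pubkey_perms "$1" "$2" && echo "OK: sshd will read $1/.ssh/authorized_keys"
fi
```

Run it on adm1amlp for an account that still gets the password prompt and for one that does not; any line it prints is a difference sshd cares about and the client-side `ssh -vvv` never will. Whatever it reports, the authoritative reason lives on the server side: sshd records why it refused a key in the AUTH syslog facility once `LogLevel` in sshd_config is raised from the default `INFO` to `DEBUG`, which is the next thing to compare between a working and a failing account.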