LinuxQuestions.org
Old 04-25-2011, 04:46 AM   #16
EricTRA
LQ Guru
 
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 20 with Awesome WM
Posts: 6,805
Blog Entries: 1

Rep: Reputation: 1297

Hi,

Sorry, my mistake. The man page for ssh-keysign states:
Quote:
ssh-keysign is not intended to be invoked by the user, but from ssh(1). See
ssh(1) and sshd(8) for more information about host-based authentication.
so it's called by SSH directly. Can you try to connect to the remote host?

Kind regards,

Eric
 
Old 04-25-2011, 04:48 AM   #17
mahmoodn
Member
 
Registered: May 2010
Posts: 427

Original Poster
Rep: Reputation: 16
with password, yes:
Code:
mahmood@server:~$ ssh client
get_socket_address: getnameinfo 8 failed: Name or service not known
get_socket_address: getnameinfo 8 failed: Name or service not known
cannot get sockname for fd
ssh_keysign: no reply
key_sign failed
mahmood@client's password:
Linux harrier 2.6.32-24-server #39-Ubuntu SMP Wed Jul 28 06:21:40 UTC 2010 x86_64 GNU/Linux
Ubuntu 10.04 LTS

Welcome to the Ubuntu Server!
 * Documentation:  http://www.ubuntu.com/server/doc
Last login: Sun Mar 27 08:16:06 2011 from server
mahmood@client:~$
 
Old 04-25-2011, 04:57 AM   #18
EricTRA
LQ Guru
 
Hi,

Something is still off. I just reviewed your posts and in none of the configs you posted there is a key mentioned as is in the manual.
That's why you get:
Quote:
ssh_keysign: no reply
key_sign failed
this error I imagine. Check with ssh-keyscan what the key is for the remote machine and add it to your config file. Then restart SSH and try again.

Kind regards,

Eric
 
Old 04-25-2011, 05:09 AM   #19
mahmoodn
Member
 
Nothing happened.
On the server side, I ran "ssh-keysign client" and added that to /etc/ssh/ssh_known_hosts. After running "/etc/init.d/ssh restart", I still get the same prompt and message.
 
Old 04-25-2011, 05:15 AM   #20
EricTRA
LQ Guru
 
Hello,

No, not ssh-keysign, but ssh-keyscan host. From the man page of ssh-keyscan:
Quote:
ssh-keyscan is a utility for gathering the public ssh host keys of a number of
hosts. It was designed to aid in building and verifying ssh_known_hosts files.
ssh-keyscan provides a minimal interface suitable for use by shell and perl
scripts
That should get you the key you need to put in the configuration file in order to connect.

Kind regards,

Eric
 
Old 04-25-2011, 05:26 AM   #21
EricTRA
LQ Guru
 
Hello,

Just found something:
Code:
ssh-keyscan -t rsa name_of_client_machine >> /etc/ssh/ssh_known_hosts
for each client machine from which you want to allow password-less logins.

Check for more differences between Reuti's manual and this one. I didn't find the way to get the key in Reuti's manual so looked at Google for help and that site came up. Seems pretty straightforward to me.

Kind regards,

Eric
 
Old 04-25-2011, 05:33 AM   #22
mahmoodn
Member
 
On the server side:
Code:
mahmood@server:~$ cat /etc/ssh/ssh_known_hosts
# server SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu4
server,192.168.1.1 ssh-rsa AAAAB3NzaC1yc2EAAAAB....
# client SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu6
client,192.168.1.3 ssh-rsa AAAAB3NzaC1yc2EAAA....
on the client side (I manually changed that file)
Code:
mahmood@server:~$ sudo chroot /home/nfsroot/
[sudo] password for mahmood:
root@server:/# cat etc/ssh/ssh_known_hosts
server,192.168.1.1 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuBCfN+TMtNok1WezSr7aj7LqFm01NAlITGgLBRN4juw1yfj+lbqkPaWQZg9bHUyH5iBge7HqjM0eFf0a8KRxL0yYB3nfcWJebWJ+XuEBIRPTAoZkJdsi26omY8fStN8fzqXsgVNCnrY8k16zTXMltcN+MNPG7x9nutZQu9uvNIteshthRLJyD34KzOIqf4anW1A2MRfGkQUJEc9Kwg/FYRSS2Y6irAaQq3dgO7hlwnesdXNJZRPeI1JmaxT20NVgWbZn4gbozuxrj21gFXKLJTioTy1FtKleY9mjPlCRBZJGw1MKfKtvhmSfyno8fvPV35iB0m+LMRYI/Q==
# client SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu6
client,192.168.1.3 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA9Mi0TEUzMLJ1i2gascvkXilTE2g3BIYKcs6qIcFXw8GB+LN6GoH3uJ+0PujwQVdzO4B8qpQ+ClM9uwYxo61x9bIYh/nwqaVqJrI5VOtbzlzXPCs0SWeDAjVTJzTcPk+D10lfqLDL2jLblzZD7yJpm0Elb8tuF4ISMeFaKP6MeG4m+Ygl+zbcvYzpvqtTpQSmM2u9SIEW+Cg62VuMxkrXqNg671ewdc53SvCQM8PysJCRUNDPcy1nKA4chhq/HDuyvpKVaPrFWugaoKGWkAz3Y0Ny6Xge4O3EJsclQt3AY6oXPsOkyBMm3QRU+I4Tjl7TCm0EjS+B8QXTEQ==

root@server:/# exit
exit
mahmood@server:~$
restarting the ssh service on server and rebooting the client....
still get the same messages:
Code:
mahmood@server:~$ ssh client 
get_socket_address: getnameinfo 8 failed: Name or service not known
get_socket_address: getnameinfo 8 failed: Name or service not known
cannot get sockname for fd
ssh_keysign: no reply
key_sign failed
mahmood@client's password:
I am really confused with that.
 
Old 04-25-2011, 05:39 AM   #23
EricTRA
LQ Guru
 
Hi,

Have you checked point 4 on the site I pointed to?
Quote:
Make the account of each permitted user accept password-less logins, on the server. For this, you typically will not need administrator access. For our Linux example, log in as the user who will be logging in without a password, and then add this line to the ~/.shosts file:

name_of_client_machine.domain_of_client_machine username
Kind regards,

Eric
 
Old 04-25-2011, 05:40 AM   #24
mahmoodn
Member
 
yes
Code:
mahmood@server:~$ domainname
(none)
mahmood@server:~$ cat .shosts
client mahmood
Step 1 in your link says:
IgnoreRhosts no
Is that necessary? It is not mentioned in the Reuti manual.

Last edited by mahmoodn; 04-25-2011 at 05:44 AM.
 
Old 04-25-2011, 05:46 AM   #25
EricTRA
LQ Guru
 
Hi,

Can you confirm that on the client side you have the following in /etc/ssh/ssh_config:
Code:
HostbasedAuthentication yes
EnableSSHKeysign yes
and on the server side in /etc/ssh/sshd_config the following:
Code:
IgnoreRhosts no
HostbasedAuthentication yes
Also can you post what version of SSH you're using:
Code:
ssh -v
Kind regards,

Eric
 
Old 04-25-2011, 05:57 AM   #26
mahmoodn
Member
 
Code:
mahmood@client:~$ cat /etc/ssh/ssh_config | grep "HostbasedAuthentication"
   HostbasedAuthentication yes
mahmood@client:~$ cat /etc/ssh/ssh_config | grep "EnableSSHKeysign"
   EnableSSHKeysign yes
mahmood@client:~$ exit
logout
Connection to clientclosed.
mahmood@server:~$ cat /etc/ssh/sshd_config | grep "IgnoreRhosts"
IgnoreRhosts no
mahmood@server:~$ cat /etc/ssh/sshd_config | grep "HostbasedAuthentication"
HostbasedAuthentication yes
mahmood@server:~$ ssh -v
OpenSSH_5.3p1 Debian-3ubuntu4, OpenSSL 0.9.8k 25 Mar 2009
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
           [-D [bind_address:]port] [-e escape_char] [-F configfile]
           [-i identity_file] [-L [bind_address:]port:host:hostport]
           [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
           [-R [bind_address:]port:host:hostport] [-S ctl_path]
           [-w local_tun[:remote_tun]] [user@]hostname [command]
after restarting the service and rebooting the client:
Code:
mahmood@server:~$ ssh client
get_socket_address: getnameinfo 8 failed: Name or service not known
get_socket_address: getnameinfo 8 failed: Name or service not known
cannot get sockname for fd
ssh_keysign: no reply
key_sign failed
mahmood@client's password:
I really appreciate your kind and quick replies.
 
Old 04-25-2011, 06:03 AM   #27
EricTRA
LQ Guru
 
Hello,

No problem at all, I'm glad to help but this is really confusing me. At first I thought you were suffering from a bug that exists in an older version, that's why I asked for your version of SSH. But that seems to be out of the question. One last thing comes to mind. Did you add for both computers 'IP computername' to the /etc/hosts file?

Kind regards,

Eric
 
Old 04-25-2011, 06:05 AM   #28
EricTRA
LQ Guru
 
Hi,

Hold the press!!! I just noticed this:
Quote:
ssh client
The way I understand it you've set up everything to allow connection FROM client TO server yet you are connecting to the client???? Try connecting from the client to the server.

Kind regards,

Eric
 
Old 04-25-2011, 06:13 AM   #29
mahmoodn
Member
 
Code:
mahmood@server:~$ ssh client
get_socket_address: getnameinfo 8 failed: Name or service not known
get_socket_address: getnameinfo 8 failed: Name or service not known
cannot get sockname for fd
ssh_keysign: no reply
key_sign failed
mahmood@client's password:
Linux client 2.6.32-24-server #39-Ubuntu SMP Wed Jul 28 06:21:40 UTC 2010 x86_64 GNU/                                                                       Linux
Ubuntu 10.04 LTS

Welcome to the Ubuntu Server!
 * Documentation:  http://www.ubuntu.com/server/doc
Last login: Sun Mar 27 09:40:19 2011 from server
mahmood@client:~$
So I am in the client. Now:
Code:
mahmood@client:~$ ssh server
buffer_get_ret: trying to get more bytes 257 than in buffer 251
buffer_get_string_ret: buffer_get failed
buffer_get_bignum2_ret: invalid bignum
key_from_blob: can't read rsa key
key_read: key_from_blob AAAAB3NzaC1yc2EAAAABIwAAAQEAuBCfN+TMtNok1WezSr7aj7LqFm01NAlITG                                                                       gLBRN4juw1yfj+lbqkPaWQZg9bHUyH5iBge7HqjM0eFf0a8KRxL0yYB3nfcWJebWJ+XuEBIRPTAoZkJdsi26om                                                                       Y8fStN8fzqXsgVNCnrY8k16zTXMltcN+MNPG7x9nutZQu9uvNIteshthRLJyD34KzOIqf4anW1A2MRfGkQUJEc                                                                       9Kwg/FYRSS2Y6irAaQq3dgO7hlwnesdXNJZRPeI1JmaxT20NVgWbZn4gbozuxrj21gFXKLJTioTy1FtKleY9mj                                                                       PlCRBZJGw1MKfKtvhmSfyno8fvPV35iB0m+LMRYI/Q==
 failed
buffer_get_ret: trying to get more bytes 257 than in buffer 251
buffer_get_string_ret: buffer_get failed
buffer_get_bignum2_ret: invalid bignum
key_from_blob: can't read rsa key
key_read: key_from_blob AAAAB3NzaC1yc2EAAAABIwAAAQEAuBCfN+TMtNok1WezSr7aj7LqFm01NAlITG                                                                       gLBRN4juw1yfj+lbqkPaWQZg9bHUyH5iBge7HqjM0eFf0a8KRxL0yYB3nfcWJebWJ+XuEBIRPTAoZkJdsi26om                                                                       Y8fStN8fzqXsgVNCnrY8k16zTXMltcN+MNPG7x9nutZQu9uvNIteshthRLJyD34KzOIqf4anW1A2MRfGkQUJEc                                                                       9Kwg/FYRSS2Y6irAaQq3dgO7hlwnesdXNJZRPeI1JmaxT20NVgWbZn4gbozuxrj21gFXKLJTioTy1FtKleY9mj                                                                       PlCRBZJGw1MKfKtvhmSfyno8fvPV35iB0m+LMRYI/Q==
 failed
The authenticity of host 'server (192.168.1.1)' can't be established.
RSA key fingerprint is 98:16:bc:1c:f9:a7:a8:76:37:20:13:97:24:b1:58:8b.
Are you sure you want to continue connecting (yes/no)?
Interesting. The message of server->client is different from client->server.

Also, what are the "spaces" in the key?
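
Added example, not part of the thread and not OpenSSH code: the `buffer_get_ret: trying to get more bytes 257 than in buffer 251` message in post #29 means a key blob declares a 257-byte field while only 251 bytes follow it. This Python check walks the length-prefixed fields of each ssh_known_hosts entry and reports where the data runs short; the function names and the sample key are constructed for illustration.

```python
import base64
import struct

def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: 4-byte big-endian length, then data."""
    return struct.pack(">I", len(data)) + data

def check_known_hosts_line(line: str):
    """Return (ok, message) for one ssh_known_hosts entry (hypothetical helper)."""
    line = line.strip()
    if not line or line.startswith("#"):
        return True, "skipped (blank or comment)"
    fields = line.split()
    if len(fields) < 3:
        return False, "expected: hostnames keytype base64-key"
    hosts, keytype, b64 = fields[:3]
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        return False, f"{hosts}: bad base64 ({exc})"
    parts, offset = [], 0
    while offset < len(blob):
        if len(blob) - offset < 4:
            return False, f"{hosts}: truncated length field"
        (length,) = struct.unpack_from(">I", blob, offset)
        offset += 4
        left = len(blob) - offset
        if length > left:
            return False, f"{hosts}: field wants {length} bytes, only {left} left"
        parts.append(blob[offset:offset + length])
        offset += length
    if not parts or parts[0] != keytype.encode():
        return False, f"{hosts}: blob type does not match '{keytype}'"
    return True, f"{hosts}: {keytype} key, {len(parts)} fields"

# Constructed sample key (not a real host key): e = 0x23, 257-byte modulus field.
SAMPLE_BLOB = (ssh_string(b"ssh-rsa") + ssh_string(b"\x23")
               + ssh_string(b"\x00" + b"\xab" * 256))
GOOD_B64 = base64.b64encode(SAMPLE_BLOB).decode()
# Simulate a hand edit that lost 8 base64 characters (6 bytes) from the middle.
DAMAGED_B64 = GOOD_B64[:100] + GOOD_B64[108:]
GOOD_LINE = f"client,192.168.1.3 ssh-rsa {GOOD_B64}"
DAMAGED_LINE = f"server,192.168.1.1 ssh-rsa {DAMAGED_B64}"

if __name__ == "__main__":
    for entry in ("# comment", GOOD_LINE, DAMAGED_LINE):
        print(check_known_hosts_line(entry))
```

An entry whose key was broken up by inserted spaces fails the same way, because only the first fragment is read as the key field.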
 
Old 04-25-2011, 06:18 AM   #30
EricTRA
LQ Guru
 
Hi,

And after you accepted the authenticity when connecting from client to server? What happened then? Did you get connected? Also check the permissions on the file you created, this looks like a permission issue.

Of course output from server to client is different than from client to server because you only have set up your server to accept host based authentication. If you want to work it both ways you'll have to repeat the necessary steps on the client machine for the SSH server part (sshd_config) and on the server machine for the client part (ssh_config). If I'm not mistaken you've only set it up one way, from your client to your server.

Kind regards,

Eric
 
  

