Setting up passwordless ssh

blackdragonblood · 01-20-2006, 03:59 PM

I'm setting up passwordless ssh and I still get prompted for passwords. I generated the keys, copied the pub key to the server, cat the file /.ssh/autorized_keys, and still get asked for passwords. I double checked permissions and log files. I see no evidence that my keys are being checked.

Hangdog42 · 01-20-2006, 04:13 PM

When you generated the keys, did you remember to not create a passphrase?

blackdragonblood · 01-20-2006, 04:24 PM

Yes, the keys were generated w/o a passphrase.

fotoguy · 01-20-2006, 06:54 PM

Sounds like it maybe the configuration on the server, can you post the contents of the sshd_config file from the server.

blackdragonblood · 01-20-2006, 10:25 PM

Here it is.

Code:

#       $OpenBSD: sshd_config,v 1.72 2005/07/25 11:59:40 markus Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#Protocol 2,1
Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6

#RSAAuthentication yes
#PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
#UsePAM no
UsePAM yes

#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#ShowPatchLevel no

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem       sftp    /usr/libexec/openssh/sftp-server

dombrowsky · 01-21-2006, 01:40 AM

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

try setting the empty passwords line to yes. maybe the default in ssh changed and the config file wasn't updated.

just a guess.

-dave

Hangdog42 · 01-21-2006, 07:25 AM

Quote:

PasswordAuthentication yes

That has to be set to no to disable passwords.

blackdragonblood · 01-21-2006, 12:34 PM

I made the suggested changes to sshd_config and now my client generates the following error.

Quote:

Permission denied (publickey,gssapi-with-mic).

Hangdog42 · 01-21-2006, 05:22 PM

I noticed that there are a couple other changed in the config, namely the ChallengeResponseAuthentication and the GSSAPI settings. Are those things you changed or is that the standard config for FC?

blackdragonblood · 01-21-2006, 09:46 PM

I did change some stuff and it's possible that I may have changed them although, I don't think I did. I must appoligize b/c I looked at other log files and realized I was looking at the wrong one for ssh activity.

Quote:

Authentication refused: bad ownership or modes for file /home/identity/.ssh/authorized_keys

I messed around with permissions and still couldn't figure it out. Could some one plz clear make it clear what the permissions should be for authorized_keys? Also, if there are things that I should change back in my sshd_config plz let me know. Again sorry for leading everyone down the wrong path.

scowles · 01-21-2006, 10:08 PM

Obviously the user/group shown below will be different at your end, but take special note of the permissions on the .ssh directory. i.e. 700

Code:

[scowles@excelsior .ssh]$ ls -la
total 16
drwx------   2 scowles scowles 4096 Dec  4 19:01 .
drwxr-xr-x  34 scowles scowles 4096 Jan 20 04:17 ..
-rw-r--r--   1 scowles scowles 2223 Nov 25 23:22 authorized_keys
-rw-r--r--   1 scowles scowles 1074 Dec  4 19:01 known_hosts
[scowles@excelsior .ssh]$ pwd
/home/scowles/.ssh

blackdragonblood · 01-21-2006, 10:58 PM

I changed the permissions. I still get the same error messange and nothing shows up in /var/log/secure.

Hangdog42 · 01-22-2006, 07:48 AM

Check the permissions on your home directory. Basically if anybody besides the user can write to the home directory, the .ssh directory or any of its files, sshd is going to pitch a fit. I would also seriously reccomend setting all your sshd_config values back to whatever they normally should be for FC.

blackdragonblood · 01-22-2006, 11:10 AM

I tried changing permissions for /home/identity, changing sshd_config back, and changing more options sshd_config. Is it possible to get a fresh file from somewhere? I'll post sshd_config in it's current state.

Code:

#	$OpenBSD: sshd_config,v 1.72 2005/07/25 11:59:40 markus Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#Protocol 2,1
Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile	.ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
PermitEmptyPasswords yes
PasswordAuthentication no

# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes
#ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
GSSAPIAuthentication no
#GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing, 
# and session processing. If this is enabled, PAM authentication will 
# be allowed through the ChallengeResponseAuthentication mechanism. 
# Depending on your PAM configuration, this may bypass the setting of 
# PasswordAuthentication, PermitEmptyPasswords, and 
# "PermitRootLogin without-password". If you just want the PAM account and 
# session checks to run without PAM authentication, then enable this but set 
# ChallengeResponseAuthentication=no
#UsePAM no
UsePAM yes

#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#ShowPatchLevel no

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem	sftp	/usr/libexec/openssh/sftp-server

Hangdog42 · 01-22-2006, 01:51 PM

From what I've seen on the net I think you should change the following:

ChallengeResponseAuthentication no
GSSAPIAuthentication yes
PermitEmptyPasswords no