So therefore my RSA key should already be in my authorized_keys on any
host. However logging into the virtual network, I always get prompted
for a password. Just for the heck of it, I scp'd the key over again to
one of the virtual hosts:
Considering that this key is internal network only and doesn't have a
passphrase set (it does not traverse internet boundaries) why on earth
am I being prompted for a password whenever I ssh into this machine?
thanks!
--
Here's my RSA Public key:
gpg --keyserver pgp.mit.edu --recv-keys 5A4873A9
Share and enjoy!!
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
11-16-2010, 08:09 PM
John Kennedy
ssh prompting for password
A few things to look for:
Make sure .ssh and authorized_keys files are permissioned to 700 and 600 respectively. If they are wide open then ssh will skip them.
Check /var/log/secure on both machines. That may give you a clue.
ssh with -vvv (or just -v) and see if you get errors.
I just had the same thing and my problem was .ssh permissions.
Hope this helps.
John
On Tue, Nov 16, 2010 at 16:05, bluethundr <bluethundr@gmail.com> wrote:
> hello list
> I have a network mounted home directory shared between all hosts on my network:
> Considering that this key is internal network only and doesn't have a
> passphrase set (it does not traverse internet boundaries) why on earth
> am I being prompted for a password whenever I ssh into this machine?
> thanks!
> --
> Here's my RSA Public key:
> gpg --keyserver pgp.mit.edu --recv-keys 5A4873A9
> Share and enjoy!!
--
John Kennedy
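The permission check suggested in the reply above, as an added example that is not part of the thread: a shell function approximating the test sshd makes when `StrictModes` is on (the default), where the home directory, `.ssh` and `authorized_keys` must be owned by the user or root and must not be group- or world-writable. The function and script names are hypothetical, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Approximates the ownership and mode
# checks sshd makes under "StrictModes yes" before reading authorized_keys.
# Assumes GNU coreutils stat (as on CentOS).

# check_path PATH UID: fail if PATH is missing, group/world-writable,
# or owned by anyone other than UID or root.
check_path() {
    path=$1; want_uid=$2; bad=0
    if [ ! -e "$path" ]; then
        echo "MISSING  $path"
        return 1
    fi
    mode=$(stat -L -c '%a' "$path")
    owner=$(stat -L -c '%u' "$path")
    # Octal 022 masks the group-write and other-write bits.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "WRITABLE $path (mode $mode)"
        bad=1
    fi
    if [ "$owner" -ne "$want_uid" ] && [ "$owner" -ne 0 ]; then
        echo "OWNER    $path (uid $owner, expected $want_uid or 0)"
        bad=1
    fi
    if [ "$bad" -eq 0 ]; then
        echo "OK       $path (mode $mode)"
    fi
    return "$bad"
}

# audit_ssh_perms HOME UID: check every path sshd walks for key login.
audit_ssh_perms() {
    home=$1; uid=$2; rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        check_path "$p" "$uid" || rc=1
    done
    return "$rc"
}

# Run on the target host, e.g. (script name is hypothetical):
#   sh audit_ssh_perms.sh "$HOME" "$(id -u)"
if [ "$#" -eq 2 ]; then
    audit_ssh_perms "$1" "$2"
fi
```

Modes 700 and 600 pass this check; any path reported as WRITABLE or OWNER is one sshd would refuse to trust, after which the client falls back to the password prompt.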
11-16-2010, 08:31 PM
ssh prompting for password
bluethundr wrote:
> hello list
>
> I have a network mounted home directory shared between all hosts on my
> network:
<snip>
> So therefore my RSA key should already be in my authorized_keys on any
> host. However logging into the virtual network, I always get prompted
> for a password. just for the heck of it, I scp'd the key over again to
> one of the virtual hosts:
<snip>
> Considering that this key is internal network only and doesn't have a
> passphrase set (it does not traverse internet boundaries) why on earth
> am I being prompted for a password whenever I ssh into this machine?
Do you have
PermitRootLogin without-password
in /etc/ssh/sshd_config?
mark
11-16-2010, 08:44 PM
John Kennedy
ssh prompting for password
On Tue, Nov 16, 2010 at 16:31, <m.roth@5-cent.us> wrote:
> bluethundr wrote:
>> hello list
>>
>> I have a network mounted home directory shared between all hosts on my
>> network:
> <snip>
>> So therefore my RSA key should already be in my authorized_keys on any
>> host. However logging into the virtual network, I always get prompted
>> for a password. just for the heck of it, I scp'd the key over again to
>> one of the virtual hosts:
> <snip>
>> Considering that this key is internal network only and doesn't have a
>> passphrase set (it does not traverse internet boundaries) why on earth
>> am I being prompted for a password whenever I ssh into this machine?
> Do you have
> PermitRootLogin without-password
> in /etc/ssh/sshd_config?
> mark
I would think that would just cause a failed login and not ask for a password then let him in. From reading, it looks like he can SSH, just not without the password...
John
--
John Kennedy
11-16-2010, 09:09 PM
Todd Denniston
ssh prompting for password
bluethundr wrote, On 11/16/2010 04:05 PM:
> hello list
>
> I have a network mounted home directory shared between all hosts on my network:
>
>
> So therefore my RSA key should already be in my authorized_keys on any
> host. However logging into the virtual network, I always get prompted
> for a password. just for the heck of it, I scp'd the key over again to
> one of the virtual hosts:
>
>
> [bluethundr@LCENT03:~]#scp .ssh/id_rsa.pub virt1:~
> bluethundr@virt1's password:
> id_rsa.pub
> 100% 381 0.4KB/s 00:00
>
> ssh'd in:
>
> [bluethundr@LCENT03:~]#ssh virt1
> bluethundr@virt1's password:
> Last login: Tue Nov 16 15:57:24 2010 from 192.168.1.46
> Considering that this key is internal network only and doesn't have a
> passphrase set (it does not traverse internet boundaries) why on earth
> am I being prompted for a password whenever I ssh into this machine?
>
> thanks!
assumption 1: the private key is .ssh/id_rsa.priv (on the starting machine).
assumption 2: you have to tell ssh (actually the ssh agent) which key to use.
assumption 3: .ssh/id_rsa.priv is readable only by the user.
assumption 4: someone has not configured the other machine to disallow keyed login (nuts, but could
happen. PubkeyAuthentication no?).
have you done
`ssh-add .ssh/id_rsa.priv`
before you ssh?
what does
ssh-add -L
and
ssh-add -l
give?
--
Todd Denniston
Crane Division, Naval Surface Warfare Center (NSWC Crane)
Harnessing the Power of Technology for the Warfighter
11-17-2010, 01:12 AM
Kwan Lowe
ssh prompting for password
On Tue, Nov 16, 2010 at 4:05 PM, bluethundr <bluethundr@gmail.com> wrote:
>
> So therefore my RSA key should already be in my authorized_keys on any
> host. However logging into the virtual network, I always get prompted
> for a password. just for the heck of it, I scp'd the key over again to
> one of the virtual hosts:
>
[snip]
> Considering that this key is internal network only and doesn't have a
> passphrase set (it does not traverse internet boundaries) why on earth
> am I being prompted for a password whenever I ssh into this machine?
I've seen this before in NFS mounted home directories..and had to
think about it before I realized what was happening.
When you first attempt to login, sshd is running as root. It needs to
look at your NFS mounted home directory (which is often set for no
root squash) to get the public key. But because it is no root squash,
and the perms on your pubkey are probably 700, even root can't read
the key. You can verify by logging in as root to the machine and
trying to cat out the user's public key. Most likely you cannot so the
sshd cannot validate the key.
11-17-2010, 01:14 AM
Stephen Harris
ssh prompting for password
On Tue, Nov 16, 2010 at 09:12:17PM -0500, Kwan Lowe wrote:
> When you first attempt to login, sshd is running as root. It needs to
> look at your NFS mounted home directory (which is often set for no
> root squash) to get the public key. But because it is no root squash,
Depends on the sshd_config; "UsePrivilegeSeparation yes" (which is
normally the default) means that phase is run as the destination user
and not as root.
--
rgds
Stephen
11-17-2010, 01:17 AM
Kwan Lowe
ssh prompting for password
On Tue, Nov 16, 2010 at 9:14 PM, Stephen Harris <lists@spuddy.org> wrote:
> On Tue, Nov 16, 2010 at 09:12:17PM -0500, Kwan Lowe wrote:
>> When you first attempt to login, sshd is running as root. It needs to
>> look at your NFS mounted home directory (which is often set for no
>> root squash) to get the public key. But because it is no root squash,
>
> Depends on the sshd_config; "UsePrivilegeSeparation yes" (which is
> normally the default) means that phase is run as the destination user
> and not as root.
>
Yes, exactly. We had to change this to get it to work... Or set the
norootsquash option..
11-17-2010, 01:19 AM
Kwan Lowe
ssh prompting for password
On Tue, Nov 16, 2010 at 9:14 PM, Stephen Harris <lists@spuddy.org> wrote:
> On Tue, Nov 16, 2010 at 09:12:17PM -0500, Kwan Lowe wrote:
>> When you first attempt to login, sshd is running as root. It needs to
>> look at your NFS mounted home directory (which is often set for no
>> root squash) to get the public key. But because it is no root squash,
>
> Depends on the sshd_config; "UsePrivilegeSeparation yes" (which is
> normally the default) means that phase is run as the destination user
> and not as root.
To clarify, the sshd listener runs as root and then drops privileges
once the user is authenticated.. The issue is specifically the root
squash across NFS filesystems which is normally set to disable root
privs on the mount (that, and noexec). I.e., even root has no privs
to validate the shared key.
11-18-2010, 05:40 AM
Gordon Messmer
ssh prompting for password
On 11/16/2010 06:19 PM, Kwan Lowe wrote:
> On Tue, Nov 16, 2010 at 9:14 PM, Stephen Harris<lists@spuddy.org> wrote:
>> Depends on the sshd_config; "UsePrivilegeSeparation yes" (which is
>> normally the default) means that phase is run as the destination user
>> and not as root.
>
> To clarify, the sshd listener runs as root and then drops privileges
> once the user is authenticated.. The issue is specifically the root
> squash across NFS filesystems which is normally set to disable root
> privs on the mount (that, and noexec). I.e., even root has no privs
> to validate the shared key.
You are both incorrect. Key authentication *always* takes place as the
user requesting login, regardless of the UsePrivilegeSeparation option.
When using UsePrivilegeSeparation, sshd creates a separate process to
handle the crypto and compression bits (primarily) of incoming traffic,
in order to prevent privilege escalation. That option does not affect
most authentication types (it is documented to interact with UseLogin,
which is off by default).
I'm not aware of any configuration where root_squash will prevent users
from authenticating with keys.