Old 11-16-2010, 08:05 PM
bluethundr
 
Default ssh prompting for password

hello list

I have a network mounted home directory shared between all hosts on my network:

[bluethundr@LCENT03:~]#df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/VolGroup00-LogVol00
140G 4.4G 128G 4% /
/dev/sda1 99M 35M 60M 37% /boot
tmpfs 1.6G 0 1.6G 0% /dev/shm
nas.summitnjhome.com:/mnt/nas
903G 265G 566G 32% /mnt/nas
nas2.summitnjhome.com:/mnt/store
1.4T 187G 1.1T 15% /mnt/store
nas2.summitnjhome.com:/mnt/home
903G 47G 784G 6% /home
none 1.6G 136K 1.6G 1% /var/lib/xenstored

So therefore my RSA key should already be in my authorized_keys on any
host. However logging into the virtual network, I always get prompted
for a password. just for the heck of it, I scp'd the key over again to
one of the virtual hosts:


[bluethundr@LCENT03:~]#scp .ssh/id_rsa.pub virt1:~
bluethundr@virt1's password:
id_rsa.pub
100% 381 0.4KB/s 00:00

ssh'd in:

[bluethundr@LCENT03:~]#ssh virt1
bluethundr@virt1's password:
Last login: Tue Nov 16 15:57:24 2010 from 192.168.1.46

Searched for the key on the host I just ssh'd into:


[bluethundr@VIRTCENT01:~]#grep -f id_rsa.pub .ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABI-FAKE-DATA-dgjIWxnyplIYKE5IQw9FY2+IVsYw==

As you can see, it's already there.. I then checked the modes on
authorized_keys:

[bluethundr@VIRTCENT01:~]#ls -l .ssh/authorized_keys
-rw------- 1 1001 1002 1597 Nov 15 12:02 .ssh/authorized_keys

And checked that I was using the same shared network mounted home
directory from the machine I just ssh'd in from:


[bluethundr@VIRTCENT01:~]#df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/VolGroup00-LogVol00
9.1G 1.8G 6.9G 21% /
/dev/xvda1 99M 20M 75M 21% /boot
tmpfs 129M 0 129M 0% /dev/shm
nas.summitnjhome.com:/mnt/nas
903G 265G 566G 32% /mnt/nas
nas2.summitnjhome.com:/mnt/store
1.4T 187G 1.1T 15% /mnt/store
nas2.summitnjhome.com:/mnt/home
903G 47G 784G 6% /home
[bluethundr@VIRTCENT01:~]#


Considering that this key is internal network only and doesn't have a
passphrase set (it does not traverse internet boundaries) why on earth
am I being prompted for a password whenever I ssh into this machine?

thanks!
--
Here's my RSA Public key:
gpg --keyserver pgp.mit.edu --recv-keys 5A4873A9

Share and enjoy!!
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 11-16-2010, 08:09 PM
John Kennedy
 
Default ssh prompting for password

A few things to look for:
Make sure .ssh and authorized_keys files are permissioned to 700 and 600 respectively. If they are wide open then ssh will skip them.
Check /var/log/secure on both machines. That may give you a clue.
ssh with -vvv (or just -v) and see if you get errors.
I just had the same thing and my problem was .ssh permissions.
Hope this helps.
John
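
The permission advice above can be checked mechanically. The following is an added example, not part of the original thread: a shell function that approximates the test sshd applies under StrictModes (owner must be the login user or root, and no group/world write bit) to the home directory, .ssh and authorized_keys. It compares the owner UID as well as the mode, since the `ls -l` output in the thread shows a numeric owner (1001); the function name and output format are assumptions, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: approximate sshd's StrictModes check on a user's key files.
# Usage: check_ssh_perms HOME_DIR EXPECTED_UID
# Prints one line per problem; returns 0 if clean, 1 otherwise.
# Assumes GNU stat (stat -c), as shipped on CentOS.
check_ssh_perms() {
    home=$1
    want_uid=$2
    bad=0
    for path in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$path" ]; then
            echo "MISSING $path"
            bad=1
            continue
        fi
        owner=$(stat -c '%u' "$path")
        mode=$(stat -c '%a' "$path")
        # Owner must be the login user or root. On a shared NFS home this
        # fails when the UID differs between hosts.
        if [ "$owner" != "$want_uid" ] && [ "$owner" != "0" ]; then
            echo "OWNER $path uid=$owner expected=$want_uid"
            bad=1
        fi
        # Group and world write bits (octal 022) must be clear.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "MODE $path mode=$mode"
            bad=1
        fi
    done
    return $bad
}

# Run directly as: sh check.sh /home/USER "$(id -u USER)"
if [ "$#" -eq 2 ]; then
    check_ssh_perms "$1" "$2"
fi
```

Run it on the destination host, where sshd reads the files. When this check fails, sshd logs "Authentication refused: bad ownership or modes" to /var/log/secure and falls back to the next authentication method.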



 
Old 11-16-2010, 08:31 PM
 
Default ssh prompting for password

bluethundr wrote:
> hello list
>
> I have a network mounted home directory shared between all hosts on my
> network:
<snip>
> So therefore my RSA key should already be in my authorized_keys on any
> host. However logging into the virtual network, I always get prompted
> for a password. just for the heck of it, I scp'd the key over again to
> one of the virtual hosts:
<snip>
> Considering that this key is internal network only and doesn't have a
> passphrase set (it does not traverse internet boundaries) why on earth
> am I being prompted for a password whenever I ssh into this machine?

Do you have
PermitRootLogin without-password
in /etc/ssh/sshd_config?

mark

 
Old 11-16-2010, 08:44 PM
John Kennedy
 
Default ssh prompting for password

On Tue, Nov 16, 2010 at 16:31, <m.roth@5-cent.us> wrote:
> bluethundr wrote:
>> hello list
>>
>> I have a network mounted home directory shared between all hosts on my
>> network:
> <snip>
>> So therefore my RSA key should already be in my authorized_keys on any
>> host. However logging into the virtual network, I always get prompted
>> for a password. just for the heck of it, I scp'd the key over again to
>> one of the virtual hosts:
> <snip>
>> Considering that this key is internal network only and doesn't have a
>> passphrase set (it does not traverse internet boundaries) why on earth
>> am I being prompted for a password whenever I ssh into this machine?
>
> Do you have
> PermitRootLogin without-password
> in /etc/ssh/sshd_config?
>
> mark

I would think that would just cause a failed login and not ask for a password then let him in. From reading, it looks like he can SSH, just not without the password...
John


 
Old 11-16-2010, 09:09 PM
Todd Denniston
 
Default ssh prompting for password

bluethundr wrote, On 11/16/2010 04:05 PM:
> hello list
>
> I have a network mounted home directory shared between all hosts on my network:
>

>
> So therefore my RSA key should already be in my authorized_keys on any
> host. However logging into the virtual network, I always get prompted
> for a password. just for the heck of it, I scp'd the key over again to
> one of the virtual hosts:
>
>
> [bluethundr@LCENT03:~]#scp .ssh/id_rsa.pub virt1:~
> bluethundr@virt1's password:
> id_rsa.pub
> 100% 381 0.4KB/s 00:00
>
> ssh'd in:
>
> [bluethundr@LCENT03:~]#ssh virt1
> bluethundr@virt1's password:
> Last login: Tue Nov 16 15:57:24 2010 from 192.168.1.46


> Considering that this key is internal network only and doesn't have a
> passphrase set (it does not traverse internet boundaries) why on earth
> am I being prompted for a password whenever I ssh into this machine?
>
> thanks!

assumption 1: the private key is .ssh/id_rsa.priv (on the starting machine).
assumption 2: you have to tell ssh (actually the ssh agent) which key to use.
assumption 3: .ssh/id_rsa.priv is readable only by the user.
assumption 4: someone has not configured the other machine to disallow keyed login (nuts, but could
happen. PubkeyAuthentication no?).

have you done
`ssh-add .ssh/id_rsa.priv`
before you ssh?

what does
ssh-add -L
and
ssh-add -l
give?

--
Todd Denniston
Crane Division, Naval Surface Warfare Center (NSWC Crane)
Harnessing the Power of Technology for the Warfighter
 
Old 11-17-2010, 01:12 AM
Kwan Lowe
 
Default ssh prompting for password

On Tue, Nov 16, 2010 at 4:05 PM, bluethundr <bluethundr@gmail.com> wrote:

>
> So therefore my RSA key should already be in my authorized_keys on any
> host. However logging into the virtual network, I always get prompted
> for a password. just for the heck of it, I scp'd the key over again to
> one of the virtual hosts:
>
[snip]
> Considering that this key is internal network only and doesn't have a
> passphrase set (it does not traverse internet boundaries) why on earth
> am I being prompted for a password whenever I ssh into this machine?

I've seen this before in NFS mounted home directories..and had to
think about it before I realized what was happening.

When you first attempt to login, sshd is running as root. It needs to
look at your NFS mounted home directory (which is often set for no
root squash) to get the public key. But because it is no root squash,
and the perms on your pubkey are probably 700, even root can't read
the key. You can verify by logging in as root to the machine and
trying to cat out the users public key. Most likely you cannot so the
sshd cannot validate the key.
 
Old 11-17-2010, 01:14 AM
Stephen Harris
 
Default ssh prompting for password

On Tue, Nov 16, 2010 at 09:12:17PM -0500, Kwan Lowe wrote:
> When you first attempt to login, sshd is running as root. It needs to
> look at your NFS mounted home directory (which is often set for no
> root squash) to get the public key. But because it is no root squash,

Depends on the sshd_config; "UsePrivilegeSeparation yes" (which is
normally the default) means that phase is run as the destination user
and not as root.

--

rgds
Stephen
 
Old 11-17-2010, 01:17 AM
Kwan Lowe
 
Default ssh prompting for password

On Tue, Nov 16, 2010 at 9:14 PM, Stephen Harris <lists@spuddy.org> wrote:
> On Tue, Nov 16, 2010 at 09:12:17PM -0500, Kwan Lowe wrote:
>> When you first attempt to login, sshd is running as root. It needs to
>> look at your NFS mounted home directory (which is often set for no
>> root squash) to get the public key. But because it is no root squash,
>
> Depends on the sshd_config; "UsePrivilegeSeparation yes" (which is
> normally the default) means that phase is run as the destination user
> and not as root.
>
Yes, exactly. We had to change this to get it to work... Or set the
norootsquash option..
 
Old 11-17-2010, 01:19 AM
Kwan Lowe
 
Default ssh prompting for password

On Tue, Nov 16, 2010 at 9:14 PM, Stephen Harris <lists@spuddy.org> wrote:
> On Tue, Nov 16, 2010 at 09:12:17PM -0500, Kwan Lowe wrote:
>> When you first attempt to login, sshd is running as root. It needs to
>> look at your NFS mounted home directory (which is often set for no
>> root squash) to get the public key. But because it is no root squash,
>
> Depends on the sshd_config; "UsePrivilegeSeparation yes" (which is
> normally the default) means that phase is run as the destination user
> and not as root.

To clarify, the sshd listener runs as root and then drops privileges
once the user is authenticated.. The issue is specifically the root
squash across NFS filesystems which is normally set to disable root
privs on the mount (that, and noexec). I.e., even root has no privs
to validate the shared key.
 
Old 11-18-2010, 05:40 AM
Gordon Messmer
 
Default ssh prompting for password

On 11/16/2010 06:19 PM, Kwan Lowe wrote:
> On Tue, Nov 16, 2010 at 9:14 PM, Stephen Harris <lists@spuddy.org> wrote:
>> Depends on the sshd_config; "UsePrivilegeSeparation yes" (which is
>> normally the default) means that phase is run as the destination user
>> and not as root.
>
> To clarify, the sshd listener runs as root and then drops privileges
> once the user is authenticated.. The issue is specifically the root
> squash across NFS filesystems which is normally set to disable root
> privs on the mount (that, and noexec). I.e., even root has no privs
> to validate the shared key.

You are both incorrect. Key authentication *always* takes place as the
user requesting login, regardless of the UsePrivilegeSeparation option.

When using UsePrivilegeSeparation, sshd creates a separate process to
handle the crypto and compression bits (primarily) of incoming traffic,
in order to prevent privilege escalation. That option does not affect
most authentication types (it is documented to interact with UseLogin,
which is off by default).

I'm not aware of any configuration where root_squash will prevent users
from authenticating with keys.
 
