Always Learning 01-27-2011 05:45 AM

SSH Automatic Log-on Failure - Centos 5.5
 
Hallo,

I wanted to avoid typing-in my password every occasion I remotely
logged-on to a server.

I created my SSH keys and copied the public part to the server and
renamed it authorized_keys.

My command line is: ssh root@xxxxxx.com -p 1234

The output shows the logging-on routine wants 3 types of authentication.
Surely one successful authentication is sufficient ?


OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to xxxxxx [123.123.123.123] port 1234.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type 1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: loaded 3 keys
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'xxxxxx' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:4
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
Unknown code krb5 195

debug1: Unspecified GSS failure. Minor code may provide more information
Unknown code krb5 195

debug1: Unspecified GSS failure. Minor code may provide more information
Unknown code krb5 195

debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: Offering public key: /root/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Next authentication method: password

-------------------

files in client /root/.ssh are:-

-rw------- 1 root root 1675 Jan 27 03:11 id_rsa
-rw-r--r-- 1 root root 403 Jan 27 03:11 id_rsa.pub
-rw-r--r-- 1 root root 2022 Jan 27 03:07 known_hosts

---------------------------------------------

server /root/.ssh

id_rsa.authorized_keys -rw--------

--------------------------------------------

The only active lines in /etc/ssh/ssh_config are

Host *
GSSAPIAuthentication yes

SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
SendEnv LC_IDENTIFICATION LC_ALL

--------------------------------------------

After commenting-out

GSSAPIAuthentication yes

in /etc/ssh/ssh_config

the remainder of a new debug report is:-

...
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: Offering public key: /root/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Next authentication method: password





All advice most gratefully received.

--

With best regards,

Paul.
England,
EU.


_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Indunil Jayasooriya 01-27-2011 06:03 AM

SSH Automatic Log-on Failure - Centos 5.5
 
On Thu, Jan 27, 2011 at 12:15 PM, Always Learning <centos@g7.u22.net> wrote:

> Hallo,
>
> I wanted to avoid typing-in my password every occasion I remotely
> logged-on to a server.

you expect Passwordless SSH. If so,

On your PC

# ssh-keygen -t rsa      ( passphrase should be empty )

Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:

then,

# cd /root/.ssh/

Pls scp id_rsa.pub to the Server

# scp id_rsa.pub root@server:/root/.ssh/authorized_keys

then, finally ssh to the server from your PC. it would be passwordless.

pls see below

# ssh server

Pls try

--
Thank you
Indunil Jayasooriya



Cameron Kerr 01-27-2011 06:35 AM

SSH Automatic Log-on Failure - Centos 5.5
 
On 27/01/2011, at 7:45 PM, Always Learning wrote:

> Hallo,
>
> I wanted to avoid typing-in my password every occasion I remotely
> logged-on to a server.
>
> I created my SSH keys and copied the public part to the server and
> renamed it authorized_keys.


> ---------------------------------------------
>
> server /root/.ssh
>
> id_rsa.authorized_keys -rw--------
>
> --------------------------------------------

Your ~/.ssh/authorized_keys needs to be readable by sshd; your permissions on it are too restrictive (typically, this should be 0644).

Also, it should be named authorized_keys, not id_rsa.authorized_keys.

PS. Coming from a background in other distributions, I find it disturbing that Centos ships with allow_root_login defaulting to yes. If you really need this, ensure that you also restrict access from where people can log in, consider employing dynamic banning, and harden your sshd_config (which, oddly enough, you didn't post).

PPS. When diagnosing such faults, it can be useful to run the sshd (ie. the server process) in debugging mode, although this would generally require the server to be temporarily disabled so it can be started in debugging mode.
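
Added example, not part of any message in this thread: a POSIX shell audit of the server-side files discussed above, assuming sshd's defaults (AuthorizedKeysFile .ssh/authorized_keys and StrictModes yes). The function names check_path and audit_pubkey_login are made up for this example; it reports a missing or misnamed key file, and any of the home directory, ~/.ssh or the key file that is group- or world-writable or owned by someone other than the user or root.

```shell
#!/bin/sh
# Added example: audit the files sshd consults for public-key login.
# Assumes the sshd defaults AuthorizedKeysFile .ssh/authorized_keys and
# StrictModes yes. Usage on the server: sh audit.sh /root root

# check_path PATH USER -> prints findings, returns 1 if PATH is
# group/world-writable or owned by neither USER nor root
check_path() {
    p=$1 user=$2 rc=0
    # POSIX find: -perm -020 is the group-write bit, -perm -002 world-write
    if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "FAIL: $p is group- or world-writable"; rc=1
    fi
    if [ -z "$(find "$p" -prune \( -user "$user" -o -user root \) -print)" ]; then
        echo "FAIL: $p is not owned by $user or root"; rc=1
    fi
    return $rc
}

# audit_pubkey_login HOME_DIR USER -> returns 0 if the layout passes
audit_pubkey_login() {
    home=$1 user=$2 status=0
    keyfile=$home/.ssh/authorized_keys
    if [ ! -f "$keyfile" ]; then
        echo "FAIL: $keyfile not found"
        # Report near-miss names such as id_rsa.authorized_keys
        for f in "$home"/.ssh/*authorized_keys*; do
            [ -e "$f" ] && echo "  found instead: $f (not read by sshd)"
        done
        return 1
    fi
    # StrictModes looks at the key file and its parent directories
    for p in "$home" "$home/.ssh" "$keyfile"; do
        check_path "$p" "$user" || status=1
    done
    [ "$status" -eq 0 ] && echo "OK: $keyfile passes name, owner and mode checks"
    return $status
}

# Run the audit only when a home directory and user are given
if [ "$#" -ge 2 ]; then
    audit_pubkey_login "$1" "$2"
fi
```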