Cant use ssh w/o password on VIO 2.1/aix 6.1 tl2

[mpezeur]

I'm trying to setup ssh into a user account (not padmin) on 2x of our VIO servers running ioslevel 2.1 which is also aix 6.1 tl2. After switching to root from padmin, for the user I want to ssh to, I've setup the .ssh directory in the user's home folder, and within the folder created the file authorized_keys with perm 600. The file contains the contents of the id_rsa.pub file for the root user from another aix host running aix 5.3 (ssh-keygen -t rsa). I'm used to this procedure for setting up ssh w/o a password, but on the 2x vio servers at this aix/vio level, I'm still prompted for a password. The vio servers are running the lpp packages for ssh version 5.2.0.5300. I have a non-vio aix server running aix 6.1 tl4 where I can setup ssh w/o a password just fine using the same lpp package level
When I connect from the aix 5.3 server using ssh -v, I receive this output:
debug1: Host 'vipdp5ec5' is known and matches the RSA host key.
debug1: Found key in /.ssh/known_hosts:92
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /.ssh/identity
debug1: Offering public key: /.ssh/id_rsa
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Trying private key: /.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password
srvcusr1@vipdp5ec5's password:

is there an issue with the TL level/ioslevel on these 2x vio servers ?

 

[p5wizard]

Try running the sshd server in debug mode (-ddd) on the VIOS.

[tt]logon to VIOS on console
stopsrc -s sshd
/usr/sbin/sshd -ddd[/tt]

In -ddd mode, sshd will print debug info on console when you try to ssh into it (from AIX53 server). I'm guessing there is some ownership or permission problem.

Note that running like this sshd only allows ONE connection (it is single threaded in debug mode)



HTH,

p5wizard

 

[mpezeur]

I see this in debug mode when trying that:

debug1: userauth-request for user srvcusr1 service ssh-connection method none
debug1: attempt 0 failures 0
debug3: mm_getpwnamallow entering
debug3: mm_request_send entering: type 6
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
debug3: monitor_read: checking request 6
debug3: mm_request_receive_expect entering: type 7
debug3: mm_answer_pwnamallow
debug3: mm_request_receive entering
debug3: Trying to reverse map address 10.1.64.196.
debug2: parse_server_config: config reprocess config len 369
debug3: AIX/loginrestrictions returned 0 msg (none)
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
debug3: mm_request_send entering: type 7
debug2: input_userauth_request: setting up authctxt for srvcusr1
debug1: Eff_sl:::Eff_tl:
debug3: mm_inform_authserv entering
debug3: mm_request_send entering: type 3
debug2: input_userauth_request: try method none
debug3: mm_auth_password entering
debug3: mm_request_send entering: type 10
debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
debug3: mm_request_receive_expect entering: type 11
debug3: mm_request_receive entering
debug2: monitor_read: 6 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 3
debug3: mm_answer_authserv: service=ssh-connection, style=
debug2: monitor_read: 3 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 10
debug3: mm_answer_authpassword: sending result 0
debug3: mm_request_send entering: type 11
debug3: mm_auth_password: user not authenticated
Failed none for srvcusr1 from 10.1.64.196 port 49547 ssh2
debug3: mm_request_receive entering
debug1: userauth-request for user srvcusr1 service ssh-connection method publickey
debug1: attempt 1 failures 0
debug2: input_userauth_request: try method publickey
debug1: test whether pkalg/pkblob are acceptable
debug3: mm_key_allowed entering
debug3: mm_request_send entering: type 20
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
debug3: mm_request_receive_expect entering: type 21
debug3: mm_request_receive entering
debug3: monitor_read: checking request 20
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 200d3908
debug1: temporarily_use_uid: 300/300 (e=0/1)
debug1: trying public key file /home/srvcusr1/.ssh/authorized_keys
debug1: restore_uid: 0/1
debug1: temporarily_use_uid: 300/300 (e=0/1)
debug1: trying public key file /home/srvcusr1/.ssh/authorized_keys
debug1: restore_uid: 0/1
Failed publickey for srvcusr1 from 10.1.64.196 port 49547 ssh2
debug3: mm_answer_keyallowed: key 200d3908 is not allowed
debug3: mm_request_send entering: type 21
debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa
debug3: mm_request_receive entering
debug1: userauth-request for user srvcusr1 service ssh-connection method keyboard-interactive
debug1: attempt 2 failures 1
debug2: input_userauth_request: try method keyboard-interactive
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=srvcusr1 devs=
debug1: kbdint_alloc: devices ''
debug2: auth2_challenge_start: devices

 

[mpezeur]

it did turn out to be a permissions issue, on the .ssh folder. When I changed it to 755 and verified authorized_keys was 600 then ssh went through w/o the password

thanks for the info on debugging!

 

[p5wizard]

Just remember to stop this hand-started (single-threaded) sshd and go back to normal (multi-threaded) srcmstr-controlled sshd.

HTH,

p5wizard

 

[mpezeur]

thanks again!