SCP - password needed after ssh-keygen

Status
Not open for further replies.

kat000003 (Technical User), Jan 27, 2005
Hi all.

A couple of months ago, I got SSH working on all 5 of my AIX V 5.2 servers. Due to company standards, I now need to disable ftp, but before I can do this, I need to get SCP working...

I have logged onto system1 with user1, run ssh-keygen -t rsa, ftp'ed the id_rsa.pub file to system2 as authorized_keys and I have even made sure that the contents of the file match. I have tried different combinations of permissions (700, 755, 600, 644) on both machines and I have made sure that the home directories are owned by user1.
When I try to scp from system1 to system2, it doesn't connect.

Output for user1:

scp -v steve1 XXXXXXXX:
Executing: program /usr/local/bin/ssh host XXXXXXXX, user (unspecified), command scp -v -t .
OpenSSH_3.8p1, SSH protocols 1.5/2.0, OpenSSL 0.9.6l 04 Nov 2003
debug1: Reading configuration data /usr/local/etc/ssh_config
debug1: Connecting to XXXXXXXX [XX.XXX.X.XX] port 22.
debug1: Connection established.
debug1: identity file /sag/.ssh/identity type 0
debug1: identity file /sag/.ssh/id_rsa type 1
debug1: identity file /sag/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.8p1
debug1: match: OpenSSH_3.8p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.8p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'XXXXXXXX' is known and matches the RSA host key.
debug1: Found key in /sag/.ssh/known_hosts:4
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /sag/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Trying private key: /sag/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: No more authentication methods to try.
Permission denied (publickey,password,keyboard-interactive).
lost connection

I am hoping that someone can suggest a few other things to try, coz frankly, it looks like I have done it perfectly according to all of the webdocs, but for some reason it is not working.

Thanks a stack!
kat000003
 
I had all sorts of problems with setting this up and the most common causes of problems, in order, were:

1. Permissions on home directories and/or .ssh directories. Lock these down tight (chmod 750 /home/user and chmod 700 /home/user/.ssh). You can always loosen them off later once you've got it working to see where the limits lie.
2. Unsuccessful login count too high. Our system is set to lock out when the unsuccessful login count exceeds 3 and this causes all sorts of problems.
3. Account expired - believe it or not this has caused a lot of problems but that might be our usage pattern.

Good luck trying those.

Ceci n'est pas une signature
Columb Healy
 
Permissions should be 700 on .ssh and 600 on authorized_keys and id_rsa.

Do ordinary ssh connections still work? If so, scp should still work with whatever authentication you're using for ssh. Is this the case?

- Rod


IBM Certified Advanced Technical Expert pSeries and AIX 5L
CompTIA Linux+
CompTIA Security+

 
Seems like we found the problem. We tested some changes to the home directory, 755 permissions were applied and it worked. Most of the documentation pointed to .ssh and its contents though...

At least we know it works now!! Next project will be to create a new user ID for all batch ftp jobs on all of my AIX servers and change all the scripts that are controlling the ftp as it currently stands.

Once again, thanks for the valuable advice gentlemen!!!

Later
kat000003
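
The permission chain that sshd's StrictModes walks before it will trust a user's authorized_keys (home directory, ~/.ssh, the file itself: each owned by the user or root and writable by nobody else) is what bit this thread. As an added example, not from any poster, here is a portable sh checker that reports exactly which link in that chain fails; it assumes an `ls -ld` whose third field is the owner, which holds on AIX and Linux.

```shell
#!/bin/sh
# Audit the ownership and permission chain that sshd's StrictModes checks
# before it will read a user's authorized_keys: the home directory, ~/.ssh
# and ~/.ssh/authorized_keys must be owned by the user (or root) and must not
# be writable by group or others. A 775 home directory fails this test and a
# 755 one passes, which is what resolved the thread.
# Usage: check_ssh_perms <user> <home-dir>  (one line per problem; exit 0 = clean)

# ls -ld is used instead of stat -c so this also runs on AIX.
mode_string() { ls -ld "$1" | cut -c1-10; }    # e.g. drwxrwxr-x
owner_of()    { ls -ld "$1" | awk '{print $3}'; }

# Fail if the group-write (column 6) or other-write (column 9) bit is set.
deny_group_other_write() {
    m=$(mode_string "$1")
    case "$m" in
        ?????w????|????????w?)
            echo "$1: writable by group or others ($m)"; return 1 ;;
    esac
    return 0
}

check_ssh_perms() {
    user=$1; home=$2; rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "$p: missing"; rc=1; continue
        fi
        o=$(owner_of "$p")
        # sshd accepts root-owned path components too, so do not flag those.
        if [ "$o" != "$user" ] && [ "$o" != root ]; then
            echo "$p: owned by $o, not $user"; rc=1
        fi
        deny_group_other_write "$p" || rc=1
    done
    return $rc
}

# Run as a command-line tool when given the two arguments.
if [ "$#" -eq 2 ]; then
    check_ssh_perms "$1" "$2"
fi
```

Note that sshd only rejects write access by group or others; 644 on authorized_keys is accepted, so the 700/600 recommended above is a tighter policy than the server enforces.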

 
This script is used on our systems to create new helpdesk users who need ssh key compatibility to use any system from any other. Note that throughout we use PIN where others use username.

Code:
#!/usr/bin/perl -w
use strict;
use Getopt::Std;

# Print an optional message, then the usage line, and stop.
sub printusage
  {
  print @_;
  print "Usage: $0 -p <PIN> -g <gecos>\n";
  exit 1;
  }

# Lowest UID in our range (16001-16999) that no host is using.
sub next_free_uid
  {
  my $hashref = shift;
  my $i;
  for ( $i = 16001; $hashref->{$i}; $i++ ){}
  $i < 17000 or printusage "No free uid left in the 16001-16999 range\n";
  return $i;
  }

# The PIN already exists somewhere: every host that has it must agree on the UID.
sub get_uid
  {
  my $hashref = shift;
  my $retval = 0;
  foreach my $uid ( values %{$hashref} )
    {
    $retval ||= $uid;
    $retval == $uid or printusage "Invalid mix of uids\nUse chkuser.pl to sort it out\n";
    }
  return $retval;
  }

my %opts;
# getopts() returns false on a bad switch (plain getopt() does not); 'g:' and 'p:' each take a value.
getopts ( 'g:p:', \%opts ) or printusage;
(! defined $opts{'g'}) || (! defined $opts{'p'}) and printusage "Missing parameter\n";
# Both values are pasted into ssh command lines run as root, so refuse shell metacharacters.
$opts{'p'} =~ /^[A-Za-z0-9_.-]+$/    or printusage "PIN may only contain A-Z, a-z, 0-9, _ . -\n";
$opts{'g'} =~ /^[A-Za-z0-9 _.,'-]+$/ or printusage "gecos contains characters that are unsafe on a command line\n";

my %uids;     # every UID in our range seen on any host
my %hostuid;  # host => UID this PIN already has there
my @hosts = qw ( host1 host2 host3 host4 host5 host6 host7 );
foreach my $host ( @hosts )
  {
  foreach ( `ssh $host "cat /etc/passwd"` )
    {
    my ( $pin, undef, $uid ) = split /:/;
    defined $uid or next;                       # skip blank or malformed lines
    ( $uid > 16000 ) && ( $uid < 17000 ) and $uids{$uid}++;
    $pin eq $opts{'p'} and $hostuid{$host} = $uid;
    }
  }
#
open OFH, '>', "$opts{'p'}.keys" or die "Unable to open keys file\n";
my $workinguid = ( scalar keys %hostuid ) ? get_uid(\%hostuid) : next_free_uid(\%uids);
foreach my $host ( @hosts )
  {
  # Only hosts that do not have the PIN yet get a new account and keyset.
  defined $hostuid{$host} or do
    {
    my $cmd = "ssh $host \"mkuser id=$workinguid pgrp=helpdesk gecos=\\\"$opts{'g'}\\\" $opts{'p'}\"";
    print "$cmd\n";
    system $cmd;
    $cmd = "ssh $host \"su - $opts{'p'} -c /usr/local/bin/mk_public_private_keys.ksh\"";
    print "$cmd\n";
    system $cmd;
    $cmd = "ssh $host \"ln -f /home/helpdesk/.profile /home/$opts{'p'}/.profile\"";
    print "$cmd\n";
    system $cmd;
    # Collect this host's new public key into the combined keys file.
    print OFH `ssh $host "cat /home/$opts{'p'}/.ssh/id_rsa.pub"`;
    };
  }
close OFH;

# Push the combined public keys to every host as authorized_keys (600, owned by the PIN).
foreach my $host ( @hosts )
  {
  my $fname = "/home/$opts{'p'}/.ssh/authorized_keys";
  my $cmd = "scp $opts{'p'}.keys $host:$fname";
  system $cmd;
  $cmd = "ssh $host \"chmod 600 $fname\"";
  system $cmd;
  $cmd = "ssh $host \"chown $opts{'p'}:helpdesk $fname\"";
  system $cmd;
  }
# Distribute the pre-built known_hosts the same way so the first hop never prompts.
foreach my $host ( @hosts )
  {
  my $fname = "/home/$opts{'p'}/.ssh/known_hosts";
  my $cmd = "scp known_hosts $host:$fname";
  system $cmd;
  $cmd = "ssh $host \"chmod 600 $fname\"";
  system $cmd;
  $cmd = "ssh $host \"chown $opts{'p'}:helpdesk $fname\"";
  system $cmd;
  }
What it does is:

- Find the lowest free UID between 16000 and 17000 (our user range)
- Create the new user with this ID on all the systems
- Create an SSH public/private keyset on each system
- Link in the .profile to a shared .profile (you probably won't want that bit)
- Copy the newly created public key into a temporary 'keys' file
- Once completed, the keys file is copied back as $HOME/.ssh/authorized_keys
- A previously created 'known_hosts' file is then copied round.
I can generate a new helpdesk user in under ten minutes. The initial investment was high but I'm reaping the returns.

Ceci n'est pas une signature
Columb Healy
 