
SSH - Password-less login

Status
Not open for further replies.

NavinB

Technical User
Apr 11, 2001
277
GB
Hi,

I have a batch script which should run through ssh without any password authentication. I got this information and set it up like this only.

user@host1> cd; mkdir .ssh
user@host1> ssh-keygen -t rsa -N '' -f .ssh/id_rsa
user@host1> scp .ssh/id_rsa.pub user@host2:user_host1_key #requires password
user@host1> ssh -l user host2 'mkdir .ssh; cat user_host1_key >> .ssh/authorized_keys' #requires password
user@host1> ssh -l user host2 'ls -la' #Does NOT require password

This is working from one server to another. But when I try the same thing from second to one, it is still asking me for the password.

Do I need to make any changes in ssh_config or sshd_config file and what are the changes?

Thanx...
 
Hi,
keep in mind that priv/pub keys should reside in
~/.ssh/id_rsa and ~/.ssh/id_rsa.pub respectively.
Pub key of host1 has to be in .ssh/authorized_keys sited on host2 and pub key of host2 has to be in .ssh/authorized_keys on host1.
The file names are default names. If you choose another one you have to specify it for the ssh-command (ssh -i <keyFile>...).
Keep also in mind that ssh has a very strict security policy. ~/.ssh must not have permissions for group or others. Same as for the key files in that directory.

If you don't get it right with these hints, check out the -v, -vv and -vvv flags, which provide you with a lot of debug stuff.
Instead of specifying an empty password with "-N" I prefer answering ssh-keygen's prompt.


Michael.
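The permission rule from the post above, as an added example that is not part of the original thread: a check that reports a ~/.ssh directory or key file that is too open. The function names, the mask choices (no group/other access for the directory and private keys, no group/other write for public files) and the scratch directory are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): report ~/.ssh permission problems of
# the kind that make key login fail and fall back to the password prompt.

# Octal mode of a path: GNU stat first, BSD/macOS stat as fallback.
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# True if octal mode $1 shares any permission bit with octal mask $2.
has_bits() { [ $(( 0$1 & 0$2 )) -ne 0 ]; }

# check_ssh_dir DIR: print one line per problem; return 1 if any was found.
check_ssh_dir() {
    dir=$1; bad=0
    [ -d "$dir" ] || { echo "MISSING $dir"; return 1; }
    # The directory must not be accessible to group or others at all.
    if has_bits "$(mode_of "$dir")" 077; then
        echo "BAD $dir mode $(mode_of "$dir"), want 700"; bad=1
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case ${f##*/} in
            # Public material only has to be protected against modification.
            *.pub|authorized_keys|known_hosts|config) mask=022; want=644 ;;
            # Everything else is treated as a private key (assumption).
            *) mask=077; want=600 ;;
        esac
        if has_bits "$(mode_of "$f")" "$mask"; then
            echo "BAD $f mode $(mode_of "$f"), want $want or stricter"; bad=1
        fi
    done
    return "$bad"
}

# Constructed sample: a scratch directory standing in for ~/.ssh.
make_sample() {
    d=$(mktemp -d) && chmod 755 "$d"
    : > "$d/id_rsa";          chmod 644 "$d/id_rsa"           # too open
    : > "$d/id_rsa.pub";      chmod 644 "$d/id_rsa.pub"       # fine
    : > "$d/authorized_keys"; chmod 664 "$d/authorized_keys"  # group-writable
    echo "$d"
}

sample=$(make_sample)
check_ssh_dir "$sample" || echo "fix: chmod 700 DIR; chmod 600 DIR/id_rsa DIR/authorized_keys"
rm -rf "$sample"
```

Run `check_ssh_dir "$HOME/.ssh"` on both hosts; the home directory itself is not covered by this check.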
 
Thanks for the info...
I tried using both interactive and cmd line of ssh-keygen
but still the prob was the same.
Ultimately, I found out that an entry has to be made in sshd_config file
RhostsRSAAuthentication yes
HostbasedAuthentication yes
and few others as well....
 
Well,
setting these options to "yes" results in relying on the rather insecure authentication model that is used by the aged r services (rsh, rlogin etc.).
The defaults were well considered and one should decide which model he relies on in the future.
Otherwise there is frankly no need for secure shell, most of the things could be implemented using rsh or rcp (ok, encoding the data of course is one big point).

Michael.
 
What does the ssh_config need to allow in order to allow 'password-less' configuration for ssh?

I am curious as to how you 'force' a remote server (remoteserver1) to allow RSAAuthentication on ssh(2)? On the secure server I am trying to access, my debug output reads as follows:

debug1: Authentications that can continue: password
debug1: Next authentication method: password

I am under the impression it needs to say that it will allow a different authentication method - but how can I achieve that from the client box? In other words, can the change only be made in the system /etc/ssh/ssh_config file? If it can be 'forced' elsewhere, how do I allow it?

For instance, a separate ssh, web server (remoteserver2) that I run has ssh access and it says:

debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /Users/gregory/.ssh/identity
debug1: Trying private key: /Users/gregory/.ssh/id_rsa
debug1: Offering public key: /Users/gregory/.ssh/id_dsa

But I am not sure, if it is even possible to make remoteserver1 allow the authentication methods that remoteserver2 already employs?

Sorry for such a long post, but I am vexed by this question and feel like I am stabbing in the dark for answers.

-gregory
 
Hi,

Do the following settings :-

Create a file .shosts in user's home directory having entries as shown:-
other_server userid

Create a dir .ssh in user's home directory having following files:
id_rsa.pub
id_rsa
authorized_keys

Similarly create a file .shosts and dir .ssh on other server with all the files mentioned above

Note: contents of id_rsa.pub(server 1) are copied to authorized_keys(server 2) and vice-versa

Change the contents of the /usr/local/etc/sshd_config file on the server with the following new settings:-

Port 22
Protocol 2
HostKey /usr/local/etc/ssh_host_key
HostKey /usr/local/etc/ssh_host_rsa_key
HostKey /usr/local/etc/ssh_host_dsa_key
PermitRootLogin no
StrictModes yes
RSAAuthentication yes
IgnoreRhosts no
RhostsRSAAuthentication yes
HostbasedAuthentication yes
ChallengeResponseAuthentication no
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
KeepAlive yes
UseLogin no
UsePrivilegeSeparation no
Compression yes
Banner /etc/issue
Subsystem sftp /usr/local/libexec/sftp-server

And then re-start the ssh daemon...
See if this helps...
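An added example, not part of the original thread: a small audit that flags the sshd_config lines which switch on the rhosts and host-based trust model discussed in this thread, or switch off per-user keys. The function names, the finding texts and both sample files are constructed for this example; it assumes whitespace-separated "Keyword value" lines.

```shell
#!/bin/sh
# Added example (not from the thread): flag sshd_config lines that enable
# rhosts/host-based trust or disable public-key authentication.

# audit_sshd_config FILE: print one finding per line; return 1 if any.
audit_sshd_config() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }       # skip blank lines and comments
        {
            key = tolower($1)               # keywords are case-insensitive
            if (key in seen) next           # sshd keeps the first value it reads
            seen[key] = 1
            why = ""
            if (key == "rhostsrsaauthentication" && $2 == "yes") why = "the client host, not a user key, vouches for the login"
            if (key == "hostbasedauthentication" && $2 == "yes") why = "the client host, not a user key, vouches for the login"
            if (key == "ignorerhosts" && $2 == "no") why = "per-user .rhosts/.shosts files are honoured"
            if (key == "pubkeyauthentication" && $2 == "no") why = "per-user key login is switched off"
            if (key == "strictmodes" && $2 == "no") why = "file permission checks are skipped"
            if (why != "") { printf "line %d: %s %s -> %s\n", NR, $1, $2, why; bad = 1 }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample 1: the trust-related lines of the configuration above.
write_posted() {
    cat > "$1" <<'EOF'
Protocol 2
StrictModes yes
IgnoreRhosts no
RhostsRSAAuthentication yes
HostbasedAuthentication yes
EOF
}

# Constructed sample 2: the same options set for per-user key login only.
write_keys_only() {
    cat > "$1" <<'EOF'
Protocol 2
StrictModes yes
IgnoreRhosts yes
HostbasedAuthentication no
PubkeyAuthentication yes
EOF
}

tmp=$(mktemp)
write_posted "$tmp";    audit_sshd_config "$tmp" || echo "=> host trust is enabled"
write_keys_only "$tmp"; audit_sshd_config "$tmp" && echo "=> per-user keys only"
rm -f "$tmp"
```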
 
Hi Gregory,
the man page sshd_config states that the option RSAAuthentication only applies to version 1. So if the remote server is strictly bound to protocol 2 (you wrote ssh(2), which means protocol 2, right?) there is no way to force it to speak protocol 1.
On the other hand, presuming the remote server does protocol 2 and you definitely want to communicate via protocol 2 (look at the defaults you set in ssh_config), you can force your client (ssh, scp or whatever) to use the desired protocol through the appropriate options (ssh option -2 for example).
Password-less authentication (that should be public key authentication) is set by PubKeyAuthentication and defaults to "Yes".
If you don't need encryption and can rely on .rhost authentication the rServices serve well.
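An added example, not part of the original thread: reading saved `ssh -v` output to tell a server that does not allow public keys (the remoteserver1 excerpt) from one that does (the remoteserver2 excerpt). The function names and verdict words are assumptions of this example, and the two sample logs are constructed from the debug lines quoted in the question.

```shell
#!/bin/sh
# Added example (not from the thread): classify saved `ssh -v` output.

# First list of acceptable methods the server sent.
server_methods() {
    sed -n 's/^debug1: Authentications that can continue: //p' "$1" | head -n 1
}

# Keys the client actually offered. "Trying private key" lines are not
# counted: they can also be logged for identity files that are absent.
keys_offered() {
    grep -c '^debug1: Offering public key: ' "$1" || true
}

# classify LOG: print a one-word verdict.
classify() {
    case ",$(server_methods "$1")," in
        ,,) echo no-method-list ;;
        *,publickey,*)
            if [ "$(keys_offered "$1")" -eq 0 ]; then
                echo client-offered-no-key   # check ~/.ssh/id_rsa or ssh -i
            else
                echo key-was-offered         # rejected? check authorized_keys
            fi ;;
        *)  echo server-disallows-publickey ;;  # a server-side sshd setting
    esac
}

# Constructed samples built from the two debug excerpts in the question.
write_log_server1() {
    cat > "$1" <<'EOF'
debug1: Authentications that can continue: password
debug1: Next authentication method: password
EOF
}
write_log_server2() {
    cat > "$1" <<'EOF'
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /Users/gregory/.ssh/identity
debug1: Trying private key: /Users/gregory/.ssh/id_rsa
debug1: Offering public key: /Users/gregory/.ssh/id_dsa
EOF
}

log=$(mktemp)
write_log_server1 "$log"; echo "remoteserver1: $(classify "$log")"
write_log_server2 "$log"; echo "remoteserver2: $(classify "$log")"
rm -f "$log"
```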
 