SSH prompting for a password

Status
Not open for further replies.

mhauff65

Programmer
Apr 11, 2007
5
US
Problem:

I have generated key pairs using RSA on all three servers. I have copied the id_rsa.pub to the /$HOME/.ssh of all three servers involved. The permissions on .ssh/* are 600. Server A can ssh to server B & C without a password. server B can ssh to server C and vice versa; however server B & C can not ssh to server A without being prompted for a password. Here's output from server A SSHing to server B. I appreciate any help given. I need to figure this out. Thanks in advance.

mhauff65

[oracle@exproserv .ssh]$ ssh -v exproserv2
OpenSSH_3.9p1, OpenSSL 0.9.7a Feb 19 2003
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to exproserv2 [192.168.7.185] port 22.
debug1: Connection established.
debug1: identity file /home/oracle/.ssh/identity type -1
debug1: identity file /home/oracle/.ssh/id_rsa type 1
debug1: identity file /home/oracle/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.9p1
debug1: match: OpenSSH_3.9p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.9p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'exproserv2' is known and matches the RSA host key.
debug1: Found key in /home/oracle/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: publickey
debug1: Trying private key: /home/oracle/.ssh/identity
debug1: Offering public key: /home/oracle/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 149
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
Last login: Wed Apr 11 07:53:06 2007 from exproserv.extraquest.com
[oracle@exproserv2 ~]$ exit


Here's output from Server B SSHing to server A:
[oracle@exproserv2 ~]$ ssh -v exproserv
OpenSSH_3.9p1, OpenSSL 0.9.7a Feb 19 2003
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to exproserv [192.168.7.187] port 22.
debug1: Connection established.
debug1: identity file /opt/app/oracle/.ssh/identity type -1
debug1: identity file /opt/app/oracle/.ssh/id_rsa type 1
debug1: identity file /opt/app/oracle/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.9p1
debug1: match: OpenSSH_3.9p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.9p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'exproserv' is known and matches the RSA host key.
debug1: Found key in /opt/app/oracle/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: publickey
debug1: Trying private key: /opt/app/oracle/.ssh/identity
debug1: Offering public key: /opt/app/oracle/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Trying private key: /opt/app/oracle/.ssh/id_dsa
debug1: Next authentication method: password
oracle@exproserv's password:
 
In addition to copying the id_rsa.pub files to the various .ssh directories you need to copy that key into the authorized_keys file.

Take a look at this ssh how to - it does a very good job of explaining how to set it up. It covers, open to open, open to commercial, commercial to open and commercial to commercial.

 
As sbrews said, also be sure that the authorized_keys file has 600 permissions.
 
Folks, I apologize. I have set permissions on the authorized_keys2 to 600, and I have appended the id_rsa.pub to the authorized_keys2 file. Here are the commands I've used:

chmod 600 .ssh/*
cat id_rsa.pub >> .ssh/authorized_keys2
 
You need to start ssh key-agent to pass the correct identity for you, or establish the connection with the "-i" option.

Example of a connection from a client:

Code:
ssh -i /$HOME/.ssh/your_private_key address

Both methods are equally functional, but ssh-keyagent is preferred to manage a lot of password-protected keys.
Obviously, if you want to connect without a password prompt using the "-i" option, your private key needs to have no password.

QatQat

If I could have sex each time I reboot my server, I would definitely prefer Windoz over Linux!
 
QatQat Thanks for your suggestion.

Here's the output from the command:
[oracle@exproserv03 ~]$ ssh -i /home/oracle/.ssh/id_rsa exproserv
oracle@exproserv's password:


I've created these keys without a pass phrase. The .ssh directory has the proper permissions of 600 on them. I have appended the public keys to the authorized_keys2 file. Still I can not ssh to one of the three servers that I set up yesterday. I can ssh to 2 of the 3 servers without being prompted for a password; however 1 server I can not. I even tried the following and received this error.

[oracle@exproserv03 ~]$ ssh -o PasswordAuthentication=no exproserv
Permission denied (publickey,gssapi-with-mic,password).


Thanks in advance for any help given.
 
For the one that is not working - check the permissions of .ssh, the files in it and even the permissions on the home directory to one of the others that is working.

What you are describing sounds very much like a permissions issue.
 
Have you tried with a normal authorized_keys instead of authorized_keys2?
If I remember correctly, Mandriva should use authorized_keys2 but other distributions work with authorized_keys.
What distribution are you using?

QatQat

If I could have sex each time I reboot my server, I would definitely prefer Windoz over Linux!
 
To expand on sbrews' suggestion:
Check permissions of all the directories in the full path of your authorized_keys file, and make sure that nobody except for the owner and root has write permission.

e.g. if the path is /path/to/home/.ssh/authorized_keys, then you will have to check all of these:
/path/to/home/.ssh/authorized_keys
/path/to/home/.ssh
/path/to/home
/path/to
/path
/

hope this helps
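
The path walk described in the post above, as an added example (not code from the thread): a POSIX shell function that starts at the authorized_keys file and reports every component that is group- or world-writable or owned by someone other than the account or root. The name `check_key_path`, its optional stop-directory and uid arguments, and the sample tree are assumptions made for this example; it needs a `stat` that supports `-c` (GNU or BusyBox).

```sh
#!/bin/sh
# Added example: audit every path component above an authorized_keys file.
# Usage: check_key_path FILE [STOP_DIR] [UID]   (STOP_DIR defaults to /)

check_key_path() {
    path=$(readlink -f -- "$1") || return 2        # resolve symlinks first
    stop=$(readlink -f -- "${2:-/}") || return 2
    want_uid=${3:-$(id -u)}                        # account that should own the path
    bad=0
    while :; do
        info=$(stat -c '%a %u' "$path") || return 2
        mode=${info% *}
        uid=${info#* }
        # 022 = write bit for group and for other
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "WRITABLE by group/other: $path (mode $mode)"
            bad=1
        fi
        if [ "$uid" != 0 ] && [ "$uid" != "$want_uid" ]; then
            echo "WRONG OWNER (uid $uid): $path"
            bad=1
        fi
        case $path in
            "$stop"|/) break ;;
        esac
        path=$(dirname "$path")
    done
    return $bad
}

# Constructed sample tree: key file and .ssh are tight, but the home
# directory above them has been left group-writable.
demo() {
    root=$(mktemp -d) || return 2
    mkdir -p "$root/home/oracle/.ssh"
    : > "$root/home/oracle/.ssh/authorized_keys"
    chmod 700 "$root" "$root/home" "$root/home/oracle/.ssh"
    chmod 600 "$root/home/oracle/.ssh/authorized_keys"
    chmod 775 "$root/home/oracle"
    check_key_path "$root/home/oracle/.ssh/authorized_keys" "$root"
    rc=$?
    rm -rf "$root"
    return $rc
}

demo || echo "=> tighten the entries listed above, then retry ssh"
```

On a real host, call `check_key_path ~/.ssh/authorized_keys` as the target account on both a working and a failing server and compare the output.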
 