13

I issued ssh username@db2workgoup -n "echo `cat ~/.ssh/id_dsa.pub` >> ~/.ssh/authorized_keys" and then checked that the key was stored in authorized_keys file. But ssh is still asking for the password. I used the same for other servers within our company without any troubles.

Someone can help me to ssh without password prompt?

  • ssh from OSX
  • ssh to openSUSE 11.2 (x86_64)
  • permissions are for home dir, .ssh dir and authorised_keys file 700 or less

/var/log/messages has entry ec 9 11:09:53 db2workgroup automount[3506]: update_negative_cache: key ".user.ini" not found in map. from the time I tried to log in .

output from ssh -vvv

radek:~ radek$ ssh -vvv root@db2workgroup
OpenSSH_5.2p1, OpenSSL 0.9.8k 25 Mar 2009
debug1: Reading configuration data /etc/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to db2workgroup [10.0.0.22] port 22.
debug1: Connection established.
debug1: identity file /Users/radek/.ssh/identity type -1
debug1: identity file /Users/radek/.ssh/id_rsa type -1
debug3: Not a RSA1 key file /Users/radek/.ssh/id_dsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /Users/radek/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.2
debug1: match: OpenSSH_5.2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.2
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 133/256
debug2: bits set: 518/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /Users/radek/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 12
debug3: check_host_in_hostfile: filename /Users/radek/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 12
debug1: Host 'db2workgroup' is known and matches the RSA host key.
debug1: Found key in /Users/radek/.ssh/known_hosts:12
debug2: bits set: 509/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /Users/radek/.ssh/identity (0x0)
debug2: key: /Users/radek/.ssh/id_rsa (0x0)
debug2: key: /Users/radek/.ssh/id_dsa (0x100123c50)
debug1: Authentications that can continue: publickey,keyboard-interactive
debug3: start over, passed a different list publickey,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /Users/radek/.ssh/identity
debug3: no such identity: /Users/radek/.ssh/identity
debug1: Trying private key: /Users/radek/.ssh/id_rsa
debug3: no such identity: /Users/radek/.ssh/id_rsa
debug1: Offering public key: /Users/radek/.ssh/id_dsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,keyboard-interactive
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:
gkubed
  • 103
Radek
  • 2,993
  • 18
  • 39
  • 52
  • 2
    Can you get access to the server logs? There might be a clue there, from sshd telling why it rejected the key. I don't remember how logs are organized on SuSE, possibly /var/log/auth.log, but anyway look for a log entry from the date of your login attempt. – Gilles 'SO- stop being evil' Dec 08 '11 at 23:41
  • I forgot to mention when writing my question that I cannot find sshd log. /var/log/auth.log doesn't exit and nothing similar in /var/log – Radek Dec 09 '11 at 00:08
  • And I don't have /etc/syslog.conf on my server. – Radek Dec 09 '11 at 00:10
  • Added line from /var/log/messages – Radek Dec 09 '11 at 00:12
  • 1
    Do you have PasswordAuthentication no in your sshd_config? – jasonwryan Dec 09 '11 at 00:31
  • Is your home directory automounted? By what technology and with what configuration? I've seen something like this before: automounted home, and a race condition in the automounter that made it trigger the mount, then answer “file not found” on the ssh key, then finish mounting so that the home directory would be there by the time I'd typed my password. If you start a second connection while already successfully logged in, does it work? – Gilles 'SO- stop being evil' Dec 09 '11 at 00:34
  • @Gilles: 1) mount gives me map auto_home on /home (autofs, automounted, nobrowse) 2) Second connection while already sucessfully logged in still requires password. – Radek Dec 09 '11 at 00:51
  • Might also try GSSAPIAuthentication=no; I've found that this interferes with PubkeyAuthentication. – Arcege Dec 09 '11 at 00:54
  • @jasonwryan: do you want to create an answer? I will accept it. There was #AuthorizedKeysFile /usr/NX/home/nx/.ssh/authorized_keys2 in the config. I guess someone just copied the conf whithout editing. Using standard AuthorizedKeysFile .ssh/authorized_keys solved the issue.Thank you. – Radek Dec 09 '11 at 00:54
  • Can you temporarily run sshd in debug mode? Run sshd -p2222 -dd, if you can, and post the traces when you connect to that port. SSH daemon traces have a lot of private information, you may need to edit out confidential or private bits before posting. – Gilles 'SO- stop being evil' Dec 09 '11 at 00:56
  • Maybe this post could be related. Cross site: Git on Bitbucket: Always asked for password, even after uploading my public SSH key or Git keeps prompting me for a password on Stackoverflow – Cadoiz Sep 14 '22 at 13:49

6 Answers6

8

In the past, I came across some tutorials that describe how to achieve a ssh password-less setup but some are sadly wrong.

Let's start over again and check every step:

  1. FROM CLIENT - Generate key: ssh-keygen -t rsa
  • Public and private key (id_rsa.pub and id_rsa) will be automatically stored in the ~/.ssh/ directory.
  • Setup will be easier if you use an empty passphrase. If you are not willing to do that, then still follow this guide, but also check the bullet point below.

  1. FROM CLIENT - Copy public key to server : ssh-copy-id user@server
  • Client public key will be copied to server's location ~/.ssh/authorized_keys.

  1. FROM CLIENT - Connect to server: ssh user@server

Now, if it's still not working after the described 3 steps, let's try the following:

  • Check ~/.ssh folder permissions in client and server machine.
  • Check /etc/ssh/sshd_config in the server to ensure that RSAAuthentication, PubkeyAuthentication and UsePAM options aren't disabled, as they are enabled by default with yes.
  • If you entered a passphrase while generating your client key, then you may try ssh-agent & ssh-add to achieve password-less connections in your session.
  • Check the contents of /var/log/auth.log on the server to find the issue why key authentication is skipped at all.
marc
  • 2,427
7

I found the solution based on jasonwryan's comment under my question.

There was #AuthorizedKeysFile /usr/NX/home/nx/.ssh/authorized_keys2 in the /etc/ssh/sshd_config sshd config file. Changing the entry to standard AuthorizedKeysFile .ssh/authorized_keys solved the issue.

Toby Speight
  • 8,678
Radek
  • 2,993
  • 18
  • 39
  • 52
  • One more thing to note is, if you give custom name for the key, then the key will be stored in current directory which won't work if key doesn't resides inside ~/.ssh/ path. Hence browse to ~/.ssh/ and then run ssh-keygen. – learner Oct 08 '17 at 08:30
0

As @marc mentions, I believe the first thing to do is to check for the cause of error in /var/log/auth.log.

Just to bring up my case, which might not be so uncommon, I got a "bad ownership or modes" error.

...
... sshd[14396]: Authentication refused: bad ownership or modes for file /home/foo/.ssh/authorized_keys

which immediately brought me to the issue: the file was editable by group and others.

Indeed, as recommended in the manual page of ssh:

    ~/.ssh/authorized_keys
         Lists the public keys (DSA, ECDSA, Ed25519, RSA) that can be used for logging
         in as this user.  The format of this file is described above.  The content of
         the file is not highly sensitive, but the recommended permissions are
         read/write for the user, and not accessible by others.

(A chmod 644 did worked for me)

Cadoiz
  • 276
Campa
  • 131
0

I spent long time on /etc/ssh/sshd_config. At the end, it was about the file permission of the following:

  • not only ~/.ssh/authorized_keys but also.
  • ~/.ssh directory (700)
  • ~ directory (700)
ls -la ~/.ssh
total 20
drwx------. 2 user user   76 Aug 10 11:23 .
drwx------. 8 user user 4096 Nov 22  2020 ..
-rw-------. 1 user user 1648 Aug  9 09:57 authorized_keys  
-rw-------. 1 user user 1675 Aug 10 11:22 id_rsa
-rw-r--r--. 1 user user  419 Aug 10 11:22 id_rsa.pub       
-rw-r--r--. 1 user user 1909 Aug 10 11:23 known_hosts
Abdennour TOUMI
  • 902
-1

If you have already done with all the steps like generating the keys, putting a copy on server, you can try running ssh-add on your local.

Also you can check the permission of the key files. However that problem throws a different kind of error.

sprksh
  • 101
-2

Also check the 'AllowUsers' setting in /etc/ssh/sshd_config: Mine was set to only allow a single user to log in so all others were forbidden which is why it asked for a password (oddly - would have thought it would just refuse access).

If you're just wanting to open up a connection to other hosts in the same network then you can be restrictive and add a subnet suffix to the username.

eg.,

AllowUsers adminusr localusr@192.168.9.0/24

will allow access to a user called 'localusr' in the given subnet.

Volksman
  • 97