I am trying to set up a password-less SSH configuration between two machines and I am having a problem. There are a ton of howtos out there that I have followed and have had no success. Here are the steps that I’ve taken:
- Generate the authentication keys on the client. (Pressed enter when prompted for a passphrase)
  [root@box1:.ssh/$] ssh-keygen -t rsa
- Copy the public key to the server.
  [root@box1:.ssh/$] scp id_rsa.pub root@box2:.ssh/authorized_keys
- Verified the authorized key was created successfully on the server
- Executed the following command:
  [root@box1:.ssh/$] ssh root@box2 ls
And I was still prompted for a password. I read a note on one howto that said “depending on the version of SSH that is running…” (although it did not specify which versions needed this), it might require:
- The public key in .ssh/authorized_keys2
- Permissions of .ssh to 700
- Permissions of .ssh/authorized_keys2 to 640
I also followed those steps and had no success. I have verified that the home, root, and .ssh directories are not writable by group (according to https://unix.stackexchange.com/tags/ssh/info).
Anyone have any ideas what I’m missing?
Thanks
EDIT: I also copied the public key to the second box using the ssh-copy-id command and that generated the .ssh/authorized_keys file.
[root@box1:.ssh/$] ssh-copy-id -i id_rsa.pub root@box2
EDIT2: Including version information
// box1 (system keys were generated on)
- Linux 2.6.34
- OpenSSH_5.5p1 Debian-6, OpenSSL 0.9.8o 01 June 2010
// box2
- Linux 2.6.33
- Dropbear client v0.52
EDIT3: Debug output
[root@box1:.ssh/$] ssh -vvv root@box2 ls
OpenSSH_5.5p1 Debian-6, OpenSSL 0.9.8o 01 Jun 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to box2 [box2] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug3: Not a RSA1 key file /root/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /root/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version dropbear_0.52
debug1: no match: dropbear_0.52
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.5p1 Debian-6
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,3des-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes256-cbc,twofish256-cbc,twofish-cbc,twofish128-cbc,blowfish-cbc
debug2: kex_parse_kexinit: aes128-ctr,3des-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes256-cbc,twofish256-cbc,twofish-cbc,twofish128-cbc,blowfish-cbc
debug2: kex_parse_kexinit: hmac-sha1-96,hmac-sha1,hmac-md5
debug2: kex_parse_kexinit: hmac-sha1-96,hmac-sha1,hmac-md5
debug2: kex_parse_kexinit: zlib,zlib@openssh.com,none
debug2: kex_parse_kexinit: zlib,zlib@openssh.com,none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug2: dh_gen_key: priv key bits set: 132/256
debug2: bits set: 515/1024
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug3: check_host_in_hostfile: host 192.168.20.10 filename /root/.ssh/known_hosts
debug3: check_host_in_hostfile: host 192.168.20.10 filename /root/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 3
debug1: Host 'box2' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:3
debug2: bits set: 522/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /root/.ssh/id_rsa (0x54b1c340)
debug2: key: /root/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /root/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /root/.ssh/id_dsa
debug3: no such identity: /root/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
EDIT4: Another interesting development. Instead of generating the keys on box1 (running OpenSSH) and copying them to box2 (running dropbear) I did it in reverse:
[root@box2:.ssh/$] dropbearkey -t rsa -f id_rsa
[root@box2:.ssh/$] dropbearkey -y -f id_rsa | grep "^ssh-rsa" >> authorized_keys
[root@box2:.ssh/$] scp authorized_keys root@box1:.ssh/
And with that I am successfully able to issue commands password-less from box2 to box1 ONLY if I specify the ID file:
[root@box2:.ssh/$] ssh -i id_rsa root@box1 ls
Still unable to issue commands from box1 (OpenSSH) to box2 (dropbear).
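A triage helper for the -vvv trace in EDIT3, added here as an example and not part of the original post. The OpenSSH client prints "Offering public key: ..." when it sends a key to the server and "Server accepts key: ..." when the server acknowledges it. When the line that follows the offer is another "Authentications that can continue", as in the trace above, the server rejected the key without saying why, and the cause has to be found on the server side (its log, the authorized_keys contents, the ownership and mode of the home directory, ~/.ssh and the key file). If no "Offering public key" line appears at all, the client never loaded a usable identity. The sample trace is a constructed excerpt of the lines in EDIT3.

```shell
# Classify an `ssh -vvv` trace by what happened to the public-key offer.
# Prints one verdict on stdout and a hint on stderr:
#   accepted     the server acknowledged a key ("Server accepts key")
#   rejected     a key was offered but the server only answered with another
#                "Authentications that can continue": a server-side problem
#   not-offered  no identity was offered at all: a client-side problem
# Usage: classify_ssh_debug <trace_file>
classify_ssh_debug() {
    trace=$1
    if grep -q 'Server accepts key' "$trace"; then
        echo accepted
    elif grep -q 'Offering public key' "$trace"; then
        grep 'Offering public key' "$trace" | sed 's/^.*Offering public key: /offered: /' >&2
        echo "hint: server rejected the key; check authorized_keys contents, ownership/mode of ~, ~/.ssh and authorized_keys, and the server log" >&2
        echo rejected
    else
        grep 'identity file .* type -1' "$trace" | sed 's/^.*identity file /not loaded: /' >&2
        echo "hint: no key was offered; check -i / IdentityFile and that the private key is readable" >&2
        echo not-offered
    fi
}

# Constructed excerpt of the EDIT3 trace, written to a temp file so the
# function can be exercised stand-alone. Prints the file name.
sample_trace() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
debug1: identity file /root/.ssh/id_rsa type 1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /root/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password
EOF
    echo "$f"
}
```

Run it as `ssh -vvv root@box2 ls 2> trace.txt; classify_ssh_debug trace.txt`; on the trace above it reports "rejected", which is why the client-side checks in the question could not find anything.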
Answers:
Method 1
I found the source of the problem. There was a vague message in /var/log/messages about strange ownership that tipped me off. So I checked, and the permissions of /root, /root/.ssh, and /root/.ssh/* were all correct (700), but the ownership was default.default. I’m not sure how that happened… but I ran:
[root@box1:.ssh/$] chown root.root /root
[root@box1:.ssh/$] chown root.root /root/.ssh
[root@box1:.ssh/$] chown root.root /root/.ssh/*
That changed the ownership to root, and passwordless login works in both directions.
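A check for the conditions the question and Method 1 go through by hand, added here as an example and not part of either post. Both OpenSSH (with StrictModes, its default) and Dropbear refuse a key silently unless the home directory, ~/.ssh and ~/.ssh/authorized_keys are owned by the login user (or root) and are not writable by group or others; the question verified the modes but, as Method 1 found, not the owner. The function assumes GNU stat(1) (the BSD form is tried as a fallback) and takes the home directory explicitly so it can be pointed at a scratch tree.

```shell
# Audit the ownership and permission rules that both OpenSSH (StrictModes)
# and Dropbear apply before they use a key from ~/.ssh/authorized_keys:
# the home directory, ~/.ssh and the key file must be owned by the login
# user (or root) and must not be writable by group or others. A failure
# makes the server ignore the key, so the client only sees a password prompt.
#
# Usage: audit_ssh_perms <user name or numeric uid> <home dir>
# Prints one line per path and returns 0 when all three pass, 1 otherwise.
# Assumes GNU stat(1); the BSD/macOS form is tried as a fallback.
audit_ssh_perms() {
    user=$1
    home=$2
    uid=$(id -u "$user" 2>/dev/null || echo "$user")   # accept a name or a numeric uid
    rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING $p"
            rc=1
            continue
        fi
        owner=$(stat -c '%U' "$p" 2>/dev/null || stat -f '%Su' "$p")
        ouid=$(stat -c '%u' "$p" 2>/dev/null || stat -f '%u' "$p")
        mode=$(stat -c '%a' "$p" 2>/dev/null || stat -f '%OLp' "$p")
        problem=""
        if [ "$ouid" != "$uid" ] && [ "$ouid" != 0 ]; then
            problem="owned by $owner (uid $ouid), expected uid $uid or root"
        fi
        # 022 masks the group-write and other-write bits of the octal mode
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            problem="${problem:+$problem; }mode $mode is group/world writable"
        fi
        if [ -n "$problem" ]; then
            echo "FAIL    $p: $problem"
            rc=1
        else
            echo "ok      $p ($owner $mode)"
        fi
    done
    return $rc
}
```

On the server, run it for the account you log in as, e.g. `audit_ssh_perms root /root`; an ownership failure is fixed with the chown commands in Method 1, a mode failure with `chmod 700 ~/.ssh` and `chmod 600 ~/.ssh/authorized_keys`.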
Method 2
Can you confirm whether root login via SSH is allowed? keygen usually prompts for a password. Did you set a passphrase during keygen? If yes, then it is prompting for that password. If you want password-less access for a headless account, create private keys without a passphrase.
Method 3
From the Debug: debug2: key_type_from_name: unknown key type '-----BEGIN' it looks like you have an improperly formatted authorized_keys file.
Removing the first (two?) lines, the last line (—–End) and any other line breaks should fix the problem.
The key file for Linux does not use the same keyfile as many Windows (and some Linux) generators. PuTTY, for example, starts private keys as ---- BEGIN SSH2 PUBLIC KEY ---- but Linux is looking for ssh-rsa AAAAB3NzaC1yc2E...G8HAaGz8ob6IXx3841ASs= user@host
The full specification can be found here: http://man.he.net/man5/authorized_keys
But the short version is:
* No line breaks
* Starts with the protocol (ssh-rsa, ssh-dsa)
* Public key
* Ends with “=” and the key name
Let me know if this helps
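To check a file against the rules Method 3 lists, here is an added example; it is not from the answer or from OpenSSH. A valid line is `[options] <key type> <base64 blob> [comment]`, and the blob must decode to a length-prefixed string equal to the key type (the bytes 00 00 00 07 "ssh-rsa"), which is why every RSA public key line begins with "AAAAB3NzaC1yc2E" as in the answer's example. A key split across lines therefore fails the decode check, and an RFC 4716 / PuTTY "---- BEGIN SSH2 PUBLIC KEY ----" block is reported with the real `ssh-keygen -i -m RFC4716 -f <file>` conversion. The code assumes a base64(1) that accepts -d (GNU coreutils or busybox), a POSIX awk and dd; the sample key material in the usage note is a constructed 21-byte blob, not a real key.

```shell
# Validate authorized_keys lines against the one-line OpenSSH format.
# sshd silently ignores lines it cannot parse, so each line is reported.
# Assumes base64(1) with -d (GNU coreutils or busybox), POSIX awk and dd.

# validate_pubkey_line <line>  -> 0 if parseable, 1 otherwise (reason on stdout)
validate_pubkey_line() {
    line=$1
    case $line in
        '#'*|'') echo "skip: comment or blank"; return 0 ;;
        '---- BEGIN SSH2 PUBLIC KEY ----'*|'---- END SSH2 PUBLIC KEY ----'*)
            echo "bad: RFC 4716/PuTTY wrapper; convert with: ssh-keygen -i -m RFC4716 -f <file>"
            return 1 ;;
        '-----BEGIN '*|'-----END '*)
            echo "bad: PEM header; this is a private key or a wrapped key, not a public key line"
            return 1 ;;
    esac
    # The first field that looks like a key type; anything before it is options.
    set -- $(printf '%s\n' "$line" | awk '{ for (i = 1; i <= NF; i++)
        if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $i, $(i + 1); exit } }')
    type=$1
    blob=$2
    if [ -z "$type" ]; then
        echo "bad: no key type field (ssh-rsa, ssh-ed25519, ecdsa-sha2-*, ...)"
        return 1
    fi
    case $blob in
        '') echo "bad: $type has no base64 key material"; return 1 ;;
        *[!A-Za-z0-9+/=]*) echo "bad: key material is not base64 (line break or stray characters?)"; return 1 ;;
    esac
    # The decoded blob starts with a 4-byte big-endian length and the type string;
    # a truncated blob (key wrapped over several lines) fails here.
    hdr=$(printf '%s' "$blob" | base64 -d 2>/dev/null \
          | dd bs=1 skip=4 count="${#type}" 2>/dev/null | tr -cd 'A-Za-z0-9@.-')
    if [ "$hdr" != "$type" ]; then
        echo "bad: base64 blob does not encode a $type key (decoded header: '$hdr')"
        return 1
    fi
    echo "ok: $type"
    return 0
}

# check_authorized_keys <file>  -> 0 if every line is parseable, 1 otherwise
check_authorized_keys() {
    rc=0
    n=0
    while IFS= read -r l || [ -n "$l" ]; do
        n=$((n + 1))
        printf 'line %d: ' "$n"
        validate_pubkey_line "$l" || rc=1
    done < "$1"
    return $rc
}
```

`check_authorized_keys ~/.ssh/authorized_keys` prints one verdict per line; for instance `validate_pubkey_line 'ssh-rsa AAAAB3NzaC1yc2EAAAABAwAAAAEF root@box1'` (a constructed minimal blob: the ssh-rsa type string followed by two one-byte integers) prints `ok: ssh-rsa`, while the same key broken over two lines is reported as not encoding an ssh-rsa key.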
All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0