AIX

  • 1.  A "correct" way to setup passwordless ssh

    Posted Fri February 08, 2008 11:09 AM

    Originally posted by: Yanuly


    Hi,
    I've been searching high and low on the Internet for a document explaining the correct way to set up passwordless ssh between two AIX servers using openssh. The search returned many similar documents, all of which explain a seemingly simple procedure that I haven't been able to make work:
    $ ssh-keygen -t rsa or dsa (for this example "X")
    Generating public/private X key pair.
    Enter file in which to save the key (/root/.ssh/X):
    Created directory '/root/.ssh'.
    Enter passphrase (empty for no passphrase): (I've left this empty)
    Enter same passphrase again:
    Your identification has been saved in /root/.ssh/id_X.
    Your public key has been saved in /root/.ssh/id_X.pub.
    The key fingerprint is:
    98:da:8d:48:a8:09:44:b1:b3:62:51:2d:a9:6b:61:ba root@remotehost
    $ cat ./.ssh/X.pub | ssh mc@remotehost 'cat >> .ssh/authorized_keys';
    I've generated both types of keys, verified that the .ssh dir has 700 permits and its files 600, and still it asks me for a password. I wonder if there is an additional config to change in sshd_config or elsewhere. This is my debug output.
    /home/revapp/.ssh>ssh -v revapp@tonga df
    OpenSSH_4.1p1, OpenSSL 0.9.7d 17 Mar 2004
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Failed dlopen: /usr/krb5/lib/libkrb5.a(libkrb5.a.so): 0509-022 Cannot load module /usr/krb5/lib/libkrb5.a(libkrb5.a.so).
    0509-026 System error: A file or directory in the path name does not exist.

    debug1: Error loading Kerberos, disabling Kerberos auth.
    debug1: Connecting to tonga http://xx.xx.xx.xx port 22.
    debug1: Connection established.
    debug1: identity file /home/revapp/.ssh/identity type -1
    debug1: identity file /home/revapp/.ssh/id_rsa type -1
    debug1: identity file /home/revapp/.ssh/id_dsa type -1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_4.1
    debug1: match: OpenSSH_4.1 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_4.1
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-cbc hmac-md5 none
    debug1: kex: client->server aes128-cbc hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Host 'tonga' is known and matches the RSA host key.
    debug1: Found key in /home/revapp/.ssh/known_hosts:1
    debug1: ssh_rsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey,password,keyboard-interactive
    debug1: Next authentication method: publickey
    debug1: Trying private key: /home/revapp/.ssh/identity
    debug1: Trying private key: /home/revapp/.ssh/id_rsa
    debug1: Trying private key: /home/revapp/.ssh/id_dsa
    debug1: Next authentication method: keyboard-interactive
    debug1: Authentications that can continue: publickey,password,keyboard-interactive
    debug1: Next authentication method: password
    revapp@tonga's password:

    It seems to be accepting the rsa or dsa keys but still goes down the password path. Any help would be appreciated.
    Thanks!


  • 2.  Re: A "correct" way to setup passwordless ssh

    Posted Fri February 08, 2008 11:20 AM

    Originally posted by: SystemAdmin


    I am not sure what the answer is, but here is a successful key exchange:

    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Failed dlopen: /usr/krb5/lib/libkrb5.a(libkrb5.a.so): 0509-022 Cannot load module /usr/krb5/lib/libkrb5.a(libkrb5.a.so).
    0509-026 System error: A file or directory in the path name does not exist.

    debug1: Error loading Kerberos, disabling Kerberos auth.
    debug1: Connecting to cdfsros http://10.117.232.11 port 22.
    debug1: Connection established.
    debug1: identity file /home/ibs/.ssh/identity type -1
    debug1: identity file /home/ibs/.ssh/id_rsa type 1
    debug1: identity file /home/ibs/.ssh/id_dsa type -1
    debug1: Remote protocol version 1.99, remote software version OpenSSH_4.5
    debug1: match: OpenSSH_4.5 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_4.3
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-cbc hmac-md5 none
    debug1: kex: client->server aes128-cbc hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Host 'cdfsros' is known and matches the RSA host key.
    debug1: Found key in /home/ibs/.ssh/known_hosts:2
    debug1: ssh_rsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey,password,keyboard-interactive
    debug1: Next authentication method: publickey
    debug1: Trying private key: /home/ibs/.ssh/identity
    debug1: Offering public key: /home/ibs/.ssh/id_rsa
    debug1: Server accepts key: pkalg ssh-rsa blen 149
    debug1: read PEM private key done: type RSA
    debug1: Authentication succeeded (publickey).
    debug1: channel 0: new client-session
    debug1: Entering interactive session.

    What are the permissions on your .ssh/* files on the server you are going from?

    Cheers,

    Sam


  • 3.  Re: A "correct" way to setup passwordless ssh

    Posted Fri February 08, 2008 11:28 AM

    Originally posted by: Yanuly


    Permits are 600 on both .ssh/*

    I also ran ssh with -vvv for greater detail; this is what it shows:
    debug3: preferred publickey,keyboard-interactive,password
    debug3: authmethod_lookup publickey
    debug3: remaining preferred: keyboard-interactive,password
    debug3: authmethod_is_enabled publickey
    debug1: Next authentication method: publickey
    debug1: Trying private key: /home/revapp/.ssh/identity
    debug3: no such identity: /home/revapp/.ssh/identity
    debug1: Trying private key: /home/revapp/.ssh/id_rsa
    debug3: no such identity: /home/revapp/.ssh/id_rsa
    debug1: Trying private key: /home/revapp/.ssh/id_dsa
    debug3: no such identity: /home/revapp/.ssh/id_dsa
    debug2: we did not send a packet, disable method
    debug3: authmethod_lookup keyboard-interactive
    debug3: remaining preferred: password
    debug3: authmethod_is_enabled keyboard-interactive
    debug1: Next authentication method: keyboard-interactive
    debug2: userauth_kbdint
    debug2: we sent a keyboard-interactive packet, wait for reply
    debug1: Authentications that can continue: publickey,password,keyboard-interactive
    debug3: userauth_kbdint: disable: no info_req_seen
    debug2: we did not send a packet, disable method
    debug3: authmethod_lookup password
    debug3: remaining preferred:
    debug3: authmethod_is_enabled password
    debug1: Next authentication method: password
    revapp@tonga's password:


  • 4.  Re: A "correct" way to setup passwordless ssh

    Posted Sat February 09, 2008 08:12 AM

    Originally posted by: SystemAdmin


    Hi

    First you have to generate the key and put it in the directory mentioned below.

    Then you first have to manually try to connect to the servers from ONE FTPUSER.

    servername:/# more ~/.ssh/arch.key

    When you write the script, like the one mentioned below, at startup:
    1. The ssh key should be distributed to the remote machine.
    # in case the copy fails, right now the script will loop!!!!!
    DESTSVR="90.100.105.100"
    KEY=~/.ssh/arch.key
    SID=SL1
    USER=ftpusr


  • 5.  Re: A "correct" way to setup passwordless ssh

    Posted Tue February 12, 2008 06:03 AM

    Originally posted by: SystemAdmin


    It looks to me like none of the public keys on the machine you are going from match entries in the authorized_keys file on the remote host. Double-check that the authorized_keys file on the remote host is in the .ssh directory and only contains the contents of the public key on the host you are connecting from. Also check that its permissions are 600 as well.

    Thanks,
    Sam



  • 6.  Re: A "correct" way to setup passwordless ssh

    Posted Wed February 13, 2008 05:00 PM

    Originally posted by: Yanuly


    Ok, it's working now. Let me explain why it didn't, as a note for myself (and others, of course).
    After generating the key I was directly copying it to the authorized_keys file on the remote host. The procedure needs the id_xxx.pub file to be copied to the home dir of the user on the remote machine. THEN a local "cat" can dump its contents into the authorized_keys file in the $HOME/.ssh directory; this file MUST have a 644 permit while its directory must be 655:
    /home/yanuly/.ssh>ls -la
    total 16
    drwxr-xr-x 2 yanuly staff 256 Feb 12 09:18 .
    drwxr-xr-x 4 yanuly staff 4096 Feb 13 11:51 ..
    -rw-r--r-- 1 yanuly staff 239 Feb 12 09:18 authorized_keys
    On the host that generates the keys, this is the .ssh listing:
    /home/yanuly/.ssh>ls -la
    total 32
    drwxr-xr-x 2 yanuly staff 256 Feb 12 09:17 .
    drwxr-xr-x 6 yanuly staff 4096 Feb 13 14:42 ..
    -rw------- 1 yanuly staff 887 Feb 12 09:17 id_rsa
    -rw-r----- 1 yanuly staff 239 Feb 12 09:17 id_rsa.pub
    -rw-r--r-- 1 yanuly staff 227 Feb 12 09:17 known_hosts
    The last file is generated when the pub file is copied. If debugging, it's better to go all the way:
    /home/yanuly/.ssh>ssh -vvv yanuly@atlantis df

    Thank you for your responses
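    A script for the two checks this thread came down to (Sam's point in reply 5 that the client's key must actually be in the remote authorized_keys, and the file modes in reply 6), as an added example that is not code from the thread or from OpenSSH. The function name is hypothetical, both paths are assumed to be local (copy the server's authorized_keys over first, or run it on the server beside the .pub files), and "not group- or world-writable" is the condition sshd enforces with its default StrictModes yes.

```shell
#!/bin/sh
# Added example, not from the thread or OpenSSH: verify that every local *.pub
# has a mode-600 private key beside it, that .ssh directories and authorized_keys
# are not group/world writable (sshd StrictModes), and that the client's key
# blob really appears in the given authorized_keys file.
# Usage: check_pubkey_setup CLIENT_SSH_DIR AUTHORIZED_KEYS_FILE

# perms PATH -> the nine rwx characters from 'ls -l' (portable: AIX, BSD, Linux)
perms() { ls -ld "$1" | cut -c2-10; }

# fail MSG -> print a finding and count it; check_pubkey_setup then exits non-zero
fail() { echo "FAIL: $1"; findings=$((findings + 1)); }

# group_or_world_writable PATH -> true if g+w (char 5) or o+w (char 8) is set
group_or_world_writable() {
    case "$(perms "$1")" in
        ????w????|???????w?) return 0 ;;
    esac
    return 1
}

check_pubkey_setup() {
    client_dir=$1; auth_keys=$2; findings=0

    # 1. Client side: the directory and every private key. A *.pub with no
    #    private key beside it is the "identity file ... type -1" symptom.
    group_or_world_writable "$client_dir" && fail "$client_dir is group/world writable"
    for pub in "$client_dir"/*.pub; do
        [ -f "$pub" ] || { fail "no *.pub file in $client_dir"; break; }
        priv=${pub%.pub}
        if [ ! -f "$priv" ]; then
            fail "$pub has no private key $priv beside it, so ssh never offers it"
        else
            case "$(perms "$priv")" in
                ???------) ;;                 # 0600 or 0400: owner-only
                *) fail "$priv must be mode 600; ssh ignores it otherwise" ;;
            esac
        fi
        # 2. Is this exact key blob (field 2 of the .pub line) in authorized_keys?
        blob=$(awk '{print $2}' "$pub")
        [ -n "$blob" ] && [ -f "$auth_keys" ] && grep -F -q -- "$blob" "$auth_keys" \
            || fail "key from $pub is not in $auth_keys"
    done

    # 3. Server side: authorized_keys itself and the .ssh directory holding it.
    if [ -f "$auth_keys" ]; then
        group_or_world_writable "$auth_keys" && fail "$auth_keys is group/world writable"
        group_or_world_writable "$(dirname "$auth_keys")" \
            && fail "$(dirname "$auth_keys") is group/world writable"
    else
        fail "$auth_keys does not exist"
    fi
    [ "$findings" -eq 0 ] && echo "OK: modes and key material are consistent"
    [ "$findings" -eq 0 ]
}
```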


  • 7.  Re: A "correct" way to setup passwordless ssh

    Posted Mon November 25, 2013 05:41 PM

    Originally posted by: Bhannuji


    Hi,

    I am trying to set up a passwordless SSH connection. I generated the id_dsa.pub key and then copied it into the remote server's authorized_keys, but I am still getting the error below. Could you please assist me?

     

    OpenSSH_6.0p1, OpenSSL 0.9.8x 10 May 2012
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Failed dlopen: /usr/krb5/lib/libkrb5.a(libkrb5.a.so): Could not load module /usr/krb5/lib/libkrb5.a(libkrb5.a.so).
    System error: No such file or directory
     
    debug1: Error loading Kerberos, disabling Kerberos auth.
    debug2: ssh_connect: needpriv 0
    debug1: Connecting to usclswucs102 [172.31.67.53] port 22.
    debug1: Connection established.
    debug1: identity file /home/applebt1/.ssh/id_rsa type -1
    debug1: identity file /home/applebt1/.ssh/id_rsa-cert type -1
    debug3: Incorrect RSA1 identifier
    debug3: Could not load "/home/applebt1/.ssh/id_dsa" as a RSA1 public key
    debug1: identity file /home/applebt1/.ssh/id_dsa type 2
    debug1: identity file /home/applebt1/.ssh/id_dsa-cert type -1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_6.0
    debug1: match: OpenSSH_6.0 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_6.0
    debug2: fd 3 setting O_NONBLOCK
    debug3: load_hostkeys: loading entries for host "usclswucs102" from file "/home/applebt1/.ssh/known_hosts"
    debug3: load_hostkeys: found key type RSA in file /home/applebt1/.ssh/known_hosts:1
    debug3: load_hostkeys: loaded 1 keys
    debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
    debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit: first_kex_follows 0
    debug2: kex_parse_kexinit: reserved 0
    debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: none,zlib@openssh.com
    debug2: kex_parse_kexinit: none,zlib@openssh.com
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit: first_kex_follows 0
    debug2: kex_parse_kexinit: reserved 0
    debug2: mac_setup: found hmac-md5
    debug1: kex: server->client aes128-ctr hmac-md5 none
    debug2: mac_setup: found hmac-md5
    debug1: kex: client->server aes128-ctr hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug2: dh_gen_key: priv key bits set: 125/256
    debug2: bits set: 513/1024
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Server host key: RSA f6:fa:d7:e7:0b:e2:b1:ea:36:11:07:a2:6e:fa:71:6e
    debug3: load_hostkeys: loading entries for host "usclswucs102" from file "/home/applebt1/.ssh/known_hosts"
    debug3: load_hostkeys: found key type RSA in file /home/applebt1/.ssh/known_hosts:1
    debug3: load_hostkeys: loaded 1 keys
    debug3: load_hostkeys: loading entries for host "172.31.67.53" from file "/home/applebt1/.ssh/known_hosts"
    debug3: load_hostkeys: found key type RSA in file /home/applebt1/.ssh/known_hosts:1
    debug3: load_hostkeys: loaded 1 keys
    debug1: Host 'usclswucs102' is known and matches the RSA host key.
    debug1: Found key in /home/applebt1/.ssh/known_hosts:1
    debug2: bits set: 495/1024
    debug1: ssh_rsa_verify: signature correct
    debug2: kex_derive_keys
    debug2: set_newkeys: mode 1
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug2: set_newkeys: mode 0
    debug1: SSH2_MSG_NEWKEYS received
    debug1: Roaming not allowed by server
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug2: service_accept: ssh-userauth
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug2: key: /home/applebt1/.ssh/id_rsa (0)
    debug2: key: /home/applebt1/.ssh/id_dsa (20046aa8)
    debug3: input_userauth_banner
    +---------------------------------------------------------------------+
    |                                                                     |
    |  Use of this network is restricted to authorized users only. User   |
    |  activity may be monitored and/or recorded. Anyone using this       |
    |  network expressly consents to such monitoring and/or recording.    |
    |                                                                     |
    |  BE ADVISED: if possible criminal activity is detected, these       |
    |  records, along with certain personal information, may be provided  |
    |  to law enforcement officials.                                      |
    |                                                                     |
    +---------------------------------------------------------------------+
     
    debug1: Authentications that can continue: publickey,password,keyboard-interactive
    debug3: start over, passed a different list publickey,password,keyboard-interactive
    debug3: preferred publickey,keyboard-interactive,password
    debug3: authmethod_lookup publickey
    debug3: remaining preferred: keyboard-interactive,password
    debug3: authmethod_is_enabled publickey
    debug1: Next authentication method: publickey
    debug1: Trying private key: /home/applebt1/.ssh/id_rsa
    debug3: no such identity: /home/applebt1/.ssh/id_rsa
    debug1: Offering DSA public key: /home/applebt1/.ssh/id_dsa
    debug3: send_pubkey_test
    debug2: we sent a publickey packet, wait for reply
    debug1: Authentications that can continue: publickey,password,keyboard-interactive
    debug2: we did not send a packet, disable method
    debug3: authmethod_lookup keyboard-interactive
    debug3: remaining preferred: password
    debug3: authmethod_is_enabled keyboard-interactive
    debug1: Next authentication method: keyboard-interactive
    debug2: userauth_kbdint
    debug2: we sent a keyboard-interactive packet, wait for reply
    debug1: Authentications that can continue: publickey,password,keyboard-interactive
    debug3: userauth_kbdint: disable: no info_req_seen
    debug2: we did not send a packet, disable method
    debug3: authmethod_lookup password
    debug3: remaining preferred:
    debug3: authmethod_is_enabled password
    debug1: Next authentication method: password
    applebt1@usclswucs102's password:
     

    Thanks,

    Bhanoji.
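    The three `ssh -v` transcripts in this thread each stop at a different point, and reading that point tells you which side to look at. As an added example that is not from the thread or from OpenSSH, this function (its name is hypothetical) classifies a saved transcript using those debug lines: posts 1 and 3 never offer a key (every identity file is `type -1`), post 7 offers a key the server does not take, and post 2 is the accepted case.

```shell
#!/bin/sh
# Added example, not from the thread or OpenSSH: classify an 'ssh -v'/-vvv
# transcript by how far public-key authentication got.
# Usage: triage_ssh_debug LOGFILE
#   exit 0 key accepted, 2 rejected by server, 3 client never offered a key,
#   4 no publickey exchange found
triage_ssh_debug() {
    log=$1
    # Reply 2 shape: "Server accepts key" then "Authentication succeeded".
    if grep -q 'Authentication succeeded (publickey)' "$log"; then
        echo "OK: server accepted $(grep 'Offering .*public key' "$log" | awk '{print $NF}' | head -n 1)"
        return 0
    fi
    # Reply 7 shape: a key was offered and the server answered only with
    # another "Authentications that can continue". The client side is fine;
    # look at authorized_keys contents and the modes of ~, ~/.ssh and
    # authorized_keys on the server (sshd's own log names the reason).
    if grep -q 'Offering .*public key' "$log"; then
        echo "REJECTED BY SERVER: offered $(grep 'Offering .*public key' "$log" | awk '{print $NF}' | tr '\n' ' ')"
        echo "  check authorized_keys and the modes of ~, ~/.ssh, authorized_keys on the server"
        return 2
    fi
    # Posts 1 and 3 shape: every identity file is "type -1" / "no such
    # identity", so nothing was sent. The private key is not at a default
    # path (saved under another name); pass it with -i or IdentityFile.
    if grep -Eq 'identity file .* type -1|no such identity' "$log" \
       && ! grep -Eq 'identity file .* type [0-9]' "$log"; then
        echo "NO KEY OFFERED: no private key found at any default path on the client"
        return 3
    fi
    echo "UNCLEAR: no publickey exchange found in $log"
    return 4
}
```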