AIX


SSH Without Password

  • 1.  SSH Without Password

    Posted Mon December 15, 2008 04:36 AM

    Originally posted by: syedsaleembasha


    Hello,

    I configured ssh on two nodes for an Oracle RAC installation. I can ssh from node1 to node2 without a password, but when I ssh from node2 to node1 a password is required. I followed the same procedure on both nodes to configure ssh. Can someone help me out with this issue?

    thanks a lot


  • 2.  Re: SSH Without Password

    Posted Mon December 15, 2008 07:29 AM

    Originally posted by: SystemAdmin


    Hi Saleem,

    I hope the following steps will be helpful to you --

    1. Create a public ssh key, if you haven’t one already.

    Look at ~/.ssh. If you see a file named id_dsa.pub then you obviously already have a public key. If not, simply create one. ssh-keygen -t dsa should do the trick.

    Please note that there are other types of keys, e.g. RSA instead of DSA. I simply recommend DSA, but keep that in mind if you run into errors.
    2. Make sure your .ssh dir is 700:
    chmod 700 ~/.ssh
    3. Get your public ssh key on the server you want to login automatically.
    A simple scp ~/.ssh/id_dsa.pub remoteuser@remoteserver.com: is ok.
    4. Append the contents of your public key to the ~/.ssh/authorized_keys and remove it.

    Important: This must be done on the server you just copied your public key to. Otherwise you wouldn’t have had to copy it on your server.

    Simply issue something like ---
    cat id_dsa.pub >> .ssh/authorized_keys while at your home directory.
    5. Instead of steps 3 and 4, you can issue something like this:

    cat ~/.ssh/id_dsa.pub | ssh -l remoteuser remoteserver.com 'cat >> ~/.ssh/authorized_keys'
    6. Remove your public key from the home directory on the server.
    7. Done!
    You can now login:

    ssh -l remoteuser remoteserver.com or ssh remoteuser@remoteserver.com

    without getting asked for a password.

    That’s all you need to do.


  • 3.  Re: SSH Without Password

    Posted Mon December 15, 2008 07:33 AM

    Originally posted by: SystemAdmin


    Perform the steps mentioned above on both the servers....


  • 4.  Re: SSH Without Password

    Posted Mon February 23, 2009 10:46 AM

    Originally posted by: SystemAdmin


    I have the same problem. From Server 1 to Server 2 the ssh access is obtained without a password, but not vice versa. I did the same steps on both servers. Can you help me?


  • 5.  Re: SSH Without Password

    Posted Mon February 23, 2009 10:52 AM

    Originally posted by: Holgervk


    use ssh -vvv -p 10000
    on the client
    and
    sshd -D -p 10000

    that will give you more information

    probably there is a problem with file/directory permissions regarding $HOME/.ssh or $HOME/.ssh/authorized_keys


  • 6.  Re: SSH Without Password

    Posted Mon February 23, 2009 11:24 AM

    Originally posted by: orphy


    One of my DBAs ran into the same problem recently and I ended up tracing it to be the permissions of .ssh. As soon as I fixed it to 700, it worked so you should probably compare permissions first. It should be a quick check since you are already working one way.
    Orphy


  • 7.  Re: SSH Without Password

    Posted Wed February 25, 2009 10:55 AM

    Originally posted by: SystemAdmin


    Unfortunately that is not the problem. $HOME/.ssh is fixed to 700 in both lpars and $HOME/.ssh/authorized_keys is fixed to 600 in both lpars.


  • 8.  Re: SSH Without Password

    Posted Wed February 25, 2009 11:01 AM

    Originally posted by: SystemAdmin


    I meant to say that $HOME/.ssh/authorized_keys are fixed to 644 in both lpars.


  • 9.  Re: SSH Without Password

    Posted Wed February 25, 2009 11:10 AM

    Originally posted by: Holgervk


    Just to see if permissions are the problem, do a
    chmod 600 $HOME/.ssh/authorized_keys
    chmod 700 $HOME/
    ls -ld $HOME $HOME/.ssh #to check if everything is owned by the user

    I don't think 644 is enough
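
What sshd enforces on these paths, as an added example that is not part of any post in this thread: with StrictModes enabled, OpenSSH ignores authorized_keys unless the home directory, ~/.ssh and the file itself are owned by the user (or root) and carry no group or other write bit. The function names and the temporary demo directory are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Checks one path the way sshd does when
# StrictModes is on: owner must be the login user or root, and neither group
# nor others may have write permission. Parses `ls -ldL`, so it runs on AIX.
check_path() {
    cp_path=$1; cp_owner=$2
    if [ ! -e "$cp_path" ]; then
        echo "MISSING        $cp_path"
        return 1
    fi
    # Mode string layout: type, rwx user (2-4), rwx group (5-7), rwx other (8-10)
    ls -ldL "$cp_path" | awk -v want="$cp_owner" -v p="$cp_path" '{
        mode = $1; owner = $3; bad = 0
        if (owner != want && owner != "root") { print "BAD-OWNER      " p " (" owner ")"; bad = 1 }
        if (substr(mode, 6, 1) == "w")        { print "GROUP-WRITABLE " p " (" mode ")";  bad = 1 }
        if (substr(mode, 9, 1) == "w")        { print "WORLD-WRITABLE " p " (" mode ")";  bad = 1 }
        if (!bad) print "ok             " p " (" mode ")"
        exit bad
    }'
}

# Audit home directory, ~/.ssh and authorized_keys for one user.
# Returns non-zero if any of the three would make sshd refuse the key file.
strictmodes_audit() {
    sa_home=$1; sa_user=$2; sa_rc=0
    for sa_p in "$sa_home" "$sa_home/.ssh" "$sa_home/.ssh/authorized_keys"; do
        check_path "$sa_p" "$sa_user" || sa_rc=1
    done
    return $sa_rc
}

# Constructed demo in a throwaway directory (not a real account).
demo_home=${TMPDIR:-/tmp}/strictmodes-demo.$$
mkdir -p "$demo_home/.ssh" && : > "$demo_home/.ssh/authorized_keys"
chmod 755 "$demo_home"; chmod 700 "$demo_home/.ssh"; chmod 644 "$demo_home/.ssh/authorized_keys"
demo_user=$(ls -ld "$demo_home" | awk '{print $3}')
strictmodes_audit "$demo_home" "$demo_user" && echo "=> modes do not block key login"
chmod 775 "$demo_home"    # group-writable home directory
strictmodes_audit "$demo_home" "$demo_user" || echo "=> sshd would ignore authorized_keys"
rm -rf "$demo_home"
```

On a real system, run `strictmodes_audit "$HOME" "$(whoami)"` as the account that fails to log in, on the server side of the connection.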


  • 10.  Re: SSH Without Password

    Posted Thu May 09, 2013 06:55 AM

    Originally posted by: JohnPrabhu


    I tried the above, but the system is still asking for the password.



  • 11.  Re: SSH Without Password

    Posted Wed February 25, 2009 01:04 PM

    Originally posted by: shargus


    If you haven't done so already, turn on syslog.
    sshd will report to syslog if there are problems such as incorrect permissions/ownerships, etc.


  • 12.  Re: SSH Without Password

    Posted Wed February 25, 2009 02:14 PM

    Originally posted by: SystemAdmin


    Also keep in mind that you can configure SSH to allow/deny various authentication methods: hostbased,publickeys,password. So you might need to check your sshd_config files. Also, a good troubleshooting tool is to use the verbose '-v' flag to troubleshoot these issues. That will show you precisely where the problem lies...sometimes. ;) I hope this is helpful. Good luck.


  • 13.  Re: SSH Without Password

    Posted Thu February 26, 2009 06:58 AM

    Originally posted by: SystemAdmin


    Thank you so much for all your answers. Finally, with the verbose flag I was able to find the problem. On both nodes I renamed the id_rsa file to identity, but when I launched ssh from node 2 to node 1 it was looking for the id_rsa file instead of identity, while vice versa it was looking for identity. I don't know why it asked for different files, but I renamed identity on node 2 back to id_rsa and Eureka. I'll be very pleased if you could tell me something about why it is asking me for id_rsa instead of identity.


  • 14.  Re: SSH Without Password

    Posted Thu February 26, 2009 10:49 AM

    Originally posted by: unixgrl


    the "identity" file is used with ssh protocol 1, id_rsa is used with protocol 2.
    It sounds like one of your systems is defaulting to Protocol 1 which is older.

    Look in your sshd_config file for "Protocol". Mine says 2,1 which means it will use
    protocol 2 primarily.
    You can also try your ssh command with "-1" or "-2" to force it to use either protocol.
    All of this information can be found at openssh.org.


  • 15.  Re: SSH Without Password

    Posted Fri February 27, 2009 03:55 AM

    Originally posted by: SystemAdmin


    Hello. I have looked in the sshd_config files in both nodes and this is the value:

    # Disable legacy (protocol version 1) support in the server for new
    # installations. In future the default will change to require explicit
    # activation of protocol 1
    Protocol 2

    I have configured passwordless ssh following the "Implementing High Availability Cluster Multi-Processing (HACMP) Cookbook.pdf" redbook, and this is what the redbook tells us about that:

    1. Login with the required user identity.
    2. Generate your authentication key pair:
    ssh-keygen -t rsa -f ~/.ssh/node1
    Press Enter for the passphrase (no password).
    This command generates two files:
    – ~/.ssh/node1: this is your secret key
    – ~/.ssh/node1.pub: this is your public key
    3. Rename your secret key to identity:
    mv ~/.ssh/node1 ~/.ssh/identity
    4. Add the public key to your authorized_keys file on the local node, so the SSH
    will work for the localhost:
    cat ~/.ssh/node1.pub >> ~/.ssh/authorized_keys
    5. Copy your public key to all other hosts:
    scp ~/.ssh/node1.pub nodeX:~/.ssh/node1.pub
    Repeat this command for each node in the cluster.
    6. Add node1’s public key to the authorized_keys file on the remote hosts:
    ssh nodeX "cat ~/.ssh/node1.pub >> ~/.ssh/authorized_keys"
    Repeat this command for each node in the cluster.
    7. Repeat steps 1 to 6 on all hosts.

    Identity is the name I gave to the id_rsa file in both nodes


  • 16.  Re: SSH Without Password

    Posted Mon March 02, 2009 10:02 AM

    Originally posted by: unixgrl


    That step that says to change your key file to "identity" doesn't make any sense unless HACMP is trying to use protocol 1. It sounds like the Redbook needs updating. No app should be using protocol 1 anymore. I wouldn't change the names of the key files. Just copy the .pub keys into authorized_keys on the other systems.


  • 17.  Re: SSH Without Password

    Posted Wed March 04, 2009 07:24 AM

    Originally posted by: SystemAdmin


    Finally the problem is that one of my mates changed the ssh_config file uncommenting the IdentityFile line. In one node he set IdentityFile ~/.ssh/identity and in the other IdentityFile ~/.ssh/id_rsa.

    Thank you so much.


  • 18.  Re: SSH Without Password

    Posted Mon March 23, 2009 07:56 AM

    Originally posted by: SystemAdmin


    Unfortunately I have not entirely solved the problem. I am trying passwordless ssh between three nodes. It is working on two of them but not with the third. This one is able to do passwordless ssh against the others, but it is not possible for the others to do it against this one. I attach the logs. Please help me.

    From node "proeccdiag" to node "proecc01" (works ok):

    proadm> ssh -v proecc01
    OpenSSH_4.7p1, OpenSSL 0.9.8f 11 Oct 2007
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Failed dlopen: /usr/krb5/lib/libkrb5.a(libkrb5.a.so): 0509-022 Cannot load module /usr/krb5/lib/libkrb5.a(libkrb5.a.so).
    0509-026 System error: A file or directory in the path name does not exist.

    debug1: Error loading Kerberos, disabling Kerberos auth.
    debug1: Connecting to proecc01 [172.16.60.107] port 22.
    debug1: Connection established.
    debug1: identity file /home/proadm/.ssh/identity type -1
    debug1: identity file /home/proadm/.ssh/id_rsa type 1
    debug1: identity file /home/proadm/.ssh/id_dsa type -1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_4.7
    debug1: match: OpenSSH_4.7 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_4.7
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-cbc hmac-md5 none
    debug1: kex: client->server aes128-cbc hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Host 'proecc01' is known and matches the RSA host key.
    debug1: Found key in /home/proadm/.ssh/known_hosts:1
    debug1: ssh_rsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey,password,keyboard-interactive
    debug1: Next authentication method: publickey
    debug1: Trying private key: /home/proadm/.ssh/identity
    debug1: Offering public key: /home/proadm/.ssh/id_rsa
    debug1: Server accepts key: pkalg ssh-rsa blen 277
    debug1: read PEM private key done: type RSA
    debug1: Authentication succeeded (publickey).
    debug1: channel 0: new client-session
    debug1: Entering interactive session.
    Last unsuccessful login: Wed Mar 4 11:33:38 CUT 2009 on ssh from proecc02
    Last login: Wed Mar 11 12:16:57 CUT 2009 on /dev/pts/2 from proeccdiag

    YOU HAVE NEW MAIL

    From node "proecc01" to node "proeccdiag" (doesn't work):

    proadm> ssh -v proeccdiag
    OpenSSH_4.7p1, OpenSSL 0.9.8f 11 Oct 2007
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Failed dlopen: /usr/krb5/lib/libkrb5.a(libkrb5.a.so): 0509-022 Cannot load module /usr/krb5/lib/libkrb5.a(libkrb5.a.so).
    0509-026 System error: A file or directory in the path name does not exist.

    debug1: Error loading Kerberos, disabling Kerberos auth.
    debug1: Connecting to proeccdiag [172.16.60.108] port 22.
    debug1: Connection established.
    debug1: identity file /home/proadm/.ssh/identity type -1
    debug1: identity file /home/proadm/.ssh/id_rsa type 1
    debug1: identity file /home/proadm/.ssh/id_dsa type -1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_4.7
    debug1: match: OpenSSH_4.7 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_4.7
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-cbc hmac-md5 none
    debug1: kex: client->server aes128-cbc hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Host 'proeccdiag' is known and matches the RSA host key.
    debug1: Found key in /home/proadm/.ssh/known_hosts:2
    debug1: ssh_rsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey,password,keyboard-interactive
    debug1: Next authentication method: publickey
    debug1: Trying private key: /home/proadm/.ssh/identity
    debug1: Offering public key: /home/proadm/.ssh/id_rsa
    debug1: Authentications that can continue: publickey,password,keyboard-interactive
    debug1: Trying private key: /home/proadm/.ssh/id_dsa
    debug1: Next authentication method: keyboard-interactive
    debug1: Authentications that can continue: publickey,password,keyboard-interactive
    debug1: Next authentication method: password
    proadm@proeccdiag's password:
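
A way to read traces like the two above, as an added example that is not part of the original post: it reports whether a key was accepted, offered and refused, or never offered at all. The function names and the sample lines for a hypothetical user "demo" are constructed; the message formats are the OpenSSH 4.x/5.x debug1 lines quoted in this thread.

```shell
#!/bin/sh
# Added example (not from the thread). Reads `ssh -v` client output on stdin
# and reports how the publickey method ended.
classify_pubkey_attempt() {
    awk '
    /debug1: identity file /            { looked = looked " " $4 }
    /debug1: Trying private key: /      { cur = $NF; kind = "try" }
    /debug1: Offering public key: /     { cur = $NF; kind = "offer"; offered = offered " " cur }
    # A key with no loaded .pub half is only sent once its private file loads.
    /debug1: read PEM private key done/ { if (kind == "try") offered = offered " " cur }
    /debug1: Server accepts key/        { accepted = cur }
    /debug1: Authentication succeeded \(publickey\)/ { ok = 1; if (accepted == "") accepted = cur }
    END {
        if (ok)                 print "ACCEPTED " accepted
        else if (offered != "") print "REJECTED" offered
        else                    print "NOT_OFFERED looked-for:" looked
    }'
}

# Constructed samples, trimmed to the lines that matter.
sample_accepted() { cat <<'EOF'
debug1: identity file /home/demo/.ssh/identity type -1
debug1: identity file /home/demo/.ssh/id_rsa type 1
debug1: Next authentication method: publickey
debug1: Trying private key: /home/demo/.ssh/identity
debug1: Offering public key: /home/demo/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 277
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
EOF
}

sample_rejected() { cat <<'EOF'
debug1: identity file /home/demo/.ssh/identity type -1
debug1: identity file /home/demo/.ssh/id_rsa type 1
debug1: Next authentication method: publickey
debug1: Trying private key: /home/demo/.ssh/identity
debug1: Offering public key: /home/demo/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password
EOF
}

sample_not_offered() { cat <<'EOF'
debug1: identity file /home/demo/.ssh/identity type -1
debug1: identity file /home/demo/.ssh/id_rsa type -1
debug1: Next authentication method: publickey
debug1: Trying private key: /home/demo/.ssh/identity
debug1: Trying private key: /home/demo/.ssh/id_rsa
debug1: Next authentication method: password
EOF
}

for s in sample_accepted sample_rejected sample_not_offered; do
    printf '%-20s %s\n' "$s" "$($s | classify_pubkey_attempt)"
done
```

REJECTED points at the server side (authorized_keys content, file modes, account state); NOT_OFFERED points at the client side (key file name or the IdentityFile setting in ssh_config). Feed it a real trace with `ssh -v host 2>&1 | classify_pubkey_attempt`.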


  • 19.  Re: SSH Without Password

    Posted Mon March 23, 2009 09:17 AM

    Originally posted by: CRM


    When you generate keys on each server (hopefully using ssh-keygen) you will get a public key (id_rsa.pub) and a private key (id_rsa) if you are using rsa keys.

    If you generate the keys with no passphrase then these can be used for SSH without password (a quick google should show some guides for this such as http://oreilly.com/pub/h/66 ).

    To set up ssh you basically need to copy the id_rsa.pub into the authorized_keys2 file on the remote server.

    It looks like you have done this from diag to c01, but not vice versa.

    Check that the id_rsa.pub from c01 is in the authorized_keys2 file on diag, make sure the file has permissions of 600 and check the formatting of the file, extra spaces and other bad formatting can sometimes stop SSH from working.

    regards

    Chris


  • 20.  Re: SSH Without Password

    Posted Tue March 24, 2009 07:16 AM

    Originally posted by: SystemAdmin


    I have just retried the steps to configure the ssh passwordless between both nodes and I have got the same result. Anyway in AIX "authorized_keys2" is not the name of the file but "authorized_keys". It is remarkable that using the user root it works.


  • 21.  Re: SSH Without Password

    Posted Mon November 01, 2010 09:56 AM

    Originally posted by: DoGaS


    Hello,

    I have the same issue.
    The log shows the following:
    ********************************************************
    nim2:/.ssh>ssh -v kwt
    OpenSSH_5.2p1, OpenSSL 0.9.8k 25 Mar 2009
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Failed dlopen: /usr/krb5/lib/libkrb5.a(libkrb5.a.so): 0509-022 Cannot load module /usr/krb5/lib/libkrb5.a(libkrb5.a.so).
    0509-026 System error: A file or directory in the path name does not exist.

    debug1: Error loading Kerberos, disabling Kerberos auth.
    debug1: Connecting to kwt [172.16.130.208] port 22.
    debug1: Connection established.
    debug1: permanently_set_uid: 0/0
    debug1: identity file /.ssh/identity type -1
    debug1: identity file /.ssh/id_rsa type 1
    debug1: identity file /.ssh/id_dsa type 2
    debug1: Remote protocol version 1.99, remote software version OpenSSH_4.1
    debug1: match: OpenSSH_4.1 pat OpenSSH_4*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_5.2
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: Entering the function :kex_choose_conf

    debug1: kex: server->client aes128-ctr hmac-md5 none
    debug1: kex: client->server aes128-ctr hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Host 'kwt' is known and matches the RSA host key.
    debug1: Found key in /.ssh/known_hosts:237
    debug1: ssh_rsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey,password,keyboard-interactive
    debug1: Next authentication method: publickey
    debug1: The Key: 0

    debug1: Trying private key: /.ssh/identity
    debug1: After function load_identity_file

    debug1: The Key: 1

    debug1: Offering public key: /.ssh/id_rsa
    debug1: Authentications that can continue: publickey,password,keyboard-interactive
    debug1: The Key: 2

    debug1: Offering public key: /.ssh/id_dsa
    debug1: Authentications that can continue: publickey,password,keyboard-interactive
    debug1: Next authentication method: keyboard-interactive
    debug1: Authentications that can continue: publickey,password,keyboard-interactive
    debug1: Next authentication method: password
    root@kwt's password:
    ********************************************************

    The ~/.ssh directory has chmod 700
    The ~/.ssh/authorized_keys has chmod 644
    Both keys (dsa & rsa) are added to authorized_keys.
    But an ssh to localhost is with password logon, too.

    ********************************************************
    p51a003p:/>ssh -v localhost
    OpenSSH_4.1p1, OpenSSL 0.9.7g 11 Apr 2005
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Failed dlopen: /usr/krb5/lib/libkrb5.a(libkrb5.a.so): 0509-022 Cannot load module /usr/krb5/lib/libkrb5.a(libkrb5.a.so).
    0509-026 System error: A file or directory in the path name does not exist.

    debug1: Error loading Kerberos, disabling Kerberos auth.
    debug1: Connecting to localhost [127.0.0.1] port 22.
    debug1: Connection established.
    debug1: permanently_set_uid: 0/0
    debug1: identity file /.ssh/identity type -1
    debug1: identity file /.ssh/id_rsa type 1
    debug1: identity file /.ssh/id_dsa type 2
    debug1: Remote protocol version 1.99, remote software version OpenSSH_4.1
    debug1: match: OpenSSH_4.1 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_4.1
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-cbc hmac-md5 none
    debug1: kex: client->server aes128-cbc hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Host 'localhost' is known and matches the RSA host key.
    debug1: Found key in /.ssh/known_hosts:18
    debug1: ssh_rsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey,password,keyboard-interactive
    debug1: Next authentication method: publickey
    debug1: Trying private key: /.ssh/identity
    debug1: Offering public key: /.ssh/id_rsa
    debug1: Authentications that can continue: publickey,password,keyboard-interactive
    debug1: Offering public key: /.ssh/id_dsa
    debug1: Authentications that can continue: publickey,password,keyboard-interactive
    debug1: Next authentication method: keyboard-interactive
    debug1: Authentications that can continue: publickey,password,keyboard-interactive
    debug1: Next authentication method: password
    root@localhost's password:
    ********************************************************

    has anyone a suggestion?

    regards
    chris


  • 22.  Re: SSH Without Password

    Posted Mon August 05, 2013 08:27 PM

    Originally posted by: curenpc


    Check unsuccessful_login_count in /etc/security/lastlog.  In my case it was 12.  I set it back to 0, things worked.