I'm trying to set up ssh unattended logins between two systems. The method I'm using is
straight out of the manual.
Code:
Un-attended login
When batch scripts require secure access to remote hosts, i.e. no user to type in the password, an un-attended-login is required. This is achieved by copying the requesting user's authentication key from the source host to the target host into a file called .ssh/authorized_keys. E.g. to set up an un-attended login for 'user' on host2 when connecting from host1: -
user@host1> cd; mkdir .ssh
user@host1> ssh-keygen -t rsa -N '' -f .ssh/id_rsa
user@host1> scp .ssh/id_rsa.pub user@host2:user_host1_key #requires password
user@host1> ssh -l user host2 'mkdir .ssh; cat user_host1_key >> .ssh/authorized_keys' #requires password
user@host1> ssh -l user host2 'ls -la' #Does NOT require password
…
The ssh-keygen command generates the user's key for host1. Thus, when added to the authorized_keys file on host2, it allows user on host1 to log in to the user account on host2 without entering interactive mode to enter the password, i.e. un-attended login.
When I try this with users who already have unattended logins set up from other systems all is OK. When I try it with new users it still requires a password.
ssh -vvv shows
Code:
pckxfr@b05401$ /usr/local/bin/ssh d04501
Last unsuccessful login: Thu Nov 18 15:35:42 2004 on /dev/pts/7 from d04501_svc
Last login: Mon Nov 22 15:13:52 2004 on ssh from b05401
pckxfr@d04501:/home/pckxfr>/usr/local/bin/ssh pckxfr@b05401
pckxfr@b05401's password:
pckxfr@d04501:/home/pckxfr>/usr/local/bin/ssh pckxfr@b05401
pckxfr@b05401's password:
pckxfr@d04501:/home/pckxfr>/usr/local/bin/ssh -vvv pckxfr@b05401
OpenSSH_3.7p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7b 10 Apr 2003
debug1: Reading configuration data /usr/local/etc/ssh_config
debug3: Seeding PRNG from /usr/local/libexec/ssh-rand-helper
debug2: ssh_connect: needpriv 0
debug1: Connecting to b05401 [140.140.185.54] port 22.
debug1: Connection established.
debug1: identity file /home/pckxfr/.ssh/identity type -1
debug3: Not a RSA1 key file /home/pckxfr/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/pckxfr/.ssh/id_rsa type 1
debug1: identity file /home/pckxfr/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.0.2p1
debug1: match: OpenSSH_3.0.2p1 pat OpenSSH_2.*,OpenSSH_3.0*,OpenSSH_3.1*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.7p1
debug3: RNG is ready, skipping seeding
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 122/256
debug2: bits set: 1623/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /home/pckxfr/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug3: check_host_in_hostfile: filename /home/pckxfr/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug1: Host 'b05401' is known and matches the RSA host key.
debug1: Found key in /home/pckxfr/.ssh/known_hosts:1
debug2: bits set: 1566/3191
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/pckxfr/.ssh/identity (0)
debug2: key: /home/pckxfr/.ssh/id_rsa (20034178)
debug2: key: /home/pckxfr/.ssh/id_dsa (0)
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list publickey,password,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/pckxfr/.ssh/identity
debug3: no such identity: /home/pckxfr/.ssh/identity
debug1: Offering public key: /home/pckxfr/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Trying private key: /home/pckxfr/.ssh/id_dsa
debug3: no such identity: /home/pckxfr/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: userauth_kbdint: disable: no info_req_seen
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred:
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
pckxfr@b05401's password:
On the sending host :-
SSH 3.7.1p1
SSL 0.9.7b
On the receiving host
SSH 3.8.1p1
SSL 0.9.6
Has anyone any pointers to how I might debug this?
Columb Healy
Living with a seeker after the truth is infinitely preferable to living with one who thinks they've found it.
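
Added example, not part of the original post or the quoted manual: in the trace the client offers /home/pckxfr/.ssh/id_rsa and the server answers with the list of methods that can continue instead of accepting the key, so the refusal happens on the receiving side. The sketch below runs on the receiving host and checks two things sshd looks at there: group- or world-writable paths (rejected under StrictModes) and whether the copied public key is actually listed. The function names `loose_perms` and `check_pubkey_setup` are hypothetical, and file ownership, which sshd also checks, is not covered.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not from the post).
# check_pubkey_setup HOME_DIR PUBKEY_FILE
#   HOME_DIR    - home directory of the account on the receiving host
#   PUBKEY_FILE - the id_rsa.pub that was copied from the sending host
# Prints one line per problem; returns 0 only when nothing was found.

# True when the path is writable by group or other.
# Mode string layout: type, rwx (user), rwx (group), rwx (other).
loose_perms() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ?????w????|????????w?) return 0 ;;
        *) return 1 ;;
    esac
}

check_pubkey_setup() {
    home=$1
    pub=$2
    problems=0
    auth="$home/.ssh/authorized_keys"

    # sshd with StrictModes refuses keys if any of these is too open.
    for p in "$home" "$home/.ssh" "$auth"; do
        if [ ! -e "$p" ]; then
            echo "MISSING: $p"
            problems=$((problems + 1))
        elif loose_perms "$p"; then
            echo "TOO OPEN: $p is group- or world-writable"
            problems=$((problems + 1))
        fi
    done

    # Compare on the base64 blob (field 2) so the trailing comment is ignored.
    blob=$(awk 'NR == 1 { print $2 }' "$pub")
    if [ -z "$blob" ]; then
        echo "BAD KEY FILE: no key data in $pub"
        problems=$((problems + 1))
    elif [ -f "$auth" ] && ! grep -F -q -- "$blob" "$auth"; then
        echo "KEY NOT LISTED: $pub is not in $auth"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ]
}
```

For the account in the post this would be called as `check_pubkey_setup /home/pckxfr <copied id_rsa.pub>` on the host that keeps asking for the password.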