Topic
  • 21 replies
  • Latest Post - ‏2013-08-06T00:27:23Z by curenpc
syedsaleembasha
syedsaleembasha
21 Posts

Pinned topic SSH Without Password

‏2008-12-15T09:35:43Z |
Hello,

i configured ssh on two nodes for oracle rac installation. i can ssh from node1 to node2 without password. but i when i ssh from node2 to node1 password is required. i followed same procedure in both nodes to configure ssh. can someone help me out in this issue.

thanks a lot
Updated on 2010-11-01T13:56:20Z at 2010-11-01T13:56:20Z by DoGaS
  • SystemAdmin
    SystemAdmin
    6902 Posts

    Re: SSH Without Password

    ‏2008-12-15T12:29:09Z  
    Hi Saleem,

    I hope the following steps will be helpful to you --

    1. Create a public ssh key, if you haven’t one already.

    Look at ~/.ssh. If you see a file named id_dsa.pub then you obviously already have a public key. If not, simply create one. ssh-keygen -t dsa should do the trick.

    Please note that there are other types of keys, e.g. RSA instead of DSA. I simply recomend DSA, but keep that in mind if you run into errors.
    2. Make sure your .ssh dir is 700:
    chmod 700 ~/.ssh
    3. Get your public ssh key on the server you want to login automatically.
    A simple scp ~/.ssh/id_dsa.pub remoteuser@remoteserver.com: is ok.
    4. Append the contents of your public key to the ~/.ssh/authorized_keys and remove it.

    Important: This must be done on the server you just copied your public key to. Otherwise you wouldn’t have had to copy it on your server.

    Simply issue something like ---
    cat id_dsa.pub >> .ssh/authorized_keys while at your home directory.
    5. Instead of steps 3 and 4, you can issue something like this:

    cat ~/.ssh/id_dsa.pub | ssh -l remoteuser remoteserver.com 'cat >> ~/.ssh/authorized_keys'
    6. Remove your public key from the home directory on the server.
    7. Done!
    You can now login:

    ssh -l remoteuser remoteserver.com or ssh remoteuser@remoteserver.com

    without getting asked for a password.

    That’s all you need to do.
  • SystemAdmin
    SystemAdmin
    6902 Posts

    Re: SSH Without Password

    ‏2008-12-15T12:32:36Z  
    Hi Saleem,

    I hope the following steps will be helpful to you --

    1. Create a public ssh key, if you haven’t one already.

    Look at ~/.ssh. If you see a file named id_dsa.pub then you obviously already have a public key. If not, simply create one. ssh-keygen -t dsa should do the trick.

    Please note that there are other types of keys, e.g. RSA instead of DSA. I simply recomend DSA, but keep that in mind if you run into errors.
    2. Make sure your .ssh dir is 700:
    chmod 700 ~/.ssh
    3. Get your public ssh key on the server you want to login automatically.
    A simple scp ~/.ssh/id_dsa.pub remoteuser@remoteserver.com: is ok.
    4. Append the contents of your public key to the ~/.ssh/authorized_keys and remove it.

    Important: This must be done on the server you just copied your public key to. Otherwise you wouldn’t have had to copy it on your server.

    Simply issue something like ---
    cat id_dsa.pub >> .ssh/authorized_keys while at your home directory.
    5. Instead of steps 3 and 4, you can issue something like this:

    cat ~/.ssh/id_dsa.pub | ssh -l remoteuser remoteserver.com 'cat >> ~/.ssh/authorized_keys'
    6. Remove your public key from the home directory on the server.
    7. Done!
    You can now login:

    ssh -l remoteuser remoteserver.com or ssh remoteuser@remoteserver.com

    without getting asked for a password.

    That’s all you need to do.
    Perform the steps mentioned above on both the servers....
  • SystemAdmin
    SystemAdmin
    6902 Posts

    Re: SSH Without Password

    ‏2009-02-23T15:46:08Z  
    Hi Saleem,

    I hope the following steps will be helpful to you --

    1. Create a public ssh key, if you haven’t one already.

    Look at ~/.ssh. If you see a file named id_dsa.pub then you obviously already have a public key. If not, simply create one. ssh-keygen -t dsa should do the trick.

    Please note that there are other types of keys, e.g. RSA instead of DSA. I simply recomend DSA, but keep that in mind if you run into errors.
    2. Make sure your .ssh dir is 700:
    chmod 700 ~/.ssh
    3. Get your public ssh key on the server you want to login automatically.
    A simple scp ~/.ssh/id_dsa.pub remoteuser@remoteserver.com: is ok.
    4. Append the contents of your public key to the ~/.ssh/authorized_keys and remove it.

    Important: This must be done on the server you just copied your public key to. Otherwise you wouldn’t have had to copy it on your server.

    Simply issue something like ---
    cat id_dsa.pub >> .ssh/authorized_keys while at your home directory.
    5. Instead of steps 3 and 4, you can issue something like this:

    cat ~/.ssh/id_dsa.pub | ssh -l remoteuser remoteserver.com 'cat >> ~/.ssh/authorized_keys'
    6. Remove your public key from the home directory on the server.
    7. Done!
    You can now login:

    ssh -l remoteuser remoteserver.com or ssh remoteuser@remoteserver.com

    without getting asked for a password.

    That’s all you need to do.
    I have the same problem. From Server 1 to Server 2 the ssh access is obtained without password but not viceversa. I did the same steps in both servers. Can you help me?
  • Holgervk
    Holgervk
    56 Posts

    Re: SSH Without Password

    ‏2009-02-23T15:52:09Z  
    I have the same problem. From Server 1 to Server 2 the ssh access is obtained without password but not viceversa. I did the same steps in both servers. Can you help me?
    use ssh -vvv -p 10000
    on the client
    and
    sshd -D -p 10000

    that will give you more information

    probably there is a problem with file/directory permissions regarding $HOME/.ssh or $HOME/.ssh/authorized_keys
  • orphy
    orphy
    480 Posts

    Re: SSH Without Password

    ‏2009-02-23T16:23:36Z  
    • Holgervk
    • ‏2009-02-23T15:52:09Z
    use ssh -vvv -p 10000
    on the client
    and
    sshd -D -p 10000

    that will give you more information

    probably there is a problem with file/directory permissions regarding $HOME/.ssh or $HOME/.ssh/authorized_keys
    One of my DBAs ran into the same problem recently and I ended up tracing it to be the permissions of .ssh. As soon as I fixed it to 700, it worked so you should probably compare permissions first. It should be a quick check since you are already working one way.
    Orphy
  • SystemAdmin
    SystemAdmin
    6902 Posts

    Re: SSH Without Password

    ‏2009-02-25T15:54:39Z  
    • orphy
    • ‏2009-02-23T16:23:36Z
    One of my DBAs ran into the same problem recently and I ended up tracing it to be the permissions of .ssh. As soon as I fixed it to 700, it worked so you should probably compare permissions first. It should be a quick check since you are already working one way.
    Orphy
    Unfortunately that is not the problem. $HOME/.ssh is fixed to 700 in both lpars and $HOME/.ssh/authorized_keys is fixed to 600 in both lpars.
  • SystemAdmin
    SystemAdmin
    6902 Posts

    Re: SSH Without Password

    ‏2009-02-25T16:01:17Z  
    Unfortunately that is not the problem. $HOME/.ssh is fixed to 700 in both lpars and $HOME/.ssh/authorized_keys is fixed to 600 in both lpars.
    I meant to say that $HOME/.ssh/authorized_keys are fixed to 644 in both lpars.
  • Holgervk
    Holgervk
    56 Posts

    Re: SSH Without Password

    ‏2009-02-25T16:10:21Z  
    I meant to say that $HOME/.ssh/authorized_keys are fixed to 644 in both lpars.
    just to see if permissions are the problem do an
    chmod 600 $HOME/.ssh/authorized_keys
    chmod 600 $HOME/
    ls -ld $HOME $HOME/.ssh #to check if everything is owned by the user

    I dont think 644 is enough
  • shargus
    shargus
    157 Posts

    Re: SSH Without Password

    ‏2009-02-25T18:04:25Z  
    If you haven't done so already, turn on syslog.
    sshd will report to syslog if there are problems such as incorrect permissions/ownerships, etc.
  • SystemAdmin
    SystemAdmin
    6902 Posts

    Re: SSH Without Password

    ‏2009-02-25T19:13:39Z  
    • shargus
    • ‏2009-02-25T18:04:25Z
    If you haven't done so already, turn on syslog.
    sshd will report to syslog if there are problems such as incorrect permissions/ownerships, etc.
    Also keep in mind that you can configure SSH to allow/deny various authentication methods: hostbased,publickeys,password. So you might need to check your sshd_config files. Also, a good troubleshooting tool is to use the verbose '-v' flag to troubleshoot these issues. That will show you precisely where the problem lies...sometimes. ;) I hope this is helpful. Good luck.
  • SystemAdmin
    SystemAdmin
    6902 Posts

    Re: SSH Without Password

    ‏2009-02-26T11:57:46Z  
    Also keep in mind that you can configure SSH to allow/deny various authentication methods: hostbased,publickeys,password. So you might need to check your sshd_config files. Also, a good troubleshooting tool is to use the verbose '-v' flag to troubleshoot these issues. That will show you precisely where the problem lies...sometimes. ;) I hope this is helpful. Good luck.
    Thank you so much for all your answers. Finally with the verbose flag I was able to find out the problem. In both nodes I renamed the id_rsa file to identity but when I launched ssh from the node 2 to node 1 it was looking for id_rsa file instead of identity but viceversa it was looking for identity. I don´t know why it asked for different files but I rename again identity in node 2 to id_rsa and Eureka. I´ll be very pleased if you could tell me something about why it is asking me for id_rsa instead identity.
  • unixgrl
    unixgrl
    185 Posts

    Re: SSH Without Password

    ‏2009-02-26T15:49:03Z  
    the "identity" file is used with ssh protocol 1, id_rsa is used with protocol 2.
    It sounds like one of your systems is defaulting to Protocol 1 which is older.

    Look in your sshd_config file for "Protocol". Mine says 2,1 which means it will use
    protocol 2 primarily.
    You can also try your ssh command with "-1" or "-2" to force it to use either protocol.
    All of this information can be found at openssh.org.
  • SystemAdmin
    SystemAdmin
    6902 Posts

    Re: SSH Without Password

    ‏2009-02-27T08:55:14Z  
    • unixgrl
    • ‏2009-02-26T15:49:03Z
    the "identity" file is used with ssh protocol 1, id_rsa is used with protocol 2.
    It sounds like one of your systems is defaulting to Protocol 1 which is older.

    Look in your sshd_config file for "Protocol". Mine says 2,1 which means it will use
    protocol 2 primarily.
    You can also try your ssh command with "-1" or "-2" to force it to use either protocol.
    All of this information can be found at openssh.org.
    Hello. I have looked in the sshd_config files in both nodes and this is the value:

    1. Disable legacy (protocol version 1) support in the server for new
    2. installations. In future the default will change to require explicit
    3. activation of protocol 1
    Protocol 2

    I have configured the ssh passwordless following the "Implementing High Availability Cluster Multi-Processsing (HACMP) Cookbook.pdf" redbook, and this is what the redbook tells us about that:

    1. Login with the required user identity.
    2. Generate your authentication key pair:
    ssh-keygen -t rsa -f ~/.ssh/node1
    Press Enter for the passphrase (no password).
    This command generates two files:
    – ~/.ssh/node1: this is your secret key
    – ~/.ssh/node1.pub: this is your public key
    3. Rename your secret key to identity:
    mv ~/.ssh/node1 ~/.ssh/identity
    4. Add the public key to your authorized_keys file on the local node, so the SSH
    will work for the localhost:
    cat ~/.ssh/node1.pub >> ~/.ssh/authorized_keys
    5. Copy your public key to all other hosts:
    scp ~/.ssh/node1.pub nodeX:~/.ssh/node1.pub
    Repeat this command for each node in the cluster.
    6. Add node1’s public key to the authorized_keys file on the remote hosts:
    ssh nodeX “cat ~/.ssh/node1.pub >> ~/.ssh/authorized_keys”
    Repeat this command for each node in the cluster.
    7. Repeat steps 1 to 6 on all hosts.

    Identity is the name I gave to the id_rsa file in both nodes
  • unixgrl
    unixgrl
    185 Posts

    Re: SSH Without Password

    ‏2009-03-02T15:02:21Z  
    That step that says to change your key file to "identity" doesn't make any sense unless HACMP is trying to use protocol 1. It sounds like the Redbook needs updating. No app should be using protocol 1 anymore. I wouldn't change the names of the key files. Just copy the .pub keys into authorized_keys on the other systems.
  • SystemAdmin
    SystemAdmin
    6902 Posts

    Re: SSH Without Password

    ‏2009-03-04T12:23:32Z  
    • unixgrl
    • ‏2009-03-02T15:02:21Z
    That step that says to change your key file to "identity" doesn't make any sense unless HACMP is trying to use protocol 1. It sounds like the Redbook needs updating. No app should be using protocol 1 anymore. I wouldn't change the names of the key files. Just copy the .pub keys into authorized_keys on the other systems.
    Finally the problem is that one of my mates changed the ssh_config file uncommenting the IdentityFile line. In one node he set IdentityFile ~/.ssh/identity and in the other IdentityFile ~/.ssh/id_rsa.

    Thank you so much.
  • SystemAdmin
    SystemAdmin
    6902 Posts

    Re: SSH Without Password

    ‏2009-03-23T11:55:46Z  
    • unixgrl
    • ‏2009-03-02T15:02:21Z
    That step that says to change your key file to "identity" doesn't make any sense unless HACMP is trying to use protocol 1. It sounds like the Redbook needs updating. No app should be using protocol 1 anymore. I wouldn't change the names of the key files. Just copy the .pub keys into authorized_keys on the other systems.
    Unfortunately I have not enterely solved the problem. I am trying ssh passwordless between three nodes. It is working in two of them but not with the third. This one is able to do ssh passwordless against the others but it is not possible for the others do it against this one. I attach the logs. Please help me.

    From node "proeccdiag" to node "proecc01" (works ok):

    proadm> ssh -v proecc01
    OpenSSH_4.7p1, OpenSSL 0.9.8f 11 Oct 2007
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Failed dlopen: /usr/krb5/lib/libkrb5.a(libkrb5.a.so): 0509-022 Cannot load module /usr/krb5/lib/libkrb5.a(libkrb5.a.so).
    0509-026 System error: A file or directory in the path name does not exist.

    debug1: Error loading Kerberos, disabling Kerberos auth.
    debug1: Connecting to proecc01 http://172.16.60.107 port 22.
    debug1: Connection established.
    debug1: identity file /home/proadm/.ssh/identity type -1
    debug1: identity file /home/proadm/.ssh/id_rsa type 1
    debug1: identity file /home/proadm/.ssh/id_dsa type -1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_4.7
    debug1: match: OpenSSH_4.7 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_4.7
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-cbc hmac-md5 none
    debug1: kex: client->server aes128-cbc hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Host 'proecc01' is known and matches the RSA host key.
    debug1: Found key in /home/proadm/.ssh/known_hosts:1
    debug1: ssh_rsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey,password,keyboard-interactive
    debug1: Next authentication method: publickey
    debug1: Trying private key: /home/proadm/.ssh/identity
    debug1: Offering public key: /home/proadm/.ssh/id_rsa
    debug1: Server accepts key: pkalg ssh-rsa blen 277
    debug1: read PEM private key done: type RSA
    debug1: Authentication succeeded (publickey).
    debug1: channel 0: new client-session
    debug1: Entering interactive session.
    Last unsuccessful login: Wed Mar 4 11:33:38 CUT 2009 on ssh from proecc02
    Last login: Wed Mar 11 12:16:57 CUT 2009 on /dev/pts/2 from proeccdiag
    ### #
    ##### ##### #### ###### #### #### # # ##
    # # # # # # # # # # # # # # #
    # # # # # # ##### # # # # #
    ##### ##### # # # # # # # #
    # # # # # # # # # # # # #
    # # # #### ###### #### #### ### #####

    YOU HAVE NEW MAIL

    From node "proecc01" to node "proeccdiag" (doesn't work):

    proadm> ssh -v proeccdiag
    OpenSSH_4.7p1, OpenSSL 0.9.8f 11 Oct 2007
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Failed dlopen: /usr/krb5/lib/libkrb5.a(libkrb5.a.so): 0509-022 Cannot load module /usr/krb5/lib/libkrb5.a(libkrb5.a.so).
    0509-026 System error: A file or directory in the path name does not exist.

    debug1: Error loading Kerberos, disabling Kerberos auth.
    debug1: Connecting to proeccdiag http://172.16.60.108 port 22.
    debug1: Connection established.
    debug1: identity file /home/proadm/.ssh/identity type -1
    debug1: identity file /home/proadm/.ssh/id_rsa type 1
    debug1: identity file /home/proadm/.ssh/id_dsa type -1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_4.7
    debug1: match: OpenSSH_4.7 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_4.7
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-cbc hmac-md5 none
    debug1: kex: client->server aes128-cbc hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Host 'proeccdiag' is known and matches the RSA host key.
    debug1: Found key in /home/proadm/.ssh/known_hosts:2
    debug1: ssh_rsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey,password,keyboard-interactive
    debug1: Next authentication method: publickey
    debug1: Trying private key: /home/proadm/.ssh/identity
    debug1: Offering public key: /home/proadm/.ssh/id_rsa
    debug1: Authentications that can continue: publickey,password,keyboard-interactive
    debug1: Trying private key: /home/proadm/.ssh/id_dsa
    debug1: Next authentication method: keyboard-interactive
    debug1: Authentications that can continue: publickey,password,keyboard-interactive
    debug1: Next authentication method: password
    proadm@proeccdiag's password:
  • CRM
    CRM
    83 Posts

    Re: SSH Without Password

    ‏2009-03-23T13:17:20Z  
    Unfortunately I have not enterely solved the problem. I am trying ssh passwordless between three nodes. It is working in two of them but not with the third. This one is able to do ssh passwordless against the others but it is not possible for the others do it against this one. I attach the logs. Please help me.

    From node "proeccdiag" to node "proecc01" (works ok):

    proadm> ssh -v proecc01
    OpenSSH_4.7p1, OpenSSL 0.9.8f 11 Oct 2007
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Failed dlopen: /usr/krb5/lib/libkrb5.a(libkrb5.a.so): 0509-022 Cannot load module /usr/krb5/lib/libkrb5.a(libkrb5.a.so).
    0509-026 System error: A file or directory in the path name does not exist.

    debug1: Error loading Kerberos, disabling Kerberos auth.
    debug1: Connecting to proecc01 http://172.16.60.107 port 22.
    debug1: Connection established.
    debug1: identity file /home/proadm/.ssh/identity type -1
    debug1: identity file /home/proadm/.ssh/id_rsa type 1
    debug1: identity file /home/proadm/.ssh/id_dsa type -1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_4.7
    debug1: match: OpenSSH_4.7 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_4.7
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-cbc hmac-md5 none
    debug1: kex: client->server aes128-cbc hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Host 'proecc01' is known and matches the RSA host key.
    debug1: Found key in /home/proadm/.ssh/known_hosts:1
    debug1: ssh_rsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey,password,keyboard-interactive
    debug1: Next authentication method: publickey
    debug1: Trying private key: /home/proadm/.ssh/identity
    debug1: Offering public key: /home/proadm/.ssh/id_rsa
    debug1: Server accepts key: pkalg ssh-rsa blen 277
    debug1: read PEM private key done: type RSA
    debug1: Authentication succeeded (publickey).
    debug1: channel 0: new client-session
    debug1: Entering interactive session.
    Last unsuccessful login: Wed Mar 4 11:33:38 CUT 2009 on ssh from proecc02
    Last login: Wed Mar 11 12:16:57 CUT 2009 on /dev/pts/2 from proeccdiag
    ### #
    ##### ##### #### ###### #### #### # # ##
    # # # # # # # # # # # # # # #
    # # # # # # ##### # # # # #
    ##### ##### # # # # # # # #
    # # # # # # # # # # # # #
    # # # #### ###### #### #### ### #####

    YOU HAVE NEW MAIL

    From node "proecc01" to node "proeccdiag" (doesn't work):

    proadm> ssh -v proeccdiag
    OpenSSH_4.7p1, OpenSSL 0.9.8f 11 Oct 2007
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Failed dlopen: /usr/krb5/lib/libkrb5.a(libkrb5.a.so): 0509-022 Cannot load module /usr/krb5/lib/libkrb5.a(libkrb5.a.so).
    0509-026 System error: A file or directory in the path name does not exist.

    debug1: Error loading Kerberos, disabling Kerberos auth.
    debug1: Connecting to proeccdiag http://172.16.60.108 port 22.
    debug1: Connection established.
    debug1: identity file /home/proadm/.ssh/identity type -1
    debug1: identity file /home/proadm/.ssh/id_rsa type 1
    debug1: identity file /home/proadm/.ssh/id_dsa type -1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_4.7
    debug1: match: OpenSSH_4.7 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_4.7
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-cbc hmac-md5 none
    debug1: kex: client->server aes128-cbc hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Host 'proeccdiag' is known and matches the RSA host key.
    debug1: Found key in /home/proadm/.ssh/known_hosts:2
    debug1: ssh_rsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey,password,keyboard-interactive
    debug1: Next authentication method: publickey
    debug1: Trying private key: /home/proadm/.ssh/identity
    debug1: Offering public key: /home/proadm/.ssh/id_rsa
    debug1: Authentications that can continue: publickey,password,keyboard-interactive
    debug1: Trying private key: /home/proadm/.ssh/id_dsa
    debug1: Next authentication method: keyboard-interactive
    debug1: Authentications that can continue: publickey,password,keyboard-interactive
    debug1: Next authentication method: password
    proadm@proeccdiag's password:
    When you generate keys on each server (hopefully using ssh-keygen) you will get a public key (id_rsa.pub) and a private key (id.rsa) if you are using rsa keys.

    If you generate the keys with no passphrase then these can be used for SSH without password (a quick google should show some guides for this such as http://oreilly.com/pub/h/66 ).

    To setup ssh you basically need to copy the id_rsa.pub into the authorized_keys2 file on the remote server.

    It looks like you have done this from diag to c01, but not vice versa.

    Check that the id_rsa.pub from c01 is in the authorized_keys2 file on diag, make sure the file has permissions of 600 and check the formatting of the file, extra spaces and other bad formatting can sometimes stop SSH from working.

    regards

    Chris
  • SystemAdmin
    SystemAdmin
    6902 Posts

    Re: SSH Without Password

    ‏2009-03-24T11:16:19Z  
    • CRM
    • ‏2009-03-23T13:17:20Z
    When you generate keys on each server (hopefully using ssh-keygen) you will get a public key (id_rsa.pub) and a private key (id.rsa) if you are using rsa keys.

    If you generate the keys with no passphrase then these can be used for SSH without password (a quick google should show some guides for this such as http://oreilly.com/pub/h/66 ).

    To setup ssh you basically need to copy the id_rsa.pub into the authorized_keys2 file on the remote server.

    It looks like you have done this from diag to c01, but not vice versa.

    Check that the id_rsa.pub from c01 is in the authorized_keys2 file on diag, make sure the file has permissions of 600 and check the formatting of the file, extra spaces and other bad formatting can sometimes stop SSH from working.

    regards

    Chris
    I have just retried the steps to configure the ssh passwordless between both nodes and I have got the same result. Anyway in AIX "authorized_keys2" is not the name of the file but "authorized_keys". It is remarkable that using the user root it works.
  • DoGaS
    DoGaS
    3 Posts

    Re: SSH Without Password

    ‏2010-11-01T13:56:20Z  
    Hello,

    i have the same issue.
    The log shows follows:
    ********************************************************
    nim2:/.ssh>ssh -v kwt
    OpenSSH_5.2p1, OpenSSL 0.9.8k 25 Mar 2009
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Failed dlopen: /usr/krb5/lib/libkrb5.a(libkrb5.a.so): 0509-022 Cannot load module /usr/krb5/lib/libkrb5.a(libkrb5.a.so).
    0509-026 System error: A file or directory in the path name does not exist.

    debug1: Error loading Kerberos, disabling Kerberos auth.
    debug1: Connecting to kwt http://172.16.130.208 port 22.
    debug1: Connection established.
    debug1: permanently_set_uid: 0/0
    debug1: identity file /.ssh/identity type -1
    debug1: identity file /.ssh/id_rsa type 1
    debug1: identity file /.ssh/id_dsa type 2
    debug1: Remote protocol version 1.99, remote software version OpenSSH_4.1
    debug1: match: OpenSSH_4.1 pat OpenSSH_4*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_5.2
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: Entering the function :kex_choose_conf

    debug1: kex: server->client aes128-ctr hmac-md5 none
    debug1: kex: client->server aes128-ctr hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Host 'kwt' is known and matches the RSA host key.
    debug1: Found key in /.ssh/known_hosts:237
    debug1: ssh_rsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey,password,keyboard-interactive
    debug1: Next authentication method: publickey
    debug1: The Key: 0

    debug1: Trying private key: /.ssh/identity
    debug1: After function load_identity_file

    debug1: The Key: 1

    debug1: Offering public key: /.ssh/id_rsa
    debug1: Authentications that can continue: publickey,password,keyboard-interactive
    debug1: The Key: 2

    debug1: Offering public key: /.ssh/id_dsa
    debug1: Authentications that can continue: publickey,password,keyboard-interactive
    debug1: Next authentication method: keyboard-interactive
    debug1: Authentications that can continue: publickey,password,keyboard-interactive
    debug1: Next authentication method: password
    root@kwt's password:
    ********************************************************

    The ~/.ssh directory has chmod 700
    The ~/.ssh/authorized_keys has chmod 644
    Both keys (dsa & rsa) are added to authorized_keys.
    But a ssh to localhost are with passwort logon, too.

    ********************************************************
    p51a003p:/>ssh -v localhost
    OpenSSH_4.1p1, OpenSSL 0.9.7g 11 Apr 2005
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Failed dlopen: /usr/krb5/lib/libkrb5.a(libkrb5.a.so): 0509-022 Cannot load module /usr/krb5/lib/libkrb5.a(libkrb5.a.so).
    0509-026 System error: A file or directory in the path name does not exist.

    debug1: Error loading Kerberos, disabling Kerberos auth.
    debug1: Connecting to localhost http://127.0.0.1 port 22.
    debug1: Connection established.
    debug1: permanently_set_uid: 0/0
    debug1: identity file /.ssh/identity type -1
    debug1: identity file /.ssh/id_rsa type 1
    debug1: identity file /.ssh/id_dsa type 2
    debug1: Remote protocol version 1.99, remote software version OpenSSH_4.1
    debug1: match: OpenSSH_4.1 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_4.1
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-cbc hmac-md5 none
    debug1: kex: client->server aes128-cbc hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Host 'localhost' is known and matches the RSA host key.
    debug1: Found key in /.ssh/known_hosts:18
    debug1: ssh_rsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey,password,keyboard-interactive
    debug1: Next authentication method: publickey
    debug1: Trying private key: /.ssh/identity
    debug1: Offering public key: /.ssh/id_rsa
    debug1: Authentications that can continue: publickey,password,keyboard-interactive
    debug1: Offering public key: /.ssh/id_dsa
    debug1: Authentications that can continue: publickey,password,keyboard-interactive
    debug1: Next authentication method: keyboard-interactive
    debug1: Authentications that can continue: publickey,password,keyboard-interactive
    debug1: Next authentication method: password
    root@localhost's password:
    ********************************************************

    has anyone a suggestion?

    regards
    chris
  • JohnPrabhu
    JohnPrabhu
    1 Post

    Re: SSH Without Password

    ‏2013-05-09T10:54:52Z  
    Hi Saleem,

    I hope the following steps will be helpful to you --

    1. Create a public ssh key, if you haven’t one already.

    Look at ~/.ssh. If you see a file named id_dsa.pub then you obviously already have a public key. If not, simply create one. ssh-keygen -t dsa should do the trick.

    Please note that there are other types of keys, e.g. RSA instead of DSA. I simply recomend DSA, but keep that in mind if you run into errors.
    2. Make sure your .ssh dir is 700:
    chmod 700 ~/.ssh
    3. Get your public ssh key on the server you want to login automatically.
    A simple scp ~/.ssh/id_dsa.pub remoteuser@remoteserver.com: is ok.
    4. Append the contents of your public key to the ~/.ssh/authorized_keys and remove it.

    Important: This must be done on the server you just copied your public key to. Otherwise you wouldn’t have had to copy it on your server.

    Simply issue something like ---
    cat id_dsa.pub >> .ssh/authorized_keys while at your home directory.
    5. Instead of steps 3 and 4, you can issue something like this:

    cat ~/.ssh/id_dsa.pub | ssh -l remoteuser remoteserver.com 'cat >> ~/.ssh/authorized_keys'
    6. Remove your public key from the home directory on the server.
    7. Done!
    You can now login:

    ssh -l remoteuser remoteserver.com or ssh remoteuser@remoteserver.com

    without getting asked for a password.

    That’s all you need to do.

    I tried the above said. but still system asking for the password.

  • curenpc
    curenpc
    1 Post

    Re: SSH Without Password

    ‏2013-08-06T00:27:23Z  

    Check unsuccessful_login_count in /etc/security/lastlog.  In my case it was 12.  I set it back to 0, things worked.