[lug] commands over ssh
Hugh Brown
hugh at vecna.com
Thu Jan 10 19:10:42 MST 2002
I do this a fair amount.
My .ssh/config has this in it:
Host *
ForwardAgent yes
ForwardX11 yes
RhostsAuthentication no
RhostsRSAAuthentication yes
RSAAuthentication yes
PasswordAuthentication no
FallBackToRsh no
UseRsh no
# BatchMode no
CheckHostIP yes
StrictHostKeyChecking no
IdentityFile ~/.ssh/id_dsa
IdentityFile ~/.ssh/identity
IdentityFile ~/.ssh/id_rsa
Port 22
Protocol 2
Cipher blowfish
EscapeChar ~
The sshd_config on the receiving end has this on it:
Port 22
HostKey /etc/ssh/ssh_host_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
ServerKeyBits 768
LoginGraceTime 600
KeyRegenerationInterval 3600
IgnoreRhosts yes
StrictModes yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd yes
KeepAlive yes
SyslogFacility AUTHPRIV
LogLevel INFO
RhostsAuthentication no
RhostsRSAAuthentication no
HostbasedAuthentication no
RSAAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
All of this is with OpenSSH.
I would definitely add a -v to see what is going on. I would also make
sure that authorized_keys2 is in ~user/.ssh/ dir and that it has
appropriate permissions (644 is what I have).
If you have root on the machine you are logging into, you should look at
the /var/log/secure log.
Hugh
On Thu, 2002-01-10 at 17:26, David wrote:
> Can anyone help with this problem please?
> dajo
>
> I am trying to use ssh to run a command on a remote machine without the need
> to supply a password to that machine. I can do the first part, but my efforts
> to use ssh, ssh-agent, and ssh-add to eliminate the password have failed.
>
> Here is, what I take to be, the key part from the man page for ssh; but note
> that I am trying to use protocol 2.
>
> ssh implements the RSA authentication protocol automatically. The user
> creates his/her RSA key pair by running ssh-keygen(1). This stores the
> private key in $HOME/.ssh/identity and the public key in
> $HOME/.ssh/identity.pub in the user's home directory. The user should
> then copy the identity.pub to $HOME/.ssh/authorized_keys in his/her home
> directory on the remote machine (the authorized_keys file corresponds to
> the conventional $HOME/.rhosts file, and has one key per line, though the
> lines can be very long). After this, the user can log in without giving
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> the password.
> ^^^^^^^^^^^^
> I ran "ssh-keygen -t rsa" and got the appropriate files in my directory:
>
> -rw------- 1 dajo dajomen 887 Jan 9 12:28 id_rsa
> -rw-r--r-- 1 dajo dajomen 219 Jan 9 12:28 id_rsa.pub
> -rw-r--r-- 1 dajo dajomen 1.1k Jan 10 14:18 known_hosts2
> local dajo ~
>
> I copied id_rsa.pub to the remote machine and renamed the file:
>
> total 4.0k
> -rw------- 1 dajo dajo 219 Jan 10 12:05 authorized_keys2
> remote dajo ~
>
> Here is what happens when I try to set-up and use ssh to run ls on the remote
> machine; I have added notes #.
>
> # A fresh start.
> local dajo ~ ssh-add
> Could not open a connection to your authentication agent.
>
> # The environment, stuff deleted.
> local dajo ~ env
> PWD=/home/dajo
> HOSTNAME=local
> <snip>
> SSH_ASKPASS=/usr/libexec/openssh/gnome-ssh-askpass
> <snip>
>
> # Start the agent.
> local dajo ~ ssh-agent
> SSH_AUTH_SOCK=/tmp/ssh-XX9X7ghy/agent.7106; export SSH_AUTH_SOCK;
> SSH_AGENT_PID=7107; export SSH_AGENT_PID;
> echo Agent pid 7107;
>
> # Eval the variables.
> local dajo ~ SSH_AUTH_SOCK=/tmp/ssh-XX9X7ghy/agent.7106; export SSH_AUTH_SOCK;
> SSH_AGENT_PID=7107; export SSH_AGENT_PID;
>
> # The environment, stuff deleted.
> local dajo ~ local dajo ~ local dajo ~ env
> PWD=/home/dajo
> HOSTNAME=local
> <snip>
> SSH_AGENT_PID=7107
> <snip>
> SSH_ASKPASS=/usr/libexec/openssh/gnome-ssh-askpass
> SSH_AUTH_SOCK=/tmp/ssh-XX9X7ghy/agent.7106
> <snip>
>
> # The agent is there.
> local dajo ~ ssh-add -l
> The agent has no identities.
>
> # Add the key.
> local dajo ~ ssh-add
> Identity added: /home/dajo/.ssh/id_rsa (/home/dajo/.ssh/id_rsa)
>
> # Here it is.
> local dajo ~ ssh-add -l
> 1024 a3:bf:0c:1f:44:dc:72:88:3a:95:5d:20:d4:a7:55:1b /home/dajo/.ssh/id_rsa (RSA)
>
> # Try to run ls on remote; password requested - !
> local dajo ~ ssh -i /home/dajo/.ssh/id_rsa remote.uchsc.edu 'ls -la'
> dajo at remote.uchsc.edu's password:
>
> # Whoops!
> local dajo ~ unset
>
> # I meant this.
> local dajo ~ unset SSH_ASKPASS
>
> # The environment, stuff deleted. No SSH_ASKPASS.
> local dajo ~ env
> PWD=/home/dajo
> HOSTNAME=local
> <snip>
> SSH_AGENT_PID=7107
> SSH_AUTH_SOCK=/tmp/ssh-XX9X7ghy/agent.7106
> <snip>
>
> # Still no joy.
> local dajo ~ ssh -i /home/dajo/.ssh/id_rsa remote.uchsc.edu 'ls -la'
> dajo at remote.uchsc.edu's password:
> local dajo ~
>
> # Also.
> ssh -2 -i /home/dajo/.ssh/id_rsa remote.uchsc.edu 'ls -la'
> dajo at remote.uchsc.edu's password:
>
> # The ls works if I provide the password.
>
>
> _______________________________________________
> Web Page: http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
--
------------------------------------
System Administrator/Unix Consultant
hugh at vecna.com
Vecna Technologies, Inc
6525 Belcrest Rd, Suite 612
Hyattsville MD, 20782
301.864.7253
http://www.vecna.com
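
Added example, not part of the original post and not OpenSSH code: a shell check for the permission advice above, run as the account owner on the machine being logged into. It assumes that with "StrictModes yes" (as in the sshd_config shown) sshd refuses a key file when the home directory, ~/.ssh, or the key file is not owned by the user or is group- or world-writable; the function names are hypothetical.

```shell
#!/bin/sh
# Approximation of the sshd "StrictModes yes" file checks (assumption: ownership
# plus "not group/world-writable" on home, ~/.ssh and the authorized keys file).
# Usage, as the account owner on the remote machine: check_strictmodes "$HOME"

# Report one path; return 1 if it is missing, not ours, or group/world-writable.
path_is_strict() {
    p=$1
    [ -e "$p" ] || { echo "MISSING   $p"; return 1; }
    [ -O "$p" ] || { echo "NOT-OWNED $p"; return 1; }
    # First 10 characters of ls -l output: type, then rwx for user/group/other.
    mode=$(ls -ld "$p" | cut -c1-10)
    case $mode in
        # Character 6 is group-write, character 9 is other-write.
        ?????w*|????????w*) echo "WRITABLE  $p ($mode)"; return 1 ;;
    esac
    echo "OK        $p ($mode)"
}

# Check the home directory, ~/.ssh, and whichever authorized keys file exists
# (authorized_keys2 is the protocol 2 file name used in this thread).
check_strictmodes() {
    home=${1:-$HOME}
    rc=0
    path_is_strict "$home" || rc=1
    path_is_strict "$home/.ssh" || rc=1
    found=0
    for f in authorized_keys authorized_keys2; do
        if [ -e "$home/.ssh/$f" ]; then
            found=1
            path_is_strict "$home/.ssh/$f" || rc=1
        fi
    done
    [ "$found" -eq 1 ] || { echo "MISSING   $home/.ssh/authorized_keys{,2}"; rc=1; }
    return $rc
}
```

Under that assumption both the 644 and the 600 modes that appear in this thread pass; a mode such as 664 on the key file or 775 on the home directory is reported as WRITABLE.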