hello list
I have a network mounted home directory shared between all hosts on my network:
[bluethundr@LCENT03:~]#df -h
Filesystem                        Size  Used Avail Use% Mounted on
/dev/mapper/VolGroup00-LogVol00   140G  4.4G  128G   4% /
/dev/sda1                          99M   35M   60M  37% /boot
tmpfs                             1.6G     0  1.6G   0% /dev/shm
nas.summitnjhome.com:/mnt/nas     903G  265G  566G  32% /mnt/nas
nas2.summitnjhome.com:/mnt/store  1.4T  187G  1.1T  15% /mnt/store
nas2.summitnjhome.com:/mnt/home   903G   47G  784G   6% /home
none                              1.6G  136K  1.6G   1% /var/lib/xenstored
So therefore my RSA key should already be in my authorized_keys on any host. However, logging into the virtual network, I always get prompted for a password. Just for the heck of it, I scp'd the key over again to one of the virtual hosts:
[bluethundr@LCENT03:~]#scp .ssh/id_rsa.pub virt1:~
bluethundr@virt1's password:
id_rsa.pub                                    100%  381     0.4KB/s   00:00
ssh'd in:
[bluethundr@LCENT03:~]#ssh virt1
bluethundr@virt1's password:
Last login: Tue Nov 16 15:57:24 2010 from 192.168.1.46
Searched for the key on the host I just ssh'd into:
[bluethundr@VIRTCENT01:~]#grep -f id_rsa.pub .ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABI-FAKE-DATA-dgjIWxnyplIYKE5IQw9FY2+IVsYw==
As you can see, it's already there. I then checked the modes on authorized_keys:
[bluethundr@VIRTCENT01:~]#ls -l .ssh/authorized_keys
-rw------- 1 1001 1002 1597 Nov 15 12:02 .ssh/authorized_keys
And checked that I was using the same shared network mounted home directory from the machine I just ssh'd in from:
[bluethundr@VIRTCENT01:~]#df -h
Filesystem                        Size  Used Avail Use% Mounted on
/dev/mapper/VolGroup00-LogVol00   9.1G  1.8G  6.9G  21% /
/dev/xvda1                         99M   20M   75M  21% /boot
tmpfs                             129M     0  129M   0% /dev/shm
nas.summitnjhome.com:/mnt/nas     903G  265G  566G  32% /mnt/nas
nas2.summitnjhome.com:/mnt/store  1.4T  187G  1.1T  15% /mnt/store
nas2.summitnjhome.com:/mnt/home   903G   47G  784G   6% /home
[bluethundr@VIRTCENT01:~]#
Considering that this key is internal network only and doesn't have a passphrase set (it does not traverse internet boundaries), why on earth am I being prompted for a password whenever I ssh into this machine?
thanks!
A few things to look for:
Make sure .ssh and authorized_keys are permissioned to 700 and 600 respectively. If they are wide open then ssh will skip them.
Check /var/log/secure on both machines. That may give you a clue.
ssh with -vvv (or just -v) and see if you get errors.
I just had the same thing and my problem was .ssh permissions.
Hope this helps.
John
On Tue, Nov 16, 2010 at 16:05, bluethundr bluethundr@gmail.com wrote:
> hello list
> I have a network mounted home directory shared between all hosts on my network:
> [bluethundr@LCENT03:~]#df -h
> Filesystem                        Size  Used Avail Use% Mounted on
> /dev/mapper/VolGroup00-LogVol00   140G  4.4G  128G   4% /
> /dev/sda1                          99M   35M   60M  37% /boot
> tmpfs                             1.6G     0  1.6G   0% /dev/shm
> nas.summitnjhome.com:/mnt/nas     903G  265G  566G  32% /mnt/nas
> nas2.summitnjhome.com:/mnt/store  1.4T  187G  1.1T  15% /mnt/store
> nas2.summitnjhome.com:/mnt/home   903G   47G  784G   6% /home
> none                              1.6G  136K  1.6G   1% /var/lib/xenstored
> So therefore my RSA key should already be in my authorized_keys on any host. However, logging into the virtual network, I always get prompted for a password. Just for the heck of it, I scp'd the key over again to one of the virtual hosts:
> [bluethundr@LCENT03:~]#scp .ssh/id_rsa.pub virt1:~
> bluethundr@virt1's password:
> id_rsa.pub                                    100%  381     0.4KB/s   00:00
> ssh'd in:
> [bluethundr@LCENT03:~]#ssh virt1
> bluethundr@virt1's password:
> Last login: Tue Nov 16 15:57:24 2010 from 192.168.1.46
> Searched for the key on the host I just ssh'd into:
> [bluethundr@VIRTCENT01:~]#grep -f id_rsa.pub .ssh/authorized_keys
> ssh-rsa AAAAB3NzaC1yc2EAAAABI-FAKE-DATA-dgjIWxnyplIYKE5IQw9FY2+IVsYw==
> As you can see, it's already there. I then checked the modes on authorized_keys:
> [bluethundr@VIRTCENT01:~]#ls -l .ssh/authorized_keys
> -rw------- 1 1001 1002 1597 Nov 15 12:02 .ssh/authorized_keys
> And checked that I was using the same shared network mounted home directory from the machine I just ssh'd in from:
> [bluethundr@VIRTCENT01:~]#df -h
> Filesystem                        Size  Used Avail Use% Mounted on
> /dev/mapper/VolGroup00-LogVol00   9.1G  1.8G  6.9G  21% /
> /dev/xvda1                         99M   20M   75M  21% /boot
> tmpfs                             129M     0  129M   0% /dev/shm
> nas.summitnjhome.com:/mnt/nas     903G  265G  566G  32% /mnt/nas
> nas2.summitnjhome.com:/mnt/store  1.4T  187G  1.1T  15% /mnt/store
> nas2.summitnjhome.com:/mnt/home   903G   47G  784G   6% /home
> [bluethundr@VIRTCENT01:~]#
> Considering that this key is internal network only and doesn't have a passphrase set (it does not traverse internet boundaries), why on earth am I being prompted for a password whenever I ssh into this machine?
> thanks!
> Here's my RSA Public key: gpg --keyserver pgp.mit.edu --recv-keys 5A4873A9
Share and enjoy!!
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
bluethundr wrote:
> hello list
> I have a network mounted home directory shared between all hosts on my network:
> <snip>
> So therefore my RSA key should already be in my authorized_keys on any host. However, logging into the virtual network, I always get prompted for a password. Just for the heck of it, I scp'd the key over again to one of the virtual hosts:
> <snip>
> Considering that this key is internal network only and doesn't have a passphrase set (it does not traverse internet boundaries), why on earth am I being prompted for a password whenever I ssh into this machine?
Do you have PermitRootLogin without-password in /etc/ssh/sshd_config?
mark
On Tue, Nov 16, 2010 at 16:31, m.roth@5-cent.us wrote:
> bluethundr wrote:
> > hello list
> > I have a network mounted home directory shared between all hosts on my network:
> > <snip>
> > So therefore my RSA key should already be in my authorized_keys on any host. However, logging into the virtual network, I always get prompted for a password. Just for the heck of it, I scp'd the key over again to one of the virtual hosts:
> > <snip>
> > Considering that this key is internal network only and doesn't have a passphrase set (it does not traverse internet boundaries), why on earth am I being prompted for a password whenever I ssh into this machine?
> Do you have PermitRootLogin without-password in /etc/ssh/sshd_config?
> mark
I would think that would just cause a failed login and not ask for a password then let him in. From reading, it looks like he can SSH, just not without the password...
John
bluethundr wrote, On 11/16/2010 04:05 PM:
> hello list
> I have a network mounted home directory shared between all hosts on my network:
> So therefore my RSA key should already be in my authorized_keys on any host. However, logging into the virtual network, I always get prompted for a password. Just for the heck of it, I scp'd the key over again to one of the virtual hosts:
> [bluethundr@LCENT03:~]#scp .ssh/id_rsa.pub virt1:~
> bluethundr@virt1's password:
> id_rsa.pub                                    100%  381     0.4KB/s   00:00
> ssh'd in:
> [bluethundr@LCENT03:~]#ssh virt1
> bluethundr@virt1's password:
> Last login: Tue Nov 16 15:57:24 2010 from 192.168.1.46
> Considering that this key is internal network only and doesn't have a passphrase set (it does not traverse internet boundaries), why on earth am I being prompted for a password whenever I ssh into this machine?
> thanks!
Assumption 1: the private key is .ssh/id_rsa.priv (on the starting machine).
Assumption 2: you have to tell ssh (actually the ssh agent) which key to use.
Assumption 3: .ssh/id_rsa.priv is readable only by the user.
Assumption 4: someone has not configured the other machine to disallow keyed login (nuts, but could happen. PubkeyAuthentication no?).
Have you done `ssh-add .ssh/id_rsa.priv` before you ssh?
What do `ssh-add -L` and `ssh-add -l` give?
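Mark's question about PermitRootLogin and assumption 4 above both come down to what sshd actually takes from /etc/ssh/sshd_config. The script below is an added example, not code from anyone in this thread: it reports the effective value of a keyword, honouring the sshd rule that the first occurrence of a keyword wins and later ones are ignored, which is an easy way to end up with `PubkeyAuthentication no` in force while a `yes` further down the file looks reassuring. It assumes a file without Match blocks and accepts both the `Keyword value` and `Keyword=value` spellings; the config file in the test is constructed.

```shell
#!/bin/bash
# Added example, not from the thread: report the value sshd will actually use for
# an sshd_config keyword. sshd takes the FIRST occurrence of a keyword, so a later
# "PubkeyAuthentication yes" does not undo an earlier "PubkeyAuthentication no".
# Assumptions: no Match blocks in the file; "Keyword value" or "Keyword=value" form.
#
# Usage: sshd_effective <sshd_config> <Keyword> <default-if-absent>

sshd_effective() {
    local cfg=$1 key=$2 default=$3 val
    val=$(awk -v k="$key" '
        # drop blank lines and comments
        /^[ \t]*$/ || /^[ \t]*#/ { next }
        # allow the Keyword=value spelling, then compare keywords case-insensitively
        { gsub(/=/, " ") }
        tolower($1) == tolower(k) { print $2; exit }
    ' "$cfg")
    printf '%s\n' "${val:-$default}"
}

# The two settings that decide whether an authorized_keys entry can work at all.
# Both default to "yes" when the keyword is absent.
pubkey_auth_enabled() {
    [ "$(sshd_effective "$1" PubkeyAuthentication yes)" = yes ]
}

strict_modes_enabled() {
    [ "$(sshd_effective "$1" StrictModes yes)" = yes ]
}

# Print the keywords the thread asks about; "(default)" means the keyword is absent
# and sshd's compiled-in default applies.
report_sshd_auth_settings() {
    local cfg=$1 k
    for k in PubkeyAuthentication StrictModes PermitRootLogin UsePrivilegeSeparation; do
        printf '%-24s %s\n' "$k" "$(sshd_effective "$cfg" "$k" '(default)')"
    done
}
```

Run it as `report_sshd_auth_settings /etc/ssh/sshd_config` on the target host; if `pubkey_auth_enabled` fails, no amount of permission fixing on the NFS home directory will help.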
On Tue, Nov 16, 2010 at 4:05 PM, bluethundr bluethundr@gmail.com wrote:
> So therefore my RSA key should already be in my authorized_keys on any host. However, logging into the virtual network, I always get prompted for a password. Just for the heck of it, I scp'd the key over again to one of the virtual hosts:
> [snip]
> Considering that this key is internal network only and doesn't have a passphrase set (it does not traverse internet boundaries), why on earth am I being prompted for a password whenever I ssh into this machine?
I've seen this before in NFS mounted home directories, and had to think about it before I realized what was happening.
When you first attempt to login, sshd is running as root. It needs to look at your NFS mounted home directory (which is often set for no root squash) to get the public key. But because it is no root squash, and the perms on your pubkey are probably 700, even root can't read the key. You can verify by logging in as root to the machine and trying to cat out the user's public key. Most likely you cannot, so sshd cannot validate the key.
On Tue, Nov 16, 2010 at 09:12:17PM -0500, Kwan Lowe wrote:
> When you first attempt to login, sshd is running as root. It needs to look at your NFS mounted home directory (which is often set for no root squash) to get the public key. But because it is no root squash,
Depends on the sshd_config; "UsePrivilegeSeparation yes" (which is normally the default) means that phase is run as the destination user and not as root.
On Tue, Nov 16, 2010 at 9:14 PM, Stephen Harris lists@spuddy.org wrote:
> On Tue, Nov 16, 2010 at 09:12:17PM -0500, Kwan Lowe wrote:
> > When you first attempt to login, sshd is running as root. It needs to look at your NFS mounted home directory (which is often set for no root squash) to get the public key. But because it is no root squash,
> Depends on the sshd_config; "UsePrivilegeSeparation yes" (which is normally the default) means that phase is run as the destination user and not as root.
Yes, exactly :) We had to change this to get it to work... Or set the norootsquash option.
On Tue, Nov 16, 2010 at 9:14 PM, Stephen Harris lists@spuddy.org wrote:
> On Tue, Nov 16, 2010 at 09:12:17PM -0500, Kwan Lowe wrote:
> > When you first attempt to login, sshd is running as root. It needs to look at your NFS mounted home directory (which is often set for no root squash) to get the public key. But because it is no root squash,
> Depends on the sshd_config; "UsePrivilegeSeparation yes" (which is normally the default) means that phase is run as the destination user and not as root.
To clarify, the sshd listener runs as root and then drops privileges once the user is authenticated. The issue is specifically the root squash across NFS filesystems which is normally set to disable root privs on the mount (that, and noexec). I.e., even root has no privs to validate the shared key.
On 11/16/2010 06:19 PM, Kwan Lowe wrote:
> On Tue, Nov 16, 2010 at 9:14 PM, Stephen Harris lists@spuddy.org wrote:
> > Depends on the sshd_config; "UsePrivilegeSeparation yes" (which is normally the default) means that phase is run as the destination user and not as root.
> To clarify, the sshd listener runs as root and then drops privileges once the user is authenticated. The issue is specifically the root squash across NFS filesystems which is normally set to disable root privs on the mount (that, and noexec). I.e., even root has no privs to validate the shared key.
You are both incorrect. Key authentication *always* takes place as the user requesting login, regardless of the UsePrivilegeSeparation option.
When using UsePrivilegeSeparation, sshd creates a separate process to handle the crypto and compression bits (primarily) of incoming traffic, in order to prevent privilege escalation. That option does not affect most authentication types (it is documented to interact with UseLogin, which is off by default).
I'm not aware of any configuration where root_squash will prevent users from authenticating with keys.
bluethundr bluethundr@gmail.com wrote:
> [bluethundr@VIRTCENT01:~]#ls -l .ssh/authorized_keys
> -rw------- 1 1001 1002 1597 Nov 15 12:02 .ssh/authorized_keys
By any chance do you have a UID/GID mismatch between machines? I'm not convinced that it would result in the behavior matched, but the fact that 1001 and 1002 above were not resolved made me wonder.
Also, John Kennedy mentioned permissions. Also check for overly open permissions on parent directories all the way up to /.
Devin
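The advice in this thread (John's 700/600 modes, Devin's parent-directory permissions and UID/GID mismatch, and the observation that sshd reads authorized_keys as the target user) can be turned into one check that runs on the target host as the user in question. The script below is an added example and is not code from anyone in the thread. It mirrors what OpenSSH's StrictModes check does: the file and every directory up to the home directory must be owned by the user or root and must not be group- or world-writable, otherwise sshd silently ignores the file. An owner UID that does not match the user's local UID (the unresolved `1001 1002` in the ls output above would look like this if the NFS server and client disagree on IDs) fails the same test. It also confirms the key from id_rsa.pub is really present by comparing the key blob as a fixed string rather than as a regular expression. It assumes GNU stat (with BSD stat as a fallback); every path and key in the test is constructed.

```shell
#!/bin/bash
# Added example, not from the thread: apply the same tests sshd applies to
# ~/.ssh/authorized_keys under StrictModes (file and every directory up to the
# home directory must be owned by the user or root and must not be group- or
# world-writable), flag UID mismatches such as the unresolved "1001 1002" in the
# ls output quoted above, and confirm the key from id_rsa.pub is really listed.
# Assumes GNU stat (BSD stat as fallback). Run it as the user on the target host,
# which is the identity sshd uses to read the file.
#
# Usage: check_authorized_keys <home_dir> <expected_uid> [id_rsa.pub]
# Returns 0 if sshd would accept the file, 1 otherwise.

mode_and_owner() {
    # print "octal_mode uid" for a path
    stat -c '%a %u' "$1" 2>/dev/null || stat -f '%Lp %u' "$1"
}

check_authorized_keys() {
    local home=$1 want_uid=$2 pub=${3:-}
    local ak="$home/.ssh/authorized_keys" rc=0 p mode owner blob

    if [ ! -f "$ak" ]; then
        echo "FAIL: $ak does not exist"
        return 1
    fi

    # Walk from the file up to the home directory, as sshd does.
    p=$ak
    while :; do
        set -- $(mode_and_owner "$p")
        mode=${1:-0} owner=${2:-unknown}
        if [ "$owner" != "$want_uid" ] && [ "$owner" != 0 ]; then
            echo "FAIL: $p owned by uid $owner, expected $want_uid (or root)"
            rc=1
        fi
        # 022 = group-write | other-write; bash reads a leading 0 as octal
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "FAIL: $p mode $mode is group- or world-writable"
            rc=1
        fi
        [ "$p" = "$home" ] && break
        p=$(dirname "$p")
        [ "$p" = "/" ] && break    # safety stop if home is not an ancestor of the file
    done

    # Not fatal for sshd, but the thread's advice is 700 on .ssh and 600 on the file.
    for p in "$home/.ssh" "$ak"; do
        set -- $(mode_and_owner "$p")
        if [ $(( 0${1:-0} & 077 )) -ne 0 ]; then
            echo "WARN: $p mode $1 is accessible to others; 700 for .ssh and 600 for authorized_keys are the usual settings"
        fi
    done

    # Key presence: compare the base64 blob as a fixed string (grep -F), since
    # grep -f treats each line of the key file as a regular expression.
    if [ -n "$pub" ]; then
        blob=$(awk 'NF >= 2 { print $2; exit }' "$pub")
        if [ -n "$blob" ] && grep -F -q -- "$blob" "$ak"; then
            echo "OK: key from $pub is listed in $ak"
        else
            echo "FAIL: key from $pub is not in $ak"
            rc=1
        fi
    fi
    return $rc
}
```

Typical use on the virtual host is `check_authorized_keys "$HOME" "$(id -u)" ~/id_rsa.pub`. A FAIL on ownership with a numeric UID that is not yours points at the NFS ID mapping rather than at the modes; a clean run with the login still prompting for a password points back at sshd_config or at `ssh -vvv` on the client side.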