Problems with passwordless ssh/scp (W2K client , Solaris 8 server).

From: David Liber <david.liber(at)the401kcompany.com>
Date: Tue Jul 29 2003 - 18:47:12 EDT

Hi,

I am trying to use a passwordless ssh/scp from some ANT scripts. That is I want to be able to execute ssh and scp from my ANT scripts at night time, when I am not around to type in passwords.

So far I have tried few things, and none of them worked. Here is my configuration for the ssh client and server. At this point I am not sure where to take it from here to get it going:

1. W2K client. Installed cygwin with the latest ssh (OpenSSH_3.6.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090702f).
2. Generated a public key by running 'ssh-keygen -t rsa'. Left passphrase *empty* (this is to avoid password prompting). As the result, a private key file 'id_rsa' and public key file 'id_rsa.pub' will be generated in your ${HOME}/.ssh directory.
3. I then scp-ed the id_rsa.pub file to the remote UNIX ssh server machine. On the remote server machine I copied the is_rsa.pub to ~/.ssh/authorized_keys2
4. The SSH server configuration is a pretty standard configuration (Solaris 8): <<< $ pwd /etc/ssh $ ssh -V OpenSSH_3.5p1, SSH protocols 1.5/2.0, OpenSSL 0x0090700f $ cat ssh_config
   # $OpenBSD: ssh_config,v 1.16 2002/07/03 14:21:05 markus Exp $
   

# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for various options

Host *
# ForwardAgent no

  ForwardX11 yes
# RhostsAuthentication no
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
# EscapeChar ~

$
>>>
5) When I try now the "ssh -l username SSHSERVERNAME" I am still prompted for a password.

Any ideas on how I can have the password disabled for the ssh/scp and what I did wrong so far?

Thanks,
David

<<< Here is the excerpt from the verbose command that may show why I cannot perform the passwordless commands

$ ssh -v -l tuxedo tuxstage3
OpenSSH_3.6.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090702f debug1: Rhosts Authentication disabled, originating port will not be trusted.

debug1: Connecting to tuxstage3 [192.168.186.67] port 22.
debug1: Connection established.
debug1: identity file /cygdrive/c/.ssh/identity type -1
debug1: identity file /cygdrive/c/.ssh/id_rsa type 1
debug1: identity file /cygdrive/c/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.5p1
debug1: match: OpenSSH_3.5p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.6.1p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'tuxstage3' is known and matches the RSA host key.
debug1: Found key in /cygdrive/c/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue:

publickey,password,keyboard-interactive

debug1: Next authentication method: publickey
debug1: Trying private key: /cygdrive/c/.ssh/identity
debug1: Offering public key: /cygdrive/c/.ssh/id_rsa
debug1: Authentications that can continue:

publickey,password,keyboard-interactive

debug1: Trying private key: /cygdrive/c/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue:

publickey,password,keyboard-interactive
debug1: Next authentication method: password tuxedo@tuxstage3's password:
>>>

At the red signing location above I actually expected to get something back from the SSH server such below (sign that it worked), but I didn't and I cannot figure out why:
<<<

debug1: Next authentication method: publickey
debug1: Trying private key: /cygdrive/c/.ssh/ident ity
debug1: Offering public key: /cygdrive/c/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 149 lastkey 0x100f90e0 hint 1
Do you need more help?
In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software:
Learn more about Pantek's Technical Support offerings
Place an order for 24/7/365 Technical Support here
Learn more about Pantek, who we are, and what we do
Chat with a Live Operator
Related securityfocus.com Links
bugtraq
certification
focus-bsd
focus-ids
focus-ih
focus-linux
focus-ms
focus-sun
focus-unix-other
focus-virus
forensics
incidents
libnet
linux-secnews
ms-secnews
pen-test
secpapers
secprog
sectools
secureshell
security-basics
securityjobs
sf-news
vuln-dev
webappsec
Request more information about Pantek
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).

>>>

Any help is appreciated... Received on Tue Jul 29 19:08:22 2003