Password connection-less

Hi all!

I need help in reconfiguring password connection-less on 3 servers.

I had this feature on 3 servers, working fine for servers A, B and C, but for some unknown reason, and after a reboot was performed, from server B to server A is asking me for password, the same applies from server C to server A.
I tried to set it up again by generating a public key again, but if I choose to overwrite the already existing file, it might damage the already existing connection between servers A and B and A and C.
Please can someone help?

For server A to accept connections from servers B & C, it needs to have the public keys for the connecting accounts from those two servers in the authorized_keys file owned by the user account on Server A that you are connecting to.

I don't know a reason that a re-boot would affect this. I'm assuming that you are using ssh or sftp etc. Can you complete the process manually, and did it ask you to verify the remote host fingerprint again? That would indicate that the server keys have been regenerated. I suppose that this could happen on a boot if the server had the flag set for a first-time boot when the keys would be generated.

The authorized_keys file also needs to be RW only to the owner, so perhaps this has been undone.

What version of Solaris are you using?

Robin

Hi

Thanks for the response. Yes, I am using ssh, it's Solaris 10, and earlier when I tried to generate a key from server B to A:

```text
ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/nikira_data01/.ssh/id_rsa):
/nikira_data01/.ssh/id_rsa already exists.
Overwrite (yes/no)? no
```

I would respond no

If you are trying to connect to UserA on ServerA, sign on manually and look in the home directory. There should be a directory called .ssh and within there, the file authorized_keys should exist. Do you have that?

The records in this file are made up from the public keys of users that you want to allow to connect. What do you have? This file should be public keys only, so you can happily paste the whole file without compromising your security, but please wrap it in code tags to make it clear.

You should find a record that matches the public key for your user on ServerB. Perhaps send the public key as id_rsa.pub-from-ServerB from the user on ServerB to the user on ServerA and use grep -f id_rsa.pub-from-ServerB authorized_keys to see if you have a matching record.

Hopefully we will be able to work out what's wrong and correct it rather than rebuild everything.

Robin

Hi

From server A to server B, the connection-less is working fine, but from server B to server A, it is asking for a password.
On server A I found in subdir .ssh:

 ls -lrt
total 16
-rw-------   1 nikira   sys          672 Aug  2  2012 id_dsa
-rw-r--r--   1 nikira   sys          608 Aug  2  2012 id_dsa.pub
-rw-------   1 nikira   sys          883 Aug  2  2012 id_rsa
-rw-r--r--   1 nikira   sys          228 Aug  2  2012 id_rsa.pub
-rw-------   1 nikira   sys          834 Aug  2  2012 authorized_keys
-rw-r--r--   1 nikira   sys         2385 May 28  2013 known_hosts
[nikira@nikira-app1 .ssh]$ more authorized_keys
ssh-dss AAAAB3NzaC1kc3MAAACBAKdhkvWHHOe1NC6+5gVCO2tOYUiLumqLo6JemiPFSAoszFvWzwZmhvI2iqIypdTnShZgOr3Hhw5kyKpMal7IjFI8xbhhYIwKNKApcqnBHsnveoJO/9T0UzBVRYJI6HOs7d5z3WraW9/x
YQbB/vkr6T5hV42PK8VO3FStOKMLlUy9AAAAFQDR3exBTJqAPCDoh8j0XvU8JV+utQAAAIAU1iun3lwTDjJXGMOeTM1BpBvabQCSja7sAMXbxF5KBSo+Q9li9XTNxTR3kEjk4fwa0O8QGnCe9MCFslFzaWqzxxycf8MWQKpB
HvqWCpDb+aA6k40E82ESjo2xcwon4dhaWn1wZUGhggg3eZ4c6aExD+EBNEbi+ACKLcekI84eIgAAAIAq3Dy+weU9U4kPPtiHoutM7nlUEeeriJKZQO8AGBVzvqmFlmgm5uD9ZgQxY3YtNPQRTSxyYK4/4mOtH2us0cuGb+ky
jBVakkGO1gktE1ilXzLQpJBS+XwI3f+qDl48e1B08ksluvaluSgb74JJO9oPbSiQJ+4WsoL7e+XhWt8/WQ== nikira@nikira-db
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAwpsUXm7Va18hiwzOBAlfwHU2xdREoBUUqm6fI7iAgt2PRgXa/xMmS9jpURS/hGNwmptk002uglnqGp0sMWcj8RptJBcDP+U6nQb3KqfIY5E15q8Y3S77aX3qdZEgUAFsOyKr
fttlwgz8HGRasCEYpKB2pVyD2+sBTarLCxX+IqM= nikira@nikira-app2

and on server B on the subdir .ssh I found:

 ls -lrt
total 16
-rw-------   1 nikira   sys          668 Aug  2  2012 id_dsa
-rw-r--r--   1 nikira   sys          606 Aug  2  2012 id_dsa.pub
-rw-------   1 nikira   sys          887 Aug  2  2012 id_rsa
-rw-r--r--   1 nikira   sys          228 Aug  2  2012 id_rsa.pub
-rw-------   1 nikira   sys          606 Aug  2  2012 authorized_keys_bkp
-rw-------   1 nikira   sys          834 Aug  2  2012 authorized_keys
-rw-r--r--   1 nikira   sys         1769 Oct  2  2013 known_hosts
[nikira@nikira-app2 .ssh]$ file authorized_keys
authorized_keys:        ascii text
[nikira@nikira-app2 .ssh]$ more authorized_keys
ssh-dss AAAAB3NzaC1kc3MAAACBAKdhkvWHHOe1NC6+5gVCO2tOYUiLumqLo6JemiPFSAoszFvWzwZmhvI2iqIypdTnShZgOr3Hhw5kyKpMal7IjFI8xbhhYIwKNKApcqnBHsnveoJO/9T0UzBVRYJI6HOs7d5z3WraW9/x
YQbB/vkr6T5hV42PK8VO3FStOKMLlUy9AAAAFQDR3exBTJqAPCDoh8j0XvU8JV+utQAAAIAU1iun3lwTDjJXGMOeTM1BpBvabQCSja7sAMXbxF5KBSo+Q9li9XTNxTR3kEjk4fwa0O8QGnCe9MCFslFzaWqzxxycf8MWQKpB
HvqWCpDb+aA6k40E82ESjo2xcwon4dhaWn1wZUGhggg3eZ4c6aExD+EBNEbi+ACKLcekI84eIgAAAIAq3Dy+weU9U4kPPtiHoutM7nlUEeeriJKZQO8AGBVzvqmFlmgm5uD9ZgQxY3YtNPQRTSxyYK4/4mOtH2us0cuGb+ky
jBVakkGO1gktE1ilXzLQpJBS+XwI3f+qDl48e1B08ksluvaluSgb74JJO9oPbSiQJ+4WsoL7e+XhWt8/WQ== nikira@nikira-db
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAoVGzahyKzfOUbuMQ1w4XodHe3eFv0Q2pwRLZEI1g77E67ogFUn+FaDPXqX6jTQlQYIoSyQ3MeLEQN6kxAPLKDZyBQDMTIyORr6ZJaWSgbjON9h+4zdclhlFZelOxiu7wnX/0
QoiaUNLDDiNR7wMLuC4+P7s2IzzGSYeFFAkSsBU= nikira@nikira-app1

So not quite sure what could be wrong!!

Assuming that you are on ServerB as user nikira and connecting to ServerA as nikira too, can you share the content of id_rsa.pub?

Does it match the content of ServerA file authorized_keys?

Robin

the contents of id_rsa.pub on server B are:

 more id_dsa.pub
ssh-dss AAAAB3NzaC1kc3MAAACBAKdhkvWHHOe1NC6+5gVCO2tOYUiLumqLo6JemiPFSAoszFvWzwZmhvI2iqIypdTnShZgOr3Hhw5kyKpMal7IjFI8xbhhYIwKNKApcqnBHsnveoJO/9T0UzBVRYJI6HOs7d5z3WraW9/x
YQbB/vkr6T5hV42PK8VO3FStOKMLlUy9AAAAFQDR3exBTJqAPCDoh8j0XvU8JV+utQAAAIAU1iun3lwTDjJXGMOeTM1BpBvabQCSja7sAMXbxF5KBSo+Q9li9XTNxTR3kEjk4fwa0O8QGnCe9MCFslFzaWqzxxycf8MWQKpB
HvqWCpDb+aA6k40E82ESjo2xcwon4dhaWn1wZUGhggg3eZ4c6aExD+EBNEbi+ACKLcekI84eIgAAAIAq3Dy+weU9U4kPPtiHoutM7nlUEeeriJKZQO8AGBVzvqmFlmgm5uD9ZgQxY3YtNPQRTSxyYK4/4mOtH2us0cuGb+ky
jBVakkGO1gktE1ilXzLQpJBS+XwI3f+qDl48e1B08ksluvaluSgb74JJO9oPbSiQJ+4WsoL7e+XhWt8/WQ== nikira@nikira-db

contents of authorized_keys on server B:

 more authorized_keys
ssh-dss AAAAB3NzaC1kc3MAAACBAKdhkvWHHOe1NC6+5gVCO2tOYUiLumqLo6JemiPFSAoszFvWzwZmhvI2iqIypdTnShZgOr3Hhw5kyKpMal7IjFI8xbhhYIwKNKApcqnBHsnveoJO/9T0UzBVRYJI6HOs7d5z3WraW9/x
YQbB/vkr6T5hV42PK8VO3FStOKMLlUy9AAAAFQDR3exBTJqAPCDoh8j0XvU8JV+utQAAAIAU1iun3lwTDjJXGMOeTM1BpBvabQCSja7sAMXbxF5KBSo+Q9li9XTNxTR3kEjk4fwa0O8QGnCe9MCFslFzaWqzxxycf8MWQKpB
HvqWCpDb+aA6k40E82ESjo2xcwon4dhaWn1wZUGhggg3eZ4c6aExD+EBNEbi+ACKLcekI84eIgAAAIAq3Dy+weU9U4kPPtiHoutM7nlUEeeriJKZQO8AGBVzvqmFlmgm5uD9ZgQxY3YtNPQRTSxyYK4/4mOtH2us0cuGb+ky
jBVakkGO1gktE1ilXzLQpJBS+XwI3f+qDl48e1B08ksluvaluSgb74JJO9oPbSiQJ+4WsoL7e+XhWt8/WQ== nikira@nikira-db
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAoVGzahyKzfOUbuMQ1w4XodHe3eFv0Q2pwRLZEI1g77E67ogFUn+FaDPXqX6jTQlQYIoSyQ3MeLEQN6kxAPLKDZyBQDMTIyORr6ZJaWSgbjON9h+4zdclhlFZelOxiu7wnX/0
QoiaUNLDDiNR7wMLuC4+P7s2IzzGSYeFFAkSsBU= nikira@nikira-app1

the contents of id_rsa.pub of server A are:

 more id_dsa.pub
ssh-dss AAAAB3NzaC1kc3MAAACBANyyRov3poQc1RO+0C8u8pTW5m7PL3GpIYaCnpoVoln4t2V1wR56TYBwf64JQD0KnOs/dHtFx+ImgLLN/wVmUXVQ/B8PCDbnFi/BHqOSItOXw+bwOXkgnZvaKXi9LuDumHqcPrXrQJW2
1+toNoOrBfMPdGuftb1JXPD8iEaErIk7AAAAFQDfzN+vJ+OAcBaVvFxxK7Uy6/rAoQAAAIEAw0vD5EY8LoqOoTrzTfdC/9ljDz3RaTXE8zps4G+OdrZUBCDEXsnKAq/ESyCyQGucnGrFa9qcLjRdp8uWWPaxLNlB0QjUrSNB
TY3qI0tU/MZgz8MpbU/s2JGLMhr5ohPttO8z7fWJVaoVD1F7tiUThSzg1YxZghRUDMW9+lMK3e8AAACBAKlzZZ5npZp5itbOPRMVFgm65RdN+Y8hy09izQOUyLY/SoTsmEKaxub7xo/+FBEnSKUhkoFynpWP0zduQ4eRpGin
3RL/sz+hPK6PeUlAmNoM3elI0+9mJ0YJU4hiksus3W7oPebnO4QQ8ympWyv22jMoAwFRiJ3sczdeDGabI7Kv nikira@nikira-app1

contents of authorized_keys on server A are:

 more authorized_keys
ssh-dss AAAAB3NzaC1kc3MAAACBAKdhkvWHHOe1NC6+5gVCO2tOYUiLumqLo6JemiPFSAoszFvWzwZmhvI2iqIypdTnShZgOr3Hhw5kyKpMal7IjFI8xbhhYIwKNKApcqnBHsnveoJO/9T0UzBVRYJI6HOs7d5z3WraW9/x
YQbB/vkr6T5hV42PK8VO3FStOKMLlUy9AAAAFQDR3exBTJqAPCDoh8j0XvU8JV+utQAAAIAU1iun3lwTDjJXGMOeTM1BpBvabQCSja7sAMXbxF5KBSo+Q9li9XTNxTR3kEjk4fwa0O8QGnCe9MCFslFzaWqzxxycf8MWQKpB
HvqWCpDb+aA6k40E82ESjo2xcwon4dhaWn1wZUGhggg3eZ4c6aExD+EBNEbi+ACKLcekI84eIgAAAIAq3Dy+weU9U4kPPtiHoutM7nlUEeeriJKZQO8AGBVzvqmFlmgm5uD9ZgQxY3YtNPQRTSxyYK4/4mOtH2us0cuGb+ky
jBVakkGO1gktE1ilXzLQpJBS+XwI3f+qDl48e1B08ksluvaluSgb74JJO9oPbSiQJ+4WsoL7e+XhWt8/WQ== nikira@nikira-db
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAwpsUXm7Va18hiwzOBAlfwHU2xdREoBUUqm6fI7iAgt2PRgXa/xMmS9jpURS/hGNwmptk002uglnqGp0sMWcj8RptJBcDP+U6nQb3KqfIY5E15q8Y3S77aX3qdZEgUAFsOyKr
fttlwgz8HGRasCEYpKB2pVyD2+sBTarLCxX+IqM= nikira@nikira-app2

In the file id_rsa.pub of server B, the last line mentions server C, which is nikira-db, but on server A, the last line shows nikira-app1, which is server A.

Compare the security settings on the home directory between the server where private/public key works with the one where it does not work. If the public write and execute flags are turned on for the home directory then private/public key sign on won't work.

The public/private keys are in the nikira_data01 directory on both servers, but on server A:

```text
drwxrwxrwx   8 nikira   sys       122368 Feb 10 13:21 nikira_data01
```

and on server B:

```text
drwxr-xr-x   6 nikira   sys          512 Aug 28  2012 nikira_data01
```

so they are not the same permission-wise.

Yes. Turn off write for group and world for server A and test again.


Is nikira_data01 the home directory of your user? What are the permissions of the .ssh directory? Perhaps they are the issue.

Robin
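The permission checks raised in the replies above (home directory, .ssh and authorized_keys must not be writable by group or world), as an added example that is not part of the original thread. It assumes a POSIX shell and an sshd that enforces strict mode checking; the function names and the temporary demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): flag the permission problem found above.
# Modes are read from `ls -ld`, so the script needs no stat(1).

# writable_by_others PATH: succeed if group or world has write permission.
writable_by_others() {
    mode=$(ls -ld "$1" 2>/dev/null | awk '{ print $1 }')
    [ -n "$mode" ] || return 2
    # mode looks like drwxrwxrwx: char 6 is group write, char 9 is world write
    case "$mode" in
        ?????w*|????????w*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_ssh_perms HOME_DIR: print one line per path, return number of failures.
audit_ssh_perms() {
    bad=0
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING  $p"; bad=$((bad + 1))
        elif writable_by_others "$p"; then
            echo "TOO-OPEN $p  (fix: chmod go-w $p)"; bad=$((bad + 1))
        else
            echo "ok       $p"
        fi
    done
    return $bad
}

# Constructed demo: a home directory with server A's drwxrwxrwx mode,
# audited before and after the chmod that resolved the thread.
demo_audit() {
    d=$(mktemp -d) || return 2
    mkdir "$d/.ssh" && : > "$d/.ssh/authorized_keys"
    chmod 700 "$d/.ssh"; chmod 600 "$d/.ssh/authorized_keys"; chmod 777 "$d"
    before=0; audit_ssh_perms "$d" || before=$?
    chmod 755 "$d"
    after=0; audit_ssh_perms "$d" || after=$?
    rm -rf "$d"
    echo "failures before=$before after=$after"
}
```

Run `audit_ssh_perms /nikira_data01` as the account owner on the server that keeps asking for a password; ownership of the three paths is not checked here.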

Hi Gandolf989!
Thank you very much, your suggestion worked perfectly :)

NOTE: just to be safe, after you fix it, change the keys.


how do I change the keys?

Just remove the id_rsa and id_rsa_vl58.pub files from your ~/.ssh directory as well as remove the public key from the authorized files on any server where it can connect with the key. Then generate a new key and put the public key on any server where you want to log in without a password.

```text
ssh-keygen -t rsa -b 2048
```

Once you have it working, and BEFORE you delete the other key, script a key distro script to push the new keys. THEN delete the old ones. :)
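The rotation order described in the last two replies (add the new public key first, remove the old one last), as an added example that is not part of the original thread. It edits an authorized_keys file in place without touching other entries; it assumes a POSIX shell with POSIX grep and awk, and the function names and key strings are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Keys are matched on the base64 blob,
# the 2nd field of a .pub file, so a differing comment does not matter.

key_blob() { awk 'NF >= 2 { print $2; exit }' "$1"; }

# add_key AUTHFILE PUBFILE: append the key unless its blob is already listed.
add_key() {
    blob=$(key_blob "$2"); [ -n "$blob" ] || return 2
    ( umask 077; touch "$1" ) || return 2
    if grep -F -- "$blob" "$1" >/dev/null; then return 0; fi
    # Guard against a last line with no newline, which would fuse two keys.
    if [ -s "$1" ] && [ -n "$(tail -c 1 "$1")" ]; then echo >> "$1"; fi
    cat "$2" >> "$1"
}

# remove_key AUTHFILE PUBFILE: drop every line carrying that blob.
remove_key() {
    blob=$(key_blob "$2"); [ -n "$blob" ] || return 2
    tmp="$1.tmp.$$"
    # grep -v exits 1 when nothing is left over; only >1 is a real error.
    ( umask 077
      grep -v -F -- "$blob" "$1" > "$tmp" || [ $? -eq 1 ] ) || { rm -f "$tmp"; return 2; }
    mv "$tmp" "$1"
}

# Constructed demo: old key in place, new key added, old key removed last.
demo_rotation() {
    d=$(mktemp -d) || return 2
    echo "ssh-rsa AAAAconstructedOLDkey nikira@old" > "$d/old.pub"
    echo "ssh-rsa AAAAconstructedNEWkey nikira@new" > "$d/new.pub"
    echo "ssh-dss AAAAconstructedOTHERkey other@host" > "$d/authorized_keys"
    cat "$d/old.pub" >> "$d/authorized_keys"
    add_key "$d/authorized_keys" "$d/new.pub" &&
    add_key "$d/authorized_keys" "$d/new.pub" &&   # second call is a no-op
    remove_key "$d/authorized_keys" "$d/old.pub" &&
    cat "$d/authorized_keys"
    rc=$?; rm -rf "$d"; return $rc
}
```

Between `add_key` and `remove_key`, confirm that a login with the new private key succeeds, so a failed distribution never leaves the account without a working key.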