Issues with automating SFTP
Hi
We are trying to set up a non-interactive sftp to one of our clients to be able to transfer files to them. For the setup I logged into server1 as user1 and generated RSA public and private keys id_rsa and id_rsa.pub. Then I did an sftp to server2 as user2 and put the id_rsa.pub in the .ssh folder as authorized_keys. Then when I try to do an sftp from server1 (logged in as user1) to server2 as user2 I get prompted for the password.
These are the sshd_config parameters on server2:
IgnoreRhosts yes
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
PubkeyAuthentication yes
One interesting this that I have noticed is that when I connect via. sftp to server2 as user2 for the first time I get the message:
The authenticity of host '<server2>' can't be established.
DSA key fingerprint is <some numbers>
Are you sure you want to continue connecting (yes/no)?
and the known_hosts file is created with a key starting with ssh-dss. When I am creating an RSA key pair why is my server creating a DSA key fingerprint? Is that right/expected behaviour?
I did a -vvv on the sftp to server2 to try to detect what my problem was and noticed that the RSA key is not being detected.This is the version of SSH on the server
server1:user1:> ssh -V
Sun_SSH_1.1, SSH protocols 1.5/2.0, OpenSSL 0x0090704f
Part of the logging that I captured. I can send you the complete one if you need it:
server1:user1:> sftp -vvv user2@server2
Connecting to server2...
Sun_SSH_1.1, SSH protocols 1.5/2.0, OpenSSL 0x0090704f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to server2 port 22.
debug1: Connection established.
debug3: Not a RSA1 key file /abcd/./files/mgr/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: no key found
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: no key found
debug1: identity file /abcd/./files/mgr/.ssh/id_rsa type 1
debug1: identity file /abcd/./files/mgr/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version ReflectionForSecureIT_6.1.0.16
debug1: no match: ReflectionForSecureIT_6.1.0.16
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-Sun_SSH_1.1
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes128-cbc,arcfour,3des-cbc,blowfish-cbc
debug2: kex_parse_kexinit: aes128-ctr,aes128-cbc,arcfour,3des-cbc,blowfish-cbc
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: i-default
debug2: kex_parse_kexinit: i-default
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
I have spent a lot of time on this without any success. I don't know if I am missing something very obvious here. Any response would be appreciated.
Re: Issues with automating SFTP
To setup non-interactvie SSH RSA Keys I use the following procedure:
First, install OpenSSH on two UNIX machines, hurly and burly.
This works best using DSA keys and SSH2 by default as far as I can tell.
All the other HOWTOs I've seen seem to deal with RSA keys and SSH1, and the instructions not surprisingly fail to work with SSH2.
2. On each machine type ssh somemachine.example.com and make a connection with your
regular password. This will create a .ssh dir in your home directory with the proper perms.
3. On your primary machine where you want your secret keys to live (let's say hurly), type
ssh-keygen -t dsa
This will prompt you for a secret passphrase. If this is your primary identity
key, make sure to use a good passphrase. If this works right you will get two files
called id_dsa and id_dsa.pub in your .ssh dir.
Note: it is possible to just press the enter key when prompted for a passphrase, which will make a key with no passphrase.
This is a Bad Idea ™ for an identity key, so don't do it!
See below for uses of keys without passphrases.
4. scp ~/.ssh/id_dsa.pub burly:.ssh/authorized_keys2
Copy the id_dsa.pub file to the other host's .ssh dir with the name
authorized_keys2.
5. Now burly is ready to accept your ssh key. How to tell it which keys to use? The ssh-add
command will do it. For a test, type
ssh-agent sh -c 'ssh-add < /dev/null && bash'
This will start the ssh-agent, add your default identity(prompting you for
your passphrase), and spawn a bash shell. From this new shell you should be able
to:
ssh burly
This should let you in without typing a password or passphrase. Hooray!
You can ssh and scp all you want from this bash shell and not have to type any
password or passphrase.
