Bizarre passwordless scp problem, help - SSH


  1. Bizarre passwordless scp problem, help

    If anybody can help me with this it would be appreciated.

    I'm attempting to do scp to another machine via a script invoked by a
    cronjob, therefore it must be passwordless. I have gen'd the id_rsa.pub
    and copied it over to the receiving machine and here lies the rub...

    After creating the .ssh/ directory in the homedir of the receiving
    machine and cating the pub id to the .ssh/authorized_keys file
    (creating it in the process), the scp still does not work passwordless.
    I have followed the same procedure for another account on the receiving
    machine and it works just fine.

    Any ideas????

    TIA
    Steve Ellis.


  2. Re: Bizarre passwordless scp problem, help

    rsb-asp-google@s-c-ellis.com wrote:
    > If anybody can help me with this it would be appreciated.
    >
    > I'm attempting to do scp to another machine via a script invoked by a
    > cronjob, therefore it must be passwordless. I have gen'd the id_rsa.pub
    > and copied it over to the receiving machine and here lies the rub...
    >
    > After creating the .ssh/ directory in the homedir of the receiving
    > machine and cating the pub id to the .ssh/authorized_keys file
    > (creating it in the process), the scp still does not work passwordless.
    > I have followed the same procedure for another account on the receiving
    > machine and it works just fine.
    >
    > Any ideas????
    >
    > TIA
    > Steve Ellis.
    >


    Couple of things to check...

    Did you cache the private key on the client with ssh-agent or keychain?

    Are the .ssh directory and authorized_keys file in the correct user's
    home directory on the server?

    Are the permissions on the authorized_keys file correct? Should be 600.

  3. Re: Bizarre passwordless scp problem, help


    Chuck wrote:
    > rsb-asp-google@s-c-ellis.com wrote:
    > > If anybody can help me with this it would be appreciated.
    > >
    > > I'm attempting to do scp to another machine via a script invoked by a
    > > cronjob, therefore it must be passwordless. I have gen'd the id_rsa.pub
    > > and copied it over to the receiving machine and here lies the rub...
    > >
    > > After creating the .ssh/ directory in the homedir of the receiving
    > > machine and cating the pub id to the .ssh/authorized_keys file
    > > (creating it in the process), the scp still does not work passwordless.
    > > I have followed the same procedure for another account on the receiving
    > > machine and it works just fine.
    > >
    > > Any ideas????
    > >
    > > TIA
    > > Steve Ellis.
    > >

    >
    > Couple of things to check...
    >
    > Did you cache the private key on the client with ssh-agent or keychain?


    How would I know?

    >
    > Are the .ssh directory and authorized_keys file in the correct user's
    > home directory on the server?


    Yes according to /etc/passwd, but I get the feeling that that is not
    where ssh is looking for it.

    >
    > Are the permissions on the authorized_keys file correct? Should be 600.


    I did a chmod 600 and it didn't help.

    BTW, the authorized_keys on the id that works isn't 600.


  4. Re: Bizarre passwordless scp problem, help

    rsb-asp-google@s-c-ellis.com sez:
    >
    > Chuck wrote:

    ....
    >> Did you cache the private key on the client with ssh-agent or keychain?

    >
    > How would I know?


    If your key is protected by a passphrase (you probably didn't, not for
    a cron job), you'll have to pass it to scp somehow.

    >> Are the .ssh directory and authorized_keys file in the correct user's
    >> home directory on the server?

    >
    > Yes according to /etc/passwd, but I get the feeling that that is not
    > where ssh is looking for it.
    >
    >>
    >> Are the permissions on the authorized_keys file correct? Should be 600.

    >
    > I did a chmod 600 and it didn't help.
    >
    > BTW, the authorized_keys on the id that works isn't 600.


    authorized_keys doesn't have to be 600, but some versions are picky about
    permissions on .ssh and ~.
    sshd -d -p X
    where X > 1024 is your friend (then run "scp -P X ..." and watch sshd's
    debug messages)

    Dima
    --
    We're sysadmins. Sanity happens to other people. -- Chris King
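
The pickiness about permissions on .ssh and ~ mentioned in the post above corresponds to OpenSSH's StrictModes check, which refuses a key file when it, or a directory above it up to the home directory, is writable by group or others or is owned by someone other than the account or root. The script below is an added example, not part of the original thread: a POSIX shell approximation of that check, where the function names and the sample accounts "b" and "c" are constructed for illustration.

```shell
#!/bin/sh
# Added example: approximates sshd's StrictModes test on the three paths
# that matter for public-key login. Function names are hypothetical.

# insecure_reason PATH UID: print why the path would be distrusted, else nothing.
insecure_reason() {
    path=$1; uid=$2
    [ -e "$path" ] || { echo "missing"; return 0; }
    # Writable by group or others, i.e. (mode & 022) != 0.
    if [ -n "$(find "$path" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "group/world-writable"; return 0
    fi
    # Owner must be the account itself or root (uid 0).
    if [ -n "$(find "$path" -prune ! -user "$uid" ! -user 0 -print)" ]; then
        echo "not owned by account or root"
    fi
}

# check_account HOME [UID]: return 0 only if ~, ~/.ssh and authorized_keys pass.
check_account() {
    home=$1; uid=${2:-$(id -u)}; failed=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        why=$(insecure_reason "$p" "$uid")
        if [ -n "$why" ]; then
            echo "FAIL $p: $why"; failed=1
        else
            echo "ok   $p"
        fi
    done
    return "$failed"
}

# Constructed sample: accounts "b" and "c" get identical .ssh contents,
# but c's home directory is group-writable.
demo() {
    t=$(mktemp -d)
    for a in b c; do
        mkdir -p "$t/$a/.ssh"
        : > "$t/$a/.ssh/authorized_keys"
        chmod 755 "$t/$a"; chmod 700 "$t/$a/.ssh"
        chmod 644 "$t/$a/.ssh/authorized_keys"
    done
    chmod 775 "$t/c"
    check_account "$t/b" && rb=pass || rb=fail
    check_account "$t/c" && rcc=pass || rcc=fail
    rm -rf "$t"
    echo "b=$rb c=$rcc"
}
demo
```

On the receiving machine, calling check_account with the home directory and numeric uid of the failing account, then of a working one, shows whether the two differ in a way that identical authorized_keys contents would not reveal.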

  5. Re: Bizarre passwordless scp problem, help

    rsb-asp-google@s-c-ellis.com wrote:
    > Chuck wrote:
    >> rsb-asp-google@s-c-ellis.com wrote:
    >>> If anybody can help me with this it would be appreciated.
    >>>
    >>> I'm attempting to do scp to another machine via a script invoked by a
    >>> cronjob, therefore it must be passwordless. I have gen'd the id_rsa.pub
    >>> and copied it over to the receiving machine and here lies the rub...
    >>>
    >>> After creating the .ssh/ directory in the homedir of the receiving
    >>> machine and cating the pub id to the .ssh/authorized_keys file
    >>> (creating it in the process), the scp still does not work passwordless.
    >>> I have followed the same procedure for another account on the receiving
    >>> machine and it works just fine.
    >>>
    >>> Any ideas????
    >>>
    >>> TIA
    >>> Steve Ellis.
    >>>

    >> Couple of things to check...
    >>
    >> Did you cache the private key on the client with ssh-agent or keychain?

    >
    > How would I know?


    You would have run the programs ssh-agent and ssh-add. BTW you would
    only need to do this if you created your private key with a passphrase.
    If you didn't you don't need this step but your setup is much less
    secure. Anyone who gets a copy of your private key can use it to
    authenticate as you.

    >
    >> Are the .ssh directory and authorized_keys file in the correct user's
    >> home directory on the server?

    >
    > Yes according to /etc/passwd, but I get the feeling that that is not
    > where ssh is looking for it.
    >
    >> Are the permissions on the authorized_keys file correct? Should be 600.

    >
    > I did a chmod 600 and it didn't help.
    >
    > BTW, the authorized_keys on the id that works isn't 600.
    >


    Like Dimitri said, some versions of sshd are picky. From a security
    standpoint protecting that file is not all that critical because it only
    contains public keys. Private keys are the ones you should guard with
    all diligence.

  6. Re: Bizarre passwordless scp problem, help

    rsb-asp-google@s-c-ellis.com wrote:

    >> Did you cache the private key on the client with ssh-agent or keychain?

    >
    > How would I know?


    Running ssh-agent or keychain ain't necessary for passwordless key-based ssh
    to work.

    >> Are the .ssh directory and authorized_keys file in the correct user's
    >> home directory on the server?

    >
    > Yes according to /etc/passwd, but I get the feeling that that is not
    > where ssh is looking for it.


    The authorized_keys must be placed in .ssh in home dir of a user you're
    trying to log-in as. So, if you're using something like:

    scp john@server

    then the keys must be placed in john's home dir/.ssh. If you're trying:

    scp server

    then ssh will try to log-in as the user issuing the command from local
    system. For example, if it's dave it'll try to log-in as dave, though keys
    are placed in john's home dir.

    If this is not an issue check your sshd_config file for fields like:
    RSAAuthentication, PubkeyAuthentication, AuthorizedKeysFile and
    PasswordAuthentication.

    --
    ---
    Cezary Morga

  7. Re: Bizarre passwordless scp problem, help


    Chuck wrote:
    > rsb-asp-google@s-c-ellis.com wrote:
    > > Chuck wrote:
    > >> rsb-asp-google@s-c-ellis.com wrote:
    > >>> If anybody can help me with this it would be appreciated.
    > >>>
    > >>> I'm attempting to do scp to another machine via a script invoked by a
    > >>> cronjob, therefore it must be passwordless. I have gen'd the id_rsa.pub
    > >>> and copied it over to the receiving machine and here lies the rub...
    > >>>
    > >>> After creating the .ssh/ directory in the homedir of the receiving
    > >>> machine and cating the pub id to the .ssh/authorized_keys file
    > >>> (creating it in the process), the scp still does not work passwordless.
    > >>> I have followed the same procedure for another account on the receiving
    > >>> machine and it works just fine.
    > >>>
    > >>> Any ideas????
    > >>>
    > >>> TIA
    > >>> Steve Ellis.
    > >>>
    > >> Couple of things to check...
    > >>
    > >> Did you cache the private key on the client with ssh-agent or keychain?

    > >
    > > How would I know?

    >
    > You would have run the programs ssh-agent and ssh-add. BTW you would
    > only need to do this if you created your private key with a passphrase.
    > If you didn't you don't need this step but your setup is much less
    > secure. Anyone who gets a copy of your private key can use it to
    > authenticate as you.
    >
    > >
    > >> Are the .ssh directory and authorized_keys file in the correct user's
    > >> home directory on the server?

    > >
    > > Yes according to /etc/passwd, but I get the feeling that that is not
    > > where ssh is looking for it.
    > >
    > >> Are the permissions on the authorized_keys file correct? Should be 600.

    > >
    > > I did a chmod 600 and it didn't help.
    > >
    > > BTW, the authorized_keys on the id that works isn't 600.
    > >

    >
    > Like Dimitri said, some versions of sshd are picky. From a security
    > standpoint protecting that file is not all that critical because it only
    > contains public keys. Private keys are the ones you should guard with
    > all diligence.


    I'm a programmer, not the machine's administrator, but the
    administrator seems to be making no progress. I thought I'd try
    inquiring here and appreciated your responses. Also please bear with me
    if I don't seem to know the obvious.

    One thing I noticed is that if I did a "ps -ef |grep sshd", the 2 ids
    which work successfully have an sshd daemon started by them; but the id
    that will not do passwordless scp, does not have an sshd daemon
    started. Could that have anything to do with it?
    If so, would that normally be started at boot time?


  8. Re: Bizarre passwordless scp problem, help


    Cezary Morga wrote:
    > rsb-asp-google@s-c-ellis.com wrote:
    >
    > >> Did you cache the private key on the client with ssh-agent or keychain?

    > >
    > > How would I know?

    >
    > Running ssh-agent or keychain ain't necessary for passwordless key-based ssh
    > to work.
    >
    > >> Are the .ssh directory and authorized_keys file in the correct user's
    > >> home directory on the server?

    > >
    > > Yes according to /etc/passwd, but I get the feeling that that is not
    > > where ssh is looking for it.

    >
    > The authorized_keys must be placed in .ssh in home dir of a user you're
    > trying to log-in as. So, if you're using something like:
    >
    > scp john@server
    >
    > then the keys must be placed in john's home dir/.ssh. If you're trying:
    >
    > scp server
    >
    > then ssh will try to log-in as the user issuing the command from local
    > system. For example, if it's dave it'll try to log-in as dave, though keys
    > are placed in john's home dir.


    Not the issue. I can scp from id a on the sending machine to id b on
    the receiving machine, but not to id c on the receiving machine even
    though the .ssh/authorized_keys file was setup identically in both
    homedirs.

    >
    > If this is not an issue check your sshd_config file for fields like:
    > RSAAuthentication, PubkeyAuthentication, AuthorizedKeysFile and


    I can't look at sshd_config other than to do a ls, but I forwarded your
    post to somebody with root privileges and hopefully he'll check it
    out. Thank you.

    > PasswordAuthentication.
    >
    > --
    > ---
    > Cezary Morga



  9. Re: Bizarre passwordless scp problem, help

    rsb-asp-google@s-c-ellis.com wrote:

    > Not the issue. I can scp from id a on the sending machine to id b on
    > the receiving machine, but not to id c on the receiving machine even
    > though the .ssh/authorized_keys file was setup identically in both
    > homedirs.


    But can you log into C account with password (using ssh command for the
    test) or you can't log-in at all? If it's the latter then I believe you
    should contact the administrator.

    --
    ---
    Cezary Morga

  10. Re: Bizarre passwordless scp problem, help


  11. Re: Bizarre passwordless scp problem, help

    rsb-asp-google@s-c-ellis.com sez:
    >

    ....
    > One thing I noticed is that if I did a "ps -ef |grep sshd", the 2 ids
    > which work successfully have an sshd daemon started by them; but the id
    > that will not do passwordless scp, does not have an sshd daemon
    > started. Could that have anything to do with it?
    > If so, would that normally be started at boot time?


    Are you familiar with tcp/ip server programming? The part where
    you start a listener as root at boot time, and the listener forks
    off a server process for each connection.

    In the case of "authenticated" services, that process is usually
    owned by the UID of connecting user. So the answer is no, sshd
    owned by root is the one started at boot time.

    Dima
    --
    I have not been able to think of any way of describing Perl to [person]
    "Hello, blind man? This is color." -- DPM
