On my Windows 10, I am running into the problem of not being able to connect to my Vagrant virtual machine as an ssh user with the public key authentication method in git bash, using a command such as
$ ssh -v lauser@127.0.0.1 -p 2222 -i ~/.ssh/id_rsa
I would be prompted for a password, as if the public key I copied into the ~/.ssh/Authorized_keys file inside the vm were not seen. Meanwhile, the password authentication method works, as well as 'vagrant ssh'.
I have made sure to
create key pairs locally, create a .ssh directory at the remote, and add pub key string to the remote's .ssh/authorized_keys file; both the .ssh and the .ssh/authorized_keys file are owned by the user (lauser), and set at 700 and 644
edit the /etc/ssh/sshd_config file on vm to use
RSAAuthentication yes
PubkeyAuthentication yes
and restarted the sshd server (with 'sudo service ssh restart').
verify that firewall has been disabled temporarily to eliminate any complication.
verify that there is only one vm running, all others are either in 'suspend' or 'halt' mode.
confirm the file type by 'file ~/.ssh/authorized_keys', and get confirmation '~/.ssh/authorized_keys: OpenSSH RSA public key'
verify that the keys match by comparing the output from 'sudo cat ~/.ssh/authorized_keys' in vm and the output from 'cat ~/.ssh/id_rsa.pub' at the local.
but still I get Permission denied (publickey) when trying to connect through public key authentication.
It sounds like you've done everything correctly so far. When I run into this problem, it's usually due to directory permissions on the target user's home directory (~), ~/.ssh or ~/.ssh/authorized_keys.
See this answer on SuperUser.
I faced the same challenges when the home directory on the remote did not have correct privileges. Changing permissions from 777 to 744 helped me.
How can I create an ssh key from Windows and install it on a Linux host using OpenSSH to log in without a password for each connection?
CREATE AND INSTALL SSH KEY
First of all, we need to create a new key in the Windows pc (where we start the connection) using:
ssh-keygen -t rsa
Don't change the default path or remember where you saved the key, it will be used for the next command.
Press enter another two times to avoid using a passphrase (if you don't want it).
After that, if you haven't changed the default path, the key will be created in {USERPROFILE}\.ssh\id_rsa.pub.
Now, you can usually use the command ssh-copy-id for installing the key on the remote host, but unfortunately this command is not available on Windows, so we have to install it using this command:
type $env:USERPROFILE\.ssh\id_rsa.pub | ssh {REMOTE_HOST} "cat >> .ssh/authorized_keys"
or if your key is not in the default path:
type {RSA_KEY_PATH} | ssh {REMOTE_HOST} "cat >> .ssh/authorized_keys"
and replace the {RSA_KEY_PATH} with your RSA path.
Replace {REMOTE_HOST} with the remote host IP/Name (like pi@192.168.0.1), launch the command, insert the password if required, and the work is done!
IMPORTANT!
SETTING UP .ssh FOLDER
If the ~/.ssh folder does not exist on your remote host, you need to configure it; this is usually done by the command ssh-copy-id, but we cannot access this power from Windows!
You need to connect to the remote host in ssh and create the .ssh directory and the authorized_keys file for the first time:
ssh {REMOTE_HOST}
Create the .ssh directory:
mkdir ~/.ssh
Set the right permissions:
chmod 700 ~/.ssh
Create the authorized_keys file:
touch ~/.ssh/authorized_keys
Set the right permissions:
chmod 600 ~/.ssh/authorized_keys
NOTE
The authorized_keys is not a folder; if you try to create it using mkdir, the passwordless SSH connection will not work, and if you debug the ssh on the host, you will notice an error/log similar to:
~/.ssh/authorized_keys is not a key file.
ADD YOUR SSH KEY ON YOUR AGENT
Run those two lines on your Windows pc to add the created key on your cmd/powershell:
ssh-agent $SHELL
ssh-add
When I issue ssh -v hostname, it tells me successful. But permission denied (publickey) when issuing ssh -v user@hostname. What's the difference between them? And I tried to solve this problem in some ways, but they weren't effective. Such as:
chmod 700 ~/.ssh/
chmod 600 ~/.ssh/authorized_keys
restorecon ~/.ssh/authorized_keys
I guess the problem is about context, because after issuing ssh -v hostname, the debug information tells me unable to get valid context. And issuing ssh [user@]hostname it authorized id_rsa, id_ecdsa, and id_ed25519 and skipping id_dsa (probably the config setting).
When user isn't specified, the .ssh config is searched for a default one for the given host, and if there's none, the same username as on the source machine is used.
To get more information, add copy&paste of the .ssh/config and outputs of both the ssh commands.
When using ssh user@hostname you explicitly try to log in as user on hostname. The login fails because you need to create an authorized_keys file in this user's home, too, as you did for the default user which is used when user is not given. Obviously authentication by password is disabled, else ssh would ask for it.
I am new to Ubuntu Linux. I have to create an ssh user in a remote system and generate its key, and access this system by key_file through the command
ssh -i key_file user@host
Can anybody tell me how I can do this?
On the system you are trying to connect to, the public key (usually id_rsa.pub or something similar) needs to be added to the authorized_keys file.
If the user is brand new and the authorized_keys file doesn't exist yet, this command will create it for you.
cp ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys
Next just make sure sshd is running on the host and you should be able to connect with the command you posted.
On the remote server:
ssh-keygen
ssh-copy-id user@host
cd .ssh
Make a copy of the file id_rsa and give it to anybody who wants to access this server/system.
On the other system:
ssh -i id_rsa user@host
If you want to connect to another host as user "user", what you need is the public key of the user that is going to open that connection, i.e. the user you are logged in on your desktop computer or some server you are coming from, not for the user, you are logging in to on the remote host.
You can check, if the keys for your current user are already created in $HOME/.ssh; there you should find something like "id_rsa" and "id_rsa.pub" (for rsa keys). If they don't exist, you create them by calling
ssh-keygen -t rsa
The public key that is generated that way, id_rsa.pub in this example, has to be put in a file ${HOME of user on remote host}/.ssh/authorized_keys on the target host.
If this file does not exist on the remote host or if even .ssh does not exist, you have to create those files with the following permissions:
.ssh 700
.ssh/authorized_keys 600
See http://www.openssh.com/faq.html#3.14 for details.
A detailed description of the process can be found here:
https://help.github.com/articles/generating-ssh-keys/
I connected 3 data nodes (in all these data nodes passwordless is working fine) in my cluster which are working fine, but when I try to connect another data node, passwordless ssh is not working in the fourth data node.
IP address of first three data nodes:
172.20.93.192(name node)
172.20.94.189(data node)
172.20.94.145(data node)
172.20.94.193(data node)
Now my fourth data node's IP address is 172.20.95.6, where passwordless is not working.
I am generating keys with
ssh-keygen -t rsa
I am doing the same process for the fourth data node as above three data nodes but it is not working. Why? What may be the reason?
I had a very similar problem today with CentOS servers. The problem turned out that the /root folder had wrong permissions. In fact, the /var/log/secure log file showed this error:
Sep 3 09:10:40 nec05 sshd[21858]: Authentication refused: bad ownership or modes for directory /root
This is what it wrongly was:
[root@nec05 ~]# ls -ld /root
drwxrwxrwx. 32 root root 4096 Sep 3 09:54 /root
Using chmod fixed it:
[root@nec05 ~]# chmod 550 /root
[root@nec05 ~]# ls -ld /root
dr-xr-x---. 32 root root 4096 Sep 3 09:54 /root
After that, passwordless login worked on this particular server.
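The log line in the answer above comes from sshd's StrictModes check, which rejects a key when the home directory, ~/.ssh or authorized_keys is writable by group or others, or is owned by someone other than the user or root. As an added example (not part of any post on this page), a shell function that approximates that check; the names check_one and check_ssh_perms and the temporary demo directory are constructed for illustration.

```shell
#!/bin/sh
# Added example: approximates sshd's StrictModes path check.
# A path passes when it is owned by the user (or root) and is not
# writable by group or others.

check_one() {
    path=$1; want_uid=$2; rc=0
    if [ ! -e "$path" ]; then echo "MISSING: $path"; return 1; fi
    # ls -ldn prints the mode string first and the numeric owner third
    set -- $(ls -ldn "$path")
    mode=$1; owner=$3
    if [ "$owner" != "$want_uid" ] && [ "$owner" != 0 ]; then
        echo "BAD OWNER (uid $owner): $path"; rc=1
    fi
    # characters 6 and 9 of the mode string are the group/other write bits
    case "$(printf %s "$mode" | cut -c6,9)" in
        --) ;;
        *) echo "BAD MODE ($mode): $path"; rc=1 ;;
    esac
    return $rc
}

# check_ssh_perms HOME [UID]: returns 1 if any path would be rejected
check_ssh_perms() {
    home=$1; uid=${2:-$(id -u)}; bad=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        check_one "$p" "$uid" || bad=1
    done
    return $bad
}

# Constructed demo: a throwaway "home" with the 777 mode from the log above
demo=$(mktemp -d)
mkdir "$demo/.ssh"
: > "$demo/.ssh/authorized_keys"
chmod 700 "$demo/.ssh"
chmod 600 "$demo/.ssh/authorized_keys"
chmod 777 "$demo"
check_ssh_perms "$demo" || echo "=> sshd would refuse this key"
chmod 700 "$demo"
check_ssh_perms "$demo" && echo "=> modes acceptable"
rm -rf "$demo"
```

Run it on the target host as the login user, for example `check_ssh_perms "$HOME"`; modes such as 744 or 550 on the home directory pass because only the group and other write bits matter.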
More information would be required to get the "real" cause. However, here are two of the most common problems I have found that are not related to the key configuration itself (taking into account that you use Linux :)):
SSHD in the remote machine is configured in restricted mode for "root" and you are trying to ssh as root. SOLUTION: Copy /etc/ssh/sshd.conf from one of the working machines to the faulty and restart ssh server.
Home folder of the user used for remote login has invalid permissions. Many default configurations for SSH Daemons contain restrictions about the permissions of the user home folder for security purposes. SOLUTION: Compare with working nodes and fix. (Sometimes you would see a warning/error log in /var/log/messages.)
If you follow the process to integrate the keys from the scratch and review the permissions for all the files involved you should face no issues.
Please answer back with sshd.conf file as well as the logs from a remote login with -v (ssh -v IPADDR) for a better analysis.
I went through the same errors recently. All my file permissions are set up correctly but still ssh asks for password. Finally I figured out it is due to one line missing in /etc/ssh/sshd_config: you should add "AuthorizedKeysFile %h/.ssh/authorized_keys", so that sshd will look for the publickey file at your home dir.
After doing this the problem is gone.
You would have to elaborate more on your problem, i.e. whether you are using the same private-public key pair for all servers.
Secondly, you must try ssh with the -v flag; it will give you some hints, like which private key it is using for authentication and what the cause of the authentication failure is.
Thirdly, verify the permission of .ssh/authorized_keys at the server end. It should not have write permission for group or other users.
You can simply use
ssh-keygen -f # to generate ssh key pair.
ssh-copy-id # #to copy public key in the server's authorized key.
troubleshoot checklist:
example: Machine A passwordless login to B
turn off selinux on B
FOR BOTH A&B: make sure correct permission for .ssh(700) and .ssh/authorized_keys (600)
check on B: /etc/ssh/sshd_config: PubkeyAuthentication yes
check firewall on B
check the log /var/log/secure
if you've renamed id_rsa/id_rsa.pub to, for example, id_rsa_b/id_rsa_b.pub, you should do ssh -i .ssh/id_rsa_b user@MachineB
I am going to explain with example:
Suppose there are two servers, server1 (192.168.43.21) and server2 (192.168.43.33). If you want passwordless ssh between server1 and server2 where the user is admin, then follow the steps below:
To install run command: yum install openssh-server openssh-clients
To create ssh key run command : ssh-keygen -t rsa on server1 and server2
SELINUX disable at : vim /etc/selinux/config
SELINUX=disabled
After changing SELINUX need to reboot.
Add user to AllowUsers ,AllowGroups and PermitEmptyPasswords on at :
vim /etc/ssh/sshd_config
AllowUsers admin
AllowGroups admin
After update restart sshd: systemctl restart sshd
Go to home directory of admin user : cd ~
Go to ssh folder : cd .ssh and copy the id_rsa.pub key from server1 and paste it into the server2 authorized.key file of the .ssh folder.
Note: instead of copying manually we can use:
From server2 use command: `ssh-copy-id admin@server1`
From server1 use command: `ssh-copy-id admin@server2`
Now try ssh from server1 to server2 and server2 to server1
From server1 command: `ssh admin@server2`
From server2 command: `ssh admin@server1`
If it is not working, then check the firewall using these commands:
To check status of firewall run command: firewall-cmd --state
If it is running then check ssh port is added or not using below command:
firewall-cmd --list-all
If the port is not added then you need to add it to the desired zone.
If the firewall is not required to be active, in that case you can stop the firewall and mask it using the commands below:
systemctl stop firewalld
systemctl disable firewalld
systemctl mask --now firewalld
Please check if selinux is disabled.
In my case, worked after selinux disabled.
Method in linux is to generate encrypted key (either with rsa or dsa ) for that user , save that key in authorized key , assign rights to that folder and file in it.
1: Generate key with command
ssh-keygen -t dsa -P '' -f ~/.ssh/id_dsa
Your public key has been saved in /home/username_of_pc/.ssh/id_dsa.pub
2:Add that key in authorized key.
cat ~/.ssh/id_dsa.pub >> ~/.ssh/authorized_keys
Set permissions for folder where it’s saved.
if you need it on another server then simply copy it to other machine.
3:Check ssh by simply typing
ssh localhost
It should not ask for password and only display last login time , then it’s setup correctly. Remember not to use root for ssh.
I was referring to http://www.mtu.net/~engstrom/ssh-agent.php
My public key is listed under ~/.ssh/authorized_keys at remote1. During SSH login connect,
it's working fine(loaded my private key under connection-Auth), it asked for passphrase which I provided then login is successful.
But when switching between servers like from remote2, do SSH remote1, it would ask for a password. Trying to set up SSH agent forwarding according to that site but was to no avail... ssh-add never prompts me for private-key-passphrase, or was it wrong what I was doing trying to follow the process described?
I basically did
$ eval ssh-agent
$ ssh-add (some do ssh-add ~/.ssh/id_rsa --> wonder what id_rsa is referring to as I only have the auth_keys file under .ssh)
Saw some resources described to do chmod 600 ~/.ssh/authorized_keys, but not sure if that's applicable to my case.
ssh-agent wraps another command; you can for example wrap a shell
ssh-agent bash
Then, in that shell, you need to add your private key, and type your passphrase :
ssh-add /path/to/your/private/key # (by default : ~/.ssh/id_rsa)
Then, when you use ssh to connect, add the -A option :
ssh -A user@remote1
That's it, your key is forwarded, you can see it if you type (on remote1) :
ssh-add -L
You can now connect to your remote2, using that private key.
Be careful when you use ssh forwarding. Anyone with root access on remote1 could use your identity to connect on remote2 while you are connected.
I am pretty sure that ~/.ssh/authorized_keys must always be chmod 600. This is a sensitive file that must be protected.