From owner-freebsd-isp@FreeBSD.ORG Wed Oct 8 02:21:03 2008
From: lists
Date: Wed, 8 Oct 2008 12:02:57 +1000
Subject: ssh to remote machines using authorized keys

Hi all

I have the following situation which I am trying to get around

I have a need to be able to ssh without_password using rsa keys to authenticate the ssh session.
I have created and installed the ~/.ssh/authorized_keys for both a system user and for root on the remote machine and I have changed the /etc/ssh/sshd_config accordingly and I have run /etc/rc.d/sshd restart.
I have successfully logged into the remote machine using the rsa keys for both the root user and the system user.

The problem I have is that I want to log into the remote machine as root from a system user on the main machine. Each time I try I get a password prompt and even if I enter the correct root password it gives me "Permission denied (publickey,keyboard-interactive,hostbased)"

If I type
user prompt $ ssh user@remote.machine it works fine
root prompt # ssh root@remote.machine it works fine

but when I type
user prompt $ ssh root@remote.machine I get prompted for a password followed by the error above, which is "Permission denied (publickey,keyboard-interactive,hostbased)"

Can anyone tell me how to get around this? Is it possible?

Thanks and Regards
Tim

From owner-freebsd-isp@FreeBSD.ORG Wed Oct 8 04:32:29 2008
From: Jon Radel
Date: Tue, 07 Oct 2008 23:32:02 -0400
To: lists
Cc: freebsd-isp@freebsd.org
Subject: Re: ssh to remote machines using authorized keys

lists wrote:
>
> Hi all
>
> I have the following situation which I am trying to get around
>
> I have a need to be able to ssh without_password using rsa keys to
> authenticate the ssh session.

...

> but when I type
> user prompt $ ssh root@remote.machine I get prompted for a password
> followed by the error above, which is "Permission denied
> (publickey,keyboard-interactive,hostbased)"
>
> Can anyone tell me how to get around this? Is it possible?

Very possible to get around. Make sure the private key for root on the remote machine is available to the system user on the local machine and then specify that file with the -i option to the ssh command. What is almost certainly happening is that your ssh command defaults to the private key for system user which is not the same key as your root (your e-mail isn't 100% clear to me as to whether you are using the same key for the system user and root, but it appears you aren't).

If you're going to do that a lot, you can set a default in ~systemuser/.ssh/config to specify that all connections to root@remote should default to using root's private key.

--Jon Radel
jon@radel.com

From owner-freebsd-isp@FreeBSD.ORG Wed Oct 8 07:15:51 2008
From: lists
Date: Wed, 8 Oct 2008 17:15:42 +1000
Subject: Re: ssh to remote machines using authorized keys

Thanks Jon

> If you're going to do that a lot, you can set a default in
> ~systemuser/.ssh/config to specify that all connections to root@remote
> should default to using root's private key.

If you don't mind I would like you to clarify the steps to address the config above

The machine I am ssh ing from is local
The machine I am ssh ing to is remote

To do as above, do I create a .~ssh/config file with the following contents on the local machine and restart sshd /etc/rc.d/sshd restart

Host remote.domainname #which is the connection name I am assuming
User root
Port 22
HostName remote.domainname # which is the hostname of the remote machine

I am not sure what the permissions should be though. Do they need to be changed? do I need to change the /root/.ssh/id_rsa and id_rsa.pub to the systemuser? or should they stay the same. Or do I change the authorized_keys permissions
The error I am getting is a permission denied which makes me think that I need to change some of the permissions.
Currently the perms are 600 on both the /root/.ssh/id_rsa and id_rsa.pub and the /home/systemuser/authorized_keys

Thanks and Regards
Tim

From owner-freebsd-isp@FreeBSD.ORG Wed Oct 8 07:56:15 2008
From: Mario Theodoridis
Date: Wed, 8 Oct 2008 00:29:31 -0700
To: freebsd-isp@freebsd.org
Cc: lists
Subject: Re: ssh to remote machines using authorized keys

On Wednesday 08 October 2008 12:15:42 am lists wrote:
> Thanks Jon
>
> > If you're going to do that a lot, you can set a default in
> > ~systemuser/.ssh/config to specify that all connections to root@remote
> > should default to using root's private key.
>
> If you don't mind I would like you to clarify the steps to address the
> config above
>
> The machine I am ssh ing from is local
> The machine I am ssh ing to is remote
>
> To do as above, do I create a .~ssh/config file with the following
> contents on the local machine and restart sshd /etc/rc.d/sshd restart
>
> Host remote.domainname #which is the connection name I am assuming
> User root
> Port 22
> HostName remote.domainname # which is the hostname of the remote machine
>
> I am not sure what the permissions should be though. Do they need to be
> changed? do I need to change the /root/.ssh/id_rsa and id_rsa.pub to
> the systemuser? or should they stay the same. Or do I change the
> authorized_keys permissions The error I am getting is a permission denied
> which makes me think that I need to change some of the permissions.
> Currently the perms are 600 on both the /root/.ssh/id_rsa and id_rsa.pub
> and the /home/systemuser/authorized_keys

These are the permissions on my system:

#ll ~/.ssh/
total 24
drwx------   2 root  wheel    512 Sep 11 00:05 .
drwxr-xr-x  30 root  wheel   2048 Oct  8 00:21 ..
-rw-r--r--   1 root  wheel   1838 Jan 29  2008 authorized_keys
-rw-------   1 root  wheel    883 Jul 23  2006 id_rsa
-rw-r--r--   1 root  wheel    232 Jul 23  2006 id_rsa.pub
-rw-r--r--   1 root  wheel  12503 Sep 30 22:46 known_hosts

Note the lack of group writability in the home directory.
These are the same for every user, i.e. root is not special in this respect.

So when i want to ssh to user@remote.system then ~user/.ssh/authorized_keys on remote.system needs to contain my id_rsa.pub.

Hope this sums it up.

mario;>
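
Added example, not part of the thread and not any poster's own files: shell functions that check the permission bits discussed above (no group/other write on the home directory, ~/.ssh and authorized_keys; no group/other access at all on the private key) and print a client-side ~/.ssh/config stanza that pins one IdentityFile for a host. The function names, the host name and the key path passed in are hypothetical. ~/.ssh/config is read by the ssh client on every run, so using it involves no sshd restart.

```shell
#!/bin/sh
# Added example (not from the thread). Source this file, then run e.g.
#   audit_ssh_perms /home/systemuser
#   ssh_config_stanza remote.domainname ~/.ssh/id_rsa_root >> ~/.ssh/config

# Octal permission bits of a path: GNU stat first, BSD stat as fallback.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# True when any bit of the octal mask $2 is set on path $1.
has_bits() {
    m=$(mode_of "$1") || return 1
    [ $(( 0$m & 0$2 )) -ne 0 ]
}

# audit_ssh_perms HOME_DIR [KEY_FILE]
# Prints one line per problem and returns the number of problems found.
audit_ssh_perms() {
    home=$1; key=${2:-$home/.ssh/id_rsa}; bad=0
    # sshd (StrictModes) rejects keys when any of these is writable by
    # group or other.
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        if has_bits "$p" 022; then
            echo "group/other writable: $p"; bad=$((bad + 1))
        fi
    done
    # The ssh client ignores a private key that group or other can access.
    if [ -e "$key" ] && has_bits "$key" 077; then
        echo "private key accessible to group/other: $key"; bad=$((bad + 1))
    fi
    return "$bad"
}

# ssh_config_stanza HOST KEY_FILE
# KEY_FILE (hypothetical path) must be a private key the calling user can
# read and whose public half is in root's authorized_keys on HOST.
ssh_config_stanza() {
    cat <<EOF
Host $1
    User root
    IdentityFile $2
    IdentitiesOnly yes
EOF
}
```

IdentitiesOnly makes the client offer only the listed key for that host rather than every key it can find.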