SSH key question

SSH key question

MR ZenWiz
I have three machines set up on my home network with remote file copy
and ssh interactions.  I have my desktop "base" machine set up for
password-free remote access to the two laptops, but for some reason, I
can't get the same access from one of the laptops back to the base.

I generated the proper keys with ssh-genkey, then I used ssh-copy-id
to send the keys to the target machine.  As I said, done from the base
to both of the laptops, it works fine.  I even have remote access to
my partner's laptop from the base using her id for the remote actions.

However, from my own laptop, I can't get password-free access, via ssh
or rsync, to my base desktop.  I either put up with the password
prompt, or ssh to the base from the laptop and run the file transfers
from the remote base login to/from the laptop because that way it does
not require passwords.

What am I missing?

Sequences:

base: ssh-genkey
base: ssh-copy-id <laptop>
base: complete remote login
base: ssh <laptop> - password-free login

This works.

laptop: ssh-genkey
laptop: ssh-copy-id <base>
laptop: complete remote login
laptop: ssh <base> - requires I enter the password

This does not work.

Thanks.

Mark

--
ubuntu-users mailing list
[hidden email]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users

Re: SSH key question

Chris Green
On Thu, Dec 10, 2020 at 10:09:10AM -0800, MR ZenWiz wrote:

> I have three machines set up on my home network with remote file copy
> and ssh interactions.  I have my desktop "base" machine set up for
> password-free remote access to the two laptops, but for some reason, I
> can't get the same access from one of the laptops back to the base.
>
> I generated the proper keys with ssh-genkey, then I used ssh-copy-id
> to send the keys to the target machine.  As I said, done from the base
> to both of the laptops, it works fine.  I even have remote access to
> my partner's laptop from the base using her id for the remote actions.
>
> However, from my own laptop, I can't get password-free access, via ssh
> or rsync, to my base desktop.  I either put up with the password
> prompt, or ssh to the base from the laptop and run the file transfers
> from the remote base login to/from the laptop because that way it does
> not require passwords.
>
> What am I missing?
>
> Sequences:
>
> base: ssh-genkey
> base: ssh-copy-id <laptop>
> base: complete remote login
> base: ssh <laptop> - password-free login
>
> This works.
>
> laptop: ssh-genkey
> laptop: ssh-copy-id <base>
> laptop: complete remote login
> laptop: ssh <base> - requires I enter the password
>
> This does not work.
>
I'm not sure if I'm teaching grandmother to suck eggs, but still...

Have you got an agent running on one system and not the other?

Were you generating passphraseless keys with ssh-genkey or were you
using a passphrase?  If they were passphraseless then I'm stumped but
if they have passphrases then maybe you have the passphrase stored (in
an agent) on your desktop but not on your laptop.


... or I suppose you might have 'only allow password authentication'
set up on your desktop so passphrases don't work (unlikely I think).



--
Chris Green


Re: SSH key question

David Fletcher-5
In reply to this post by MR ZenWiz
On Thu, 2020-12-10 at 10:09 -0800, MR ZenWiz wrote:
> I have three machines set up on my home network with remote file copy
> and ssh interactions.  I have my desktop "base" machine set up for
> password-free remote access to the two laptops, but for some reason, I
> can't get the same access from one of the laptops back to the base.

AIUI, you only ever run the genkey once. Doesn't matter which machine.

You need to be able to edit ~/.ssh/authorized_keys on a remote machine
and add your public key to that file. In my case it's the same as
id_rsa.pub. Make sure the access privileges are tight - chmod -R 700
~/.ssh and you should be good to go. I find that I need to do an ssh
into a remote machine first to get the known_hosts file updated then
rsync and things work seamlessly.

HTH Dave



Re: SSH key question

David Fletcher-5
In reply to this post by MR ZenWiz
PS

You need to make sure you have openssh-server installed. I just install
it on all my computers.



Re: SSH key question

Liam Proven
In reply to this post by MR ZenWiz
On Thu, 10 Dec 2020 at 19:11, MR ZenWiz <[hidden email]> wrote:
>
> I have three machines set up on my home network with remote file copy
> and ssh interactions.  I have my desktop "base" machine set up for
> password-free remote access to the two laptops, but for some reason, I
> can't get the same access from one of the laptops back to the base.

Going back a step...

Ubuntu does not install openssh-server by default. You have to add it
manually, yourself.

So if you can ssh from your desktop to the laptops, you must have
installed it on the laptops in the past at some point.

Can you ssh from the laptops to the desktop _with_ a password?

--
Liam Proven – Profile: https://about.me/liamproven
Email: [hidden email] – gMail/gTalk/gHangouts: [hidden email]
Twitter/Facebook/LinkedIn/Flickr: lproven – Skype: liamproven
UK: +44 7939-087884 – ČR (+ WhatsApp/Telegram/Signal): +420 702 829 053


Re: SSH key question

Sarunas Burdulis-3
In reply to this post by MR ZenWiz
On 12/10/20 1:09 PM, MR ZenWiz wrote:

> I have three machines set up on my home network with remote file copy
> and ssh interactions.  I have my desktop "base" machine set up for
> password-free remote access to the two laptops, but for some reason, I
> can't get the same access from one of the laptops back to the base.
>
> I generated the proper keys with ssh-genkey, then I used ssh-copy-id
> to send the keys to the target machine.  As I said, done from the base
> to both of the laptops, it works fine.  I even have remote access to
> my partner's laptop from the base using her id for the remote actions.
>
> However, from my own laptop, I can't get password-free access, via ssh
> or rsync, to my base desktop.
I don't know what the problem may be, but increased verbosity of SSH
connection may shed some light.

ssh -vv ...


--
Sarunas Burdulis
Systems Administrator, Dartmouth College Mathematics
https://math.dartmouth.edu/~sarunas

· https://useplaintext.email ·



Re: SSH key question

MR ZenWiz
In reply to this post by Chris Green
On Thu, Dec 10, 2020 at 10:24 AM Chris Green <[hidden email]> wrote:
>
:

> I'm not sure if I'm teaching grandmother to suck eggs, but still...
>
> Have you got an agent running on one system and not the other?
>
> Were you generating passphraseless keys with ssh-genkey or were you
> using a passphrase?  If they were passphraseless then I'm stumped but
> if they have passphrases then maybe you have the passphrase stored (in
> an agent) on your desktop but not on your laptop.
>
> ... or I suppose you might have 'only allow password authentication'
> set up on your desktop so passphrases don't work (unlikely I think).
>
I have an ssh server running on both machines, no passphrase.  I have
not changed any settings, and don't recognize all of the above.

Thanks.

Mark


Re: SSH key question

MR ZenWiz
In reply to this post by David Fletcher-5
On Thu, Dec 10, 2020 at 10:31 AM David Fletcher <[hidden email]> wrote:
>
:
>
> AIUI, you only ever run the genkey once. Doesn't matter which machine.
>
That's not the way I've ever used it before - I run ssh-genkey on any
machine I want to be able to remote login from, not to.  ssh server
has to run on the target machine to receive the login request,
authenticate and allow or deny the login.

> You need to be able to edit ~/.ssh/authorized_keys on a remote machine
> and add your public key to that file. In my case it's the same as
> id_rsa.pub. Make sure the access privileges are tight - chmod -R 700
> ~/.ssh and you should be good to go. I find that I need to do an ssh
> into a remote machine first to get the known_hosts file updated then
> rsync and things work seamlessly.
>
This is what ssh-copy-id does so I don't need to do this manually.

Thanks.

Mark


Re: SSH key question

MR ZenWiz
In reply to this post by Liam Proven
On Thu, Dec 10, 2020 at 10:39 AM Liam Proven <[hidden email]> wrote:
>
:

> Going back a step...
>
> Ubuntu does not install openssh-server by default. You have to add it
> manually, yourself.
>
> So if you can ssh from your desktop to the laptops, you must have
> installed it on the laptops in the past at some point.
>
> Can you ssh from the laptops to the desktop _with_ a password?
>
Yes.  I thought I said so, but to clarify, yes.

Thanks.

Mark


Re: SSH key question

MR ZenWiz
In reply to this post by Sarunas Burdulis-3
On Thu, Dec 10, 2020 at 10:39 AM Sarunas Burdulis
<[hidden email]> wrote:
>
:
>
> I don't know what the problem may be, but increased verbosity of SSH
> connection may shed some light.
>
> ssh -vv ...
>
Here's what I see (from laptop marHP8740 to desktop marbase):

11:50 [admar@marHP8740w:~] $ ssh -vv $BASE
OpenSSH_8.2p1 Ubuntu-4ubuntu0.1, OpenSSL 1.1.1f  31 Mar 2020
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include
/etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug2: resolve_canonicalize: hostname 192.168.1.131 is address
debug2: ssh_connect_direct
debug1: Connecting to 192.168.1.131 [192.168.1.131] port 22.
debug1: Connection established.
debug1: identity file /home/admar/.ssh/id_rsa type 0
debug1: identity file /home/admar/.ssh/id_rsa-cert type -1
debug1: identity file /home/admar/.ssh/id_dsa type -1
debug1: identity file /home/admar/.ssh/id_dsa-cert type -1
debug1: identity file /home/admar/.ssh/id_ecdsa type -1
debug1: identity file /home/admar/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/admar/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/admar/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/admar/.ssh/id_ed25519 type -1
debug1: identity file /home/admar/.ssh/id_ed25519-cert type -1
debug1: identity file /home/admar/.ssh/id_ed25519_sk type -1
debug1: identity file /home/admar/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/admar/.ssh/id_xmss type -1
debug1: identity file /home/admar/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1
debug1: Remote protocol version 2.0, remote software version
OpenSSH_8.2p1 Ubuntu-4ubuntu0.1
debug1: match: OpenSSH_8.2p1 Ubuntu-4ubuntu0.1 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 192.168.1.131:22 as 'admar'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms:
curve25519-sha256,[hidden email],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
debug2: host key algorithms:
[hidden email],[hidden email],[hidden email],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],ssh-ed25519,[hidden email],rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos:
[hidden email],aes128-ctr,aes192-ctr,aes256-ctr,[hidden email],[hidden email]
debug2: ciphers stoc:
[hidden email],aes128-ctr,aes192-ctr,aes256-ctr,[hidden email],[hidden email]
debug2: MACs ctos:
[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc:
[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,[hidden email],zlib
debug2: compression stoc: none,[hidden email],zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms:
curve25519-sha256,[hidden email],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
debug2: host key algorithms:
rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos:
[hidden email],aes128-ctr,aes192-ctr,aes256-ctr,[hidden email],[hidden email]
debug2: ciphers stoc:
[hidden email],aes128-ctr,aes192-ctr,aes256-ctr,[hidden email],[hidden email]
debug2: MACs ctos:
[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc:
[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,[hidden email]
debug2: compression stoc: none,[hidden email]
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [hidden email] MAC:
<implicit> compression: none
debug1: kex: client->server cipher: [hidden email] MAC:
<implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256
SHA256:liK5yK4l533NSr9JYUrxyXMi69UIWAhZ7vz9LRC7Mhs
debug1: Host '192.168.1.131' is known and matches the ECDSA host key.
debug1: Found key in /home/admar/.ssh/known_hosts:1
debug2: set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /home/admar/.ssh/id_rsa RSA
SHA256:6ipcSUwJHMccKD1XhUx8I1TSVgLbpyBc2INdxzYzJy0
debug1: Will attempt key: /home/admar/.ssh/id_dsa
debug1: Will attempt key: /home/admar/.ssh/id_ecdsa
debug1: Will attempt key: /home/admar/.ssh/id_ecdsa_sk
debug1: Will attempt key: /home/admar/.ssh/id_ed25519
debug1: Will attempt key: /home/admar/.ssh/id_ed25519_sk
debug1: Will attempt key: /home/admar/.ssh/id_xmss
debug2: pubkey_prepare: done
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info:
server-sig-algs=<ssh-ed25519,[hidden email],ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[hidden email]>
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/admar/.ssh/id_rsa RSA
SHA256:6ipcSUwJHMccKD1XhUx8I1TSVgLbpyBc2INdxzYzJy0
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/admar/.ssh/id_dsa
debug1: Trying private key: /home/admar/.ssh/id_ecdsa
debug1: Trying private key: /home/admar/.ssh/id_ecdsa_sk
debug1: Trying private key: /home/admar/.ssh/id_ed25519
debug1: Trying private key: /home/admar/.ssh/id_ed25519_sk
debug1: Trying private key: /home/admar/.ssh/id_xmss
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
admar@192.168.1.131's password:

I'm not 100% sure of what each step of that means, but the bottom line
is pretty clear - the authentication failed and it wants a password.

Hope that makes sense to someone.

Thanks.

Mark


Re: SSH key question

Karl Auer
In reply to this post by MR ZenWiz
On Thu, 2020-12-10 at 10:09 -0800, MR ZenWiz wrote:
> I have three machines set up on my home network
> [...]
> I can't get the same access from one of the laptops back to the base.

This sequence:
> laptop: ssh-genkey
> laptop: ssh-copy-id <base>
> laptop: complete remote login
> laptop: ssh <base> - requires I enter the password

From which system are you remotely logging in to the laptop?

Anyway, try adding "-o IdentitiesOnly=yes" to the last command line in
that sequence. This cuts out the agent (if any).

Also, check that the public part of the laptop's key is actually
present in ~/.ssh/authorized_keys on the base system.

And finally - give us complete command lines. It will expose no
secrets, since you are using RFC1918 IP addresses and standard key
names, and providing no key content. However it will allow us to see
for certain which machines are involved in doing what.

Regards, K.

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer ([hidden email])
http://www.biplane.com.au/kauer

GPG fingerprint: 2561 E9EC D868 E73C 8AF1 49CF EE50 4B1D CCA1 5170
Old fingerprint: 8D08 9CAA 649A AFEF E862 062A 2E97 42D4 A2A0 616D





Re: SSH key question

Karl Auer
In reply to this post by David Fletcher-5
On Thu, 2020-12-10 at 18:29 +0000, David Fletcher wrote:
> AIUI, you only ever run the genkey once. Doesn't matter which
> machine.

You need to run ssh-genkey once for each key that you want to use.
Typically once on each machine from which you will be originating
outbound connections.

Sometimes you want separate keys for various purposes so you run it
multiple times on the same machine, but (hopefully obviously)
specifying different file names.

> You need to be able to edit ~/.ssh/authorized_keys on a remote
> machine and add your public key to that file.

That's what ssh-copy-id does (more or less), especially if used with
the -i option to specify a single identity.

Regards, K.


--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer ([hidden email])
http://www.biplane.com.au/kauer

GPG fingerprint: 2561 E9EC D868 E73C 8AF1 49CF EE50 4B1D CCA1 5170
Old fingerprint: 8D08 9CAA 649A AFEF E862 062A 2E97 42D4 A2A0 616D





Re: SSH key question

Karl Auer
In reply to this post by David Fletcher-5
On Thu, 2020-12-10 at 18:31 +0000, David Fletcher wrote:
> You need to make sure you have openssh-server installed. I just
> install it on all my computers.

This is true, but as a password login works for the OP, it's clear that
an ssh server is installed on the system he's trying to get to. Just
publickey access doesn't.

Regards, K.

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer ([hidden email])
http://www.biplane.com.au/kauer

GPG fingerprint: 2561 E9EC D868 E73C 8AF1 49CF EE50 4B1D CCA1 5170
Old fingerprint: 8D08 9CAA 649A AFEF E862 062A 2E97 42D4 A2A0 616D





Re: SSH key question

Chris Green
In reply to this post by MR ZenWiz
On Thu, Dec 10, 2020 at 11:46:33AM -0800, MR ZenWiz wrote:

> On Thu, Dec 10, 2020 at 10:24 AM Chris Green <[hidden email]> wrote:
> >
> :
> > I'm not sure if I'm teaching grandmother to suck eggs, but still...
> >
> > Have you got an agent running on one system and not the other?
> >
> > Were you generating passphraseless keys with ssh-genkey or were you
> > using a passphrase?  If they were passphraseless then I'm stumped but
> > if they have passphrases then maybe you have the passphrase stored (in
> > an agent) on your desktop but not on your laptop.
> >
> > ... or I suppose you might have 'only allow password authentication'
> > set up on your desktop so passphrases don't work (unlikely I think).
> >
> I have an ssh server running on both machines, no passphrase.  I have
> not changed any settings, and don't recognize all of the above.
>
When you run ssh-key-gen do you provide a passphrase for the generated
key or do you just hit return when asked?  If you just hit return then
the key is 'passphraseless'.

--
Chris Green


Re: SSH key question

Sarunas Burdulis-3
In reply to this post by MR ZenWiz
On 12/10/20 2:55 PM, MR ZenWiz wrote:

> On Thu, Dec 10, 2020 at 10:39 AM Sarunas Burdulis
> <[hidden email]> wrote:
>>
> :
>>
>> I don't know what the problem may be, but increased verbosity of SSH
>> connection may shed some light.
>>
>> ssh -vv ...
>>
> Here's what I see (from laptop marHP8740 to desktop marbase):
>
> 11:50 [admar@marHP8740w:~] $ ssh -vv $BASE
> OpenSSH_8.2p1 Ubuntu-4ubuntu0.1, OpenSSL 1.1.1f  31 Mar 2020
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: /etc/ssh/ssh_config line 19: include
> /etc/ssh/ssh_config.d/*.conf matched no files
> debug1: /etc/ssh/ssh_config line 21: Applying options for *
> debug2: resolve_canonicalize: hostname 192.168.1.131 is address
> debug2: ssh_connect_direct
> debug1: Connecting to 192.168.1.131 [192.168.1.131] port 22.
> debug1: Connection established.
> ... ... ...
> debug1: Will attempt key: /home/admar/.ssh/id_rsa RSA
> SHA256:6ipcSUwJHMccKD1XhUx8I1TSVgLbpyBc2INdxzYzJy0
> debug1: Will attempt key: /home/admar/.ssh/id_dsa
> debug1: Will attempt key: /home/admar/.ssh/id_ecdsa
> debug1: Will attempt key: /home/admar/.ssh/id_ecdsa_sk
> debug1: Will attempt key: /home/admar/.ssh/id_ed25519
> debug1: Will attempt key: /home/admar/.ssh/id_ed25519_sk
> debug1: Will attempt key: /home/admar/.ssh/id_xmss
> debug2: pubkey_prepare: done
> debug1: SSH2_MSG_EXT_INFO received
> debug1: kex_input_ext_info:
> server-sig-algs=<ssh-ed25519,[hidden email],ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[hidden email]>
> debug2: service_accept: ssh-userauth
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug1: Authentications that can continue: publickey,password
> debug1: Next authentication method: publickey
> debug1: Offering public key: /home/admar/.ssh/id_rsa RSA
> SHA256:6ipcSUwJHMccKD1XhUx8I1TSVgLbpyBc2INdxzYzJy0
> debug2: we sent a publickey packet, wait for reply
After the above step, on success, one should see:

debug1: Server accepts key: /home/admar/.ssh/id_rsa RSA
SHA256:6ipcSUwJHMccKD1XhUx8I1TSVgLbpyBc2INdxzYzJy0
debug1: Authentication succeeded (publickey).
Authenticated to ...

auth.log and syslog on your $BASE may have some clues.

--
Sarunas Burdulis
Systems Administrator, Dartmouth College Mathematics
https://math.dartmouth.edu/~sarunas

· https://useplaintext.email ·



Re: SSH key question

Gary Aitken
In reply to this post by MR ZenWiz
On 12/10/20 11:09 AM, MR ZenWiz wrote:

> I have three machines set up on my home network with remote file copy
> and ssh interactions.  I have my desktop "base" machine set up for
> password-free remote access to the two laptops, but for some reason, I
> can't get the same access from one of the laptops back to the base.
>
> I generated the proper keys with ssh-genkey, then I used ssh-copy-id
> to send the keys to the target machine.  As I said, done from the base
> to both of the laptops, it works fine.  I even have remote access to
> my partner's laptop from the base using her id for the remote actions.
>
> However, from my own laptop, I can't get password-free access, via ssh
> or rsync, to my base desktop.  I either put up with the password
> prompt, or ssh to the base from the laptop and run the file transfers
> from the remote base login to/from the laptop because that way it does
> not require passwords.

You might try editing
   /etc/ssh/sshd_config
on the target and setting
   LogLevel DEBUG
then restart sshd
   sudo systemctl restart sshd

Have you checked the protections on ~/.ssh/authorized_keys?

Gary



Re: SSH key question

MR ZenWiz
In reply to this post by Chris Green
On Thu, Dec 10, 2020 at 2:26 PM Chris Green <[hidden email]> wrote:
>
:
> When you run ssh-key-gen do you provide a passphrase for the generated
> key or do you just hit return when asked?  If you just hit return then
> the key is 'passphraseless'.
>
Are you saying I should use the 'passphraseless' key?  I don't give it
one because I don't want to have one.


Re: SSH key question

Chris Green
On Thu, Dec 10, 2020 at 05:52:01PM -0800, MR ZenWiz wrote:

> On Thu, Dec 10, 2020 at 2:26 PM Chris Green <[hidden email]> wrote:
> >
> :
> > When you run ssh-key-gen do you provide a passphrase for the generated
> > key or do you just hit return when asked?  If you just hit return then
> > the key is 'passphraseless'.
> >
> Are you saying I should use the 'passphraseless' key?  I don't give it
> one because I don't want to have one.
>
If the key is 'passphraseless' then you don't need to provide the
passphrase when you use it to login to a remote ssh server.  However it
means that anyone with access to your system can get the key and use
it themselves for remote access.  If you provide a passphrase for the
key then the system will ask for it when you use the key, an 'agent'
of some sort remembers the key/passphrase for the duration of your
session and thus you don't have to repeatedly enter the passphrase
every time you use the key.

Many systems allow you to configure them so that the passphrase for
your ssh keys is the same as your login password and thus your key(s)
can be automatically decrypted and kept in the agent when you log in.

That's what my original question was asking, if you had provided a
passphrase to the key which matched your login password on one system
but not on the other you might see the symptoms you describe because
the key would get automatically decrypted on one system but not on the
other.

--
Chris Green


Re: SSH key question

Colin Watson
In reply to this post by MR ZenWiz
On Thu, Dec 10, 2020 at 10:09:10AM -0800, MR ZenWiz wrote:
> However, from my own laptop, I can't get password-free access, via ssh
> or rsync, to my base desktop.  I either put up with the password
> prompt, or ssh to the base from the laptop and run the file transfers
> from the remote base login to/from the laptop because that way it does
> not require passwords.

Since it appeared from your client debug logs as though your client was
indeed attempting to authenticate using a public key, your best bet
would be to look at /var/log/auth.log on the server to find out why it's
denying that public key authentication attempt.

--
Colin Watson (he/him)                              [[hidden email]]


Re: SSH key question

MR ZenWiz
On Fri, Dec 11, 2020 at 4:03 AM Colin Watson <[hidden email]> wrote:

>
> On Thu, Dec 10, 2020 at 10:09:10AM -0800, MR ZenWiz wrote:
> > However, from my own laptop, I can't get password-free access, via ssh
> > or rsync, to my base desktop.  I either put up with the password
> > prompt, or ssh to the base from the laptop and run the file transfers
> > from the remote base login to/from the laptop because that way it does
> > not require passwords.
>
> Since it appeared from your client debug logs as though your client was
> indeed attempting to authenticate using a public key, your best bet
> would be to look at /var/log/auth.log on the server to find out why it's
> denying that public key authentication attempt.
>
I looked in the auth.log and queried the message on the web.

The message says:

Authentication refused: bad ownership or modes for directory /home/admar

The solution listed is to change the home directory to deny group and
other write permissions on the home directory and set the permissions
for ~/.ssh to 700 and ~/.ssh/authorized_keys to 600.

I had my home set for 775, and write access to the users group (I have
a good reason for this), so when I changed it to 755, the
password-less login from the laptop worked.

That would make perfect sense except for one minor detail: I have the
exact same 775 permissions with the same group set on my laptop's home
directory, and no issue whatsoever doing the password-less login from
the desktop to the laptop.

I'm still stumped.

Anyone?

Thanks.

Mark
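
The check behind the auth.log message quoted above ("bad ownership or modes for directory /home/admar"), written out as an added example that is not part of the original thread or of OpenSSH itself. It encodes only the rule stated in the thread: the home directory, ~/.ssh and authorized_keys must each be owned by the user (or root) and must not be writable by group or other. Assumptions: GNU stat as shipped on Ubuntu; the function names path_is_safe, audit_key_path and demo are made up here; the directory tree in demo is constructed; unlike sshd, the audit reports every offending path instead of stopping at the first.

```shell
#!/bin/sh
# Added example (not from the thread): audit the chain of paths that has to
# be "safe" before a server will trust ~/.ssh/authorized_keys.
# Assumes GNU coreutils stat (stat -c), as on Ubuntu.

# path_is_safe PATH UID
# Returns 0 if PATH is owned by UID or root and has no group/other write bit.
# Returns 1 on bad owner or mode, 2 if PATH cannot be examined.
path_is_safe() {
    p=$1
    want_uid=$2
    info=$(stat -c '%a %u' -- "$p" 2>/dev/null) || {
        echo "MISSING   $p"
        return 2
    }
    mode=${info% *}     # octal permission bits, e.g. 775
    owner=${info#* }    # numeric uid of the owner
    if [ "$owner" -ne "$want_uid" ] && [ "$owner" -ne 0 ]; then
        echo "BAD OWNER $p (uid $owner)"
        return 1
    fi
    # 022 = write bit for group (020) plus write bit for other (002)
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "BAD MODE  $p ($mode: writable by group or other)"
        return 1
    fi
    echo "ok        $p ($mode)"
    return 0
}

# audit_key_path HOME UID [KEYFILE]
# Walks from the key file up to and including HOME, checking every step.
# Returns 0 only if every path on the way passes.
audit_key_path() {
    home=${1%/}
    uid=$2
    cur=${3:-$home/.ssh/authorized_keys}
    rc=0
    while :; do
        path_is_safe "$cur" "$uid" || rc=1
        [ "$cur" = "$home" ] && break
        next=$(dirname -- "$cur")
        [ "$next" = "$cur" ] && break   # hit / without ever meeting HOME
        cur=$next
    done
    return $rc
}

# demo: constructed tree reproducing the thread's case, home at 775 then 755.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/home/admar/.ssh"
    : > "$d/home/admar/.ssh/authorized_keys"
    chmod 700 "$d/home/admar/.ssh"
    chmod 600 "$d/home/admar/.ssh/authorized_keys"
    for m in 775 755; do
        chmod "$m" "$d/home/admar"
        echo "== home directory mode $m =="
        if audit_key_path "$d/home/admar" "$(id -u)"; then
            echo "-> nothing here blocks publickey login"
        else
            echo "-> expect 'bad ownership or modes' in auth.log"
        fi
    done
    rm -rf "$d"
}

# To audit a real account, run on the server (the machine being logged in to):
#   audit_key_path "$HOME" "$(id -u)"
demo
```
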
