Here are my setup steps for SSH keys if they help.

SSH Login Without Password

    One of the neat features of SSH is the ability to exchange keys between 
servers for authentication without a password prompt. To set this up, do the 
following:

       1. Use PuTTY to SSH into the server you want to be SSHing from without a
password.

       2. Issue: ssh-keygen -t rsa -f ~/.ssh/id_rsa to generate an ssh private 
key.

          WARNING: If you get a message that the id_rsa file already exists,
          reply N to avoid overwriting the existing file. Skip to the next step.

          Hit Enter when prompted for a password.

       3. Issue:
          cat ~/.ssh/id_rsa.pub | ssh serverx 'mkdir -p ~/.ssh; chmod 700 ~/.ssh; cat >> ~/.ssh/authorized_keys'
          to authorize this key on the remote system. You will be required to
enter your password for this first SSH session to the remote system, which is
serverx in this example.

       4. From now on, when you log into the originating system, you can
execute ssh serverx and get logged in without a password prompt. This works
because the userid is the same on both systems.

    Verification
    At the end of these steps, you will want to make sure that you have:

        * An id_rsa file on the server you are coming from in the user's home 
directory (use ls ~/.ssh/id_rsa command).

        * On the server(s) you are going to, you will want to make sure there
is an authorized_keys file in the user's home directory (use ls
~/.ssh/authorized_keys command).
         This should have a line that matches the contents of id_rsa on the
"from" server.

        * On the server you are coming from, in the user's home directory, you
must have a known_hosts file. This file must contain the public key from the
ssh server. This is created automatically using the instructions above when you
ssh to a server for the first time. You might be prompted for adding this to
the known_hosts file. Alternatively, you can manually copy the
/etc/ssh/ssh_host_rsa_key.pub file from the server to the client yourself. A
third way to handle this from the client computer is to specify -o
StrictHostKeyChecking=no when running ssh/scp commands. This avoids any
prompting and automatically adds this to the known_hosts file. If using the
mainframe, not having the public key from the ssh server might surface itself
as an error like "FOTS1370 Host key verification failed".

        * Make sure permissions are 700 on ~/.ssh on both sides. 
        * Make certain the userid being used on either side is 
          the owner of the .ssh directory.
 


__________________________________
Tom Stewart
Infrastructure Analyst
John Deere - z/OS Support Services
__________________________________
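The four steps and the verification list above, packaged as an added example (this is not Tom's script and not from the thread): a shell file that installs a public key line into an authorized_keys file so that a second run does not duplicate it, sets the directory to 700 and the file to 600, and checks modes and ownership the way the verification list describes. It uses a constructed placeholder key rather than calling ssh-keygen, and works on a scratch directory rather than the real ~/.ssh. The one function that talks to a remote host, push_key_to_host, is defined but not run.

```shell
#!/bin/sh
# Added example for the key-exchange steps above; not Tom's own script.
# The public key line below is a constructed placeholder, not a real key.

SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCconstructedExampleKeyNotReal== user@fromhost'

# Octal permission bits of a path (GNU stat first, BSD stat as fallback).
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Numeric owner uid of a path.
owner_of() {
    stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"
}

# Append one public key line to $2/authorized_keys, creating the directory
# with mode 700 and the file with mode 600, and skipping the append when the
# exact line is already present (re-running step 3 as written appends again).
install_authorized_key() {
    key=$1
    sshdir=$2
    keyfile="$sshdir/authorized_keys"
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    [ -f "$keyfile" ] || : > "$keyfile"
    chmod 600 "$keyfile"
    if grep -qxF -- "$key" "$keyfile"; then
        echo "already authorized: ${key##* }"
    else
        printf '%s\n' "$key" >> "$keyfile"
        echo "authorized: ${key##* }"
    fi
}

# The remote half of step 3: push a local public key through ssh into the
# target user's authorized_keys. Needs a reachable host, so it is not run here.
push_key_to_host() {
    host=$1
    pubkey=${2:-"$HOME/.ssh/id_rsa.pub"}
    ssh "$host" 'umask 077; mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys' < "$pubkey"
}

# The verification list: directory 700, authorized_keys 600, both owned by the
# calling user. Prints each failure and returns 1 if any check failed.
check_ssh_layout() {
    sshdir=$1
    rc=0
    me=$(id -u)
    [ -d "$sshdir" ] || { echo "missing: $sshdir"; return 1; }
    [ "$(perm_of "$sshdir")" = 700 ] || { echo "bad mode on $sshdir: $(perm_of "$sshdir"), want 700"; rc=1; }
    [ "$(owner_of "$sshdir")" = "$me" ] || { echo "$sshdir not owned by uid $me"; rc=1; }
    if [ -f "$sshdir/authorized_keys" ]; then
        [ "$(perm_of "$sshdir/authorized_keys")" = 600 ] || { echo "bad mode on authorized_keys: $(perm_of "$sshdir/authorized_keys"), want 600"; rc=1; }
        [ "$(owner_of "$sshdir/authorized_keys")" = "$me" ] || { echo "authorized_keys not owned by uid $me"; rc=1; }
    fi
    return $rc
}

# Demonstration on a scratch directory instead of the real ~/.ssh.
demo_dir=$(mktemp -d)
install_authorized_key "$SAMPLE_PUBKEY" "$demo_dir/.ssh"
install_authorized_key "$SAMPLE_PUBKEY" "$demo_dir/.ssh"   # re-run: no duplicate line
check_ssh_layout "$demo_dir/.ssh" && echo "layout ok"
chmod 770 "$demo_dir/.ssh"   # group-writable: with StrictModes, sshd refuses the key
check_ssh_layout "$demo_dir/.ssh" || echo "layout rejected as expected"
rm -rf "$demo_dir"
```

The 600 on authorized_keys is tighter than the steps require; 700 on the directory is what sshd's StrictModes check actually enforces (no group or world write on the file or its parent directories), and the demo's chmod 770 shows the check catching exactly that.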


-----Original Message-----
From: Linux on 390 Port [mailto:[email protected]] On Behalf Of Mary 
Elwood
Sent: Tuesday, December 23, 2008 2:32 PM
To: [email protected]
Subject: SFTP Authentication Question

I'm trying to change over from FTP to SFTP on Linux.  I've created a userid 
sftpzos on the linux guest.  I've created a .ssh/authorized_key file in his
home directory and populated it with the public key from z/OS.   On z/OS I
executed the ssh-keyscan and have placed the output in
the /etc/ssh/ssh_known_hosts   file.  I do not run SSHD on z/OS.  Only the
linux guest runs SSHD.

I then submit a batch SFTP on z/OS to log in to the linux guest with userid 
sftpzos.

Below is some of the job output

debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts
debug3: check_host_in_hostfile: match line 49
debug1: Host '172.29.251.106' is known and matches the RSA host key.
debug1: Found key in /etc/ssh/ssh_known_hosts:49
debug2: bits set: 506/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /u/oss08/sftp/id_dsa (1ce1e050)
debug2: key: /u/oss08/sftp/id_rsa (1ce1e1e0)
debug1: Authentications that can continue: publickey,keyboard-interactive
debug3: start over, passed a different list publickey,keyboard-interactive
debug3: preferred publickey
debug3: authmethod_lookup publickey
debug3: remaining preferred:
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /u/oss08/sftp/id_dsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Offering public key: /u/oss08/sftp/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,keyboard-interactive
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
FOTS1373 Permission denied (publickey,keyboard-interactive).
FOTS0841 Connection closed

In /var/log/messages I see this

Dec 23 14:53:42 OSA-LNX5 sshd[25330]: debug3: fd 4 is not O_NONBLOCK
Dec 23 14:53:42 OSA-LNX5 sshd[25330]: debug1: Forked child 19717.
Dec 23 14:53:42 OSA-LNX5 sshd[25330]: debug3: send_rexec_state: entering fd = 7 config len 557
Dec 23 14:53:42 OSA-LNX5 sshd[25330]: debug3: ssh_msg_send: type 0
Dec 23 14:53:42 OSA-LNX5 sshd[25330]: debug3: send_rexec_state: done
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: rexec start in 4 out 4 newsock 4 pipe 6 sock 7
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: inetd sockets after dupping: 3, 3
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: Connection from 172.29.249.10 port 2103
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: Client protocol version 2.0; client software version OpenSSH_3.8.1p1
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: match: OpenSSH_3.8.1p1 pat OpenSSH_3.*
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: Enabling compatibility mode for protocol 2.0
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: Local version string SSH-2.0-OpenSSH_4.1
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug2: fd 3 setting O_NONBLOCK
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug2: Network child is on pid 19718
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: preauth child monitor started
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_request_receive entering
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: monitor_read: checking request 0
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_answer_moduli: got parameters: 1024 1024 8192
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_request_send entering: type 1
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug2: monitor_read: 0 used once, disabling now
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_request_receive entering
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: monitor_read: checking request 4
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_answer_sign
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_answer_sign: signature 0x80070b80(143)
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_request_send entering: type 5
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug2: monitor_read: 4 used once, disabling now
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_request_receive entering
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: monitor_read: checking request 6
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_answer_pwnamallow
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_request_send entering: type 7
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug2: monitor_read: 6 used once, disabling now
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_request_receive entering
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: monitor_read: checking request 45
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: PAM: initializing for "sftpzos"
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: Trying to reverse map address 172.29.249.10.
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: PAM: setting PAM_RHOST to "osa-test.nfcu.net"
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: PAM: setting PAM_TTY to "ssh"
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug2: monitor_read: 45 used once, disabling now
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_request_receive entering
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: monitor_read: checking request 3
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_answer_authserv: service=ssh-connection, style=
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug2: monitor_read: 3 used once, disabling now
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_request_receive entering
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: monitor_read: checking request 20
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_answer_keyallowed entering
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_answer_keyallowed: key_from_blob: 0x80080480
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: temporarily_use_uid: 1008/100 (e=0/0)
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: trying public key file /root/.ssh/authorized_keys
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: restore_uid: 0/0
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: temporarily_use_uid: 1008/100 (e=0/0)
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: trying public key file /root/.ssh/authorized_keys
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: restore_uid: 0/0
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_answer_keyallowed: key 0x80080480 is disallowed
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_request_send entering: type 21
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_request_receive entering
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: monitor_read: checking request 20
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_answer_keyallowed entering
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_answer_keyallowed: key_from_blob: 0x8007f470
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: temporarily_use_uid: 1008/100 (e=0/0)
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: trying public key file /root/.ssh/authorized_keys
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: restore_uid: 0/0
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: temporarily_use_uid: 1008/100 (e=0/0)
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: trying public key file /root/.ssh/authorized_keys
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: restore_uid: 0/0
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_answer_keyallowed: key 0x8007f470 is disallowed
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_request_send entering: type 21
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_request_receive entering
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: do_cleanup
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: PAM: cleanup
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: PAM: sshpam_thread_cleanup entering
Dec 23 14:53:56 OSA-LNX5 sshd[17273]: debug2: channel 0: rcvd adjust 1
Dec 23 14:53:57 OSA-LNX5 sshd[17273]: debug2: channel 0: rcvd adjust 19
Dec 23 14:53:58 OSA-LNX5 sshd[17273]: debug2: channel 0: rcvd adjust 2


Two things have caught my attention.  The first - why is it going after
/root/.ssh/authorized_keys when in the ssh_config file I have expressly stated
to use sftpzos?  I did place an authorized key file in /root/.ssh, but it
didn't make any difference.  I have the same problem.
The other item that caught my attention is PAM.  I have a feeling PAM might be
my problem but I am not sure.

This is the PAM configuration file for SSHD

14:54:39 OSA-LNX5:/etc/pam.d #more sshd
#%PAM-1.0
auth     required       pam_unix2.so    # set_secrpc
auth     required       pam_nologin.so
auth     required       pam_env.so
account  required       pam_unix2.so
account  required       pam_nologin.so
password required       pam_pwcheck.so
password required       pam_unix2.so    use_first_pass use_authtok
session  required       pam_unix2.so    none # trace or debug
session  required       pam_limits.so
# Enable the following line to get resmgr support for
# ssh sessions (see /usr/share/doc/packages/resmgr/README.SuSE)
#session  optional      pam_resmgr.so   fake_ttyname

I think the password required is my problem.

I can't figure out how to use keys.

Any and all help is greatly appreciated.  I've spent half my day in google and 
the light bulb hasn't come on yet.

Thank you, in advance, for your help and especially your patience.

Mary Elwood
NFCU

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions, send email to 
[email protected] with the message: INFO LINUX-390 or visit 
http://www.marist.edu/htbin/wlvindex?LINUX-390
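The sshd lines in the question show the server switching to uid 1008 for sftpzos and then opening /root/.ssh/authorized_keys, twice per offered key. sshd builds that path from the AuthorizedKeysFile setting in sshd_config, expanding %h to the user's home directory from the passwd entry and %u to the user name; a pattern without a leading slash is taken relative to the home directory. So the two things to compare are that setting and the home directory of sftpzos. (Trying the same path twice per key is what OpenSSH 4.x does when AuthorizedKeysFile is set explicitly and AuthorizedKeysFile2 is left to default to the same value.) The script below is an added example, not part of the thread: it pulls the lookups out of log lines like the ones posted and compares them with the expanded pattern. The home directory /home/sftpzos and the default pattern .ssh/authorized_keys are assumptions to replace with the real values from getent passwd sftpzos and sshd_config.

```shell
#!/bin/sh
# Added example, not from the LINUX-390 thread: compare the authorized_keys
# path sshd actually opened (from its debug log) with the path it should have
# built for the user. Home directory and AuthorizedKeysFile below are assumed.

# Lines copied from the post's /var/log/messages excerpt, one entry per line.
SAMPLE_SSHD_LOG='Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: PAM: initializing for "sftpzos"
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_answer_keyallowed: key_from_blob: 0x80080480
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: temporarily_use_uid: 1008/100 (e=0/0)
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: trying public key file /root/.ssh/authorized_keys
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug1: restore_uid: 0/0
Dec 23 14:53:42 OSA-LNX5 sshd[19717]: debug3: mm_answer_keyallowed: key 0x80080480 is disallowed'

# Expand the tokens sshd accepts in AuthorizedKeysFile: %h = home directory,
# %u = user name, %% = a literal %. A pattern not starting with / is relative
# to the home directory. Arguments: pattern, home, user.
expand_authorized_keys_file() {
    pattern=$1
    home=$2
    user=$3
    out=$(printf '%s\n' "$pattern" | awk -v home="$home" -v user="$user" '{
        s = ""; n = length($0)
        for (i = 1; i <= n; i++) {
            c = substr($0, i, 1)
            if (c == "%" && i < n) {
                i++; d = substr($0, i, 1)
                if (d == "h") s = s home
                else if (d == "u") s = s user
                else if (d == "%") s = s "%"
                else s = s "%" d
            } else s = s c
        }
        print s }')
    case $out in
        /*) printf '%s\n' "$out" ;;
        *)  printf '%s/%s\n' "$home" "$out" ;;
    esac
}

# Read sshd debug lines on stdin; print one "uid path verdict" line per
# authorized_keys file sshd opened. uid is the identity sshd switched to
# (temporarily_use_uid) before opening it; verdict comes from the
# mm_answer_keyallowed / Accepted publickey line that follows.
keyfile_lookups() {
    awk '
        /temporarily_use_uid:/ { sub(/.*temporarily_use_uid: /, ""); split($0, a, "/"); uid = a[1] }
        /trying public key file/ {
            sub(/.*trying public key file /, ""); last = $0
            owner[last] = uid
            if (!(last in verdict)) verdict[last] = "unknown"
        }
        /is disallowed/      { if (last != "") verdict[last] = "disallowed" }
        /Accepted publickey/ { if (last != "") verdict[last] = "accepted" }
        END { for (f in owner) print owner[f], f, verdict[f] }
    ' | sort -u
}

# Compare every path sshd read against the expected expansion.
# Arguments: user, home directory, AuthorizedKeysFile pattern; log on stdin.
diagnose_keyfile_lookups() {
    expected=$(expand_authorized_keys_file "$3" "$2" "$1")
    keyfile_lookups | while read -r uid path verdict; do
        if [ "$path" = "$expected" ]; then
            echo "ok: sshd read $path as uid $uid ($verdict)"
        else
            echo "MISMATCH: sshd read $path as uid $uid ($verdict); expected $expected"
            echo "  check AuthorizedKeysFile in sshd_config and the home directory of $1 in /etc/passwd"
        fi
    done
}

# Run against the posted lines with the assumed home directory and pattern.
printf '%s\n' "$SAMPLE_SSHD_LOG" | diagnose_keyfile_lookups sftpzos /home/sftpzos '.ssh/authorized_keys'
```

Run it with the real values (getent passwd sftpzos for the home directory, grep -i AuthorizedKeysFile /etc/ssh/sshd_config for the pattern) and a fresh sshd -ddd capture; if the expanded path and the logged path agree and the verdict is still "disallowed", the problem is inside that file (contents or StrictModes permissions), otherwise it is the path itself.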

