Re: [SLUG] ssh key-based auth not working Ubuntu without GUI (X) login??

2011-08-23 Thread James Linder

On 23/08/2011, at 10:00 AM, slug-requ...@slug.org.au wrote:

>> I've come across an interesting "feature" on the later Ubuntu's - ssh
>> key-based authentication to a target box doesn't appear to work, unless
>> I've logged onto the target box through the GUI (X).
> 
> Guessing here, hopefully a guess which starts you on the path to an
> answer.
> 
> 1) I'd use ls -l to check the contents and permissions of
> /home/sonia/.ssh/authorized_keys
> you want
> sonia:sonia -rw-------
> 
> You might want to look in /var/log/daemon.log on the target for the
> messages from the ssh server.
> 
> 2) When you log into GNOME that starts gnome-keyring-daemon. This
> implements ssh-agent but looks into the GNOME keystores (which includes,
> but is not limited to, ~/.ssh).  I do wonder if the ssh keys being used
> by gnome-keyring-daemon and the ssh keys in ~/.ssh/id_* might be
> different??? You might want to compare the fingerprints which are output
> in ssh -v and in the system log. Maybe command line ssh and
> gnome-keyring-agent are simply offering differing keys, only one of
> which works.

I'm certain this is 'other thingz' not ssh. I use it many times every day 
without any issue, to 10.04, 10.10 and 11.04 as well as centos and suse, from 
all the above.

But I go to great length to get rid of asinine stuff like the keyring where I'm 
led to the one-true-way.

James--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html


Re: [SLUG] ssh key-based auth not working Ubuntu without GUI (X) login??

2011-08-23 Thread Michael Chesterton
> * Amos Shapira  [2011-08-23 13:11:47 +1000]:
> > This made me think about another option - do you use encrypted home
> > directories?
>

Brilliant, I never would have guessed, even though I have run into a similar
situation with start up scripts running before home was ready. If it was me,
I would put the authorized_key file in /home/sonia/.ssh while home is
unmounted. You just have to remember it's living in both places, it's there
when you aren't logged into the console, when you log into the console, it
gets hidden by the mounted encrypted drive and is inaccessible, but it's
already on your encrypted drive so both cases will work.

It's just a little fragile, because you have to remember if you update the
file you have to update it twice. But I could live with that.
-- 


Re: [SLUG] ssh key-based auth not working Ubuntu without GUI (X) login??

2011-08-22 Thread Sonia Hamilton
* Amos Shapira  [2011-08-23 13:11:47 +1000]:
> This made me think about another option - do you use encrypted home
> directories?

* James Polley  [2011-08-23 14:39:53 +1000]:

> On Tue, Aug 23, 2011 at 1:11 PM, Amos Shapira wrote:
> Depending on how much effort you want to put in to work around this, you
> could:
>  - Turn off homedir encryption
>  - Configure sshd to look for authorized_keys in another place
>  - Use Kerberos auth, which doesn't need to read your homedir (nb: not a
> simple solution)

Duh! It's encrypted home directories... Thanks guys!

>  - Use signed SSH keys

I'm not sure how signing my ssh key would help... could you explain a
bit more?

Thanks,

-- 
Sonia Hamilton
http://soniahamilton.wordpress.com
http://www.linkedin.com/in/soniahamilton
-- 
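Editor's note on the "signed SSH keys" option Sonia asks about: it means OpenSSH user certificates (introduced in OpenSSH 5.4, so the 5.5 server and 5.8 client in this thread both have the feature; note that a cert produced by a current ssh-keygen is in the v01 format, which needs 5.6 or newer on the server). A CA public key is installed once in /etc/ssh and named by TrustedUserCAKeys in sshd_config; any user key signed by that CA then authenticates without sshd ever opening ~/.ssh/authorized_keys, so an unmounted encrypted home stops mattering. The script below is an added example by the editor, not code from this thread; the scratch directory $WORK, the CA comment slug-user-ca, the principal name sonia and the 52-week validity are assumptions.

```shell
#!/bin/sh
# Added example (editor's, not from the thread): OpenSSH user certificates, so that
# sshd checks a CA key in /etc/ssh instead of reading ~/.ssh/authorized_keys.
# Assumptions: scratch dir $WORK, CA comment "slug-user-ca", principal "sonia".
set -eu
WORK="${WORK:-$(mktemp -d)}"

# 1. CA key pair. Only user_ca.pub goes to the target box; the private half stays
#    on whichever machine signs keys.
make_ca() {
    [ -f "$WORK/user_ca" ] || ssh-keygen -q -t rsa -b 2048 -N '' -C slug-user-ca -f "$WORK/user_ca"
    echo "$WORK/user_ca.pub"
}

# A client key to be signed (stands in for the existing ~/.ssh/id_rsa on the client).
make_user_key() {
    [ -f "$WORK/id_rsa" ] || ssh-keygen -q -t rsa -b 2048 -N '' -C sonia@zapote -f "$WORK/id_rsa"
    echo "$WORK/id_rsa.pub"
}

# 2. Sign the public key. -n pins the account names the cert may log in as, -V bounds
#    its lifetime, -I is the identity sshd logs at each login. ssh-keygen writes
#    <key>-cert.pub next to the key; the client keeps it beside its private key
#    (the 5.8 client already looks for id_rsa-cert, see the -v output in the thread).
sign_user_key() {
    principal="$1"; pubkey="$2"
    make_ca >/dev/null
    ssh-keygen -q -s "$WORK/user_ca" -I "$principal-$(date +%Y%m%d)" \
        -n "$principal" -V +52w "$pubkey"
    echo "${pubkey%.pub}-cert.pub"
}

# 3. Server side: one directive pointing at a world-readable file outside any home
#    directory, so whether the user's encrypted home is mounted is irrelevant.
sshd_cert_config() {
    cat <<'EOF'
# Trust user keys signed by our CA; a principal in the cert must match the login name.
TrustedUserCAKeys /etc/ssh/user_ca.pub
EOF
}

# What sshd compares against the login name: the principals embedded in the cert.
cert_principals() {
    ssh-keygen -L -f "$1" | sed -n '/Principals:/,/Critical Options:/p' | sed '1d;$d' | tr -d ' \t'
}

if command -v ssh-keygen >/dev/null 2>&1; then
    cert=$(sign_user_key sonia "$(make_user_key)")
    echo "install $(make_ca) on the target as /etc/ssh/user_ca.pub, then add to sshd_config:"
    sshd_cert_config
    echo "client certificate: $cert (principals: $(cert_principals "$cert"))"
fi
```

Usage: run it on the signing machine, copy user_ca.pub to the target as /etc/ssh/user_ca.pub, add the directive, check with sshd -t and reload. The client needs nothing beyond id_rsa-cert.pub sitting next to id_rsa. Because validity and principals live in the certificate, revocation by expiry and per-account restriction come for free, which is why the option is worth the setup even where encrypted homes are not the problem.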


Re: [SLUG] ssh key-based auth not working Ubuntu without GUI (X) login??

2011-08-22 Thread James Polley
On Tue, Aug 23, 2011 at 1:11 PM, Amos Shapira wrote:

> On 23 August 2011 11:24, Glen Turner  wrote:
>
> > 1) I'd use ls -l to check the contents and permissions of
> > /home/sonia/.ssh/authorized_keys
> > you want
> > sonia:sonia -rw-------
> >
>
> This made me think about another option - do you use encrypted home
> directories?
> If so then maybe the authorized_keys file is only accessible when the user
> is logged in on the GUI.
>

I'm almost certain this is the case - authorized_keys lives in your
homedir, your homedir only gets mounted (by default) when you're active -
logging in via ssh should trigger it to be mounted, but of course your
authorized_keys aren't available until after it's mounted, hence after you
log in.

Depending on how much effort you want to put in to work around this, you
could:
 - Turn off homedir encryption
 - Configure sshd to look for authorized_keys in another place
 - Use Kerberos auth, which doesn't need to read your homedir (nb: not a
simple solution)
 - Use signed SSH keys


> --Amos
-- 
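Editor's note on the second option James lists (sshd looking for authorized_keys somewhere other than the home directory): it is the least invasive fix and works on the OpenSSH 5.5 server in this thread, since AuthorizedKeysFile with the %u token has been there for years (listing several files on one line needs 5.9 or later). The script below is an added example by the editor, not code from the thread. It stages /etc/ssh/authorized_keys/<user> under a prefix so it can be dry-run as an ordinary user, validates the file's lines, and walks the ownership and mode rules that sshd's StrictModes enforces. The PREFIX and DEMO_USER variables, the file layout and the use of GNU stat are assumptions.

```shell
#!/bin/sh
# Added example (editor's, not from the thread): keep authorized_keys under
# /etc/ssh/authorized_keys/<user>, a path sshd can read whether or not the user's
# eCryptfs home is mounted.
# PREFIX stages the tree under a scratch dir for a dry run. On the target box set
# PREFIX to the empty string (PREFIX= sh relocate-keys.sh); nothing is staged then,
# and you call install_user_keys sonia <file> yourself as root.
set -eu
PREFIX="${PREFIX-$(mktemp -d)}"
DEMO_USER="${DEMO_USER:-$(id -un)}"   # "sonia" on the real box; the dry run needs a real owner

# sshd_config directive; %u expands to the login name. OpenSSH 5.x accepts exactly
# one path here; several paths on the line need 5.9 or later.
sshd_relocated_keys_config() {
    printf 'AuthorizedKeysFile %s\n' '/etc/ssh/authorized_keys/%u'
}

# Every non-blank, non-comment line must be a key entry: [options] type base64 [comment].
valid_authorized_keys() {
    bad=$(grep -Ev '^[[:space:]]*(#|$)' "$1" \
          | grep -Ev '(^|[[:space:]])(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*([[:space:]]|$)' \
          | head -n 1 || true)
    [ -z "$bad" ] || { echo "rejected line: $bad" >&2; return 1; }
}

# The walk sshd's StrictModes does: the file and every directory above it, up to the
# stop directory, must be owned by root or the user and be neither group- nor
# world-writable. stop_dir is "/" on a real host and PREFIX for the dry run.
check_strict_modes() {
    p="$1"; user="$2"; stop_dir="${3:-/}"
    while :; do
        owner=$(stat -c '%U' "$p"); perms=$(stat -c '%A' "$p")
        case "$owner" in root|"$user") ;; *) echo "$p: owned by $owner" >&2; return 1 ;; esac
        case "$perms" in ?????w*|????????w*) echo "$p: group/world writable ($perms)" >&2; return 1 ;; esac
        if [ "$p" = "$stop_dir" ] || [ "$p" = "/" ]; then break; fi
        p=$(dirname "$p")
    done
}

# Install one user's file. Run as root on the real box so it is root-owned and the
# user cannot add keys to it; copying the old ~/.ssh/authorized_keys is fine since it
# holds only public keys.
install_user_keys() {
    user="$1"; src="$2"; keydir="$PREFIX/etc/ssh/authorized_keys"
    valid_authorized_keys "$src"
    mkdir -p "$keydir" && chmod 0755 "$keydir"
    cp "$src" "$keydir/$user" && chmod 0644 "$keydir/$user"
    echo "$keydir/$user"
}

# Dry run under PREFIX on a constructed sample (placeholder blob, not a real key).
if [ -n "$PREFIX" ]; then
    mkdir -p "$PREFIX"
    cat >"$PREFIX/sample.keys" <<'EOF'
# constructed sample for the dry run, not a real key
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCplaceholder0123456789abcdefghijklmnopqrstuvwxyz= sonia@zapote
EOF
    installed=$(install_user_keys "$DEMO_USER" "$PREFIX/sample.keys")
    check_strict_modes "$installed" "$DEMO_USER" "$PREFIX"
    echo "installed $installed; now add this to sshd_config, run sshd -t and reload:"
    sshd_relocated_keys_config
fi
```

Two caveats when doing it for real: AuthorizedKeysFile replaces the default rather than adding to it, so every user's ~/.ssh/authorized_keys stops working at the same moment (keep an existing session open while you test), and users can no longer add their own keys, which in most deployments is the point of putting the files under root's control.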


Re: [SLUG] ssh key-based auth not working Ubuntu without GUI (X) login??

2011-08-22 Thread Amos Shapira
On 23 August 2011 11:24, Glen Turner  wrote:

> 1) I'd use ls -l to check the contents and permissions of
> /home/sonia/.ssh/authorized_keys
> you want
> sonia:sonia -rw-------
>

This made me think about another option - do you use encrypted home
directories?
If so then maybe the authorized_keys file is only accessible when the user
is logged in on the GUI.

--Amos
-- 


Re: [SLUG] ssh key-based auth not working Ubuntu without GUI (X) login??

2011-08-22 Thread Glen Turner
On Tue, 2011-08-23 at 09:57 +1000, Sonia Hamilton wrote:
> I've come across an interesting "feature" on the later Ubuntu's - ssh
> key-based authentication to a target box doesn't appear to work, unless
> I've logged onto the target box through the GUI (X).

Guessing here, hopefully a guess which starts you on the path to an
answer.

1) I'd use ls -l to check the contents and permissions of
/home/sonia/.ssh/authorized_keys
you want
sonia:sonia -rw-------

You might want to look in /var/log/daemon.log on the target for the
messages from the ssh server.

2) When you log into GNOME that starts gnome-keyring-daemon. This
implements ssh-agent but looks into the GNOME keystores (which includes,
but is not limited to, ~/.ssh).  I do wonder if the ssh keys being used
by gnome-keyring-daemon and the ssh keys in ~/.ssh/id_* might be
different??? You might want to compare the fingerprints which are output
in ssh -v and in the system log. Maybe command line ssh and
gnome-keyring-agent are simply offering differing keys, only one of
which works.

-- 
 Glen Turner 

-- 


[SLUG] ssh key-based auth not working Ubuntu without GUI (X) login??

2011-08-22 Thread Sonia Hamilton
I've come across an interesting "feature" on the later Ubuntu's - ssh
key-based authentication to a target box doesn't appear to work, unless
I've logged onto the target box through the GUI (X).

Anyone come across this? Anyone know of a fix?

Here's the target box:

% cat /etc/issue.net 
Ubuntu 10.10

Here's me trying to logon to the target box, and I'm not logged on the
GUI on the target box:

% ssh -v cereza
OpenSSH_5.8p1 Debian-1ubuntu3, OpenSSL 0.9.8o 01 Jun 2010
debug1: Reading configuration data /home/sonia/.ssh/config
debug1: Applying options for cereza
debug1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to cereza [10.68.206.77] port 22.
debug1: fd 3 clearing O_NONBLOCK
debug1: Connection established.
debug1: identity file /home/sonia/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /home/sonia/.ssh/id_rsa-cert type -1
debug1: identity file /home/sonia/.ssh/id_dsa type 2
debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
debug1: identity file /home/sonia/.ssh/id_dsa-cert type -1
debug1: identity file /home/sonia/.ssh/id_ecdsa type -1
debug1: identity file /home/sonia/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version
OpenSSH_5.5p1 Debian-4ubuntu5
debug1: match: OpenSSH_5.5p1 Debian-4ubuntu5 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.8p1 Debian-1ubuntu3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 z...@openssh.com
debug1: kex: client->server aes128-ctr hmac-md5 z...@openssh.com
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA
dc:f1:0d:ee:d0:56:b8:64:d5:64:c8:99:ef:00:3d:a7
debug1: Host 'cereza' is known and matches the RSA host key.
debug1: Found key in /home/sonia/.ssh/known_hosts:148
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/sonia/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Offering DSA public key: /home/sonia/.ssh/id_dsa
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/sonia/.ssh/id_ecdsa
debug1: Next authentication method: password
sonia@cereza's password: 

Then I logon to the GUI of the target box, and hey presto ssh key-auth
works from my source box:

% ssh cereza
Linux cereza 2.6.35-30-generic #56-Ubuntu SMP Mon Jul 11 20:00:22 UTC
2011 i686 GNU/Linux
Ubuntu 10.10

Welcome to Ubuntu!
 * Documentation:  https://help.ubuntu.com/

 New release 'natty' available.
 Run 'do-release-upgrade' to upgrade to it.

 Last login: Tue Aug 23 09:50:38 2011 from zapote.local

--
Sonia Hamilton
http://soniahamilton.wordpress.com
http://www.linkedin.com/in/soniahamilton
-- 
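Editor's note on reading the transcript above: the client offers id_rsa and id_dsa and the server answers each with "Authentications that can continue" instead of accepting, so the keys are reaching the server and being refused there; the client side is fine. With Ubuntu's encrypted home the reason is that /home/sonia is an eCryptfs mount point that is only mounted at login, so before a console login sshd opens /home/sonia/.ssh/authorized_keys in the lower directory, where it does not exist. On Ubuntu the server-side line lands in /var/log/auth.log (sshd logs to the AUTH facility), and sshd -d -p 2222 shows the failed open directly. The script below is an added example by the editor, not code from the thread: it classifies a -v transcript (constructed from the output above) and reads a mounts table to tell a mounted from an unmounted eCryptfs home. The transcript, the mounts tables and the eCryptfs lower-directory layout (/home/.ecryptfs/<user>/.Private mounted on /home/<user>) are constructed inputs and assumptions.

```shell
#!/bin/sh
# Added example (editor's, not from the thread): tell a server-side key refusal apart
# from a client-side problem, and check whether an Ubuntu encrypted home is the cause.
# Inputs are constructed: the transcript is taken from the post, the mounts tables are
# made up in /proc/mounts format, and the eCryptfs paths assume Ubuntu's layout.
set -eu

# Client side: count offered keys and look for the acceptance line. "Authentications
# that can continue" after every offer, followed by "Next authentication method:
# password", means the server saw each key and rejected it.
pubkey_outcome() {   # $1 = file holding `ssh -v` output
    offered=$(grep -c '^debug1: Offering .*public key' "$1" || true)
    if grep -q '^debug1: Authentication succeeded (publickey)' "$1"; then
        echo "accepted (after $offered offers)"
    elif [ "$offered" -gt 0 ]; then
        echo "server refused $offered offered keys"
    else
        echo "no keys offered"
    fi
}

# Server side: is the home directory an eCryptfs mount right now? /proc/mounts
# fields are: source mountpoint fstype options dump pass.
home_is_ecryptfs_mounted() {   # $1 = home dir, $2 = mounts table (default /proc/mounts)
    awk -v home="$1" '$2 == home && $3 == "ecryptfs" { found = 1 } END { exit !found }' "${2:-/proc/mounts}"
}

# Combine: what does sshd see when it opens $home/.ssh/authorized_keys?
diagnose() {   # $1 = user, $2 = home dir, $3 = mounts table
    home="$2"; lower="$(dirname "$home")/.ecryptfs/$1"
    if home_is_ecryptfs_mounted "$home" "$3"; then
        echo "mounted: sshd reads the real $home/.ssh/authorized_keys"
    elif [ -d "$lower" ]; then
        echo "unmounted eCryptfs home: sshd opens $home/.ssh/authorized_keys in the empty lower directory (refused until a console login mounts $lower/.Private)"
    else
        echo "plain home: $([ -r "$home/.ssh/authorized_keys" ] && echo "authorized_keys readable" || echo "authorized_keys missing")"
    fi
}

# Constructed inputs: the client transcript from the post and two mounts tables,
# one before and one after a console login.
DEMO=$(mktemp -d)
cat >"$DEMO/ssh-v.log" <<'EOF'
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/sonia/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Offering DSA public key: /home/sonia/.ssh/id_dsa
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/sonia/.ssh/id_ecdsa
debug1: Next authentication method: password
EOF
mkdir -p "$DEMO/home/.ecryptfs/sonia/.Private" "$DEMO/home/sonia"
printf 'proc /proc proc rw 0 0\n/dev/sda1 / ext4 rw 0 0\n' >"$DEMO/mounts.unmounted"
{ cat "$DEMO/mounts.unmounted"
  printf '%s/.ecryptfs/sonia/.Private %s ecryptfs rw,nosuid,nodev,ecryptfs_sig=0000000000000000,ecryptfs_cipher=aes 0 0\n' \
      "$DEMO/home" "$DEMO/home/sonia"; } >"$DEMO/mounts.mounted"

echo "client view: $(pubkey_outcome "$DEMO/ssh-v.log")"
echo "before console login: $(diagnose sonia "$DEMO/home/sonia" "$DEMO/mounts.unmounted")"
echo "after console login:  $(diagnose sonia "$DEMO/home/sonia" "$DEMO/mounts.mounted")"
```

On the real target, call diagnose with the live table: diagnose sonia /home/sonia /proc/mounts. Once a console login has mounted the home the first branch fires and key authentication works, which is exactly the behaviour the post describes.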