Matha
Posts: 11
Joined: Mon Dec 17, 2012 3:22 pm

Using SSH without run time credentials

Mon Jan 20, 2020 5:01 pm

Hello,

I have something "peculiar" going on beneath covers with respect to using SSH without run time credentials that I cannot understand. Looking for some feedback on debugging from another angle, please.

I have performed ssh-copy-id successfully on approximately 20 RPi boxes - all running Buster but, of course, some are older than others. I can now ssh into all these servers except one where the credential is demanded at each logon attempt. I have checked the ~/.ssh/authorized_keys file and found no difference in the entries except that the errant server had two identical records (deleting one manually did not resolve the issue).

The errant server has the following properties:

Code:

$ uname -a
Linux raspbari11 4.19.75-v7+ #1270 SMP Tue Sep 24 18:45:11 BST 2019 armv7l GNU/Linux
$ cat /proc/cpuinfo
processor	: 0
model name	: ARMv7 Processor rev 5 (v7l)
BogoMIPS	: 38.40
Features	: half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 lpae evtstrm 
CPU implementer	: 0x41
CPU architecture: 7
CPU variant	: 0x0
CPU part	: 0xc07
CPU revision	: 5

processor	: 1
model name	: ARMv7 Processor rev 5 (v7l)
BogoMIPS	: 38.40
Features	: half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 lpae evtstrm 
CPU implementer	: 0x41
CPU architecture: 7
CPU variant	: 0x0
CPU part	: 0xc07
CPU revision	: 5

processor	: 2
model name	: ARMv7 Processor rev 5 (v7l)
BogoMIPS	: 38.40
Features	: half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 lpae evtstrm 
CPU implementer	: 0x41
CPU architecture: 7
CPU variant	: 0x0
CPU part	: 0xc07
CPU revision	: 5

processor	: 3
model name	: ARMv7 Processor rev 5 (v7l)
BogoMIPS	: 38.40
Features	: half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 lpae evtstrm 
CPU implementer	: 0x41
CPU architecture: 7
CPU variant	: 0x0
CPU part	: 0xc07
CPU revision	: 5

Hardware	: BCM2835
Revision	: a21041
Serial		: 
Model		: Raspberry Pi 2 Model B Rev 1.1
$ 

All update/upgrade operations are current in the intranet farm. Please note that all suggestions are welcome! ;)

Kind regards.

tpyo kingg
Posts: 809
Joined: Mon Apr 09, 2018 5:26 pm
Location: N. Finland

Re: Using SSH without run time credentials

Mon Jan 20, 2020 5:19 pm

Incorrect permissions is a very common problem with those symptoms. So on the errant machine, verify the permissions on the file authorized_keys, the directory it is in, and all the directories above it.

Then if that was not it, watch the logs on the errant machine as you try to log in with a key. It should tell you where the problem lies:

Code:

sudo tail -f /var/log/auth.log | awk '$5~/^sshd/'

Or

Code:

sudo journalctl -efu ssh.service

Matha
Posts: 11
Joined: Mon Dec 17, 2012 3:22 pm

Re: Using SSH without run time credentials

Tue Jan 21, 2020 4:55 pm

Thx @tpyo kingg,

Code:

pi@raspbari11:~ $ sudo tail -f /var/log/auth.log | awk '$5~/^ssh/'
Jan 21 10:48:16 raspbari11 sshd[31612]: Authentication refused: bad ownership or modes for directory /home/pi
Jan 21 10:48:18 raspbari11 sshd[31612]: Accepted password for pi from 192.168.50.166 port 38352 ssh2

Some lines below (perhaps not relevant for this thread intentionally deleted):

Code:

pi@raspbari11:~ $ sudo journalctl -efu ssh.service
-- Logs begin at Mon 2020-01-20 11:10:27 CST. --
Jan 20 11:10:34 raspbari11 systemd[1]: Started OpenBSD Secure Shell server.
Jan 20 11:11:20 raspbari11 sshd[965]: Authentication refused: bad ownership or modes for directory /home/pi
Jan 20 11:11:24 raspbari11 sshd[965]: Connection closed by authenticating user pi 192.168.50.166 port 37466 [preauth]
Jan 21 10:48:16 raspbari11 sshd[31612]: Authentication refused: bad ownership or modes for directory /home/pi
Jan 21 10:48:18 raspbari11 sshd[31612]: Accepted password for pi from 192.168.50.166 port 38352 ssh2

And, of course, as you realized (but I didn't even think about it since I was editing with user pi and don't have a clue how it happened):

Code:

pi@raspbari11:~/.ssh $ ls -l
total 8
-rw------- 1 pi pi  565 Jan 20 11:10 authorized_keys
-rw-r--r-- 1 pi pi 2220 Sep  8 21:19 known_hosts

Many, many thanks! Kind regards.
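
The permission check suggested earlier in the thread, and the one sshd reported failing for /home/pi, as an added example that is not part of the original posts. The helper name `check_ssh_path` is hypothetical; it approximates what sshd's StrictModes option enforces by walking from authorized_keys up to the home directory and flagging anything not owned by the user or root, or writable by group or others. Paths are assumed to be absolute.

```shell
#!/bin/sh
# Added example: approximates sshd's StrictModes test for one key file.
# Usage: check_ssh_path FILE HOMEDIR NUMERIC_UID   (hypothetical helper)
# Prints each offending path; returns 0 if clean, 1 if any path fails,
# 2 if a path cannot be inspected.
check_ssh_path() (
    path=$1 home=$2 uid=$3 bad=0
    set -f                      # no globbing when splitting ls output
    while :; do
        # ls -ldn: field 1 is the mode string, field 3 the numeric owner
        info=$(ls -ldn "$path") || exit 2
        set -- $info
        mode=$1 owner=$3
        # The owner must be the login user or root
        if [ "$owner" != "$uid" ] && [ "$owner" != 0 ]; then
            echo "bad owner ($owner): $path"; bad=1
        fi
        # Group-write (char 6) or other-write (char 9) fails the check
        case $mode in
            ?????w*|????????w*) echo "bad modes ($mode): $path"; bad=1 ;;
        esac
        # Stop once the home directory (or /) itself has been checked
        if [ "$path" = "$home" ] || [ "$path" = / ]; then break; fi
        path=$(dirname "$path")
    done
    [ "$bad" -eq 0 ]
)

# Run directly with three arguments, e.g.:
#   sh check.sh "$HOME/.ssh/authorized_keys" "$HOME" "$(id -u)"
if [ "$#" -eq 3 ]; then check_ssh_path "$@"; fi
```

A path flagged for modes is cleared by removing group and other write permission from it (`chmod go-w` on that path); a path flagged for owner needs `chown` back to the login user.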

Lewis-H
Posts: 26
Joined: Thu Oct 31, 2019 12:45 pm

Re: Using SSH without run time credentials

Wed Jan 22, 2020 2:17 pm

Use a ssh-library written in Java instead of runtime-exec'ing a ssh program.
