tony1812
Posts: 354
Joined: Sat Jul 15, 2017 12:40 pm
Location: Boston MA.

scp password question

Fri Jan 05, 2018 10:24 pm

Hello, I set up a pi3 and a piZero with scp using the same procedure. when I scp from the pi3, it asks me for the password but when I scp from the piZero to the pi3 it doesn't. I must prefer the pi3 doesn't asks for the password. Both pis have authorized_keys, id_rsa id_rsa.pub and known_hosts files in the .ssh, what might be wrong?

UF_DoC
Posts: 49
Joined: Wed Jul 01, 2015 9:00 am

Re: scp password question

Sat Jan 06, 2018 5:30 pm

Sounds like something is wrong with the setup/content of authorized_keys file on the pi_zero.

In order to debug, first try a simple ssh between the two and ensure that both ways do not ask for passwords.

i.e.

from the pi-zero run

Code: Select all

ssh -vvv <pi3-ip-address> 
and ensure you get in without any password
then from the pi3 run

Code: Select all

ssh -vvv <pi-zero-ip-address> 
and confirm same.

If you cannot ssh into the pi-zero it means you have something setup incorrectly with authorized_keys file. or you have not added your key file correctly as an ssh id on the pi3. I refer to ssh-add command.

tony1812
Posts: 354
Joined: Sat Jul 15, 2017 12:40 pm
Location: Boston MA.

Re: scp password question

Sat Jan 06, 2018 8:21 pm

UF_DoC wrote:
Sat Jan 06, 2018 5:30 pm
Sounds like something is wrong with the setup/content of authorized_keys file on the pi_zero.

In order to debug, first try a simple ssh between the two and ensure that both ways do not ask for passwords.

i.e.

from the pi-zero run

Code: Select all

ssh -vvv <pi3-ip-address> 
and ensure you get in without any password
then from the pi3 run

Code: Select all

ssh -vvv <pi-zero-ip-address> 
and confirm same.

If you cannot ssh into the pi-zero it means you have something setup incorrectly with authorized_keys file. or you have not added your key file correctly as an ssh id on the pi3. I refer to ssh-add command.
Thanks for the reply. I setup another piZero in the same manner, this time I use scp it ask for password on both side. P3 and piZero. I also did what you suggested. ssh -vvv <ip> both machine ask for password. The file sent just fine after I enter the password How can I get rid of this annoying password crap?

UF_DoC
Posts: 49
Joined: Wed Jul 01, 2015 9:00 am

Re: scp password question

Sat Jan 06, 2018 8:36 pm

You need to understand keyless ssh setup.

Before you can scp files between pi's you need to be able to ssh between them without a password.

I assume you are not too security conscience and will be using the same public and private keys on both pis.

ensure you have the id_rsa, id_rsa.pub on both pi's in the ~/.ssh directory. ensure the permissions of this file is 600

i.e. chmod 600 ~/.ssh/id_rsa ~/.ssh/id_rsa.pub

run ssh-add ~/.ssh/id_rsa on both pi's

make sure authorized_keys keys has the id_rsa.pub as a line, better still, make it a copy of the id_rsa.pub i.e.
cp ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys

set authorized_keys permissions to 600 chmod 600 ~/.ssh/authorized_keys

try ssh between pi's and it should not ask for passwords anymore..

UNLESS!!! have you generated a password protected id_rsa key pair???

please copy and paste the output of the ssh -vvv <ip> command so we can see at which point it asks for a password.

tony1812
Posts: 354
Joined: Sat Jul 15, 2017 12:40 pm
Location: Boston MA.

Re: scp password question

Sat Jan 06, 2018 10:33 pm

UF_DoC wrote:
Sat Jan 06, 2018 8:36 pm
You need to understand keyless ssh setup.

Before you can scp files between pi's you need to be able to ssh between them without a password.

I assume you are not too security conscience and will be using the same public and private keys on both pis.

ensure you have the id_rsa, id_rsa.pub on both pi's in the ~/.ssh directory. ensure the permissions of this file is 600

i.e. chmod 600 ~/.ssh/id_rsa ~/.ssh/id_rsa.pub

run ssh-add ~/.ssh/id_rsa on both pi's

make sure authorized_keys keys has the id_rsa.pub as a line, better still, make it a copy of the id_rsa.pub i.e.
cp ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys

set authorized_keys permissions to 600 chmod 600 ~/.ssh/authorized_keys

try ssh between pi's and it should not ask for passwords anymore..

UNLESS!!! have you generated a password protected id_rsa key pair???

please copy and paste the output of the ssh -vvv <ip> command so we can see at which point it asks for a password.
Hi UF_DoC, I did what you said, ssh -vvv xxx.xxx.xxx.xxx, I got this long response:

debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug2: key: /home/pi/.ssh/id_rsa (0x568698)
debug2: key: /home/pi/.ssh/id_dsa ((nil))
debug2: key: /home/pi/.ssh/id_ecdsa ((nil))
debug2: key: /home/pi/.ssh/id_ed25519 ((nil))
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/pi/.ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/pi/.ssh/id_dsa
debug3: no such identity: /home/pi/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /home/pi/.ssh/id_ecdsa
debug3: no such identity: /home/pi/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /home/pi/.ssh/id_ed25519
debug3: no such identity: /home/pi/.ssh/id_ed25519: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
[email protected]'s password:

It is still asking me for password. :x
Few things I am not very clear, when you said "run ssh-add ~/.ssh/id_rsa on both pi's", did you mean the id_rsa on the local machine or the remote one?
"I assume you are not too security conscience" indeed I do not care much about security as these pis are on my internal network for my own use, I doubt anyone will bother to hack into them. convent is more an issue for me. This msg "SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.
" appears after I typed the password and everytime every time I boot up the pi, any idea how I can silence it?

User avatar
rpdom
Posts: 15929
Joined: Sun May 06, 2012 5:17 am
Location: Chelmsford, Essex, UK

Re: scp password question

Sat Jan 06, 2018 10:45 pm

What permissions have you got on the .ssh directory and the .ssh/authorized_keys files on the target Pi? If the permissions are insecure the ssh login won't work.
Use

Code: Select all

ls -la ~/.ssh
on the destination Pi (after logging in with password) to check.

tony1812
Posts: 354
Joined: Sat Jul 15, 2017 12:40 pm
Location: Boston MA.

Re: scp password question

Sat Jan 06, 2018 11:44 pm

rpdom wrote:
Sat Jan 06, 2018 10:45 pm
What permissions have you got on the .ssh directory and the .ssh/authorized_keys files on the target Pi? If the permissions are insecure the ssh login won't work.
Use

Code: Select all

ls -la ~/.ssh
on the destination Pi (after logging in with password) to check.
Both pis are target as well as source because I want to be able to scp from each other and both machine's .ssh/authorized_keys as well as .ssh/id_rsa and id_rsa.un are 600.

Also I am curious what the known_host file on both ~/.ssh do? Do they have something to do with ssh?

User avatar
rpdom
Posts: 15929
Joined: Sun May 06, 2012 5:17 am
Location: Chelmsford, Essex, UK

Re: scp password question

Sun Jan 07, 2018 10:32 am

tony1812 wrote:
Sat Jan 06, 2018 11:44 pm
Both pis are target as well as source because I want to be able to scp from each other and both machine's .ssh/authorized_keys as well as .ssh/id_rsa and id_rsa.un are 600.
Yes, but that is not what I asked. The permissions on the .ssh directory itself are also important.
Also I am curious what the known_host file on both ~/.ssh do? Do they have something to do with ssh?
The known_hosts file is a list of keys of servers that have previously connected to. This is used to confirm that it is the same server when you next connect to it.

Sometimes that can cause problems. When I set up a new Pi it is always given the default hostname "raspberrypi" and I then log in to it remotely to configure it and set the real hostname. If I didn't do some clever stuff, I would keep getting error messages that the server had changed and I was in dire risk of the world ending, so I use a workaround for that.

UF_DoC
Posts: 49
Joined: Wed Jul 01, 2015 9:00 am

Re: scp password question

Sun Jan 07, 2018 9:09 pm

Please check what the logs say:

On the Pi that you are going to ssh into run this:

Code: Select all

tail -100f /var/log/auth.log
Then ssh from the other pi.
This msg "SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.
" appears after I typed the password and everytime every time I boot up the pi, any idea how I can silence it?
Change your password...

Return to “Beginners”