kings
Posts: 61
Joined: Tue Aug 15, 2017 5:17 pm

ssh key pairing between two pi's still requires password after setup

Sat Sep 09, 2017 4:00 am

I ssh all day long between boxes in my pi network. Try as I might, I can't set up an ssh key pair to allow me to ssh from pi to pi without needing a password. Feel very confident that I have followed all the basic rules to the letter:

Ownership and permissions on both pi's are the same and correct. SSH with a password works just fine. Transfer of the public key to the 2nd pi appears to have worked fine (by inspection).

Here are the steps I took in my most recent attempt:

On Pi1
cd .ssh
rm id*
ssh-keygen -t rsa -C <usrname>@<rp1 IP>
cat ~/.ssh/id_rsa.pub | ssh <usrname>@<rp2 IP> 'cat >> .ssh/authorized_keys' ## I have used other methods here, too...
>>provide password

then when I ssh to rp2, I am prompted for a password.
After successfully logging in and out of rp2, further attempts to ssh still require a password.

Pulling my hair out! Hope someone here can offer a solution.
Thanks!

gkreidl
Posts: 6345
Joined: Thu Jan 26, 2012 1:07 pm
Location: Germany

Re: ssh key pairing between two pi's still requires password after setup

Sat Sep 09, 2017 7:41 am

Did you check the content of .ssh/authorized_keys on both RPis?
I just did something similar yesterday and it works without a password now.

jahboater
Posts: 6718
Joined: Wed Feb 04, 2015 6:38 pm
Location: Wonderful West Dorset

Re: ssh key pairing between two pi's still requires password after setup

Sat Sep 09, 2017 8:31 am

I use ssh-copy-id and it always works.

Code:

ssh-keygen -t rsa
ssh-copy-id pi@host

You get asked for the password for user "pi" of course on the machine "host"
You don't need to be in the ssh directory.

B.Goode
Posts: 11236
Joined: Mon Sep 01, 2014 4:03 pm
Location: UK

Re: ssh key pairing between two pi's still requires password after setup

Sat Sep 09, 2017 8:55 am

A couple of thoughts:

SSH is protectively very fussy about the file access protection on both the .ssh directory and the .ssh/authorized_keys file. Might be worth checking? (Mentioned in your query, but worth rechecking?)

Maybe invoking the ssh client with verbose output enabled ( with the -vvv argument) might reveal what is going on?

kings
Posts: 61
Joined: Tue Aug 15, 2017 5:17 pm

Re: ssh key pairing between two pi's still requires password after setup

Sat Sep 09, 2017 7:07 pm

Here is my latest attempt:

Code:

sking@rp1-home:/home/sking/.ssh> ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/sking/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/sking/.ssh/id_rsa.
Your public key has been saved in /home/sking/.ssh/id_rsa.pub.
The key fingerprint is:
db:44:f7:03:a1:dd:28:c3:02:e5:ed:4a:63:eb:9e:96 sking@rp1-home

sking@rp1-home:/home/sking/.ssh> ssh-copy-id sking@rp2-home
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
sking@rp2-home's password: 

Number of key(s) added: 1


Now try logging into the machine, with:   "ssh 'sking@rp2-home'"
and check to make sure that only the key(s) you wanted were added.

Contents of authorized key file on sking@rp2-home:

Code:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCxzP7syiSJnp5kGPWe20M8jzubZiK2n0YYba6p43L4p5y2X90ChciZra+XUpA461oM7hZkKBgHSnIVRhXhn9EEeCLBaSGsklWFQH/U8xKwPKrawfYhuXHIust7hkAyG4iEix0lDZOVB1RyFR1gHvDJxu0zZ7tpT52US49LtF8a3DkmelvxDSZe6jcrU55cARE/bhnsl2LJkSWqmIwgi2PEBxnh4LvbqVejVsDXmv/tRTmejsW7w8bbUaonsoErXBN4sHH/Vis/4Bbhp6CPKRd3daijqolsUb6s2Luk+2htfEb8AXJrqOXMO6Mrrosuwab8n8xVBOgnyWP sking@rp1-home

and the first lines returned from the result of >ssh rp2-home -v

Code:

OpenSSH_6.7p1 Raspbian-5+deb8u3, OpenSSL 1.0.1t  3 May 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to rp2-home [192.168.1.32] port 22.
debug1: Connection established.
debug1: identity file /home/sking/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory


I double checked permissions to .ssh and files within...all looks good to me???

Martin Frezman
Posts: 1009
Joined: Mon Oct 31, 2016 10:05 am

Re: ssh key pairing between two pi's still requires password after setup

Sat Sep 09, 2017 7:27 pm

I double checked permissions to .ssh and files within...all looks good to me???
You'll have to show them here.

It's very fiddly - it checks both perms and ownership and things have to be exactly as it wants them.

Seriously, saying "It looks OK to me" means nothing.
If this post appears in the wrong forums category, my apologies.

DirkS
Posts: 10599
Joined: Tue Jun 19, 2012 9:46 pm
Location: Essex, UK

Re: ssh key pairing between two pi's still requires password after setup

Sat Sep 09, 2017 7:31 pm

Martin Frezman wrote:
Sat Sep 09, 2017 7:27 pm
I double checked permissions to .ssh and files within...all looks good to me???
You'll have to show them here.

It's very fiddly - it checks both perms and ownership and things have to be exactly as it wants them.

Seriously, saying "It looks OK to me" means nothing.
I think it's more useful to see the full debug log instead of the first 5 lines.
I would also increase the debug level. Use -vvv

Martin Frezman
Posts: 1009
Joined: Mon Oct 31, 2016 10:05 am

Re: ssh key pairing between two pi's still requires password after setup

Sat Sep 09, 2017 8:16 pm

I think it's more useful to see the full debug log instead of the first 5 lines.
I would also increase the debug level. Use -vvv
It's all good.

kings
Posts: 61
Joined: Tue Aug 15, 2017 5:17 pm

Re: ssh key pairing between two pi's still requires password after setup

Sat Sep 09, 2017 8:24 pm

Ok, here you go:

On sking@rp1-home
drwx------ 2 sking home 4096 Sep 9 11:58 .ssh
sking@rp1-home:/home/sking/.ssh> ll
total 12
-rw------- 1 sking home 1776 Sep 8 20:42 known_hosts
-rw-r--r-- 1 sking home 396 Sep 9 11:56 id_rsa.pub
-rw------- 1 sking home 1679 Sep 9 11:56 id_rsa

On sking@rp2-home
drwx------ 2 sking home 4096 Sep 9 11:58 .ssh

sking@rp2-home:/home/sking/.ssh> ll
total 8
-rw------- 1 sking home 396 Sep 9 11:58 authorized_keys
-rw------- 1 sking home 1332 Sep 9 12:03 known_hosts

and the full text from > ssh rp2@home -vvv

Code:

OpenSSH_6.7p1 Raspbian-5+deb8u3, OpenSSL 1.0.1t  3 May 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to rp2-home [192.168.1.32] port 22.
debug1: Connection established.
debug1: identity file /home/sking/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/sking/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/sking/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/sking/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/sking/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/sking/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/sking/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/sking/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.7p1 Raspbian-5+deb8u3
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7p1 Raspbian-5+deb8u3
debug1: match: OpenSSH_6.7p1 Raspbian-5+deb8u3 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "rp2-home" from file "/home/sking/.ssh/known_hosts"
debug3: load_hostkeys: found key type ECDSA in file /home/sking/.ssh/known_hosts:8
debug3: load_hostkeys: loaded 1 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-ed25519,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib

debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
debug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: mac_setup: setup umac-64-etm@openssh.com
debug1: kex: server->client aes128-ctr umac-64-etm@openssh.com none
debug2: mac_setup: setup umac-64-etm@openssh.com
debug1: kex: client->server aes128-ctr umac-64-etm@openssh.com none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 40:dd:65:dd:7c:b1:11:55:12:ea:fd:a5:fe:0c:63:c3
debug3: load_hostkeys: loading entries for host "rp2-home" from file "/home/sking/.ssh/known_hosts"
debug3: load_hostkeys: found key type ECDSA in file /home/sking/.ssh/known_hosts:8
debug3: load_hostkeys: loaded 1 keys
debug3: load_hostkeys: loading entries for host "192.168.1.32" from file "/home/sking/.ssh/known_hosts"
debug3: load_hostkeys: found key type ECDSA in file /home/sking/.ssh/known_hosts:7
debug3: load_hostkeys: loaded 1 keys
debug1: Host 'rp2-home' is known and matches the ECDSA host key.
debug1: Found key in /home/sking/.ssh/known_hosts:8
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/sking/.ssh/id_rsa (0x54fb2290),
debug2: key: /home/sking/.ssh/id_dsa ((nil)),
debug2: key: /home/sking/.ssh/id_ecdsa ((nil)),
debug2: key: /home/sking/.ssh/id_ed25519 ((nil)),
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/sking/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/sking/.ssh/id_dsa
debug3: no such identity: /home/sking/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /home/sking/.ssh/id_ecdsa
debug3: no such identity: /home/sking/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /home/sking/.ssh/id_ed25519
debug3: no such identity: /home/sking/.ssh/id_ed25519: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
sking@rp2-home's password: 


knute
Posts: 664
Joined: Thu Oct 23, 2014 12:14 am
Location: Texas

Re: ssh key pairing between two pi's still requires password after setup

Sat Sep 09, 2017 8:31 pm

kings wrote:
Sat Sep 09, 2017 4:00 am
Pulling my hair out! Hope someone here can offer a solution.
Thanks!
This is really a lot simpler than it seems but it has several parts.

1) To be able to log into a remote SSH server via a key, you need to generate a public/private key pair on your local client computer. See man ssh-keygen but just typing ssh-keygen at the prompt will get you everything you need to make this work.

2) You need to put the client's PUBLIC key into the .ssh/authorized_keys file on the server computer. This is where it can get confusing. To SSH both ways between two computers you need to put Computer#1's PUBLIC key file into Computer#2's .ssh/authorized_keys file AND Computer#2's PUBLIC key file into Computer#1's .ssh/authorized_keys file.

3) As somebody has already said, permissions are important. id_rsa.pub (the PUBLIC key) should be 644, id_rsa (the PRIVATE key) and authorized_keys should be 600. They should be owned by the user whose directory they are in. In other words if the files are in /home/bob/.ssh they should be owned by bob.

4) The /etc/ssh/sshd_config file is installed with public key authentication permitted. If you want to disallow logging in via a password (the whole reason we are doing this) you need to change the PasswordAuthentication to no. You must also restart ssh (sudo service ssh restart) or reboot.

5) If you wish to allow many users to log into your computer via ssh public key authentication then you must append each of their public keys into your .ssh/authorized_keys file.

6) When you create your public/private key pair you can assign a passphrase to protect your private key (a good idea in my book on a system that actually counts) but you don't have to.

Here is the complete exchange that shows how to create the public/private key pair, copy the public key to the local computer's .ssh/authorized_keys file and make an ssh connection to the localhost to test ssh public key authentication.

Code:

pi@raspberrypi:~ $ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/pi/.ssh/id_rsa): 
Created directory '/home/pi/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/pi/.ssh/id_rsa.
Your public key has been saved in /home/pi/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:FhQvF0irtUn5T8Op1FK0M3WRWl/6pEBX6xtpBs7qhaM pi@raspberrypi
The key's randomart image is:
+---[RSA 2048]----+
|       .+o. . .o=|
|       ..+ o.o.+o|
|        B o.=oooo|
|       + B ++=+ +|
|      . S + *+ X |
|       . . =o.+ +|
|          .+.. . |
|          o o    |
|         E .     |
+----[SHA256]-----+

pi@raspberrypi:~ $ cd .ssh

pi@raspberrypi:~/.ssh $ cp id_rsa.pub authorized_keys

pi@raspberrypi:~/.ssh $ ssh localhost
The authenticity of host 'localhost (::1)' can't be established.
ECDSA key fingerprint is SHA256:t0VSNjW7NPYqPcM/zyqfDWUvAB4LMuvTwTOf4wP6R8I.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
Linux raspberrypi 4.9.41-v7+ #1023 SMP Tue Aug 8 16:00:15 BST 2017 armv7l

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Sep  9 14:43:05 2017 from 192.168.13.5
pi@raspberrypi:~ $ exit
logout
Connection to localhost closed.
pi@raspberrypi:~/.ssh $ 

Remember your PUBLIC key gets appended to the server's .ssh/authorized_keys file.

kings
Posts: 61
Joined: Tue Aug 15, 2017 5:17 pm

Re: ssh key pairing between two pi's still requires password after setup

Sun Sep 10, 2017 3:41 am

Thanks for spelling it all out, but try as I might, I can't get the key to be recognised. Suggests part or permissions problems, but can't manage to fix it.

Could somebody post an example of their /etc/ssh/sshd_config file?

DirkS
Posts: 10599
Joined: Tue Jun 19, 2012 9:46 pm
Location: Essex, UK

Re: ssh key pairing between two pi's still requires password after setup

Sun Sep 10, 2017 8:50 am

kings wrote:
Sun Sep 10, 2017 3:41 am
Could somebody post an example of their /etc/ssh/sshd_config file?
You don't need to make any changes to the default config.
The only change I make is to switch off password authentication.

Code:

PasswordAuthentication no

jahboater
Posts: 6718
Joined: Wed Feb 04, 2015 6:38 pm
Location: Wonderful West Dorset

Re: ssh key pairing between two pi's still requires password after setup

Sun Sep 10, 2017 9:09 am

I set:-

PermitRootLogin no

and change the port number away from 22

Martin Frezman
Posts: 1009
Joined: Mon Oct 31, 2016 10:05 am

Re: ssh key pairing between two pi's still requires password after setup

Sun Sep 10, 2017 9:15 am

jahboater wrote:
Sun Sep 10, 2017 9:09 am
I set:-

PermitRootLogin no

and change the port number away from 22
I'm sure there are lots of other changes people could make as well, but, staying focussed, none of these changes have anything to do with OP's problem.

As the previous poster said, you don't need to make any changes to the default sshd_config file for "passwordless ssh" to work.

knute
Posts: 664
Joined: Thu Oct 23, 2014 12:14 am
Location: Texas

Re: ssh key pairing between two pi's still requires password after setup

Sun Sep 10, 2017 4:03 pm

kings wrote:
Sun Sep 10, 2017 3:41 am
Thanks for spelling it all out, but try as I might, I can't get the key to be recognised. Suggests part or permissions problems, but can't manage to fix it.

Could somebody post an example of their /etc/ssh/sshd_config file?
So start from the beginning again.

cd
rm -r .ssh
ssh-keygen
cp .ssh/id_rsa.pub .ssh/authorized_keys
ssh localhost

and show us the whole interchange.

jahboater
Posts: 6718
Joined: Wed Feb 04, 2015 6:38 pm
Location: Wonderful West Dorset

Re: ssh key pairing between two pi's still requires password after setup

Sun Sep 10, 2017 5:21 pm

knute wrote:
Sun Sep 10, 2017 4:03 pm
cd
rm -r .ssh
ssh-keygen
cp .ssh/id_rsa.pub .ssh/authorized_keys
ssh localhost
Out of interest, why not use "ssh-copy-id user@host" ?
It seems less error prone than copying keys around by hand.

Martin Frezman
Posts: 1009
Joined: Mon Oct 31, 2016 10:05 am

Re: ssh key pairing between two pi's still requires password after setup

Sun Sep 10, 2017 5:44 pm

It seems less error prone than copying keys around by hand.
Two reasons:
1) Because it is just another tool to learn and doesn't really gain you anything to learn it. Note, incidentally, that ssh-copy-id is implemented as a shell script, so you know it is not doing anything particularly fancy or anything you couldn't do just as easily yourself.

In any case, I never found it worth my time to learn that tool.

2) Because it is good for people to actually know what is going on "under the hood".

kings
Posts: 61
Joined: Tue Aug 15, 2017 5:17 pm

Re: ssh key pairing between two pi's still requires password after setup

Sun Sep 10, 2017 6:22 pm

I have used at least 3 methods to copy the key. I do this on another system quite often, simply by cutting and pasting. For this case, visual inspection suggests that my keys are copying just fine.

I just repeated the exercise from the beginning, starting with a new .ssh directory. Other than to set the permission on the .ssh directory, all other permissions are defaults created by ssh-keygen. I repeated all steps on both boxes, rp1 and rp2. At the end, you see that the key isn't being identified. Not shown was the result of setting the sshd_config for password authority equal 'no'...that result prevented me from reaching rp2 using ssh.

I really appreciate your help..this is tedious!

Here is the full log:

Code:

sking@rp1-home:/home/sking> mkdir .ssh

sking@rp1-home:/home/sking> ls -ltra
drwxr-xr-x  2 sking home   4096 Sep 10 10:36 .ssh

sking@rp1-home:/home/sking> chmod 700 .ssh
drwx------  2 sking home   4096 Sep 10 10:36 .ssh

sking@rp1-home:/home/sking/.ssh> ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/sking/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/sking/.ssh/id_rsa.
Your public key has been saved in /home/sking/.ssh/id_rsa.pub.
The key fingerprint is:
d6:e5:dc:53:02:44:b3:69:6a:91:bc:ae:f5:4e:fe:c5 sking@rp1-home
The key's randomart image is:
+---[RSA 2048]----+
|           o=    |
|         . . =   |
|          + = . .|
|         . O . o |setting
|        S = o o  |
|       . o     o |
|          o .   E|
|         o +   . |
|        .  .+..  |
+-----------------+

sking@rp1-home:/home/sking/.ssh> ssh-copy-id sking@rp2-home
The authenticity of host 'rp2-home (192.168.1.32)' can't be established.
ECDSA key fingerprint is 40:dd:65:dd:7c:b1:11:55:12:ea:fd:a5:fe:0c:63:c3.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
sking@rp2-home's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'sking@rp2-home'"
and check to make sure that only the key(s) you wanted were added.

sking@rp1-home:/home/sking/.ssh> ssh sking@pr2-home
sking@rp2-home's password: 

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
sking@rp2-home:/home/sking> cd .ssh
sking@rp2-home:/home/sking/.ssh> less a*
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1VP3XrvqVNu6jXhMVtnMY/mfyO1rSBySpiGTeNP0SLNwAmj2LVs3mLSHkPyDJpJdZNLpDNmG yytS3eVER/zYVjyx8DDIBy8faWrdWcQDyEiI7HrdkxkcuuBG+L+58wLfOnkWRclLtDe4CYIfx2BfB/fac6xOXM4KiGWKVEO9B4FwYavizLqpeDH IyBI8Xuh4fGBCrozpDfhWwOKWoVlRM8rgBMKOUKVQWOasVQXiqPXl/ED+BE/ICPUq++V1WcW4hs71YJZ7by7yR7h2iNoHjIGryCk1xTWi+IoCW5 5WKlWdIGFmgL3hjR1FcOXO2kVoHUT15oYu1xxxG9ccXqnlJ sking@rp1-home
logout
Connection to rp2-home closed.

sking@rp1-home:/home/sking/.ssh> ll
total 16
-rw-r--r-- 1 sking home  396 Sep 10 10:39 id_rsa.pub
-rw------- 1 sking home 1679 Sep 10 10:39 id_rsa
-rw-r--r-- 1 sking home  444 Sep 10 10:40 known_hosts
-rw------- 1 sking home  396 Sep 10 10:42 authorized_keys


sking@rp1-home:/home/sking> ssh rp2 -v
OpenSSH_6.7p1 Raspbian-5+deb8u3, OpenSSL 1.0.1t  3 May 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to rp2 [192.168.1.32] port 22.
debug1: Connection established.
debug1: identity file /home/sking/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/sking/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/sking/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/sking/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/sking/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/sking/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/sking/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/sking/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.7p1 Raspbian-5+deb8u3
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7p1 Raspbian-5+deb8u3
debug1: match: OpenSSH_6.7p1 Raspbian-5+deb8u3 pat OpenSSH* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr umac-64-etm@openssh.com none
debug1: kex: client->server aes128-ctr umac-64-etm@openssh.com none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 40:dd:65:dd:7c:b1:11:55:12:ea:fd:a5:fe:0c:63:c3
debug1: Host 'rp2' is known and matches the ECDSA host key.
debug1: Found key in /home/sking/.ssh/known_hosts:3
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/sking/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/sking/.ssh/id_dsa
debug1: Trying private key: /home/sking/.ssh/id_ecdsa
debug1: Trying private key: /home/sking/.ssh/id_ed25519
debug1: Next authentication method: password
sking@rp2's password: 

Last edited by kings on Sun Sep 10, 2017 11:27 pm, edited 1 time in total.
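
Reading the `ssh -v` output posted above, as an added example that is not from any poster in this thread: the function below classifies the public-key phase of OpenSSH client debug output read on stdin. The first sample is copied from the log above, the second is constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): decide from `ssh -v` client output
# whether a key was offered and what the server answered.

classify_pubkey_auth() {
    awk '
        /Offering .*public key/ { offered = 1; pending = 1; next }
        /Server accepts key/    { accepted = 1; pending = 0; next }
        /Authentications that can continue/ {
            # Directly after an offer, this line is the server declining it.
            # Before any offer it is only the initial method list.
            if (pending) { rejected = 1; pending = 0 }
            next
        }
        END {
            if (accepted)      print "server-accepted"
            else if (rejected) print "server-rejected"
            else if (offered)  print "inconclusive"
            else               print "no-key-offered"
        }'
}

# Lines copied from the debug output posted in the thread.
sample_rejected() {
cat <<'EOF'
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/sking/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/sking/.ssh/id_dsa
debug1: Next authentication method: password
EOF
}

# Constructed sample of a successful key login, for comparison.
sample_accepted() {
cat <<'EOF'
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/example/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: Authentication succeeded (publickey).
EOF
}

echo "thread log:      $(sample_rejected | classify_pubkey_auth)"
echo "constructed log: $(sample_accepted | classify_pubkey_auth)"
```

For the posted log the result is `server-rejected`: the client loaded and offered id_rsa and the server declined it, so the reason has to be looked for on rp2 (sshd's own log), not in the client's files.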

d_older
Posts: 132
Joined: Mon Jun 25, 2012 5:04 pm
Location: East Yorkshire, UK

Re: ssh key pairing between two pi's still requires password after setup

Sun Sep 10, 2017 10:18 pm

Hi King


In the middle of your last description you had

sking@rp1-home:/home/sking/.ssh> ssh-copy-id sking@rp1-home

Is that a typo? The rest of the paragraph does refer to rp2 but, as you say, you still need a password.

I would scp the authorized-keys file back and do a diff.

Dave

kings
Posts: 61
Joined: Tue Aug 15, 2017 5:17 pm

Re: ssh key pairing between two pi's still requires password after setup

Sun Sep 10, 2017 11:24 pm

Dave,

Yes a typo...or rather I mistakenly typed that line in my test before typing the correct line. I didn't catch it when I cleaned up my log for sharing. I just went back to correct my post. Sorry, should have waited for the coffee to kick in!

Steve

d_older
Posts: 132
Joined: Mon Jun 25, 2012 5:04 pm
Location: East Yorkshire, UK

Re: ssh key pairing between two pi's still requires password after setup

Mon Sep 11, 2017 12:26 am

Hi Steve.

Just looked at the permissions on my files (SSH from debian-8 to pizero-W-1) and they are

Debian-8 (Local machine)

-rw-r--r-- 1 test test 783 Jun 25 22:22 authorized_keys
-rw------- 1 test test 1679 Jun 25 22:26 id_rsa
-rw-r--r-- 1 test test 395 Jun 25 22:26 id_rsa.pub
-rw-r--r-- 1 test test 8654 Aug 22 22:32 known_hosts

and

pi zero (remote machine)

-rw-r--r-- 1 pi pi 395 Aug 20 16:13 authorized_keys


Your authorized_keys and known_hosts appear to be rw------- and have non-default (for debian) group ownership. This may have an impact. I'm not sure.

Hope this helps,

Dave

kings
Posts: 61
Joined: Tue Aug 15, 2017 5:17 pm

Re: ssh key pairing between two pi's still requires password after setup

Mon Sep 11, 2017 1:17 am

Dave,

I have tried a variety of permissions (including the ones suggested in this thread). Seems like the ssh key generation routine should produce files with the permissions it wants? Also I tried changing the group ownership back to the default for my login. Didn't work the first time, but I can try again. Seems like it shouldn't be an issue, but it would be great to get this working in any shape or form.

Thanks,

Steve

kings
Posts: 61
Joined: Tue Aug 15, 2017 5:17 pm

Re: ssh key pairing between two pi's still requires password after setup

Mon Sep 11, 2017 1:44 am

Ah, breakthrough moment. I created a new user on both rp's and got it to work. Suggests a group or permission problem (as you have all pointed out). Hoping I can extend this success to my other accounts...

d_older
Posts: 132
Joined: Mon Jun 25, 2012 5:04 pm
Location: East Yorkshire, UK

Re: ssh key pairing between two pi's still requires password after setup

Mon Sep 11, 2017 6:40 am

Hi Steve,

I think the main problem is that authorized_keys must have the "other" read bit set, and the .ssh directory must have the 'other' r and x bits set (definitely the read bit, probably the execute bit) as it has to be read by the ssh server process on the remote machine before you "become" sking on the remote machine. Not sure why the ssh-copy-id didn't create the correct permissions. I agree that the group modification should not have any effect. You didn't change the default file mask when you changed the primary group?

Dave

User avatar
rpdom
Posts: 18159
Joined: Sun May 06, 2012 5:17 am
Location: Chelmsford, Essex, UK

Re: ssh key pairing between two pi's still requires password after setup

Mon Sep 11, 2017 6:55 am

d_older wrote:
Mon Sep 11, 2017 6:40 am
Hi Steve,

I think the main problem is that authorized_keys must have the "other" read bit set, and the .ssh directory must have the 'other' r and x bits set (definitely the read bit, probably the execute bit) as it has to be read by the ssh server process on the remote machine before you "become" sking on the remote machine.
Nope, my .ssh and authorized keys files don't have those bits set and work perfectly. The remote sshd server runs as root, so has access to the files regardless of permission bits.
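
The permission question this thread keeps returning to, as an added example that is not from any poster: with StrictModes on (the sshd default), sshd refuses a key when the home directory, `.ssh` or `authorized_keys` has the wrong owner or is writable by group or others; read bits are not part of that test. The script approximates that check with GNU `stat`; the function names and the temporary directory layout are constructed for the example.

```shell
#!/bin/sh
# Added example: approximates the StrictModes path checks sshd makes before it
# will read ~/.ssh/authorized_keys. Assumes GNU stat (Raspbian/Debian).

# check_path PATH UID: report a wrong owner or a group/other write bit.
check_path() {
    cp_path=$1; cp_uid=$2; cp_rc=0
    if [ ! -e "$cp_path" ]; then
        echo "MISSING   $cp_path"
        return 1
    fi
    cp_owner=$(stat -c '%u' "$cp_path")
    cp_mode=$(stat -c '%a' "$cp_path")
    # The owner must be the account being logged into, or root.
    if [ "$cp_owner" != "$cp_uid" ] && [ "$cp_owner" != "0" ]; then
        echo "OWNER     $cp_path owned by uid $cp_owner (want $cp_uid or 0)"
        cp_rc=1
    fi
    # Octal 022 = group-write | other-write. Read bits are not examined.
    if [ $(( 0$cp_mode & 022 )) -ne 0 ]; then
        echo "WRITABLE  $cp_path mode $cp_mode (group/other can write)"
        cp_rc=1
    fi
    return $cp_rc
}

# audit_ssh_paths HOME UID: returns 0 when all three paths pass, 1 otherwise.
audit_ssh_paths() {
    as_home=$1; as_uid=$2; as_bad=0
    for as_p in "$as_home" "$as_home/.ssh" "$as_home/.ssh/authorized_keys"; do
        check_path "$as_p" "$as_uid" || as_bad=1
    done
    return $as_bad
}

# Demonstration on a constructed home directory under a temp dir.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/home/.ssh"
    : > "$d/home/.ssh/authorized_keys"
    chmod 700 "$d/home/.ssh"
    chmod 600 "$d/home/.ssh/authorized_keys"
    chmod 775 "$d/home"      # constructed fault: group-writable home directory
    echo "before:"
    if audit_ssh_paths "$d/home" "$(id -u)"; then
        echo "-> clean"
    else
        echo "-> key login would be refused"
    fi
    chmod g-w "$d/home"
    echo "after chmod g-w:"
    if audit_ssh_paths "$d/home" "$(id -u)"; then
        echo "-> clean"
    else
        echo "-> key login would be refused"
    fi
    rm -rf "$d"
}
demo
```

Run on the server as the account that cannot log in, the call is `audit_ssh_paths "$HOME" "$(id -u)"`. Both 600 and 644 on `authorized_keys` pass, which matches the differing listings posted in the thread.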
