scp password question

[tony1812]

Hello, I set up a pi3 and a piZero with scp using the same procedure. when I scp from the pi3, it asks me for the password but when I scp from the piZero to the pi3 it doesn't. I must prefer the pi3 doesn't asks for the password. Both pis have authorized_keys, id_rsa id_rsa.pub and known_hosts files in the .ssh, what might be wrong?

[UF_DoC]

Sounds like something is wrong with the setup/content of authorized_keys file on the pi_zero.

In order to debug, first try a simple ssh between the two and ensure that both ways do not ask for passwords.

i.e.

from the pi-zero run

Code: Select all

ssh -vvv <pi3-ip-address> 

and ensure you get in without any password
then from the pi3 run

Code: Select all

ssh -vvv <pi-zero-ip-address> 

and confirm same.

If you cannot ssh into the pi-zero it means you have something setup incorrectly with authorized_keys file. or you have not added your key file correctly as an ssh id on the pi3. I refer to ssh-add command.

[tony1812]

Sounds like something is wrong with the setup/content of authorized_keys file on the pi_zero.

In order to debug, first try a simple ssh between the two and ensure that both ways do not ask for passwords.

i.e.

from the pi-zero run

Code: Select all

ssh -vvv <pi3-ip-address> 

and ensure you get in without any password
then from the pi3 run

Code: Select all

ssh -vvv <pi-zero-ip-address> 

and confirm same.

If you cannot ssh into the pi-zero it means you have something setup incorrectly with authorized_keys file. or you have not added your key file correctly as an ssh id on the pi3. I refer to ssh-add command.

Thanks for the reply. I setup another piZero in the same manner, this time I use scp it ask for password on both side. P3 and piZero. I also did what you suggested. ssh -vvv <ip> both machine ask for password. The file sent just fine after I enter the password How can I get rid of this annoying password crap?

[UF_DoC]

You need to understand keyless ssh setup.

Before you can scp files between pi's you need to be able to ssh between them without a password.

I assume you are not too security conscience and will be using the same public and private keys on both pis.

ensure you have the id_rsa, id_rsa.pub on both pi's in the ~/.ssh directory. ensure the permissions of this file is 600

i.e. chmod 600 ~/.ssh/id_rsa ~/.ssh/id_rsa.pub

run ssh-add ~/.ssh/id_rsa on both pi's

make sure authorized_keys keys has the id_rsa.pub as a line, better still, make it a copy of the id_rsa.pub i.e.
cp ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys

set authorized_keys permissions to 600 chmod 600 ~/.ssh/authorized_keys

try ssh between pi's and it should not ask for passwords anymore..

UNLESS!!! have you generated a password protected id_rsa key pair???

please copy and paste the output of the ssh -vvv <ip> command so we can see at which point it asks for a password.

[tony1812]

You need to understand keyless ssh setup.

Before you can scp files between pi's you need to be able to ssh between them without a password.

I assume you are not too security conscience and will be using the same public and private keys on both pis.

ensure you have the id_rsa, id_rsa.pub on both pi's in the ~/.ssh directory. ensure the permissions of this file is 600

i.e. chmod 600 ~/.ssh/id_rsa ~/.ssh/id_rsa.pub

run ssh-add ~/.ssh/id_rsa on both pi's

make sure authorized_keys keys has the id_rsa.pub as a line, better still, make it a copy of the id_rsa.pub i.e.
cp ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys

set authorized_keys permissions to 600 chmod 600 ~/.ssh/authorized_keys

try ssh between pi's and it should not ask for passwords anymore..

UNLESS!!! have you generated a password protected id_rsa key pair???

please copy and paste the output of the ssh -vvv <ip> command so we can see at which point it asks for a password.

Hi UF_DoC, I did what you said, ssh -vvv xxx.xxx.xxx.xxx, I got this long response:

debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug2: key: /home/pi/.ssh/id_rsa (0x568698)
debug2: key: /home/pi/.ssh/id_dsa ((nil))
debug2: key: /home/pi/.ssh/id_ecdsa ((nil))
debug2: key: /home/pi/.ssh/id_ed25519 ((nil))
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/pi/.ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/pi/.ssh/id_dsa
debug3: no such identity: /home/pi/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /home/pi/.ssh/id_ecdsa
debug3: no such identity: /home/pi/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /home/pi/.ssh/id_ed25519
debug3: no such identity: /home/pi/.ssh/id_ed25519: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
pi@192.168.1.122's password:

It is still asking me for password.
Few things I am not very clear, when you said "run ssh-add ~/.ssh/id_rsa on both pi's", did you mean the id_rsa on the local machine or the remote one?
"I assume you are not too security conscience" indeed I do not care much about security as these pis are on my internal network for my own use, I doubt anyone will bother to hack into them. convent is more an issue for me. This msg "SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.
" appears after I typed the password and everytime every time I boot up the pi, any idea how I can silence it?

[rpdom]

What permissions have you got on the .ssh directory and the .ssh/authorized_keys files on the target Pi? If the permissions are insecure the ssh login won't work.
Use

Code: Select all

ls -la ~/.ssh

on the destination Pi (after logging in with password) to check.

[tony1812]

What permissions have you got on the .ssh directory and the .ssh/authorized_keys files on the target Pi? If the permissions are insecure the ssh login won't work.
Use

Code: Select all

ls -la ~/.ssh

on the destination Pi (after logging in with password) to check.

Both pis are target as well as source because I want to be able to scp from each other and both machine's .ssh/authorized_keys as well as .ssh/id_rsa and id_rsa.un are 600.

Also I am curious what the known_host file on both ~/.ssh do? Do they have something to do with ssh?

[rpdom]

Both pis are target as well as source because I want to be able to scp from each other and both machine's .ssh/authorized_keys as well as .ssh/id_rsa and id_rsa.un are 600.

Yes, but that is not what I asked. The permissions on the .ssh directory itself are also important.

Also I am curious what the known_host file on both ~/.ssh do? Do they have something to do with ssh?

The known_hosts file is a list of keys of servers that have previously connected to. This is used to confirm that it is the same server when you next connect to it.

Sometimes that can cause problems. When I set up a new Pi it is always given the default hostname "raspberrypi" and I then log in to it remotely to configure it and set the real hostname. If I didn't do some clever stuff, I would keep getting error messages that the server had changed and I was in dire risk of the world ending, so I use a workaround for that.

[UF_DoC]

Please check what the logs say:

On the Pi that you are going to ssh into run this:

Code: Select all

tail -100f /var/log/auth.log

Then ssh from the other pi.

This msg "SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.
" appears after I typed the password and everytime every time I boot up the pi, any idea how I can silence it?

Change your password...