Using SSH without run time credentials

[Matha]

Hello,

I have something "peculiar" going on beneath covers with respect to using SSH without run time credentials that I cannot understand. Looking for some feedback on debugging from another angle, please.

I have performed ssh-copy-id successfully on approximately 20 RPi boxes - all running Buster but, of course, some are older than others. I can now ssh into all these servers except one where the credential is demanded at each logon attempt. I have checked the ~/.ssh/authorized_keys file and found no difference in the entries except that the errant server had two identical records (deleting one manually did not resolve the issue).

The errant server has the following properties:

Code: Select all

$ uname -a
Linux raspbari11 4.19.75-v7+ #1270 SMP Tue Sep 24 18:45:11 BST 2019 armv7l GNU/Linux
$ cat /proc/cpuinfo
processor	: 0
model name	: ARMv7 Processor rev 5 (v7l)
BogoMIPS	: 38.40
Features	: half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 lpae evtstrm 
CPU implementer	: 0x41
CPU architecture: 7
CPU variant	: 0x0
CPU part	: 0xc07
CPU revision	: 5

processor	: 1
model name	: ARMv7 Processor rev 5 (v7l)
BogoMIPS	: 38.40
Features	: half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 lpae evtstrm 
CPU implementer	: 0x41
CPU architecture: 7
CPU variant	: 0x0
CPU part	: 0xc07
CPU revision	: 5

processor	: 2
model name	: ARMv7 Processor rev 5 (v7l)
BogoMIPS	: 38.40
Features	: half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 lpae evtstrm 
CPU implementer	: 0x41
CPU architecture: 7
CPU variant	: 0x0
CPU part	: 0xc07
CPU revision	: 5

processor	: 3
model name	: ARMv7 Processor rev 5 (v7l)
BogoMIPS	: 38.40
Features	: half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 lpae evtstrm 
CPU implementer	: 0x41
CPU architecture: 7
CPU variant	: 0x0
CPU part	: 0xc07
CPU revision	: 5

Hardware	: BCM2835
Revision	: a21041
Serial		: 
Model		: Raspberry Pi 2 Model B Rev 1.1
$ 

All update/upgrade operations are current in the intranet farm. Please note that all suggestions are welcome!

Kind regards.

[tpyo kingg]

Incorrect permissions is a very common problem with those symptoms. So on the errant machine, verify the permissions on the file authorized_keys, the directory it is in, and all the directories above it.

Then if that was not it, watch the logs on the errant machine as you try to log in with a key. It should tell you where the problem lies:

Code: Select all

sudo tail -f /var/log/auth.log | awk '$5~/^sshd/'

Or

Code: Select all

sudo journalctl -efu ssh.service

[Matha]

Thx @tpyo kingg,

Code: Select all

pi@raspbari11:~ $ sudo tail -f /var/log/auth.log | awk '$5~/^ssh/'
Jan 21 10:48:16 raspbari11 sshd[31612]: Authentication refused: bad ownership or modes for directory /home/pi
Jan 21 10:48:18 raspbari11 sshd[31612]: Accepted password for pi from 192.168.50.166 port 38352 ssh2

Some lines below (perhaps not relevant for this thread intentionally deleted):

Code: Select all

pi@raspbari11:~ $ sudo journalctl -efu ssh.service
-- Logs begin at Mon 2020-01-20 11:10:27 CST. --
Jan 20 11:10:34 raspbari11 systemd[1]: Started OpenBSD Secure Shell server.
Jan 20 11:11:20 raspbari11 sshd[965]: Authentication refused: bad ownership or modes for directory /home/pi
Jan 20 11:11:24 raspbari11 sshd[965]: Connection closed by authenticating user pi 192.168.50.166 port 37466 [preauth]
Jan 21 10:48:16 raspbari11 sshd[31612]: Authentication refused: bad ownership or modes for directory /home/pi
Jan 21 10:48:18 raspbari11 sshd[31612]: Accepted password for pi from 192.168.50.166 port 38352 ssh2

And, of course, as you realized (but I didn't even think about it since I was editing with user pi and don't have a clue how it happened:

Code: Select all

pi@raspbari11:~/.ssh $ ls -l
total 8
-rw------- 1 pi pi  565 Jan 20 11:10 authorized_keys
-rw-r--r-- 1 pi pi 2220 Sep  8 21:19 known_hosts

Many, many thanks! Kind regards.

[Lewis-H]

Use a ssh-library written in Java instead of runtime-exec'ing a ssh program.