# Passwordless SSH + Wrong Chmod

## RobinVossen

Well, I have an application server running.

And I want to get the apps off there using SSH. And then ofc passwordless, else it's really annoying to put it on.

So I did read http://gentoo-wiki.com/SECURITY_SSH_without_a_password

I tried the first time with passwords. That worked fine. (but was annoying as hell)

So on the localbox I have a user called john_doe with as username john. (So john is for the system important)

On the appserver I made a user called _sxb (has a meaning inside the company (_s is the users Task in the company, x is it Department and b is the number of user in that department. (B = 11)))

Anyhow I did read that Security_ssh_without_a_password article. And I try the ssh-installkeys tool, since if I have to do it by hand for about 100 PCs I will be wasting lots of time.

So, I did do:

```
$ echo "net-misc/ssh-installkeys" >> /etc/portage/package.keywords
$ emerge -av net-misc/ssh-installkeys
```

This was at Johns system.

Then I did 

```
$ ssh-installkeys _sxb@192.168.1.1
```

 (as John) (192.168.1.1 is the Application Server)

Then I get:

 *Quote:*   

> 
> 
> Checking your local configuration...
> 
> Can't chdir into .ssh directory!
> ...

 

So I checked the Rights.

I did in the /home/john the following commands:

```
# chown john .ssh
# chmod 644 .ssh
$ ls -al
```

and I got as output:

```
drw-r--r-- 2 john john 4096 Nov 30 08:55 .ssh
```

Like it should be.

So I do again:

```
$ ssh-installkeys _sxb@192.168.1.1
```

And I still can't cd into my .ssh directory.

So what am I doing wrong?

What mistake do you think I make?

----------

## downer

How does .ssh look on the remote host? Maybe it's there the problem lies?

//D

----------

## RobinVossen

I think you want to know the /home/_sxb/.ssh folder?

I do 

```
# ls -al /home/_sxb/ | grep .ssh
```

and I get

```
drw-r--r-- 2 _sxb _sxb 4096 Nov 30 08:48
```

This is on the Application Server (So the SSH_Server that is going to be connected to)

----------

## Anarcho

The execute bit is missing on both .ssh directories!

```
chmod 700 ~/.ssh # there is no need to be world readable, I think...
```
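
An added example (not part of the posts above) that classifies a directory's `ls -ld` mode string the way this diagnosis does: without the owner's execute bit the directory cannot be entered, which matches the `drw-r--r--` listings in the thread. The function names are hypothetical, and the group/other-writable check reflects what sshd rejects under its default `StrictModes yes`.

```shell
#!/bin/sh
# Added example: judge a ~/.ssh directory from its `ls -ld` mode string.
# Function names are hypothetical; they are not from ssh-installkeys or OpenSSH.

# check_ssh_dir_mode MODE
#   Prints one finding and returns non-zero when the directory is unusable.
check_ssh_dir_mode() {
    mode=$1
    case $mode in
        d*) ;;
        *) echo "not-a-directory"; return 1 ;;
    esac
    owner_x=$(printf '%s' "$mode" | cut -c4)        # owner's execute (search) bit
    group_other=$(printf '%s' "$mode" | cut -c5-10) # group + other permission bits
    case $owner_x in
        x|s) ;;
        *) echo "owner-cannot-enter"; return 1 ;;    # chdir into the directory fails
    esac
    case $group_other in
        ------) echo "ok" ;;                         # equivalent to chmod 700
        ?w*|????w*) echo "writable-by-others"; return 1 ;;
        *) echo "readable-by-others" ;;              # works, but 700 is tighter
    esac
}

# audit_ssh_dir PATH: same check against a real directory.
audit_ssh_dir() {
    mode=$(ls -ld "$1" | cut -d' ' -f1)
    check_ssh_dir_mode "$mode"
}

# Mode strings as they appear in this thread, plus the chmod 700 result.
for m in 'drw-r--r--' 'drwxr-xr-x' 'drwx------'; do
    printf '%-10s -> %s\n' "$m" "$(check_ssh_dir_mode "$m")"
done
```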

----------

## RobinVossen

Thanks..!

I did get permissions are wrong. But the script fixed it for me  :Smile: 

Tried and I get permission denied. But I think that's since of the /etc/ssh file.

Let's check..

Nope..

Well, I'll find this out myself.. I have to take a proper look  :Wink: 

Thanks again

----------

## RobinVossen

Ok I did EXACTLY what the tutorial said.

Didn't work.

So I did rm -rf * when I was in the .ssh folder on John's PC.

I test it with ssh -l _sxb 192.168.1.1 and I get:

```
The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
RSA key fingerprint is <something>
Are you sure you want to continue connecting: Yes
Warning: Permanently added '192.168.1.1' (RSA) to the list of known hosts.
Permission denied (publickey,keyboard-interactive).
```

I did change my sshd file. 

Of BOTH systems. the App server and Johns Pc.

What do I do wrong?  :Sad: 

Here is the server (192.168.1.1) sshd_config without the lines that have # in front:

```
Protocol 2
MaxAuthTries 6
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
UsePAM yes
Subsystem sftp /usr/lib/misc/sftp-server
X11Forwarding yes
```

I did restart the server (sshd)

When I do 

```
find / -name authorized_keys
```

 I find nothing.

So I guess I have to make the /home/_sxb/.ssh/authorized_keys file myself?

But I do get a RSA Fingerprint?

Cheers,

Robin

----------

## Anarcho

You only allow authentication using private/public key, which is a good idea.

But, as you already guessed, there needs to be an authorized_keys file or else no one can connect.

Generally:

1. Generate keys:

```
ssh-keygen -t dsa
```

This will create 2 files, most probably in the ~/.ssh/ folder: id_dsa and id_dsa.pub

2. Put the content of id_dsa.pub in the ~/.ssh/authorized_keys file of the server

3. Put both files id_dsa and id_dsa.pub in the ~/.ssh folder of the client machine

Then you should be able to connect using publickey.
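
Step 2 of the procedure above, as an added example that is not from the thread: an idempotent installer that appends a public key to `authorized_keys` only once and sets the 700/600 modes. `install_pubkey`, the temporary paths and the key line are constructed for illustration, and the demo runs against a scratch directory instead of a real server.

```shell
#!/bin/sh
# Added example: install a public key into HOME_DIR/.ssh/authorized_keys.
# install_pubkey is a hypothetical helper, not part of OpenSSH or ssh-installkeys.

# install_pubkey PUBKEY_FILE HOME_DIR
install_pubkey() {
    pub=$1
    home=$2
    ssh_dir=$home/.ssh
    auth=$ssh_dir/authorized_keys
    [ -s "$pub" ] || { echo "no public key at $pub" >&2; return 1; }
    key=$(head -n 1 "$pub")
    [ -n "$key" ] || { echo "empty key line in $pub" >&2; return 1; }
    # Create with a tight umask so nothing is ever briefly world readable.
    ( umask 077
      mkdir -p "$ssh_dir"
      touch "$auth" )
    chmod 700 "$ssh_dir"   # owner needs rwx; the x bit is what allows chdir
    chmod 600 "$auth"
    # -x whole line, -F fixed string: only an exact duplicate is skipped.
    if ! grep -qxF -- "$key" "$auth"; then
        printf '%s\n' "$key" >> "$auth"
    fi
}

demo() {
    tmp=$(mktemp -d)
    # Constructed sample line, not a real key; the key type does not matter here.
    printf '%s\n' 'ssh-ed25519 AAAAC3EXAMPLEONLY john@localbox' > "$tmp/id.pub"
    install_pubkey "$tmp/id.pub" "$tmp/home_sxb"
    install_pubkey "$tmp/id.pub" "$tmp/home_sxb"   # second run adds nothing
    wc -l < "$tmp/home_sxb/.ssh/authorized_keys"
    ls -ld "$tmp/home_sxb/.ssh" "$tmp/home_sxb/.ssh/authorized_keys"
    rm -rf "$tmp"
}
demo
```

On a real host the function would run in the target account's home on the server; the `ssh-copy-id` script distributed with OpenSSH performs the same steps over the network while some other login method still works.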

----------

## RobinVossen

So basically that Tool "ssh-installkeys" is Worthless?

Since I have to do this on about 100 computers.

So, is there an easier way like the installkeys tool?

----------

## Anarcho

 *RobinVossen wrote:*   

> So basically that Tool "ssh-installkeys" is Worthless?
> 
> Since I have to do this on about 100 computers.
> 
> So, is there an easier way like the installkeys tool?

 

I have never used "ssh-installkeys" but I guess that in order to work the server must NOT be switched to pubkey only, yet!

----------

## RobinVossen

Ah well what do you think takes the least work?

Your (Classic) way for 100+ Systems?

or the figuring out how the tool works and then run that for 100+ Systems?

I guess you have lots of Knowledge of this so I just ask you  :Smile: 

----------

## Anarcho

As far as I understand the text in the WIKI this script should be working when you enable password login on the ssh server.

To go with a clean start I would delete the .ssh directories on both home dirs, enable password login on the server (if it is disabled) and then start the ssh-installkeys script. From what I read this should then create your keypair and install the public key on the server. Then you can disable the password authentication again on the server.

----------

## RobinVossen

Done exactly as you said.

I am as john on his box in his home folder when I execute:

```
ssh-installkeys _sxb 192.168.1.1
```

I get as output

```
Checking your local configuration...
you have no .ssh directory.
Creation of .ssh suppressed.
Your .ssh directory is not readable by you. That's weird.
Goodbye
```

I think that john has problems with its homefolder.

I did make him like 

```
adduser -m -G users,wheel,audio john
```

He is the owner of the folder /home/john

Well, weird?

----------

## Anarcho

Could you please give me the output of 

"ls -ld / /home /home/john /home/john/.ssh"

----------

## RobinVossen

Will do Monday. Since it's after work.. I can't access the PC now..

Thanks anyhow, I'll reply as soon as possible

----------

## RobinVossen

 *Anarcho wrote:*   

> Could you please give me the output of 
> 
> "ls -ld / /home /home/john /home/john/.ssh"

 

I did that. And I got:

```
drwxr-xr-x 18 root root 4096 Dec 3 07:46 /
drwxr-xr-x  3 john john 4096 Nov 30 17:56 /home/john
drwxr-xr-x  2 john john 4096 Nov 30 17:57 /home/john/.ssh
```

Ps.

I just thought of something that might help.

I am going to mount (with NFS) /home/john on the system that the user connects to with SSH.

So that's /home/_sxb and /home/john being the same folders then.

Cheers,

Robin

----------

## Anarcho

 *RobinVossen wrote:*   

>  *Anarcho wrote:*   Could you please give me the output of 
> 
> "ls -ld / /home /home/john /home/john/.ssh" 
> 
> I did that. And I got:
> ...

 

Is this your actual setup? Is the home folder on both machines identical? If yes, then do both users have the same uid?

If not, could you post the same output as above (ls -ld...) for the remote machine? (replace john with _sxb of course).

----------

## RobinVossen

I got the exact same output. And both user accounts' UIDs are 1001.

However I did play around with this for two days now and I did find a nice Solution.

I made an authorized_keys that is linked to id_dsa.pub

Then I did use NFS to mount John's home to the _sxb home.

That does just work  :Smile:  And I can make it a Cron-Job to change the SSH Key.

The only problem is that NFS keeps failing. So I have done that dirty now. (See: http://www.linuxforums.org/forum/linux-networking/109897-openvz-network-filesystem.html)

Thanks for everything.

But I still don't get why it didn't work.. So, well if you can explain that anyhow I'd love to hear that. (Since I'll learn and gain Knowledge  :Wink: )

Cheers, (or in your native language Auf Wiederseen (I really hope I did write that correct))

~ Robin

----------

## Anarcho

 *RobinVossen wrote:*   

> I got the exact same output. And both user accounts' UIDs are 1001.
> 
> However I did play around with this for two days now and I did find a nice Solution.
> 
> I made an authorized_keys that is linked to id_dsa.pub
> ...

 

I'm sorry, but I have no explanation, either. I don't understand why the script can't chdir to the .ssh directory. That seems to make no sense (as the script itself also reports).

 *Quote:*   

> Cheers, (or in your native language Auf Wiederseen (I really hope I did write that correct))

 

There was just one little mistake => "Auf Wiedersehen"

----------

## RobinVossen

Well, thanks for all the Effort anyhow  :Smile: 

Thanks for correcting my German. Tomorrow I'll go to German Dusseldorf Airport..

Cheers,

Robin

----------

## Anarcho

 *RobinVossen wrote:*   

> Well, thanks for all the Effort anyhow 
> 
> Thanks for correcting my German. Tomorrow I'll go to German Dusseldorf Airport..
> 
> Cheers,
> ...

 

You're very welcome! I'm currently working in Düsseldorf  :Wink: 

----------

## RobinVossen

Ah, cool.

the Airport?  :Wink:  I am well Excited.. 

I am going to Pick My girlfriend up. 

We didn't see each other in Person for a Month..!

Cheers,

Robin

----------

## Anarcho

 *RobinVossen wrote:*   

> Ah, cool.
> 
> the Airport?  I am well Excited.. 
> 
> I am going to Pick My girlfriend up. 
> ...

 

No No, I don't work at the airport. I'm a freelancer for anything dedicated with PCs, mainly programming stuff.

So your girlfriend is German or why do you pick her up at the German airport?

----------

## RobinVossen

My girlfriend is from the Glorious United Kingdom. I am Dutch myself.

And tickets to Eindhoven (Closest to me within the Netherlands) did cost about 50 pounds more..

And Dusseldorf is even closer than Eindhoven. So, well why not  :Wink: 

In case you didn't notice yet I am your Neighbor. A Dutch guy

----------

## Anarcho

 *RobinVossen wrote:*   

> My girlfriend is from the Glorious United Kingdom. I am Dutch myself.
> 
> And tickets to Eindhoven (Closest to me within the Netherlands) did cost about 50 pounds more..
> 
> And Dusseldorf is even closer than Eindhoven. So, well why not 
> ...

 

Yes, I already guessed that you might be Dutch. You are not the only Dutch person who flies from Düsseldorf Airport  :Wink:  The alternative would be Belgium.

----------

