#1 2009-09-18 11:53:50

bitpal
Member
From: Berlin, Germany
Registered: 2008-02-03
Posts: 46
Website

[SOLVED] ssh keygen: 'UsePAM no' still asks for password

Hi all,

Hope you can help me with this.

I have an Arch 2009.02 system set up on a cloud server. I want to connect to it via ssh from my local machine running an instance of Arch 2009.08 in a Sun VirtualBox. I followed a wiki article from the cloud server provider http://cloudservers.mosso.com/index.php … 08_-_Setup, which is for Arch 2007.08.

I worked through the whole thing including the 'SSH Keygen' section to enable me to login without a password. I can log in fine with ssh, but I still get a password prompt. I'm not even sure that the key negotiations are working at all. Are there any changes to the ssh configuration between Arch 2007 and 2009 that I need to consider?

TIA for your help!

Last edited by bitpal (2009-09-21 18:34:31)

Offline

#2 2009-09-18 12:32:54

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,224
Website

Re: [SOLVED] ssh keygen: 'UsePAM no' still asks for password

There's no such thing as Arch 2007 and Arch 2009. Arch is a rolling release distribution, so as soon as you run pacman -Syu you've upgraded to the latest 'version' which changes daily, if not hourly.

Try running ssh with the -vvv option and see if you can find anything useful in the output.

Offline

#3 2009-09-18 13:58:41

bitpal
Member
From: Berlin, Germany
Registered: 2008-02-03
Posts: 46
Website

Re: [SOLVED] ssh keygen: 'UsePAM no' still asks for password

Thanks fukawi2, the question on the versions is about changes after 2007 because the howto setup guide is for that 'version' of arch. I tried the -vvv option, but I couldn't capture the output. Where does ssh write the debug log to?

Offline
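
An added example, not part of the original posts: ssh sends its -v/-vvv debug output to stderr, so a redirect captures it, and the trace can then be classified by how public-key authentication went. The function names and the sample trace are constructed for illustration; the matched strings are OpenSSH client debug1 messages.

```shell
#!/bin/sh
# ssh writes -v/-vvv debug output to stderr, so capture it with a redirect:
#   ssh -vvv guest@servername 2> ssh-debug.log

# Classify a captured client trace by how public-key authentication went.
# (classify_ssh_debug is a hypothetical helper name for this example.)
classify_ssh_debug() {
    log=$1
    [ -r "$log" ] || { echo "unreadable-log"; return 2; }
    if grep -q 'Authentication succeeded (publickey)' "$log"; then
        echo "key-accepted"
    elif grep -q 'Server accepts key' "$log"; then
        # Server knows the public key, but the client never completed the
        # signature (private key locked by a passphrase or unreadable).
        echo "key-known-not-used"
    elif grep -Eq 'Offering public key|Trying private key' "$log"; then
        # Key was sent and refused: it is not in the account's authorized_keys,
        # or sshd would not read that file.
        echo "key-rejected"
    else
        # No identity file was found or loaded on the client.
        echo "key-not-offered"
    fi
}

# Constructed sample trace: key offered, refused, client falls back to password.
sample_rejected_trace() {
    cat <<'EOF'
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/clem/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password
EOF
}

demo_log=$(mktemp)
sample_rejected_trace > "$demo_log"
classify_ssh_debug "$demo_log"
rm -f "$demo_log"
```

A "key-rejected" result points at the server account's authorized_keys file; "key-not-offered" points at the client's ~/.ssh directory.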

#4 2009-09-18 19:13:50

Pudge
Arch Linux f@h Team Member
Registered: 2006-01-23
Posts: 300

Re: [SOLVED] ssh keygen: 'UsePAM no' still asks for password

If you can ssh into the server but a password is required, then the key negotiations are not working.

Step 1   In the server machine, run ssh-keygen -t rsa -b 2048 for every user that will be involved in the ssh connections.  For example, the server has users root, bill, and guest.  I wouldn't ssh into the server as the root user.  That's a bad idea.  So, if you want to be able to ssh into the guest account and not bill's account, then logged in as guest in the server, generate the ssh keys for only guest.  If you later want to ssh into bill's account, then logged in as bill, generate ssh keys for bill.

Step 2  In your client machine, run ssh-keygen -t rsa -b 2048 for every user that will want to ssh into the server.  For example, the only user (besides root) in the client machine is clem.  Log in as clem and generate the ssh keys for clem.  It should generate the following files.

[clem@hostname .ssh]$ ls -l
total 32
-rw------- 1 don users 1743 2009-02-17 21:08 id_rsa
-rw-r--r-- 1 don users  390 2009-01-31 21:53 id_rsa.pub
-rw-r--r-- 1 don users 9282 2009-09-04 22:33 known_hosts
[clem@hostname .ssh]$

In order for clem to ssh into the server as guest without using a password, the contents of clem's /home/clem/.ssh/id_rsa.pub file must be contained in the server's /home/guest/.ssh/authorized_keys file.  You may want more than one user to be able to ssh into the guest account.  So, if the authorized_keys file already exists, you must append the contents of clem's id_rsa.pub (client machine) into /home/guest/.ssh/authorized_keys (Server).  The authorized_keys file ends up being a list of everyone wanting to use key authorization to log into that account (guest on server).

If you want clem to ssh into the server without a password of any type, when you generate the keys for clem you have to enter an empty passphrase when ssh-keygen prompts for a passphrase by just hitting enter.  If you enter a passphrase for clem, the server will prompt you for the passphrase when you ssh in.  I won't go into the security issues of using or not using a passphrase.  However, you can set up a ssh key management program on the client (Gnome comes with one) where you only enter the passphrase one time for each time you log in.  That still doesn't help you if you want a script to access the server without human intervention of entering a password or passphrase.

Now for clem to ssh into the server on the guest account:

ssh guest@servername
or to ssh into bill's account
ssh bill@servername

If clem on the client machine has an account on the server machine that's also clem
ssh servername
will work.  However, I recommend getting into the habit of using ssh username@servername 

If you need root access in the server, then ssh into it as a user then su to root or use sudo.  Make sure that the ssh daemon in the server is configured to PermitRootLogin no in the /etc/ssh/sshd_config file.

In a nutshell, to ssh into a remote server account without a password, both the server account and the client account have to have public and private keys generated.  The server being ssh'ed into must have the client side user's public key contained in the server account's authorized_keys file.  Also the client's key must be generated without a passphrase.

All this should work with all "versions" of Arch. ssh doesn't care about what version of Arch you're using.

HTH  More info in this tutorial

Pudge

Last edited by Pudge (2009-09-18 19:23:38)

Offline
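
An added example, not part of the original post: one way to do the append step described above, adding a client's id_rsa.pub to an account's authorized_keys exactly once and with the file modes sshd accepts. The function name authorize_key, its arguments and the sample key are constructed for illustration.

```shell
#!/bin/sh
# Run on the server as the account being logged into (guest in the post above).
# authorize_key and its arguments are hypothetical names for this example.
authorize_key() {
    pub=$1; sshdir=$2
    auth="$sshdir/authorized_keys"

    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 2; }
    # Only the .pub half belongs on the server; refuse a private key file.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "refusing: $pub is a private key" >&2; return 3
    fi
    # A public key line is "<type> <base64> [comment]".
    key=$(grep -E '^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-[a-z0-9-]+) [A-Za-z0-9+/=]+( .*)?$' "$pub" | head -n 1)
    [ -n "$key" ] || { echo "no public key line in $pub" >&2; return 4; }

    # sshd with StrictModes (the default) ignores authorized_keys when the
    # directory or file is writable by other users.
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    touch "$auth" && chmod 600 "$auth"

    # Match on type+blob so a different comment does not add a duplicate.
    blob=$(printf '%s\n' "$key" | cut -d' ' -f1,2)
    if grep -qF -- "$blob" "$auth"; then
        echo "already-present"
    else
        # Keep existing entries intact if the file lacks a final newline.
        [ -z "$(tail -c 1 "$auth")" ] || echo >> "$auth"
        printf '%s\n' "$key" >> "$auth"
        echo "added"
    fi
}

# Demo with a constructed (non-functional) key in a scratch directory.
demo=$(mktemp -d)
echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABCONSTRUCTED clem@client' > "$demo/clem.pub"
authorize_key "$demo/clem.pub" "$demo/.ssh"
authorize_key "$demo/clem.pub" "$demo/.ssh"
rm -rf "$demo"
```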

#5 2009-09-21 18:33:28

bitpal
Member
From: Berlin, Germany
Registered: 2008-02-03
Posts: 46
Website

Re: [SOLVED] ssh keygen: 'UsePAM no' still asks for password

Thanks for the explicit help. I ended up starting over with clean arch systems and used the http://wiki.archlinux.org/index.php/SSH and http://wiki.archlinux.org/index.php/Using_SSH_Keys tutorials. I didn't have to change the 'UsePAM' line in the sshd_config. Now it works.

Again, the issue was the VERSION of Arch catered to in the http://cloudservers.mosso.com/index.php … 08_-_Setup setup guide. I do realize that Arch is bleeding-edge. But someone using year-old help files may end up with a mess, since configuration changes may have been introduced since then. Of course the cloudserver tutorial could just be plain wrong. I will make a note to that effect in the wiki setup guide.

Again thanks for the help guys. Problem solved.

Offline
