Post by ditchwater on Oct 8, 2007 19:20:24 GMT 7
I have the latest SSH module, and the latest SYSUSER module, installed on my N5200PRO. I can SSH to my Thecus in interactive password mode no problems, using the user "sys" which drops me into /root. In order to facilitate an automated remote rsync login via ssh, I have added the public key from the remote host to the /root/.ssh/authorized_key file which I created on the Thecus. It doesn't seem to work. I have also added it to the /root/.ssh/authorized_keys2 file that I found, too. I did chmod 600 on both keys files. But all this has failed to allow a password-less remote login. I also notice that authorized_keys seems to get deleted when I reboot the Thecus, and the key added to authorized_keys2 gets removed, too. One question is, does the "sys" user even use the "root" directory? i.e. is /root/.ssh/ the right place for the public key? Another question is, has anyone got password-less ssh working on the Thecus, and if so, how?
kind regards
john
|
Post by ditchwater on Oct 8, 2007 19:24:49 GMT 7
Further to that last message, I should note I would actually prefer to do my rsync login via a different user, which I created with the Thecus' web interface, but I can't find the home directories of such users. /home only has the admin user. In any case, I have never actually been able to perform an interactive SSH login (let alone an automated one) using a user created by the web interface. Why is that? What sort of users are they?
regards
john
|
fabi
Junior Member
Posts: 61
Post by fabi on Oct 9, 2007 18:03:27 GMT 7
You need to add the key to the authorized_keys file in raid/data/module/SSHD/system/etc/ssh as the other one gets overwritten on a reboot.
Here's a short step-by-step that we use for rsync:
To synch data over insecure internet rsync can use ssh. As the scripts should run unattended we can't use a password access but instead use public key authentication:
1. On the system the rsync backup script is run on (client), create a SSH key pair and copy the public part to the other system:
    ssh-keygen -t dsa -f /raid/data/configs/myserverkey -N ""
    chmod 0600 /raid/data/configs/myserverkey
    scp /raid/data/configs/myserverkey.pub sys@server_IP:/raid/data/module/SSHD/system/etc/ssh/
2. On the system the rsync backup script connects to (server), add the public key:
    cd /raid/data/module/SSHD/system/etc/ssh
    cat myserverkey.pub >> authorized_keys
3. Test the connection on the first system (client) with:
    ssh -l sys -i /raid/data/configs/myserverkey server_IP
If there are no errors and no password is asked you can check that you're on the other system with:
    uname -n
    exit
I may have mixed up the public part and the private part but that shouldn't matter as long as they fit together. Of course you can also create the key on the server and copy the public part to the client.
I think if you store the key not in a custom named file but in id_rsa it may be found without giving it explicitly on the command line, but I was happy with that solution.
|
Post by ditchwater on Oct 10, 2007 8:58:50 GMT 7
Thanks Fabi
I took all those steps, but it's still prompting me for a password. Are there any changes that need to be made to /raid0/data/module/SSHD/system/etc/ssh/sshd_config to enable public key-based login? any host keys that need to be added anywhere else on the Thecus? I've got this working four or five times from this same client to other servers. It's just the Thecus I can't figure.
regards
john
|
Post by fabi on Oct 10, 2007 22:05:10 GMT 7
Did you restart the box after adding the key? Otherwise the key is only in the SSHD... dir and not in /root/.ssh.
What's your command line to connect to it?
|
Post by fabi on Oct 10, 2007 22:08:04 GMT 7
Something else: Look at the ssh config, it's possible that the authentication possibilities are not complete or in the wrong order. I don't know anymore, what the default is, but if key authentication is not in the list it won't try it.
bye Fabi
|
Post by ditchwater on Oct 11, 2007 10:29:52 GMT 7
Thanks Fabi
I may be getting somewhere with this. I was unaware about the rebooting thing. Rebooting doesn't move my key into the /root/.ssh directory. After the reboot all that is there is the authorized_keys2 file with someone else's key already in it, and not my key. There is no authorized_keys file. I wonder if that's to do with the rights to the etc/ssh/authorized_keys file? I changed it to "666", to try to ensure the reboot process could read it, but it made no difference. Who should be the owner of the /root/.ssh directory? Mine is set to root, but I notice that a lot of tasks are performed by admin. Could that make a difference?
|
Post by ditchwater on Oct 11, 2007 10:39:44 GMT 7
chown'ing the /root/.ssh directory to admin made no difference, either. I still don't get a key appearing upon reboot. In any case, when I manually put the authorized_keys file into /root/.ssh, I still get prompted for a password.
And in answer to your other question, I have tried numerous command lines, with and without the -i option pointing to the private key. (I even tried pointing it at the public key.) I have tried custom key pair names and default key pair names. I have tried with "-l sys", and with the "sys@" syntax. This is what I typically try:
    ssh -l sys -i /path/privatekey Thecus
"Thecus" having been defined in config, due to me using a port number other than 22 to the firewall, and then NATing on port 22 the rest of the way to the Thecus.
|
Post by ditchwater on Oct 11, 2007 10:46:45 GMT 7
When you say ssh_config, do you mean sshd_config on the server (Thecus) or ssh_config on the client? The client is able to login without password to several other machines, so I don't think it's a problem with the client setting. On the Thecus side, I have RSAAuthentication yes and PubkeyAuthentication yes (both of which were the defaults anyway) in /data/modules/../ssh/sshd_config
It's driving me crazy, but I think you'll get me over the line, Fabi.
cheers
john
|
Post by fabi on Oct 11, 2007 18:02:38 GMT 7
I was wrong about the reboot copying it to /root/.ssh.
sshd_config: AuthorizedKeysFile /raid/data/module/SSHD/system/etc/ssh/authorized_keys
So sshd already works with the file in modules, no need to copy it.
Did you create the key with -N "" (no password)?
In my step-by-step I have: chmod 0600 /raid/data/configs/myserverkey
I think it didn't like it with other permissions.
You can try calling ssh with more verbose output (-v(v(v))) to see what is going on, if it tries to use public keys, for what reasons it fails etc.
I don't have access to the server anymore, so I can't look up how it is set up, I only have the client settings here and guess from the setting names.
Maybe someone else that can ssh into a Thecus box with authentication key can join in and tell the setup.
Sorry for now, I don't know what else there could be.
|
Post by ditchwater on Oct 12, 2007 7:57:33 GMT 7
Thanks Fabi,
I'm starting to think there may be an issue with my setup, maybe the SSHD module conflicting with the firmware or something. I've just tried my public key setup method (which is just the bog standard public key method) on two other Linux machines and set up password-less login in under two minutes each time. It's just the Thecus that is causing me grief.
What version of the firmware/SSHD are you running, do you recall? I have firmware 2.00.01 on a N5200 Pro, with SSHD 2.00.00.
When I do the verbose login, I see the client offering the correct key, and then I see the client moving on to the next option, which is password. There's no indication from the server as to why it doesn't accept the key.
At this stage, I'm prepared to abandon public key login. Is there a way to automate the entry of the password?
john
|
Post by ditchwater on Oct 12, 2007 12:57:19 GMT 7
Success! I gave up on using the authorized_keys file in raid/..etc/ssh, and instead pointed SSHD directly to the id_rsa.pub file in /raid/data, which I had scp'd there from the client. It worked! It may have had something to do with rights in the ssh folder (though I tried every CHMOD combo under the sun) or it may have been the way the cat operation was copying the key to authorized_keys (though I also tried cp rather than cat). Who knows?
thanks to all.
john
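The last post names two suspects: rights on the ssh folder and the way the key was copied into authorized_keys. As an added example (not code from the thread or from Thecus), this script checks both for a file that sshd is pointed at with AuthorizedKeysFile: with OpenSSH's StrictModes on, sshd ignores a key file that is writable by group or others, is not owned by root or the login user, or sits under such a directory, and every entry must be one unbroken line. The function names, the TOP and UID arguments and the sample key blob are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight checks for an authorized_keys file.

# check_modes FILE TOP UID (hypothetical helper): walk from FILE up to TOP;
# every component must be owned by root or UID and not group/other-writable.
check_modes() {
    p=$1
    while :; do
        mode=$(ls -ldn "$p" | awk '{print $1}')
        owner=$(ls -ldn "$p" | awk '{print $3}')
        case $mode in
            ?????w*|????????w*) echo "$p: group/other-writable ($mode)"; return 1 ;;
        esac
        [ "$owner" = 0 ] || [ "$owner" = "$3" ] || { echo "$p: owner uid $owner"; return 1; }
        if [ "$p" = "$2" ] || [ "$p" = / ]; then return 0; fi
        p=$(dirname "$p")
    done
}

# check_keys FILE (hypothetical helper): every non-comment line must hold a key
# type followed by a base64 blob; a key wrapped by a paste leaves a line without one.
check_keys() {
    awk '
        /^[ \t]*(#|$)/ { next }
        {
            ok = 0
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-[a-z0-9]+)$/ &&
                    $(i+1) ~ "^AAAA[A-Za-z0-9+/]+=*$" && length($(i+1)) % 4 == 0) ok = 1
            if (!ok) { printf "line %d: not a complete key entry\n", NR; bad = 1 }
        }
        END { exit bad + 0 }
    ' "$1"
}

# demo: run both checks on a constructed sample in a private temp directory.
demo() {
    d=$(mktemp -d) && mkdir -m 700 "$d/ssh" || return 2
    f=$d/ssh/authorized_keys
    printf 'ssh-dss AAAAB3NzaC1kc3MACONSTRUCTEDxxxxx sys@client\n' > "$f"  # constructed, not a real key
    chmod 600 "$f"
    check_modes "$f" "$d" "$(id -u)" && check_keys "$f"; rc=$?
    rm -rf "$d"
    return $rc
}

if [ $# -eq 3 ]; then check_modes "$1" "$2" "$3" && check_keys "$1"
else demo && echo "constructed sample passes both checks"; fi
```

For a key file outside the login user's home directory, pass / as TOP so the walk covers the whole path. A file set to mode 666, as tried earlier in the thread, fails check_modes.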
|