Solved SCP Without Password Prompt

Seeking to use the SCP command without needing to enter the remote password to copy a file. I was trying to do it with the "root" user.

I have searched these forums and Google. I have tried a few different "How To" guides, but I am still failing to use the scp command without needing a password. Can anyone recommend a method, guidance, or a "How To" guide?

I have tried the following with no success:

My understanding is all I need to do is:
ssh-keygen -t rsa on the server (#1)
Then I did not enter a passphrase. Just left it blank when prompted.
Copied the newly created /root/.ssh/id_rsa.pub on the server (#1) to /root/.ssh/authorized_keys on the client (#2).
Restarted SSH service sshd restart on both server (#1) and client (#2).
But when attempting on the client (#2) scp /root/test-file root@server:/root/ I am still prompted for a password.
I am also unable to connect via ssh root@server on the client machine without being prompted for a password.

This is my first post in the FreeBSD forums. I have been able to accomplish everything we have ever needed with FreeBSD by reading the forums and Google, but this is the first time I have been unable to accomplish something. Thank you in advance for your help. :)
 
I was trying to do it with the "root" user.
Root is not allowed to login or scp or sftp by default. At all. And should really be kept that way.

Code:
     PermitRootLogin
             Specifies whether root can log in using ssh(1).  The argument
             must be yes, prohibit-password, forced-commands-only, or no.  The
             default is no.  Note that if ChallengeResponseAuthentication and
             UsePAM are both yes, this setting may be overridden by the PAM
             policy.

             If this option is set to prohibit-password (or its deprecated
             alias, without-password), password and keyboard-interactive
             authentication are disabled for root.

             If this option is set to forced-commands-only, root login with
             public key authentication will be allowed, but only if the
             command option has been specified (which may be useful for taking
             remote backups even if root login is normally not allowed).  All
             other authentication methods are disabled for root.

             If this option is set to no, root is not allowed to log in.
sshd_config(4)
 
I have PermitRootLogin yes set in the /etc/ssh/sshd_config

This should permit root to connect and copy a file via scp?

I do understand root should not be used, but these are development not production servers. We will create new users and modify the scripts near the end of our development. And it is sort of a unique case in our development where we need to use scp with the root account.
 
I do understand root should not be used, but these are development not production servers. We will create new users and modify the scripts near the end of our development.
Here's a novel idea, develop with security already in mind. Don't try to bolt security onto your project when you're already done.
 
I created a new user, scpuser, added that user to the wheel group.
Refreshed the ssh-keygen -t rsa on the server.
Copied the newly created /root/.ssh/id_rsa.pub on the server (#1) to /root/.ssh/authorized_keys on the client (#2).
But,
scp -v /usr/home/scpuser/test-file scpuser@webserver:/usr/home/scpuser
still prompts for a password.

I also tried changing the PermitRootLogin yes to PermitRootLogin without-password on the server (#1) and when executing scp on the client (#2), the client (#2) still prompts for a password.

Code:
root@freebsd-webserver:/ # scp -v /usr/home/scpuser/test-file scpuser@webserver:/usr/home/scpuser
Executing: program /usr/bin/ssh host webserver, user scpuser, command scp -v -t /usr/home/scpuser
OpenSSH_7.8p1, OpenSSL 1.1.1a-freebsd  20 Nov 2018
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to WebServer [10.0.0.8] port 22.
debug1: Connection established.
debug1: identity file /root/.ssh/id_rsa type 0
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type 3
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: identity file /root/.ssh/id_xmss type -1
debug1: identity file /root/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.8 FreeBSD-20180909
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.8 FreeBSD-20180909
debug1: match: OpenSSH_7.8 FreeBSD-20180909 pat OpenSSH* compat 0x04000000
debug1: Authenticating to webserver:22 as 'scpuser'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: rsa-sha2-512
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-rsa SHA256:123456789012345678901234567890123
DNS lookup error: general failure
debug1: Host 'webserver' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: Fssh_kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:123456789012345678901234567890123 /root/.ssh/id_rsa
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: Offering public key: ED25519 SHA256:123456789012345678901234567980123 /root/.ssh/id_ed25519
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Trying private key: /root/.ssh/id_xmss
debug1: Next authentication method: keyboard-interactive
Password for scpuser@WebServer:
debug1: Authentications that can continue: publickey,keyboard-interactive
Password for scpuser@WebServer:
debug1: Authentications that can continue: publickey,keyboard-interactive
Password for scpuser@WebServer:
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: No more authentication methods to try.
scpuser@webserver: Permission denied (publickey,keyboard-interactive).
lost connection
root@freebsd-webserver:/ #

I am not sure what I need to do to scp without the password prompt.
 
Are the public/private keys stored or being read from a different location on the server/client?
Or do I have something reversed?
 
Your destination account is scpuser, so the /usr/home/scpuser/.ssh/authorized_keys is read, not /root/.ssh/authorized_keys.
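
An added example, not part of the original thread: a small shell function that reads `ssh -v` / `scp -v` output and reports the login account, how many keys the client offered, and whether public-key authentication succeeded. The function names and the sample log (decisive lines of the failing run above, fingerprints replaced by placeholders) are constructed for illustration, and the `check=` hint assumes the default `AuthorizedKeysFile` location.

```shell
#!/bin/sh
# Added example (not from the thread): summarise public-key authentication
# from `ssh -v` / `scp -v` debug output read on stdin.

summarize_pubkey_auth() {
    awk -v q="'" '
        # The login account: the server reads the authorized_keys file in
        # this account home, not the one belonging to the local user.
        /^debug1: Authenticating to / { user = $NF; gsub(q, "", user) }
        # Every offer is a key pair whose private half is on this machine.
        /^debug1: Offering public key: / { offered++ }
        /^debug1: Authentication succeeded \(publickey\)/ { ok = 1 }
        END {
            if (ok)           result = "accepted"
            else if (offered) result = "rejected"
            else              result = "not-offered"
            printf "user=%s offered=%d result=%s", user, offered, result
            # Assumes the default AuthorizedKeysFile (.ssh/authorized_keys).
            if (result == "rejected")
                printf " check=~%s/.ssh/authorized_keys", user
            printf "\n"
        }'
}

# Constructed sample: the decisive lines of the failing log in the thread,
# fingerprints replaced by placeholders.
sample_failed_log() {
    cat <<'EOF'
debug1: Authenticating to webserver:22 as 'scpuser'
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:PLACEHOLDER /root/.ssh/id_rsa
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Offering public key: ED25519 SHA256:PLACEHOLDER /root/.ssh/id_ed25519
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
EOF
}

sample_failed_log | summarize_pubkey_auth
```

A `rejected` result with keys offered means the server did not find any of the offered public keys in the login account's file, which is the situation in the log above.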
 
If you add to your server's /etc/ssh/sshd_conf
AuthenticationMethods publickey
then access will always be denied without asking for a password for any user that does not have publickey auth set up (correctly).
Sidenote: no need to have sshd running on the client.
 
With the replies and help I received here, it led me to this thread and I was able to resolve the issue:

I was finally able to scp without having a password prompt. It seems as though I was reversed in my setup. I had the private key on the server (#1) and was copying the public key to the authorized_keys on the client (#2) and trying to copy a file from the client (#2) executing the scp command on the client (#2).

Once I created the public/private key on the client (#2) and copied the public key to the server (#1) authorized_keys, I was able to scp test-file scpuser@server:/usr/home/scpuser from the client (#2) without having the password prompt.

Thank you for your help! :)
 
I cannot recommend using scp without a password.

It is very easy to hack any box like this. I saw many hackers using those methods.

Have you maybe looked at samba, sshfs, ... or an alternative to avoid no pass?

Note that if your admin changes networks, the key will no longer work.
 
I cannot recommend using scp without a password.

It is very easy to hack any box like this. I saw many hackers using those methods.

Have you maybe looked at samba, sshfs, ... or an alternative to avoid no pass?
Right. Instead of using an encrypted, public/private key protected connection, you are seriously suggesting using a passwordless SMB share instead? And did you ever realize that sshfs might actually use the same encryption and authentication as ssh(1)? And therefore by extension also scp(1) or sftp(1)?

Note that if your admin changes networks, the key will no longer work.
Simple question, how do you think the admin would be able to do that?
 
It seems as though I was reversed in my setup. I had the private key on the server (#1) and was copying the public key to the authorized_keys on the client (#2) and trying to copy a file from the client (#2) executing the scp command on the client (#2).
Yep, you had that exactly the wrong way around. Glad to see you figured it out.
 