stop sshd from asking for password

ThunderWolf

I am trying to disallow password login to my ssh server, but can't. I have set:
Code:
PasswordAuthentication no
in /etc/ssh/sshd_config and have reset the daemon with:
Code:
service sshd restart
and
Code:
killall -HUP sshd
Neither of these works: when logging in it still asks me for my password, and when I give it an empty password three times it returns without asking for the RSA passphrase. I think this has to do with another setting in my config file, or the config file is not being read by the daemon.
This is my config file:
Code:
#       $OpenBSD: sshd_config,v 1.82 2010/09/06 17:10:19 naddy Exp $
#       $FreeBSD: release/9.0.0/crypto/openssh/sshd_config 224638 2011-08-03 19:14:22Z brooks $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

# Note that some of FreeBSD's defaults differ from OpenBSD's, and
# FreeBSD has a few additional options.

#VersionAddendum FreeBSD-20110503

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
#Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile     .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# Change to yes to enable built-in password authentication.
PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable PAM authentication
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
and there are no flags set on the sshd daemon in /etc/rc.conf
 
ThunderWolf

Sorry that was not all of the config file, but here is all of it:
Code:
#	$OpenBSD: sshd_config,v 1.82 2010/09/06 17:10:19 naddy Exp $
#	$FreeBSD: release/9.0.0/crypto/openssh/sshd_config 224638 2011-08-03 19:14:22Z brooks $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

# Note that some of FreeBSD's defaults differ from OpenBSD's, and
# FreeBSD has a few additional options.

#VersionAddendum FreeBSD-20110503

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
#Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile	.ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# Change to yes to enable built-in password authentication.
PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable PAM authentication
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'no' to disable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will 
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem	sftp	/usr/libexec/sftp-server

# Disable HPN tuning improvements.
#HPNDisabled no

# Buffer size for HPN to non-HPN connections.
#HPNBufferSize 2048

# TCP receive socket buffer polling for HPN.  Disable on non autotuning kernels.
#TcpRcvBufPoll yes

# Allow the use of the NONE cipher.
#NoneEnabled no

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	ForceCommand cvs server
 
ThunderWolf

Thank you kpa, that solved the password problem, but it still is not asking me for my RSA passphrase! Again, thanks for the fast response.
 

kpa

How are you connecting to the ssh server? On some systems the RSA key is automatically unlocked when you log in; OS X does that, for example, if you choose to save the password for the key on first use.

If you're on UNIX (-like) system or OS X you can run
$ ssh-add -l

to check if your key is already unlocked and held by the ssh key agent.
 
ThunderWolf

I am using Fedora 17 Linux as the client and FreeBSD as the server. ssh-add has no stored identities, but I added my passphrase just to see and it didn't work. It should ask for my passphrase.
 
ThunderWolf

I think I should add that this is returned when trying to login:
Code:
Permission denied (publickey,gssapi-with-mic,keyboard-interactive).
This could be a file permission somewhere. I have checked the client's ~/.ssh/id_rsa.pub file, which is readable by all, and all of the server's ~/.ssh/* files are 777.
 

kpa

I think sshd(8) gets paranoid if the ~/.ssh/* files have write permissions for group or world; I'd do

$ chmod 640 ~/.ssh/*.pub ~/.ssh/authorized_keys ~/.ssh/known_hosts ~/.ssh/config

If you have any private key files on the server, make them readable and writable only by the user:

$ chmod 600 ~/.ssh/id_rsa

/var/log/auth.log may reveal more information why the server rejects your key.
 
ThunderWolf

I changed the permissions and had a look at the log file, but all I found in the logs was a complaint about ~/.login_conf being world-writable, so I changed it to 600.
This is my log file:
Code:
Aug 11 22:23:22 bishop0 newsyslog[944]: logfile first created
Aug 11 22:23:26 bishop0 sshd[1234]: Server listening on :: port 22.
Aug 11 22:23:26 bishop0 sshd[1234]: Server listening on 0.0.0.0 port 22.
Aug 11 22:23:46 bishop0 sshd[1317]: Authentication refused: bad ownership or modes for directory /usr/home/user
Aug 11 22:23:47 bishop0 sshd[1317]: error: PAM: authentication error for user from 192.168.0.7
Aug 11 22:23:49 bishop0 last message repeated 2 times
Aug 11 22:23:50 bishop0 sshd[1322]: Authentication refused: bad ownership or modes for directory /usr/home/user
Aug 11 22:23:51 bishop0 sshd[1322]: error: PAM: authentication error for user from 192.168.0.7
Aug 11 22:23:52 bishop0 last message repeated 2 times
Aug 11 22:23:53 bishop0 sshd[1327]: Authentication refused: bad ownership or modes for directory /usr/home/user
Aug 11 22:23:57 bishop0 sshd[1327]: Accepted keyboard-interactive/pam for user from 192.168.0.7 port 36631 ssh2
Aug 11 22:24:03 bishop0 su: BAD SU user to root on /dev/pts/0
Aug 11 22:24:13 bishop0 su: user to root on /dev/pts/0
, but I cleaned it up first with rm.
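The log posted above already tells the whole story once it is read per sshd child process: "Authentication refused: bad ownership or modes" is sshd's StrictModes check rejecting the key material before it even looks at the key, the "error: PAM: authentication error" lines are the failed keyboard-interactive rounds (the empty passwords), and "Accepted keyboard-interactive/pam" is a login that got through with a typed password. The following is an added example (not code from the thread) that groups sshd messages by pid and flags exactly that sequence: public key refused, then a password accepted. The sample log is a constructed copy of the lines above; the regular expressions match the OpenSSH message formats shown there, and the "last message repeated N times" syslog lines carry no pid, so they are deliberately not attributed to a session.

```python
import re
from collections import defaultdict

# Constructed sample: the auth.log lines posted above (three connection attempts,
# sshd child pids 1317, 1322 and 1327, all from the same client).
SAMPLE_LOG = """\
Aug 11 22:23:26 bishop0 sshd[1234]: Server listening on 0.0.0.0 port 22.
Aug 11 22:23:46 bishop0 sshd[1317]: Authentication refused: bad ownership or modes for directory /usr/home/user
Aug 11 22:23:47 bishop0 sshd[1317]: error: PAM: authentication error for user from 192.168.0.7
Aug 11 22:23:49 bishop0 last message repeated 2 times
Aug 11 22:23:50 bishop0 sshd[1322]: Authentication refused: bad ownership or modes for directory /usr/home/user
Aug 11 22:23:51 bishop0 sshd[1322]: error: PAM: authentication error for user from 192.168.0.7
Aug 11 22:23:52 bishop0 last message repeated 2 times
Aug 11 22:23:53 bishop0 sshd[1327]: Authentication refused: bad ownership or modes for directory /usr/home/user
Aug 11 22:23:57 bishop0 sshd[1327]: Accepted keyboard-interactive/pam for user from 192.168.0.7 port 36631 ssh2
"""

# Syslog prefix plus the sshd child pid; everything after the colon is the message.
SSHD_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# StrictModes rejected the key file or one of its parent directories.
REFUSED_RE = re.compile(r"^Authentication refused: bad ownership or modes for (?:directory|file) (?P<path>\S+)")
# One failed keyboard-interactive (PAM) round, i.e. a wrong or empty password.
PAM_ERR_RE = re.compile(r"^error: PAM: authentication error for (?:illegal user )?(?P<user>\S+) from (?P<src>\S+)")
# Successful login; the method tells you whether a key or a password got in.
ACCEPTED_RE = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port \d+")


def parse_sessions(log_text):
    """Group sshd messages by child pid (one pid per client connection)."""
    sessions = defaultdict(lambda: {"refused_paths": [], "pam_errors": 0, "accepted": None})
    for line in log_text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue  # "last message repeated N times" has no pid; not attributed
        session = sessions[m.group("pid")]
        msg = m.group("msg")
        refused = REFUSED_RE.match(msg)
        accepted = ACCEPTED_RE.match(msg)
        if refused:
            session["refused_paths"].append(refused.group("path"))
        elif PAM_ERR_RE.match(msg):
            session["pam_errors"] += 1
        elif accepted:
            session["accepted"] = {
                "method": accepted.group("method"),
                "user": accepted.group("user"),
                "src": accepted.group("src"),
            }
    return dict(sessions)


def find_password_fallbacks(log_text):
    """Sessions where the public key was refused for bad modes and the login then
    succeeded through keyboard-interactive/pam, i.e. with a typed password."""
    findings = []
    for pid, session in parse_sessions(log_text).items():
        acc = session["accepted"]
        if session["refused_paths"] and acc and acc["method"].startswith("keyboard-interactive"):
            findings.append((pid, acc["user"], acc["src"], sorted(set(session["refused_paths"]))))
    return findings


if __name__ == "__main__":
    for pid, user, src, paths in find_password_fallbacks(SAMPLE_LOG):
        print(f"sshd[{pid}]: key refused ({', '.join(paths)}); {user} from {src} then logged in with a password")
```

Run against a real /var/log/auth.log this reports every connection where a key was silently dropped and the server fell back to a password, which is the condition the original poster wanted to make impossible rather than merely notice.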
 
ThunderWolf

This is the log file after ChallengeResponseAuthentication is set to no:
Code:
Aug 11 22:23:22 bishop0 newsyslog[944]: logfile first created
Aug 11 22:23:26 bishop0 sshd[1234]: Server listening on :: port 22.
Aug 11 22:23:26 bishop0 sshd[1234]: Server listening on 0.0.0.0 port 22.
Aug 11 22:23:46 bishop0 sshd[1317]: Authentication refused: bad ownership or modes for directory /usr/home/user
Aug 11 22:23:47 bishop0 sshd[1317]: error: PAM: authentication error for user from 192.168.0.7
Aug 11 22:23:49 bishop0 last message repeated 2 times
Aug 11 22:23:50 bishop0 sshd[1322]: Authentication refused: bad ownership or modes for directory /usr/home/user
Aug 11 22:23:51 bishop0 sshd[1322]: error: PAM: authentication error for user from 192.168.0.7
Aug 11 22:23:52 bishop0 last message repeated 2 times
Aug 11 22:23:53 bishop0 sshd[1327]: Authentication refused: bad ownership or modes for directory /usr/home/user
Aug 11 22:23:57 bishop0 sshd[1327]: Accepted keyboard-interactive/pam for user from 192.168.0.7 port 36631 ssh2
Aug 11 22:24:03 bishop0 su: BAD SU user to root on /dev/pts/0
Aug 11 22:24:13 bishop0 su: user to root on /dev/pts/0
Aug 11 22:29:06 bishop0 sshd[1330]: Received disconnect from 192.168.0.7: 11: disconnected by user
Aug 11 22:29:09 bishop0 sshd[1343]: Authentication refused: bad ownership or modes for directory /usr/home/user
Aug 11 22:29:10 bishop0 sshd[1343]: error: PAM: authentication error for user from 192.168.0.7
Aug 11 22:29:11 bishop0 last message repeated 2 times
Aug 11 22:29:13 bishop0 sshd[1348]: Authentication refused: bad ownership or modes for directory /usr/home/user
Aug 11 22:29:18 bishop0 sshd[1348]: Accepted keyboard-interactive/pam for user from 192.168.0.7 port 36634 ssh2
Aug 11 22:29:32 bishop0 su: user to root on /dev/pts/0
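The setting that mattered here is the one the posted sshd_config comments describe under UsePAM: on FreeBSD UsePAM defaults to yes, and with ChallengeResponseAuthentication left at its default of yes, PAM still prompts for a password over the keyboard-interactive method, which is why PasswordAuthentication no changed nothing and why the client's "Permission denied (publickey,gssapi-with-mic,keyboard-interactive)" still listed keyboard-interactive. The file's own comment gives the intended fix: keep UsePAM yes for account and session processing, and set both PasswordAuthentication and ChallengeResponseAuthentication to no. The following is an added example, not code from the thread, that applies sshd_config's own parsing rules (case-insensitive keywords, first occurrence wins, a Match block ends the global section) and reports which password-style paths remain open. The default values are taken from the commented-out lines of the FreeBSD file posted above; the KbdInteractiveAuthentication alias is the name newer OpenSSH releases use for the same setting; the two sample configurations are constructed.

```python
import re

# Defaults as shown by the commented-out lines of the FreeBSD sshd_config posted
# above (that file's convention: a commented option shows its default value).
FREEBSD_DEFAULTS = {
    "passwordauthentication": "no",
    "challengeresponseauthentication": "yes",
    "usepam": "yes",
    "pubkeyauthentication": "yes",
}

# OpenSSH 8.7 renamed ChallengeResponseAuthentication to KbdInteractiveAuthentication
# and kept the old name as an alias, so both names refer to one setting.
ALIASES = {"kbdinteractiveauthentication": "challengeresponseauthentication"}

# Constructed: the relevant lines of the configuration as first posted.
CONFIG_AS_POSTED = """\
PasswordAuthentication no
#ChallengeResponseAuthentication yes
#UsePAM yes
Subsystem sftp /usr/libexec/sftp-server
"""

# Constructed: the same with the keyboard-interactive fallback closed, as the
# file's UsePAM comment recommends (PAM account/session checks still run).
CONFIG_HARDENED = """\
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
PubkeyAuthentication yes
"""


def effective_config(text, defaults=FREEBSD_DEFAULTS):
    """Resolve the global section of an sshd_config the way sshd does: keywords
    are case-insensitive, 'Keyword value' or 'Keyword=value' are both accepted,
    the first occurrence of a keyword wins, and everything after the first Match
    line is conditional, so it does not change the global value."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            break
        key = ALIASES.get(key, key)
        seen.setdefault(key, value)  # first occurrence wins
    effective = dict(defaults)
    effective.update(seen)
    return effective


def password_paths(text, defaults=FREEBSD_DEFAULTS):
    """Return the ways a client can still log in by typing a password."""
    cfg = effective_config(text, defaults)
    paths = []
    if cfg["passwordauthentication"] == "yes":
        paths.append("password (PasswordAuthentication yes)")
    if cfg["challengeresponseauthentication"] == "yes" and cfg["usepam"] == "yes":
        paths.append("keyboard-interactive/pam (ChallengeResponseAuthentication yes, UsePAM yes)")
    return paths


if __name__ == "__main__":
    for name, cfg in (("as posted", CONFIG_AS_POSTED), ("hardened", CONFIG_HARDENED)):
        print(f"{name}: {password_paths(cfg) or ['no password path']}")
```

On the server itself the authoritative check is the daemon's own view: `sshd -T` dumps the effective configuration, so `sshd -T | grep -iE 'passwordauthentication|challengeresponseauthentication|kbdinteractiveauthentication|usepam'` shows what is really in force after the restart. From the client, `ssh -o PubkeyAuthentication=no user@host` should now fail immediately with "Permission denied (publickey)" rather than prompting.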
 

kpa

Your home directory has some funny permissions or it's not owned by you.
# chmod 755 /usr/home/user
# chown user /usr/home/user
# chgrp user /usr/home/user
 
ThunderWolf

I changed the permissions of my home dir, but got the same thing, so I changed it back to 777 as a temporary fix for NFS, lol. I own the home dir and it belongs to my group.
 
ThunderWolf

I have been using ssh for quite a while on other systems and have always had to modify the sshd_config file. I remember, after copying the pub file's contents to the client's authorized_keys file, trying to log in and being asked for my password. I want to disable the password and be asked for the passphrase, but thanks for the reply anyway.
 
ThunderWolf

I have checked all file permissions in the ~/.ssh dirs on both client and server, but everything is what it should be.

I am thinking that since sshd ran on the first boot and made its own encryption keys, when I ran:
Code:
ssh-keygen -t rsa
it may have screwed things up.
 

kpa

Those are host keys that are created on the first run of sshd(8). Create a new key on the client that has a password and add the public key to authorized_keys on the server, does it get rejected the same way?
 
ThunderWolf

I think I have been pulling us away from the real problem, sorry. It is not rejecting the public key; it is just not asking for it.
 

phoenix (Administrator)

Did you specify the key file to use on the command-line? If not, try that. That will tell you if the key is created correctly, and the public side is set on the server correctly:
$ ssh -i /path/to/key/file -l username server.to.connect.to

If that works, then you need to check ~username/.ssh/config and/or /etc/ssh/ssh_config to make sure it's asking for the right key file.
 

Jsanchez

I'll show you my configuration, which works as you want.

Server /etc/sshd_config
Code:
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key

UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 768

LoginGraceTime 120
PermitRootLogin no
StrictModes yes

#RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      %h/.ssh/authorized_keys

SSH Client ~/.ssh/config
Code:
Host example
        HostName 10.0.0.1
        Port 22
        User luser
        DynamicForward 9999
        IdentityFile /home/jsanchez/.ssh/private-key
private-key is the key generated on the client, not the public one, and the generated public key should be added to ~/.ssh/authorized_keys in the server user's account.
 

robbak

Aug 11 22:29:09 bishop0 sshd[1343]: Authentication refused: bad ownership or modes for directory /usr/home/user

That is the line about the public/private key authentication attempt: it failed because of permission errors. If your home directory is 777, then it will fail!
You stated that you had set it, but did not have success. What was the error message when you had the home directory's permissions fixed? 755 user:user (assuming 'user' is your actual username; un-anonymize it if it isn't!) is what it is for me; some use 0x750 or even stricter.
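What robbak is pointing at is sshd's StrictModes check, on by default: before it trusts authorized_keys it stats the file and every directory from the file's parent up to and including the home directory, and refuses the whole key if any of them is owned by someone other than the user or root, or has the group or world write bit set. A 777 home directory trips that last rule, the key is never tried, and sshd moves on to keyboard-interactive, which is the sequence in the logs. Setting StrictModes no would make the symptom go away but also lets anyone who can write to the home directory plant a key, so the NFS ownership mapping is the thing to fix. The following is an added example, not the thread's or OpenSSH's code, that applies the same rule to a list of (path, mode, owner) entries so it can be run without a real filesystem, plus a helper that builds that list from a live path; the sample entries are constructed from the layout described in the thread.

```python
import os
import stat


def entry(path, is_dir, perm, owner_uid):
    """Build a (path, st_mode, st_uid) triple as os.stat would report it."""
    return (path, (stat.S_IFDIR if is_dir else stat.S_IFREG) | perm, owner_uid)


def secure_path_violations(entries, uid):
    """Apply the StrictModes rule to each entry: owner must be the user or root,
    and neither the group nor the world write bit may be set. Returns messages
    in the form sshd logs them, in the order the entries are given (file first,
    then parent directories up to the home directory)."""
    problems = []
    for path, mode, owner in entries:
        kind = "directory" if stat.S_ISDIR(mode) else "file"
        bad_owner = owner not in (0, uid)
        bad_mode = bool(mode & 0o022)
        if bad_owner or bad_mode:
            problems.append(f"bad ownership or modes for {kind} {path}")
    return problems


def stat_chain(authorized_keys, home):
    """Stat a real authorized_keys file and each parent directory, stopping at
    home, in the order sshd checks them."""
    entries = []
    path = os.path.realpath(authorized_keys)
    home = os.path.realpath(home)
    st = os.stat(path)
    entries.append((path, st.st_mode, st.st_uid))
    d = os.path.dirname(path)
    while True:
        st = os.stat(d)
        entries.append((d, st.st_mode, st.st_uid))
        if d == home or os.path.dirname(d) == d:
            break
        d = os.path.dirname(d)
    return entries


# Constructed: the layout described in the thread, home directory chmod 777,
# key file and ~/.ssh already tightened. 1001 is an assumed uid.
USER_UID = 1001
PATHS_AS_POSTED = [
    entry("/usr/home/user/.ssh/authorized_keys", False, 0o600, USER_UID),
    entry("/usr/home/user/.ssh", True, 0o700, USER_UID),
    entry("/usr/home/user", True, 0o777, USER_UID),
]
# The same after chmod 755 on the home directory.
PATHS_FIXED = PATHS_AS_POSTED[:2] + [entry("/usr/home/user", True, 0o755, USER_UID)]


if __name__ == "__main__":
    print("as posted:", secure_path_violations(PATHS_AS_POSTED, USER_UID))
    print("fixed:    ", secure_path_violations(PATHS_FIXED, USER_UID))
    mine = os.path.join(os.path.expanduser("~"), ".ssh", "authorized_keys")
    if os.path.exists(mine):
        print("this host:", secure_path_violations(stat_chain(mine, os.path.expanduser("~")), os.getuid()))
```

Any mode without group or world write bits passes, so 755, 750 and 700 on the home directory are all fine, and a root-owned home directory is accepted too; what is never accepted is a directory the user's group or everyone can write to, which is why chmod 640 on the files in ~/.ssh was necessary but not sufficient while the home directory stayed at 777.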
 