Do I need permission to make ssh keys work?

Preface

The topic of SSH key setup and making ssh/scp connections work across hosts without a password has been beaten to death in several Unix and technical forums already.

Google is your friend, and the entire world knows that any website like http://pkeck.myweb.uga.edu/ssh/ (the very first search result) will tell you the nitty-gritty of setting up SSH keys successfully using the RSA and DSA standards.

The unexpected hitch

Sometimes even the most straightforward configuration will not work. This is one such experience with a very simple SSH key setup, which was working from one host to another, but not vice versa. It was very frustrating to go over the seemingly simple setup steps, only to discover that they had indeed been done.

Then why, in the name of Unix, would it not work?!

Granting excessive permissions can bring you down too

During the trying time of making SSH work, I had either given 777 (drwxrwxrwx) permissions to the home directory (/home/applmgr) of the applmgr Unix id, OR someone else had opened it up for some writing/copying purpose.

I noticed that the host on which the SSH key was working did not have 777 permissions on its home directory; rather, it had 755 (drwxr-xr-x).

So maybe this was the missing link? Anyway, I set the directory permissions to 755 on the machine where the SSH key was not working and which would always ask for the password.

After that, the SSH session worked like a charm. What a silly, undocumented setup step! (The reason is deliberate on sshd's part: with StrictModes enabled, which is the default, it ignores authorized_keys in a home directory or .ssh directory that group or others can write to, since anyone with write access there could plant their own key.)

Here's what had been done so far:

1.) sign on or 'su' to the appropriate app ID
2.) type: ssh-keygen -t dsa
3.) copy (scp or other) the .pub file to the .ssh directory on the target server(s)
4.) rename the file to be called "authorized_keys2" by doing this:
    ssh to the target server (will be prompted for id/pw)
    $ cat id_dsa.pub >/home/$USER/.ssh/authorized_keys2
5.) log off

Here's what ELSE had to be done to make it actually work:

Now you see it:

usell001.corp.company.us:NoOracle> ls -ld .
drwxr-xr-x   31 applmgr  users        4096 Jul 13 16:31 .
usell041.corp.company.us:NoOracle> chmod 777 .

usell008:web_prod> ssh usell041

     This system is for authorized use only.  Unauthorized access by any
     means is forbidden.  All access and activity on this system is
     logged and logs are reviewed regularly.  Activity on this system
     carries no right of privacy.  Unauthorized access will be
     investigated and prosecuted to the full extent of the law.

applmgr@usell041's password:
#
# Notice that it is asking for password
#
usell008:web_prod>


Now you don't:

usell041.corp.company.us:NoOracle> chmod 755 .
usell041.corp.company.us:NoOracle>

usell008:web_prod> ssh usell041

     This system is for authorized use only.  Unauthorized access by any
     means is forbidden.  All access and activity on this system is
     logged and logs are reviewed regularly.  Activity on this system
     carries no right of privacy.  Unauthorized access will be
     investigated and prosecuted to the full extent of the law.

Warning: No xauth data; using fake authentication data for X11 forwarding.
usell041.corp.company.us:NoOracle>

#
# Notice that it did not ask for any password and went right into usell041
#
usell041.corp.company.us:NoOracle>
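The chmod 777 / chmod 755 toggle above is exactly the condition sshd's StrictModes tests before it trusts a key, and the same idea applies on the client side, where ssh refuses a private key that others can read. The script below is an added example, not part of the original post: it reproduces those checks so you can run them against a home directory before asking why the key is "not working". It takes the home directory as a parameter (and optionally the expected owner uid), looks for authorized_keys2 as named in the post, and checks the usual id_dsa/id_rsa private key names; all paths and names are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the permission checks
# OpenSSH applies before it trusts a key. sshd with StrictModes (the default)
# ignores authorized_keys when the home directory, ~/.ssh or the file itself is
# writable by group or others, or is owned by someone other than the user (or
# root); the ssh client refuses a private key readable by group or others.
# Paths, file names and the "authorized_keys2" name are assumptions here.

# Symbolic mode string (e.g. drwxr-xr-x) of a path; works with GNU and BSD ls.
sym_mode() {
    ls -ld "$1" | cut -c1-10
}

# Numeric owner uid of a path, third column of ls -ldn.
owner_uid_of() {
    ls -ldn "$1" | awk '{ print $3 }'
}

# True if the group or "other" write bit is set (positions 6 and 9 of the mode string).
writable_by_others() {
    case "$(sym_mode "$1")" in
        ?????w*|????????w?) return 0 ;;
    esac
    return 1
}

# True if the group or "other" read bit is set (positions 5 and 8 of the mode string).
readable_by_others() {
    case "$(sym_mode "$1")" in
        ????r*|???????r??) return 0 ;;
    esac
    return 1
}

# check_ssh_perms HOME [UID]
# Server-side checks on HOME, HOME/.ssh and HOME/.ssh/authorized_keys2, then the
# client-side check on any private key in HOME/.ssh. Prints each problem found;
# returns 1 if sshd or ssh would reject the setup, 0 if it passes.
check_ssh_perms() {
    home=$1
    uid=${2:-$(id -u)}
    rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys2"; do
        [ -e "$p" ] || continue
        if writable_by_others "$p"; then
            echo "REJECT $p: writable by group/others ($(sym_mode "$p")); sshd ignores the key"
            rc=1
        fi
        o=$(owner_uid_of "$p")
        if [ "$o" != "$uid" ] && [ "$o" != "0" ]; then
            echo "REJECT $p: owned by uid $o, not uid $uid or root"
            rc=1
        fi
    done
    for k in "$home/.ssh/id_dsa" "$home/.ssh/id_rsa"; do
        [ -f "$k" ] || continue
        if readable_by_others "$k"; then
            echo "REJECT $k: private key readable by group/others ($(sym_mode "$k")); ssh refuses it"
            rc=1
        fi
    done
    if [ "$rc" -eq 0 ]; then
        echo "OK: $home passes (home 755 or stricter, .ssh 700, keys 600)"
    fi
    return $rc
}

# Usage: sh check_ssh_perms.sh /home/applmgr
if [ -n "${1:-}" ]; then
    check_ssh_perms "$1"
fi
```

Run it on the machine that keeps prompting for a password; a 777 home directory produces a REJECT line for the home directory even when .ssh and authorized_keys2 are already 700 and 600. The mode-string parsing via ls is used instead of stat or find because their permission flags differ between GNU and BSD tools.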

Comments:

should use chmod 600 or 700

Posted by rpv on December 20, 2008 at 04:59 AM EST #
