Frustrating SSH issue

I've got two Pis. I've set up keys for a user (Tom) on Pi 1, and given the public key to a user (Dick) on Pi 2. Dick can now ssh to Pi 1 as Tom without needing a password. (so far so good).

As another user (Harry) on Pi 2, I've ssh'd to Tom on Pi 1 (using Tom's password), and copied Tom's public key back to Harry's $HOME/.ssh directory on Pi 2. But when Harry tries to ssh to Pi 1 as Tom, he is prompted for a password. Dick and Harry both appear to have the same file permissions. Both are only in their own groups. What am I doing wrong?

ls -ld from $HOME/.ssh gives permissions of drwxr-xr-x
ls -l authorized_keys gives -r--------

Adrian

--
To Reply : 
replace "bulleid" with "adrian" - all mail to bulleid is rejected 
Sorry for the rigmarole, If I want spam, I'll go to the shops 
Every time someone says "I don't believe in trolls", another one dies.

permissions on ~/.ssh should be 700 (drwx------); authorized_keys should be 600 (-rw-------) (but 400 as you have probably works)

my strategy when transferring keys is to do "umask 77" first then the permissions will come out as needed.

--
For a good time: install ntp
Jasen Betts
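To make the advice above concrete, here is an added audit script (mine, not code from the thread) that checks what sshd's StrictModes actually enforces and shows the umask 077 trick. sshd ignores authorized_keys when the home directory, ~/.ssh or the file itself is writable by group or other, or owned by someone other than the user (root ownership is tolerated by sshd, but the audit flags it anyway because a root-owned home is usually a mistake). The tighter 700/600 is convention; the one file the ssh client itself refuses to use unless it is owner-only is the private key. Note that the modes in the question (755 on ~/.ssh, 400 on authorized_keys) pass this check, so a clean audit does not rule in permissions as the cause. Everything runs in a temporary directory with constructed files; the directory names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: audit the permissions sshd's
# StrictModes check cares about, and show that creating the files under
# "umask 077" makes them come out 0700/0600 with no chmod afterwards.

# 10-character mode string of a path, e.g. "drwx------" (ls -ld rather than
# stat, because stat's flags differ between GNU and BSD).
mode_of() { ls -ld "$1" | cut -c1-10; }

# Numeric owner uid of a path (ls -n avoids a passwd lookup).
owner_of() { ls -ldn "$1" | awk '{print $3}'; }

# 0 if group and other have no bits at all (positions 5-10 are all '-').
owner_only() {
    case "$(mode_of "$1")" in
        ????------) return 0 ;;
        *)          return 1 ;;
    esac
}

# 0 if neither group (position 6) nor other (position 9) may write.
not_gw_ow() {
    case "$(mode_of "$1")" in
        ?????-??-?) return 0 ;;
        *)          return 1 ;;
    esac
}

# Simplified version of sshd's StrictModes walk: ~, ~/.ssh and authorized_keys
# must be the user's and must not be group/other-writable; private keys must
# be owner-only. Findings go to stderr; the number of problems is printed.
audit_ssh_dir() {
    home=$1 uid=$2 problems=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        if [ "$(owner_of "$p")" != "$uid" ]; then
            echo "WARN: $p owned by uid $(owner_of "$p"), expected $uid" >&2
            problems=$((problems + 1))
        fi
    done
    for d in "$home" "$home/.ssh"; do
        [ -e "$d" ] || continue
        if ! not_gw_ow "$d"; then
            echo "WARN: $d is $(mode_of "$d"); must not be group/other-writable" >&2
            problems=$((problems + 1))
        fi
    done
    ak=$home/.ssh/authorized_keys
    if [ -e "$ak" ]; then
        if ! not_gw_ow "$ak"; then
            echo "WARN: $ak is $(mode_of "$ak"); sshd ignores it if group/other-writable" >&2
            problems=$((problems + 1))
        elif ! owner_only "$ak"; then
            echo "NOTE: $ak is $(mode_of "$ak"); 0600 (or 0400) is the usual setting" >&2
        fi
    fi
    for f in "$home"/.ssh/id_*; do
        [ -e "$f" ] || continue
        case "$f" in *.pub) continue ;; esac       # the public half may be 0644
        if ! owner_only "$f"; then
            echo "WARN: $f is $(mode_of "$f"); ssh refuses private keys others can read" >&2
            problems=$((problems + 1))
        fi
    done
    echo "$problems"
}

# Create ~/.ssh and an empty authorized_keys the way the post suggests: umask
# 077 first, so the modes come out right. Subshell keeps the caller's umask.
make_ssh_dir() {
    ( umask 077 && mkdir -p "$1/.ssh" && : > "$1/.ssh/authorized_keys" )
}

# Demo on three constructed homes: the umask route, the modes from the
# question (755 / 400, which pass), and a genuinely loose setup.
demo=$(mktemp -d); me=$(id -u)
make_ssh_dir "$demo/tidy"
mkdir -p "$demo/asked/.ssh" && chmod 755 "$demo/asked" "$demo/asked/.ssh"
: > "$demo/asked/.ssh/authorized_keys" && chmod 400 "$demo/asked/.ssh/authorized_keys"
mkdir -p "$demo/loose/.ssh" && chmod 755 "$demo/loose" && chmod 775 "$demo/loose/.ssh"
: > "$demo/loose/.ssh/authorized_keys" && chmod 664 "$demo/loose/.ssh/authorized_keys"
for h in tidy asked loose; do
    echo "$h: $(audit_ssh_dir "$demo/$h" "$me" 2>&1 | tr '\n' ' ')"
done
rm -rf "$demo"
```

Run it as the user whose home you are checking; on a real box replace the demo section with `audit_ssh_dir "$HOME" "$(id -u)"`. The 0400 authorized_keys from the question produces at most a NOTE, never a WARN.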

I think that the lack of a password may well be the problem. It sounds to me as if the account may be locked... man {usermod,useradd} may help.

--
Alex Potter

I take your point regarding the directory permissions, but as I said, both are the same, yet from one account it works, from the other it doesn't, so I'm not sure that being over generous on the permissions is the issue. I've just tried changing to drwx------ and it doesn't make any difference.

Adrian


Thanks for the suggestion. I've given Harry a password, and unlocked the account, but still no joy.

Adrian


Does /var/log/auth.log give a clue? You may need to enable logging in sshd first, i.e. no '#' comment signs in front of the logging statements, as below:

/etc/ssh/sshd_config:

    # Logging
    SyslogFacility AUTH
    LogLevel INFO

Rob Windgassen

Logging was already working.

I logged onto Pi 1 and set tail -f running on the log file.

Then from Pi 2, I ssh'd from Dick's account, and the log file gave :

Accepted publickey from tom from port ssh2

I then tried to ssh from Harry's account, and the log file didn't register at all until I entered Tom's password, at which point I got :

Accepted password for tom ...

Nothing in /var/log on Pi 2 has any messages relating to the SSH attempts

Adrian

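An added example (mine, not from the thread) of the per-user, per-method tally a practitioner would run over Pi 1's /var/log/auth.log while reproducing both logins; the log lines are constructed in sshd's syslog format. One caveat explains the silent attempt described above: sshd logs a rejected public key for an existing account at LogLevel VERBOSE, not INFO, so at the default level a key that is simply absent from authorized_keys leaves no trace until the password fallback succeeds (the "Failed publickey" line in the sample is what you would see with VERBOSE). The client side shows it at once with `ssh -v`: "Offering public key ..." followed by "Authentications that can continue: publickey,password".

```shell
#!/bin/sh
# Added example, not code from the thread: tally sshd's "Accepted"/"Failed"
# lines per user and method. The match is on the message text, so journald
# output works as well as syslog-style lines.

# Constructed sample of what Pi 1 might log: two key logins (Dick), a
# rejected key followed by a password fallback (Harry), and one scanner.
sample_log() {
    cat <<'EOF'
Jan  5 10:12:01 pi1 sshd[1234]: Accepted publickey for tom from 192.168.1.20 port 50210 ssh2: ED25519 SHA256:constructed0000000000000000000000000000000000
Jan  5 10:12:01 pi1 sshd[1234]: pam_unix(sshd:session): session opened for user tom by (uid=0)
Jan  5 10:13:45 pi1 sshd[1240]: Failed publickey for tom from 192.168.1.20 port 50222 ssh2: ED25519 SHA256:constructed1111111111111111111111111111111111
Jan  5 10:13:52 pi1 sshd[1240]: Accepted password for tom from 192.168.1.20 port 50222 ssh2
Jan  5 10:20:07 pi1 sshd[1251]: Failed password for invalid user bob from 203.0.113.7 port 41022 ssh2
Jan  5 10:21:19 pi1 sshd[1260]: Accepted publickey for tom from 192.168.1.20 port 50301 ssh2: ED25519 SHA256:constructed0000000000000000000000000000000000
EOF
}

# Print "RESULT METHOD USER COUNT" for every authentication outcome on stdin.
auth_summary() {
    awk '
        match($0, /(Accepted|Failed) [^ ]+ for (invalid user )?[^ ]+ from /) {
            split(substr($0, RSTART, RLENGTH), f, " ")
            user = (f[4] == "invalid") ? f[6] : f[4]   # "for invalid user bob"
            n[f[1] " " f[2] " " user]++
        }
        END { for (k in n) print k, n[k] }' | sort
}

# count_auth RESULT METHOD USER (log on stdin) -> number of matching lines.
count_auth() {
    auth_summary | awk -v k="$1 $2 $3" '
        ($1 " " $2 " " $3) == k { print $4; found = 1 }
        END { if (!found) print 0 }'
}

# Users who authenticated with a password at all; on a host that is meant
# to be key-only this should print nothing.
password_logins() {
    auth_summary | awk '$1 == "Accepted" && $2 == "password" { print $3 }'
}

sample_log | auth_summary
echo "password logins: $(sample_log | password_logins | tr '\n' ' ')"
```

On a live box: `auth_summary < /var/log/auth.log` (or `journalctl -u ssh | auth_summary`). An "Accepted password" entry for an account that is supposed to use keys is the line to chase.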

In message , Jim Price writes

No user config files. ~/.ssh only has authorized_keys, known_hosts and the user's own key files (although Harry shouldn't need them).

I've already tried giving Harry a password (and unlocking the account), and that makes no difference.

Adrian


If the files are identical the problem is permissions. Perhaps you have wrong ownership or permissions on the home directory of the user. ssh is very fussy about permissions.

--
For a good time: install ntp
Jasen Betts

Thanks for the suggestion.

Both have drwxr-xr-x

However, dick is owned by dick in group dick; harry is root/root. Changing it to harry/harry doesn't make any difference.

Adrian


Turn on verbose logging in the ssh config on both machines, repeat the attempted login for each account and compare the results. Where they diverge should reveal where the problem is. Post the relevant output here if you need any help with it. You might also find one of the many available diff programs useful to see where the logging diverges. We're about finished with the usual suspects when it comes to being able to diagnose the problem with insufficient clues.

--
JimP.
Jim Price

try this:

    chown -R harry:harry ~harry/.ssh
    chmod -R go-rwx ~harry/.ssh

Also check /etc/ssh/sshd_config to see if there are login restrictions by "AllowGroups" or "AllowUsers".

--
For a good time: install ntp
Jasen Betts

A public key is, as the name says, supposed to be publicly known. Hence knowledge of Tom's public key cannot be used by Dick to gain access to Tom's account.

To give a remote user access to an account the account owner must put the remote user's public key in her/his authorized_keys file. By doing so the account owner says: "I trust the owner of the accompanied private key to log into my account." The remote user uses her/his own private key to authorize.

If Dick is able to log into Tom's account without a password you must have done something other than giving Tom's public key to Dick (like putting Dick's public key in Tom's authorized_keys file).

That is expected behavior. Put Harry's public key in Tom's authorized_keys file to give Harry access to Tom's account without a password.

As a side note: If your public key could be used to gain access of your account then it would be impossible to withdraw a particular user's access rights without changing your own public/private key pair. And that would deny access to everybody instead of only that particular user.

Regards,

Kees.

--
Kees Theunissen
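The direction of trust Kees describes can be checked mechanically: a login from harry@pi2 to tom@pi1 works only if the public half of the key pair Harry's client uses appears in /home/tom/.ssh/authorized_keys on Pi 1, and copying Tom's public key to Harry does nothing. The script below is an added example (mine, not from the thread) that extracts the key type and blob from a .pub file or an authorized_keys line (skipping option prefixes and comments) and compares them, plus an idempotent append that approximates what ssh-copy-id does server-side. The key blobs and paths are constructed, not real keys.

```shell
#!/bin/sh
# Added example, not code from the thread: check which client keys Tom's
# authorized_keys actually trusts, and grant one without duplicating it.

# Constructed public keys (fake blobs, not real key material).
TOM_PUB='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAITOMTOMTOMTOMTOMTOMTOMTOMTOMTOMTOMTOMTOMTOMTO tom@pi1'
DICK_PUB='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDICKDICKDICKDICKDICKDICKDICKDICKDICKDICKDIC dick@pi2'
HARRY_PUB='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHARRYHARRYHARRYHARRYHARRYHARRYHARRYHARRYHARR harry@pi2'

# Print "type blob" for each key on stdin (a .pub file or authorized_keys),
# skipping blank/comment lines, any leading option list such as
# command="..." or from="...", and the trailing comment. Assumes no option
# value itself looks like a key type.
key_id() {
    awk '
        /^[ \t]*#/ { next }
        NF == 0    { next }
        {
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $i, $(i + 1); break }
        }'
}

# key_authorized AUTHORIZED_KEYS PUBKEY_FILE -> 0 if the key is listed
# (compared on type and blob only, so comments and options do not matter).
key_authorized() {
    want=$(key_id < "$2")
    [ -n "$want" ] || return 2
    key_id < "$1" | grep -qxF "$want"
}

# grant_access AUTHORIZED_KEYS PUBKEY_FILE: append the key unless present.
grant_access() {
    key_authorized "$1" "$2" && return 0
    ( umask 077 && cat "$2" >> "$1" )
}

# Build a constructed copy of Tom's ~/.ssh on Pi 1, with Dick's key already
# trusted (written with an option prefix to exercise key_id), under $1.
setup_demo() {
    mkdir -p "$1/tom/.ssh"
    printf '%s\n' "$TOM_PUB"   > "$1/tom.pub"
    printf '%s\n' "$DICK_PUB"  > "$1/dick.pub"
    printf '%s\n' "$HARRY_PUB" > "$1/harry.pub"
    printf '%s\n' "# Tom's authorized_keys on Pi 1" \
        "no-agent-forwarding,from=\"pi2\" $DICK_PUB" > "$1/tom/.ssh/authorized_keys"
}

# Demo: Dick's key works, Harry's does not, and Tom's own public key copied
# to Harry's account (the approach in the question) does not help either.
d=$(mktemp -d); setup_demo "$d"; ak=$d/tom/.ssh/authorized_keys
for who in dick harry tom; do
    if key_authorized "$ak" "$d/$who.pub"; then r=authorized; else r="NOT authorized (password prompt)"; fi
    echo "$who's key -> tom@pi1: $r"
done
grant_access "$ak" "$d/harry.pub"
key_authorized "$ak" "$d/harry.pub" && echo "after grant_access: harry's key -> tom@pi1: authorized"
rm -rf "$d"
```

The real-world equivalent of grant_access is `ssh-copy-id -i ~/.ssh/id_ed25519.pub tom@pi1`, run from Harry's account on Pi 2, which also creates ~/.ssh on the far side under umask 077.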

In message , Adrian writes

Rather than replying in each subthread, an overall reply.

It seems that I'm stupid.

Kees Theunissen has hit the nail on the head: I was sharing the wrong keys. Tom and Dick had swapped keys, so both could ssh to each other, but Harry only had Tom's, whereas what was actually needed was for Tom to have Harry's. Having given Tom Harry's key, it now works.

Many thanks to those who have taken the time to assist.

Adrian


In a mad moment, Adrian mumbled:

Time to check on what Bob and Alice were up to ? ;))

--

|)ryn [vans            mail to - BrynEvans@bryork.freeuk.com
Bryn Evans

Have you tried giving both users the same primary group, say 'users'? Don't forget that, after you've changed the primary group for both users, you'll need to run:

    sudo chown -R dick:users /home/dick
    sudo chown -R harry:users /home/harry

--
martin@   | Martin Gregorie 
gregorie. | Essex, UK 
org       |

Ask Eve, she works for NSA.

--
For a good time: install ntp
Jasen Betts

With Charlie.

-- mrr

Morten Reistad

On Sun, 5 Jan 2014 03:35:48 +0100, Morten Reistad declaimed the following:

I'd refrained from commenting that Eve is just a victim -- it's the serpent that works for the NSA...

--
	Wulfraed                 Dennis Lee Bieber         AF6VN 
    wlfraed@ix.netcom.com    HTTP://wlfraed.home.netcom.com/
Dennis Lee Bieber

Because it's inconvenient to get up and walk 2 steps between the PC & pi to move data via a USBstik, I wanted to 'interconnect them'. Although I yielded to the absurdity of using the NationalRailway/ethernet to interconnect them, doesn't mean I'll now use SECURE-ENCRYPTION to inter-operate. Screw you!! Why can't you people SIMPLIFY?

