Frustrating SSH issue

I've got two Pis. I've set up keys for a user (Tom) on Pi 1, and given
the public key to a user (Dick) on Pi 2. Dick can now ssh to Pi 1 as
Tom without needing a password. (so far so good).
As another user (Harry) on Pi 2, I've ssh'd to Tom on Pi 1 (using Tom's
password), and copied Tom's public key back to Harry's $HOME/.ssh
directory on Pi 2. But when Harry tries to ssh to Pi 1 as Tom, he is
prompted for a password. Dick and Harry both appear to have the same
file permissions. Both are only in their own groups. What am I doing
wrong?
ls -ld from $HOME/.ssh gives permissions of drwxr-xr-x
ls -l authorized_keys gives -r--------
Adrian
--
To Reply : 
replace "bulleid" with "adrian" - all mail to bulleid is rejected 
Reply to
Adrian
permissions on ~/.ssh should be 700 (drwx------), authorized_keys should be 600 (-rw-------), (but 400 as you have probably works)
my strategy when transferring keys is to do "umask 77" first then the permissions will come out as needed.
--
For a good time: install ntp
Reply to
Jasen Betts
I think that the lack of a password may well be the problem. It sounds to me as if the account may be locked... man {usermod,useradd} may help.
--
Alex
Reply to
Alex Potter
In message , Jasen Betts writes
I take your point regarding the directory permissions, but as I said, both are the same, yet from one account it works, from the other it doesn't, so I'm not sure that being over generous on the permissions is the issue. I've just tried changing to drwx------ and it doesn't make any difference.
Adrian
Reply to
Adrian
In message , Alex Potter writes
Thanks for the suggestion. I've given Harry a password, and unlocked the account, but still no joy.
Adrian
Reply to
Adrian
Does /var/log/auth.log give a clue? You may need to enable logging in sshd first, i.e. no # comment signs for the log statements as below
/etc/ssh/sshd_config:
# Logging
SyslogFacility AUTH
LogLevel INFO
Rob
Reply to
Rob Windgassen
In message , Rob Windgassen writes
Logging was already working.
I logged onto Pi 1 and set tail -f running on the log file.
Then from Pi 2, I ssh'd from Dick's account, and the log file gave :
Accepted publickey from tom from port ssh2
I then tried to ssh from Harry's account, and the log file didn't register at all until I entered Tom's password, at which point I got :
Accepted password for tom ...
Nothing in /var/log on Pi 2 has any messages relating to the SSH attempts
Adrian
Reply to
Adrian
In message , Jim Price writes
No user config files. ~/.ssh only has authorized_keys, known_hosts and the users own key files (although Harry shouldn't need them).
I've already tried giving Harry a password (and unlocking the account), and that makes no difference.
Adrian
Reply to
Adrian
If the files are identical the problem is permissions. Perhaps you have wrong ownership or permissions on the home directory of the user. ssh is very fussy about permissions.
--
For a good time: install ntp
Reply to
Jasen Betts
In message , Jasen Betts writes
Thanks for the suggestion.
Both have drwxr-xr-x
However dick is owned by dick in group dick; harry is root / root. Changing it to harry / harry doesn't make any difference.
Adrian
Reply to
Adrian
Turn on verbose logging in the ssh config on both machines, repeat the attempted login for each account and compare the results. Where they diverge should reveal where the problem is. Post the relevant output here if you need any help with it. You might also find one of the many available diff programs useful to see where the logging diverges. We're about finished with the usual suspects when it comes to being able to diagnose the problem with insufficient clues.
--
Reply to
Jim Price
try this:
chown -R harry:harry ~harry/.ssh
chmod -R go-rwx ~harry/.ssh
Also check /etc/ssh/sshd_config to see if there's login restrictions by "allowgroups" or "allowusers".
--
For a good time: install ntp
Reply to
Jasen Betts
??? A public key is -as the name says- supposed to be publicly known. Hence knowledge of Tom's public key can not be used by Dick to gain access to Tom's account.
To give a remote user access to an account the account owner must put the remote user's public key in her/his authorized_keys file. By doing so the account owner says: "I trust the owner of the accompanied private key to log into my account." The remote user uses her/his own private key to authorize.
If Dick is able to log into Tom's account without a password you must have done something else than giving Tom's public key to Dick (like putting Dick's public key in Tom's authorized_keys file).
That is expected behavior. Put Harry's public key in Tom's authorized_keys file to give Harry access to Tom's account without a password.
As a side note: If your public key could be used to gain access of your account then it would be impossible to withdraw a particular user's access rights without changing your own public/private key pair. And that would deny access to everybody instead of only that particular user.
Regards,
Kees.
--
Kees Theunissen.
Reply to
Kees Theunissen
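As an added example (not code from the thread), a small POSIX shell script that does what Kees describes, with the permissions Jasen recommends: the remote user's public key is appended to authorized_keys of the account being logged into, created under umask 077 so ~/.ssh comes out 700 and authorized_keys 600, plus a check that mirrors what sshd's StrictModes expects. The key line and directory names are constructed for the demo; stat -c assumes GNU coreutils as on Raspbian.

```shell
#!/bin/sh
# Added example, not from the thread: install Harry's PUBLIC key into Tom's
# authorized_keys on the machine being logged INTO (Pi 1). Harry then
# authenticates with his own PRIVATE key; Tom's public key on Pi 2 grants nothing.

# install_authorized_key <pubkey-file> <target-ssh-dir>
# Body runs in a subshell so the umask does not leak into the caller.
install_authorized_key() (
    pubkey="$1"; sshdir="$2"
    umask 077                                   # new files owner-only ("umask 77")
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    touch "$sshdir/authorized_keys" && chmod 600 "$sshdir/authorized_keys"
    # grep -F -x: exact whole-line match, so re-running does not duplicate the key
    if ! grep -Fxq "$(cat "$pubkey")" "$sshdir/authorized_keys"; then
        cat "$pubkey" >> "$sshdir/authorized_keys"
    fi
)

# check_ssh_perms <ssh-dir>: 0 if modes are what sshd accepts, 1 otherwise.
check_ssh_perms() {
    sshdir="$1"
    [ "$(stat -c %a "$sshdir")" = "700" ] \
        || { echo "bad mode on $sshdir (want 700)" >&2; return 1; }
    [ "$(stat -c %a "$sshdir/authorized_keys")" = "600" ] \
        || { echo "bad mode on authorized_keys (want 600)" >&2; return 1; }
    return 0
}

# Demo with a constructed (fake) key line; the real one is ~harry/.ssh/id_*.pub on Pi 2.
DEMO=$(mktemp -d)
printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDFAKEKEYnotrealnotreal harry@pi2' \
    > "$DEMO/harry.pub"
install_authorized_key "$DEMO/harry.pub" "$DEMO/tom_ssh"
install_authorized_key "$DEMO/harry.pub" "$DEMO/tom_ssh"   # second run is a no-op
check_ssh_perms "$DEMO/tom_ssh" \
    && echo "ok: $(grep -c . "$DEMO/tom_ssh/authorized_keys") key line(s) in tom_ssh/authorized_keys"
```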
In message , Adrian writes
Rather than replying in each subthread, an overall reply.
It seems that I'm stupid.
Kees Theunissen has hit the nail on the head, I was sharing the wrong keys. Tom and Dick had swapped keys, so both could ssh to each other, but Harry only had Tom's, whereas what was actually needed was for Tom to have Harry's. Having given Tom Harry's key, it now works.
Many thanks to those who have taken the time to assist.
Adrian
Reply to
Adrian
In a mad moment - Adrian mumbled :
Time to check on what Bob and Alice were up to ? ;))
--

|)ryn [vans            mail to - BrynEvans@bryork.freeuk.com
Reply to
Bryn Evans
Have you tried giving both users the same primary group, say 'users'? Don't forget that you'll need to run
sudo chown -R dick.users /home/dick
sudo chown -R harry.users /home/harry
after you've changed the prime group for both users.
--
martin@   | Martin Gregorie 
gregorie. | Essex, UK 
Reply to
Martin Gregorie
Ask Eve, she works for NSA.
--
For a good time: install ntp
Reply to
Jasen Betts
With Charlie.
-- mrr
Reply to
Morten Reistad
On Sun, 5 Jan 2014 03:35:48 +0100, Morten Reistad declaimed the following:
I'd refrained from commenting that Eve is just a victim -- it's the serpent that works for the NSA...
--
	Wulfraed                 Dennis Lee Bieber         AF6VN 
    wlfraed@ix.netcom.com    HTTP://wlfraed.home.netcom.com/
Reply to
Dennis Lee Bieber
Because it's inconvenient to get up and walk 2 steps between the PC & pi to move data via a USBstik, I wanted to 'interconnect them'. Although I yielded to the absurdity of using the NationalRailway/ethernet to interconnect them, doesn't mean I'll now use SECURE-ENCRYPTION to inter-operate. Screw you!! Why can't you people SIMPLIFY?
Reply to
Unknown