ssh and .rhosts or .shosts

Hi all,

I installed OpenSSH (openssh-4.0p1-sol8-sparc-local.gz) on Solaris 8.
Everything works fine (ssh, sftp, scp, etc.).

On the same server, I used rsh to execute remote commands by using .rhosts. I
will delete rsh and use ssh.

With SSH, I just need to execute remote commands by using .rhosts or
.shosts.
It works fine, but the system asks me for a password. The system seems to
ignore the .rhosts and .shosts files.

I confirm that rsh does not ask me for the user password, so the
configuration of .rhosts is good! And .shosts is a "cp -p" of .rhosts.

I tried to modify options in ssh_config (HostbasedAuthentication yes,
IgnoreRhosts no) but it does not work. I also tried the options
RhostsRSAAuthentification and RhostsAuthentification but the system always
asks me for a password.

So, I just need to use ssh to execute commands on a remote host
without being asked for a password. I know it's not secure, but I need to
know how I can do it.

Any ideas?

Thank You very much for your help

Best Regards
NS


0
Reply ns 4/19/2005 2:27:14 PM

For HostbasedAuthentication to work, you'll need an shosts.equiv file.
Do you have one configured?  Here is a snippet from the sshd man page:

      /etc/ssh/shosts.equiv
              This is processed exactly as /etc/hosts.equiv.  However, this
              file may be useful in environments that want to run both
              rsh/rlogin and ssh.
- Bob
0
Reply Robert 4/19/2005 3:08:09 PM


Hi,
Try setting up your ssh keys:-


# cd ~/.ssh
# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/rts1/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:

# cat id_rsa.pub > $HOME/.ssh/authorized_keys

Don't set a passphrase, just hit return.


Cheers
Richard
0
Reply Richard 4/19/2005 3:19:00 PM

On Tue, 19 Apr 2005 16:19:00 +0100, Richard Skelton wrote:

> # cat id_rsa.pub > $HOME/.ssh/authorized_keys

Ummmm, I think you mean

$ scp id_rsa.pub server:$HOME/.ssh/authorized_keys

0
Reply Dave 4/19/2005 6:03:06 PM

Dave Uhring wrote:
> On Tue, 19 Apr 2005 16:19:00 +0100, Richard Skelton wrote:
> 
> 
>># cat id_rsa.pub > $HOME/.ssh/authorized_keys
> 
> 
> Ummmm, I think you mean
> 
> $ scp id_rsa.pub server:$HOME/.ssh/authorized_keys
> 
Interesting... I've always used .ssh/authorized_keys2 for ssh2
keys like rsa and dsa, and thought that .ssh/authorized_keys was
only for rsa1 keys.  However the ssh man page references
.ssh/authorized_keys for rsa and dsa keys; YET trussing sshd for
an ssh2 connection I see indeed that it is .ssh/authorized_keys2
that is checked.  Moreover, if sshd is only serving protocol 2
and .ssh/authorized_keys2 is absent and .ssh/authorized_keys
includes the ssh2 keys, public key authentication fails.  This
leads me to believe that the man page is confusing at best.
I'd suggest using only ssh2 & putting your keys in ssh/authorized_keys2.
None of this matters though for HostBasedAuthentication.  What
matters there is that the respective hosts' (not users) public
keys are known to the respective hosts
(usually in /etc/ssh/ssh_known_hosts(2)).

- Bob
0
Reply Robert 4/19/2005 6:42:08 PM

On Tue, 19 Apr 2005 11:42:08 -0700, Robert Lawhead wrote:

> Interesting... I've always used .ssh/authorized_keys2 for ssh2
> keys like rsa and dsa, and thought that .ssh/authorized_keys was
> only for rsa1 keys.  However the ssh man page references
> .ssh/authorized_keys for rsa and dsa keys; YET trussing sshd for
> an ssh2 connection I see indeed that it is .ssh/authorized_keys2
> that is checked.  Moreover, if sshd is only serving protocol 2
> and .ssh/authorized_keys2 is absent and .ssh/authorized_keys
> includes the ssh2 keys, public key authentication fails.  This
> leads me to believe that the man page is confusing at best.

The original version of OpenSSH from which Sun's version is derived has
this default in /etc/ssh/sshd_config:

#AuthorizedKeysFile     .ssh/authorized_keys

Solaris 10 does not specify that file in its config.  Yet from a Linux box
to Solaris:

[~]$ ssh tarfu
Last login: Wed Apr 13 12:21:44 2005 from dave.xxxxxx.xxx
Sun Microsystems Inc.   SunOS 5.10      Generic January 2005
[~]$ ls -l .ssh
total 13
-rw-r--r--    1 duhring  sysadmin     3307 Jul  5  2004 authorized_keys
-rw-------    1 duhring  sysadmin      668 Jul 15  2003 id_dsa
-rw-r--r--    1 duhring  sysadmin      603 Jul 15  2003 id_dsa.pub
-rw-------    1 duhring  sysadmin      883 Jul 15  2003 id_rsa
-rw-r--r--    1 duhring  sysadmin      223 Jul 15  2003 id_rsa.pub
-rw-r--r--    1 duhring  sysadmin     4460 Feb 19 19:53 known_hosts

No password requested and the public key authentication did not fail even
though only ssh2 is enabled.

0
Reply Dave 4/19/2005 7:07:20 PM

In my previous post, I intended to append my .ssh/authorized_keys2
to my .ssh/authorized_keys file and delete .ssh/authorized_keys2.
Unfortunately, I misspelled "authorized_keys" so my observation led
me to the wrong conclusion.  Sorry for the noise.

Starting sshd in debug mode shows that both files are consulted,
and finding an appropriate key in either is adequate.

	debug1: temporarily_use_uid: 500/1 (e=0/0)
	debug1: trying public key file /u/foo/.ssh/authorized_keys
	debug1: restore_uid: 0/0
	debug1: temporarily_use_uid: 500/1 (e=0/0)
	debug1: trying public key file /u/foo/.ssh/authorized_keys2
	debug1: restore_uid: 0/0
	Failed publickey for foo from 192.168.1.61 port 2819 ssh2
	debug1: userauth-request for user foo service ssh-connection method publickey
	debug1: attempt 2 initial attempt 0 failures 2 initial failures 0
	debug1: test whether pkalg/pkblob are acceptable
	debug1: temporarily_use_uid: 500/1 (e=0/0)
	debug1: trying public key file /u/foo/.ssh/authorized_keys
	debug1: matching key found: file /u/foo/.ssh/authorized_keys, line 6
	Found matching DSA key: 96:5a:df:ce:c7:d7:57:7b:7b:d7:3a:b7:b2:f8:ba:22
	debug1: restore_uid: 0/0
	debug1: userauth-request for user foo service ssh-connection method publickey
	debug1: attempt 3 initial attempt 0 failures 2 initial failures 0
	debug1: temporarily_use_uid: 500/1 (e=0/0)
	debug1: trying public key file /u/foo/.ssh/authorized_keys
	debug1: matching key found: file /u/foo/.ssh/authorized_keys, line 6
	Found matching DSA key: 96:5a:df:ce:c7:d7:57:7b:7b:d7:3a:b7:b2:f8:ba:22
	debug1: restore_uid: 0/0
	debug1: ssh_dss_verify: signature correct
	Accepted publickey for foo from 192.168.1.61 port 2819 ssh2

Both Openssh and Sun's ssh permit the authorized_keys(2) file to be
specified in sshd_config, albeit with slightly differing strings.
So the surprise to me was even with both specified, that authorized_keys
would be searched for ssh2 keys.


	OpenSSH_4.0p1, OpenSSL 0.9.7e 25 Oct 2004
	% strings /usr/local/sbin/sshd | grep -i Authorized | sort -u
	.ssh/authorized_keys
	.ssh/authorized_keys2
	authorized_keys_file
	authorized_keys_file2
	authorizedkeysfile
	authorizedkeysfile2


	sshd version Sun_SSH_1.1
	% strings /usr/lib/ssh/sshd | grep -i Authorized | sort -u
	.ssh/authorized_keys
	.ssh/authorized_keys2
	authorizedkeysfile
	authorizedkeysfile2


Dave Uhring wrote:
> 
> The original version of OpenSSH from which Sun's version is derived has
> this default in /etc/ssh/sshd_config:
> 
> #AuthorizedKeysFile     .ssh/authorized_keys
> 
> Solaris 10 does not specify that file in its config.  Yet from a Linux box
> to Solaris:
..
..
0
Reply Robert 4/19/2005 8:30:41 PM

Robert Lawhead <news0000.5.unixguru@spamgourmet.com> wrote:
> Both Openssh and Sun's ssh permit the authorized_keys(2) file to be
> specified in sshd_config, albeit with slightly differing strings.
> So the surprise to me was even with both specified, that authorized_keys
> would be searched for ssh2 keys.

Yes.  A long time ago the ssh servers for v1 and v2 were split (a
separate binary was run to handle v1 connections).  It was most easily
handled by each binary having its own configuration files.  The older
v1 server wouldn't have been able to handle the v2 key format.

Once both protocols were able to be handled by a single unified server,
moving everything back to one file became reasonable.

To maintain backward compatibility, the authorized_keys2 file is still
consulted, but authorized_keys is now the preferred location for all
keys, both v1 and v2.  I'm pretty sure this has been the case for a few
years, but I have no idea when this was actually stated in the OpenSSH
docs. 

-- 
Darren Dunham                                           ddunham@taos.com
Senior Technical Consultant         TAOS            http://www.taos.com/
Got some Dr Pepper?                           San Francisco, CA bay area
         < This line left intentionally blank to confuse you. >
0
Reply Darren 4/19/2005 10:57:34 PM

On Tue, 19 Apr 2005 22:57:34 +0000, Darren Dunham wrote:

> Yes.  A long time ago the ssh servers for v1 and v2 were split (a
> separate binary was run to handle v1 connections).  It was most easily
> handled by each binary having its own configuration files.  The older
> v1 server wouldn't have been able to handle the v2 key format.

Those would have been Tatu Ylönen's version of ssh rather than OpenSSH.

> Once both protocols were able to be handled by a single unified server,
> moving everything back to one file became reasonable.

OpenSSH was first released in OpenBSD-2.6, Dec. 1999 with only v1 support.
Support for v2 within the same binary was provided in OpenBSD-2.7, Jun.
2000.

> To maintain backward compatibility, the authorized_keys2 file is still
> consulted, but authorized_keys is now the preferred location for all
> keys, both v1 and v2.  I'm pretty sure this has been the case for a few
> years, but I have no idea when this was actually stated in the OpenSSH
> docs.

From the OpenBSD CVS archive:

 Revision 1.41, Fri Jun 22 21:55:50 2001 UTC (3 years, 9 months ago) by markus
Branch: MAIN
Changes since 1.40: +1 -2 lines

merge authorized_keys2 into authorized_keys.
authorized_keys2 is used for backward compat.
(just append authorized_keys2 to authorized_keys)

0
Reply Dave 4/20/2005 2:29:17 AM

I tried this configuration but it does not work.

on /export/home/user1/.ssh
-rw-r--r--   1 user1  root         226 Apr 20 09:44 authorized_keys
-rw-r--r--   1 user1  root         226 Apr 20 09:44 authorized_keys2
-rw-------   1 user1  root         887 Apr 20 09:44 id_rsa
-rw-r--r--   1 user1  root         226 Apr 20 09:44 id_rsa.pub

on ssh_config :
HostbasedAuthentication yes

Any idea ?

Thanks a lot
NS



0
Reply ns 4/20/2005 8:26:30 AM

I started sshd with the debug option, and I have:

....
debug1: userauth-request for user user1 service ssh-connection method none
....

Any idea please ?

NS



0
Reply ns 4/20/2005 9:31:42 AM

See if you can get hold of "The Secure Shell The Definitive Guide"
by Daniel Barrett and Richard Silverman (O'Reilly, 2003).  It is
an excellent resource for ssh and has detailed information on how
to make various configurations work.  In the meantime, check that
the hosts involved have each other's public keys, and that they
are in each other's shosts.equiv file.  Also be sure that ssh-keysign
is available and is suid to the sshd user (usually root).

 From 'man ssh-keysign'...
      ssh-keysign is used by ssh(1) to access the local host keys and generate
      the digital signature required during hostbased authentication with SSH
      protocol version 2.

      ssh-keysign is disabled by default and can only be enabled in the the
      global client configuration file /etc/ssh/ssh_config by setting
      HostbasedAuthentication to "yes".

      ssh-keysign is not intended to be invoked by the user, but from ssh(1).
      See ssh(1) and sshd(8) for more information about hostbased
      authentication.

User's keys are irrelevant for hostbased auth.

- Bob

ns wrote:

> I tried this configuration but it's not work....
0
Reply Robert 4/20/2005 5:58:08 PM
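
The prerequisites listed in the post above (method enabled on both sides, the client host in shosts.equiv, its host key in ssh_known_hosts, ssh-keysign setuid) can be checked in one pass. This is an added example, not part of the original thread; the function names, the ROOT path prefix, the ssh-keysign location and the sample host names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit the hostbased-auth prerequisites.
# ROOT is a path prefix so a copy of /etc/ssh can be checked; "" = live system.

# First value of KEY in FILE; keywords are case-insensitive and the first
# occurrence wins. Simplification: Host/Match blocks are not interpreted.
cfg_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$1" 2>/dev/null
}

# Server side: sshd allows the method, shosts.equiv trusts the client host,
# and ssh_known_hosts holds that host's public key.
check_server() {    # usage: check_server ROOT CLIENT_HOSTNAME
    root=$1; client=$2; bad=0
    [ "$(cfg_value "$root/etc/ssh/sshd_config" HostbasedAuthentication)" = yes ] ||
        { echo "sshd_config: HostbasedAuthentication is not yes"; bad=$((bad + 1)); }
    awk -v h="$client" '$1 == h { ok = 1 } END { exit !ok }' \
        "$root/etc/ssh/shosts.equiv" 2>/dev/null ||
        { echo "shosts.equiv: no entry for $client"; bad=$((bad + 1)); }
    awk -v h="$client" '{ n = split($1, names, ",")
            for (i = 1; i <= n; i++) if (names[i] == h) ok = 1 }
        END { exit !ok }' "$root/etc/ssh/ssh_known_hosts" 2>/dev/null ||
        { echo "ssh_known_hosts: no host key for $client"; bad=$((bad + 1)); }
    return "$bad"
}

# Client side: ssh_config enables the method and ssh-keysign is setuid so it
# can read the private host key. KEYSIGN path varies by build (assumption).
check_client() {    # usage: check_client ROOT KEYSIGN_PATH
    root=$1; keysign=$2; bad=0
    [ "$(cfg_value "$root/etc/ssh/ssh_config" HostbasedAuthentication)" = yes ] ||
        { echo "ssh_config: HostbasedAuthentication is not yes"; bad=$((bad + 1)); }
    [ -u "$keysign" ] ||
        { echo "$keysign: missing or not setuid"; bad=$((bad + 1)); }
    return "$bad"
}

# Constructed sample tree (host name, address and key text are made up).
make_sample() {     # usage: make_sample ROOT
    mkdir -p "$1/etc/ssh" "$1/libexec"
    echo "HostbasedAuthentication yes" > "$1/etc/ssh/sshd_config"
    printf '# HostbasedAuthentication yes\nhostbasedauthentication no\n' > "$1/etc/ssh/ssh_config"
    echo "clienta.example.com" > "$1/etc/ssh/shosts.equiv"
    echo "clienta.example.com,192.0.2.10 ssh-rsa AAAAconstructedkey" > "$1/etc/ssh/ssh_known_hosts"
    : > "$1/libexec/ssh-keysign"
}
```

Each function returns the number of failed checks as its exit status. The name passed to check_server should be the one sshd obtains for the client, which by default comes from a reverse lookup of the connecting address.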

Thanks a lot Robert! I will try again

Best Regards
NS



0
Reply ns 4/21/2005 8:46:07 AM
