From: The Derfer on 10 Dec 2009 04:00

Is the procedure for password-less SSH between 2 servers that are both using SUN SSH (NOT OpenSSH!) different than it is for OpenSSH? Per recent dictates, we've had to revert to Sun SSH where I work. (Too bad, I liked OpenSSH better.)

I follow the same procedures: generate a public key (dsa or rsa), copy it to authorized_keys2 (and/or "authorized_keys") on the server you want to access without a password, and it is always NO GO. Always prompts for a password. Is this perhaps a problem indigenous to Sun SSH?

I follow the directions (exactly) as seen on sites like:

http://www.securitydocs.com/library/3385
and
http://www.sunsolarisadmin.com/solaris-7/ssh-access-without-password-in-sun-solaris/

.... but they, along with everybody else, assume OpenSSH is in use. Anyone tried this with Sun SSH recently or ever? Does anyone have reproducible steps?

The obvious questions for me need not be asked: yes, the permissions and ownerships are right, double-checked everything ... this is the only difference I can think of.

Thanks in advance to anyone who can help.
From: Doug McIntyre on 10 Dec 2009 11:28

The Derfer <derf109(a)gmail.com> writes:
>Is the procedure for password-less SSH between 2 servers
>that are both using SUN SSH (NOT OpenSSH!) different than it is
>for OpenSSH. Per recent dictates, we've had to revert to Sun SSH
>where I work. (Too bad, I liked OpenSSH better).

You know that SunSSH is just a fork of OpenSSH with patches to make things like Sun RBAC and their ideas of privsep work correctly, right?
From: Mark Bartelt on 11 Dec 2009 11:29

[ Emil Naepflein ]
>> Check the permissions of .ssh and all files below.
>> Everything should be readable only by the owner.

Not true. Sun's ssh doesn't require this (nor does OpenSSH); for example ...

$ sed 1q /etc/release
Solaris 10 10/08 s10x_u6wos_07b X86
$
$ ls -ld $HOME $HOME/.ssh $HOME/.ssh/authorized_keys
drwxr-xr-x 5 mark mark   6 Dec  8 07:54 /export/home/mark
drwxr-xr-x 2 mark mark   5 Aug 31 11:10 /export/home/mark/.ssh
-rw-r--r-- 1 mark mark 222 Jul  1  2004 /export/home/mark/.ssh/authorized_keys
$

And this configuration lets me connect using public key authentication, with no problem.

But what _is_ important is that all three of $HOME, $HOME/.ssh, and $HOME/.ssh/authorized_keys have the "group" and "other" _write_ permissions disabled.

Dunno about Sun's SSH; but OpenSSH, at least, will refuse to try public key authentication if any of those three are writable by anybody other than the owner.
From: ITguy on 11 Dec 2009 18:57

> >> Check the permissions of .ssh and all files below.
> >> Everything should be readable only by the owner.
>
> Not true. Sun's ssh doesn't require this (nor does
> OpenSSH); for example ...

Depends entirely on your sshd_config file. Check the "StrictModes" setting.
From: Mark Bartelt on 12 Dec 2009 22:16

Um, guys, I think a bit of RTFM time would be appropriate.

First, to review: Emil Naepflein wrote ...

EN> Check the permissions of .ssh and all files below.
EN> Everything should be readable only by the owner.

.... to which I replied ...

MB> Not true. Sun's ssh doesn't require this (nor does
MB> OpenSSH); for example ...
MB>
MB> $ sed 1q /etc/release
MB> Solaris 10 10/08 s10x_u6wos_07b X86
MB> $
MB> $ ls -ld $HOME $HOME/.ssh $HOME/.ssh/authorized_keys
MB> drwxr-xr-x 5 mark mark   6 Dec  8 07:54 /export/home/mark
MB> drwxr-xr-x 2 mark mark   5 Aug 31 11:10 /export/home/mark/.ssh
MB> -rw-r--r-- 1 mark mark 222 Jul  1  2004 /export/home/mark/.ssh/authorized_keys
MB> $
MB>
MB> And this configuration lets me connect using public
MB> key authentication, with no problem.
MB>
MB> But what _is_ important is that all three of $HOME,
MB> $HOME/.ssh, and $HOME/.ssh/authorized_keys have the
MB> "group" and "other" _write_ permissions disabled.
MB>
MB> Dunno about Sun's SSH; but OpenSSH, at least, will
MB> refuse to try public key authentication if any of
MB> those three are writable by anybody other than the
MB> owner.

There were _two_ followups to this, both basically saying the same (incorrect) thing. Emil Naepflein wrote ...

EN> Then you have changed the default behaviour in sshd_config.
EN> (StrictModes)

.... and "ITguy" said basically the same thing ...

ITG> Depends entirely on your sshd_config file. Check the "StrictModes"
ITG> setting.

So, two things:

First, our "StrictModes" setting hasn't been changed from Sun's default:

$ diff /etc/ssh/sshd_config_ORIG /etc/ssh/sshd_config
76c76
< LogLevel info
---
> LogLevel verbose
119c119
< PasswordAuthentication yes
---
> PasswordAuthentication no
$

Secondly (and more important), let's look at the manpage to see what "StrictModes" actually does:

$ man sshd_config
[ ... ]
     StrictModes
             Specifies whether sshd should check file modes and ownership
             of the user's files and home directory before accepting
             login. This is normally desirable because novices sometimes
             accidentally leave their directory or files world-writable.
             The default is yes.

Note the reference to "world-writable". This is what the "StrictModes" keyword controls: whether sshd will check whether the _write_ permission of $HOME, $HOME/.ssh, and $HOME/.ssh/authorized_keys is correct (where "correct" is "not enabled"). Nothing, either in the documentation or in the observed behaviour, suggests that anything needs to be set either non-world-readable or non-group-readable. Mode 0755 for the directories and 0644 for authorized_keys is perfectly fine.
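A script that reproduces the ownership and write-bit check the thread attributes to StrictModes, so an administrator can tell before looking at sshd logs whether $HOME, ~/.ssh or ~/.ssh/authorized_keys would be rejected. This is an added example and not code from any poster; the function name strict_modes_check and the throwaway directory it is run on are constructed for the illustration, and it checks only what the thread describes (owner plus group/other write bits, never read bits).

```shell
#!/bin/sh
# Mimics the check sshd makes under StrictModes before it will consider
# ~/.ssh/authorized_keys: each of the three paths must belong to the user
# and must not be group- or world-writable. Read bits are deliberately NOT
# checked, so 0755 directories and a 0644 authorized_keys pass.
# Usage: strict_modes_check HOME_DIR OWNER   -> returns 0 if OK, 1 otherwise
strict_modes_check() {
    _home="$1"; _owner="$2"; _rc=0
    for _p in "$_home" "$_home/.ssh" "$_home/.ssh/authorized_keys"; do
        if [ ! -e "$_p" ]; then
            echo "missing: $_p"; _rc=1; continue
        fi
        _ls=$(ls -ld "$_p")
        # In the ls mode string, column 6 is the group write bit and
        # column 9 the other write bit; field 3 is the owner.
        _gw=$(printf '%s' "$_ls" | cut -c6)
        _ow=$(printf '%s' "$_ls" | cut -c9)
        _who=$(printf '%s' "$_ls" | awk '{print $3}')
        if [ "$_gw" = "w" ] || [ "$_ow" = "w" ]; then
            echo "group/other writable (StrictModes would reject): $_p"; _rc=1
        fi
        if [ "$_who" != "$_owner" ]; then
            echo "owned by $_who, not $_owner: $_p"; _rc=1
        fi
    done
    return $_rc
}

# Constructed demo on a temporary directory, not a real account's home.
demo_home=$(mktemp -d)
me=$(id -un 2>/dev/null || id -u)
mkdir "$demo_home/.ssh"
: > "$demo_home/.ssh/authorized_keys"
chmod 755 "$demo_home"
chmod 777 "$demo_home/.ssh"                 # the classic mistake
chmod 644 "$demo_home/.ssh/authorized_keys"
strict_modes_check "$demo_home" "$me" && echo "unexpected pass" || echo "rejected, as sshd would"
chmod 755 "$demo_home/.ssh"                 # still world-readable; only the write bits mattered
strict_modes_check "$demo_home" "$me" && echo "accepted with 0755 dirs and 0644 authorized_keys"
rm -rf "$demo_home"
```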