Re: rlogin without a password



Long time no hear!

On Thu, May 02, 2002 at 09:25:47AM +0100, Dougie Nisbet wrote:
> On Wednesday 01 May 2002 11:47 pm, David Z Maze wrote:
> 
> > Run ssh-keygen(1) to generate a public/private keypair.  These should
> > wind up in $HOME/.ssh, as identity and identity.pub.  Use scp to copy
> > the identity.pub file to the target machine, and cat it on to the end
> > of $HOME/.ssh/authorized_keys.  (It's possible that you might not have
> > a .ssh directory; if not, create it, and run 'chmod 0700 .ssh'.)
> >
> > Now, when you log in, make sure you're running an ssh-agent(1)
> > process.  (This happens by default when you log in to X, I believe.)
> > Run ssh-add(1); this will prompt you for the pass-phrase for the ssh
> > key, and register it with the agent.  Now when you run ssh, it will
> > get the private key from the agent and use that to authenticate you to
> > the remote machine (with no password).
> 
> Thanks for the quick guide. I decided to apt-get remove anything that 
> remotely resembled anything to do with ssh, and start again. I also manually 
> removed /etc/ssh* and ~/.ssh* as they affected the behaviour of ssh. 
> 
> Then I did apt-get install ssh, and immediately I'm confused. The output was:
> 
> 	root@guestw:~# apt-get install ssh
> 	Reading Package Lists... Done
> 	Building Dependency Tree... Done
> 	The following NEW packages will be installed:
> 	  ssh 
> 	  0 packages upgraded, 1 newly installed, 0 to remove and 0  not upgraded.
> 	  Need to get 0B/600kB of archives. After unpacking 1352kB will be used.
> 	  Preconfiguring packages ...
> 	  Selecting previously deselected package ssh.
> 	  (Reading database ... 69032 files and directories currently installed.)
> 	  Unpacking ssh (from .../ssh_1%3a3.0.2p1-9_i386.deb) ...
> 	  Setting up ssh (3.0.2p1-9) ...
> 	  Creating SSH2 RSA key
> 	  Creating SSH2 DSA key
> 	  Restarting OpenBSD Secure Shell server: sshd.
> 
> That looks to me like it's installing ssh2, and not ssh. I'm not sure of what 
> the differences are, but I'm not sure what I've got installed; ssh, or ssh2, 
> or both, and whether that is important.

A bit of confusion here: There are different implementations of ssh;
openssh (which I suspect most would recommend here. In Debian it's just
the ssh package) and a few proprietary varieties as well. Each of them
has its own version numbering scheme, and they are unlikely to be in sync.

You ended up with ssh (=openssh) version 3.0.2. Good.

There are also (at least) 2 versions of the ssh *protocol* (yes; you
guessed it: version 1 and version 2). The version 2 protocol lacks a
couple of (minor) security holes in protocol version 1 (don't ask me
which ones).

The different versions of the protocol use different key types; what
happened for you was that it generated the version 2 host keys in the
set-up (which is good).

> Curiously, the output of installing it on the laptop is slightly different. 
> It appears to have set a SSH1 key. (NB: The laptop is 'vaiow', the server is 
> 'guestw'). The output from installing on the laptop is:
> 
> 
> 	root@vaiow:~# apt-get install ssh
> 	Reading Package Lists... Done
> 	Building Dependency Tree... Done
> 	The following NEW packages will be installed:
> 	  ssh 
> 	0 packages upgraded, 1 newly installed, 0 to remove and 0  not upgraded.
> 	Need to get 0B/600kB of archives. After unpacking 1352kB will be used.
> 	Preconfiguring packages ...
> 	Selecting previously deselected package ssh.
> 	(Reading database ... 61637 files and directories currently installed.)
> 	Unpacking ssh (from .../ssh_1%3a3.0.2p1-9_i386.deb) ...
> 	Setting up ssh (3.0.2p1-9) ...
> 	Creating SSH1 key
> 	Creating SSH2 RSA key
> 	Creating SSH2 DSA key
> 	Restarting OpenBSD Secure Shell server: sshd
> 
> Notice the extra line: 'Creating SSH1 key'

!? Perhaps you didn't purge everything? As far as I can see from
/var/lib/dpkg/info/ssh.postinst this should be dependent on answers
given during configuration. Those answers are stored by debconf, which
you presumably didn't purge. (Some day I've got to find out where it is!
RTFM time).

I presume that
    # dpkg-reconfigure --priority=low ssh

would walk you through *all* of the config questions, rather than just
the never-asked-before ones (which is the default).

> I then use ssh-keygen to create my public/private pairs, and scp the public 
> to guestw. I cat it to the end of authorized keys. guestw looks like this:
> 
> 	dougie@guestw:~$ ls -ld .ssh
> 	drwx--S---    2 dougie   dougie       4096 May  2 09:01 .ssh
> 	dougie@guestw:~$ ls -l .ssh
> 	total 16
> 	-rwx------    1 dougie   dougie        995 May  2 09:01 authorized_keys
> 	-rw-------    1 dougie   dougie        528 May  2 08:34 identity
> 	-rw-r--r--    1 dougie   dougie        332 May  2 08:34 identity.pub
> 	-rw-r--r--    1 dougie   dougie        455 May  2 09:01 known_hosts
> 
> 	dougie@guestw:~$ ps -ef | grep agent
> 	dougie     361   332  0 08:52 ?        00:00:00 /usr/bin/ssh-agent
> 							x-session-manager
> 
> 
> I had a bit of a problem initially with ssh-agent, as it has to be run on the 
> machine itself. So I have to run around the house to go to each PC and type 
> it in, rather than from a telnet session. i.e. The telnet session produces:
> 	dougie@guestw:~$ ssh-add
> 	Could not open a connection to your authentication agent.

!?

You should only need ssh-agent running on the machine where *you* sit.
However, for processes to talk to ssh-agent, they need a couple of
environment variables and whathaveyou. I put this in my ~/.xsession
    
    eval $( ssh-agent )

(where to put this depends on how you start X. My gdm is set up to use
xsession for me. I like the control).

This ensures that anything I start will inherit the correct environment.
I still have to ssh-add my keys in (and type my passphrase), but that's
only once per login (= 3-4 weeks in my case)

Provided:
- the ssh-agent is running
- your shell has the correct environment variables set
- you have ssh-add'ed your key
- your public key is in target-machine:~somebody/.ssh/authorized_keys

then you should be able to ssh to target-machine without being bothered
by passphrases or passwords. Straight in.

> [ Debug snipped ]
> 
> 
> So close, but no cigar! My reading of the output is that it's using SSH2, and 
> it won't find the keys: /home/dougie/.ssh/id_rsa. These look like SSH2 files. 
> But I have just done apt-get install ssh, so I'm not sure what I've got 
> installed, or what the difference is.

Yep. I had the same problem once upon a time. Look into the -t option on
ssh-keygen and use either 'rsa' or 'dsa'. It *is* inconsistent that
everybody recommends ssh protocol version 2, but the default for
ssh-keygen is to generate version 1 keys...


-- 
Karl E. Jørgensen
karl@jorgensen.com
www.karl.jorgensen.com
==== Today's fortune:
There are 3 kinds of people: those who can count & those who can't.
	-- Unknown source
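
The preconditions listed in the message above, written as a shell check. This is an added example, not part of the original message and not an OpenSSH tool; the function names and status words are made up for illustration. It assumes protocol 2 public key lines ("type blob comment") and sshd's default StrictModes behaviour.

```shell
#!/bin/sh
# Added example: function names and status words are illustrative only.

# agent_status: print ok | no-keys | no-agent for the current shell.
agent_status() {
    # ssh-agent announces itself through SSH_AUTH_SOCK; a shell that did not
    # inherit it (for instance a fresh remote login) cannot reach the agent.
    if [ -z "${SSH_AUTH_SOCK:-}" ] || [ ! -S "$SSH_AUTH_SOCK" ]; then
        echo no-agent; return 1
    fi
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo ok ;;
        1) echo no-keys; return 1 ;;   # agent reachable, nothing ssh-add'ed
        *) echo no-agent; return 1 ;;  # 2 = agent could not be contacted
    esac
}

# writable_by_others PATH: succeeds if group or other may write to PATH.
writable_by_others() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# target_status HOME PUBKEY: print ok | missing | bad-perms | not-authorized
# for the account on the target machine whose home directory is HOME.
target_status() {
    dir=$1/.ssh; auth=$dir/authorized_keys
    for p in "$1" "$dir" "$auth"; do
        if [ ! -e "$p" ]; then echo missing; return 1; fi
        # With StrictModes (the sshd default), a group- or world-writable
        # home, .ssh or authorized_keys makes sshd ignore the key file.
        if writable_by_others "$p"; then echo bad-perms; return 1; fi
    done
    # Protocol 2 public key line: "<type> <base64 blob> [comment]"
    blob=$(awk 'NR == 1 { print $2 }' "$2")
    if [ -n "$blob" ] && grep -qF -- "$blob" "$auth"; then
        echo ok
    else
        echo not-authorized; return 1
    fi
}
```

Run agent_status in the shell you ssh from, and target_status "$HOME" with a copy of the public key on the target machine.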
