ssh publickey passwordless doesn't work with Fedora 7, 8

#1 qianglu, 13th November 2007, 11:40 PM

Sorry for using a big title. I can set up the passwordless publickey
ssh on Fedora 4. But cannot on Fedora 7 and 8.

The routine method is described as follows:

local:
ssh-keygen -t dsa
and enter no password to generate id_dsa and id_dsa.pub
cat the id_dsa.pub to the server's authorized_keys
chmod 400 id_dsa id_dsa.pub locally
chmod 600 authorized_keys on the server
The .ssh directory has mode 700

The sshd_config is the same as the one on Fedora 4 server which can access the
passwordless publickey login. Also tried many different options in sshd_config.

did /etc/init.d/sshd restart

The ssh -vvv server gives

debug1: Next authentication method: publickey
debug1: Trying private key: /Users/qianglu/.ssh/identity
debug3: no such identity: /Users/qianglu/.ssh/identity
debug1: Trying private key: /Users/qianglu/.ssh/id_rsa
debug3: no such identity: /Users/qianglu/.ssh/id_rsa
debug1: Offering public key: /Users/qianglu/.ssh/id_dsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password

No response in /var/log/messages

Just wondering whether it has anything to do with the LDAP authentication.

Any help would be appreciated.

#2 cicatrix1, 14th November 2007, 01:23 AM
I had it working fine in FC7. I recently upgraded it to 8 and haven't put my backups back in place, however. I'll let you know how it looks in 8. I remember just following standard guides to get it to work in 7. The only thing I see as different is that my authorized_keys file is under my user's ~/.ssh directory.

#3 zilch321, 14th November 2007, 03:09 AM
Name the file .ssh/authorized_keys2. See if that fixes it.

#4 zilch321, 14th November 2007, 03:15 AM
Also, look in /var/log/security. You'll have better luck with auth issues searching that log.

#5 icydog, 14th November 2007, 04:16 AM
It seems like your client is working properly, but the server isn't accepting the key for some reason. Can you post sshd_config?

#6 qianglu, 14th November 2007, 04:30 AM
Thank you so much for so many quick replies.

The uncommented sshd_config options are as follows:

SyslogFacility AUTHPRIV
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
X11Forwarding yes
Subsystem sftp /usr/libexec/openssh/sftp-server
########################################

Tried .ssh/authorized_keys2, didn't work.
The authorized_keys was in ~/.ssh

The server doesn't have /var/log/security but it has /var/log/secure
which has no change just after ssh from client before typing password.

#7 icydog, 14th November 2007, 07:20 AM
That's weird... I have the same options set on F8 and it works fine. Does /var/log/messages have anything about SELinux?

#8 qianglu, 14th November 2007, 05:23 PM
Thanks to icydog, I found the reason. Once I switch SELinux to permissive,
I can ssh without a password. But I got the following SELinux message.
After I switch SELinux back to enforcing, I cannot ssh without a password.
So the problem becomes how to label the file system.

Summary
SELinux is preventing access to files with the label, file_t.

Detailed Description
SELinux permission checks on files labeled file_t are being denied. file_t
is the context the SELinux kernel gives to files that do not have a label.
This indicates a serious labeling problem. No files on an SELinux box should
ever be labeled file_t. If you have just added a new disk drive to the
system you can relabel it using the restorecon command. Otherwise you
should relabel the entire files system.

Allowing Access
You can execute the following command as root to relabel your computer
system: "touch /.autorelabel; reboot"

Additional Information

Source Context           system_u:system_r:sshd_t:s0-s0:c0.c1023
Target Context           system_u:object_r:file_t:s0
Target Objects           None [ dir ]
Affected RPM Packages    openssh-server-4.7p1-2.fc8 [application]
Policy RPM               selinux-policy-3.0.8-47.fc8
Selinux Enabled          True
Policy Type              targeted
MLS Enabled              True
Enforcing Mode           Permissive
Plugin Name              plugins.file
Host Name                dh051-116.chem.sunysb.edu
Platform                 Linux dh051-116.chem.sunysb.edu 2.6.23.1-49.fc8 #1 SMP Thu Nov 8 21:41:26 EST 2007 i686 i686
Alert Count              11
First Seen               Tue 13 Nov 2007 10:24:28 AM EST
Last Seen                Wed 14 Nov 2007 11:57:42 AM EST
Local ID                 07d92b16-7ef5-4544-b32f-4edbfaf02ff4
Line Numbers

Raw Audit Messages

avc: denied { search } for comm=sshd dev=dm-0 egid=500 euid=500
exe=/usr/sbin/sshd exit=-2 fsgid=500 fsuid=500 gid=0 items=0 name=.ssh pid=2910
scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 suid=0 tclass=dir
tcontext=system_u:object_r:file_t:s0 tty=(none) uid=0

Last edited by qianglu; 14th November 2007 at 06:21 PM.

#9 icydog, 15th November 2007, 04:45 PM
I think doing "touch /.autorelabel; reboot" will fix the problem. It seems like maybe the root is labeled incorrectly or something?

#10 qianglu, 15th November 2007, 04:50 PM
After relabeling the file system, the problem was gone. Now ssh logs in normally.
Thanks for the help.
Reply With Quote
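
The diagnosis reached in posts #8 to #10, as an added example that is not part of the original thread: a POSIX shell triage of AVC denial records that separates unlabeled targets (file_t), which call for a relabel, from ordinary policy denials. The function names are hypothetical, and the sample record is the raw audit message from post #8 rejoined onto one line.

```shell
#!/bin/sh
# Added example: triage SELinux AVC denials and flag unlabeled targets.
# Constructed sample: the raw audit message from post #8, rejoined onto one line.
SAMPLE_AVC='avc: denied { search } for comm=sshd dev=dm-0 egid=500 euid=500 exe=/usr/sbin/sshd exit=-2 fsgid=500 fsuid=500 gid=0 items=0 name=.ssh pid=2910 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 sgid=0 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 suid=0 tclass=dir tcontext=system_u:object_r:file_t:s0 tty=(none) uid=0'

# avc_field KEY RECORD: value of the first KEY=value token, quotes stripped.
avc_field() {
    printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^$1=//p" | head -n 1 | tr -d '"'
}

# avc_perms RECORD: the denied permissions listed inside "{ ... }".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*[^ }]\) *}.*/\1/p'
}

# avc_type CONTEXT: the SELinux type, third field of user:role:type:level.
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_triage RECORD: print a one-line verdict.
# Returns 1 for an unlabeled target, 0 for any other denial, 2 for non-AVC input.
avc_triage() {
    rec=$1
    case $rec in
        *avc:*denied*) ;;
        *) echo "SKIP: not an AVC denial"; return 2 ;;
    esac
    src=$(avc_type "$(avc_field scontext "$rec")")
    tgt=$(avc_type "$(avc_field tcontext "$rec")")
    what="$src denied { $(avc_perms "$rec") } on $(avc_field tclass "$rec") '$(avc_field name "$rec")' ($tgt)"
    # file_t means the object carries no label at all; later policies report
    # unlabeled_t for the same condition. The fix is relabeling, not new policy.
    case $tgt in
        file_t|unlabeled_t) echo "UNLABELED: $what -> relabel (restorecon or /.autorelabel)"; return 1 ;;
    esac
    echo "POLICY: $what"
}

# Demo on the sample record; the non-zero status marks the unlabeled target.
avc_triage "$SAMPLE_AVC" || true
```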