
Wednesday, March 11, 2015

ssh troubles



[Q] Why does passwordless ssh login still ask for the user password?


-->
* ssh -v
* chk local, .ssh folder permission is 700
* cat /var/log/auth.log
* cat /var/log/security
[??? cat: /var/log/security: No such file or directory; on Red Hat-family systems the sshd log is /var/log/secure]

* chk remote, ~/.ssh/authorized_keys file permission is 400 or 600
* chk local, private key file is 600

* chk spelling of filename, 'authorized_keys' file, and /etc/ssh/sshd_config

* chk the user login shell by
$ cat /etc/passwd |grep username
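
The permission items from the checklist above as an added shell example (not part of the original post): it compares ~/.ssh, authorized_keys and the private key against the modes listed. The function names are hypothetical, and accepting 400 for the private key is an assumption beyond the checklist.

```shell
#!/bin/sh
# Added example: audit the permission items from the checklist above.
# Paths follow OpenSSH defaults; the function names are hypothetical.

# Print the octal mode of a path (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# check_mode PATH ALLOWED...  -> returns 0 if PATH's mode is one of ALLOWED.
check_mode() {
    path=$1; shift
    if [ ! -e "$path" ]; then
        echo "MISSING $path"
        return 1
    fi
    actual=$(mode_of "$path")
    for want in "$@"; do
        if [ "$actual" = "$want" ]; then
            echo "OK      $path ($actual)"
            return 0
        fi
    done
    echo "BAD     $path is $actual, expected: $*"
    return 1
}

# Remote side: run as the account you log in to. $1 = that account's home.
audit_server_side() {
    rc=0
    check_mode "$1/.ssh" 700 || rc=1
    check_mode "$1/.ssh/authorized_keys" 400 600 || rc=1
    return "$rc"
}

# Local side: $1 = home directory, $2 = private key file passed to ssh -i.
# Assumption: 400 is accepted too; ssh only refuses group/other-accessible keys.
audit_client_side() {
    rc=0
    check_mode "$1/.ssh" 700 || rc=1
    check_mode "$2" 400 600 || rc=1
    return "$rc"
}

# Usage: sh audit.sh server | sh audit.sh client [keyfile]
case "${1:-}" in
    server) audit_server_side "$HOME" ;;
    client) audit_client_side "$HOME" "${2:-$HOME/.ssh/id_rsa}" ;;
esac
```

Run the server check on the remote host as the target account and the client check on the machine you connect from; any BAD or MISSING line is a candidate reason for the password prompt.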


//=== change the login shell for a certain user

* change the /etc/passwd file directly
or
$ chsh -s /bin/bash username

Then log in and log out


//=== /etc/ssh/sshd_config
* PermitRootLogin

The argument must be “yes”, “without-password”, “forced-commands-only”, or “no”.
*** The default is “yes”.
[since OpenSSH 7.0 the default is “prohibit-password”, the newer name for “without-password”]

“without-password” disables password authentication for root,
so root can log in only with public key authentication.


* AllowUsers root user1 user2 user3

Any user other than the ones listed above who tries to log in via SSH would receive the error message:
"Roaming not allowed by server"


* PermitEmptyPasswords no
http://stackoverflow.com/a/14421105/758174
??? make sure the account you are trying to ssh to is a user with a password on the remote server

* UsePAM
ssh fails to log in because a PAM rule check fails
* chk /etc/pam.d/sshd for the rules applied
* a common problem is a user without a password
[compare /etc/passwd with /etc/shadow]
[chk your /etc/nsswitch.conf and /etc/pam.d/* to see the auth source]
* missing home directory,
* missing some extra auth configuration
* UID too low or too high



//=== ssh -v
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password
git@172.187.0.40's password:
debug1: Authentications that can continue: publickey,password

...




//=== https://www.cs.utah.edu/~bigler/code/sshkeys.html

"... One of the login modes of ssh is to use an SSH key pair.
A key pair is made up of both a private and a public key.
The private key is kept on your local machine while your
public key is what you distribute to ...

There are a few flavors of keys you can generate,
rsa1 (for SSH1), dsa (SSH2), or rsa (SSH2).

According to my IT guy he likes DSA.
You can (and should) associate a password with your key pair ..."
[not the user account password, just a challenge password for the key pair]

"...
You can also vary the number of bits used for the key...
I was recommended to use 2048 bits.
..."

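$ ssh-keygen -t dsa -b 2048
[current ssh-keygen rejects this: DSA keys must be exactly 1024 bits, and OpenSSH 7.0 and later disable DSA (ssh-dss) keys by default, so -t rsa -b 2048 is the working equivalent]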




//=== ssh2.pem is just an example for private key filename
xxxx $ scp -i ssh2.pem ./* xyz.com:workspaces/data/
-->
$ scp -i ssh2.pem * username@xyz.com:workspaces/data/


xxxx $ ssh -i privkey xyz.com
-->
$ ssh -i privkey username@xyz.com

[if username@ is omitted, the current user of the local machine shell will be used ...]
