Pat Cornick
2007-Jun-01 13:17 UTC
Need to sftp with automatic login from 1 aix machine to another, the id on the target is a DCE(DFS) id
Hi,

I had a question and cannot find out on the web where anyone might have done this. I am sftping between one AIX machine and another using automatic login. I have created the id_rsa.pub on the source server and added it to the /.ssh/authorized_keys file on the target server. The problem we are having seems to be that because the target id is a DCE(DFS) id and its home directory is /fs/home/bondbpex instead of /home/bondbpex it can't find the /.ssh/authorized_keys file. The permissions on the .ssh directory are 700 and the authorized_keys file is 600. Is this possible to be able to do this? Thanks for any help you can give me.

/home/bondbrdg> sftp -v -v -v bondbpex@d03ftp101.boulder.ibm.com
Connecting to d03ftp101.boulder.ibm.com...
OpenSSH_4.3p2, OpenSSL 0.9.7l 28 Sep 2006
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Failed dlopen: /usr/krb5/lib/libkrb5.a(libkrb5.a.so): Could not load module /usr/krb5/lib/libkrb5.a(libkrb5.a.so). System error: No such file or directory
debug1: Error loading Kerberos, disabling Kerberos auth.
debug2: ssh_connect: needpriv 0
debug1: Connecting to d03ftp101.boulder.ibm.com [9.17.187.85] port 22.
debug1: Connection established.
debug3: Not a RSA1 key file /home/bondbrdg/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/bondbrdg/.ssh/id_rsa type 1
debug1: identity file /home/bondbrdg/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.8.1p1
debug1: match: OpenSSH_3.8.1p1 pat OpenSSH_3.*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 137/256
debug2: bits set: 493/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /home/bondbrdg/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug3: check_host_in_hostfile: filename /home/bondbrdg/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug1: Host 'd03ftp101.boulder.ibm.com' is known and matches the DSA host key.
debug1: Found key in /home/bondbrdg/.ssh/known_hosts:1
debug2: bits set: 507/1024
debug1: ssh_dss_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/bondbrdg/.ssh/id_rsa (20067368)
debug2: key: /home/bondbrdg/.ssh/id_dsa (0)
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/bondbrdg/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/bondbrdg/.ssh/id_dsa
debug3: no such identity: /home/bondbrdg/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
bondbpex@d03ftp101.boulder.ibm.com's password:

Regards,
Pat

Global Business Services Procurement Infrastructure Team
T/L 8-620-3470 (607) 429-3470
Pat Cornick/Endicott/IBM at IBMUS
cornick at us.ibm.com(Internet address IBMUSM09(CORNICK)
Peter Stuge
2007-Jun-04 19:18 UTC
Need to sftp with automatic login from 1 aix machine to another, the id on the target is a DCE(DFS) id
On Fri, Jun 01, 2007 at 09:17:39AM -0400, Pat Cornick wrote:
> The problem we are having seems to be that because the target id is
> a DCE(DFS) id and its home directory is /fs/home/bondbpex instead
> of /home/bondbpex it can't find the /.ssh/authorized_keys file.

So put authorized_keys in the correct directory then.

> The permissions on the .ssh directory are 700 and the
> authorized_keys file is 600.

That's all good. Check that the owner is correct too.

> Is this possible to be able to do this?

Yes, it works.

> /home/bondbrdg> sftp -v -v -v bondbpex@d03ftp101.boulder.ibm.com

This shows no problem. We also need sshd -ddd output from d03ft101.

//Peter
Darren Tucker
2007-Jun-04 22:11 UTC
Need to sftp with automatic login from 1 aix machine to another, the id on the target is a DCE(DFS) id
Pat Cornick wrote:
> Hi,
>
> I had a question and cannot find out on the web where anyone might have
> done this. I am sftping between one AIX machine and another using
> automatic login. I have created the id_rsa.pub on the source server and
> added it to the /.ssh/authorized_keys file on the target server. The
> problem we are having seems to be that because the target id is a
> DCE(DFS) id and its home directory is /fs/home/bondbpex instead of
> /home/bondbpex it can't find the /.ssh/authorized_keys file.

As long as getpwnam() and friends return the correct home dir that should work.

> The permissions on the .ssh directory are 700 and the authorized_keys
> file is 600. Is this possible to be able to do this? Thanks for any
> help you can give me.

Is the home directory not mounted until the user presents a Kerberos ticket or a password that can get one? If so then sshd isn't going to be able to read the authorized_keys file in the user's home dir.

What you can do is set AuthorizedKeysFile in sshd_config to point to a local filesystem (e.g. /etc/ssh/keys or something) but that's a system-wide parameter so it will affect all users. It would not be hard to make the Match keyword in recent versions support AuthorizedKeysFile but at the moment it doesn't.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
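
A check covering the two points raised in the replies above (correct owner, and a keys file that sshd can read from a local filesystem), as an added example that is not part of the thread. The per-user layout /etc/ssh/keys/%u and the function names are assumptions; the thread only suggests the directory /etc/ssh/keys.

```shell
#!/bin/sh
# Added example (not from the thread): approximate the ownership and mode
# checks sshd applies to an authorized_keys path under StrictModes.
# Assumed sshd_config line, using the directory suggested in the reply:
#   AuthorizedKeysFile /etc/ssh/keys/%u

# check_component PATH UID: PATH must be owned by UID or root and must not
# be group- or world-writable. `ls -ldn` is POSIX, so this also runs on AIX.
check_component() {
    path=$1 want_uid=$2
    info=$(ls -ldn "$path" 2>/dev/null) || { echo "unreadable: $path"; return 1; }
    # Fields of `ls -ldn`: mode string, link count, numeric owner, the rest.
    read -r mode links owner rest <<EOF
$info
EOF
    if [ "$owner" != "$want_uid" ] && [ "$owner" != 0 ]; then
        echo "bad owner (uid $owner): $path"; return 1
    fi
    case $mode in
        # 6th character is group write, 9th is world write.
        ?????w*|????????w*) echo "group/world writable ($mode): $path"; return 1 ;;
    esac
}

# check_authkeys FILE UID [STOP_DIR]: check FILE, then every directory above
# it up to STOP_DIR (default /). sshd stops at the home directory when the
# file lives under it; for a file outside home, pass nothing and walk to /.
check_authkeys() {
    file=$1 uid=$2 stop=${3:-/}
    [ -f "$file" ] || { echo "not a regular file: $file"; return 1; }
    dir=$(cd -P "$(dirname "$file")" && pwd -P) || return 1
    stop=$(cd -P "$stop" && pwd -P) || return 1
    check_component "$dir/$(basename "$file")" "$uid" || return 1
    while :; do
        check_component "$dir" "$uid" || return 1
        if [ "$dir" = "$stop" ] || [ "$dir" = / ]; then break; fi
        dir=$(dirname "$dir")
    done
    echo "ok: $file"
}

# Usage (run as root on the target; user name taken from the thread):
#   check_authkeys /etc/ssh/keys/bondbpex "$(id -u bondbpex)"
```

Running it as root matters here: if the file is only readable once the user's DFS credentials exist, the first check reports it as unreadable or missing, which is the situation described in the last reply.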