I have a shell login on host cheddar.halon.org.uk, while I was away for a few days recently (that bit's irrelevant really), cheddar.halon.org.uk was (presumably) moved to a new machine and thus its host key changed.
So, when I came home, my passwordless login to cheddar.halon.org.uk failed with the usual ssh message about 'host key has changed', maybe a man in the middle attack, etc.
I removed the relevant line from ~/.ssh/known_hosts, logged in again, the correct line was added to ~/.ssh/known_hosts and all was well again, or so I thought.
However, it doesn't all work again as it did:-
While ssh logins to cheddar.halon.org.uk from terminal windows on my GUI desktop are passwordless, logins from shell console terminals (i.e. CTRL/ALT/n ones) ask for my password at cheddar.halon.org.uk (N.B. they don't ask for the passphrase to my key, it's the cheddar.halon.org.uk password that is asked for). I'm sure these used to work.
More to the point my rsync backup to cheddar.halon.org.uk that runs as a cron job has also stopped working, it's expecting a passwordless login to cheddar.halon.org.uk but like the ssh login from a console it's failing because cheddar.halon.org.uk is asking for a password.
So both the above problems point at some sort of screw up with ssh_agent but it's complicated by the following:-
The file ~/.ssh/config contains:-
Host cheddar.halon.org.uk
    IdentityFile ~/.ssh/np_id_rsa
and ~/.ssh/np_id_rsa and ~/.ssh/np_id_rsa.pub haven't changed so why isn't it being used?
Any ideas as to what else might have been affected by the host key change at cheddar.halon.org.uk? It's possible some previous misconfiguration was masking something such that the passwordless login was working for some other reason than the config file above but I still need to sort it out.
Chris G wrote:
I have a shell login on host cheddar.halon.org.uk, while I was away for a few days recently (that bit's irrelevant really), cheddar.halon.org.uk was (presumably) moved to a new machine and thus its host key changed. So, when I came home, my passwordless login to cheddar.halon.org.uk failed with the usual ssh message about 'host key has changed', maybe a man in the middle attack, etc. I removed the relevant line from ~/.ssh/known_hosts, logged in again, the correct line was added to ~/.ssh/known_hosts and all was well again, or so I thought. However, it doesn't all work again as it did:- Any ideas as to what else might have been affected by the host key change at cheddar.halon.org.uk? It's possible some previous misconfiguration was masking something such that the passwordless login was working for some other reason than the config file above but I still need to sort it out.
This might be just a case that the remote system no longer has a copy of your public key(s) in an authorized_keys file for your user. Passwordless login relies on the copying of the contents of, for instance, local:~/.ssh/id_rsa.pub to remote:~/.ssh/authorized_keys on the remote system (there can be many of these keys in that one file). It's not unreasonable to think that these files have been missed (or even deliberately not copied) on migration.
Another option is that an existing (remote) authorized_keys has had its permissions changed away from 600 to something else (ssh will, depending upon configuration, disallow passwordless connections unless this file is only owned by the user).
Hope that helps,
Simon
On Sun, Mar 06, 2011 at 11:02:20PM +0000, Simon Ransome wrote:
Chris G wrote:
I have a shell login on host cheddar.halon.org.uk, while I was away for a few days recently (that bit's irrelevant really), cheddar.halon.org.uk was (presumably) moved to a new machine and thus its host key changed. So, when I came home, my passwordless login to cheddar.halon.org.uk failed with the usual ssh message about 'host key has changed', maybe a man in the middle attack, etc. I removed the relevant line from ~/.ssh/known_hosts, logged in again, the correct line was added to ~/.ssh/known_hosts and all was well again, or so I thought. However, it doesn't all work again as it did:- Any ideas as to what else might have been affected by the host key change at cheddar.halon.org.uk? It's possible some previous misconfiguration was masking something such that the passwordless login was working for some other reason than the config file above but I still need to sort it out.
This might be just a case that the remote system no longer has a copy of your public key(s) in an authorized_keys file for your user. Passwordless login relies on the copying of the contents of, for instance, local:~/.ssh/id_rsa.pub to remote:~/.ssh/authorized_keys on the remote system (there can be many of these keys in that one file). It's not unreasonable to think that these files have been missed (or even deliberately not copied) on migration.
It's not that, all my files under .ssh are still there.
Another option is that an existing (remote) authorized_keys has had its permissions changed away from 600 to something else (ssh will, depending upon configuration, disallow passwordless connections unless this file is only owned by the user).
That's a possibility of course, I'll check.
On Sun, Mar 06, 2011 at 12:45:21PM +0000, Chris G wrote:
Any ideas as to what else might have been affected by the host key change at cheddar.halon.org.uk? It's possible some previous misconfiguration was masking something such that the passwordless login was working for some other reason than the config file above but I still need to sort it out.
Try doing ssh -v and -vv and -vvv to see if it tells you what the problem is. Each -v raises the verbosity, I've kicked myself before for stupid mistakes that have been revealed quickly like that.
Adam
At Sun, 6 Mar 2011 12:45:21 +0000, Chris G wrote:
While ssh logins to cheddar.halon.org.uk from terminal windows on my GUI desktop are passwordless
Have you logged in to your desktop environment since the host key change? Is it possible that some component of your desktop environment is caching some old key that still works? And that logging out and in again (to your DE) may stop SSH logins using your publickey from working?
logins from shell console terminals (i.e. CTRL/ALT/n ones) ask for my password at cheddar.halon.org.uk (N.B. they don't ask for the key to my passphrase, it's the cheddar.halon.org.uk password that is asked for). I'm sure these used to work.
For ssh, you can explicitly set the identity to use with -i. And you can test setting PasswordAuthentication to No using -o.
More to the point my rsync backup to cheddar.halon.org.uk that runs as a cron job has also stopped working, it's expecting a passwordless login to cheddar.halon.org.uk but like the ssh login from a console it's failing because cheddar.halon.org.uk is asking for a password.
Did this used to work using ssh-agent? The only way I've ever found to make my ssh-agent-dependent cron jobs work is to set SSH_AUTH_SOCK as part of the cron job, e.g.:
SSH_AUTH_SOCK="$(find /tmp/ssh*/ -type s -user richard -group richard -name 'agent*' | head -n 1)" cmd...
So both the above problems point at some sort of screw up with ssh_agent but it's complicated by the following:-
The file ~/.ssh/config contains:-
Host cheddar.halon.org.uk
    IdentityFile ~/.ssh/np_id_rsa
and ~/.ssh/np_id_rsa and ~/.ssh/np_id_rsa.pub haven't changed so why isn't it being used?
A last resort, of course, would be to generate a new ID.
Best, Richard
On Sun, Mar 06, 2011 at 11:29:53PM +0000, Richard Lewis wrote:
Chris G wrote:
More to the point my rsync backup to cheddar.halon.org.uk that runs as a cron job has also stopped working, it's expecting a passwordless login to cheddar.halon.org.uk but like the ssh login from a console it's failing because cheddar.halon.org.uk is asking for a password.
Did this used to work using ssh-agent? The only way I've ever found to make my ssh-agent-dependent cron jobs work is to set SSH_AUTH_SOCK as part of the cron job, e.g.:
SSH_AUTH_SOCK="$(find /tmp/ssh*/ -type s -user richard -group richard -name 'agent*' | head -n 1)" cmd...
It's all a bit more complicated than that as it turns out.
My original intent was that the passphraseless key should allow *only* rsync and that there was another key (with a passphrase) for logging in and doing things.
I *had* a file ~/.ssh/config (now removed) which had a specific Host entry for cheddar.halon.org.uk that set the IdentityFile to one without a key just for the rsync. However I had obviously screwed something up completely in my original configuration such that the rsync backup wasn't using the passphraseless key, it was using (presumably) the ssh-agent environment. I also had the format of the authorized_keys file wrong such that the rsync didn't work if it attempted to use the passphraseless key.
In addition it appears that if you have a ~/.ssh/config file with a specific host setting for an IdentityFile in it then *only* that identity will be used so again my original set-up couldn't work.
So, to sort all this out I have fixed the passphraseless entry in ~/.ssh/authorized_keys to have:-
command="rsync --server -vlogDtpr backups",no-pty,no-port-forwarding
in front of it. When I first tried setting this up I hadn't realised that it required this full rsync command rather than just 'command="rsync"' so, as I said, my original set-up could never have worked as intended.
I now have a completely normal ssh (with ssh-agent and key with passphrase) for normal ssh login access to cheddar.halon.org.uk. My backup script has:-
export RSYNC_RSH="ssh -i /home/chris/.ssh/np_id_rsa"
rsync ......
so that it picks up and uses the passphraseless key and thus uses the 'rsync only' authorized_keys entry at cheddar.halon.org.uk.
Phew! :-)
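The restricted authorized_keys entry the thread settles on, as an added example that is not any poster's code: it builds the rsync-only line from a public key file, checks that an entry really carries the forced command and both restrictions, verifies the 600 mode the earlier reply mentions, and counts entries that would still grant a full shell. The key material and paths are constructed for the demonstration.

```shell
#!/bin/sh
# Example for the thread above (not any poster's code). Key text and the
# temporary directory are constructed; "backups" is the module dir from the thread.

# Print the public key in PUBKEY_FILE prefixed with options that confine it to
# one "rsync --server" invocation, with no pty and no port forwarding.
restrict_key_line() {
    pubkey_file=$1 backup_dir=$2
    key_line=$(head -n 1 "$pubkey_file")
    printf 'command="rsync --server -vlogDtpr %s",no-pty,no-port-forwarding %s\n' \
        "$backup_dir" "$key_line"
}

# Return 0 only if LINE forces an rsync server command AND has both restrictions.
key_is_rsync_only() {
    case $1 in *'command="rsync --server '*) ;; *) return 1 ;; esac
    case $1 in *no-pty*) ;; *) return 1 ;; esac
    case $1 in *no-port-forwarding*) ;; *) return 1 ;; esac
    return 0
}

# Return 0 if FILE is mode 600 (owner read/write only), the mode sshd expects
# for authorized_keys under StrictModes. Uses ls -l so it needs no GNU stat.
file_is_0600() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Count entries in an authorized_keys FILE that are not rsync-only: each one
# gives whoever holds the matching private key an unrestricted login.
count_unrestricted_keys() {
    n=0
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac   # skip blanks and comments
        key_is_rsync_only "$line" || n=$((n + 1))
    done < "$1"
    printf '%s\n' "$n"
}

demo() {
    dir=$(mktemp -d)
    # Constructed public key, not a real one; the comment records its purpose.
    echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructed== chris@laptop rsync-only' \
        > "$dir/np_id_rsa.pub"
    restrict_key_line "$dir/np_id_rsa.pub" backups > "$dir/authorized_keys"
    chmod 600 "$dir/authorized_keys"
    file_is_0600 "$dir/authorized_keys" && echo "authorized_keys mode ok"
    echo "unrestricted entries: $(count_unrestricted_keys "$dir/authorized_keys")"
    rm -rf "$dir"
}
demo
```

On the client, the same key is selected with `ssh -i /home/chris/.ssh/np_id_rsa` via RSYNC_RSH as in the final message; the server-side options are what stop that passphraseless key from being usable for anything but the backup.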