Why is password-less ssh not working?

I connected 3 data nodes in my cluster (password-less ssh is working fine on all of them) and they are working fine, but when I try to connect another data node, password-less ssh is not working on the fourth data node.

IP address of first three data nodes:

172.20.93.192 (name node)
172.20.94.189 (data node)
172.20.94.145 (data node)
172.20.94.193 (data node)

Now my fourth data node's IP address is 172.20.95.6, where password-less ssh is not working.

I am generating keys with

ssh-keygen -t rsa 

I am doing the same process for the fourth data node as for the above three data nodes, but it is not working. Why? What may be the reason?



Solution 1:[1]

I had a very similar problem today with CentOS servers. The problem turned out that the /root folder had wrong permissions. In fact, the /var/log/secure log file showed this error:

Sep  3 09:10:40 nec05 sshd[21858]: Authentication refused: bad ownership or modes for directory /root

This is what it wrongly was:

[root@nec05 ~]# ls -ld /root
drwxrwxrwx. 32 root root 4096 Sep  3 09:54 /root

Using chmod fixed it:

[root@nec05 ~]# chmod 550 /root
[root@nec05 ~]# ls -ld /root
dr-xr-x---. 32 root root 4096 Sep  3 09:54 /root

After that, passwordless login worked on this particular server.

Solution 2:[2]

More information would be required to get the "real" cause. However, here are two of the most common problems I have found that are not related to the key configuration itself (assuming that you use Linux :)):

  1. SSHD on the remote machine is configured in restricted mode for "root" and you are trying to ssh as root. SOLUTION: Copy /etc/ssh/sshd.conf from one of the working machines to the faulty one and restart the ssh server.

  2. The home folder of the user used for remote login has invalid permissions. Many default configurations for SSH daemons contain restrictions on the permissions of the user's home folder for security purposes. SOLUTION: Compare with the working nodes and fix. (Sometimes you will see a warning/error log in /var/log/messages.)

If you follow the process to integrate the keys from scratch and review the permissions for all the files involved, you should face no issues.

Please reply with the sshd.conf file as well as the logs from a remote login with -v (ssh -v IPADDR) for a better analysis.

Solution 3:[3]

I went through the same errors recently. All my file permissions are set up correctly but ssh still asks for a password. Finally I figured out it is due to one missing line in /etc/ssh/sshd_config: you should add "AuthorizedKeysFile %h/.ssh/authorized_keys", so that sshd will look for the public key file in your home dir.

After doing this the problem is gone.

Solution 4:[4]

You would have to elaborate more on your problem, i.e. whether you are using the same private-public key pair for all servers.

Secondly, you must try ssh with the -v flag; it will give you some hints, like which private key it is using for authentication and what the cause of the authentication failure is.

Thirdly, verify the permission of .ssh/authorized_keys at the server end. It should not have write permission for group or other users.

You can simply use ssh-keygen -f # to generate ssh key pair. ssh-copy-id @ #to copy public key in the server's authorized key.

Solution 5:[5]

Troubleshooting checklist. Example: Machine A passwordless login to B

  • turn off selinux on B
  • FOR BOTH A & B: make sure of correct permissions for .ssh (700) and .ssh/authorized_keys (600)
  • check on B: /etc/ssh/sshd_config: PubkeyAuthentication yes
  • check firewall on B
  • check the log /var/log/secure
  • if you've renamed id_rsa/id_rsa.pub to, for example, id_rsa_b/id_rsa_b.pub, you should do ssh -i .ssh/id_rsa_b user@MachineB

refer
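
The permission problems named in Solutions 1, 2, 4 and 5 come from the same sshd check, the one that logged "bad ownership or modes for directory /root" in Solution 1. As an added example (not part of any answer), this script applies that rule to a home directory, its .ssh folder and authorized_keys: each must be owned by the login user or root and must not be writable by group or others. The function names and the throwaway directory are constructed for the illustration.

```sh
#!/bin/sh
# check_path USER PATH: apply the ownership/mode rule to one path.
# Prints a finding and returns 1 when the path would be refused.
check_path() {
    cp_user=$1; cp_path=$2; cp_rc=0
    if [ ! -e "$cp_path" ]; then
        echo "MISSING  $cp_path"; return 1
    fi
    cp_line=$(ls -ld "$cp_path")
    cp_mode=$(printf '%s\n' "$cp_line" | cut -c1-10)
    cp_owner=$(printf '%s\n' "$cp_line" | awk '{print $3}')
    case $cp_owner in
        "$cp_user"|root) ;;
        *) echo "OWNER    $cp_path is owned by $cp_owner"; cp_rc=1 ;;
    esac
    # Characters 6 and 9 of the mode string are group-write and other-write.
    case $cp_mode in
        ?????w????|????????w?) echo "WRITABLE $cp_path has mode $cp_mode"; cp_rc=1 ;;
    esac
    return "$cp_rc"
}

# check_login_paths USER HOME: check HOME, HOME/.ssh and the key file.
# The return status is the number of paths that failed.
check_login_paths() {
    clp_bad=0
    for clp_p in "$2" "$2/.ssh" "$2/.ssh/authorized_keys"; do
        check_path "$1" "$clp_p" || clp_bad=$((clp_bad + 1))
    done
    return "$clp_bad"
}

# Constructed demo: a throwaway directory stands in for /root from Solution 1.
demo=$(mktemp -d)
mkdir "$demo/.ssh"; : > "$demo/.ssh/authorized_keys"
chmod 700 "$demo/.ssh"; chmod 600 "$demo/.ssh/authorized_keys"
owner=$(ls -ld "$demo" | awk '{print $3}')
chmod 777 "$demo"
check_login_paths "$owner" "$demo" || echo "$? path(s) would be refused"
chmod 550 "$demo"
check_login_paths "$owner" "$demo" && echo "all paths pass"
chmod 700 "$demo"; rm -rf "$demo"
```

Run on the node that still asks for a password, `check_login_paths root /root` would have reported the drwxrwxrwx directory shown in Solution 1.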

Solution 6:[6]

I am going to explain with an example: suppose there are two servers, server1 (192.168.43.21) and server2 (192.168.43.33). If you want password-less ssh between server1 and server2 where the user is admin, then follow the steps below:

  1. To install run command: yum install openssh-server openssh-clients

  2. To create ssh key run command: ssh-keygen -t rsa on server1 and server2

  3. Disable SELINUX at: vim /etc/selinux/config

    SELINUX=disabled

  4. After changing SELINUX need to reboot.

  5. Add user to AllowUsers, AllowGroups and PermitEmptyPasswords on at:

    vim /etc/ssh/sshd_config

    AllowUsers admin

    AllowGroups admin

    After update restart sshd: systemctl restart sshd

  6. Go to home directory of admin user: cd ~

  7. Go to ssh folder: cd .ssh and copy id_rsa.pub key from server1 and paste it into server2's authorized.key file of .ssh folder.

    Note: instead of copying manually we can use:

         From server2 use command: `ssh-copy-id admin@server1`

         From server1 use command: `ssh-copy-id admin@server2`

  8. Now try ssh from server1 to server2 and server2 to server1

         From server1 command: `ssh admin@server2`

         From server2 command: `ssh admin@server1`

  9. If not working then check the firewall. To check status of firewall run command: firewall-cmd --state

    If it is running then check whether the ssh port is added or not using the below command: firewall-cmd --list-all

    If the port is not added then you need to add it to the desired zone.

    If the firewall is not mandatory to be active, in that case you can stop the firewall and mask it using the below commands:

    systemctl stop firewalld

    systemctl disable firewalld

    systemctl mask --now firewalld
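
Solutions 2, 3, 5 and 6 each point at a different sshd_config directive. As an added example (not part of any answer), this script reads a config file and lists the global settings that would stop a user's key login. PermitRootLogin is assumed to be the "restricted mode for root" that Solution 2 describes, and the function names and sample configuration are constructed.

```sh
#!/bin/sh
# setting FILE KEYWORD [all]: value of KEYWORD in the global section, i.e. before
# the first Match block. sshd keeps the first occurrence of a keyword; "all"
# joins every occurrence, which is how the AllowUsers list accumulates.
setting() {
    awk -v k="$2" -v all="$3" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(k) { $1 = ""; out = out $0; if (all == "") exit }
        END { sub(/^[ \t]+/, "", out); print out }' "$1"
}

# pubkey_blockers FILE USER: print each global setting that stops USER's key
# login; the return status is the number found. AllowUsers entries are compared
# as plain names (patterns and user@host forms are not evaluated).
pubkey_blockers() {
    pb_n=0
    if [ "$(setting "$1" PubkeyAuthentication)" = no ]; then
        echo "PubkeyAuthentication no"; pb_n=$((pb_n + 1))
    fi
    pb_akf=$(setting "$1" AuthorizedKeysFile)
    case $pb_akf in
        ''|*.ssh/authorized_keys*) ;;
        *) echo "AuthorizedKeysFile $pb_akf"; pb_n=$((pb_n + 1)) ;;
    esac
    if [ "$2" = root ] && [ "$(setting "$1" PermitRootLogin)" = no ]; then
        echo "PermitRootLogin no"; pb_n=$((pb_n + 1))
    fi
    pb_allow=$(setting "$1" AllowUsers all)
    case " $pb_allow " in
        "  "|*" $2 "*) ;;
        *) echo "AllowUsers $pb_allow"; pb_n=$((pb_n + 1)) ;;
    esac
    return "$pb_n"
}

# Constructed sample configuration (not taken from the question's cluster).
sample=$(mktemp)
cat > "$sample" <<'EOF'
PubkeyAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile /etc/ssh/keys/%u
PermitRootLogin no
AllowUsers admin
AllowUsers hadoop
Match User backup
    PubkeyAuthentication yes
EOF
pubkey_blockers "$sample" root || echo "-> $? blocker(s) for root"
rm -f "$sample"
```

On a live node, `sshd -T` prints the configuration sshd actually uses, which makes it easy to compare the failing node against a working one.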

Solution 7:[7]

The method in Linux is to generate an encrypted key (either with rsa or dsa) for that user, save that key in authorized key, and assign rights to that folder and the file in it.

1: Generate key with command

ssh-keygen -t dsa -P '' -f ~/.ssh/id_dsa

Your public key has been saved in /home/username_of_pc/.ssh/id_dsa.pub

2: Add that key in authorized key.

cat ~/.ssh/id_dsa.pub >> ~/.ssh/authorized_keys

Set permissions for folder where it’s saved. If you need it on another server then simply copy it to other machine.

3: Check ssh by simply typing

    ssh localhost

It should not ask for password and only display last login time , then it’s setup correctly. Remember not to use root for ssh.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Wim Deblauwe
Solution 2 Rafael I
Solution 3 Neutron sharc
Solution 4 vishy dewangan
Solution 5 LIU YUE
Solution 6 Sheikh Wasiu Al Hasib
Solution 7 abdulhannan