Mailing List Archive

password prompt, but pki auth working!?...
My head hurts!

Can anyone help me with what follows - it shows ssh working with pki
auth in all the permutations I thought might be possible, but lastly
this command prompts for a password:
# ssh -t rsync@192.168.1.40 sudo rsync -avzAXHn --delete-after
root@192.168.1.100:/etc /media/bigdisk/morgansmachine/etc
...
Permission denied (publickey,gssapi-with-mic,password).


[root@morgansoldmachine /]# ssh rsync@192.168.1.40
Last login: Sun Feb 15 20:29:39 2009 from morgansoldmachine.lan
[rsync@morgansmachine ~]$ logout
Connection to 192.168.1.40 closed.

[root@morgansoldmachine /]# ssh rsync@morgansmachine
Last login: Sun Feb 15 20:31:04 2009 from morgansoldmachine.lan
[rsync@morgansmachine ~]$ logout
Connection to morgansmachine closed.

[root@morgansoldmachine /]# ssh rsync@morgansmachine.lan
Last login: Sun Feb 15 20:31:18 2009 from morgansoldmachine.lan
[rsync@morgansmachine ~]$ logout
Connection to morgansmachine.lan closed.

[root@morgansoldmachine /]# ssh rsync@192.168.1.40
Last login: Sun Feb 15 20:31:48 2009 from morgansoldmachine.lan

[rsync@morgansmachine ~]$ ssh root@192.168.1.100
Last login: Sun Feb 15 20:10:52 2009 from morgansmachine.lan
[root@morgansoldmachine ~]# logout
Connection to 192.168.1.100 closed.

[rsync@morgansmachine ~]$ ssh root@morgansoldmachine
Last login: Sun Feb 15 20:32:25 2009 from morgansmachine.lan
[root@morgansoldmachine ~]# logout
Connection to morgansoldmachine closed.

[rsync@morgansmachine ~]$ ssh root@morgansoldmachine.lan
Last login: Sun Feb 15 20:32:44 2009 from morgansmachine.lan
[root@morgansoldmachine ~]# logout
Connection to morgansoldmachine.lan closed.

[rsync@morgansmachine ~]$ logout
Connection to 192.168.1.40 closed.

[root@morgansoldmachine /]# ssh -t rsync@192.168.1.40 sudo rsync
-avzAXHn --delete-after root@192.168.1.100:/etc
/media/bigdisk/morgansmachine/etc
root@192.168.1.100's password:
Permission denied, please try again.
root@192.168.1.100's password:
Permission denied, please try again.
root@192.168.1.100's password:
Permission denied (publickey,gssapi-with-mic,password).
rsync: connection unexpectedly closed (0 bytes received so far) [receiver]
rsync error: error in rsync protocol data stream (code 12) at io.c(600)
[receiver=3.0.5]
Connection to 192.168.1.40 closed.
[root@morgansoldmachine /]#


Thanks,
Morgan.
--
Getting errors: "There are problems with the signature" (or similar)?
Update your system by installing certificates from CAcert Inc, see here:
http://wiki.cacert.org/wiki/BrowserClients?#head-259758ec5ba51c5205cfb179cf60e0b54d9e378b
Or, if Internet Explorer is your default browser, simply click this link:
http://www.cacert.org/index.php?id=17

Morgan Read
NEW ZEALAND
<mailto:mstuffATreadDOTorgDOTnz>

fedora + freedom; fact || fiction?
http://fedoraproject.org/wiki/Overview
get freed-ora!
http://www.fsfla.org/svnwiki/selibre/linux-libre/freed-ora
Re: password prompt, but pki auth working!?...
Zach, thanks for the tip - now I see that ssh under sudo is using
/root/.ssh for its keys...

sudo allows for the setting of environment variables on the command line.

So, which environment variable does ssh use to determine where it looks
for its keys? I assumed it would be HOME, but under sudo HOME is set to
the home directory of the user executing sudo, not root's home.

Thanks,
Morgan.

On 18/02/09 07:25, Zach wrote:
> Try ssh -vvv -t [.....]
>
> On Mon, Feb 16, 2009 at 8:39 PM, Morgan Read <mstuff@read.org.nz> wrote:
>
>> My head hurts!
>>
>> Can anyone help me with what follows - it shows ssh working with pki
>> auth in all the permutations I thought might be possible, but lastly
>> this command prompts for a password:
>> # ssh -t rsync@192.168.1.40 sudo rsync -avzAXHn --delete-after
>> root@192.168.1.100:/etc /media/bigdisk/morgansmachine/etc
>> ...
>> Permission denied (publickey,gssapi-with-mic,password).
>>
>>
>> [root@morgansoldmachine /]# ssh rsync@192.168.1.40
>> Last login: Sun Feb 15 20:29:39 2009 from morgansoldmachine.lan
>> [rsync@morgansmachine ~]$ logout
>> Connection to 192.168.1.40 closed.
>>
>> [root@morgansoldmachine /]# ssh rsync@morgansmachine
>> Last login: Sun Feb 15 20:31:04 2009 from morgansoldmachine.lan
>> [rsync@morgansmachine ~]$ logout
>> Connection to morgansmachine closed.
>>
>> [root@morgansoldmachine /]# ssh rsync@morgansmachine.lan
>> Last login: Sun Feb 15 20:31:18 2009 from morgansoldmachine.lan
>> [rsync@morgansmachine ~]$ logout
>> Connection to morgansmachine.lan closed.
>>
>> [root@morgansoldmachine /]# ssh rsync@192.168.1.40
>> Last login: Sun Feb 15 20:31:48 2009 from morgansoldmachine.lan
>>
>> [rsync@morgansmachine ~]$ ssh root@192.168.1.100
>> Last login: Sun Feb 15 20:10:52 2009 from morgansmachine.lan
>> [root@morgansoldmachine ~]# logout
>> Connection to 192.168.1.100 closed.
>>
>> [rsync@morgansmachine ~]$ ssh root@morgansoldmachine
>> Last login: Sun Feb 15 20:32:25 2009 from morgansmachine.lan
>> [root@morgansoldmachine ~]# logout
>> Connection to morgansoldmachine closed.
>>
>> [rsync@morgansmachine ~]$ ssh root@morgansoldmachine.lan
>> Last login: Sun Feb 15 20:32:44 2009 from morgansmachine.lan
>> [root@morgansoldmachine ~]# logout
>> Connection to morgansoldmachine.lan closed.
>>
>> [rsync@morgansmachine ~]$ logout
>> Connection to 192.168.1.40 closed.
>>
>> [root@morgansoldmachine /]# ssh -t rsync@192.168.1.40 sudo rsync
>> -avzAXHn --delete-after root@192.168.1.100:/etc
>> /media/bigdisk/morgansmachine/etc
>> root@192.168.1.100's password:
>> Permission denied, please try again.
>> root@192.168.1.100's password:
>> Permission denied, please try again.
>> root@192.168.1.100's password:
>> Permission denied (publickey,gssapi-with-mic,password).
>> rsync: connection unexpectedly closed (0 bytes received so far) [receiver]
>> rsync error: error in rsync protocol data stream (code 12) at io.c(600)
>> [receiver=3.0.5]
>> Connection to 192.168.1.40 closed.
>> [root@morgansoldmachine /]#
>>
>>
>> Thanks,
>> Morgan.


Re: password prompt, but pki auth working!?...
On Sat, Feb 28, 2009 at 03:13:06PM +1300, Morgan Read wrote:
> So, which environment variable does ssh use to determine where it looks
> for its keys? I assumed it would be HOME, but under sudo HOME is set to
> the home directory of the user executing sudo, not root's home.

I happen to have 4.4p1 source lying about, so:

pathnames.h:#define _PATH_SSH_CLIENT_ID_RSA ".ssh/id_rsa"

readconf.c:
    if (options->protocol & SSH_PROTO_2) {
        len = 2 + strlen(_PATH_SSH_CLIENT_ID_RSA) + 1;
        options->identity_files[options->num_identity_files] =
            xmalloc(len);
        snprintf(options->identity_files[options->num_identity_files++],
            len, "~/%.100s", _PATH_SSH_CLIENT_ID_RSA);

        len = 2 + strlen(_PATH_SSH_CLIENT_ID_DSA) + 1;
        options->identity_files[options->num_identity_files] =
            xmalloc(len);
        snprintf(options->identity_files[options->num_identity_files++],
            len, "~/%.100s", _PATH_SSH_CLIENT_ID_DSA);
    }

So, at this point there's a string that contains "~/.ssh/id_rsa".

ssh.c:
    if ((pw = getpwuid(original_real_uid)) == NULL)
        fatal("load_public_identity_files: getpwuid failed");
    if (gethostname(thishost, sizeof(thishost)) == -1)
        fatal("load_public_identity_files: gethostname: %s",
            strerror(errno));
    for (; i < options.num_identity_files; i++) {
        cp = tilde_expand_filename(options.identity_files[i],
            original_real_uid);

where original_real_uid is set somewhere earlier in ssh.c. I won't
try to track it down any further (especially since I'm looking at
out-of-date sources), but it sure looks like it's evaluating the
home directory based on the current uid or euid, rather than the
contents of $HOME.
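
The program below is an added example for this archive page; it is not code from the thread and not OpenSSH's own code. It answers Morgan's question ("which environment variable does ssh use?") and mirrors the source reading in the reply above: the default identity paths start out as "~/.ssh/id_rsa" and "~/.ssh/id_dsa", and the "~" is expanded from the passwd entry of the process's real uid, so $HOME plays no part. Run it once as yourself and once under sudo (with sudo preserving HOME, as on Morgan's box) and the two home directories diverge, which is exactly why root's ssh went looking in /root/.ssh. Function names, the 4096-byte buffers and the "~user/" pass-through are this example's own choices; OpenSSH's real tilde_expand_filename() also handles the "~user/" form, which this example leaves untouched.

```c
/*
 * Added example, not from the thread or from OpenSSH: resolve ssh's default
 * identity paths the way ssh does, via getpwuid(real uid), and compare with
 * what a naive $HOME-based expansion would give.
 */
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* The two protocol-2 defaults ssh 4.4p1 registers before expansion. */
static const char *DEFAULT_IDENTITIES[] = { "~/.ssh/id_rsa", "~/.ssh/id_dsa" };

/* Expand a leading "~/" (or a bare "~") against an explicit home directory.
 * "~user/..." is copied through unchanged (assumption of this example).
 * Returns out on success, NULL if the result does not fit in outlen. */
char *tilde_expand_with_home(const char *path, const char *home,
                             char *out, size_t outlen)
{
    int n;
    if (path[0] != '~' || (path[1] != '/' && path[1] != '\0')) {
        n = snprintf(out, outlen, "%s", path);          /* no "~/": copy */
    } else {
        const char *rest = path + 1;                    /* "/..." or "" */
        if (rest[0] == '/')
            rest++;                                     /* avoid "home//x" */
        n = (rest[0] == '\0') ? snprintf(out, outlen, "%s", home)
                              : snprintf(out, outlen, "%s/%s", home, rest);
    }
    return (n < 0 || (size_t)n >= outlen) ? NULL : out;
}

/* What ssh actually does: take the home directory from the passwd entry of
 * the given uid. $HOME is never consulted. NULL if the uid has no entry. */
char *tilde_expand_for_uid(const char *path, uid_t uid, char *out, size_t outlen)
{
    struct passwd *pw = getpwuid(uid);
    if (pw == NULL || pw->pw_dir == NULL)
        return NULL;
    return tilde_expand_with_home(path, pw->pw_dir, out, outlen);
}

/* Convenience wrapper returning a static buffer, for quick checks. */
const char *tilde_expand_static(const char *path, const char *home)
{
    static char buf[4096];
    return tilde_expand_with_home(path, home, buf, sizeof buf);
}

/* 1 if the passwd-based identity path differs from a $HOME-based one (the
 * "sudo ssh" situation in the thread), 0 if they agree, -1 if HOME is unset
 * or the real uid has no passwd entry. */
int identity_dir_diverges_from_env_home(void)
{
    char by_uid[4096], by_env[4096];
    const char *env_home = getenv("HOME");
    if (env_home == NULL)
        return -1;
    if (tilde_expand_for_uid(DEFAULT_IDENTITIES[0], getuid(), by_uid, sizeof by_uid) == NULL)
        return -1;
    if (tilde_expand_with_home(DEFAULT_IDENTITIES[0], env_home, by_env, sizeof by_env) == NULL)
        return -1;
    return strcmp(by_uid, by_env) != 0;
}

int main(void)
{
    char buf[4096];
    uid_t uid = getuid();
    struct passwd *pw = getpwuid(uid);
    const char *env_home = getenv("HOME");

    printf("real uid           : %lu\n", (unsigned long)uid);
    printf("passwd home (used) : %s\n", (pw && pw->pw_dir) ? pw->pw_dir : "(no passwd entry)");
    printf("$HOME (ignored)    : %s\n", env_home ? env_home : "(unset)");
    for (size_t i = 0; i < sizeof DEFAULT_IDENTITIES / sizeof DEFAULT_IDENTITIES[0]; i++)
        if (tilde_expand_for_uid(DEFAULT_IDENTITIES[i], uid, buf, sizeof buf))
            printf("identity file %zu    : %s\n", i, buf);

    switch (identity_dir_diverges_from_env_home()) {
    case 1:  puts("ssh will read keys from the passwd home, not from $HOME"); break;
    case 0:  puts("passwd home and $HOME agree"); break;
    default: puts("cannot compare: HOME unset or no passwd entry for this uid"); break;
    }
    return 0;
}
```

Build with `cc -o ssh_home ssh_home.c`, then compare `./ssh_home` against `sudo ./ssh_home`. Because no environment variable moves the lookup, the practical options (this is a suggestion, not something the thread concludes) are to hand root's ssh the intended key explicitly, for example `sudo rsync -e 'ssh -i /home/rsync/.ssh/id_rsa' ...` (path assumed), or to install the key under /root/.ssh; an IdentityFile written with "~" is expanded the same uid-based way.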