Searching an ArrayList of Student objects using a passed String?

Run the ssh command with a bunch of -v parameters to see why the key is not being accepted. You could also stop the SSH daemon on the target server and run that in the foreground with a bunch of -v options to see why it rejected the key (if offered).

Note that the most common problem with keys not being accepted is incorrect permissions on the .ssh directory and the id_rsa and id_rsa.pub files. The directory itself needs to be 0700 (only visible to the user) and the id_rsa private key should be 0600.

Dude!

I wrote a small quick script some time ago to automate the task:

#!/bin/bash
# Creating SSH public RSA key if non exist and copying it to remote target
# for passwordless SSH login.
# Author: Dude, Oracle OTN, 28-APR-2015
# Arguments: $1 (ssh login to remote target. e.g. ./passwordless oracle@10.0.1.1)
ME=passwordless-ssh
keyfile="$HOME/.ssh/id_rsa"
[ -z "$1" ] && echo "Missing 'user@target_host' argument. Aborted." && exit 1
if [ ! -f $keyfile ]; then
  mkdir -p $HOME/.ssh
  ssh-keygen -t rsa -f $keyfile -N ''
fi
keycode=`cat $keyfile.pub`
remote_ssh_dir="~/.ssh"
remote_ssh_file="$remote_ssh_dir/authorized_keys"
ssh -q $1 "mkdir -p $remote_ssh_dir; chmod 700 $remote_ssh_dir
echo "$keycode" >> $remote_ssh_file; chmod 600 $remote_ssh_file"

For example:

$ sh ./passwordless-ssh oracle@10.0.60.10

Generating public/private rsa key pair.

Your identification has been saved in /Users/dude/.ssh/id_rsa.

Your public key has been saved in /Users/dude/.ssh/id_rsa.pub.

The key fingerprint is:

54:78:43:30:3c:cd:1b:86:b3:e9:89:e5:79:79:c9:9a dude@Pluto.local

The key's randomart image is:

+--[ RSA 2048]----+

| o+o |

| =.oo |

| = *. . |

| o = o |

| = o o . |

| . = o + |

| . + |

+-----------------+

The authenticity of host '10.0.60.10 (10.0.60.10)' can't be established.

RSA key fingerprint is 8b:ec:25:f6:b3:4b:d7:1f:94:c1:c2:89:37:14:80:c7.

Are you sure you want to continue connecting (yes/no)? yes

oracle@10.0.60.10's password: <Enter Password>

$ ssh oracle@10.0.60.10

Last login: Wed Jun 15 18:54:20 2016 from 10.0.0.32

I guess you could run above procedure from both of your hosts to connect to the other machine. To troubleshoot your problem you can remove the .ssh directories in each of the local accounts. If it still doesn't work, perhaps there's something in /etc/ssh/sshd_config configured incorrectly.

1 person found this helpful

remzi.akyuz

Hi,

after creating key, using ssh-copy-id.

ssh-copy-id — use locally available keys to authorise logins on a remote machine

ssh-copy-id username@hostname-or-ip-address.

After that you can connect without password.

for more information;

man ssh-copy-id

good luck.

Dr. DBA

Permissions look right.;

Source

-rw-r-----. 1 oracle oracle 797 Oct 27 11:19 authorized_keys

drwxr-xr-x. 2 oracle oracle 4096 Oct 27 11:24 ssh

-rw-r--r--. 1 oracle oracle 1607 Oct 27 11:30 known_hosts

-rw-r--r--. 1 oracle oracle 395 Oct 27 11:37 id_rsa.pub

-rw-------. 1 oracle oracle 1675 Oct 27 11:37 id_rsa

drwx------. 28 oracle oracle 4096 Oct 27 11:39 ..

drwx------. 3 oracle oracle 4096 Oct 27 11:39 .

Target

-rw-------. 1 oracle oracle 1.7K Aug 15 14:26 id_rsa

-rw-r--r--. 1 oracle oracle 397 Aug 15 14:26 id_rsa.pub

-rw-------. 1 oracle oracle 395 Oct 26 16:20 authorized_keys.old

-rw-r--r--. 1 oracle oracle 1.6K Oct 27 11:40 known_hosts

-rw-r-----. 1 oracle oracle 800 Oct 27 11:41 authorized_keys

drwxr-xr-x. 54 oracle oracle 4.0K Oct 27 11:43 ..

drwx------. 2 oracle oracle 4.0K Oct 27 11:43 .

Dr. DBA

I am able to create keys just fine on other servers except for this one.

What could possibly be configured incorrectly in /etc/ssh/sshd_config ?

Dude!

What exactly have you tried? Did you delete the .ssh directory of the user on the target computer and use the script I previously posted? Can you log in with a password? Regarding sshd_config, as I recall, it is possible to filter access by username or enable/disable specific encryption algorithms. If the systems are all the same release version, you could copy the sshd_config file from a working system and restart the service or server. You could also try ssh -vvv user@host for any clues.

Billy Verreynne

Permissions are not just applicable to $HOME/.ssh and its file contents.

Read permissions on $HOME by anyone but the user is also a security violation.

1 person found this helpful

Dr. DBA

I have tried deleting and recreating the public keys on both servers. I did delete the .ssh directory and recreated it on both servers too. I'm still getting the same results, asking for a password when I ssh to the remote server.

Dr. DBA

here's what I get when I ssh -vvv

ssh -vvv oracle@SERVERNAME

OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013

debug1: Reading configuration data /etc/ssh/ssh_config

debug1: Applying options for *

debug2: ssh_connect: needpriv 0

debug1: Connecting to zeppelin [10.17.0.103] port 22.

debug1: Connection established.

debug1: identity file /home/oracle/.ssh/identity type -1

debug1: identity file /home/oracle/.ssh/identity-cert type -1

debug3: Not a RSA1 key file /home/oracle/.ssh/id_rsa.

debug2: key_type_from_name: unknown key type '-----BEGIN'

debug3: key_read: missing keytype

debug3: key_read: missing whitespace

debug2: key_type_from_name: unknown key type '-----END'

debug3: key_read: missing keytype

debug1: identity file /home/oracle/.ssh/id_rsa type 1

debug1: identity file /home/oracle/.ssh/id_rsa-cert type -1

debug1: identity file /home/oracle/.ssh/id_dsa type -1

debug1: identity file /home/oracle/.ssh/id_dsa-cert type -1

debug1: identity file /home/oracle/.ssh/id_ecdsa type -1

debug1: identity file /home/oracle/.ssh/id_ecdsa-cert type -1

debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3

debug1: match: OpenSSH_5.3 pat OpenSSH*

debug1: Enabling compatibility mode for protocol 2.0

debug1: Local version string SSH-2.0-OpenSSH_5.3

debug2: fd 3 setting O_NONBLOCK

debug1: SSH2_MSG_KEXINIT sent

debug3: Wrote 960 bytes for a total of 981

debug1: SSH2_MSG_KEXINIT received

debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss

debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se

debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96

debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib

debug2: kex_parse_kexinit:

debug2: kex_parse_kexinit: first_kex_follows 0

debug2: kex_parse_kexinit: reserved 0

debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

debug2: kex_parse_kexinit: ssh-rsa,ssh-dss

debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se

debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96

debug2: kex_parse_kexinit: none,zlib@openssh.com

debug2: kex_parse_kexinit:

debug2: kex_parse_kexinit: first_kex_follows 0

debug2: kex_parse_kexinit: reserved 0

debug2: mac_setup: found hmac-md5

debug1: kex: server->client aes128-ctr hmac-md5 none

debug2: mac_setup: found hmac-md5

debug1: kex: client->server aes128-ctr hmac-md5 none

debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent

debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP

debug3: Wrote 24 bytes for a total of 1005

debug2: dh_gen_key: priv key bits set: 140/256

debug2: bits set: 526/1024

debug1: SSH2_MSG_KEX_DH_GEX_INIT sent

debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY

debug3: Wrote 144 bytes for a total of 1149

debug3: check_host_in_hostfile: host zeppelin filename /home/oracle/.ssh/known_hosts

debug3: check_host_in_hostfile: match line 3

debug3: check_host_in_hostfile: host 10.17.0.103 filename /home/oracle/.ssh/known_hosts

debug3: check_host_in_hostfile: match line 3

debug1: Host 'zeppelin' is known and matches the RSA host key.

debug1: Found key in /home/oracle/.ssh/known_hosts:3

debug2: bits set: 521/1024

debug1: ssh_rsa_verify: signature correct

debug2: kex_derive_keys

debug2: set_newkeys: mode 1

debug1: SSH2_MSG_NEWKEYS sent

debug1: expecting SSH2_MSG_NEWKEYS

debug3: Wrote 16 bytes for a total of 1165

debug2: set_newkeys: mode 0

debug1: SSH2_MSG_NEWKEYS received

debug1: SSH2_MSG_SERVICE_REQUEST sent

debug3: Wrote 48 bytes for a total of 1213

debug2: service_accept: ssh-userauth

debug1: SSH2_MSG_SERVICE_ACCEPT received

debug2: key: /home/oracle/.ssh/identity ((nil))

debug2: key: /home/oracle/.ssh/id_rsa (0x7f9a3e869ee0)

debug2: key: /home/oracle/.ssh/id_dsa ((nil))

debug2: key: /home/oracle/.ssh/id_ecdsa ((nil))

debug3: Wrote 64 bytes for a total of 1277

debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password

debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password

debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password

debug3: authmethod_lookup gssapi-keyex

debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password

debug3: authmethod_is_enabled gssapi-keyex

debug1: Next authentication method: gssapi-keyex

debug1: No valid Key exchange context

debug2: we did not send a packet, disable method

debug3: authmethod_lookup gssapi-with-mic

debug3: remaining preferred: publickey,keyboard-interactive,password

debug3: authmethod_is_enabled gssapi-with-mic

debug1: Next authentication method: gssapi-with-mic

debug3: Trying to reverse map address 10.17.0.103.

debug1: Unspecified GSS failure. Minor code may provide more information

Dude!

debug1: Connection established.

debug1: identity file /home/oracle/.ssh/identity type -1

debug1: identity file /home/oracle/.ssh/identity-cert type -1

debug3: Not a RSA1 key file /home/oracle/.ssh/id_rsa.

debug2: key_type_from_name: unknown key type '-----BEGIN'

debug3: key_read: missing keytype

There seems to be a problem here. You should rather see something similar to the following:

debug1: Connection established.

debug3: Incorrect RSA1 identifier

debug3: Could not load "/Users/bb/.ssh/id_rsa" as a RSA1 public key

debug1: identity file /Users/bb/.ssh/id_rsa type 1

debug1: identity file /Users/bb/.ssh/id_rsa-cert type -1

debug1: identity file /Users/bb/.ssh/id_dsa type -1

debug1: identity file /Users/bb/.ssh/id_dsa-cert type -1

debug1: Enabling compatibility mode for protocol 2.0

The line in bold is wanted, since it means that you would not be using RSA version 1, which is obsolete.

There is either something wrong with your public key - perhaps you confused public and private keys, or you transferred it from another system incorrectly, e.g. containing wrong line endings.

If you follow the procedure I've shown previously it should work. If you are doing something else, that might be the problem. If you need more help, please outline what you are doing exactly. Error messages give only a clue.

Dr. DBA

I've done this many of times. This is the first time i've seen this problem.

id_rsa Public key

id_rsa.pub.JPG

authorized key on remote server.

autorized_key remote server.JPG

Dude!

Please post /etc/ssh/sshd_config of the target machine.

Dude!

Other options you might want to check is creating another user and disabling SELINUX.

Dr. DBA

# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

# This is the sshd server system-wide configuration file. See

# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with

# OpenSSH is to specify options with their default value where

# possible, but leave them commented. Uncommented options change a

# default value.

#Port 22

#AddressFamily any

#ListenAddress 0.0.0.0

#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new

# installations. In future the default will change to require explicit

# activation of protocol 1

Protocol 2

# HostKey for protocol version 1

#HostKey /etc/ssh/ssh_host_key

# HostKeys for protocol version 2

#HostKey /etc/ssh/ssh_host_rsa_key

#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key

#KeyRegenerationInterval 1h

#ServerKeyBits 1024

# Logging

# obsoletes QuietMode and FascistLogging

#SyslogFacility AUTH

SyslogFacility AUTHPRIV

#LogLevel INFO

# Authentication:

#LoginGraceTime 2m

#PermitRootLogin yes

#StrictModes yes

#MaxAuthTries 6

#MaxSessions 10

#RSAAuthentication yes

#PubkeyAuthentication yes

#AuthorizedKeysFile .ssh/authorized_keys

#AuthorizedKeysCommand none

#AuthorizedKeysCommandRunAs nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts

#RhostsRSAAuthentication no

# similar for protocol version 2

#HostbasedAuthentication no

# Change to yes if you don't trust ~/.ssh/known_hosts for

# RhostsRSAAuthentication and HostbasedAuthentication

#IgnoreUserKnownHosts no

# Don't read the user's ~/.rhosts and ~/.shosts files

#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!

#PasswordAuthentication yes

#PermitEmptyPasswords no

PasswordAuthentication yes

# Change to no to disable s/key passwords

#ChallengeResponseAuthentication yes

ChallengeResponseAuthentication no

# Kerberos options

#KerberosAuthentication no

#KerberosOrLocalPasswd yes

#KerberosTicketCleanup yes

#KerberosGetAFSToken no

#KerberosUseKuserok yes

# GSSAPI options

#GSSAPIAuthentication no

GSSAPIAuthentication yes

#GSSAPICleanupCredentials yes

GSSAPICleanupCredentials yes

#GSSAPIStrictAcceptorCheck yes

#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,

# and session processing. If this is enabled, PAM authentication will

# be allowed through the ChallengeResponseAuthentication and

# PasswordAuthentication. Depending on your PAM configuration,

# PAM authentication via ChallengeResponseAuthentication may bypass

# the setting of "PermitRootLogin without-password".

# If you just want the PAM account and session checks to run without

# PAM authentication, then enable this but set PasswordAuthentication

# and ChallengeResponseAuthentication to 'no'.

#UsePAM no

UsePAM yes

# Accept locale-related environment variables

AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES

AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT

AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE

AcceptEnv XMODIFIERS

#AllowAgentForwarding yes

#AllowTcpForwarding yes

#GatewayPorts no

#X11Forwarding no

X11Forwarding yes

#X11DisplayOffset 10

#X11UseLocalhost yes

#PrintMotd yes

#PrintLastLog yes

#TCPKeepAlive yes

#UseLogin no

#UsePrivilegeSeparation yes

#PermitUserEnvironment no

#Compression delayed

#ClientAliveInterval 0

#ClientAliveCountMax 3

#ShowPatchLevel no

#UseDNS yes

#PidFile /var/run/sshd.pid

#MaxStartups 10:30:100

#PermitTunnel no

#ChrootDirectory none

# no default banner path

#Banner none

# override default of no subsystems

Subsystem sftp /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis

#Match User anoncvs

# X11Forwarding no

# AllowTcpForwarding no

# ForceCommand cvs server

Dr. DBA

We tried creating another oracle user and copying the files over. Still having the same problems.

Dude!

I don't see anything wrong in your sshd_config file, which looks like the installation default.

What happens if you run above procedure and try password less login on the target server itself, e.g.:

[root@vm604 ~]# sh ./passwordless.sh oracle@localhost

# ssh oracle@localhost

Last login: Wed Apr 20 10:30:35 2016 from localhost

[oracle@vm604 ~]$

Dr. DBA

Same thing happens, it still asks for a password.

Both servers have SELinux enabled. Works one way but doesn't work the other way.

>sestatus

SELinux status: enabled

SELinuxfs mount: /selinux

Current mode: enforcing

Mode from config file: enforcing

Policy version: 28

Policy from config file: targeted

zeppelin*tst1-/home/oracle>

Dude!

I suggest to try the following:

# yum reinstall openssh openssh-server openssh-clients

# service sshd restart

Java Programming

Searching an ArrayList of Student objects using a passed String?

Comments

Post Details