Scenario:
I run a home server behind a NAT router on a static IP with Suse 12.2, + standard release KDE. My mother and mother-in-law both also run Suse (12.1 and 12.2 + KDE) but they don’t have static IPs. On a fairly regular basis, I am called upon to fix something trivial (or in the case of Kontact, not so trivial) and I rely on a script I’ve put on each of their machines to SCP a text file containing their latest IP address to my server. The script is periodically invoked via cron and uses ‘whatismyip.com’ to determine the latest IP. All worked well to start with, using a user name and password to scp to the server. I wasn’t happy with the security of this method and converted to public/private keys. These worked well until a release or so back. Try as I might, I’ve never managed to get a passwordless login to work.
**Additional Info:**
(The commands in caps are for clarity, not typos)
My script runs under a root crontab.
The file is intended to be SCPd by the cron script to the server as a regular user into a directory /srv/www/htdocs/IPadmin, where the permissions on IPadmin are 777, to allow the files to land.
Procedure I’ve followed:
- On the clients (my rel’s machines) as root, in /root, I’ve run ‘ssh-keygen’ and used the default location /root/.ssh to store rsa_id & rsa_id.pub. I’ve used a 46 character pass-phrase.
- From the client, I’ve SCPd the .pub file to the home directory of the user I’d be logging in as from my cron script.
- Also from the client, I’ve then used CAT to double pipe (append) the content of the .pub file to /home/user/.ssh/authorized-keys (I’ve looked at the file to verify that the public keys have been appended correctly and for the root@client user; that’s what the cron script runs as when it attempts to SCP).
- Before deleting the .pub file, I’ve exited from any ssh connections to the server and then, as the root user on the client machine, I’ve tried to ssh to the server as the target user on the server. I use non standard ssh ports, which are allowed through by my router.
- The command is: ssh -l user -p port IPofserver
- My expectation is that once the keys have been generated and the rsa_id (private key) is on the client in /root/.ssh and the content of the public key is safely stored in authorized-keys on the server in /home/user/.ssh, I’d no longer need to use a password. But frustratingly I am prompted for a password every time!!!
/etc/ssh/sshd_config on the server includes:
Port xxxxx (my non standard port) &
RSAAuthentication yes
PubkeyAuthentication yes
/var/log/messages shows the following each time I attempt a login from the client using the cron script (manually):
Dec 29 22:54:14 SERVER sshd[4349]: Accepted keyboard-interactive/pam for bob from 92.28.50.156 port 51189 ssh2
Dec 29 22:54:14 SERVER systemd-logind[751]: New session 831 of user bob.
Dec 29 22:54:15 SERVER sshd[4353]: Received disconnect from 92.28.50.156: 11: disconnected by user
Dec 29 22:54:15 SERVER systemd-logind[751]: Removed session 831.
There’s a short delay, then:
Dec 29 22:55:03 SERVER sshd[4383]: error: PAM: Authentication failure for bob from host-92-28-50-156.as13285.net
Dec 29 22:55:04 SERVER sshd[4383]: error: PAM: Authentication failure for bob from host-92-28-50-156.as13285.net
Dec 29 22:55:04 SERVER sshd[4383]: Postponed keyboard-interactive for bob from 92.28.50.156 port 51194 ssh2 [preauth]
Dec 29 22:55:04 SERVER sshd[4383]: error: PAM: Authentication failure for bob from host-92-28-50-156.as13285.net
Dec 29 22:55:04 SERVER sshd[4383]: Connection closed by 92.28.50.156 [preauth]
I’m confused by the IP & port numbers as they bear no relation to the source or target IPs or ports. What is host-92-28-50-156.as13285.net?
Any thoughts on what else to look at or where I’ve gone wrong?
Cheers,
Greg
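As an added example (not part of Greg's post), here is a small Python parser over the log lines quoted above that reports, per sshd process, which authentication method actually completed: an "Accepted keyboard-interactive/pam" line means the login succeeded by password through PAM rather than by the key, the "port 51189" / "port 51194" values are the client's ephemeral source ports, and host-92-28-50-156.as13285.net is the reverse-DNS name sshd resolved for 92.28.50.156. The log text is a constructed copy of the lines in the post; nothing is read from a live server.

```python
import re

# Constructed input: the sshd lines quoted in the post above (no live log is read).
SAMPLE_LOG = """\
Dec 29 22:54:14 SERVER sshd[4349]: Accepted keyboard-interactive/pam for bob from 92.28.50.156 port 51189 ssh2
Dec 29 22:54:15 SERVER sshd[4353]: Received disconnect from 92.28.50.156: 11: disconnected by user
Dec 29 22:55:03 SERVER sshd[4383]: error: PAM: Authentication failure for bob from host-92-28-50-156.as13285.net
Dec 29 22:55:04 SERVER sshd[4383]: error: PAM: Authentication failure for bob from host-92-28-50-156.as13285.net
Dec 29 22:55:04 SERVER sshd[4383]: Postponed keyboard-interactive for bob from 92.28.50.156 port 51194 ssh2 [preauth]
Dec 29 22:55:04 SERVER sshd[4383]: error: PAM: Authentication failure for bob from host-92-28-50-156.as13285.net
Dec 29 22:55:04 SERVER sshd[4383]: Connection closed by 92.28.50.156 [preauth]
"""

# "Accepted <method> for <user> from <source> port <client's ephemeral source port>"
ACCEPTED = re.compile(r"sshd\[(\d+)\]: Accepted (\S+) for (\S+) from (\S+) port (\d+)")
# PAM only sees the password / keyboard-interactive path; a key attempt never logs this.
PAM_FAIL = re.compile(r"sshd\[(\d+)\]: error: PAM: Authentication failure for (\S+) from (\S+)")
CLOSED = re.compile(r"sshd\[(\d+)\]: Connection closed by (\S+) \[preauth\]")

def _new(user, src):
    return {"user": user, "src": src, "port": None, "method": None,
            "pam_failures": 0, "closed_preauth": False}

def summarize(log_text):
    """Group lines by sshd pid and record how each connection was (or was not) authenticated."""
    sessions = {}
    for line in log_text.splitlines():
        if m := ACCEPTED.search(line):
            pid, method, user, src, port = m.groups()
            sessions.setdefault(pid, _new(user, src)).update(method=method, port=int(port))
        elif m := PAM_FAIL.search(line):
            pid, user, src = m.groups()
            sessions.setdefault(pid, _new(user, src))["pam_failures"] += 1
        elif m := CLOSED.search(line):
            pid, src = m.groups()
            sessions.setdefault(pid, _new(None, src))["closed_preauth"] = True
    return sessions

def key_auth_used(session):
    """True only if sshd logged a publickey acceptance for this connection."""
    return bool(session["method"]) and session["method"].startswith("publickey")

if __name__ == "__main__":
    for pid, s in summarize(SAMPLE_LOG).items():
        verdict = "key" if key_auth_used(s) else "password/PAM or nothing"
        print(f"sshd[{pid}] user={s['user']} from={s['src']} method={s['method']} "
              f"pam_failures={s['pam_failures']} closed_preauth={s['closed_preauth']} -> {verdict}")
```

Run on the quoted lines it shows pid 4349 succeeding via keyboard-interactive/pam (a password login) and pid 4383 failing three PAM attempts and closing before authentication, with no publickey line in either connection.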