SSH passwordless connections won't work

Scenario:
I run a home server behind a NAT router on a static IP with Suse 12.2, + standard release KDE. My mother and mother-in-law both also run Suse (12.1 and 12.2 + KDE) but they don’t have static IPs. On a fairly regular basis, I am called upon to fix something trivial (or in the case of Kontact, not so trivial) and I rely on a script I’ve put on each of their machines to SCP a text file containing their latest IP address to my server. The script is periodically invoked via cron and uses ‘whatismyip.com’ to determine the latest IP. All worked well to start with, using a user name and password to scp to the server. I wasn’t happy with the security of this method and converted to public/private keys. These worked well until a release or so back. Try as I might, I’ve never managed to get a passwordless login to work.

**Additional Info:**
(The commands in caps are for clarity, not typos)
My script runs under a root crontab.
The file is intended to be SCPd by the cron script to the server as a regular user into a directory /srv/www/htdocs/IPadmin, where the permissions on IPadmin are 777, to allow the files to land.

Procedure I’ve followed:

  1. On the clients (my rel’s machines) as root, in /root, I’ve run ‘ssh-keygen’ and used the default location /root/.ssh to store rsa_id & rsa_id.pub. I’ve used a 46-character pass-phrase.
  2. From the client, I’ve SCPd the .pub file to the home directory of the user I’d be logging in as from my cron script.
  3. Also from the client, I’ve then used CAT to double pipe (append) the content of the .pub file to /home/user/.ssh/authorized-keys (I’ve looked at the file to verify the public keys have been appended correctly and for the root@client user - That’s what the cron script runs as when it attempts to SCP)
  4. Before deleting the .pub file, I’ve exited from any ssh connections to the server and then, as the root user on the client machine, I’ve tried to ssh to the server as the target user on the server. I use non-standard ssh ports, which are allowed through by my router.
  5. The command is: ssh -l user -p port IPofserver
  6. My expectation is that once the keys have been generated and the rsa_id (private key) is on the client in /root/.ssh and the content of the public key is safely stored in authorized-keys in the server in /home/user/.ssh, I’d no longer need to use a password. But frustratingly I am prompted for a password every time!!!

/etc/ssh/sshd_config on the server includes:
Port xxxxx (my non standard port) &
RSAAuthentication yes
PubkeyAuthentication yes

/var/log/messages shows the following, each time I attempt a login from the client using the cron script (manually)
Dec 29 22:54:14 SERVER sshd[4349]: Accepted keyboard-interactive/pam for bob from 92.28.50.156 port 51189 ssh2
Dec 29 22:54:14 SERVER systemd-logind[751]: New session 831 of user bob.
Dec 29 22:54:15 SERVER sshd[4353]: Received disconnect from 92.28.50.156: 11: disconnected by user
Dec 29 22:54:15 SERVER systemd-logind[751]: Removed session 831.
There’s a short delay, then:
Dec 29 22:55:03 SERVER sshd[4383]: error: PAM: Authentication failure for bob from host-92-28-50-156.as13285.net
Dec 29 22:55:04 SERVER sshd[4383]: error: PAM: Authentication failure for bob from host-92-28-50-156.as13285.net
Dec 29 22:55:04 SERVER sshd[4383]: Postponed keyboard-interactive for bob from 92.28.50.156 port 51194 ssh2 [preauth]
Dec 29 22:55:04 SERVER sshd[4383]: error: PAM: Authentication failure for bob from host-92-28-50-156.as13285.net
Dec 29 22:55:04 SERVER sshd[4383]: Connection closed by 92.28.50.156 [preauth]

I’m confused by the IP & port numbers as they bear no relation to the source or target IPs or ports. What is host-92-28-50-156.as13285.net?

Any thoughts on what else to look at or where I’ve gone wrong?

Cheers,

Greg
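Two defaults are worth checking before anything else; this is an added example and not part of Greg's post or of any reply in the thread. On the client, ssh-keygen's default file name is `/root/.ssh/id_rsa` (scp from a root crontab picks that up without `-i`); on the server, sshd reads `AuthorizedKeysFile .ssh/authorized_keys` and nothing else unless sshd_config says so. With `StrictModes yes` (the default) sshd also silently skips the key file when the target user's home, `.ssh` or the file itself is group- or world-writable, and the client then falls back to exactly the `keyboard-interactive/pam` login seen in the log; `LogLevel VERBOSE` in sshd_config makes sshd say whether it found a matching key. (The 92.28.50.156 in the log is the client's public address as seen through its NAT, `host-92-28-50-156.as13285.net` is that address's reverse-DNS name, and 51189/51194 are the client's ephemeral source ports, not the sshd port.) The script below runs the StrictModes checks against a home directory and shows a cron-safe scp call; user, host, port and the key path are placeholders, and `stat -c` is the GNU coreutils form.

```shell
#!/bin/sh
# Added example (not from the thread): check whether sshd with the default
# StrictModes would accept $HOME/.ssh/authorized_keys, and show the scp call
# a root cron job should use.  Host, user, port and paths are placeholders.

# go_writable FILE: succeed when FILE is group- or world-writable.
go_writable() {
    # stat -c %a prints the octal mode (e.g. 755); 022 is the g+w|o+w mask.
    mode=$(stat -c %a "$1") || return 1
    [ $(( 0$mode & 022 )) -ne 0 ]
}

# check_authorized_keys HOME: print each problem found; the exit status is
# the number of problems, so 0 means sshd would read the file.
# (StrictModes additionally requires the files to be owned by the user or
# root, which is not checked here.)
check_authorized_keys() {
    home=$1
    keyfile="$home/.ssh/authorized_keys"
    problems=0

    if [ ! -d "$home/.ssh" ]; then
        echo "missing: $home/.ssh"
        problems=$((problems + 1))
    fi
    if [ ! -f "$keyfile" ]; then
        # the default AuthorizedKeysFile is .ssh/authorized_keys (underscore);
        # a file called authorized-keys is never consulted
        echo "missing: $keyfile (check the file name)"
        problems=$((problems + 1))
    fi
    for f in "$home" "$home/.ssh" "$keyfile"; do
        if [ -e "$f" ] && go_writable "$f"; then
            echo "group/world writable, StrictModes rejects it: $f"
            problems=$((problems + 1))
        fi
    done
    return $problems
}

# push_ip_file FILE USER HOST PORT: the non-interactive transfer for cron.
# BatchMode=yes makes ssh fail instead of prompting when the key cannot be
# used (a passphrase-protected key with no agent, for example), so the
# failure lands in cron's mail rather than leaving a job waiting on a tty.
push_ip_file() {
    scp -P "$4" -o BatchMode=yes -o IdentitiesOnly=yes \
        -i /root/.ssh/id_rsa "$1" "$2@$3:/srv/www/htdocs/IPadmin/"
}

# Interactive debugging from the client:
#   ssh -vv -o BatchMode=yes -p PORT -l USER HOST
# prints "Offering public key: /root/.ssh/id_rsa" when the key is tried and
# "Authentications that can continue: ..." when the server turns it down.
```

Run `check_authorized_keys /home/bob` on the server as root; anything it prints is something sshd is also objecting to, in silence, at the moment the client falls back to a password.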

There’s already a problem at that point.

Using ssh is going to request the passphrase. However, since it is run from cron, there is no way to request a passphrase. Hence it won’t be able to use publickey authentication.

If I may say so, you are making this too complicated.

Here’s what I would do:

I would setup a POP3 server. And I would setup an account for each of those client machines. It only needs to be a POP3 account, but setting up a linux account does that.

I would want the POP3 server to support APOP authentication, so that passwords cannot be stolen by packet sniffing on the line.

On each client machine, I would setup fetchmail to periodically query the POP3 server for email, using that APOP authentication.

Then I would find the client IP addresses by examining the POP3 logs. There need not be any actual mail transferred. The POP3 server should log IP address and name of user for each APOP authentication.

You get the IP from logs, so no actual file need be transferred. APOP uses MD5 hashes, which is admittedly not as secure as one might like. But it is simpler than what you are doing, and safe enough. All that is risked is the passwords of the POP3 accounts that you have setup. Those accounts would be dummy accounts that nobody could login to anyway (bad shell, for example). The APOP passwords would be for that task only.

Perhaps I missed something about what you are trying to do. If you do need a file, you could initiate the connect for that from your end, once you know the IP.

Thanks for the swift response.

I like your idea of using a pop3 transaction to log the IPs. I take it that the client’s external IP would be in there - I’ve never tried setting up fetchmail or a pop3 server. Checking on the Interweb, it all looks dauntingly complicated. Can you recommend a good, clean, up-to-date and Suse-friendly tutorial, please?

In the meantime, I’d still like to understand why I cannot get my key based authentication to work for ssh - It’s too frustrating. As far as I can tell I’ve done it according to the rules (or, at least in common with several walk-throughs posted on the web). Even if I choose your approach, it would be worth bottoming out what my ssh key problem is, so others searching and finding this post will be graced with a solution :slight_smile:

I even tried reverting to a key with no passphrase, to see if that was the problem but it made no difference at all. I was still asked for my password. TBH if having a key without a passphrase isn’t considered too much of a risk, then I’d revert to that, while sorting out the pop3/apop solution - if only I could get it to work!?! How risky is it?

Cheers,

Greg

Since my earlier post, I pulled up Yast software management. I see that “qpopper” is available in the standard repos. It’s a pretty simple POP3 server. It logs the IP address and the user who logged in. It runs via inetd/xinetd. It supports APOP, but you would need a separate database entry for APOP. The separate database entry is good. You could setup user accounts with no login possible, and only APOP auth for POP3.

My guess is that Yast will do most of the setup for you - as mentioned, qpopper is simple. You would have to setup port forwarding on your router for POP3 (usually port 110). According to software management (the “dependencies tab”), the qpopper package also provides “config (qpopper)”, which is probably the Yast stuff for setting it up.

Here are qpopper log entries from an old, about to be retired, solaris box at work:

Dec 30 11:02:09 mp popper[6389]: (v4.0.8) Servicing request from "209.85.223.999" at 209.85.223.999
Dec 30 11:02:09 mp popper[6389]: Stats: userid 0 0 0 0 209.85.223.999 209.85.223.999

I don’t have any APOP users who still access that box - the only users are people who have not heard that the box is about to be taken down. But the log for APOP entries is similar.

I did munge that data (hid the user login name, and changed the last three digits of the IP address to ‘999’).

And “fetchmail” is in the repos - I standardly install that, and use it for checking a few mail boxes. I just use it from the command line. Setting up user crontab entries to do that should be easy enough. As I recall, the man pages for fetchmail are a bit turgid, but you can probably find online help with a google search.

It should work interactively, but not from cron if it requires a passphrase to be entered. Maybe there’s a way of using an “expect” script to feed it a passphrase.

If it doesn’t work interactively, then use “ssh -v -v -l user ip-or-hostname” to get verbose information on what is happening.

I personally run ssh-agent for handling key stuff, so I haven’t tried it directly with the standard keyname that you are using. I suppose that I should one day experiment with that.
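The server side of the POP3 approach reduces to reading the addresses back out of qpopper's log, which nrickert's sample lines show the shape of. The script below is an added example, not something posted in the thread: it extracts the last address seen per user from `Stats:` lines. Field positions follow the posted sample (`Stats:` is the sixth whitespace-separated field, the user name the seventh). The sample carries the client address twice; this takes the last field, on the assumption that qpopper prints the resolved client name followed by its IP address, so the last field stays an address even when reverse DNS succeeds. The log lines in the script are constructed, with documentation addresses and made-up user names, and the log path in the cron comment is a placeholder (qpopper logs through syslog's mail facility, so the actual file depends on the syslog setup).

```shell
#!/bin/sh
# Added example (not from the thread): pull the most recent client address
# per user out of qpopper "Stats:" lines.  SAMPLE_LOG is constructed test
# data: RFC 5737 documentation addresses and invented user names.

SAMPLE_LOG='Dec 30 11:02:09 mp popper[6389]: (v4.0.8) Servicing request from "203.0.113.5" at 203.0.113.5
Dec 30 11:02:09 mp popper[6389]: Stats: mum 0 0 0 0 203.0.113.5 203.0.113.5
Dec 30 11:17:41 mp popper[6412]: Stats: mil 0 0 0 0 198.51.100.77 198.51.100.77
Dec 30 11:32:10 mp popper[6440]: (v4.0.8) Servicing request from "203.0.113.9" at 203.0.113.9
Dec 30 11:32:10 mp popper[6440]: Stats: mum 0 0 0 0 203.0.113.9 203.0.113.9'

# latest_ip_per_user < LOGFILE: print "user address" for the last Stats:
# line per user, sorted by user.  Field 6 is "Stats:", field 7 the user;
# the address is taken from the last field (assumption: name, then IP).
latest_ip_per_user() {
    awk '$6 == "Stats:" { ip[$7] = $NF }
         END { for (u in ip) print u, ip[u] }' | sort
}

# latest_ip USER < LOGFILE: print the most recent address for USER, or
# exit 1 when that user never completed a POP3 session.
latest_ip() {
    awk -v u="$1" '$6 == "Stats:" && $7 == u { ip = $NF; seen = 1 }
                   END { if (!seen) exit 1; print ip }'
}

# Cron on the server, refreshing the file the ssh script used to deliver
# (log path is a placeholder; qpopper logs via syslog's mail facility):
#   */10 * * * * latest_ip mum < /var/log/mail > /srv/www/htdocs/IPadmin/mum.txt
```

Because only the log is consulted, the dummy POP3 accounts never need a readable mailbox, and a client whose session fails APOP authentication produces no `Stats:` line and so never overwrites the last good address.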

On 2012-12-30 18:36, nrickert wrote:

> And “fetchmail” is in the repos - I standardly install that, and use it
> for checking a few mail boxes. I just use from the command line.
> Setting up user crontab entries to do that should be easy enough. As I
> recall, the man pages for fetchmail are a bit turgid, but you can
> probably find online help with a google search.

Fetchmail syntax is very simple, and the man page contains a section
with clear examples.
Cheers / Saludos,

Carlos E. R.
(from 11.4, with Evergreen, x86_64 “Celadon” (Minas Tirith))

Thinking you might improve on what you’re trying to accomplish by implementing knockd, which is a port knocking daemon.

For instance, a script on a remote machine might knock on your computer, automatically initiating a callback SSH session.

If you do set this up, would be interesting for you to do a write-up.

TSU