0

Hopefully, someone can help me resolve this nightmare. I did a project on vagrant provisioning 4 ubuntu machines, 1 controller and 3 servers. Created SSH key on controller and ssh-copy-id command to 3 server nodes. I can see the public key in authorized_keyes on 3 servers.

etc/ssh/sshd_config dump seems to be ok according to what i can find on internet.

#       $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $

This is the sshd server system-wide configuration file.  See


sshd_config(5) for more information.


This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin


The strategy used for options in the default sshd_config shipped with


OpenSSH is to specify options with their default value where


possible, but leave them commented.  Uncommented options override the


default value.


#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::


#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key


Ciphers and keying


#RekeyLimit default none


Logging


#SyslogFacility AUTH
#LogLevel INFO


Authentication:


#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10


#PubkeyAuthentication yes


Expect .ssh/authorized_keys2 to be disregarded by default in future.


#AuthorizedKeysFile     .ssh/authorized_keys .ssh/authorized_keys2


#AuthorizedPrincipalsFile none


#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody


For this to work you will also need host keys in /etc/ssh/ssh_known_hosts


#HostbasedAuthentication no


Change to yes if you don't trust ~/.ssh/known_hosts for


HostbasedAuthentication


#IgnoreUserKnownHosts no


Don't read the user's ~/.rhosts and ~/.shosts files


#IgnoreRhosts yes


To disable tunneled clear text passwords, change to no here!


#PasswordAuthentication yes
#PermitEmptyPasswords no


Change to yes to enable challenge-response passwords (beware issues with


some PAM modules and threads)


ChallengeResponseAuthentication no


Kerberos options


#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no


GSSAPI options


#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no


Set this to 'yes' to enable PAM authentication, account processing,


and session processing. If this is enabled, PAM authentication will


be allowed through the ChallengeResponseAuthentication and


PasswordAuthentication.  Depending on your PAM configuration,


PAM authentication via ChallengeResponseAuthentication may bypass


the setting of "PermitRootLogin without-password".


If you just want the PAM account and session checks to run without


PAM authentication, then enable this but set PasswordAuthentication


and ChallengeResponseAuthentication to 'no'.


UsePAM yes


#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none


no default banner path


#Banner none


Allow client to pass locale environment variables


AcceptEnv LANG LC_*


override default of no subsystems


Subsystem       sftp    /usr/lib/openssh/sftp-server


Example of overriding settings on a per-user basis


#Match User anoncvs


X11Forwarding no


AllowTcpForwarding no


PermitTTY no


ForceCommand cvs server


UseDNS no
GSSAPIAuthentication no

Debug output when i try to connect to one of the servers from my controller machine.

OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n  7 Dec 2017
debug1: Reading configuration data /etc/ssh/ssh_config     
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to server1 [172.16.1.51] port 22.       
debug1: Connection established.
debug1: identity file /home/vagrant/.ssh/id_rsa type 0
debug1: key_load_public: No such file or directory
debug1: identity file /home/vagrant/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/vagrant/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/vagrant/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/vagrant/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/vagrant/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/vagrant/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/vagrant/.ssh/id_ed25519-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
debug1: match: OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 pat OpenSSH* compat 0x04000000
debug1: Authenticating to server1:22 as 'vagrant'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:Qe4c4KKdHXNjhZ3PMFqTKrVFASCX3O8kvtCRKTifkfs
debug1: Host 'server1' is known and matches the ECDSA host key.
debug1: Found key in /home/vagrant/.ssh/known_hosts:1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:gmW3Caq3TNEnCYHCa+BMgMm7lINsBlo7Y73bE596LZo /home/vagrant/.ssh/id_rsa
debug1: Server accepts key: pkalg rsa-sha2-512 blen 279
Enter passphrase for key '/home/vagrant/.ssh/id_rsa':

I have tried most of the things i could find on the subject. Still i am unable to get passwordless access to my server machines. Any advice is welcome.

Thank you.

Kirra Lissa
  • 3

3 Answers3

5

You are not being asked for the password for the remote host. You are being asked for the passphrase for the ssh key you created.

To fix the problem, supply the passphrase.

If you did not want a passphrase on your key, then you should no longer set one when you create the key. You can also remove it by setting an empty passphrase.

Michael Hampton
  • 252,907
-1

By just copying the controller SSH key via the ssh-copy-id command to the 3 server nodes you allow access FROM the nodes TO the server.

You have to do the same in reverse (ie. ssh-copy-id from each node TO the server) to allow access from the controller to the nodes.

dan m.
  • 1
  • 1
-1

check to see if the file exists on the nodes:

ssh user@node1 ls -la ~user/.ssh

Rex Mueller ESU3
  • 1