// Begin edit
I should note now that I've tinkered around a bit more, that everything works as intended if I use the "-i identity_file" switch when connecting from "Automation" and point that at the private key on the "Automation".
// End edit
There are three systems involved here.
1) Production
2) Workstation
3) Automation
Numbers 2 and 3 are on the same network, #1 is on a remote network. #3 does not have a monitor attached, it is managed via SSH from #2.
Now #2 has public/private keys available for, and is able to connect to #1 and #3 without a password just fine.
I need to connect to #1 from #3 in the same way. I first tried copying the keys #2 uses for #1 over to #3. I'm prompted for a password when I attempt to connect to #1 from #3. I've used ssh-keygen while logged into #3 and imported those keys to #1 just as I did when setting up #2 to connect to #1. I'm still prompted for a password.
Why am I being prompted for a password when connecting from #3 and not for #2?
The only difference I can think of is, when connecting from #3, I'm already remotely logged into #3 from #2.
Your initial question seemed to be asking about accessing multiple systems from each other using your ssh and I provided the answer suggesting ssh-agent (below). After reading your comments I now understand you to be having a different problem.
In your question you mentioned that you copied both the private and public key from your workstation to another computer to be used by the service you are trying to automate. This is a bad idea. SSH keys should really identify a single user or single service. Private keys should not be shared between you and a service account on another system. You should have created a new set of keys on your server.
I would guess the most likely reason you are having problems connecting is related to how you copied the keys from your workstation to the other system. OpenSSH is very picky about ownership and permission of keys. The private key should be owned by the user using it, and it should have permissions of 0600. If the key is readable by group/other then ssh will refuse to use it. If you provide the -v option to ssh when you are trying to connect you will see a complaint about the permissions of the key.
So my recommendation is that you generate a new set of keys for the service account on your automation host, and then transfer the public key to the other server.
Since it sounds like you trust those systems and all your connections are being initially created from the workstation, you could simply start an SSH agent on your workstation, add your key to the agent and enable Agent Forwarding in the client configuration on all your hosts.
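The ownership and permission rules described in the answer above can be checked before connecting. This is an added example, not code from the original answers; the function names are hypothetical, and the server-side check goes beyond the answer by assuming sshd's default StrictModes setting.

```shell
#!/bin/sh
# Added example (not from the original answers): pre-flight checks for
# key-based SSH logins. Paths passed in are chosen by the caller.

# Print "<mode string> <owner uid>" using POSIX `ls -ldn`, which behaves
# the same on GNU and BSD systems (stat(1) format flags do not).
mode_and_uid() {
    ls -ldn -- "$1" | awk '{ print substr($1, 1, 10), $3 }'
}

# Client side: the private key must belong to the invoking user and grant
# nothing to group/other.
# Returns 0 ok, 1 missing, 2 wrong owner, 3 permissions too open.
check_private_key() {
    [ -f "$1" ] || { echo "missing: $1"; return 1; }
    set -- "$1" $(mode_and_uid "$1")      # $1=path $2=mode $3=uid
    if [ "$3" != "$(id -u)" ]; then
        echo "wrong owner (uid $3): $1"; return 2
    fi
    case $2 in
        ????------) echo "ok ($2): $1" ;;
        *) echo "too open ($2): $1 (fix: chmod 600)"; return 3 ;;
    esac
}

# Server side (assumes sshd's default StrictModes yes): authorized_keys,
# ~/.ssh and the home directory must not be group- or world-writable.
# Returns 0 ok, 1 missing, 2 writable by group/other.
check_not_writable() {
    [ -e "$1" ] || { echo "missing: $1"; return 1; }
    set -- "$1" $(mode_and_uid "$1")
    case $2 in
        ?????w????|????????w?) echo "writable by group/other ($2): $1"; return 2 ;;
        *) echo "ok ($2): $1" ;;
    esac
}
```

Run check_private_key against the service account's private key on the automation host, and check_not_writable against that account's home directory, ~/.ssh and ~/.ssh/authorized_keys on the production host.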
If you're using OpenSSH, this is how you do what Zoredache suggested:
On machine-1, start an SSH agent (if not already running; GNOME, for example, starts one automatically):
Load your key into the agent (again, GNOME's gnome-keyring does this automatically; use ssh-add -l to list all keys):
Connect to machine-2, with agent forwarding enabled:
Once connected, verify that agent forwarding works:
And if it works, connect from machine-2 to machine-3, and then back to machine-1:
If everything worked, edit ~/.ssh/config and add: