SSH Unexpectedly Not Prompting for Password

+1 vote

I have a question about SSH that I can't seem to figure out. Here is the situation:

4 servers on RHEL 6.3

One server has a local account ("teddy"). SSH key pairs have been set up between this "teddy" account and the other 3 servers on a different local account common to the other 3 servers ("bear"), but not present on the "teddy" server. These 3 servers do not have a "teddy" account.

Now, I am able to ssh without password between the 3 "bear" servers using the "bear" account without a password. This behavior is undesired as it bypasses some key controls.

I figure what must be happening here is that since the 3 "bear" servers have the same public key that points to the "teddy" server, they must be using that fourth server as some type of "witness" to verify the identity of the user making the ssh connection, bypassing the password for the "bear" account. I have disabled AgentForwarding on all 4 servers in question, as well as X11Forwarding. This has not helped.

What is going on here and how do I avoid it?

posted May 14, 2013 by anonymous


4 Answers

0 votes

SSH doesn't work that way. There is no ability to be a "witness".

SSH keys are independent of the local user account. All that's necessary is for a particular user to have the public key in its authorized keys file and then SSH will use public key authentication vs password-based.

Check out /var/log/secure to see how you are logging in. Look at /home/*/.ssh/authorized_keys to see who has what keys.

answer May 14, 2013 by anonymous
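The log check suggested in the answer above, as an added example that is not part of the original answer: it groups sshd's "Accepted ..." lines by user, source address and authentication method, then lists public-key logins from hosts that are not supposed to hold a key. The log lines, addresses and the choice of 10.0.0.10 as the "teddy" server are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample in the format sshd writes to /var/log/secure
# (hostnames, addresses and PIDs are made up for this example).
SAMPLE_LOG = """\
May 14 09:58:01 bear1 sshd[2301]: Accepted publickey for bear from 10.0.0.10 port 40122 ssh2
May 14 10:02:11 bear1 sshd[2345]: Accepted publickey for bear from 10.0.0.12 port 51500 ssh2
May 14 10:05:40 bear1 sshd[2399]: Accepted password for bear from 10.0.0.50 port 51877 ssh2
May 14 10:06:02 bear1 sshd[2410]: Failed password for root from 10.0.0.99 port 40001 ssh2
May 14 10:07:13 bear1 sshd[2411]: pam_unix(sshd:session): session opened for user bear by (uid=0)
"""

ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def summarize_logins(log_text):
    """Count successful logins per (user, source address, auth method)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if m:
            counts[(m.group("user"), m.group("src"), m.group("method"))] += 1
    return counts

def unexpected_pubkey_logins(counts, allowed_sources):
    """Public-key logins from hosts that are not expected to hold a key."""
    return sorted(
        (user, src) for (user, src, method) in counts
        if method == "publickey" and src not in allowed_sources
    )

if __name__ == "__main__":
    counts = summarize_logins(SAMPLE_LOG)
    for (user, src, method), n in sorted(counts.items()):
        print(f"{user:8} {src:12} {method:10} {n}")
    # Assumption: 10.0.0.10 is the "teddy" server, the only intended key holder.
    print(unexpected_pubkey_logins(counts, {"10.0.0.10"}))
```

On a real host, pass the contents of /var/log/secure instead of `SAMPLE_LOG`.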
0 votes

As someone else said, ssh doesn't work that way. Question 1: where's your
home directory - it's not NFS mounted, is it? Second, did you do an
ssh-add on teddy, first? Third, are you doing ssh -A?

answer May 14, 2013 by anonymous
0 votes

Well, something is certainly accepting the pubkey so it could be AgentForwarding.

If you echo $SSH_AUTH_SOCK, is the variable defined?

And does a process list show ssh-agent running?

Also, check /etc/ssh to see if there's an authorized keys file there.

answer May 14, 2013 by anonymous
0 votes

If I'm understanding correctly, you have the "teddy" key set in "bear's"
authorized_keys file, and you also have "bear" using the same "teddy" key.
Use the -v flag when doing the ssh to verify what key the client is using;
I think you'll see that it is using the "teddy" pub key which you placed in
"bear's" .ssh dir.

I'm currently using a key created on a long dead box to connect to the
console of a VPS I have, mostly 'cause I'm too lazy to create a new one.
Every time I log in it says using pub from "@".

answer May 14, 2013 by anonymous
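An added example, not part of the original answers, for the authorized_keys review in the first answer and the key reuse described in the last one: it flags accounts whose own key also appears in their authorized_keys. It assumes a `*.pub` file in an account's `.ssh` directory means the matching private key is there too; the sample accounts and key blobs are constructed placeholders.

```python
import glob
import os

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-")

def key_blobs(text):
    """Return the set of base64 key blobs in authorized_keys or .pub text."""
    blobs = set()
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # Skip leading options (command="...", no-pty, ...) up to the key type.
        for i, field in enumerate(fields[:-1]):
            if field.startswith(KEY_TYPES):
                blobs.add(fields[i + 1])
                break
    return blobs

def read_all(paths):
    """Concatenate the contents of the given files."""
    text = ""
    for path in paths:
        with open(path, errors="replace") as fh:
            text += fh.read() + "\n"
    return text

def load_host(home_glob="/home/*/.ssh"):
    """Map each local account to (authorized blobs, blobs of its own *.pub files)."""
    host = {}
    for d in glob.glob(home_glob):
        user = os.path.basename(os.path.dirname(d))
        auth = read_all(glob.glob(os.path.join(d, "authorized_keys*")))
        pubs = read_all(glob.glob(os.path.join(d, "*.pub")))
        host[user] = (key_blobs(auth), key_blobs(pubs))
    return host

def self_authorizing(host):
    """Accounts whose own identity key is also listed in their authorized_keys."""
    return sorted(u for u, (auth, own) in host.items() if auth & own)

# Constructed sample of one "bear" server; blobs are placeholders, not real keys.
SAMPLE = {
    "bear": (key_blobs("no-port-forwarding ssh-rsa AAAAB3TEDDYKEY teddy@teddyhost\n"),
             key_blobs("ssh-rsa AAAAB3TEDDYKEY teddy@teddyhost\n")),
    "svc": (key_blobs("# rotated 2013\nssh-rsa AAAAB3OTHERKEY ops@jump\n"),
            key_blobs("ssh-rsa AAAAB3SVCKEY svc@bear1\n")),
}

if __name__ == "__main__":
    print(self_authorizing(SAMPLE))
```

Run as root on each server with `self_authorizing(load_host())`; any account it lists can log in to itself, and to every other host carrying the same `.ssh` contents, without a password.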
Similar Questions
0 votes

two remote servers running same version of ssh:

Sun_SSH_1.1, SSH protocols 1.5/2.0, OpenSSL 0x0090700f
OS ver: SunOS host1 5.9 Generic_118558-25 sun4u sparc SUNW,UltraAX-i2

I am able to log into one, but not into another....
The error I am getting is: on the 'bad' server I am not getting the Unix prompt. I am not sure why? Can someone help?

+2 votes

I have a function in Python (assume that I have imported all necessary modules):

 def DL_Iperf(args):

This function is actually a thread, and it will be created for as many UEs as I have (e.g. if I have 1 UE then 1 thread will be created).

So, if I have 1 UE / 2 UEs then it works, but if I have 3 UEs then it fails with the error "Paramiko : Error reading SSH protocol banner".

Below is the stderr of the script:

    No handlers could be found for logger "paramiko.transport"

    Unhandled exception in thread started by <function DL_Iperf at 0x02B8ACF0>
    Traceback (most recent call last):

    File "C:\Users\qxdm-5\Desktop\Chirag\LTE_11_Perfect_Working\TCP_Latest_2\Windows_UE\", line 379, in DL_Iperf


    File "build\bdist.win32\egg\paramiko\", line 295, in connect

    File "build\bdist.win32\egg\paramiko\", line 451, in start_client

    paramiko.SSHException: Error reading SSH protocol banner

From some references I found that this is because of some network-related issue, but my question is: if it is network related, then why do I get this error every time on the 3rd call of the function? And how do I resolve it?

+2 votes

Is there a way to use two different keys for ssh authentication on one machine for the same user to log in to the same server? I need one key for svn+ssh to run a command on the remote server and the other key to log in and work from the shell on that same server.

+5 votes

We access our Subversion repositories mainly via svn+ssh:// on a central server. We limit access to the repos using Unix group membership. For example, the repo for ProjectA has 770 permissions and belongs to GroupA and ProjectB also has 770 permission and belongs to GroupB. So users who are in GroupA can access ProjectA and users in GroupB can access ProjectB. The file permissions look like this:

 drwxrws--- 7 svn GroupA 4096 Dec 27 2009 ProjectA
 drwxrws--- 7 svn GroupB 4096 Dec 27 2009 ProjectB

Everything is working as expected so far. Users in each group can only access their respective projects, and users in both groups can access both projects. But now we want to prevent a subset of users in GroupB from accessing certain subtrees of ProjectB. Can this be done when using svn+ssh:// access? If so, how?