#1733 closed help (fixed)

ssh key puma to ARCHER problems

Reported by: cryder Owned by: willie
Priority: normal Component: PUMA
Keywords: SSH Cc:
Platform: PUMA UM Version: 7.8

Description

I've recently been having problems with my ssh-key from puma to archer. I've followed the instructions at https://puma.nerc.ac.uk/trac/UM_TUTORIAL/wiki/Ros/sshAgent with no luck.

The ssh key appears to be successfully created and copied to archer, but when I try:
cryder@puma:/home/cryder> ssh cryder@…
I get asked for my archer password.

Doing ssh-add from puma and entering my ssh passphrase works but doesn't resolve the above issue.

Thanks for any help,
Claire

Attachments (1)

login.txt (8.2 KB) - added by cryder 21 months ago.


Change History (26)

comment:1 Changed 21 months ago by willie

  • Keywords SSH added
  • Owner changed from um_support to willie
  • Status changed from new to accepted

Hi Claire,

Which step is the problem? Are there any messages reported?

Regards

Willie

comment:2 Changed 21 months ago by annette

Just to add it might be worth deleting the following file, then re-trying ssh-add:

rm ~/.ssh/environment.puma

Regards,
Annette

comment:3 Changed 21 months ago by cryder

Thanks,

Removing environment.puma and re-trying ssh-add doesn't solve the problem.

The problem seems to be that the ssh-key isn't working as I'm always asked for my archer password if I try to login to Archer from the command line on puma.

If I try to submit a job to archer from the umui, I get asked for my archer password, and then the job just hangs and never gets started on archer.

Thank you,
Claire

comment:4 Changed 21 months ago by willie

Hi Claire,

I think Step 2 of the setup process sometimes causes problems.

cat ~/.ssh/id_dsa.pub | ssh <username>@login.archer.ac.uk 'mkdir -p .ssh ; cat - >> ~/.ssh/authorized_keys'

Remember to replace username with your ARCHER username and note that there is a space after the second cat's dash. Once you do this it will ask for your ARCHER password, which you should enter, and thereafter you should be able to

  ssh cryder@login.archer.ac.uk

and it should let you in straight away. If it doesn't, please let me know of any messages that appear.

Regards

Willie

comment:5 Changed 21 months ago by cryder

Hi Willie,

Thanks - I still can't get it to work - this is what I've been getting (no error messages, just that ssh cryder@… still asks for my password rather than letting me in):

puma:> ssh-keygen -f ~/.ssh/id_rsa -C "cryder@…"
Generating public/private rsa key pair.
/home/cryder/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/cryder/.ssh/id_rsa.
Your public key has been saved in /home/cryder/.ssh/id_rsa.pub.
The key fingerprint is:
cc:e9:90:f5:02:61:b1:c5:9f:22:27:4c:00:26:cf:37 cryder@…
The key's randomart image is:
+--[ RSA 2048]----+
|. o...+o. |
| = ..+. |
| o Eoo .. . |
| . .+*ooo |
| o+S.. |
| o . |
| . |
| |
| |
+-----------------+

cryder@puma:> cat ~/.ssh/id_rsa.pub | ssh cryder@… 'mkdir -p .ssh ; cat - >> ~/.ssh/authorized_keys'


This is a private computing facility. Access to this service is limited to those
who have been granted access by the operating service provider on behalf of the
contracting authority and use is restricted to the purposes for which access was
granted. All access and usage are governed by the terms and conditions of access
agreed to by all registered users and are thus subject to the provisions of the
Computer Misuse Act, 1990 under which unauthorised use is a criminal offence.

If you are not authorised to use this service you must disconnect immediately.


Password:
[I enter password and cat seems successful]

cryder@puma:/home/cryder> ssh cryder@…


This is a private computing facility. Access to this service is limited to those
who have been granted access by the operating service provider on behalf of the
contracting authority and use is restricted to the purposes for which access was
granted. All access and usage are governed by the terms and conditions of access
agreed to by all registered users and are thus subject to the provisions of the
Computer Misuse Act, 1990 under which unauthorised use is a criminal offence.

If you are not authorised to use this service you must disconnect immediately.


Password:
[I get asked for password, rather than getting straight in or being asked for passphrase..]

comment:6 Changed 21 months ago by willie

Hi Claire,

You have done everything correctly. The last banner message before the final password request shows that you have accessed ARCHER. I think something on the ARCHER side is asking for a password. Could you therefore login to ARCHER using your password and look in your authorized_keys file:

tail -2 ~cryder/.ssh/authorized_keys

The last entry should end with the "-C" string you typed above when you generated the key i.e. probably cryder@….

Then hide some files:

 mv .bashrc .bashrc.old
 mv .profile .profile.old

Log out and then try to SSH in as before. Let me know what happens, please.

Regards
Willie

comment:7 Changed 21 months ago by cryder

Hi Willie,

Still no success, this is what happens:

On Archer:
cryder@eslogin003:~> tail -2 ~cryder/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEArno19aQnWd3TPeEqcN3voUiKecWZ1laj91uQhqM3eC6aqpnUqg/3+lV9CQcJJjmno4GL8Ke0gjC5LRFfweiK78RpgqbFIU7CuVScNamEx/h9C0AfpCrpQK/44iadRHZfaPXi3GnCr3RJ10oPSrczUHJCw0I6oUlqBr3tmpY6z/FVDF3EtKiaECARZKmDin2xPCSNvxRTHO+QSi9EFU58GYB3y6bvtRx5wne2glAhL4yZLaQf3YAO8IVMCK+yiCkLqfwEEnMCCmZW98GliEwpPy7dGaknYaENeCoOaCy1HBFeoI0CLCK/Sb4SYAZ2v0x9RVVyTx0yv+pii/W7W2JGzw== cryder@…
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA3q+wHShy8lvsm+4iwuihxKsjQteaXiNOGqroDbw5OCrlAHs0jTaRGcCUZY1YTaFHxabZ4orH0/nUalEj9DuMVxdJqRmNQG/swwFpmJX5rS+QOVAsiYHMkhF7ox08drnMbqy3nwNY7orP95s3bfKfcWbbJkYVTR7XbzPCqeWS2dGRBZ9zVMmgE0nB9rvBGvLKuc3WuTAYC6ZIFt4B9zYAMBeEPE/pVZPKb+VxcHxnFqUu4/M2uPdTEzIzCQcsIawujIlywQiICV+cI1LV2ZaHQCWwm2PvkMPxHdopk91SlJ0X6RLv4dwdMZhxTXBTx9douE9sqwj3sN4vZAR0rb9WIw== cryder@…

[Seems to end with cryder@… rather than cryder@…
Then I move the .profile and .bashrc files as suggested, logout, and from puma:]

cryder@puma:/home/cryder> ssh-add
Enter passphrase for /home/cryder/.ssh/id_rsa:
Identity added: /home/cryder/.ssh/id_rsa (/home/cryder/.ssh/id_rsa)
Identity added: /home/cryder/.ssh/id_dsa (/home/cryder/.ssh/id_dsa)
cryder@puma:/home/cryder> ssh cryder@…


This is a private computing facility. Access to this service is limited to those
who have been granted access by the operating service provider on behalf of the
contracting authority and use is restricted to the purposes for which access was
granted. All access and usage are governed by the terms and conditions of access
agreed to by all registered users and are thus subject to the provisions of the
Computer Misuse Act, 1990 under which unauthorised use is a criminal offence.

If you are not authorised to use this service you must disconnect immediately.


Password:

[So still being asked for my password. Previously I've needed to do ssh-add every time I login to puma, so I'm still doing this].

Thanks,
Claire

comment:8 Changed 21 months ago by willie

Hi Claire,

Could you do the following on PUMA,

   ssh -vvv cryder@login.archer.ac.uk > login.txt 2>&1

and after you've logged into ARCHER, logout again and attach the output to the ticket.

Regards

Willie

comment:9 Changed 21 months ago by willie

Also Claire,

Could you

 cd ~/.ssh
 ls -la

on ARCHER and let me know the results.

Thanks
Willie

comment:10 Changed 21 months ago by willie

One more thing Claire,

Again on ARCHER, let me know the result of

cd ~/.ssh
file *

Thanks
Willie

comment:11 Changed 21 months ago by cryder

Hi Willie,

cd ~/.ssh

file *

gives:
eslogin006:cryder$ cd ~/.ssh
eslogin006:cryder$ file *
authorized_keys: ASCII text, with very long lines
known_hosts: ASCII text, with very long lines

cryder@puma:/home/cryder> ssh -vvv cryder@… > login.txt 2>&1
Password:

Just hangs once I've entered my password, never gets anywhere.

eslogin006:cryder$ cd ~/.ssh
eslogin006:cryder$ ls -la
total 16
drwx--S--- 2 cryder n02 4096 Nov 18 13:10 .
drwxrwsrwx 7 cryder n02 4096 Nov 30 09:53 ..
-rwx------ 1 cryder n02 1616 Nov 26 15:20 authorized_keys
-rwx------ 1 cryder n02 641 Mar 19 2015 known_hosts

comment:12 Changed 21 months ago by willie

Hi Claire,

Thanks. I can see the login.txt file and it shows that it is rejecting both your RSA and DSA keys that you have on PUMA. I think the thing to do is

  • hide your RSA keys on PUMA ( i.e. attach .old to file name)
  • hide your authorized_keys file on ARCHER
  • repeat steps 2 and 3 of the SSH instructions (there is no need to generate any new keys)

This should work (!)

regards

Willie

comment:13 Changed 21 months ago by cryder

Hi Willie,

Still no success I'm afraid, but perhaps I haven't understood the instructions properly.

If I hide the RSA keys on puma (do I need to hide the DSA keys too? I've assumed I do, but trying this both ways made no difference), then when I do step 2 (cat of the id_rsa.pub file to archer) it creates an authorized_keys file on archer which is empty.

I also tried doing this in the order:
hide archer authorized_keys file
step 2 (cat)
hide RSA (and DSA) keys on puma
ssh to archer

Either way I'm still asked for my Archer password.

Thanks,
Claire

comment:14 Changed 21 months ago by willie

Hi Claire,

No, it's just the RSA key you need to hide. You need the DSA key to establish the SSH connections. When you do step 2, it is the DSA public key that you should be transferring.

So to be specific,

  • make sure you unhide the DSA key on PUMA (keep the RSA key hidden)
  • make sure that the ARCHER authorized keys file is empty or doesn't exist
  • on PUMA perform step 2 with the DSA key

Then it should work.

Regards

Willie

comment:15 Changed 21 months ago by cryder

Hi Willie,

Just to check I'm doing this correctly:
I've moved my archer authorized_keys file to a .old version
Puma DSA key is as normal, RSA key hidden

Perform step 2:
https://puma.nerc.ac.uk/trac/UM_TUTORIAL/wiki/sshAgent
transfers the RSA key:
cat ~/.ssh/id_rsa.pub | ssh cryder@… 'mkdir -p .ssh ; cat - >> ~/.ssh/authorized_keys'
So I tried it with the file id_dsa.pub file instead of id_rsa.pub - but either way I'm still asked for an ARCHER password when I do ssh cryder@…

Is that correct?
Thanks,
Claire

comment:16 Changed 21 months ago by willie

Hi Claire,

OK so the last step you did was to transfer the DSA key? Could you now please

 ssh -vvv cryder@login.archer.ac.uk 2> login.txt

This is a slightly different command from the one I asked you to do earlier. If it asks for a password, control C or Control D it and either let me know or attach the login.txt to the ticket.

Thanks

Willie

Changed 21 months ago by cryder

comment:17 Changed 21 months ago by cryder

Hi Willie,

I got asked for a password and did control C. I've attached the login.txt file here.

Thanks,
Claire

comment:18 Changed 21 months ago by willie

Thanks Claire,

Could you

cd /home/cryder/.ssh
ls -la 

and let me have the result please.

Willie

comment:19 Changed 21 months ago by willie

Sorry, on PUMA that is.

comment:20 Changed 21 months ago by willie

Hi Claire,

I think that some of your file permissions on ARCHER may be causing problems.

Try, on ARCHER,

chmod 740 ~cryder
chmod 600 ~/.ssh

and then try to SSH in from PUMA.

Regards

Willie

comment:21 Changed 21 months ago by cryder

Hi Willie,

cryder@puma:/home/cryder/.ssh> ls -la
total 36
drwx------ 2 cryder users 4096 2015-11-30 15:43 .
drwxr-xr-x 9 cryder users 4096 2015-12-01 09:56 ..
-rwx------ 1 cryder users 133 2015-11-26 15:08 environment.puma
-rwx------ 1 cryder users 1743 2015-11-18 12:57 id_dsa
-rwx------ 1 cryder users 404 2015-11-18 12:57 id_dsa.pub
-rwx------ 1 cryder users 1743 2015-11-26 15:17 id_rsa.old
-rwx------ 1 cryder users 404 2015-11-26 15:17 id_rsa.pub.old
-rwx------ 1 cryder users 3589 2014-11-27 09:46 known_hosts
-rwx------ 1 cryder users 781 2014-05-28 12:02 setup

I also tried the chmod commands, but I still get asked for my password.

Would it help if I came over to Met (I'm in Lyle) to try various options? I go on maternity leave a week on Thurs so I'm keen to try and get things working asap.

Thanks,
Claire

comment:22 Changed 21 months ago by willie

Hi Claire,

Yes, that'll be great. I'll summarize here afterwards.

Willie

comment:23 Changed 21 months ago by cryder

Thanks, is now a good time?

Claire

comment:24 Changed 21 months ago by willie

Summary
Now working.
The .ssh directory needed

chmod 700 ~/.ssh

If both RSA and DSA keys are used, both must be transferred to the authorized keys file; if only one is used, it must be the same one on PUMA and ARCHER.
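
The conditions this ticket converged on (directory modes in comment:20 and comment:24, and the client key matching an authorized_keys entry) can be checked with a short script run on the server side. This is an added example, not part of the original ticket; the function names are made up here, and it checks mode bits only, not file ownership.

```shell
#!/bin/sh
# Added example (not from the ticket). Run on the machine you SSH into.

# mode_of PATH: print octal permission bits (GNU stat first, BSD stat as fallback).
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# audit_ssh_dir HOME_DIR: print one line per problem; return the number of problems.
audit_ssh_dir() {
    home=$1; problems=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING $p"; problems=$((problems + 1)); break
        fi
        m=$(mode_of "$p")
        # sshd StrictModes: none of the three may be group- or world-writable.
        if [ $(( 0$m & 022 )) -ne 0 ]; then
            echo "WRITABLE-BY-OTHERS $p (mode $m)"; problems=$((problems + 1))
        fi
        # A directory without the owner search bit (e.g. chmod 600) cannot be
        # entered, so nothing below it can be read; stop here.
        if [ -d "$p" ] && [ $(( 0$m & 0100 )) -eq 0 ]; then
            echo "NO-SEARCH-BIT $p (mode $m)"; problems=$((problems + 1)); break
        fi
    done
    return "$problems"
}

# key_is_authorized PUBFILE AUTHFILE: succeed if the key blob (second field of
# the .pub file) occurs in AUTHFILE. Key comments such as user@host are ignored.
key_is_authorized() {
    blob=$(awk 'NR == 1 { print $2 }' "$1")
    [ -n "$blob" ] && grep -qF -- "$blob" "$2"
}

# Usage: sh audit.sh /home/<user>   (script name is hypothetical)
if [ $# -gt 0 ]; then audit_ssh_dir "$1"; fi
```

To test the key match, copy the client's `.pub` file to the server and pass it with `~/.ssh/authorized_keys` to `key_is_authorized`; comparing the key blob rather than the trailing comment avoids being misled by the `-C` string.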

comment:25 Changed 21 months ago by willie

  • Resolution set to fixed
  • Status changed from accepted to closed