[belug-l] Password prompt for rsync/ssh although a key exists

Stephan Hesse stehesse at web.de
Mon Dec 20 10:31:02 CET 2010


Hello Linux folks,

I am getting a password prompt where I don't expect one.

Backup server (Ubuntu 10.10) (ssh server+client) = the server that is supposed to fetch
data via rsync from the Solaris server (ssh server+client) (Solaris 11 Express).
It is not a Solaris problem, because I did the same thing again with a client under
Ubuntu 10.04, with the same error and result.

On the backup server, as "backupuser", generated an ssh key with $ ssh-keygen -t dsa.
No password used! Copied the contents of id_dsa.pub to the Solaris server
into /home/backupuser/.ssh/authorized_keys. ssh -p 57876 solarisserver
	works flawlessly without a password prompt!
I also did ln -s ~/.ssh/authorized_keys ~/.ssh/authorized_keys2.

Then inserted into /home/backupuser/.ssh/authorized_keys:
command="/usr/bin/sudo /usr/bin/rsync --server --sender -vlogDtprz --delete-excluded
--numeric-ids . /"

Below, starting at #1##, is the command that otherwise always worked (manually or
via cron job). Now I am asked for a password. I cannot get rid of it for the life
of me. For years I have been running my rsync over ssh on this box successfully with
OpenSolaris and Ubuntu 8/9. Now it hangs with a password prompt. A manual rsync in
the opposite direction over ssh from the Solaris server to the Ubuntu server works
flawlessly. So no firewall problems or the like.

Where is the problem?

MANY thanks for any tips!
Regards, Stephan

#1##
/usr/bin/sudo /home/backupuser/bin/backup-rsync solarisserver \
&>/home/backup/logme.log
# asks for the password 3 times, which is the problem; this has to
# work without one!
Password:
Password:
Password:
And aborts. Even when a password is entered, the system does not accept a valid
password. ""
Starting rsync backup from solarisserver...
OpenSSH_5.5p1 Debian-4ubuntu4, OpenSSL 0.9.8o 01 Jun 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to solarisserver [192.168.18.11] port 57876.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug2: key_type_from_name: unknown key type '-----END'
debug1: identity file /home/backupuser/.ssh/id_dsa type 2
debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
debug1: identity file /home/backupuser/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version Sun_SSH_1.5
debug1: no match: Sun_SSH_1.5
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.5p1 Debian-4ubuntu4
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour128,arcfour256,arcfour
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour128,arcfour256,arcfour
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: af-ZA,ar-EG,as-IN,az-AZ,be-BY,bg-BG,bn-IN,bs-BA,ca-ES,cs-CZ,da-DK,de-DE,el-GR,en-US,es-ES,et-EE,fi-FI,fr-FR,gu-IN,he-IL,hi-IN,hr-HR,hu-HU,hy-AM,id-ID,is-IS,it-IT,ja-JP,ka-GE,kk-KZ,kn-IN,ko-KR,ks-IN,ku-TR,ky-KG,lt-LT,lv-LV,mk-MK,ml-IN,mr-IN,ms-MY,mt-MT,nb-NO,nl-NL,nn-NO,or-IN,pa-IN,pl-PL,pt-BR,pt-PT,ro-RO,ru-RU,sa-IN,sk-SK,sl-SI,sq-AL,sr-RS,sv-SE,th-TH,tr-TR,uk-UA,vi-VN,zh-CN,i-default,zh-TW
debug2: kex_parse_kexinit: af-ZA,ar-EG,as-IN,az-AZ,be-BY,bg-BG,bn-IN,bs-BA,ca-ES,cs-CZ,da-DK,de-DE,el-GR,en-US,es-ES,et-EE,fi-FI,fr-FR,gu-IN,he-IL,hi-IN,hr-HR,hu-HU,hy-AM,id-ID,is-IS,it-IT,ja-JP,ka-GE,kk-KZ,kn-IN,ko-KR,ks-IN,ku-TR,ky-KG,lt-LT,lv-LV,mk-MK,ml-IN,mr-IN,ms-MY,mt-MT,nb-NO,nl-NL,nn-NO,or-IN,pa-IN,pl-PL,pt-BR,pt-PT,ro-RO,ru-RU,sa-IN,sk-SK,sl-SI,sq-AL,sr-RS,sv-SE,th-TH,tr-TR,uk-UA,vi-VN,zh-CN,i-default,zh-TW
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 130/256
debug2: bits set: 528/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: checking without port identifier
debug1: Host 'solarisserver' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug1: found matching key w/out port
debug2: bits set: 544/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/backupuser/.ssh/id_dsa (0x21e4b130)
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
Credentials cache file '/tmp/krb5cc_0' not found

debug1: Unspecified GSS failure.  Minor code may provide more information
Credentials cache file '/tmp/krb5cc_0' not found

debug1: Unspecified GSS failure.  Minor code may provide more information
debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
debug1: Offering public key: /home/backupuser/.ssh/id_dsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive).
rsync: connection unexpectedly closed (0 bytes received so far) [Receiver]
rsync error: unexplained error (code 255) at io.c(601) [Receiver=3.0.7]
Fatal: rsync finished solarisserver with errors!
Finished rsync backup from solarisserver...
""
!! This is how I think it should look !!
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/rsynci/.ssh/id_rsa
debug3: no such identity: /home/rsynci/.ssh/id_rsa
debug1: Offering public key: /home/rsynci/.ssh/id_dsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-dss blen 435
debug2: input_userauth_pk_ok: fp 8a:c9:af:fe:ac:4c:ad:ca:09:3f:2e:cc:00:53:46:1c
debug3: sign_and_send_pubkey
debug1: read PEM private key done: type DSA
debug1: Authentication succeeded (publickey).
##############################
sudo more /etc/sudoers on the Ubuntu 10.10 backup server

root    ALL=(ALL) ALL
%sudo ALL=(ALL) ALL
%admin ALL=(ALL) ALL
backupuser ALL=(root) NOPASSWD:ALL
###############################
ste@backupserver:~$ id backupuser		on the Ubuntu 10.10 backup server

uid=2003(backupuser) gid=2003(backupuser)
Gruppen=2003(backupuser),20(dialout),24(cdrom),27(sudo),29(audio),44(video),46(plugdev),104(fuse),119(admin),1002(burning)
###############################
cat /tank/users/backupuser/.ssh/authorized_keys		on the Solaris server

command="/usr/bin/sudo /usr/bin/rsync --server --sender -vlogDtprz --delete-excluded
--numeric-ids . /" ssh-dss AAAAB3NzaC1k...key  blablubb 7g== backupuser@backupserver
#############
root@solarisserver:~# ls -l /tank/users/backupuser/.ssh/
total 5
-rw------- 1 backupuser staff 2016 2010-12-17 10:23 authorized_keys
lrwxrwxrwx 1 backupuser staff   15 2010-12-16 15:01 authorized_keys2 -> authorized_keys
-rw------- 1 backupuser staff  403 2010-12-17 09:57 known_hosts
###############################
root@solarisserver:~# cat /etc/sudoers
##
## User privilege specification
##
root ALL=(ALL) ALL
%sudo   ALL=(ALL) ALL
admin ALL=(ALL) ALL
backupuser ALL=(ALL) NOPASSWD: /usr/bin/rsync *
#backupuser ALL=(root) NOPASSWD: ALL
#backupuser ALL=(ALL) ALL
# tried the commented-out settings without success!
##################################
root@solarisserver:~# cat /etc/group
root::0:
other::1:root
bin::2:root,daemon
sys::3:root,bin,adm,backupuser
adm::4:root,daemon,backupuser
uucp::5:root
mail::6:root
tty::7:root,adm
lp::8:root,adm
nuucp::9:root
staff::10:
daemon::12:root
sysadmin::14:backupuser
games::20:
smmsp::25:
gdm::50:
upnp::52:
xvm::60:
netadm::65:
mysql::70:
openldap::75:
webservd::80:
postgres::90:
slocate::95:
unknown::96:
nobody::60001:
noaccess::60002:
nogroup::65534:
pkg5srv::97:
users::100:
##########################################
Excerpt from my bin/backup-rsync script on the backup server
rsync -avz --numeric-ids -e 'ssh -vv -p 57876 -i /home/backupuser/.ssh/id_dsa' \
        --delete --delete-excluded                              \
        --exclude-from="$EXCLUDES"  $EXTRAOPT                   \
        $SERVER:/ $DATA_PATH/$SERVER/daily.0
################################
Solaris server	/etc/ssh/sshd_config
Protocol 2
Port 57876
ListenAddress ::
GatewayPorts no
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
PrintMotd no
KeepAlive yes
SyslogFacility auth
LogLevel info
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
ServerKeyBits 768
KeyRegenerationInterval 3600
StrictModes yes
AuthorizedKeysFile      %h/.ssh/authorized_keys
LoginGraceTime 600
MaxAuthTries    6
MaxAuthTriesLog 3
PermitEmptyPasswords yes
PasswordAuthentication yes
PermitRootLogin yes
Subsystem       sftp    internal-sftp
IgnoreRhosts yes
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
################################################
Backup server (Ubuntu 10.10)	/etc/ssh/sshd_config
Port 59111
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 768
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      %h/.ssh/authorized_keys
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords yes
ChallengeResponseAuthentication no
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
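As an added example (not part of Stephan's post), a small Python lint for the authorized_keys pitfalls a forced-command entry like the one above is exposed to: a command="..." entry that ends up wrapped onto a second line has an unterminated quote and no key on either line, so sshd cannot match the offered key and the client falls through to keyboard-interactive, exactly the symptom in the log. The sample entries and the dummy key blobs are constructed; the sudo/no-pty check is a hardening hint, not an sshd rule.

```python
# Lint OpenSSH authorized_keys entries for the formatting mistakes that make a forced-command
# entry unusable. Added example, not code from the original post; samples below are constructed.
import base64
import re

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256"}

def split_options(line):
    """(options, rest): the options field ends at the first space outside quotes."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quote = not in_quote
        elif ch == " " and not in_quote:
            return line[:i], line[i + 1:].lstrip()
    return line, ""  # no unquoted space: a quote never closed, or a bare token

def check_entry(line):
    """Problems found in one line; an empty list means sshd can parse it."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    problems = []
    if line.split()[0] in KEY_TYPES:  # entry without an options field
        options, rest = "", line
    else:
        options, rest = split_options(line)
        if options.count('"') % 2:
            problems.append("unterminated quote in options (entry wrapped onto a second line?)")
    parts = rest.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        return problems + ["no '<keytype> <base64 blob>' after the options: sshd skips this line"]
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError:
        return problems + ["key blob is not valid base64"]
    n = int.from_bytes(blob[:4], "big")  # the blob starts with a length-prefixed type name
    if blob[4:4 + n] != parts[0].encode():
        problems.append("blob type does not match the declared key type")
    m = re.search(r'command="([^"]*)"', options)
    if m and "sudo" in m.group(1) and "no-pty" not in options:
        problems.append("forced command runs sudo but the key is not restricted with no-pty")
    return problems
def make_blob(keytype):  # constructed dummy blob: only the leading type name is meaningful
    return base64.b64encode(len(keytype).to_bytes(4, "big") + keytype.encode() + b"\0" * 8).decode()
# Constructed sample: one correct entry, then the same entry wrapped onto two lines
CMD = "/usr/bin/sudo /usr/bin/rsync --server --sender -vlogDtprz --delete-excluded --numeric-ids . /"
GOOD = 'command="%s",no-pty,no-port-forwarding ssh-dss %s backupuser@backupserver' % (CMD, make_blob("ssh-dss"))
WRAPPED = ['command="/usr/bin/sudo /usr/bin/rsync --server --sender -vlogDtprz --delete-excluded',
           '--numeric-ids . /" ssh-dss %s backupuser@backupserver' % make_blob("ssh-dss")]
```

Run check_entry over each line of a real authorized_keys file; any non-empty result is an entry sshd will silently ignore or one that deserves tighter key restrictions.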