SSH: Possible to forward password authentication to command executed on remote machine

ssh ssh-keys

A quick background on what exactly I'm trying to do:

I frequently have to set up public key authentication from remote clients to my local machine. I'm attempting to automate this process a bit by being able to run a script which will via SSH do 2 things sequentially:

1) Via password authenticated SSH, use ssh-keygen on remote machine and generate an RSA key and save it in a predefined spot

2) Take key on remote machine and set it up so the remote machine can pub-key authenticate with local machine.

I've attempted to do #2 similarly to how I did #1 with using ssh-copy-id in a ssh session. However I get only one password prompt, the prompt for the initial SSH connection. ssh-copy-id requires a password authentication at this point, however SSH doesn't send back the password prompt, and instead I get an output like the following:

```
[localUser@localhost ~]$ ssh remoteUser@remoteIP ssh-copy-id -i ~/authenticationKey localuser@localhost
remoteUser@remoteIP's password: [ENTER]
Permission denied, please try again.
Permission denied, please try again.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
```

I should note here as well, that through debug messages I've already determined that the ssh command is connecting successfully. The permission denied messages are coming from ssh-copy-id, and not ssh.

It seems to me that it's a problem with the password prompt not propagating back to the shell from the remote client, or that SSH is attempting to submit a password that I don't know (or at least doesn't work).

I suppose that I could do it manually as a workaround by making use of scp, but I'm also partially interested in knowing if there is a way to do this, or at least what ssh is doing here.

Thanks for any help you can give me!

-Bleck H.

Best Answer

It would be simpler to use ssh-copy-id locally or just use cat to copy the public key to the local authorized_keys. Here's how I did it.

  1. From local, ssh to remote and use `ssh-keygen` as in your step #1
  2. From local, scp the public key from remote to local file tmp.pub
  3. On local, `cat tmp.pub >> /home/jimmy/.ssh/authorized_keys`

If you append your own public key to the remote user's authorized_keys in step #1, then you can do step #2 without re-entering a password.

Your ssh command ssh-copy-id is executed in a sub-shell on the remote without a tty, so you see the output echoed back to your local, but your local input doesn't get to the remote sub-shell. On my machine (Debian Wheezy) I did:

```
yba@tavas:~$ ssh localhost ssh localhost
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
Enter passphrase for key '/home/yba/.ssh/id_rsa': 
Pseudo-terminal will not be allocated because stdin is not a terminal.
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
Permission denied, please try again.
Permission denied, please try again.
Permission denied (publickey,password).
yba@tavas:~$ 
```

Note the reason that is printed, "Pseudo-terminal will not be allocated because stdin is not a terminal". The result is the same as if you pressed the enter key twice on the remote with no password.
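
Steps 2 and 3 of the answer above as a script, with checks on the fetched file before it is appended to `authorized_keys`. This is an added example, not part of the original answer; the function names, their arguments and the list of accepted key types are assumptions.

```shell
#!/bin/sh
# Added example: fetch a remote public key and append it locally with checks.

# install_pubkey PUBFILE AUTHFILE
# Returns 0 = appended, 1 = input rejected, 2 = key already present.
install_pubkey() {
    pub=$1
    auth=$2
    # The fetched file must hold exactly one non-empty line.
    [ -f "$pub" ] || return 1
    [ "$(grep -c . "$pub")" -eq 1 ] || return 1
    key=$(grep . "$pub")
    # Accept only "type base64 [comment]". This rejects private keys and
    # lines that start with authorized_keys options such as command="...".
    printf '%s\n' "$key" | grep -Eq \
        '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$' \
        || return 1
    # With StrictModes (the sshd default), group- or world-writable
    # ~/.ssh or authorized_keys is refused, so set the modes explicitly.
    dir=$(dirname "$auth")
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1
    # Skip duplicates, comparing key type and blob only (comments may differ).
    blob=$(printf '%s\n' "$key" | cut -d' ' -f1,2)
    if grep -qF -- "$blob" "$auth"; then
        return 2
    fi
    # Make sure the new entry starts on its own line.
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then
        echo >> "$auth"
    fi
    printf '%s\n' "$key" >> "$auth"
}

# fetch_and_install REMOTE REMOTE_PUB [AUTHFILE]
# REMOTE is user@host; REMOTE_PUB is the .pub path written by ssh-keygen.
fetch_and_install() {
    tmp=$(mktemp) || return 1
    rc=0
    scp -q "$1:$2" "$tmp" || rc=1
    [ "$rc" -ne 0 ] || install_pubkey "$tmp" "${3:-$HOME/.ssh/authorized_keys}" || rc=$?
    rm -f "$tmp"
    return "$rc"
}
```

Because `scp` runs from the local terminal, its password prompt reaches you directly, which avoids the missing-tty failure shown above.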