Password less login for Sysstat

Started by andyclimb, 21 August 2013, 12:32:22


andyclimb

I've had a good search and a couple of attempts but I can't seem to get it to work. I'm trying to get fhem to fetch systats from two rPis.

I've defined systat with the IPs of the remote Pis... but they just say initialised..

Could anyone help?

My thoughts were to create .ssh keys, but the fhem user is not a normal user with a home directory etc. Apart from that I'm stuck!

Andrew

AM

justme1968

what do you mean with 'normal' user. what else would it be? what system is fhem running on?

the user on the fhem host has to be able to create a password less ssh connection to the target system. the user that is used on the target system can be configured with the ssh_user attribute on the sysstat device.

if you can not create a home directory for the fhem user and put the .ssh directory with the keys there you can use the IdentityFile parameter in the global ssh_config file to point to another location.

you also probably have to start the ssh connection at least once manually to answer the 'are you sure...' questions on the command line.

andre

edit: the sysstat module uses the ssh command line binary to create the connection. not a perl ssh library. so the ssh binary has to be there. i don't know if this is the case with a fritz box for example.
hue, tradfri, alexa-fhem, homebridge-fhem, LightScene, readingsGroup, ...

https://github.com/sponsors/justme-1968

andyclimb

Hi,

Thanks for the fast reply. I'm new to all this so I always fail to include all the information required to diagnose the problem.  I'll get there eventually.

I'm running fhem on an Ubuntu server 13.04.

The fhem processes run under the user fhem

andrew@lenovo:~$ id fhem
uid=999(fhem) gid=20(dialout) groups=20(dialout)

I'm familiar with ssh keys and have set up passwordless login before.

I've created a home directory and placed the keys there but I can't issue a "usermod -d /home/fhem fhem" as there is a process in use by fhem. If I shut fhem down, the process restarts; if I kill it, it restarts...

I've located the global ssh_config but what to put in there so that user fhem has access to its authorised_keys file in /home/fhem/.ssh/authorized_keys I'm not sure about.

Cheers

Andrew  

AM

justme1968

if you have a .ssh directory in the fhem home then you do not need to modify the global config file. authorized_keys is needed on the target host. not the fhem host.

you should start with ssh-keygen as user fhem on the fhem host to create your passwordless key pair. this will give you an id_xxx and an id_xxx.pub file in .ssh.

the contents of the pub file has to go into the known_hosts file in the .ssh directory of the target user on the target host.

then you should be able to use 'ssh <target_user>@<target_host>' as user fhem on the fhem host. the first time you will be asked one (or two) questions. the second time there should be no question any more.

use the target user for the ssh_user attribute in fhem.

andre

andyclimb

OK so i did some research..  

the fhem user details in the /etc/passwd file are

fhem:x:999:20::/opt/fhem:/bin/false

so the home directory of fhem is /opt/fhem and there is a .ssh folder in there.  I added the id_rsa key, changed owner to fhem and chmod 600
i then copied the corresponding id_rsa.pub file to the raspberry pi and added it to the authorized_keys file in the .ssh folder.

however, it still does not work.. the auth.log reads on the rPi

Aug 19 20:00:22 raspberrypi sshd[10572]: Connection closed by 192.168.1.209 [preauth]
Aug 19 20:00:22 raspberrypi sshd[10576]: Connection closed by 192.168.1.209 [preauth]
Aug 19 20:01:22 raspberrypi sshd[10595]: Connection closed by 192.168.1.209 [preauth]
Aug 19 20:01:22 raspberrypi sshd[10599]: Connection closed by 192.168.1.209 [preauth]


I could test it by sshing into the rPi as fhem but I can't log in as fhem, I can't su fhem as it requires a password that I don't know..
edit: I could change the password for the fhem user but I don't want to do that if it will screw up the running of fhem. I do not currently know how fhem is started.

A
AM

justme1968

on the raspberry pi target system you can use any account you like. only the user on the fhem host is fixed to the fhem user.

if the user on the target system differs from the fhem user you have to set the ssh_user attribute of the sysstat device.

from your description i'm not sure which accounts on which system you are trying to use.

andre

edit: if the /etc/passwd line is from the target raspberry pi then you can not log in as the fhem user has no shell. just use a different user. even the default pi user is fine.

andyclimb

mm ok I'll explain it a bit clearer.

I have an ubuntu server running fhem.  I have two raspberry pis both running Raspbian, with a bluetooth dongle and presenced running.  I have set up passwordless login from my mac to all three using SSH certs.  They all work fine.  I have generated SSH certs for the user andrew on the ubuntu server and successfully logged in by ssh from the ubuntu server to both rPis.  So I have all this working.  I have root access on all machines.  I have run apt-get install libsys-statistics-linux-perl on both rPis.

What I can't get working is the sysstat module in fhem running on the ubuntu server.
I have generated the ssh certs, and put the id_rsa private key in /opt/fhem/.ssh which is the home directory of the fhem user running on the ubuntu server.
I have copied the corresponding id_rsa.pub public key to the raspberry pi.  I've added it to the authorized_keys file in ~/.ssh/ along with the other keys that i've added.

edit: the attribute for the sysstat instance running on the ubuntu server has ssh_user set to pi which is the user with the public certs on the pi.

the auth.log file from the raspberry pi suggests authentication failure
Aug 19 20:00:22 raspberrypi sshd[10572]: Connection closed by 192.168.1.209 [preauth]

however, I have no access to the user fhem, created during the install of fhem from the .deb package. This user runs the fhem, and owns the /opt/fhem directory.  
andrew@lenovo:~$ id fhem
uid=999(fhem) gid=20(dialout) groups=20(dialout)

I can't switch user to fhem or SSH in.  I don't know the password, if there is one. if i knew the password, or if someone could say to me that I can change the password for the user fhem by using sudo passwd fhem without breaking the running of fhem then i could try that.  Otherwise i've got no idea how to debug this further.  

Does that help clear up which machine is which.  Fhem only exists on the server, key authentication is working fine for my mac and the user andrew on the ubuntu server, but i can't check if the fhem ssh certs are working.

Andrew
AM

justme1968

for testing you can use your known good ssh keys from the mac or user andrew and copy them into the .ssh directory of the fhem user.

you also don't need a password for testing. just change the /bin/false to /bin/sh in /etc/passwd and do a su - fhem as user root.

then do a 'ssh -v pi@xxx' and look at the messages.

andre

andyclimb

I had already changed that, rebooted but could not get it to work.. until I tried sudo su fhem!

Then i could connect, authorise the RSA key and then it worked.  

So to get this to work you have to change the /etc/passwd entry for fhem from /bin/false to /bin/sh, then sudo su fhem and connect to the pi using ssh and verify the SSH key.  

Thanks for your help

Andrew
AM

FHEM_Starter

Hi Andrew,

I followed until the very last step and then I failed.

What I want is: connect 2 Raspberry via ssh under the user fhem.

What I did:
on Raspberry A: connect via ssh as user pi, sudo su fhem, create id_rsa.pub via sysgen
on Raspberry B: connect via ssh as user pi, sudo su fhem, cd /opt/fhem, create .ssh, cd .ssh, nano authorized_keys and paste the content of id_rsa.pub on Raspberry A. nano /etc/ssh/sshd_config and:

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      %h/.ssh/authorized_keys

restart ssh and then try to connect from Raspberry A to B, but: still there is the question for a password

What did I do wrong ?

Regards Wolfgang
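
An added example, not part of any post in this thread: a read-only pre-flight check for the two sides discussed above, the service account that starts ssh and the account that receives the key. The function names and finding labels are made up for this example, and it assumes GNU stat as found on Ubuntu and Raspbian.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU stat (Ubuntu/Raspbian).

# Print "home:shell" for USER from a passwd-format file (default /etc/passwd).
account_info() {   # usage: account_info USER [PASSWD_FILE]
    awk -F: -v u="$1" '$1 == u { print $6 ":" $7; ok = 1 } END { exit !ok }' \
        "${2:-/etc/passwd}"
}

# True if any permission bit of the octal MASK is set on PATH.
has_bits() {       # usage: has_bits PATH MASK
    m=$(stat -c %a "$1") || return 1
    [ $(( 0$m & $2 )) -ne 0 ]
}

# Calling side (the fhem host): one finding per line, no output if clean.
check_client() {   # usage: check_client HOME [KEYFILE]
    d="$1/.ssh"; key="${2:-$d/id_rsa}"
    [ -d "$d" ] || { echo "missing-ssh-dir"; return 0; }
    if [ ! -f "$key" ]; then
        echo "missing-private-key"
    elif has_bits "$key" 077; then
        # ssh ignores a private key that group or others can access
        echo "private-key-too-open"
    fi
    # A non-interactive ssh cannot answer the host key question, so the
    # account needs a known_hosts entry from one manual connection.
    [ -s "$d/known_hosts" ] || echo "no-known-hosts"
}

# Target side (the Pi): with StrictModes on, sshd rejects keys when the home
# directory, .ssh or authorized_keys is writable by group or others.
check_target() {   # usage: check_target HOME
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        [ -e "$p" ] || { echo "missing:$p"; continue; }
        if has_bits "$p" 022; then echo "group-or-world-writable:$p"; fi
    done
    return 0
}
```

Run `check_client /opt/fhem` on the fhem host and `check_target` with the target user's home directory on the Pi. For the one manual connection, `sudo -u fhem ssh -v pi@<target_host>` runs ssh as the service account without changing its login shell in /etc/passwd.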