LinuxQuestions.org
Linux - General: SSH Access with security keys (http://www.linuxquestions.org/questions/linux-general-1/ssh-access-with-security-keys-681235/)

codenjanod 11-05-2008 03:20 AM

SSH Access with security keys
 
Hi all,

On my one machine, I am running Gentoo 2007, Linux server_1 2.6.23-hardened-r4 #1 SMP.

From the above server, I ssh to my second server, running FreeBSD 7, FreeBSD server_2 7.0-RELEASE-p3 FreeBSD 7.0-RELEASE-p3

My ssh output, from server_1, looks as follows:

$ ssh -v user@server_2
OpenSSH_4.7p1, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to server_2 [server_2] port 22.
debug1: Connection established.
debug1: identity file /var/user/home/.ssh/identity type -1
debug1: identity file /var/user/home/.ssh/id_rsa type -1
debug1: identity file /var/user/home/.ssh/id_dsa type 2
debug1: Remote protocol version 1.99, remote software version 3.2.9.1 SSH Secure Shell (non-commercial)
debug1: no match: 3.2.9.1 SSH Secure Shell (non-commercial)
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.7
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug1: Host 'server_2' is known and matches the DSA host key.
debug1: Found key in /var/nagios/home/.ssh/known_hosts:25
debug1: ssh_dss_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /var/nagios/home/.ssh/identity
debug1: Trying private key: /var/nagios/home/.ssh/id_rsa
debug1: Offering public key: /var/nagios/home/.ssh/id_dsa
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password
user@server_2's password:
Authenticated with partial success.
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).


I installed sshd2 on my FreeBSD server, as I am running VSFTP on it and chrooting the ftp users to their directories, and enabled compatibility mode on it for ssh from my Gentoo server.

These are my config files for sshd and sshd2 on my FreeBSD server:

# cat /etc/ssh/sshd_config

# $OpenBSD: sshd_config,v 1.74 2006/07/19 13:07:10 dtucker Exp $
# $FreeBSD: src/crypto/openssh/sshd_config,v 1.47 2006/11/10 16:52:41 des Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

# Note that some of FreeBSD's defaults differ from OpenBSD's, and
# FreeBSD has a few additional options.

#VersionAddendum FreeBSD-20061110

#Port 22
#Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys2

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# Change to yes to enable built-in password authentication.
#PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable PAM authentication
ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'no' to disable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM yes

#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server




And the config file for sshd2:

# cat /usr/local/etc/ssh2/sshd2_config

## SSH CONFIGURATION FILE FORMAT VERSION 1.1
## REGEX-SYNTAX egrep
## end of metaconfig
## (leave above lines intact!)
## sshd2_config
## SSH 3.2 Server Configuration File
##

## General

# HostKeyFile hostkey
# PublicHostKeyFile hostkey.pub
# RandomSeedFile random_seed
# BannerMessageFile /usr/local/etc/ssh2/ssh_banner_message
# BannerMessageFile /etc/issue.net
#
# VerboseMode no
# QuietMode no
# SyslogFacility AUTH
# SyslogFacility LOCAL7
# SftpSyslogFacility LOCAL7

## Network

# Port is commented out as it is specified by the startup script.
# Port 22
# ListenAddress any
# ResolveClientHostName yes
# RequireReverseMapping no
# MaxBroadcastsPerSecond 0
# MaxBroadcastsPerSecond 1
# NoDelay no
# KeepAlive yes
# MaxConnections 50
# MaxConnections 0
# 0 == number of connections not limited

## Crypto

# Ciphers AnyCipher
# Ciphers AnyStdCipher
# Ciphers 3des
# Following includes "none" 'cipher':
# Ciphers AnyStd
#
# MACs AnyMAC
# MACs AnyStdMAC
# Following includes "none" 'mac':
# MACs AnyStd
#
# RekeyIntervalSeconds 3600

## User

# PrintMotd yes
# CheckMail yes
# StrictModes yes
# Specifies 1 hour (you can also use 'w' for week, 'd' for day, 'm' for
# minute, 's' for seconds)
# IdleTimeOut 1h
# without specifier, the default number is in seconds
# IdleTimeOut 3600
#
# UserConfigDirectory "%D/.ssh2"
# UserConfigDirectory "/usr/local/etc/ssh2/auth/%U"
# AuthorizationFile authorization
# This variable is set here, because by default it's empty, and so no
# variables can be set. Because of that, we set a few common ones here.
SettableEnvironmentVars LANG,LC_(ALL|COLLATE|CTYPE|MONETARY|NUMERIC|TIME),PATH,TERM,TZ

## Tunneling

# AllowX11Forwarding yes
# AllowTcpForwarding yes
# AllowTcpForwardingForUsers sjl, cowboyneal@slashdot\.org
# DenyTcpForwardingForUsers 2[[:digit:]]*4,peelo
# AllowTcpForwardingForGroups privileged_tcp_forwarders
# DenyTcpForwardingForGroups coming_from_outside
#
# Local port forwardings to host 10.1.0.25 ports 143 and 25 are
# allowed for all users in group users.
# Note that forwardings using the name of this host will be allowed (if
# it can be resolved from the DNS).
#
# ForwardACL allow local .*%users \i10\.1\.0\.25%(143|25)
#
# Local port forwardings requested exactly to host proxy.company.com
# port 8080 are allowed for users that have 's' as first character
# and belong to the group with group id 10:
#
# ForwardACL allow local s.*%10 proxy\.company\.com%8080
#
# Remote port forwarding is denied for all users to all hosts:
# ForwardACL deny remote .* .*


## Authentication
## publickey and password allowed by default

# AllowedAuthentications publickey,password
# AllowedAuthentications hostbased,publickey,password
# AllowedAuthentications hostbased,publickey,keyboard-interactive
RequiredAuthentications publickey,password
# LoginGraceTime 600
# AuthInteractiveFailureTimeout 2
#
# HostbasedAuthForceClientHostnameDNSMatch no
# UserKnownHosts yes
#
# AuthPublicKey.MaxSize 0
# AuthPublicKey.MinSize 0
# AllowAgentForwarding yes
#
# AuthKbdInt.NumOptional 0
# AuthKbdInt.Optional pam,password
# AuthKbdInt.Required password
# AuthKbdInt.Retries 3
#
# PermitEmptyPasswords no
# PasswordGuesses 3

## Host restrictions

# AllowHosts localhost, foobar.com, friendly.org
#
## Next one matches with, for example, taulu.foobar.com, tuoli.com, but
## not tuoli1.com. Note that you have to input string "\." when you want it
## to match only a literal dot. You also have to escape "," when you
## want to use it in the pattern, because otherwise it is considered a list
## separator.
##
## AllowHosts t..l.\..*
##
## The following matches any numerical IP-address (yes, it is cumbersome)
##
## AllowHosts ([[:digit:]]{1\,3}\.){3}[[:digit:]]{1\,3}
##
## Same thing is achieved with using the special prefix "\i" in a
## pattern. This means that the pattern is only used to match
## IP-addresses.
##
## Using the above example:
##
## AllowHosts \i.*
##
## You can probably see the difference between the two.
##
## Also, you can use subnet masks, by using prefix "\m"
##
## AllowHosts \m127.0/8
## and
## AllowHosts \m127.0.0.0/24
##
## would match localhost ("127.0.0.1").
##
# DenyHosts evil\.org, aol\.com
# AllowSHosts trusted\.host\.org
# DenySHosts not\.quite\.trusted\.org
# IgnoreRhosts no
# IgnoreRootRHosts no
# (the above, if not set, is defaulted to the value of IgnoreRHosts)

## User restrictions

# AllowUsers sj.*,s[[:digit:]]*,s(jl|amza)
# DenyUsers skuuppa,warezdude,31373
# DenyUsers don@untrusted\.org
# AllowGroups staff,users
# DenyGroups guest,anonymous
# PermitRootLogin yes
# PermitRootLogin nopwd

## Chrooted environment

# ChRootUsers anonymous,ftp,guest
# ChRootGroups sftp,guest

## SSH1 compatibility

Ssh1Compatibility yes
Sshd1Path /usr/local/sbin/sshd
#
# This is given as argument to sshd1 with "-f" if sshd2 is invoked
# with "-f", otherwise the default configuration for sshd1 is used.
Sshd1ConfigFile /etc/ssh/sshd_config

## subsystem definitions

# Subsystems don't have defaults, so this is needed here (uncommented).
# subsystem-sftp sftp-server
# Also internal sftp-server subsystem can be used.
subsystem-sftp internal://sftp-server

## Subconfiguration
# There are no default subconfiguration files. When specified the last
# obtained keyword value will prevail. Note that the host specific files
# are read before the user specific files.

# Following matches (from) any host
#
# HostSpecificConfig .* /usr/local/etc/ssh2/subconfig/host_ext.example
#
# Following matches to subnet mask:
#
# HostSpecificConfig \m192.168.0.0/16 /usr/local/etc/ssh2/subconfig/host_int.example
#
# Following matches to users from ssh.com that have two character long
# username or is sjl and belong to group wheel or wheel[0-9]
#
# UserSpecificConfig (..|sjl)%wheel[[:digit:]]?@ssh\.com /usr/local/etc/ssh2/subconfig/user.example
#
# Following matches to the user anonymous from any host
#
# UserSpecificConfig anonymous@.* /usr/local/etc/ssh2/subconfig/anonymous.example


I have tried various options in the config files, but it keeps on asking me for a password to authenticate.
I am not too sure what I am missing here.
Any help would be greatly appreciated.

How would I be able to see what version of ssh is running on my gentoo server?

Thank you kindly

hopbyhop 11-05-2008 03:58 AM

Temporarily set
Code:

LogLevel debug
on the server side, then see what the SERVER log tells you.
Obviously you have correctly copied your DSA public key into the server's ~/.ssh/authorized_keys2 file.
Maybe a permission issue also.
Let us know.

codenjanod 11-05-2008 04:20 AM

Log output but still asking for password
 
Hi,

Thank you for the reply.

This is still the output I get when trying to ssh from server_1 to server_2:

$ ssh -v user@server_2
OpenSSH_4.7p1, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to server_2 [server_2] port 22.
debug1: Connection established.
debug1: identity file /var/user/home/.ssh/identity type -1
debug1: identity file /var/user/home/.ssh/id_rsa type -1
debug1: identity file /var/user/home/.ssh/id_dsa type 2
debug1: Remote protocol version 1.99, remote software version 3.2.9.1 SSH Secure Shell (non-commercial)
debug1: no match: 3.2.9.1 SSH Secure Shell (non-commercial)
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.7
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug1: Host 'server_2' is known and matches the DSA host key.
debug1: Found key in /var/user/home/.ssh/known_hosts:25
debug1: ssh_dss_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /var/user/home/.ssh/identity
debug1: Trying private key: /var/user/home/.ssh/id_rsa
debug1: Offering public key: /var/user/home/.ssh/id_dsa
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password
user@server_2's password:
Authenticated with partial success.
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).

On my server_2, the log shows the following output:

Nov 5 12:04:44 server_2 sshd2[1818]: connection from "server_1"
Nov 5 12:04:44 server_2 sshd2[1824]: User user's local password accepted.
Nov 5 12:04:44 server_2 sshd2[1824]: Password authentication for user user accepted.
Nov 5 12:04:44 server_2 sshd2[1824]: Local disconnected: Connection closed.
Nov 5 12:04:44 server_2 sshd2[1824]: connection lost: 'Connection closed.'

On server_2, I have the following in ~/.ssh/:

drwxr-xr-x 2 user user 512 Nov 5 12:04 .
drwxr-xr-x 3 user user 512 Nov 5 09:47 ..
-rw------- 1 user user 608 Nov 5 10:53 authorized_keys2

Permissions are correct, public key was copied correctly.

I have found the following link more or less insightful, but no real info as to how to fix the issue.
I have followed the few steps described on this page, but I still sit with the same problem.

http://www.ssh.com/support/documenta...atibility.html

Thank you kindly.

hopbyhop 11-05-2008 04:27 AM

You should have more debug info on the server2 side. Have you set LogLevel debug and restarted sshd on server2?

tredegar 11-05-2008 12:41 PM

This helped me: http://www.linuxquestions.org/linux/...ation_with_ssh

codenjanod 12-08-2008 07:19 AM

SSH Access with security keys
 
Hi Tredegar,

Thank you for the reply and the link.
I recreated all the keys and the files and followed it all step by step, but to no avail.

Could it be something to do with the fact that the sshd2 daemon on FreeBSD uses 2048-bit encryption?

From my client server, ssh -vvv gives me the following output:

OpenSSH_4.7p1, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to secure-server.com [81.185.124.12] port 22.
debug1: Connection established.
debug1: identity file /var/nagios/home/.ssh/identity type -1
debug1: identity file /var/nagios/home/.ssh/id_rsa type -1
debug3: Not a RSA1 key file /var/nagios/home/.ssh/id_dsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /var/nagios/home/.ssh/id_dsa type 2
debug1: Remote protocol version 1.99, remote software version 3.2.9.1 SSH Secure Shell (non-commercial)
debug1: no match: 3.2.9.1 SSH Secure Shell (non-commercial)
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.7
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,twofish128-cbc,cast128-cbc,twofish-cbc,blowfish-cbc,aes192-cbc,aes256-cbc,twofish192-cbc,twofish256-cbc,arcfour
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,twofish128-cbc,cast128-cbc,twofish-cbc,blowfish-cbc,aes192-cbc,aes256-cbc,twofish192-cbc,twofish256-cbc,arcfour
debug2: kex_parse_kexinit: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
debug2: kex_parse_kexinit: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug2: dh_gen_key: priv key bits set: 139/256
debug2: bits set: 542/1024
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug3: check_host_in_hostfile: filename /var/nagios/home/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 27
debug3: check_host_in_hostfile: filename /var/nagios/home/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 27
debug1: Host 'secure-server.com' is known and matches the DSA host key.
debug1: Found key in /var/nagios/home/.ssh/known_hosts:27
debug2: bits set: 518/1024
debug1: ssh_dss_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /var/nagios/home/.ssh/identity ((nil))
debug2: key: /var/nagios/home/.ssh/id_rsa ((nil))
debug2: key: /var/nagios/home/.ssh/id_dsa (0x80062f68)
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /var/nagios/home/.ssh/identity
debug3: no such identity: /var/nagios/home/.ssh/identity
debug1: Trying private key: /var/nagios/home/.ssh/id_rsa
debug3: no such identity: /var/nagios/home/.ssh/id_rsa
debug1: Offering public key: /var/nagios/home/.ssh/id_dsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
nagios@secure-server.com's password:



To be honest I am not too sure what I am missing...

Thanks again.

jschiwal 12-08-2008 07:58 AM

Here are your uncommented items in sshd_config and mine:
Code:

grep -v -e '^$' -e '^#' sshd_config_posting
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys2

jschiwal@hpmedia:~> sudo grep -v -e '^$' -e '^#' /etc/ssh/sshd_config
root's password:
Code:

Protocol 2
PermitRootLogin no
MaxAuthTries 6
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no

UsePAM yes
X11Forwarding yes
UseDNS no
Subsystem      sftp    /usr/lib64/ssh/sftp-server
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL

I think that rsa-authentication is an option for ssh version 1.
Look at the comments just above the "UsePAM yes" line. I only use pam for session control and not for
authentication (with ssh). If bsd doesn't support PAM, then this line would be commented out anyway.

PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no

The ChallengeResponseAuthentication difference is why you are still asked for a password. Don't change it yet until you get pubkey authentication working.

Check the permissions of your .ssh/ directory and your home directory.

Also, why did you add a 2 at the end of the config file and authorized_keys? Is the correct config file being used?
Where does the ssh server start? Does it load the /etc/ssh/sshd_config2 file that you posted?

Also check your kernel log messages at both ends. If you have a permissions problem, this is where it may show up. I don't know what the equivalent of Linux's /var/log/messages and /var/log/security are on BSD.

sundialsvcs 12-08-2008 08:34 AM

If you look at the log, you'll notice one of SSH's rather-inexplicable characteristics: it starts with the strongest authentication-method available, but then it starts walking-down to accept progressively weaker algorithms. So it automatically finds, and attempts to use, the weakest link in the proverbial chain.

So... if you want it to use public-key authentication and nothing else, you must tell it that it cannot devolve to "password!"

Once you have done this, then it's a straightforward process to create a public/private key pair and to send out the public key. (You can also password-protect the key, I believe, so that you must enter a password on your own system in order to present it as your credential, so that anyone who steals your laptop at the airport cannot do the same.)

jschiwal 12-08-2008 10:43 AM

I just found out that for dsa keys, you use ~/.ssh/authorized_keys2. For RSA, you use ~/.ssh/authorized_keys. So one of my responses was wrong. Is /etc/sshd/sshd_config2 what sshd2 uses by default?

You can set the key size for your Linux client, so the size of the key is apparent in the authorized_keys entry. That doesn't sound like it is an issue. What are the differences between sshd and sshd2? Is sshd2 compatible with sshd clients? I would imagine it would be, otherwise it would be pretty useless.

hopbyhop 12-08-2008 11:24 AM

In my experience, most of the problems with ssh authentication are in incorrect copy/pasting of the public keys. Furthermore, reading the log on the client side only can lead to misunderstandings. So I advise you to read the server log
(e.g. tail -F /var/log/messages or /var/log/secure; check syslog.conf for the AUTH facility) WHILE you are connecting (or just after the failed connection). It will tell you WHY the key authentication was refused, e.g. for a key mismatch or for a host not found in /etc/hosts.allow... If the server log is not clear enough, you can increase the log level (LogLevel debug) in the sshd_config file.
Good luck

codenjanod 12-17-2008 02:55 AM

SSH Access with security keys
 
Hi all,

Thanks for the replies.

This is really making me feel dumb.

On my FreeBSD server, the startup config in /etc/rc.conf file is as follows:
#sshd_enable="NO"
sshd2_enable="YES"

And the service running:
# ps faux | grep sshd
root 28733 0.0 0.1 4052 2576 ?? S 8:38AM 0:00.16 /usr/local/sbin/sshd2 -p 22
root 29052 0.0 0.1 3592 2460 ?? Is 8:52AM 0:00.11 /usr/local/sbin/sshd2 -p 22

The SSH version on the FreeBSD server is:
# ssh -V
OpenSSH_4.2p1 FreeBSD-20050903, OpenSSL 0.9.7e-p1 25 Oct 2004


On my client server, the SSH version is:
$ ssh -V
OpenSSH_4.7p1, OpenSSL 0.9.8g 19 Oct 2007

I have run updates on my FreeBSD server so all ports are up to date.

The config file, as what I understand it, in "/etc/ssh/sshd_config" is no longer in use on the FreeBSD server, as sshd2 is running now and it makes use of the config file in "/usr/local/etc/ssh2/sshd2_config"

The following is currently not hashed out in the config file, followed by the complete config file.
I am probably mis-reading something or something dumb on my side is hashed out.

# grep -v -e '^$' -e '^#' /usr/local/etc/ssh2/sshd2_config
SettableEnvironmentVars LANG,LC_(ALL|COLLATE|CTYPE|MONETARY|NUMERIC|TIME),PATH,TERM,TZ

ChRootUsers ftp
ChRootGroups sftp
subsystem-sftp internal://sftp-server


And the full config file:
## SSH CONFIGURATION FILE FORMAT VERSION 1.1
## REGEX-SYNTAX egrep
## end of metaconfig
## (leave above lines intact!)
## sshd2_config
## SSH 3.2 Server Configuration File
##

## General

# HostKeyFile hostkey
# PublicHostKeyFile hostkey.pub
# RandomSeedFile random_seed
# BannerMessageFile /usr/local/etc/ssh2/ssh_banner_message
# BannerMessageFile /etc/issue.net
#
# VerboseMode no
# QuietMode no
# SyslogFacility AUTH
# SyslogFacility LOCAL7
# SftpSyslogFacility LOCAL7

## Network

# Port is commented out as it is specified by the startup script.
# Port 22
# ListenAddress any
# ResolveClientHostName yes
# RequireReverseMapping no
# MaxBroadcastsPerSecond 0
# MaxBroadcastsPerSecond 1
# NoDelay no
# KeepAlive yes
# MaxConnections 50
# MaxConnections 0
# 0 == number of connections not limited

## Crypto

# Ciphers AnyCipher
# Ciphers AnyStdCipher
# Ciphers 3des
# Following includes "none" 'cipher':
# Ciphers AnyStd
#
# MACs AnyMAC
# MACs AnyStdMAC
# Following includes "none" 'mac':
# MACs AnyStd
#
# RekeyIntervalSeconds 3600

## User

# PrintMotd yes
# CheckMail yes
# StrictModes yes
# Specifies 1 hour (you can also use 'w' for week, 'd' for day, 'm' for
# minute, 's' for seconds)
# IdleTimeOut 1h
# without specifier, the default number is in seconds
# IdleTimeOut 3600
#
# UserConfigDirectory "%D/.ssh2"
# UserConfigDirectory "/usr/local/etc/ssh2/auth/%U"
# AuthorizationFile authorization
# This variable is set here, because by default it's empty, and so no
# variables can be set. Because of that, we set a few common ones here.
SettableEnvironmentVars LANG,LC_(ALL|COLLATE|CTYPE|MONETARY|NUMERIC|TIME),PATH,TERM,TZ

## Tunneling

# AllowX11Forwarding yes
# AllowTcpForwarding yes
# AllowTcpForwardingForUsers sjl, cowboyneal@slashdot\.org
# DenyTcpForwardingForUsers 2[[:digit:]]*4,peelo
# AllowTcpForwardingForGroups privileged_tcp_forwarders
# DenyTcpForwardingForGroups coming_from_outside
#
# Local port forwardings to host 10.1.0.25 ports 143 and 25 are
# allowed for all users in group users.
# Note that forwardings using the name of this host will be allowed (if
# it can be resolved from the DNS).
#
# ForwardACL allow local .*%users \i10\.1\.0\.25%(143|25)
#
# Local port forwardings requested exactly to host proxy.company.com
# port 8080 are allowed for users that have 's' as first character
# and belong to the group with group id 10:
#
# ForwardACL allow local s.*%10 proxy\.company\.com%8080
#
# Remote port forwarding is denied for all users to all hosts:
# ForwardACL deny remote .* .*


## Authentication
## publickey and password allowed by default

# AllowedAuthentications publickey,password
# AllowedAuthentications hostbased,publickey,password
# AllowedAuthentications hostbased,publickey,keyboard-interactive
# RequiredAuthentications publickey,password
# LoginGraceTime 600
# AuthInteractiveFailureTimeout 2
#
# HostbasedAuthForceClientHostnameDNSMatch no
# UserKnownHosts yes
#
# AuthPublicKey.MaxSize 0
# AuthPublicKey.MinSize 0
# AllowAgentForwarding yes
#
# AuthKbdInt.NumOptional 0
# AuthKbdInt.Optional pam,password
# AuthKbdInt.Required password
# AuthKbdInt.Retries 3
#
# PermitEmptyPasswords no
# PasswordGuesses 3

## Host restrictions
#AllowHosts
#
## Next one matches with, for example, taulu.foobar.com, tuoli.com, but
## not tuoli1.com. Note that you have to input string "\." when you want it
## to match only a literal dot. You also have to escape "," when you
## want to use it in the pattern, because otherwise it is considered a list
## separator.
##
## AllowHosts t..l.\..*
##
## The following matches any numerical IP-address (yes, it is cumbersome)
##
## AllowHosts ([[:digit:]]{1\,3}\.){3}[[:digit:]]{1\,3}
##
## Same thing is achieved with using the special prefix "\i" in a
## pattern. This means that the pattern is only used to match
## IP-addresses.
##
## Using the above example:
##
## AllowHosts \i.*
##
## You can probably see the difference between the two.
##
## Also, you can use subnet masks, by using prefix "\m"
##
## AllowHosts \m127.0/8
## and
## AllowHosts \m127.0.0.0/24
##
## would match localhost ("127.0.0.1").
##
# DenyHosts evil\.org, aol\.com
# AllowSHosts trusted\.host\.org
# DenySHosts not\.quite\.trusted\.org
# IgnoreRhosts no
# IgnoreRootRHosts no
# (the above, if not set, is defaulted to the value of IgnoreRHosts)

## User restrictions

# AllowUsers
# DenyUsers skuuppa,warezdude,31373
# DenyUsers don@untrusted\.org
# AllowGroups staff,users
# DenyGroups guest,anonymous
# PermitRootLogin yes
# PermitRootLogin nopwd

## Chrooted environment

ChRootUsers ftp
ChRootGroups sftp

## SSH1 compatibility

# Ssh1Compatibility yes
# Sshd1Path /usr/sbin/sshd
#
# This is given as argument to sshd1 with "-f" if sshd2 is invoked
# with "-f", otherwise the default configuration for sshd1 is used.
# Sshd1ConfigFile /etc/ssh/sshd_config

## subsystem definitions

# Subsystems don't have defaults, so this is needed here (uncommented).
# subsystem-sftp sftp-server
# Also internal sftp-server subsystem can be used.
subsystem-sftp internal://sftp-server

## Subconfiguration
# There are no default subconfiguration files. When specified the last
# obtained keyword value will prevail. Note that the host specific files
# are read before the user specific files.

# Following matches (from) any host
#
# HostSpecificConfig .* /usr/local/etc/ssh2/subconfig/host_ext.example
#
# Following matches to subnet mask:
#
# HostSpecificConfig \m192.168.0.0/16 /usr/local/etc/ssh2/subconfig/host_int.example
#
# Following matches to users from ssh.com that have two character long
# username or is sjl and belong to group wheel or wheel[0-9]
#
# UserSpecificConfig (..|sjl)%wheel[[:digit:]]?@ssh\.com /usr/local/etc/ssh2/subconfig/user.example
#
# Following matches to the user anonymous from any host
#
# UserSpecificConfig anonymous@.* /usr/local/etc/ssh2/subconfig/anonymous.example


Thanks again for all the replies and help from all.

hopbyhop 12-18-2008 04:48 AM

OK
  • make sure that $HOME/.ssh2/authorization contains the public key associated with the identity file /var/user/home/.ssh/id_dsa in your client machine (usually id_dsa.pub)
  • check log in BSD server (see in syslog.conf what file SyslogFacility AUTH writes to)
  • if you cannot login, set
    Code:

    VerboseMode yes
    restart sshd2 (note that only one user is now allowed to connect!!!)
    and post the error description from syslog. Maybe you will have to run ssh-keygen to convert the key format.
  • when key login works, change
    Code:

    # AllowedAuthentications publickey,password
    to
    Code:

    AllowedAuthentications publickey
    and add your user(s) to an AllowUsers directive
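The key-format step in the list above, as an added worked example (this is not code from the thread, from OpenSSH or from ssh.com). Two things differ on the sshd2 side from what the OpenSSH sshd_config posted earlier expects: sshd2 reads ~/.ssh2/authorization, a file of "Key <filename>" lines naming public-key files kept in ~/.ssh2, and those files are in the RFC 4716 (SECSH) format, not the single-line "ssh-dss AAAA... comment" format of OpenSSH's id_dsa.pub. "ssh-keygen -e -f ~/.ssh/id_dsa.pub" on the Gentoo box performs the same conversion; the script below does it by hand so it can also decode the base64 blob and confirm it is a well-formed ssh-dss or ssh-rsa key, which catches exactly the copy/paste corruption hopbyhop mentions. The key material built by sample_openssh_line() is constructed from arbitrary integers and is not a real key; the comment nagios@server_1, the file name id_dsa.pub and all function names are assumptions made for the example.

```python
"""Convert an OpenSSH public-key line to the RFC 4716 (SECSH) file that
ssh.com's sshd2 reads from ~/.ssh2, after checking that the line really
decodes to a well-formed key blob.

Added example for this thread; not code from the original posts, from
OpenSSH or from ssh.com.  The key material in sample_openssh_line() is
constructed from arbitrary integers and is NOT a real key."""

import base64
import binascii
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    """SSH wire 'mpint': big-endian two's complement, so a positive value
    whose top bit is set needs a leading 0x00 byte (RFC 4251, section 5)."""
    if n == 0:
        return ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


# Wire strings each key type carries: ssh-dss = type,p,q,g,y; ssh-rsa = type,e,n
FIELD_COUNT = {"ssh-dss": 5, "ssh-rsa": 3}


def build_openssh_line(ktype: str, numbers, comment: str = "") -> str:
    """Assemble a one-line OpenSSH public key: '<type> <base64 blob> <comment>'."""
    blob = ssh_string(ktype.encode("ascii")) + b"".join(ssh_mpint(n) for n in numbers)
    return f"{ktype} {base64.b64encode(blob).decode('ascii')} {comment}".strip()


def sample_openssh_line() -> str:
    """Constructed sample (assumption): arbitrary integers, not parameters of
    any real DSA key.  p has its top bit set to exercise the mpint padding."""
    p = 0xFFEEDDCCBBAA99887766554433221100
    q = 0x8000000000000001
    g = 2
    y = 0x1234567890ABCDEF
    return build_openssh_line("ssh-dss", (p, q, g, y), "nagios@server_1")


def parse_openssh_pubkey(line: str):
    """Parse and validate an OpenSSH public-key line; returns (type, blob, comment).
    Raises ValueError when the line is not '<type> <base64> [comment]', the base64
    does not decode, the blob is truncated, or the key type embedded in the blob
    disagrees with the first word: all symptoms of a bad copy/paste."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    ktype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    try:
        blob = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"base64 field is corrupt: {exc}") from exc
    # Walk the blob as a sequence of length-prefixed strings.
    fields, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("blob truncated inside a length prefix")
        (n,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + n > len(blob):
            raise ValueError("blob truncated inside a field")
        fields.append(blob[off:off + n])
        off += n
    if not fields or fields[0] != ktype.encode("ascii"):
        raise ValueError("key type inside the blob does not match the first word")
    want = FIELD_COUNT.get(ktype)
    if want is not None and len(fields) != want:
        raise ValueError(f"{ktype} blob has {len(fields)} fields, expected {want}")
    return ktype, blob, comment


def to_rfc4716(blob: bytes, comment: str = "") -> str:
    """Render the blob as an RFC 4716 public-key file (what 'ssh-keygen -e' prints)."""
    body = base64.b64encode(blob).decode("ascii")
    out = ["---- BEGIN SSH2 PUBLIC KEY ----"]
    if comment:
        out.append(f'Comment: "{comment}"')
    out.extend(body[i:i + 70] for i in range(0, len(body), 70))  # RFC limit is 72
    out.append("---- END SSH2 PUBLIC KEY ----")
    return "\n".join(out) + "\n"


def authorization_entry(pubkey_filename: str) -> str:
    """One line of ~/.ssh2/authorization; the file name is relative to ~/.ssh2."""
    return f"Key {pubkey_filename}\n"


if __name__ == "__main__":
    ktype, blob, comment = parse_openssh_pubkey(sample_openssh_line())
    print(to_rfc4716(blob, comment), end="")          # save as ~/.ssh2/id_dsa.pub on server_2
    print(authorization_entry("id_dsa.pub"), end="")   # append to ~/.ssh2/authorization
```

Feed it the real id_dsa.pub line from the Gentoo box, save the first output as ~/.ssh2/id_dsa.pub in the user's home on server_2, append the Key line to ~/.ssh2/authorization, and keep ~/.ssh2 and both files writable only by that user, since sshd2's StrictModes defaults to yes. The "Authenticated with partial success" line in the first post's client log is what the uncommented RequiredAuthentications publickey,password in the first sshd2_config produces: the password was accepted, but the server still required a public key to follow, and the client had none that sshd2 could match.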

