Why does my public key authentication not work with all machines?
I've got 15 machines in my office. I just generated my id_dsa.pub & copied it to the ~/.ssh/authorized_keys2 on all the machines, but it only seems to work properly on about half of them. What could be going wrong?
if I ssh -vv to a working and non working host, I get the following differences: working: debug2: we sent a publickey packet, wait for reply debug1: input_userauth_pk_ok: pkalg ssh-dss blen 433 lastkey 0x8086e20 hint 2 debug2: input_userauth_pk_ok: fp a3:3e:bc:f8:52:2e:ec:9d:15:03:43:f4:0f:25:d7:51 debug1: read PEM private key done: type DSA debug1: ssh-userauth2 successful: method publickey not working: debug2: we sent a publickey packet, wait for reply debug1: authentications that can continue: publickey,password,keyboard-interactive debug2: we did not send a packet, disable method debug1: next auth method to try is keyboard-interactive debug2: userauth_kbdint debug2: we sent a keyboard-interactive packet, wait for reply debug1: authentications that can continue: publickey,password,keyboard-interactive debug2: we did not send a packet, disable method debug1: next auth method to try is password debug1: packet_send2: adding 48 (len 61 padlen 19 extra_pad 64) debug2: we sent a password packet, wait for reply debug1: ssh-userauth2 successful: method password why is it doing that? Is it because they are all not running the same version of openssh? Do I have to tell the host to allow public key explicitly? |
looks like your sshd is not configured right (see sshd.conf) on the failing machines. it seems that it can't get the key from your host - more information is necesssary here. network-topologie, config's,..
an other possibility is the "authorized_key2" - try to change back to just call it "authorized_key" on those machines. are they all the same os (and ssh2 only)? sl mritch. |
Quote:
the sshd.conf on a good machine vs bad machine is almost identical & both are pretty vanilla - just the way they came out of the box. Code:
Title = "SSHD" I've tried using both authorzied_keys and authorized_keys2. All machines are running linux, some are running RH7.3, some are running RH9.x - whether they work or not does not seem to depend on their version (i.e. some 7.3 boxes work, some 9.x boxes work). network topology: pretty simple, really, my machine and all the machines I'm trying to connect too are all patched into one 24 port unmanaged switch. There are two other switches attached to that switch, but I'm not working with those machines yet. any other ideas? Do you need any more specific info? Thanks again |
have you done a "diff" of /etc/ssh/sshd_config on the good vs bad machines?
Check permissions and ownership of authorized_keys2 file. If you have copy and pasted it then it might not work. |
Quote:
% diff sshdwork sshdbroke 1c1 < # $OpenBSD: sshd_config,v 1.48 2002/02/19 02:50:59 deraadt Exp $ --- > # $OpenBSD: sshd_config,v 1.59 2002/09/25 11:17:16 markus Exp $ 3,4c3,4 < # This is the sshd server system-wide configuration file. See sshd(8) < # for more information. --- > # This is the sshd server system-wide configuration file. See > # sshd_config(5) for more information. 6c6 < # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin --- > # This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin 36c36 < #LoginGraceTime 600 --- > #LoginGraceTime 120 40,42c40,42 < #RSAAuthentication yes < #PubkeyAuthentication yes < #AuthorizedKeysFile .ssh/authorized_keys --- > RSAAuthentication yes > PubkeyAuthentication yes > AuthorizedKeysFile .ssh/authorized_keys 64,65c64 < # KerberosAuthentication automatically enabled if keyfile exists < #KerberosAuthentication yes --- > #KerberosAuthentication no 69,70c68 < # AFSTokenPassing automatically enabled if k_hasafs() is true < #AFSTokenPassing yes --- > #AFSTokenPassing no 77c75 < #PAMAuthenticationViaKbdInt yes --- > #PAMAuthenticationViaKbdInt no 86a85,87 > #UsePrivilegeSeparation yes > #PermitUserEnvironment no > #Compression yes edit: just for grins, I copied the sshd_config file over from a working machine to a non-working machine & restarted sshd. still no good. :confused: Quote:
|
If your network is very congested and the login takes a while, you may be exceeding the grace time (although that's highly unlikely). Another thing may be that the format of the authorized_keys file is wrong on some of the boxes. It's important that you transfer the file as text rather than binary data, and it's also important that there are no line breaks inserted. Trying diff'ing the actual authorized_keys file on a working and non-working box.
|
Quote:
diffing the auth_keys shows no difference. Glad to see that everyone else is as stumped as me. ;) Any other suggestiong? |
Got it working. It was a permissions issue for the .ssh directory itself. It had to much permission, so it wouldn't work (weird).
I chmoded it to 700 (from 755), and everything works. |
That's correct, no one should be allowed to see your keys, or especially your trusted host list.
|
All times are GMT -5. The time now is 01:37 AM. |