Old 11-16-2011, 07:26 AM   #1
jonaskellens
Member
 
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 620

Rep: Reputation: 33
ssh public key auth not accepted


Hello,

on my server I have in /etc/ssh/sshd_config :

RSAAuthentication no
PubkeyAuthentication yes
RhostsRSAAuthentication no
HostbasedAuthentication no
IgnoreRhosts yes
PermitEmptyPasswords no
PasswordAuthentication no
ChallengeResponseAuthentication no
GSSAPIAuthentication no

When I try to ssh into the server with my private key, I get the following :

[Jonas@jonas ~]$ ssh -2 -v -p 2273 -l admin -i /home/Jonas/vpn\&ssh/id_rsa_admin XXX.XXX.XXX.226
OpenSSH_5.5p1, OpenSSL 1.0.0e-fips 6 Sep 2011
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to XXX.XXX.XXX.226 [XXX.XXX.XXX.226] port 2273.
debug1: Connection established.
debug1: identity file /home/Jonas/vpn&ssh/id_rsa_admin type 1
debug1: identity file /home/Jonas/vpn&ssh/id_rsa_admin-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH_4*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.5
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: checking without port identifier
debug1: Host 'XXX.XXX.XXX.226' is known and matches the RSA host key.
debug1: Found key in /home/Jonas/.ssh/known_hosts:10
debug1: found matching key w/out port
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/Jonas/vpn&ssh/id_rsa_admin
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).

Why is permission denied ?
 
Old 11-16-2011, 07:56 AM   #2
LceeL
LQ Newbie
 
Registered: Mar 2007
Posts: 14

Rep: Reputation: 0
Read through the following link - make sure you have followed all the steps - http://oceanpark.com/notes/howto_ssh...orwarding.html - for example - Did you set "ForwardAgent yes" on your client system? There is nowhere near enough information in your post to do a proper diagnosis of your issue.
 
Old 11-16-2011, 08:10 AM   #3
jonaskellens
Member
 
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 620

Original Poster
Rep: Reputation: 33
I have set "ForwardAgent yes" in my /etc/ssh/ssh_config on my client.

I have changed the file .ssh/authorized_keys2 to .ssh/authorized_keys on my server.

All the other steps mentioned in the link I have done, except "keychain" I don't want that.

Still the same result.

How can I get more debugging information ??
 
Old 11-16-2011, 08:18 AM   #4
colucix
Moderator
 
Registered: Sep 2003
Location: Bologna
Distribution: CentOS 6.5 OpenSuSE 12.3
Posts: 10,508

Rep: Reputation: 1957
Try option -vvv to increase the level of verbosity in the debug messages.
 
Old 11-16-2011, 08:40 AM   #5
jonaskellens
Member
 
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 620

Original Poster
Rep: Reputation: 33
Here is more verbosity :


[Jonas@jonas ~]$ ssh -2 -vvv -p 2273 -l admin -i /home/Jonas/vpn\&ssh/id_rsa_admin XXX.XXX.XXX.226
OpenSSH_5.5p1, OpenSSL 1.0.0e-fips 6 Sep 2011
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to XXX.XXX.XXX.226 [XXX.XXX.XXX.226] port 2273.
debug1: Connection established.
debug3: Not a RSA1 key file /home/Jonas/vpn&ssh/id_rsa_admin.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'Proc-Type:'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'DEK-Info:'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/Jonas/vpn&ssh/id_rsa_admin type 1
debug1: identity file /home/Jonas/vpn&ssh/id_rsa_admin-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH_4*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.5
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v00@openssh.com,ssh-dss...00@openssh.com,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 128/256
debug2: bits set: 510/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: put_host_port: [XXX.XXX.XXX.226]:2273
debug3: put_host_port: [XXX.XXX.XXX.226]:2273
debug3: check_host_in_hostfile: host [XXX.XXX.XXX.226]:2273 filename /home/Jonas/.ssh/known_hosts
debug3: check_host_in_hostfile: host [XXX.XXX.XXX.226]:2273 filename /home/Jonas/.ssh/known_hosts
debug3: check_host_in_hostfile: host [XXX.XXX.XXX.226]:2273 filename /etc/ssh/ssh_known_hosts
debug3: check_host_in_hostfile: host [XXX.XXX.XXX.226]:2273 filename /etc/ssh/ssh_known_hosts
debug3: check_host_in_hostfile: host [XXX.XXX.XXX.226]:2273 filename /home/Jonas/.ssh/known_hosts
debug3: check_host_in_hostfile: host [XXX.XXX.XXX.226]:2273 filename /home/Jonas/.ssh/known_hosts
debug3: check_host_in_hostfile: host [XXX.XXX.XXX.226]:2273 filename /etc/ssh/ssh_known_hosts
debug3: check_host_in_hostfile: host [XXX.XXX.XXX.226]:2273 filename /etc/ssh/ssh_known_hosts
debug1: checking without port identifier
debug3: check_host_in_hostfile: host XXX.XXX.XXX.226 filename /home/Jonas/.ssh/known_hosts
debug3: check_host_in_hostfile: host XXX.XXX.XXX.226 filename /home/Jonas/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 10
debug1: Host 'XXX.XXX.XXX.226' is known and matches the RSA host key.
debug1: Found key in /home/Jonas/.ssh/known_hosts:10
debug1: found matching key w/out port
debug2: bits set: 523/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/Jonas/vpn&ssh/id_rsa_admin (0x26b20b0)
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/Jonas/vpn&ssh/id_rsa_admin
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey).
 
Old 11-16-2011, 09:01 AM   #6
lleb
Senior Member
 
Registered: Dec 2005
Location: Florida
Distribution: CentOS/Fedora
Posts: 2,555

Rep: Reputation: 463
http://www.jms1.net/code/rsync-backup.shtml

The top of this page talks about setting public key between servers. You might want to try starting over from scratch by deleting the ~/.ssh/authorized_keys and the id_dsa_backup.pub to get a clean start.
 
Old 11-16-2011, 09:22 AM   #7
jonaskellens
Member
 
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 620

Original Poster
Rep: Reputation: 33
Quote:
Originally Posted by lleb View Post
http://www.jms1.net/code/rsync-backup.shtml
The top of this page talks about setting public key between servers. You might want to try starting over from scratch by deleting the ~/.ssh/authorized_keys and the id_dsa_backup.pub to get a clean start.
So I need to create the key files again ? OK if that's the only solution...
 
Old 11-16-2011, 09:48 AM   #8
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654
Check the logs in the server. It may indicate what the problem is. For example, if permissions of .ssh or the private key are too lax, the server will refuse to make a connection. Even the permissions of your home directory can cause problems.

The issue may not be indicated in the debug -vvv output.

After an upgrade, I wasn't able to ssh in, even though I had copied my ~/.ssh folder from backup. I found in the Release Notes that I needed to modify a line in /etc/ssh/sshd_config
from
AuthorizedKeysFile .ssh/authorized_keys
to
AuthorizedKeysFile %h/.ssh/authorized_keys

I've even had a failure to log in because the hostname part of the authorized_keys file entry didn't match exactly with the first entry in /etc/hosts. I think I changed it from jschiwal@netcow to jschiwal@netcow.jesnet but don't remember for certain. This behavior may depend on the UseDNS setting.

I don't understand why ForwardAgent yes is being recommended in your case.

Last edited by jschiwal; 11-16-2011 at 09:56 AM.
 
Old 11-16-2011, 11:31 AM   #9
lleb
Senior Member
 
Registered: Dec 2005
Location: Florida
Distribution: CentOS/Fedora
Posts: 2,555

Rep: Reputation: 463
Quote:
Originally Posted by jonaskellens View Post
So I need to create the key files again ? OK if that's the only solution...
not saying it is the only way, but it will not hurt. how long will it take to recreate them? 2min tops...
 
Old 11-17-2011, 07:15 AM   #10
jonaskellens
Member
 
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 620

Original Poster
Rep: Reputation: 33
So I have done the following :

created the keys on my client :

Code:
[Jonas@jonas ~]$ ssh-keygen -t rsa
The result is 2 files :

Code:
-rw-------. 1 Jonas Jonas 1766 Nov 17 13:52 id_rsa
-rw-r--r--. 1 Jonas Jonas  405 Nov 17 13:52 id_rsa.pub
I copy the file id_rsa.pub to my server and place it into the .ssh-directory as follows :

Code:
[admin@server admin]$ cp id_rsa .ssh/authorized_keys
The result on the server :

Code:
[admin@server admin]$ ls -l .ssh/
total 8
-rwx------ 1 admin admin 1766 Nov 17 14:08 authorized_keys
After this I want to login as user "admin", using the id_rsa.pub key :

Code:
[Jonas@jonas ~]$ ssh -2 -v -p 2273 -l admin -i /home/Jonas/vpn\&ssh/id_rsa XXX.XXX.XXX.226
But still the same result :

Code:
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/Jonas/vpn&ssh/id_rsa_admin
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).
Should be that simple, no ?!

Last edited by jonaskellens; 11-17-2011 at 07:18 AM.
 
Old 11-17-2011, 08:32 AM   #11
colucix
Moderator
 
Registered: Sep 2003
Location: Bologna
Distribution: CentOS 6.5 OpenSuSE 12.3
Posts: 10,508

Rep: Reputation: 1957
Code:
[admin@server admin]$ cp id_rsa .ssh/authorized_keys
Nope. You have to copy the public key into authorized_keys. Your private key should stay only on your local machine (private = not to be shared with anyone or with any other machine than yours).

Last edited by colucix; 11-17-2011 at 08:33 AM.
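
A server-side check for the two causes raised in this thread, a private key pasted into authorized_keys (post #11) and over-permissive modes on the home directory, ~/.ssh or the key file (post #8). This is an added example, not part of any poster's reply; the function names and all key material are constructed, and ownership checks are left out.

```shell
#!/bin/sh
# Added example. All paths and key material below are constructed samples.
KEYTYPES='ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)'

# Print "private-key", "malformed" or "ok" for an authorized_keys file.
classify_authkeys() {
    # A PEM header means a private key was copied where a public key belongs.
    if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"; then
        echo private-key; return
    fi
    # Any non-blank, non-comment line lacking "<keytype> <base64>" is malformed.
    if grep -v -E '^[[:space:]]*(#|$)' "$1" |
       grep -v -q -E "(^| )($KEYTYPES) [A-Za-z0-9+/]+=*( |\$)"; then
        echo malformed; return
    fi
    echo ok
}

# Succeed only if the path is not writable by group or others, which is what
# sshd's StrictModes requires of the home directory, ~/.ssh and authorized_keys.
modes_ok() {
    case "$(ls -ld "$1" | cut -c1-10)" in
        ?????w????|????????w?) return 1 ;;
    esac
    return 0
}

# Audit one home directory; print one finding per line.
audit_home() {
    home=$1 ak=$1/.ssh/authorized_keys
    for p in "$home" "$home/.ssh" "$ak"; do
        modes_ok "$p" || echo "too-permissive: $p"
    done
    echo "authorized_keys: $(classify_authkeys "$ak")"
}

# Constructed demo: reproduce the thread's mistake in a scratch directory.
demo() {
    d=$(mktemp -d) && mkdir -p "$d/.ssh" && chmod 700 "$d" "$d/.ssh"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'Q09OU1RSVUNURUQ=' '-----END RSA PRIVATE KEY-----' > "$d/.ssh/authorized_keys"
    chmod 700 "$d/.ssh/authorized_keys"
    audit_home "$d"          # private key in place of the public key
    echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7constructed Jonas@jonas' \
        > "$d/.ssh/authorized_keys"
    chmod 775 "$d/.ssh"      # group-writable ~/.ssh, the case from post #8
    audit_home "$d"
    rm -rf "$d"
}
demo
```

Run `audit_home /home/admin` on the server as a user who can read that directory; the client's `-vvv` output cannot show either condition, because the server only answers that publickey can continue.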
 
Old 11-17-2011, 08:38 AM   #12
jonaskellens
Member
 
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 620

Original Poster
Rep: Reputation: 33
Quote:
Originally Posted by colucix View Post
Code:
[admin@server admin]$ cp id_rsa .ssh/authorized_keys
Nope. You have to copy the public key into authorized_keys. Your private key should stay only on your local machine (private = not to be shared with anyone or with any other machine than yours).
I feel really stupid...

Now it works indeed ! I knew I needed the private key on my host, but still I copied the private key to the server...

Thanks !
 
  

