LinuxQuestions.org
Old 06-01-2009, 04:36 PM   #1
rookie7799
LQ Newbie
 
Registered: Apr 2009
Posts: 7

Rep: Reputation: 0
help with public key authentication


Hi guys,

I think I followed like 5 tutorials on how to set up a passwordless connection with ssh, and no matter what I do this freaking thing keeps asking me for a password!
I followed the following:
http://www.securityfocus.com/infocus/1810
http://www.csua.berkeley.edu/~ranga/...sh_nopass.html
http://www.techrecipes.net/articles/...ssh-login.html


here is some info:
SERVER: sshd_config
Code:
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys
debug on CLIENT:

Code:
[pavel@web02 .ssh]$ ssh -vvv 10.1.0.141
OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May 2006
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 10.1.0.141 [10.1.0.141] port 22.
debug1: Connection established.
debug1: identity file /home/pavel/.ssh/identity type -1
debug3: Not a RSA1 key file /home/pavel/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/pavel/.ssh/id_rsa type 1
debug3: Not a RSA1 key file /home/pavel/.ssh/id_dsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/pavel/.ssh/id_dsa type 2
debug1: loaded 3 keys
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 137/256
debug2: bits set: 502/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /home/pavel/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 6
debug1: Host '10.1.0.141' is known and matches the RSA host key.
debug1: Found key in /home/pavel/.ssh/known_hosts:6
debug2: bits set: 513/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/pavel/.ssh/identity ((nil))
debug2: key: /home/pavel/.ssh/id_rsa (0x2b75bc85f5a0)
debug2: key: /home/pavel/.ssh/id_dsa (0x2b75bc85f5d0)
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-with-mic,password
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug3: Trying to reverse map address 10.1.0.141.
debug1: Unspecified GSS failure.  Minor code may provide more information
Unknown code krb5 195

debug1: Unspecified GSS failure.  Minor code may provide more information
Unknown code krb5 195

debug1: Unspecified GSS failure.  Minor code may provide more information
Unknown code krb5 195

debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/pavel/.ssh/identity
debug3: no such identity: /home/pavel/.ssh/identity
debug1: Offering public key: /home/pavel/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Offering public key: /home/pavel/.ssh/id_dsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
pavel@10.1.0.141's password:

ssh -V on both servers shows:
Code:
ssh -V
OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May 2006

Why is this happening???
 
Old 06-01-2009, 05:22 PM   #2
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
Originally Posted by rookie7799
debug on CLIENT:

Code:
[pavel@web02 .ssh]$ ssh -vvv 10.1.0.141
OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May 2006
...
debug3: Not a RSA1 key file /home/pavel/.ssh/id_rsa.
...
debug3: Not a RSA1 key file /home/pavel/.ssh/id_dsa.
...
debug1: identity file /home/pavel/.ssh/id_dsa type 2
...
debug1: Offering public key: /home/pavel/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
...
debug1: Offering public key: /home/pavel/.ssh/id_dsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
...
debug1: Next authentication method: password

If I'm reading this correctly, you have used ssh-keygen to create both a type 2 RSA key pair and a DSA key pair.

On the sshd server side, let's see the output from:
  • ls -ld ~
  • ls -ld ~/.ssh
  • ls -l ~/.ssh

When StrictModes are enabled, (user created) permissions problems at the ~, ~/.ssh, and authorized_keys levels are common.
 
Old 06-02-2009, 07:22 AM   #3
rookie7799
LQ Newbie
 
Registered: Apr 2009
Posts: 7

Original Poster
Rep: Reputation: 0
[pavel@x ~]$ ls -ld ~
drwxr-xr-x 10 pavel pavel 4096 Jun 1 16:18 /home/pavel
[pavel@x ~]$ ls -ld ~/.ssh
drwx------ 2 pavel pavel 4096 Jun 1 18:32 /home/pavel/.ssh
[pavel@x ~]$ ls -l ~/.ssh
total 16
-rw------- 1 pavel pavel 1208 Jun 1 19:28 authorized_keys
-rw------- 1 pavel pavel 606 Jun 1 18:08 authorized_keys2
-rw-r--r-- 1 pavel pavel 398 Jun 1 16:38 known_hosts
 
Old 06-02-2009, 11:18 AM   #4
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Your permissions and ownership on the server side look fine. Check the client side as well to be sure you haven't given group write permissions to ~ or ~/.ssh, and that your private key is only readable by you.

If you don't find a permissions problem there, outline the exact steps you have gone through. (Instead of pointing to a howto, post the exact commands you're running.)
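
The checks described in posts #2 and #4, as an added example that is not part of the thread: a script that tests the ownership and write bits sshd examines under StrictModes, plus the private-key mode the ssh client enforces. It assumes GNU `stat` and the default `AuthorizedKeysFile`; the function names and the temporary fixture are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU stat; names are illustrative.

# mode_ok PATH MASK: succeed when none of the octal MASK bits are set on PATH.
mode_ok() {
    mode=$(stat -c '%a' "$1") || return 2
    [ $(( 0$mode & 0$2 )) -eq 0 ]
}

# audit_server HOME [UID]: check what StrictModes checks for the default
# AuthorizedKeysFile: owner is the user or root, no group/other write bit.
audit_server() {
    home=$1; uid=${2:-$(id -u)}; bad=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING  $p"; bad=$((bad + 1)); continue
        fi
        owner=$(stat -c '%u' "$p")
        if [ "$owner" != "$uid" ] && [ "$owner" != 0 ]; then
            echo "OWNER    $p (uid $owner)"; bad=$((bad + 1))
        fi
        if ! mode_ok "$p" 022; then
            echo "WRITABLE $p (mode $(stat -c '%a' "$p"))"; bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# audit_private_key FILE: the ssh client ignores a private key that has any
# group/other permission bit set.
audit_private_key() {
    mode_ok "$1" 077 || { echo "EXPOSED  $1 (mode $(stat -c '%a' "$1"))"; return 1; }
}

# Constructed fixture reproducing the modes from post #3, then a common mistake.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -m 755 "$d/home"; mkdir -m 700 "$d/home/.ssh"
    : > "$d/home/.ssh/authorized_keys"; chmod 600 "$d/home/.ssh/authorized_keys"
    audit_server "$d/home" && echo "modes from post #3: pass"
    chmod g+w "$d/home"
    audit_server "$d/home" || echo "group-writable home: sshd would refuse the key"
    rm -rf "$d"
}
demo
```

On a real host, run `audit_server "$HOME"` as the account being logged in to, and `audit_private_key ~/.ssh/id_rsa` on the client.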
 
Old 06-03-2009, 08:47 AM   #5
rookie7799
LQ Newbie
 
Registered: Apr 2009
Posts: 7

Original Poster
Rep: Reputation: 0
I'm not sure what I did exactly ... but now it works :-D

Something along the lines of changing sshd_config
 
Old 06-03-2009, 11:40 AM   #6
Wim Sturkenboom
Senior Member
 
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Ubuntu 12.04, Antix19.3
Posts: 3,794

Rep: Reputation: 282
You probably changed PasswordAuthentication to no and now it is working
 
Old 05-25-2012, 10:12 PM   #7
afranio
LQ Newbie
 
Registered: May 2012
Posts: 1

Rep: Reputation: Disabled
The man above is kidding with us!!!

If you change the option to "NO", as he suggests, you'll no longer be able to log in to your machine !!!

Bad taste KIDDING !!!!
 
Old 05-26-2012, 12:07 AM   #8
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Germany
Distribution: Whatever fits the task best
Posts: 17,148
Blog Entries: 2

Rep: Reputation: 4886
Quote:
Originally Posted by afranio
If you change the option to "NO", as he suggests, you'll no longer be able to log in to your machine !!!

Bad taste KIDDING !!!!
The goal of this thread is to achieve password-less authentication via public-key authentication. So there is no problem in disabling password authentication if you have set up your system correctly.
 
Old 05-26-2012, 12:41 AM   #9
rajkumar.m
LQ Newbie
 
Registered: May 2010
Posts: 18

Rep: Reputation: 12
I think you might have changed this option in the ssh configuration file:

StrictModes no
 
  

