Old 11-02-2013, 06:46 PM   #1
remslug
LQ Newbie
 
Registered: Nov 2013
Posts: 10

Rep: Reputation: Disabled
SSH authentication via RSA key fails.


Hi all,

I am trying to set up passwordless authentication on one of my boxes in order to be able to use ssh commands in a script.

I have generated public/private RSA keys on the client machine (in the user I'm logged in as' .ssh directory) and added the public key to the server machine's authorized_keys files (in the user I want to be able to ssh as' .ssh directory).

I have set the rights on both .ssh directories, the key files and the authorized_keys files to 700.

On the server machine, in the /etc/ssh/sshd_config file, I have set the two following parameters :
Code:
RSAAuthentication yes
PubkeyAuthentication yes
When I try and ssh from the client machine, it still prompts me for password. The verbose output ends with the following:
Code:
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: My Key
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/me/.ssh/id_rsa
debug3: no such identity: /home/me/.ssh/id_rsa
debug1: Trying private key: /home/me/.ssh/id_dsa
debug3: no such identity: /home/me/.ssh/id_dsa
debug1: Trying private key: /home/me/.ssh/id_ecdsa
debug3: no such identity: /home/me/.ssh/id_ecdsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
Then it prompts me for a password.

I don't understand why the "My Key" "Offering" doesn't seem to succeed. Does anyone have any idea of what I am doing wrong?

Notes: I am using Linux Mint 15 on both machines. Password logging works as expected. SSH versions are as follows:
Code:
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.1p1 Debian-4
debug1: Local version string SSH-2.0-OpenSSH_6.1p1 Debian-4

Any help is greatly appreciated. Let me know if you need any additional information.

Thanks.

Last edited by remslug; 11-02-2013 at 06:59 PM.
 
Old 11-02-2013, 10:47 PM   #2
AlucardZero
Senior Member
 
Registered: May 2006
Location: USA
Distribution: Debian
Posts: 4,824

Rep: Reputation: 615
The reason is probably logged in /var/log/auth.log on the server
 
1 members found this post helpful.
Old 11-03-2013, 03:47 AM   #3
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,345
Blog Entries: 3

Rep: Reputation: 3756
What is the name of your private key? ssh will not find it automatically. It either has to be loaded into the agent (no more than the 6th key on the list or you will fail the default server auth settings) or else pointed to manually. You point to a private key manually with -i

Code:
ssh -i /home/remslug/.ssh/some_key_rsa remslug@93.184.216.119
 
Old 11-03-2013, 05:33 AM   #4
voleg
Member
 
Registered: Oct 2013
Distribution: RedHat CentOS Fedora SuSE
Posts: 354

Rep: Reputation: 51
Quote:
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/me/.ssh/id_rsa
debug3: no such identity: /home/me/.ssh/id_rsa
debug1: Trying private key: /home/me/.ssh/id_dsa
debug3: no such identity: /home/me/.ssh/id_dsa
debug1: Trying private key: /home/me/.ssh/id_ecdsa
debug3: no such identity: /home/me/.ssh/id_ecdsa
debug2: we did not send a packet, disable method
Looks like you have not generated and exchanged keys yet. Please do so according to well-known practice.
 
Old 11-03-2013, 06:22 AM   #5
remslug
LQ Newbie
 
Registered: Nov 2013
Posts: 10

Original Poster
Rep: Reputation: Disabled
Thanks for your replies.

As mentioned, I have generated and exchanged keys. I have done so using the following instructions : http://www.tecmint.com/ssh-passwordl...-5-easy-steps/.

I can cat the authorized_keys file on the server and the ssh-rsa entry is in there. The only difference is I have not named the key files id_rsa and id_rsa.pub because I need to be able to use different keys in order to connect to different servers. My files are named ~me/.ssh/my_key and ~me/.ssh/my_key.pub. I have tried specifying my private key file as an "IdentityFile" entry in /etc/ssh/ssh_config on the client machine to no avail. I also tried specifying it with the -i option with the same result. When I specify the file, the output is different though:
Code:
debug2: key: /home/me/.ssh/my_key (0x7f65d5317cd0)
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/me/.ssh/my_key
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
The /var/log/auth.log file only contains this single entry for a failed login attempt:
Code:
Nov  3 12:57:29 slg-NAS sshd[2478]: Connection closed by 192.168.0.1 [preauth]
192.168.0.1 being the client machine's IP.
 
Old 11-03-2013, 06:40 AM   #6
voleg
Member
 
Registered: Oct 2013
Distribution: RedHat CentOS Fedora SuSE
Posts: 354

Rep: Reputation: 51
Then, content of ~me/.ssh/my_key.pub should be pasted in authorized_keys on server side.
Correct command should be:
Code:
$ ssh -i ~me/.ssh/my_key remoteuser@server
The second well known problem is wrong permissions on destination home directory.
It should not be group,other writable. The .ssh directory should be 700,
authorized_keys should be 644.
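
The permission rules from the post above, turned into a check that can be run on the server. This is an added example, not part of any poster's message; the function names `check_ssh_perms` and `has_group_other_write` are made up for illustration, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example: audit the server-side path sshd reads for public-key login.
# Rules checked are the ones stated in the thread: home directory not writable
# by group/other, .ssh mode 700, authorized_keys not writable by group/other
# (644 or stricter). Requires GNU stat (stat -c %a).

# has_group_other_write MODE: succeeds if octal MODE has g+w or o+w set.
has_group_other_write() {
    [ $(( 0$1 & 022 )) -ne 0 ]
}

# check_ssh_perms HOME: returns 0 if all rules hold, 1 on a bad mode,
# 2 if a path component is missing as seen by the calling user.
check_ssh_perms() {
    home=$1
    sshdir=$home/.ssh
    keys=$sshdir/authorized_keys
    bad=0

    for p in "$home" "$sshdir" "$keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING  $p"
            bad=1
        fi
    done
    [ "$bad" -eq 0 ] || return 2

    mode=$(stat -c %a "$home")
    if has_group_other_write "$mode"; then
        echo "BAD  $home is mode $mode (group/other writable)"
        bad=1
    fi

    mode=$(stat -c %a "$sshdir")
    if [ "$mode" != 700 ]; then
        echo "BAD  $sshdir is mode $mode (expected 700)"
        bad=1
    fi

    mode=$(stat -c %a "$keys")
    if has_group_other_write "$mode"; then
        echo "BAD  $keys is mode $mode (group/other writable)"
        bad=1
    fi

    return "$bad"
}

# Usage on the server, as the target user: check_ssh_perms /home/me
```
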
 
Old 11-03-2013, 06:54 AM   #7
remslug
LQ Newbie
 
Registered: Nov 2013
Posts: 10

Original Poster
Rep: Reputation: Disabled
Thanks for your help, voleg.

Client side rights:
Code:
drwx------ 2 me me 4096 Nov  3 13:10 .ssh
-rwx------ 1 me me 1679 Nov  2 23:36 my_key
-rwxr--r-- 1 me me  389 Nov  2 23:36 my_key.pub
Server side rights:
Code:
drwx------ 2 me me 4096 nov.   2 23:22 .ssh
-rw-r--r-- 1 me me  389 nov.   2 23:37 authorized_keys
Is this correct?

Command I use:
Code:
ssh -vvv -i /home/me/.ssh/my_key me@192.168.0.4
This config gives the output in my last post.
 
Old 11-03-2013, 08:17 AM   #8
Robhogg
Member
 
Registered: Sep 2004
Location: Old York, North Yorks.
Distribution: Debian 7 (mainly)
Posts: 653

Rep: Reputation: 97
This looks OK (my_key and my_key.pub don't need execute bits set, but this shouldn't prevent login). A couple of thoughts:
  • what does authorized_keys contain? It should have the exact contents of my_key.pub on a single line.
  • It might be worth trying re-generating the keys, just in case the files got corrupted.
 
Old 11-03-2013, 08:31 AM   #9
voleg
Member
 
Registered: Oct 2013
Distribution: RedHat CentOS Fedora SuSE
Posts: 354

Rep: Reputation: 51
What about permissions on home directory on server side ?
It should be writable by owner only.
 
Old 11-03-2013, 11:27 AM   #10
remslug
LQ Newbie
 
Registered: Nov 2013
Posts: 10

Original Poster
Rep: Reputation: Disabled
Quote:
  • what does authorized_keys contain? It should have the exact contents of my_key.pub on a single line.
  • It might be worth trying re-generating the keys, just in case the files got corrupted.
Yes, authorized_keys contains the ssh-rsa entry on a single line, eg:
Code:
ssh-rsa <key string> My Key
I have tried regenerating the keys several times. I have also tried using ECDSA encryption instead of RSA, just to make sure, with the same result.

Rights on my home directory are 700 on both machines.
Server:
Code:
drwx------ 23 me  me   4096 nov.   2 23:22 /home/me/
Client:
Code:
drwx------ 73 me me 4096 Oct 26 17:33 /home/me/
 
Old 11-03-2013, 01:45 PM   #11
voleg
Member
 
Registered: Oct 2013
Distribution: RedHat CentOS Fedora SuSE
Posts: 354

Rep: Reputation: 51
If the content of /var/log/secure does not give a clue,
the next step may be to run sshd in debug mode, like:
Code:
# sshd -d -p 222
Then connect to port 222:
Code:
$ ssh -v -p 222 ......
 
Old 11-03-2013, 06:00 PM   #12
remslug
LQ Newbie
 
Registered: Nov 2013
Posts: 10

Original Poster
Rep: Reputation: Disabled
Apparently, the server can't find the authorized_keys file:
Code:
debug1: userauth-request for user me service ssh-connection method publickey [preauth]
debug1: attempt 1 failures 0 [preauth]
debug1: test whether pkalg/pkblob are acceptable [preauth]
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: temporarily_use_uid: 1000/1000 (e=0/0)
debug1: trying public key file /home/me/.ssh/authorized_keys
debug1: Could not open authorized keys '/home/me/.ssh/authorized_keys': No such file or directory
Rights:
Code:
drwxr-xr-x 5 root root 4096 juil. 21 22:26 /home
drwx------ 23 me me 4096 nov.   4 00:43 /home/me/
drwx------ 2 me me 4096 nov.   2 23:22 /home/me/.ssh/
-rw-r--r-- 1 me me 389 nov.   2 23:37 /home/me/.ssh/authorized_keys
I have no problem doing :
Code:
cat /home/me/.ssh/authorized_keys
It outputs the file correctly:
Code:
ssh-rsa <long RSA string> My Key
Does this make any sense?
 
Old 11-04-2013, 01:46 AM   #13
voleg
Member
 
Registered: Oct 2013
Distribution: RedHat CentOS Fedora SuSE
Posts: 354

Rep: Reputation: 51
The issue becomes interesting.
Quote:
debug1: Could not open authorized keys '/home/me/.ssh/authorized_keys': No such file or directory
Are you sure that /home/me/.ssh/authorized_keys exists on the server side?
As I see, user "me" has UID/GID 1000/1000:
Quote:
debug1: temporarily_use_uid: 1000/1000 (e=0/0)
If you log in as "me" on the server, could you do "cat /home/me/.ssh/authorized_keys"?
If you still have no solution, it is probably an SELinux problem.
Please set it to PERMISSIVE and check what happens in /var/log/messages.
 
Old 11-04-2013, 08:11 AM   #14
remslug
LQ Newbie
 
Registered: Nov 2013
Posts: 10

Original Poster
Rep: Reputation: Disabled
This is weird. This morning when I restarted both machines (after I had switched them off for the night), it started working without changing anything. I guess some services had to be restarted for some of the changes to take effect... I had already tried to restart sshd on the server, though.

Thanks for the help.

Last edited by remslug; 11-04-2013 at 08:27 AM.
 
Old 11-04-2013, 08:21 AM   #15
voleg
Member
 
Registered: Oct 2013
Distribution: RedHat CentOS Fedora SuSE
Posts: 354

Rep: Reputation: 51
Bad. Now we never will know what it was....
 
  

