LinuxQuestions.org

remslug 11-02-2013 06:46 PM

SSH authentication via RSA key fails.
 
Hi all,

I am trying to set up passwordless authentication on one of my boxes in order to be able to use ssh commands in a script.

I have generated public/private RSA keys on the client machine (in the user I'm logged in as' .ssh directory) and added the public key to the server machine's authorized_keys files (in the user I want to be able to ssh as' .ssh directory).

I have set the rights on both .ssh directories, the key files and the authorized_keys files to 700.

On the server machine, in the /etc/ssh/sshd_config file, I have set the two following parameters:
Code:

RSAAuthentication yes
PubkeyAuthentication yes

When I try and ssh from the client machine, it still prompts me for password. The verbose output ends with the following:
Code:

debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: My Key
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/me/.ssh/id_rsa
debug3: no such identity: /home/me/.ssh/id_rsa
debug1: Trying private key: /home/me/.ssh/id_dsa
debug3: no such identity: /home/me/.ssh/id_dsa
debug1: Trying private key: /home/me/.ssh/id_ecdsa
debug3: no such identity: /home/me/.ssh/id_ecdsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password

Then it prompts me for a password.

I don't understand why the "My Key" "Offering" doesn't seem to succeed. Does anyone have any idea of what I am doing wrong?

Notes: I am using Linux Mint 15 on both machines. Password logging works as expected. SSH versions are as follows:
Code:

debug1: Remote protocol version 2.0, remote software version OpenSSH_6.1p1 Debian-4
debug1: Local version string SSH-2.0-OpenSSH_6.1p1 Debian-4


Any help is greatly appreciated. Let me know if you need any additional information.

Thanks.

AlucardZero 11-02-2013 10:47 PM

The reason is probably logged in /var/log/auth.log on the server

Turbocapitalist 11-03-2013 03:47 AM

What is the name of your private key? ssh will not find it automatically. It either has to be loaded into the agent (no more than the 6th key on the list or you will fail the default server auth settings) or else pointed to manually. You point to a private key manually with -i

Code:

ssh -i /home/remslug/.ssh/some_key_rsa remslug@93.184.216.119

voleg 11-03-2013 05:33 AM

Quote:

debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/me/.ssh/id_rsa
debug3: no such identity: /home/me/.ssh/id_rsa
debug1: Trying private key: /home/me/.ssh/id_dsa
debug3: no such identity: /home/me/.ssh/id_dsa
debug1: Trying private key: /home/me/.ssh/id_ecdsa
debug3: no such identity: /home/me/.ssh/id_ecdsa
debug2: we did not send a packet, disable method

Looks like you have not generated and exchanged keys yet. Please do so according to well-known practice.

remslug 11-03-2013 06:22 AM

Thanks for your replies.

As mentioned, I have generated and exchanged keys. I have done so using the following instructions: http://www.tecmint.com/ssh-passwordl...-5-easy-steps/.

I can cat the authorized_keys file on the server and the ssh-rsa entry is in there. The only difference is I have not named the key files id_rsa and id_rsa.pub because I need to be able to use different keys in order to connect to different servers. My files are named ~me/.ssh/my_key and ~me/.ssh/my_key.pub. I have tried specifying my private key file as an "IdentityFile" entry in /etc/ssh/ssh_config on the client machine to no avail. I also tried specifying it with the -i option with the same result. When I specify the file, the output is different though:
Code:

debug2: key: /home/me/.ssh/my_key (0x7f65d5317cd0)
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/me/.ssh/my_key
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password

The /var/log/auth.log file only contains this single entry for a failed login attempt:
Code:

Nov  3 12:57:29 slg-NAS sshd[2478]: Connection closed by 192.168.0.1 [preauth]

192.168.0.1 being the client machine's IP.

voleg 11-03-2013 06:40 AM

Then the content of ~me/.ssh/my_key.pub should be pasted into authorized_keys on the server side.
The correct command should be:
Code:

$ ssh -i ~me/.ssh/my_key remoteuser@server

The second well-known problem is wrong permissions on the destination home directory.
It should not be group- or other-writable. The .ssh directory should be 700,
authorized_keys should be 644.

remslug 11-03-2013 06:54 AM

Thanks for your help, voleg.

Client side rights:
Code:

drwx------ 2 me me 4096 Nov  3 13:10 .ssh
-rwx------ 1 me me 1679 Nov  2 23:36 my_key
-rwxr--r-- 1 me me  389 Nov  2 23:36 my_key.pub

Server side rights:
Code:

drwx------ 2 me me 4096 nov.  2 23:22 .ssh
-rw-r--r-- 1 me me  389 nov.  2 23:37 authorized_keys

Is this correct?

Command I use:
Code:

ssh -vvv -i /home/me/.ssh/my_key me@192.168.0.4

This config gives the output in my last post.

Robhogg 11-03-2013 08:17 AM

This looks OK (my_key and my_key.pub don't need execute bits set, but this shouldn't prevent login). A couple of thoughts:
  • what does authorized_keys contain? It should have the exact contents of my_key.pub on a single line.
  • It might be worth trying re-generating the keys, just in case the files got corrupted.

voleg 11-03-2013 08:31 AM

What about permissions on the home directory on the server side?
It should be writable by owner only.
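
The server-side checks suggested in the posts above (home directory not group- or other-writable, .ssh at 700, authorized_keys holding each key on a single line), collected into one script. This is an added example, not part of any poster's message; the function names are made up for illustration and it assumes GNU `stat` on the server.

```sh
#!/bin/sh
# Added example, not from the thread. Assumes GNU stat (stat -c) on the server.

# check_path USER PATH: return 1 if PATH is missing, owned by someone other
# than USER or root, or writable by group/other.
check_path() {
    user=$1; path=$2
    if [ ! -e "$path" ]; then
        echo "MISSING  $path"; return 1
    fi
    owner=$(stat -c %U "$path")
    mode=$(stat -c %a "$path")
    if [ "$owner" != "$user" ] && [ "$owner" != "root" ]; then
        echo "OWNER    $path is owned by $owner, expected $user"; return 1
    fi
    # Leading 0 makes the shell read the mode as octal; 022 = group+other write.
    if [ $((0$mode & 022)) -ne 0 ]; then
        echo "WRITABLE $path has mode $mode"; return 1
    fi
    echo "OK       $path ($owner, $mode)"
}

# audit_ssh_dir USER HOME: check the home directory, .ssh and authorized_keys.
audit_ssh_dir() {
    rc=0
    for p in "$2" "$2/.ssh" "$2/.ssh/authorized_keys"; do
        check_path "$1" "$p" || rc=1
    done
    return $rc
}

# check_key_lines FILE: every entry must sit on one line as
# "[options] keytype base64 [comment]"; a key wrapped by a bad paste leaves
# a line with no key type, which is reported here.
check_key_lines() {
    awk -v re='(^| )(ssh-(rsa|dss|ed25519)|ecdsa-sha2-[a-z0-9-]+) [A-Za-z0-9+/=]+' '
        /^[ \t]*#/ { next }
        /^[ \t]*$/ { next }
        $0 !~ re   { printf "BADLINE  line %d has no key type and blob\n", NR; bad = 1 }
        END        { exit bad }
    ' "$1"
}

# Usage on the server, as root or as the account owner:
#   audit_ssh_dir me /home/me && check_key_lines /home/me/.ssh/authorized_keys
```

Run as a different unprivileged user, a 700 home directory makes the deeper paths show up as MISSING, so run it as the account owner or root.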

remslug 11-03-2013 11:27 AM

Quote:

  • what does authorized_keys contain? It should have the exact contents of my_key.pub on a single line.
  • It might be worth trying re-generating the keys, just in case the files got corrupted.

Yes, authorized_keys contains the ssh-rsa entry on a single line, eg:
Code:

ssh-rsa <key string> My Key

I have tried regenerating the keys several times. I have also tried using ECDSA encryption instead of RSA, just to make sure, with the same result.

Rights on my home directory are 700 on both machines.
Server:
Code:

drwx------ 23 me  me  4096 nov.  2 23:22 /home/me/

Client:
Code:

drwx------ 73 me me 4096 Oct 26 17:33 /home/me/

voleg 11-03-2013 01:45 PM

If the content of /var/log/secure does not give a clue,
the next step may be to run sshd in debug mode, like:
Code:

# /usr/sbin/sshd -d -p 222

Then connect to port 222:
Code:

$ ssh -v -p 222 ......

remslug 11-03-2013 06:00 PM

Apparently, the server can't find the authorized_keys file:
Code:

debug1: userauth-request for user me service ssh-connection method publickey [preauth]
debug1: attempt 1 failures 0 [preauth]
debug1: test whether pkalg/pkblob are acceptable [preauth]
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: temporarily_use_uid: 1000/1000 (e=0/0)
debug1: trying public key file /home/me/.ssh/authorized_keys
debug1: Could not open authorized keys '/home/me/.ssh/authorized_keys': No such file or directory

Rights:
Code:

drwxr-xr-x 5 root root 4096 juil. 21 22:26 /home
drwx------ 23 me me 4096 nov.  4 00:43 /home/me/
drwx------ 2 me me 4096 nov.  2 23:22 /home/me/.ssh/
-rw-r--r-- 1 me me 389 nov.  2 23:37 /home/me/.ssh/authorized_keys

I have no problem doing:
Code:

cat /home/me/.ssh/authorized_keys

It outputs the file correctly:
Code:

ssh-rsa <long RSA string> My Key

Does this make any sense?

voleg 11-04-2013 01:46 AM

The issue becomes interesting.
Quote:

debug1: Could not open authorized keys '/home/me/.ssh/authorized_keys': No such file or directory

Are you sure that /home/me/.ssh/authorized_keys exists on the server side?
As I see, user "me" has UID/GID 1000/1000:
Quote:

debug1: temporarily_use_uid: 1000/1000 (e=0/0)

If you log in as "me" on the server, can you do "cat /home/me/.ssh/authorized_keys"?
If you still have no solution, it is probably an SELinux problem.
Please set it to PERMISSIVE and check what happens in /var/log/messages.

remslug 11-04-2013 08:11 AM

This is weird. This morning when I restarted both machines (after I had switched them off for the night), it started working without changing anything. I guess some services had to be restarted for some of the changes to take effect... I had already tried to restart sshd on the server, though.

Thanks for the help.

voleg 11-04-2013 08:21 AM

Bad. Now we never will know what it was....


All times are GMT -5.