Linux Green here, forgive me for leaving anything out.
I was asked to create a trust between two nodes. I did a base-line test first to get the result, expecting failure. It came back with "host key verification failed", seemed expected. I added the .pub to the user on the remote host and tried again, but still failed. This is expected to be with sftp. Kicked over to ssh and it came back with the same thing. Long story as short as possible, I can't ssh to any host from this box, "host key verification failed". If I run ssh with the StrictHostKeyChecking=no it is able to add it to the known_hosts before failing, it wouldn't do that otherwise. When using this option, it comes back with:
Permission denied (publickey,gssapi-with-mic,password).
I ran 'sftp -vv user@host' and the ending results came back with:
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug2: no key of type 0 for host 10.50.4.202
debug2: no key of type 2 for host 10.50.4.202
Host key verification failed.
Couldn't read packet: Connection reset by peer
I've gotten a thanks from Google trying to look into it and find things to try but finding sparse and repetitive information. sftp issues in batch mode, but that doesn't apply. Nothing showing as to why ssh can't be done from the box at all without error.
What am I missing as to why it's trying to force a login and not just say, hey, what's the password for root? I haven't changed anything and have never seen this in my few short years with Linux.
Linux localhost 2.6.18-8.el5 #1 SMP Fri Jan 26 14:15:21 EST 2007 i686 athlon i386 GNU/Linux
Red Hat Enterprise Linux Server release 5 (Tikanga)
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
# similar for protocol version 2
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
# Don't read the user's ~/.rhosts and ~/.shosts files
# To disable tunneled clear text passwords, change to no here!
# Change to no to disable s/key passwords
# Kerberos options
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
# no default banner path
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.
# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
# Site-wide defaults for some commonly used options. For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.
# Host *
# ForwardAgent no
# ForwardX11 no
# RhostsRSAAuthentication no
# PasswordAuthentication yes
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# Port 22
# Cipher 3des
# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
# If this option is set to yes then remote X11 clients will have full access
# to the original X11 display. As virtually no X11 client supports the untrusted
# mode correctly we set this to yes.
# Send locale-related environment variables
SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
SendEnv LC_IDENTIFICATION LC_ALL
What is the exact command you are running? Your local sshd_config looks fine.
You're trying to set up a trust relationship? So you did the keygen already and placed the RSA/DSA key in the authorized_keys file on the remote host? The .ssh directory is owned and group owned by the user you are connecting to and the permissions are 700 on the .ssh directory? The authorized_keys file needs the same ownership/group ownership as well and needs permissions 600.
The argument must be yes or no. If set to yes, passphrase/password querying will be disabled. This option is useful in scripts and other batch jobs where you have no user to supply the password.
Just noticed the responses that I hadn't seen today.
It was a problem of ssh from the node. It was the task to set up the keys for sftp trust that got me into this node for the first time. I thank everyone for the brain busting help! Now on to learning how to create trusts...
If so, please be aware that the Ripple Project is "currently dormant" as of July 2009.
I'd also like to suggest that you need to be very careful here, if you are playing with "financial transaction projects" when you are perhaps a new linux user.
For example, I would not like you to have your fingers badly burnt if you have inadvertently set up ssh or sftp incorrectly. There are many other security considerations as well.
I tend to leave "financial transaction software" to the Big Guns, who have the resources (and no doubt, insurance) to support this sort of activity.
You may, of course, be contracted by some major financial institution, but in which case, why are you asking questions here on LQ?
Additionally, the movement of currency between parties in different, or indeed the same, countries is likely to be highly regulated. Attempting to do this in a relatively anonymous manner is likely to attract the attention of the various regulatory authorities ( Internet-search money laundering )
Perhaps my searches have led me astray, and I have made too many assumptions.
In which case, my apologies, and please explain "Now on to learning how to create trusts...".
The purpose of the box is for Aventx and automation with Oracle. They use sftp for picking up internal data to process. I apologize for some confusion in my explaining the flow of things rather than just the issue of ssh doesn't work outbound.
Yes, I'm new'ish to Linux, understand a good amount but missing the super user depth of the OS.
Thanks everyone for even just listening... It took me a *stuff* ton of searching to see what the issue was. Hopefully there is helpful information in here. I have found some good stuff on this site and hope to continue with everyone in my journeys of the Linux world.
ssh can be difficult to set up for a good reason: Because you are using ssh rather than telnet, ssh assumes you want a secure connection. It does basic checks to see if you have left anything accidentally open. If so, it will fail to connect on the premise that no connection is better than establishing an insecure connection that you thought was "secure".
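The ownership and mode checks the replies above describe for key-based login (.ssh at 700, authorized_keys at 600, both owned and group-owned by the login user), as an added shell example that is not part of the original thread. The function names, the script name check_ssh_perms.sh and the UID:GID argument format are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread: audit the ownership and modes that the
# reply lists for key-based login (.ssh = 700, authorized_keys = 600).
# Stand-alone use (hypothetical script name):
#   sh check_ssh_perms.sh /home/USER/.ssh "$(id -u USER):$(id -g USER)"
# Prints one line per finding; exit status 0 = clean, 1 = at least one finding.

# Octal mode and numeric uid:gid of a path (GNU stat first, BSD stat fallback).
mode_of()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
owner_of() { stat -c '%u:%g' "$1" 2>/dev/null || stat -f '%u:%g' "$1"; }

# check_one PATH WANT_MODE WANT_UID:GID -> prints findings, returns their count
check_one() {
    bad=0
    m=$(mode_of "$1")
    o=$(owner_of "$1")
    if [ "$m" != "$2" ]; then
        echo "MODE  $1 is $m, expected $2"
        bad=$((bad + 1))
    fi
    if [ "$o" != "$3" ]; then
        echo "OWNER $1 is $o, expected $3"
        bad=$((bad + 1))
    fi
    return "$bad"
}

# check_ssh_perms SSH_DIR UID:GID -> 0 if everything matches, 1 otherwise
check_ssh_perms() {
    dir=$1
    want=$2
    rc=0
    if [ ! -d "$dir" ]; then
        echo "MISSING $dir"
        return 1
    fi
    check_one "$dir" 700 "$want" || rc=1
    if [ -f "$dir/authorized_keys" ]; then
        check_one "$dir/authorized_keys" 600 "$want" || rc=1
    else
        echo "MISSING $dir/authorized_keys"
        rc=1
    fi
    return "$rc"
}

# Run only when called with both arguments, so the file can also be sourced.
if [ "$#" -eq 2 ]; then
    check_ssh_perms "$1" "$2"
fi
```

Run it on the remote host against the account being logged in to, since that is where authorized_keys is read.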