LinuxQuestions.org
12-21-2011, 01:00 PM   #1
to0
SSH public key authentication not working


Hi all,

I need to be able to script some SCP transfers, so I'm using the process that has always worked for me:

1. Copy the public key from the client to the server
2. Append the client's public key to ~root/.ssh/authorized_keys2

I've tried with DSA and RSA, but I keep getting prompted for a password when I try to connect from the client. I have verified that the files copied correctly because the md5sums of the keys match on the client and the server. I also tried renaming authorized_keys2 to authorized_keys and known_hosts, with the same results.

I've also uncommented these lines from /etc/ssh/sshd_config and restarted sshd:
Code:
RSAAuthentication yes
PubkeyAuthentication yes

Here's the debug output of trying to SSH from the client to the server with the DSA keys set up (md5sum of client:~root/.ssh/id_dsa.pub matches authorized_keys2, authorized_keys, and known_hosts in server:~root/.ssh). It's like the server doesn't even acknowledge the key:

Code:
OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May 2006
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to server1 [192.168.1.132] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type 0
debug1: identity file /root/.ssh/id_rsa type 1
debug1: identity file /root/.ssh/id_dsa type 2
debug1: loaded 3 keys
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'server1' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:35
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
No credentials cache found

debug1: Unspecified GSS failure.  Minor code may provide more information
No credentials cache found

debug1: Unspecified GSS failure.  Minor code may provide more information
No credentials cache found

debug1: Next authentication method: publickey
debug1: Offering public key: /root/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Offering public key: /root/.ssh/id_dsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: password
root@server1's password:

I'm pulling my hair out over this and can't think of anything else to try. Anyone have any ideas?

Thanks!
 
12-21-2011, 01:02 PM   #2
acid_kewpie
Moderator
this is usually down to the wrong rights on ~/.ssh (should be 700) or ~/.ssh/authorized_keys (should be 600)
 
12-21-2011, 02:51 PM   #3
to0
Original Poster
Quote:
Originally Posted by acid_kewpie
this is usually down to the wrong rights on ~/.ssh (should be 700) or ~/.ssh/authorized_keys (should be 600)

Sorry, I forgot to mention that I've verified that the permissions are correct:

Code:
[root@server1 ~]# ls -ld ~/.ssh
drwx------. 2 root root 4096 Dec 16 20:42 /root/.ssh
[root@server1 ~]# ls -l ~/.ssh
total 16
-rw-------. 1 root root 612 Dec 16 20:41 authorized_keys
-rw-------. 1 root root 612 Dec 16 20:41 authorized_keys2
-rw-------. 1 root root 612 Dec 16 20:41 known_hosts
edit: OS on the server is RHEL 6.1.

Last edited by to0; 12-21-2011 at 03:09 PM.
 
12-21-2011, 04:55 PM   #4
acid_kewpie
Moderator
Run the server daemon in the foreground and see what that says. You get much more useful information on the server side.
 
12-21-2011, 05:51 PM   #5
to0
Original Poster
When I run sshd in the foreground, it actually accepts the public key and connects without a password prompt, but immediately kicks me out:

Code:
[root@client1 ~]# ssh server1
...
debug1: Offering public key: /root/.ssh/id_dsa
debug1: Server accepts key: pkalg ssh-dss blen 435
debug1: read PEM private key done: type DSA
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: forcing write
Last login: Wed Dec 21 18:43:20 2011 from client1
debug1: channel 0: free: client-session, nchannels 1
Connection to server1 closed.
debug1: Transferred: stdin 0, stdout 0, stderr 32 bytes in 0.2 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 149.2
debug1: Exit status 254

[root@client1 ~]#
I have PermitRootLogin set to yes in sshd_config.

Here's the output for the server:
Code:
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug1: trying public key file /root/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
debug1: matching key found: file /root/.ssh/authorized_keys, line 1
Found matching DSA key: 8f:6d:99:13:b4:7c:67:b9:4e:79:a0:d9:37:22:ac:8c
debug1: restore_uid: 0/0
debug1: ssh_dss_verify: signature correct
debug1: do_pam_account: called
Accepted publickey for root from 192.168.1.131 port 45849 ssh2
debug1: monitor_child_preauth: root has been authenticated by privileged process
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug1: ssh_gssapi_storecreds: Not a GSSAPI mechanism
debug1: restore_uid: 0/0
debug1: SELinux support enabled
debug1: PAM: establishing credentials
PAM: pam_open_session(): Authentication failure
debug1: Entering interactive session for SSH2.
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 16384
debug1: input_session_request
debug1: channel 0: new [server-session]
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_channel_req: channel 0 request pty-req reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req pty-req
debug1: Allocating pty.
debug1: session_pty_req: session 0 alloc /dev/pts/1
ssh_selinux_setup_pty: security_compute_relabel: Invalid argument
debug1: server_input_channel_req: channel 0 request env reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req env
debug1: server_input_channel_req: channel 0 request shell reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req shell
debug1: Setting controlling tty using TIOCSCTTY.
debug1: Received SIGCHLD.
debug1: session_by_pid: pid 26143
debug1: session_exit_message: session 0 channel 0 pid 26143
debug1: session_exit_message: release channel 0
debug1: session_pty_cleanup: session 0 release /dev/pts/1
debug1: session_by_channel: session 0 channel 0
debug1: session_close_by_channel: channel 0 child 0
debug1: session_close: session 0 pid 0
debug1: channel 0: free: server-session, nchannels 1
Connection closed by 192.168.1.131
debug1: do_cleanup
debug1: PAM: cleanup
debug1: PAM: deleting credentials
Transferred: sent 2600, received 2864 bytes
Closing connection to 192.168.1.131 port 45849
At this point, sshd crashes.

If I do a service sshd restart, it goes back to asking me for a password.

Thanks for the help.

Last edited by to0; 12-21-2011 at 05:56 PM. Reason: Added server's sshd output
 
12-05-2012, 03:52 PM   #6
pokemaster
Member
This looks to me like an SELinux issue (I've just encountered it myself).


Here, SELinux is denying the sshd daemon access to the authorized_keys file, but only when run in the background.

Running in the foreground, it gets root's generic context and has no problems.


The fix:

restorecon -v -R /home

This restores the SELinux contexts to default for /home.

I'm running CentOS, for reference.
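
The SELinux explanation in post #6 can be confirmed from the audit log before anything is relabelled. The script below is an added example, not code from any poster in this thread: it filters AVC records for denials issued to the confined sshd domain (sshd_t) and reports target files that are not typed ssh_home_t. The audit records are constructed, and ssh_home_t as the expected type for ~/.ssh content is an assumption based on the stock RHEL/CentOS targeted policy.

```shell
#!/bin/sh
# Added example: find sshd AVC denials whose target file lacks the ssh_home_t
# label. The audit records below are constructed, not taken from the thread.

sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1324507400.101:411): avc:  denied  { read } for  pid=26140 comm="sshd" name="authorized_keys" dev=dm-0 ino=262155 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1324507401.220:412): avc:  denied  { write } for  pid=1899 comm="httpd" name="upload" dev=dm-0 ino=400211 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=USER_AUTH msg=audit(1324507402.000:413): user pid=26141 uid=0 auid=4294967295 msg='op=password acct="root" exe="/usr/sbin/sshd" res=failed'
EOF
}

# Print "<file name> <SELinux type on the file>" for every denial where the
# confined sshd domain (sshd_t) was refused access to a file not typed
# ssh_home_t (assumed expected type for ~/.ssh content).
mislabeled_ssh_files() {
    awk '
    $1 == "type=AVC" && /denied/ && /scontext=[^ ]*:sshd_t:/ {
        name = ""; ttype = ""
        for (i = 1; i <= NF; i++) {
            # name="authorized_keys" -> authorized_keys
            if ($i ~ /^name=/)     { name = $i; gsub(/^name=|"/, "", name) }
            # tcontext=user:role:type:level -> type is the third field
            if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }
        }
        if (ttype != "ssh_home_t") print name, ttype
    }'
}

# Constructed input; on a live host feed real records instead, e.g.
#   ausearch -m avc -c sshd | mislabeled_ssh_files
# and compare the labels on disk with: ls -Z /root/.ssh
sample_audit_log | mislabeled_ssh_files
```

For the root account in this thread the keys live under /root/.ssh, so `restorecon -n -v -R /root/.ssh` shows which labels would change without changing them.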
 
12-06-2012, 02:14 AM   #7
acid_kewpie
Moderator
Please note this is an OLD thread. The OP has almost certainly moved on from this now.
 
  

