LinuxQuestions.org - [SOLVED] openssh-server doesn't check into "authorized

- Debian (https://www.linuxquestions.org/questions/debian-26/)

- - openssh-server doesn't check into "authorized_keys" file (https://www.linuxquestions.org/questions/debian-26/openssh-server-doesnt-check-into-authorized_keys-file-821554/)

openssh-server doesn't check into "authorized_keys" file

Hi,

I'm stuck on this problem for about a week, I googled it and finally I'm posting this thread because I didn't find the answer...

I have two Debian 5 servers which running on both the same version of OpenSSH (5.1p1) and OpenSSL (0.9.8g).

One week ago, I set ssh keys on both of them and create the file "authorized_keys". I was able to connect on each server via SSH without password (which is the purpose of ssh keys) but I had an issue with the SSH service and I had to restart one of my server. And since this time, when I try to connect to my other server with the same ssh command, the command ask me to type the password...

This is the result of the ssh command (with the argument -v):

Code:

OpenSSH_5.1p1 Debian-5, OpenSSL 0.9.8g 19 Oct 2007

debug1: Reading configuration data /etc/ssh/ssh_config

debug1: Applying options for *

debug1: Connecting to MY_SERVER [1.2.3.4] port 22.

debug1: Connection established.

debug1: permanently_set_uid: 0/0

debug1: identity file /root/.ssh/identity type -1

debug1: identity file /root/.ssh/id_rsa type -1

debug1: identity file /root/.ssh/id_dsa type 2

debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024

debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024

debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1p1 Debian-5

debug1: match: OpenSSH_5.1p1 Debian-5 pat OpenSSH*

debug1: Enabling compatibility mode for protocol 2.0

debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-5

debug1: SSH2_MSG_KEXINIT sent

debug1: SSH2_MSG_KEXINIT received

debug1: kex: server->client aes128-cbc hmac-md5 none

debug1: kex: client->server aes128-cbc hmac-md5 none

debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent

debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP

debug1: SSH2_MSG_KEX_DH_GEX_INIT sent

debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY

debug1: Host '[MY_SERVER]:22' is known and matches the RSA host key.

debug1: Found key in /root/.ssh/known_hosts:10

debug1: ssh_rsa_verify: signature correct

debug1: SSH2_MSG_NEWKEYS sent

debug1: expecting SSH2_MSG_NEWKEYS

debug1: SSH2_MSG_NEWKEYS received

debug1: SSH2_MSG_SERVICE_REQUEST sent

debug1: SSH2_MSG_SERVICE_ACCEPT received

debug1: Authentications that can continue: publickey,password

debug1: Next authentication method: publickey

debug1: Trying private key: /root/.ssh/identity

debug1: Trying private key: /root/.ssh/id_rsa

debug1: Offering public key: /root/.ssh/id_dsa

debug1: Authentications that can continue: publickey,password

debug1: Next authentication method: password

root@MY_SERVER's password:

I already tried to reinstall openssh on both servers but no success!

Thanks to help me to resolve this issue.

ClemSF.

what does server log say? try running sshd in double-verbose (-vv) mode.

Looks like you've set up pubkey authentication for root -> root logins (?). Let's see output from all the following (in code tags please). These should be run on the remote server (ssh daemon) side.

Code:

# ls -ld /root /root/.ssh

Code:

# egrep -i 'root|allow|deny' /etc/ssh/sshd_config

-------

[ And yes, checking your AUTH / AUTHPRIV logs is the best approach. I don't know what those are by default on Debian. ]

Can you post the contents of your /etc/ssh/sshd_config file?

Thanks everyone for your answers!

@Web31337:
This his the result of the ssh command with --v:

Code:

OPS:~/.ssh# ssh root@MY_SERVER -p 22223 -vv

OpenSSH_5.1p1 Debian-5, OpenSSL 0.9.8g 19 Oct 2007

debug1: Reading configuration data /root/.ssh/config

debug1: Applying options for MY_SERVER

debug1: Reading configuration data /etc/ssh/ssh_config

debug1: Applying options for *

debug2: ssh_connect: needpriv 0

debug1: Connecting to MY_SERVER [1.2.3.4] port 22223.

debug1: Connection established.

debug1: permanently_set_uid: 0/0

debug1: identity file /root/.ssh/identity type -1

debug1: identity file /root/.ssh/id_rsa type -1

debug2: key_type_from_name: unknown key type '-----BEGIN'

debug2: key_type_from_name: unknown key type '-----END'

debug1: identity file /root/.ssh/id_dsa type 2

debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024

debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024

debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1p1 Debian-5

debug1: match: OpenSSH_5.1p1 Debian-5 pat OpenSSH*

debug1: Enabling compatibility mode for protocol 2.0

debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-5

debug2: fd 3 setting O_NONBLOCK

debug1: SSH2_MSG_KEXINIT sent

debug1: SSH2_MSG_KEXINIT received

debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

debug2: kex_parse_kexinit: ssh-rsa,ssh-dss

debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr

debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr

debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96

debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96

debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib

debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib

debug2: kex_parse_kexinit:

debug2: kex_parse_kexinit:

debug2: kex_parse_kexinit: first_kex_follows 0

debug2: kex_parse_kexinit: reserved 0

debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

debug2: kex_parse_kexinit: ssh-rsa,ssh-dss

debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr

debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr

debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96

debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96

debug2: kex_parse_kexinit: none,zlib@openssh.com

debug2: kex_parse_kexinit: none,zlib@openssh.com

debug2: kex_parse_kexinit:

debug2: kex_parse_kexinit:

debug2: kex_parse_kexinit: first_kex_follows 0

debug2: kex_parse_kexinit: reserved 0

debug2: mac_setup: found hmac-md5

debug1: kex: server->client aes128-cbc hmac-md5 none

debug2: mac_setup: found hmac-md5

debug1: kex: client->server aes128-cbc hmac-md5 none

debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent

debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP

debug2: dh_gen_key: priv key bits set: 130/256

debug2: bits set: 518/1024

debug1: SSH2_MSG_KEX_DH_GEX_INIT sent

debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY

debug1: Host '[MY_SERVER]:22' is known and matches the RSA host key.

debug1: Found key in /root/.ssh/known_hosts:10

debug2: bits set: 491/1024

debug1: ssh_rsa_verify: signature correct

debug2: kex_derive_keys

debug2: set_newkeys: mode 1

debug1: SSH2_MSG_NEWKEYS sent

debug1: expecting SSH2_MSG_NEWKEYS

debug2: set_newkeys: mode 0

debug1: SSH2_MSG_NEWKEYS received

debug1: SSH2_MSG_SERVICE_REQUEST sent

debug2: service_accept: ssh-userauth

debug1: SSH2_MSG_SERVICE_ACCEPT received

debug2: key: /root/.ssh/identity ((nil))

debug2: key: /root/.ssh/id_rsa ((nil))

debug2: key: /root/.ssh/id_dsa (0x2b32f134cf60)

debug1: Authentications that can continue: publickey,password

debug1: Next authentication method: publickey

debug1: Trying private key: /root/.ssh/identity

debug1: Trying private key: /root/.ssh/id_rsa

debug1: Offering public key: /root/.ssh/id_dsa

debug2: we sent a publickey packet, wait for reply

debug1: Authentications that can continue: publickey,password

debug2: we did not send a packet, disable method

debug1: Next authentication method: password

root@MY_SERVER's password:

@anomie:

Code:

ops:~/.ssh# ls -ld /root /root/.ssh

drwxrwsr-x 8 nagios nagios 4096 Jul 22 17:11 /root

drwx------ 2 root  root  4096 Jul 23 09:34 /root/.ssh

-------

Code:

ops:~/.ssh# egrep -i 'root|allow|deny' /etc/ssh/sshd_config

PermitRootLogin yes

# Allow client to pass locale environment variables

AllowUsers root slum

@lewisforlife:
And this his my sshd_config file:

Code:

ops:~/.ssh# cat /etc/ssh/sshd_config

# Package generated configuration file

# See the sshd(8) manpage for details



# What ports, IPs and protocols we listen for

Port 22223

# Use these options to restrict which interfaces/protocols sshd will bind to

#ListenAddress ::

#ListenAddress 0.0.0.0

Protocol 2

# HostKeys for protocol version 2

HostKey /etc/ssh/ssh_host_rsa_key

HostKey /etc/ssh/ssh_host_dsa_key

#Privilege Separation is turned on for security

UsePrivilegeSeparation yes



# Lifetime and size of ephemeral version 1 server key

KeyRegenerationInterval 3600

ServerKeyBits 768



# Logging

SyslogFacility AUTH

LogLevel INFO



# Authentication:

LoginGraceTime 120

PermitRootLogin yes

StrictModes yes



RSAAuthentication yes

PubkeyAuthentication yes

#AuthorizedKeysFile    %h/.ssh/authorized_keys



# Don't read the user's ~/.rhosts and ~/.shosts files

IgnoreRhosts yes

# For this to work you will also need host keys in /etc/ssh_known_hosts

RhostsRSAAuthentication no

# similar for protocol version 2

HostbasedAuthentication no

# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication

#IgnoreUserKnownHosts yes



# To enable empty passwords, change to yes (NOT RECOMMENDED)

PermitEmptyPasswords no



# Change to yes to enable challenge-response passwords (beware issues with

# some PAM modules and threads)

ChallengeResponseAuthentication no



# Change to no to disable tunnelled clear text passwords

#PasswordAuthentication yes



# Kerberos options

#KerberosAuthentication no

#KerberosGetAFSToken no

#KerberosOrLocalPasswd yes

#KerberosTicketCleanup yes



# GSSAPI options

#GSSAPIAuthentication no

#GSSAPICleanupCredentials yes



X11Forwarding yes

X11DisplayOffset 10

PrintMotd no

PrintLastLog yes

TCPKeepAlive yes

#UseLogin no



#MaxStartups 10:30:60

#Banner /etc/issue.net



# Allow client to pass locale environment variables

AcceptEnv LANG LC_*



Subsystem sftp /usr/lib/openssh/sftp-server



UsePAM yes

AllowUsers root slum

Thanks again guys to help me with that! I hope you'll figure out something... :)

ClemSF

And I would like to add, I tried to change the name to the file "authorized_keys" to "authorized_keys2", just in case. However, the issue is still the same!

And about /var/log/auth.log, there is nothing in this file ?!
I don't have any authpriv in this folder.

Shutdown your OpenSSH server. Then replace:

Code:

#PasswordAuthentication yes

with

Code:

PasswordAuthentication no

Then start it back up again.

I tried to remove the authentification and I get this error now:

Code:

ops:# ssh root@MY_SERVER -p 22223

Permission denied (publickey).

But, I don't really want to remove the authentification in general... I just want that my two servers knows each other and ssh without password.

Thank you anyway lewisforlife!
PS: what are you thinking with this "Permission denied" ?

It sounds like your public/private keys are not matching up. I would make a new public/private key pair. Remember, the private key stays on the client, and the public key goes to the box running the OpenSSH server. Are you using RSA?

*Also, I would really recommend leaving PasswordAuthentication off. Unless you use extremely strong passwords, this is very risky to have turned on if you have have the SSH port opened in your router meaning you can connect from outside of your network.

Oh ok! Good to know!

My Private/Public Keys were good. But I found this issue!
It was a permission problem. On my /root directory, the right changed to another user... I don't know why but it was the issue!

Thank you guys to gave me some of your time on this :)

Bingo. The sshd_config StrictModes directive requires that 1) your home directory is owned by you; 2) your home directory is not group/world writable.

Glad you got it fixed up.