LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 08-26-2011, 02:17 AM   #1
Jangari
LQ Newbie
 
Registered: Aug 2011
Posts: 4

Rep: Reputation: Disabled
ssh key authentication not working (debian into redhat)


Hi all,

I'm working across two servers for work, using a personal account and some non-personal accounts for automated processes. The redhat box (remote) is in an institution where I don't have admin access and the local box is debian, and I do.

I set up ssh public key authentication for an automated process, at first using my own user account on the remote machine until such time as the admins decided they'd give us another user account to do this particular thing (don't want to have this process associated with my account for various reasons).

Anyway, this all worked fine:

user1@server1 -> user2@server2 via ssh with public key

Then, they gave us the other account on server2, and I did all the same ssh-keygen setting up (which I've done hundreds of times), but:

user1@server1 -> user3@server2 prompts for user3@server2's password.

I've tried rsa, dsa, passphrase, nopassphrase, double checked connecting to user2 which still works fine. So the problem is isolated to the new account. Any ideas on what could be blocking public key authentication which is specific to a user account?

Here's the output of ssh -vv user3@server2 (with server names and accounts anonymised):

Code:
OpenSSH_5.1p1 Debian-5, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to server1 [128.250.198.168] port 22.
debug1: Connection established.
debug1: identity file /home/user1/.ssh/identity type -1
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug2: key_type_from_name: unknown key type '-----END'
debug1: identity file /home/user1/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug2: key_type_from_name: unknown key type '-----END'
debug1: identity file /home/user1/.ssh/id_dsa type 2
debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1p1 Debian-5
debug1: match: OpenSSH_5.1p1 Debian-5 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-5
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 132/256
debug2: bits set: 506/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'server1' is known and matches the RSA host key.
debug1: Found key in /home/user1/.ssh/known_hosts:2
debug2: bits set: 505/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/user1/.ssh/identity ((nil))
debug2: key: /home/user1/.ssh/id_rsa (0xb91629e8)
debug2: key: /home/user1/.ssh/id_dsa (0xb9162a00)
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /home/user1/.ssh/identity
debug1: Offering public key: /home/user1/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: /home/user1/.ssh/id_dsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
Help appreciated!
 
Old 08-26-2011, 06:18 AM   #2
rodrifra
Member
 
Registered: Mar 2007
Location: Spain
Distribution: Debian
Posts: 201

Rep: Reputation: 36
Hello.

Once you have generated your key pairs (private/public) for one server, you don't need to generate more keys, you just spread your public key through the servers where you have accounts and you want to connect to.

So, in server1:/home/user1/.ssh you should have id_rsa and id_rsa.pub (in case you generated rsa keys). id_rsa.pub is the key you have to send to server2, server3 or whatever server you want to connect to. And must be in server2:/home/user2/.ssh with the name authorized_keys.

Conclusion:

Server1:/home/user1/.ssh must have a file named id_rsa.
Server2:/home/user2/.ssh must have a file named authorized_keys which contains the public key that was generated in server1 with id_rsa (id_rsa.pub).

If user2@server2 is working, just copy server2:/home/user2/.ssh/authorized_keys to server2:/home/user3/.ssh/authorized_keys (I guess you only have one public key in your authorized_keys).

Hope this helps.
 
Old 08-26-2011, 09:15 AM   #3
Jangari
LQ Newbie
 
Registered: Aug 2011
Posts: 4

Original Poster
Rep: Reputation: Disabled
I've tried copying my authorised_keys from the working account to the not-working account, and still nothing. I might kick it up to the IT people here unless someone has some further diagnostics that I could try.
 
Old 08-29-2011, 10:00 AM   #4
Reuti
Senior Member
 
Registered: Dec 2004
Location: Marburg, Germany
Distribution: openSUSE 13.1
Posts: 1,330

Rep: Reputation: 254Reputation: 254Reputation: 254
As you copied the stuff to server3: what are the settings of the permission of a) the home account of user3 (it mustn’t be writable by anyone but the user himself) and b) the directory .ssh therein (it mustn’t be readable by anyone but the user himself).
 
1 members found this post helpful.
Old 08-29-2011, 10:56 PM   #5
Jangari
LQ Newbie
 
Registered: Aug 2011
Posts: 4

Original Poster
Rep: Reputation: Disabled
Quote:
the home account of user3 (it mustnít be writable by anyone but the user himself)
I'm checking this out, but I've just noticed something else interesting and possibly diagnostic: When I ssh in from the local server to the remote server with the intended user accounts, I get a stock standard prompt:
Code:
[user3@server2 ~]$
Instead of the PS2 that I have defined in ~/.profile, whereas if I'm already on server2 and I `su user3`, I get the prompt as initiated by ~/.profile.

Could this have anything to do with it? If ssh is skipping the .profile, could it be skipping all .ssh/ files as well? How could I possibly tell?
 
Old 08-29-2011, 11:12 PM   #6
Jangari
LQ Newbie
 
Registered: Aug 2011
Posts: 4

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Jangari View Post
I'm checking this out, but I've just noticed something else interesting and possibly diagnostic: When I ssh in from the local server to the remote server with the intended user accounts, I get a stock standard prompt:
Code:
[user3@server2 ~]$
Instead of the PS2 that I have defined in ~/.profile, whereas if I'm already on server2 and I `su user3`, I get the prompt as initiated by ~/.profile.

Could this have anything to do with it? If ssh is skipping the .profile, could it be skipping all .ssh/ files as well? How could I possibly tell?
I checked it out, and it appeared that user3's home was set to 777, inexplicably, so after reverting it to 700, it's now working. Thanks for your help Reuti; I wouldn't have thought to even consider that.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
SSH skips public key authentication for a key, but works with another key simopal6 Linux - General 1 07-06-2011 09:33 AM
SSH public key authentication Jeroen1000 Linux - Security 12 09-07-2009 05:14 AM
LXer: How To Set Up SSH With Public-Key Authentication On Debian Etch LXer Syndicated Linux News 0 03-30-2008 12:50 PM
Public Key Authentication with SSH edafe Ubuntu 1 08-26-2006 12:06 PM
Can't use public key authentication with SSH Noob69 Linux - General 5 01-06-2006 07:27 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 09:46 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration