LinuxQuestions.org


kdheepan 06-08-2011 06:50 AM

SSH Key based authentication failure
 
Hi, I have generated an RSA key on server1 and appended it to the authorized_keys2 file on the server, and the permissions seem to be OK. Still, it's prompting for a password.

SERVER1:
--------
drwx--S--- 2 owner1 group1 256 May 04 2010 .ssh

-rw-r----- 1 owner1 group1 2423 Jun 08 09:02 authorized_keys2
-rw-r--r-- 1 owner1 group1 8711 Jun 08 09:00 known_hosts
-rw-r----- 1 owner1 group1 388 Feb 15 2010 id_rsa.pub
-rw------- 1 owner1 group1 1679 Feb 12 2010 id_rsa

$ ssh -V
OpenSSH_5.4p1, OpenSSL 0.9.8m 25 Feb 2010


SERVER2:
--------
drwx--S--- 2 owner2 group2 256 Jun 08 08:42 .ssh

-rw-r----- 1 owner2 group2 388 Jun 08 08:44 authorized_keys2
-rw-r--r-- 1 owner2 group2 0 Jun 07 16:19 known_hosts
-rw------- 1 owner2 group2 887 Jun 07 16:02 id_rsa
-rw-r----- 1 owner2 group2 227 Jun 07 16:02 id_rsa.pub

>ssh -V
OpenSSH_5.0p1, OpenSSL 0.9.8h 28 May 2008

Debug Level2 output
-------------------

$ ssh -vv owner2@server2
OpenSSH_5.4p1, OpenSSL 0.9.8m 25 Feb 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Failed dlopen: /usr/krb5/lib/libkrb5.a(libkrb5.a.so): 0509-022 Cannot load module /usr/krb5/lib/libkrb5.a(libkrb5.a.so).
0509-026 System error: A file or directory in the path name does not exist.

debug1: Error loading Kerberos, disabling Kerberos auth.
debug2: ssh_connect: needpriv 0
debug1: Connecting to server2 [ip address] port 22.
debug1: Connection established.
debug1: identity file /u/ibm/owner1/.ssh/csm_rsa type -1
debug1: identity file /u/ibm/owner1/.ssh/csm_rsa-cert type -1
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug2: key_type_from_name: unknown key type '-----END'
debug1: identity file /u/ibm/owner1/.ssh/id_rsa type 1
debug1: identity file /u/ibm/owner1/.ssh/id_rsa-cert type -1
debug1: identity file /u/ibm/owner1/.ssh/id_dsa type -1
debug1: identity file /u/ibm/owner1/.ssh/id_dsa-cert type -1
debug1: identity file /u/ibm/owner1/.ssh/hmc_dsa type -1
debug1: identity file /u/ibm/owner1/.ssh/hmc_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.0
debug1: match: OpenSSH_5.0 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.4
debug2: fd 4 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v00@openssh.com,ssh-dss...00@openssh.com,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 135/256
debug2: bits set: 511/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'server2' is known and matches the RSA host key.
debug1: Found key in /u/ibm/owner1/.ssh/known_hosts:37
debug2: bits set: 494/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /u/ibm/owner1/.ssh/csm_rsa (0)
debug2: key: /u/ibm/owner1/.ssh/id_rsa (20046258)
debug2: key: /u/ibm/owner1/.ssh/id_dsa (0)
debug2: key: /u/ibm/owner1/.ssh/hmc_dsa (0)
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /u/ibm/owner1/.ssh/csm_rsa
debug1: Offering public key: /u/ibm/owner1/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Trying private key: /u/ibm/owner1/.ssh/id_dsa
debug1: Trying private key: /u/ibm/owner1/.ssh/hmc_dsa
debug2: we did not send a packet, disable method
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
owner2@server2's password:

===============================

SSH connectivity is working for owner1 from server1 to other users on server2.

The known_hosts of server1 has an entry for server2. It differs from the entries for other servers.

For all other servers, the entry looks like
<server name>, <ip address> <ssh key>

But for server2, it looks like
<server name> <ssh key>

Not sure if it is really an issue.

Could someone please help me?

colucix 06-08-2011 07:04 AM

The file authorized_keys2 is considered obsolete, since it was introduced in an older version of OpenSSH when the 1.3 and 1.5 protocols were still in use and 2.0 was not the default. Try renaming authorized_keys2 to authorized_keys and retry. The official announcement about this topic was http://marc.info/?l=openssh-unix-dev...8718416162&w=2 back in 2001.
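Two checks that follow from this answer and from the debug output in the question (the client offers id_rsa and the server just lists the methods again, which means the key was not accepted), written as an added shell example rather than anything posted in the thread: key_present tells you whether the key blob of a given .pub file actually appears in an authorized_keys file, ignoring comments and leading options, and merge_authorized_keys moves the entries of an obsolete authorized_keys2 into authorized_keys without duplicating ones already there. The function names, the .migrated suffix and the sample keys in the comments are my own assumptions, not from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: verify that a public key is listed in an
# authorized_keys file and migrate an obsolete authorized_keys2 into it.
# Paths are parameters so it can be exercised against a scratch directory
# instead of a real ~/.ssh.

# key_blob: read one public-key line on stdin and print "type base64blob",
# dropping any leading options (from="...", command="...") and the trailing
# comment, so two copies of the same key compare equal even if the comments
# differ.
key_blob() {
    awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^(ssh|ecdsa)-/ && i < NF) { print $i " " $(i + 1); exit }
    }'
}

# key_present PUBFILE AUTHFILE: exit 0 if the key in PUBFILE is in AUTHFILE,
# 1 if not, 2 if PUBFILE does not look like a public key at all.
key_present() {
    blob=$(key_blob < "$1")
    [ -n "$blob" ] || return 2
    # -F: the base64 blob contains '+' and '/', which are regex metacharacters
    grep -qF -- "$blob" "$2"
}

# merge_authorized_keys DIR: append every key of DIR/authorized_keys2 that is
# not already in DIR/authorized_keys, tighten the mode, and rename the old
# file so sshd no longer reads it (assumed suffix: .migrated).
merge_authorized_keys() {
    dir=$1
    old="$dir/authorized_keys2"
    new="$dir/authorized_keys"
    [ -f "$old" ] || return 0          # nothing to migrate
    touch "$new"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac      # skip blanks and comments
        blob=$(printf '%s\n' "$line" | key_blob)
        [ -n "$blob" ] || continue                      # not a key line
        grep -qF -- "$blob" "$new" || printf '%s\n' "$line" >> "$new"
    done < "$old"
    chmod 600 "$new"
    mv "$old" "$old.migrated"
}
```

After running merge_authorized_keys ~/.ssh on the server, key_present ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys (with the client's .pub copied over) answers the question the debug log only hints at: whether the key the client is offering is the one the server has.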

sundialsvcs 06-08-2011 07:55 AM

A rather annoying characteristic of ssh is that, left to its own devices, it will start with the most secure option available to it and then, like the ever-helpful but otherwise clueless watchman, continue to offer less and less secure options (right down to "enter password," if you let it ...), happily accepting the least secure authentication!

"Oh, I see that you don't have an XYZZY-Super-Secret Certificate. Do you have a key? No? Okay, then what's the combination? Don't have that, either? But you look like such a nice person ... that mask really looks good on you ... gee, are those real explosives? Well, then, what's the magic word? Perfect! Come right on in!!" :doh:

So, you have to not only be certain that the key files are set up correctly, but you also have to turn off other, lesser forms of authentication.

Also, remember that SSH pays close attention to the security provisions of its key-file directories! If the directory is group- or world-readable, it will be ignored. SSH does have good logging options (if you turn them on), so, as you are working it all out, be sure to turn them all on, then watch closely what gets recorded in /var/log/something.
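An added shell example (my own, not from this post or the thread) of the two things described above: audit_ssh_dir checks the mode bits that sshd's StrictModes setting enforces, namely that the .ssh directory and authorized_keys are not group- or world-writable, and additionally flags a private key that is readable by others; fallback_auth_methods reads an sshd_config and reports which password-style methods would still be accepted, applying sshd's first-occurrence-wins rule and its defaults of yes for PasswordAuthentication and ChallengeResponseAuthentication. Function names and the sample files are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: audit ~/.ssh modes the way sshd's
# StrictModes check does, and list the fallback auth methods an sshd_config
# still allows. Paths are parameters so it runs on a scratch directory.

# perm_string PATH: the ten-character mode column of ls -ld, e.g. drwx--S---
perm_string() { ls -ld "$1" | cut -c1-10; }

# writable_by_others PATH: true when group (column 6) or world (column 9)
# has the write bit; sshd refuses the key file when StrictModes finds this.
writable_by_others() {
    case "$(perm_string "$1")" in
        ?????w*|????????w?) return 0 ;;
    esac
    return 1
}

# readable_by_others PATH: true when group (column 5) or world (column 8)
# has the read bit; wrong for a private key even though sshd does not check it.
readable_by_others() {
    case "$(perm_string "$1")" in
        ????r*|???????r??) return 0 ;;
    esac
    return 1
}

# audit_ssh_dir DIR: print one line per finding; the exit status is the
# number of findings, so 0 means everything checked is acceptable.
audit_ssh_dir() {
    dir=$1; n=0
    for f in "$dir" "$dir/authorized_keys"; do
        [ -e "$f" ] || { echo "missing: $f"; n=$((n + 1)); continue; }
        if writable_by_others "$f"; then
            echo "group/world-writable: $f ($(perm_string "$f"))"; n=$((n + 1))
        fi
    done
    for k in "$dir"/id_*; do                 # private keys: id_rsa, id_dsa, ...
        case "$k" in *.pub) continue ;; esac
        [ -f "$k" ] || continue
        if readable_by_others "$k"; then
            echo "private key readable by others: $k ($(perm_string "$k"))"; n=$((n + 1))
        fi
    done
    return $n
}

# config_value FILE KEYWORD DEFAULT: effective value of an sshd_config keyword
# (lower-case KEYWORD); sshd uses the first occurrence, comment lines are skipped.
config_value() {
    v=$(awk -v kw="$2" 'tolower($1) == kw { print $2; exit }' "$1")
    printf '%s\n' "${v:-$3}"
}

# fallback_auth_methods FILE: the password-style methods sshd would still
# accept with this config, i.e. the "lesser forms" that should be turned off.
fallback_auth_methods() {
    out=""
    [ "$(config_value "$1" passwordauthentication yes)" = yes ] && out="$out password"
    [ "$(config_value "$1" challengeresponseauthentication yes)" = yes ] && out="$out keyboard-interactive"
    printf '%s\n' "${out# }"
}
```

On the server, run audit_ssh_dir ~/.ssh as the account being logged into; any writable finding is exactly what sshd reports as a bad ownership or modes refusal in the auth log. fallback_auth_methods /etc/ssh/sshd_config printing anything means a wrong key silently falls through to a password prompt, which is what the question's debug output shows, and config_value /etc/ssh/sshd_config loglevel INFO shows the logging setting mentioned above.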
