SSH Key based authentication failure
Hi, I have generated an RSA key on server1 and appended it to the authorized_keys2 file on server2, and the permissions seem to be ok. Still, it's prompting for a password.
SERVER1:
--------
drwx--S--- 2 owner1 group1  256 May 04  2010 .ssh
-rw-r----- 1 owner1 group1 2423 Jun 08 09:02 authorized_keys2
-rw-r--r-- 1 owner1 group1 8711 Jun 08 09:00 known_hosts
-rw-r----- 1 owner1 group1  388 Feb 15  2010 id_rsa.pub
-rw------- 1 owner1 group1 1679 Feb 12  2010 id_rsa

$ ssh -V
OpenSSH_5.4p1, OpenSSL 0.9.8m 25 Feb 2010

SERVER2:
--------
drwx--S--- 2 owner2 group2  256 Jun 08 08:42 .ssh
-rw-r----- 1 owner2 group2  388 Jun 08 08:44 authorized_keys2
-rw-r--r-- 1 owner2 group2    0 Jun 07 16:19 known_hosts
-rw------- 1 owner2 group2  887 Jun 07 16:02 id_rsa
-rw-r----- 1 owner2 group2  227 Jun 07 16:02 id_rsa.pub

>ssh -V
OpenSSH_5.0p1, OpenSSL 0.9.8h 28 May 2008

Debug Level2 output
-------------------
$ ssh -vv owner2@server2
OpenSSH_5.4p1, OpenSSL 0.9.8m 25 Feb 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Failed dlopen: /usr/krb5/lib/libkrb5.a(libkrb5.a.so): 0509-022 Cannot load module /usr/krb5/lib/libkrb5.a(libkrb5.a.so).
        0509-026 System error: A file or directory in the path name does not exist.
debug1: Error loading Kerberos, disabling Kerberos auth.
debug2: ssh_connect: needpriv 0
debug1: Connecting to server2 [ip address] port 22.
debug1: Connection established.
debug1: identity file /u/ibm/owner1/.ssh/csm_rsa type -1
debug1: identity file /u/ibm/owner1/.ssh/csm_rsa-cert type -1
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug2: key_type_from_name: unknown key type '-----END'
debug1: identity file /u/ibm/owner1/.ssh/id_rsa type 1
debug1: identity file /u/ibm/owner1/.ssh/id_rsa-cert type -1
debug1: identity file /u/ibm/owner1/.ssh/id_dsa type -1
debug1: identity file /u/ibm/owner1/.ssh/id_dsa-cert type -1
debug1: identity file /u/ibm/owner1/.ssh/hmc_dsa type -1
debug1: identity file /u/ibm/owner1/.ssh/hmc_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.0
debug1: match: OpenSSH_5.0 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.4
debug2: fd 4 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v00@openssh.com,ssh-dss...00@openssh.com,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 135/256
debug2: bits set: 511/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'server2' is known and matches the RSA host key.
debug1: Found key in /u/ibm/owner1/.ssh/known_hosts:37
debug2: bits set: 494/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /u/ibm/owner1/.ssh/csm_rsa (0)
debug2: key: /u/ibm/owner1/.ssh/id_rsa (20046258)
debug2: key: /u/ibm/owner1/.ssh/id_dsa (0)
debug2: key: /u/ibm/owner1/.ssh/hmc_dsa (0)
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /u/ibm/owner1/.ssh/csm_rsa
debug1: Offering public key: /u/ibm/owner1/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Trying private key: /u/ibm/owner1/.ssh/id_dsa
debug1: Trying private key: /u/ibm/owner1/.ssh/hmc_dsa
debug2: we did not send a packet, disable method
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
owner2@server2's password:
===============================

SSH connectivity is working for owner1 from server1 to other users on server2. The known_hosts of server1 has an entry for server2. It differs from the entries for other servers. For all other servers, the entry looks like

<server name>,<ip address> <ssh key>

But for server2, it looks like

<server name> <ssh key>

Not sure if it is really an issue. Could someone please help me?
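The transcript above is the part that tells the story: the client offers id_rsa, the server answers with the "Authentications that can continue" list instead of accepting it, and the client drops to keyboard-interactive and then password. The following is an added example, not code from the thread, that summarises an `ssh -vv` transcript into those events; the sample log is constructed from the lines quoted above, and the "Server accepts key:" message it also recognises is what OpenSSH prints when a key is accepted.

```shell
#!/bin/sh
# Added example, not from the thread: triage of an "ssh -vv" client transcript.
# It lists which identities were offered, whether the server accepted any of
# them, and which method the client finally fell back to.

# Constructed sample: the authentication part of the transcript in the thread.
SAMPLE_LOG='debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /u/ibm/owner1/.ssh/csm_rsa
debug1: Offering public key: /u/ibm/owner1/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Trying private key: /u/ibm/owner1/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug1: Next authentication method: keyboard-interactive
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug1: Next authentication method: password'

# Read a -vv transcript on stdin and print one summary line per event:
#   offered <path>     the client sent this public key
#   rejected <path>    the server replied with the "can continue" list, i.e. it did not accept the key
#   accepted <path>    the server accepted the key ("Server accepts key:" line)
#   fallback <method>  the client moved on to a weaker method
triage_ssh_auth() {
    awk '
        /Offering public key: / {
            sub(/.*Offering public key: /, ""); key = $1
            print "offered " key; next
        }
        /Server accepts key: / { print "accepted " key; key = ""; next }
        /Authentications that can continue:/ && key != "" {
            print "rejected " key; key = ""; next
        }
        /Next authentication method: / {
            sub(/.*Next authentication method: /, "")
            if ($1 != "publickey") print "fallback " $1
        }
    '
}

# The last method the client fell back to, or an empty string when no
# fallback happened (the key was accepted).
final_method() {
    triage_ssh_auth | awk '$1 == "fallback" { m = $2 } END { print m }'
}

# Walk-through when run directly.
printf '%s\n' "$SAMPLE_LOG" | triage_ssh_auth
```

Run it as `ssh -vv owner2@server2 2>&1 | sh triage.sh` style (feed the transcript on stdin) to get the four-line summary; a `rejected` line immediately after `offered` means the key reached the server and the server turned it down, which points at the server side (file name, contents, permissions, sshd configuration) rather than at the client.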
The file authorized_keys2 is considered obsolete, since it was introduced in an older version of OpenSSH when the 1.3 and 1.5 protocols were still in use and 2.0 was not the default. Try renaming authorized_keys2 to authorized_keys and retry. The official announcement about this topic was http://marc.info/?l=openssh-unix-dev...8718416162&w=2 back in 2001.
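Both listings in the question show only authorized_keys2 and no authorized_keys. The following is an added example, not code from the thread, for checking a server-side .ssh directory for that layout, for the permission rule sshd enforces under StrictModes (neither the directory nor the key file may be writable by group or others), and for whether a given public key is actually present; it also merges authorized_keys2 into authorized_keys as the reply suggests. The key string and the temporary directory it operates on are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: server-side checks for the obsolete
# authorized_keys2 name and for the permissions sshd's StrictModes requires.
# Everything runs inside a throwaway temp dir that stands in for ~/.ssh.

# Constructed, not a real key: only its shape matters for the string checks.
SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCEXAMPLEKEYBLOBNOTREAL owner1@server1'

# 0 if the key's type and blob (fields 1 and 2) appear in FILE, 1 otherwise.
# The comment field is ignored on purpose: it differs between copies of a key.
has_key() {
    file=$1; pubkey=$2
    keypart=$(printf '%s\n' "$pubkey" | awk '{print $1 " " $2}')
    [ -f "$file" ] && grep -qF -- "$keypart" "$file"
}

# 0 if PATH is writable by group or others (sshd rejects it), 1 if it is not.
# Parses the mode column of "ls -ld", which is the same on Linux and BSD.
is_group_or_world_writable() {
    perms=$(ls -ld "$1" | cut -c1-10)
    case "$perms" in
        ?????w*|????????w?) return 0 ;;
    esac
    return 1
}

# 0 when authorized_keys exists; 1 when only the obsolete authorized_keys2 is
# present, or neither.
check_authorized_keys_name() {
    sshdir=$1
    if [ -f "$sshdir/authorized_keys" ]; then
        return 0
    fi
    if [ -f "$sshdir/authorized_keys2" ]; then
        echo "$sshdir: only obsolete authorized_keys2 found; rename it to authorized_keys" >&2
    else
        echo "$sshdir: no authorized_keys file" >&2
    fi
    return 1
}

# Merge authorized_keys2 into authorized_keys (duplicates dropped, order kept)
# and set the permissions sshd expects. authorized_keys2 is left in place so
# the merged file can be verified before it is removed.
migrate_authorized_keys2() {
    sshdir=$1
    [ -f "$sshdir/authorized_keys2" ] || return 0
    touch "$sshdir/authorized_keys"
    cat "$sshdir/authorized_keys" "$sshdir/authorized_keys2" \
        | awk '!seen[$0]++' > "$sshdir/authorized_keys.tmp"
    mv "$sshdir/authorized_keys.tmp" "$sshdir/authorized_keys"
    chmod 600 "$sshdir/authorized_keys"
    chmod 700 "$sshdir"
}

# Build a sample .ssh dir with the thread's layout (only authorized_keys2,
# mode 640, in a mode 700 directory) and print its path.
build_sample_sshdir() {
    dir=$(mktemp -d)
    chmod 700 "$dir"
    printf '%s\n' "$SAMPLE_PUBKEY" > "$dir/authorized_keys2"
    chmod 640 "$dir/authorized_keys2"
    printf '%s\n' "$dir"
}

# Walk-through when run directly.
demo=$(build_sample_sshdir)
check_authorized_keys_name "$demo" || echo "before: authorized_keys missing"
migrate_authorized_keys2 "$demo"
check_authorized_keys_name "$demo" && echo "after: authorized_keys present"
has_key "$demo/authorized_keys" "$SAMPLE_PUBKEY" && echo "after: sample key is in authorized_keys"
is_group_or_world_writable "$demo/authorized_keys" || echo "after: permissions acceptable to StrictModes"
rm -rf "$demo"
```

On a real server, run the three check functions against the account's actual `~/.ssh` (and `is_group_or_world_writable` against the home directory too, which StrictModes also inspects) before touching anything; the merge step only makes sense once the key is confirmed present in authorized_keys2.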
A rather annoying characteristic of ssh is that, left to its own devices, it will start with the most secure option available to it, and then, like the ever-helpful but otherwise clueless watchman, continue to offer less and less secure options (right down to "enter password," if you let it ...), happily accepting the least secure authentication!
"Oh, I see that you don't have an XYZZY-Super-Secret Certificate. Do you have a key? No? Okay, then what's the combination? Don't have that, either? But you look like such a nice person ... that mask really looks good on you ... gee, are those real explosives? Well, then, what's the magic word? Perfect! Come right on in!!" :doh: So, you have to not only be certain that the key files are set up correctly, but you also have to turn off other, lesser forms of authentication. Also, remember that SSH pays close attention to the security provisions of its key-file directories! If the directory is group- or world-readable, it will be ignored. SSH does have good logging options (if you turn them on), so, as you are working it all out, be sure to turn them all on, then watch closely what gets recorded in /var/log/something.
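The two actions in that reply, turning off the weaker methods and turning logging up, are sshd_config settings. The following is an added example, not code from the thread, that audits an sshd_config the way sshd itself reads it (first match wins, keyword names are case-insensitive, and the global section ends at the first Match line) and compares a constructed permissive config with a constructed key-only one. The keyword names and defaults are those of OpenSSH sshd; ChallengeResponseAuthentication is the name used by the 5.x releases in the thread (newer releases call it KbdInteractiveAuthentication), and both password and challenge-response authentication default to yes when not set, which is exactly the fallthrough the reply describes.

```shell
#!/bin/sh
# Added example, not from the thread: audit of the sshd_config settings that
# decide which authentication methods sshd still offers and whether it logs
# enough to see why a key was rejected. Sample configs are constructed inline.

# Print the effective value of KEYWORD in FILE, or DEFAULT when unset.
# Mirrors how sshd reads the file: comments skipped, first match wins,
# keyword case-insensitive, "Keyword value" or "Keyword=value" accepted,
# and parsing of the global section stops at the first "Match" line.
sshd_setting() {
    file=$1; keyword=$2; default=$3
    value=$(awk -v kw="$(printf '%s' "$keyword" | tr 'A-Z' 'a-z')" '
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
        /^#/ || /^$/ { next }
        { split($0, f, /[ \t=]+/) }
        tolower(f[1]) == "match" { exit }
        tolower(f[1]) == kw { v = $0; sub(/^[^ \t=]+[ \t=]+/, "", v); print v; exit }
    ' "$file")
    printf '%s\n' "${value:-$default}"
}

# 0 if only public-key authentication is enabled and LogLevel is VERBOSE or
# a DEBUG level; 1 otherwise, with each finding on stderr.
audit_sshd_config() {
    file=$1; rc=0
    pw=$(sshd_setting "$file" PasswordAuthentication yes | tr 'A-Z' 'a-z')
    cr=$(sshd_setting "$file" ChallengeResponseAuthentication yes | tr 'A-Z' 'a-z')
    pk=$(sshd_setting "$file" PubkeyAuthentication yes | tr 'A-Z' 'a-z')
    ll=$(sshd_setting "$file" LogLevel INFO | tr 'a-z' 'A-Z')
    [ "$pw" = no ]  || { echo "PasswordAuthentication is $pw: password fallback still offered" >&2; rc=1; }
    [ "$cr" = no ]  || { echo "ChallengeResponseAuthentication is $cr: keyboard-interactive still offered" >&2; rc=1; }
    [ "$pk" = yes ] || { echo "PubkeyAuthentication is $pk: keys cannot work at all" >&2; rc=1; }
    case "$ll" in
        VERBOSE|DEBUG*) ;;
        *) echo "LogLevel is $ll: use VERBOSE to see which key sshd rejected and why" >&2; rc=1 ;;
    esac
    return $rc
}

# Constructed sample: the permissive shape behind the thread's behaviour.
# Note the Match block: a setting inside it does not change the global value.
write_weak_config() {
    cat > "$1" <<'EOF'
# sshd_config (constructed sample, permissive)
Port 22
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
# PasswordAuthentication and ChallengeResponseAuthentication left at default (yes)
Match Address 10.0.0.0/8
    PasswordAuthentication no
EOF
}

# Constructed sample: same server accepting keys only, logging verbosely.
write_hardened_config() {
    cat > "$1" <<'EOF'
# sshd_config (constructed sample, key-only)
Port 22
LogLevel VERBOSE
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF
}

# Walk-through when run directly.
tmp=$(mktemp -d)
write_weak_config "$tmp/weak"
write_hardened_config "$tmp/hardened"
echo "permissive config:"; audit_sshd_config "$tmp/weak" || true
echo "key-only config:";   audit_sshd_config "$tmp/hardened" && echo "  ok: keys only, VERBOSE logging"
rm -rf "$tmp"
```

Point `audit_sshd_config` at the live `/etc/ssh/sshd_config` to get the same findings; after a change, `sshd -t` checks the syntax and the daemon must be reloaded before the new settings apply. At LogLevel VERBOSE, the reason a key was turned down (wrong file, bad permissions, no matching key) appears in the auth log the reply refers to, which is `/var/log/auth.log` or `/var/log/secure` on most Linux systems.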