LinuxQuestions.org
Old 06-08-2011, 07:50 AM   #1
kdheepan
LQ Newbie
 
Registered: Jun 2011
Posts: 1

SSH Key based authentication failure


Hi, I have generated an RSA key on server1 and appended it to the authorized_keys2 file on server and the permissions seem to be OK. Still it's prompting for a password.

SERVER1:
--------
drwx--S--- 2 owner1 group1 256 May 04 2010 .ssh

-rw-r----- 1 owner1 group1 2423 Jun 08 09:02 authorized_keys2
-rw-r--r-- 1 owner1 group1 8711 Jun 08 09:00 known_hosts
-rw-r----- 1 owner1 group1 388 Feb 15 2010 id_rsa.pub
-rw------- 1 owner1 group1 1679 Feb 12 2010 id_rsa

$ ssh -V
OpenSSH_5.4p1, OpenSSL 0.9.8m 25 Feb 2010


SERVER2:
--------
drwx--S--- 2 owner2 group2 256 Jun 08 08:42 .ssh

-rw-r----- 1 owner2 group2 388 Jun 08 08:44 authorized_keys2
-rw-r--r-- 1 owner2 group2 0 Jun 07 16:19 known_hosts
-rw------- 1 owner2 group2 887 Jun 07 16:02 id_rsa
-rw-r----- 1 owner2 group2 227 Jun 07 16:02 id_rsa.pub

>ssh -V
OpenSSH_5.0p1, OpenSSL 0.9.8h 28 May 2008

Debug Level2 output
-------------------

$ ssh -vv owner2@server2
OpenSSH_5.4p1, OpenSSL 0.9.8m 25 Feb 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Failed dlopen: /usr/krb5/lib/libkrb5.a(libkrb5.a.so): 0509-022 Cannot load module /usr/krb5/lib/libkrb5.a(libkrb5.a.so).
0509-026 System error: A file or directory in the path name does not exist.

debug1: Error loading Kerberos, disabling Kerberos auth.
debug2: ssh_connect: needpriv 0
debug1: Connecting to server2 [ip address] port 22.
debug1: Connection established.
debug1: identity file /u/ibm/owner1/.ssh/csm_rsa type -1
debug1: identity file /u/ibm/owner1/.ssh/csm_rsa-cert type -1
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug2: key_type_from_name: unknown key type '-----END'
debug1: identity file /u/ibm/owner1/.ssh/id_rsa type 1
debug1: identity file /u/ibm/owner1/.ssh/id_rsa-cert type -1
debug1: identity file /u/ibm/owner1/.ssh/id_dsa type -1
debug1: identity file /u/ibm/owner1/.ssh/id_dsa-cert type -1
debug1: identity file /u/ibm/owner1/.ssh/hmc_dsa type -1
debug1: identity file /u/ibm/owner1/.ssh/hmc_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.0
debug1: match: OpenSSH_5.0 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.4
debug2: fd 4 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v00@openssh.com,ssh-dss...00@openssh.com,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 135/256
debug2: bits set: 511/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'server2' is known and matches the RSA host key.
debug1: Found key in /u/ibm/owner1/.ssh/known_hosts:37
debug2: bits set: 494/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /u/ibm/owner1/.ssh/csm_rsa (0)
debug2: key: /u/ibm/owner1/.ssh/id_rsa (20046258)
debug2: key: /u/ibm/owner1/.ssh/id_dsa (0)
debug2: key: /u/ibm/owner1/.ssh/hmc_dsa (0)
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /u/ibm/owner1/.ssh/csm_rsa
debug1: Offering public key: /u/ibm/owner1/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Trying private key: /u/ibm/owner1/.ssh/id_dsa
debug1: Trying private key: /u/ibm/owner1/.ssh/hmc_dsa
debug2: we did not send a packet, disable method
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
owner2@server2's password:

===============================

ssh connectivity is working for owner1 from server1 to other users on server2.

The known_hosts of server1 has an entry for server2. It differs from the entries of other servers.

For all other servers, the entry looks like
<server name>, <ip address> <ssh key>

But for server2, it looks like
<server name> <ssh key>

Not sure if it is really an issue.

Could someone please help me?
 
Old 06-08-2011, 08:04 AM   #2
colucix
LQ Guru
 
Registered: Sep 2003
Location: Bologna
Distribution: CentOS 6.5 OpenSuSE 12.3
Posts: 10,509

The file authorized_keys2 is considered obsolete, since it was introduced in older versions of OpenSSH when the 1.3 and 1.5 protocols were still in use and 2.0 was not the default. Try to rename authorized_keys2 to authorized_keys and retry. The official announcement about this topic was http://marc.info/?l=openssh-unix-dev...8718416162&w=2 back in 2001.
 
Old 06-08-2011, 08:55 AM   #3
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 8,624
Blog Entries: 4

A rather-annoying characteristic of ssh is that, left to its own devices, it will start with the most-secure option available to it, and then, like the ever-helpful but otherwise clueless watchman, continue to offer less-and-less secure options (right down to "enter password," if you let it ...), happily accepting the least-secure authentication!

"Oh, I see that you don't have an XYZZY-Super-Secret Certificate. Do you have a key? No? Okay, then what's the combination? Don't have that, either? But you look like such a nice person ... that mask really looks good on you ... gee, are those real explosives? Well, then, what's the magic word? Perfect! Come right on in!!"

So, you have to not only be certain that the key-files are set up correctly, but you also have to turn off other, lesser forms of authentication.

Also, remember that SSH pays close attention to the security provisions of its key-file directories! If the directory is group- or world-readable, it will be ignored. SSH does have good logging options (if you turn them on), so, as you are working it all out, be sure to turn them all on, then watch closely what gets recorded in /var/log/something.
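
An added example, not written by anyone in this thread: a POSIX shell check for the two server-side conditions the replies point at, an account that has only the legacy authorized_keys2 file, and key paths that are group- or world-writable (which sshd's StrictModes check refuses). The function names and finding labels are hypothetical, ownership is not checked, and the mode is read from `ls -ld` so it also works where `stat` options differ.

```shell
#!/bin/sh
# Added example. audit_ssh_dir HOME_DIR prints one finding per line
# and returns 0 when nothing was found, 1 otherwise.

# True if PATH is group- or world-writable, read from the ls -ld mode
# string (column 6 = group write, column 9 = other write).
writable_by_others() {
    mode=$(ls -ld "$1" | cut -c1-10)
    [ "$(printf '%s' "$mode" | cut -c6)" = "w" ] ||
        [ "$(printf '%s' "$mode" | cut -c9)" = "w" ]
}

audit_ssh_dir() {
    home=$1
    findings=""
    # StrictModes looks at the home directory, ~/.ssh and the key file.
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        if writable_by_others "$p"; then
            findings="${findings}WRITABLE:$p
"
        fi
    done
    # Reply #2: keys that exist only under the obsolete file name.
    if [ ! -f "$home/.ssh/authorized_keys" ]; then
        if [ -f "$home/.ssh/authorized_keys2" ]; then
            findings="${findings}LEGACY_ONLY:$home/.ssh/authorized_keys2
"
        else
            findings="${findings}NO_KEYS:$home/.ssh
"
        fi
    fi
    printf '%s' "$findings"
    [ -z "$findings" ]
}
```

Run it on the target host against the account's home directory, for example `audit_ssh_dir /home/owner2` (path constructed for illustration).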
 
  

