LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 12-15-2002, 11:25 AM   #1
sitrus
Member
 
Registered: Nov 2001
Location: Finland
Distribution: Gentoo 1.4
Posts: 50

Rep: Reputation: 15
Can't connect to sshd with key authentication


I have slackware 9.0 beta with OpenSSH 3.5 server.

This is my sshd_config :

#Listen port 22
Port 22

#Only enable version 2
Protocol 2

#No direct root access
PermitRootLogin no

#Turn on RSA key authentication
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

#Disable .rhost files and normal password auth.
RhostsAuthentication no
PasswordAuthentication no
PermitEmptyPasswords no

#Allow only group users
AllowGroups users

#And 1 user
AllowUsers ********

#Add logging level
SyslogFacility AUTH
LogLevel INFO

#No X11Forwarding
X11Forwarding no

Subsystem sftp /usr/lib/misc/sftp-server

I have generated the key on the other pc with /usr/bin/ssh-keygen -t rsa, then I pasted the key from that pc's .ssh/id_rsa.pub to the server pc to ~/.ssh/authorized_keys

Now when I try to connect I get:
Permission denied (publickey,keyboard-interactive).

Help needed!

EDIT: syslog says this:
Dec 15 18:29:43 chemistry sshd[14102]: error: key_read: <long key here> failed

I have checked that the authorized_keys and rsa.pub from the other pc match!


Last edited by sitrus; 12-15-2002 at 11:34 AM.
 
Old 12-15-2002, 01:26 PM   #2
leed_25
Member
 
Registered: Jul 2002
Location: san francisco
Distribution: freebsd
Posts: 102

Rep: Reputation: 17
connect with
ssh -v

do the debugging messages help?
 
Old 12-15-2002, 01:56 PM   #3
sitrus
Member
 
Registered: Nov 2001
Location: Finland
Distribution: Gentoo 1.4
Posts: 50

Original Poster
Rep: Reputation: 15
Nothing too revealing in the verbose message. This is very mystic as the config should be ok and the permissions of the files are ok.

Is somebody able to see something odd in my sshd_config? The problem should be there, as the keys are in the right places.
 
Old 12-15-2002, 02:30 PM   #4
sitrus
Member
 
Registered: Nov 2001
Location: Finland
Distribution: Gentoo 1.4
Posts: 50

Original Poster
Rep: Reputation: 15
I made a key to my server and added it to authorized keys so I can test this with connecting to localhost:

DEBUG RESULT:

xxxxx@chemistry xxxx $ ssh -v -v -v localhost
OpenSSH_3.5p1, SSH protocols 1.5/2.0, OpenSSL 0x0090607f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/xxxx/.ssh/identity type -1
debug3: Not a RSA1 key file /home/xxxx/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: no key found
debug2: key_type_from_name: unknown key type 'Proc-Type:'
debug3: key_read: no key found
debug2: key_type_from_name: unknown key type 'DEK-Info:'
debug3: key_read: no key found
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: no key found
debug1: identity file /home/xxxx/.ssh/id_rsa type 1
debug1: identity file /home/xxxx/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.5p1
debug1: match: OpenSSH_3.5p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.5p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 128/256
debug1: bits set: 1609/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /home/xxxx/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 14
debug1: Host 'localhost' is known and matches the RSA host key.
debug1: Found key in /home/xxxx/.ssh/known_hosts:14
debug1: bits set: 1598/3191
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,keyboard-interactive
debug3: start over, passed a different list publickey,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: next auth method to try is publickey
debug1: try privkey: /home/xxxx/.ssh/identity
debug3: no such identity: /home/xxxx/.ssh/identity
debug1: try pubkey: /home/xxxx/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: authentications that can continue: publickey,keyboard-interactive
debug1: try privkey: /home/xxxx/.ssh/id_dsa
debug3: no such identity: /home/xxxx/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: next auth method to try is keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: authentications that can continue: publickey,keyboard-interactive
debug3: userauth_kbdint: disable: no info_req_seen
debug2: we did not send a packet, disable method
debug1: no more auth methods to try
Permission denied (publickey,keyboard-interactive).
debug1: Calling cleanup 0x8066d10(0x0)
 
Old 12-15-2002, 02:32 PM   #5
leed_25
Member
 
Registered: Jul 2002
Location: san francisco
Distribution: freebsd
Posts: 102

Rep: Reputation: 17
Try checking the permissions on authorized_keys. Permissions
should be read/write for the user, and not accessible by others.
 
Old 12-15-2002, 02:38 PM   #6
sitrus
Member
 
Registered: Nov 2001
Location: Finland
Distribution: Gentoo 1.4
Posts: 50

Original Poster
Rep: Reputation: 15
Permissions look fine:
-rw-r--r-- 1 xxx users 455 Dec 15 18:09 authorized_keys
 
Old 12-15-2002, 02:42 PM   #7
leed_25
Member
 
Registered: Jul 2002
Location: san francisco
Distribution: freebsd
Posts: 102

Rep: Reputation: 17
here's mine

Quote:
-rw------- 1 <user> staff 348 Feb 4 2002 authorized_keys
 
Old 12-15-2002, 02:48 PM   #8
sitrus
Member
 
Registered: Nov 2001
Location: Finland
Distribution: Gentoo 1.4
Posts: 50

Original Poster
Rep: Reputation: 15
chmod 600 ( -rw------- ) didn't help.
 
Old 12-15-2002, 03:07 PM   #9
leed_25
Member
 
Registered: Jul 2002
Location: san francisco
Distribution: freebsd
Posts: 102

Rep: Reputation: 17
Here's my output from ssh -v.


Quote:
[stkitts] $ ssh -v localhost
OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090601f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to localhost [::1] port 22.
debug1: Connection established.
debug1: identity file /home/<user>/.ssh/identity type 0
debug1: identity file /home/<user>/.ssh/id_rsa type -1
debug1: identity file /home/<user>/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.4p1
debug1: match: OpenSSH_3.4p1 pat OpenSSH*
debug1: Local version string SSH-1.5-OpenSSH_3.4p1
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug1: Host 'localhost' is known and matches the RSA1 host key.
debug1: Found key in /home/<user>/.ssh/known_hosts:7
debug1: Encryption type: 3des
debug1: Sent encrypted session key.
debug1: cipher_init: set keylen (16 -> 32)
debug1: cipher_init: set keylen (16 -> 32)
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: Trying RSA authentication with key '/home/<user>/.ssh/identity'
debug1: Received RSA challenge from server.
debug1: Sending response to host key RSA challenge.
debug1: Remote: RSA authentication accepted.
debug1: RSA authentication accepted by server.
debug1: Requesting pty.
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: fd 3 setting TCP_NODELAY
debug1: Requesting shell.
debug1: Entering interactive session.

I notice that
(1) you're using 3.5 and I'm using 3.4p1 --shouldn't be a problem
(2) you have a whole bunch of lines like this:


Quote:
debug3: Not a RSA1 key file /home/xxxx/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: no key found
debug2: key_type_from_name: unknown key type 'Proc-Type:'
debug3: key_read: no key found
debug2: key_type_from_name: unknown key type 'DEK-Info:'
debug3: key_read: no key found
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
I'm not sure what to make of this. Could your identity file or
some other file be munged? Maybe this file: /home/xxxx/.ssh/id_rsa?
 
Old 12-15-2002, 03:13 PM   #10
leed_25
Member
 
Registered: Jul 2002
Location: san francisco
Distribution: freebsd
Posts: 102

Rep: Reputation: 17
Here's another thing to try:

In your sshd_config, maybe try Protocol 2,1

see if that works.
 
Old 12-15-2002, 03:20 PM   #11
leed_25
Member
 
Registered: Jul 2002
Location: san francisco
Distribution: freebsd
Posts: 102

Rep: Reputation: 17
When you did your ssh-keygen, what did you specify for the -t option?
 
Old 12-15-2002, 03:23 PM   #12
sitrus
Member
 
Registered: Nov 2001
Location: Finland
Distribution: Gentoo 1.4
Posts: 50

Original Poster
Rep: Reputation: 15
I did rsa keys.

This WAS the config I used to have, which worked (no publickey authentication).
I'm showing this because maybe there are still some default options that I would have to turn off in order for this to work?

# $OpenBSD: sshd_config,v 1.59 2002/09/25 11:17:16 markus Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

#Port 22
Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 3600
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:
#LoginGraceTime 120
PermitRootLogin no
#StrictModes yes

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys

# rhosts authentication should not be used
#RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

#AFSTokenPassing no

# Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no

# Set this to 'yes' to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt no

#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes

#MaxStartups 10
# no default banner path
#Banner /some/path
#VerifyReverseMapping no

# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server



Maybe there are some odd defaults in the Slackware basic sshd config that I would have to specifically put to 'no'.

Last edited by sitrus; 12-15-2002 at 03:28 PM.
 
Old 12-16-2002, 09:36 AM   #13
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3607
I think leed_25 got it right, you've only got Protocol 2 enabled in sshd_config, while using RSA keys.
 
Old 12-16-2002, 10:25 AM   #14
sitrus
Member
 
Registered: Nov 2001
Location: Finland
Distribution: Gentoo 1.4
Posts: 50

Original Poster
Rep: Reputation: 15
I did dsa keys now and tried, but it did not help. RSA keys should work with ssh2 anyway as far as I know (They work in my Gentoo 1.4rc1 server). But I'm having these odd problems with the slackware pc.

So I made the new dsa key and added it to authorized_keys, but still saying the same:
Permission denied (publickey,keyboard-interactive).

EDIT: also added this line to /etc/ssh/sshd_config :
DSAAuthentication yes
but no luck still

Last edited by sitrus; 12-16-2002 at 10:53 AM.
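
An added example, not part of any post in this thread: a Python check of an authorized_keys file for two things the thread touches on, key entries that a paste has split across lines (one way to get a server-side key_read failure) and group/other write bits on the file. The function names and the sample key are constructed for illustration, and the write-bit test assumes the behaviour of sshd's StrictModes option.

```python
import base64
import os
import stat
import struct

KEY_TYPES = ("ssh-rsa", "ssh-dss")  # protocol-2 key types seen in the thread's debug log

def ssh_string(data):
    """Encode one length-prefixed field as used inside a public key blob."""
    return struct.pack(">I", len(data)) + data

def check_key_line(line):
    """Return None for a well-formed key entry, otherwise a short reason."""
    fields = line.split()
    # Options may precede the key type, so look for the first known type field.
    idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
    if idx is None:
        return "no key type field"
    if idx + 1 >= len(fields):
        return "no key blob"
    try:
        blob = base64.b64decode(fields[idx + 1], validate=True)
        pos, parts = 0, []
        while pos < len(blob):  # walk the length-prefixed fields to the end
            (n,) = struct.unpack(">I", blob[pos:pos + 4])
            if pos + 4 + n > len(blob):
                raise ValueError("field overruns blob")
            parts.append(blob[pos + 4:pos + 4 + n])
            pos += 4 + n
    except (ValueError, struct.error):
        return "blob truncated or not base64"
    if not parts or parts[0] != fields[idx].encode():
        return "type inside blob differs from declared type"
    return None

def audit(path):
    """Return (line_number, reason) problems; line 0 refers to the file itself."""
    problems = []
    if stat.S_IMODE(os.stat(path).st_mode) & 0o022:
        problems.append((0, "writable by group or others"))
    with open(path) as fh:
        for number, line in enumerate(fh, 1):
            if line.strip() and not line.lstrip().startswith("#"):
                reason = check_key_line(line)
                if reason:
                    problems.append((number, reason))
    return problems

# Constructed sample (not a real key): type, exponent 65537, 1024-bit-sized modulus.
SAMPLE_BLOB = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(b"\x00" + b"\xc3" * 128)
SAMPLE_LINE = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + " user@client"

if __name__ == "__main__":
    import sys
    for number, reason in audit(sys.argv[1]):
        print(f"line {number}: {reason}")
```

Run it with the path to an authorized_keys file; a key that was wrapped during pasting shows up as a truncated blob on one line followed by a line with no key type field.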
 
  

