Public key authentication problem
I've a problem setting up a working public key authentication between my windows machine and the linux box. I was able to get the thing working between the windows machine and a different unix server.
I'm running OpenSSH 3 on my Debian (running 2.4.18 kernel) with an sshd-server. On the Windows machine (W2K Professional) I am using SSH Secure Shell -client. Here is what I have done so far: I ran ssh-keygen2 -t dsa on the Windows machine and generated the keypair. I then added the keyname to the ....\Application Data\SSH\identification -file. The key itself is located in the ....\UserKeys\ -directory where the SSH Secure Shell -client automatically puts it. I then uploaded the id_dsa_2048_d.pub -file to the Linux box to the ~/.ssh directory. Then I ran "cat id_dsa_2048_d.pub >> authorized_keys" in the ~/.ssh -directory. The ~/.ssh/authorized_keys -file now contains the exact contents of the *.pub -file. So that should do it, right? The server configuration has PubkeyAuthentication enabled and the similar has worked with a unix server. Although in that case the server was also the "official" ssh server which used a bit different system. Anyways, here are my server configurations and other data. Perhaps you can find out something I've missed.
***** THE sshd_config *****

    # Package generated configuration file
    # See the sshd(8) manpage for defails

    # What ports, IPs and protocols we listen for
    Port 22
    Port 60022
    #Port 65022
    # Use these options to restrict which interfaces/protocols sshd will bind to
    #ListenAddress ::
    #ListenAddress 0.0.0.0
    Protocol 2
    # HostKeys for protocol version 2
    HostKey /etc/ssh/ssh_host_rsa_key
    HostKey /etc/ssh/ssh_host_dsa_key
    #Privilege Separation is turned on for security
    UsePrivilegeSeparation yes

    # ...but breaks Pam auth via kbdint, so we have to turn it off
    # Use PAM authentication via keyboard-interactive so PAM modules can
    # properly interface with the user (off due to PrivSep)
    PAMAuthenticationViaKbdInt no
    # Lifetime and size of ephemeral version 1 server key
    KeyRegenerationInterval 3600
    ServerKeyBits 768

    # Logging
    SyslogFacility AUTH
    LogLevel INFO

    # Authentication:
    LoginGraceTime 600
    PermitRootLogin yes
    StrictModes yes

    RSAAuthentication yes
    PubkeyAuthentication yes
    #AuthorizedKeysFile %h/.ssh/authorized_keys

    # rhosts authentication should not be used
    RhostsAuthentication no
    # Don't read the user's ~/.rhosts and ~/.shosts files
    IgnoreRhosts yes
    # For this to work you will also need host keys in /etc/ssh_known_hosts
    RhostsRSAAuthentication no
    # similar for protocol version 2
    HostbasedAuthentication no
    # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
    #IgnoreUserKnownHosts yes

    # To enable empty passwords, change to yes (NOT RECOMMENDED)
    PermitEmptyPasswords no

    # Uncomment to disable s/key passwords
    #ChallengeResponseAuthentication no

    # To disable tunneled clear text passwords, change to no here!
    PasswordAuthentication yes

    # To change Kerberos options
    #KerberosAuthentication no
    #KerberosOrLocalPasswd yes
    #AFSTokenPassing no
    #KerberosTicketCleanup no

    # Kerberos TGT Passing does only work with the AFS kaserver
    #KerberosTgtPassing yes

    X11Forwarding no
    X11DisplayOffset 10
    PrintMotd no
    #PrintLastLog no
    KeepAlive yes
    #UseLogin no

    #MaxStartups 10:30:60
    #Banner /etc/issue.net
    #ReverseMappingCheck yes

    Subsystem sftp /usr/lib/sftp-server

***** RIGHTS OF THE KEY-FILES ************

    -rw-r--r-- 1 gameon gameon 1265 Jan 1 14:55 authorized_keys
    -rw-r--r-- 1 gameon gameon 834 Dec 29 14:35 known_hosts

****** DEBUG FROM THE ssh-command. I've highlighted some noteworthy lines. I can't decipher them anyhow. ************

    debug: Connecting to babylon, port 22... (SOCKS not used)
    debug: Ssh2/ssh2.c:2297: Entering event loop.
    debug: Ssh2Client/sshclient.c:1421: Creating transport protocol.
    debug: SshAuthMethodClient/sshauthmethodc.c:85: Added "publickey" to usable methods.
    debug: SshAuthMethodClient/sshauthmethodc.c:85: Added "password" to usable methods.
    debug: Ssh2Client/sshclient.c:1462: Creating userauth protocol.
    debug: client supports 2 auth methods: 'publickey,password'
    debug: Ssh2Common/sshcommon.c:530: local ip = 192.168.0.2, local port=1732
    debug: Ssh2Common/sshcommon.c:532: remote ip = 192.168.0.1, remote port = 22
    debug: SshConnection/sshconn.c:1945: Wrapping...
    debug: Remote version: SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3
    debug: OpenSSH: Major: 3 Minor: 4 Revision: 0
    ***debug: Ssh2Transport/trcommon.c:1518: All versions of OpenSSH handle kex guesses incorrectly.***
    debug: Ssh2Transport/trcommon.c:1901: lang s to c: `', lang c to s: `'
    debug: Ssh2Transport/trcommon.c:1967: c_to_s: cipher 3des-cbc, mac hmac-sha1, compression none
    debug: Ssh2Transport/trcommon.c:1970: s_to_c: cipher 3des-cbc, mac hmac-sha1, compression none
    debug: Remote host key found from database.
    debug: Ssh2Common/sshcommon.c:331: Received SSH_CROSS_STARTUP packet from connection protocol.
    debug: Ssh2Common/sshcommon.c:381: Received SSH_CROSS_ALGORITHMS packet from connection protocol.
    debug: server offers auth methods 'publickey,password,keyboard-interactive'.
    ***debug: SshConfig/sshconfig.c:2764: Version not found on first line, assuming configuration to be old style.***
    debug: Ssh2AuthPubKeyClient/authc-pubkey.c:1591: adding keyfile "C:/Documents and Settings/Administrator/Application Data/SSH/UserKeys/id_dsa_2048_b" to candidates
    debug: Ssh2AuthPubKeyClient/authc-pubkey.c:1591: adding keyfile "C:/Documents and Settings/Administrator/Application Data/SSH/UserKeys/id_dsa_2048_d" to candidates
    debug: server offers auth methods 'publickey,password,keyboard-interactive'.
    debug: server offers auth methods 'publickey,password,keyboard-interactive'.
    ***debug: Ssh2AuthClient/sshauthc.c:319: Method 'publickey' disabled.***
    debug: server offers auth methods 'publickey,password,keyboard-interactive'.
    debug: Ssh2AuthPasswdClient/authc-passwd.c:105: Starting password query...

And then it asks me for the password...

************

The ***b.pub -file is a second key that I use to connect to the unix-server. It works just fine so the problem really can't be on the client side, right? I hope someone can shed some light into this. Thanks for any help!
|
Check the perms on the .ssh directory. Make sure that you don't have group write permissions on the directory.
|
I checked them, but still no luck. The rights of the .ssh directory were as follows:
    drwx------ 2 gameon gameon 4096 Jan 1 23:41 .ssh

What else could there possibly be wrong here? |
Try making the perms 755 instead.
|
Still no dice... and it shouldn't need it either. I can't understand this at all.
|
Is there any way to get some kind of log messages from the openssh-server? They might be useful. I haven't found any myself.
|
Well I finally solved it. How stupid can this thing get, really?
The problem was that the SSH Secure Shell -client generated a public key file which is completely incompatible with the OpenSSH -server as such. The key I generated with the SSH client contained several lines of comments and other data which were not accepted by the OpenSSH -server. I had to remove ALL those lines, leaving only the actual key remaining in the file. In addition to that, I had to add the string "ssh-dss" to the beginning of the key and then remove all the line breaks that were generated on the Windows side. So in the end I had a file that had one large line with "ssh-dss" at the beginning, a whitespace and then the actual key in one large block. Then I just appended the whole deal to the authorized_keys -file. Worked like a charm on the first try. |
Well it seems I could've done it much easier with ssh-keygen on the openssh-side...
*sigh* All that work, and for what? Well, you live and learn. |
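
The manual conversion described in the last two posts, written out as an added example (not part of the original thread): it strips the SSH2-format markers and header lines, joins the wrapped base64, and emits a single authorized_keys line. It goes slightly beyond the ssh-dss case by reading the algorithm name from the key blob itself. The function names are hypothetical and the sample key is constructed filler, not a usable key.

```python
import base64
import struct

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"

def ssh2_to_openssh(text, comment=""):
    """Turn an SSH2-format public key file into one authorized_keys line."""
    lines = [ln.strip() for ln in text.replace("\r\n", "\n").split("\n")]
    try:
        body = lines[lines.index(BEGIN) + 1 : lines.index(END)]
    except ValueError:
        raise ValueError("missing BEGIN/END SSH2 PUBLIC KEY markers") from None
    b64, in_header = [], False
    for ln in body:
        if in_header or ":" in ln:
            # Header line (Comment:, Subject:, ...) or its "\"-continued tail.
            in_header = ln.endswith("\\")
        elif ln:
            b64.append(ln)
    blob = base64.b64decode("".join(b64), validate=True)
    # The blob begins with a length-prefixed algorithm name. Read it rather
    # than assuming "ssh-dss", so an RSA key gets the right prefix too.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if n == 0 or 4 + n > len(blob):
        raise ValueError("bad algorithm-name length in key blob")
    algo = blob[4 : 4 + n].decode("ascii")
    line = algo + " " + base64.b64encode(blob).decode("ascii")
    return line + (" " + comment if comment else "")

def _ssh_string(data):
    return struct.pack(">I", len(data)) + data

def make_sample():
    """Constructed SSH2-style file with CRLF endings; filler, not a usable key."""
    blob = _ssh_string(b"ssh-dss") + b"".join(
        _ssh_string(bytes([i]) * 40) for i in (1, 2, 3, 4))
    b64 = base64.b64encode(blob).decode("ascii")
    wrapped = [b64[i : i + 70] for i in range(0, len(b64), 70)]
    header = ['Comment: "[2048-bit dsa, constructed sample]"']
    return "\r\n".join([BEGIN] + header + wrapped + [END, ""])

if __name__ == "__main__":
    print(ssh2_to_openssh(make_sample(), "constructed-sample"))
```

On the OpenSSH side, `ssh-keygen -i -f <file>` performs the same import and prints the one-line form.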