LinuxQuestions.org - Linux - Security
Public key authentication problem (https://www.linuxquestions.org/questions/linux-security-4/public-key-authentication-problem-130524/)

Gameon 01-01-2004 07:17 AM

Public key authentication problem
 
I have a problem setting up working public key authentication between my Windows machine and the Linux box. I was able to get the same thing working between the Windows machine and a different Unix server.

I'm running OpenSSH 3 on my Debian box (2.4.18 kernel) with an sshd server. On the Windows machine (W2K Professional) I am using the SSH Secure Shell client.

Here is what I have done so far:

I ran ssh-keygen2 -t dsa on the Windows machine and generated the key pair. I then added the key name to the ....\Application Data\SSH\identification file. The key itself is located in the ....\UserKeys\ directory, where the SSH Secure Shell client automatically puts it. I then uploaded the id_dsa_2048_d.pub file to the ~/.ssh directory on the Linux box. Then I ran "cat id_dsa_2048_d.pub >> authorized_keys" in the ~/.ssh directory. The ~/.ssh/authorized_keys file now contains the exact contents of the *.pub file.

So that should do it, right? The server configuration has PubkeyAuthentication enabled, and the same setup has worked with a Unix server, although in that case the server was also the "official" SSH server, which used a slightly different system.

Anyway, here are my server configuration and other data. Perhaps you can spot something I've missed.

***** THE sshd_config *****

# Package generated configuration file
# See the sshd(8) manpage for details

# What ports, IPs and protocols we listen for
Port 22
Port 60022
#Port 65022
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# ...but breaks Pam auth via kbdint, so we have to turn it off
# Use PAM authentication via keyboard-interactive so PAM modules can
# properly interface with the user (off due to PrivSep)
PAMAuthenticationViaKbdInt no
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 600
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys

# rhosts authentication should not be used
RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Uncomment to disable s/key passwords
#ChallengeResponseAuthentication no

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes


# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no

# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes

X11Forwarding no
X11DisplayOffset 10
PrintMotd no
#PrintLastLog no
KeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net
#ReverseMappingCheck yes

Subsystem sftp /usr/lib/sftp-server

***** RIGHTS OF THE KEY FILES *****

-rw-r--r-- 1 gameon gameon 1265 Jan 1 14:55 authorized_keys
-rw-r--r-- 1 gameon gameon 834 Dec 29 14:35 known_hosts

***** DEBUG FROM THE ssh COMMAND. I've highlighted some noteworthy lines; I can't decipher them anyhow. *****

debug: Connecting to babylon, port 22... (SOCKS not used)
debug: Ssh2/ssh2.c:2297: Entering event loop.
debug: Ssh2Client/sshclient.c:1421: Creating transport protocol.
debug: SshAuthMethodClient/sshauthmethodc.c:85: Added "publickey" to usable methods.
debug: SshAuthMethodClient/sshauthmethodc.c:85: Added "password" to usable methods.
debug: Ssh2Client/sshclient.c:1462: Creating userauth protocol.
debug: client supports 2 auth methods: 'publickey,password'
debug: Ssh2Common/sshcommon.c:530: local ip = 192.168.0.2, local port=1732
debug: Ssh2Common/sshcommon.c:532: remote ip = 192.168.0.1, remote port = 22
debug: SshConnection/sshconn.c:1945: Wrapping...
debug: Remote version: SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3
debug: OpenSSH: Major: 3 Minor: 4 Revision: 0
***debug: Ssh2Transport/trcommon.c:1518: All versions of OpenSSH handle kex guesses incorrectly.***
debug: Ssh2Transport/trcommon.c:1901: lang s to c: `', lang c to s: `'
debug: Ssh2Transport/trcommon.c:1967: c_to_s: cipher 3des-cbc, mac hmac-sha1, compression none
debug: Ssh2Transport/trcommon.c:1970: s_to_c: cipher 3des-cbc, mac hmac-sha1, compression none
debug: Remote host key found from database.
debug: Ssh2Common/sshcommon.c:331: Received SSH_CROSS_STARTUP packet from connection protocol.
debug: Ssh2Common/sshcommon.c:381: Received SSH_CROSS_ALGORITHMS packet from connection protocol.
debug: server offers auth methods 'publickey,password,keyboard-interactive'.
***debug: SshConfig/sshconfig.c:2764: Version not found on first line, assuming configuration to be old style.***
debug: Ssh2AuthPubKeyClient/authc-pubkey.c:1591: adding keyfile "C:/Documents and Settings/Administrator/Application Data/SSH/UserKeys/id_dsa_2048_b" to candidates
debug: Ssh2AuthPubKeyClient/authc-pubkey.c:1591: adding keyfile "C:/Documents and Settings/Administrator/Application Data/SSH/UserKeys/id_dsa_2048_d" to candidates
debug: server offers auth methods 'publickey,password,keyboard-interactive'.
debug: server offers auth methods 'publickey,password,keyboard-interactive'.
***debug: Ssh2AuthClient/sshauthc.c:319: Method 'publickey' disabled.***
debug: server offers auth methods 'publickey,password,keyboard-interactive'.
debug: Ssh2AuthPasswdClient/authc-passwd.c:105: Starting password query...
And then it asks me for the password...

************

The ***b.pub file is a second key that I use to connect to the Unix server. It works just fine, so the problem really can't be on the client side, right?

I hope someone can shed some light into this. Thanks for any help!

stickman 01-01-2004 03:25 PM

Check the perms on the .ssh directory. Make sure that you don't have group write permissions on the directory.

Gameon 01-01-2004 03:44 PM

I checked them, but still no luck. The permissions of the .ssh directory were as follows:

drwx------ 2 gameon gameon 4096 Jan 1 23:41 .ssh

What else could there possibly be wrong here?

stickman 01-01-2004 04:14 PM

Try making the perms 755 instead.

Gameon 01-01-2004 05:30 PM

Still no dice... and it shouldn't need that either. I can't understand this at all.

Gameon 01-01-2004 05:30 PM

Is there any way to get some kind of log messages from the OpenSSH server? They might be useful. I haven't found any myself.

Gameon 01-02-2004 06:27 AM

Well, I finally solved it. How stupid can this thing get, really?

The problem was that the SSH Secure Shell client generated a public key file which is completely incompatible with the OpenSSH server as such.

The key I generated with the SSH client contained several lines of comments and other data which were not accepted by the OpenSSH server. I had to remove ALL those lines, leaving only the actual key in the file. In addition to that, I had to add the string "ssh-dss" to the beginning of the key and then remove all the line breaks that were generated on the Windows side. So in the end I had a file with one long line: "ssh-dss" at the beginning, a space, and then the actual key in one big block. Then I just appended the whole thing to the authorized_keys file. Worked like a charm on the first try.

Gameon 01-02-2004 06:33 AM

Well, it seems I could've done it much more easily with ssh-keygen on the OpenSSH side...

*sigh* All that work, and for what? Well, you live and learn.
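The conversion described in the two posts above (drop the SSH2 header, comment and footer lines, join the wrapped base64, put the key type in front) as an added example; this is not code from the thread or from either SSH implementation. The script parses the RFC 4716 "---- BEGIN SSH2 PUBLIC KEY ----" format the SSH Secure Shell client writes and emits the one-line form that OpenSSH's authorized_keys expects. The key type is read out of the decoded blob, whose first field is the length-prefixed type string, rather than guessed; that is the "ssh-dss" the original poster had to type in by hand. The sample key file the script builds is constructed from dummy integers and is not a real DSA key (it only has the right wire shape), and the `from="192.168.0.2"` option, the file name and the function names are the example's own assumptions.

```python
"""Convert an SSH2 / RFC 4716 public key file into an OpenSSH
authorized_keys line: "<key-type> <base64 blob> [comment]".

Added example, not code from the thread.  The sample key built by
make_sample_ssh2_file() uses dummy numbers and is NOT a real DSA key.
"""
import base64
import struct

BEGIN_MARK = "---- BEGIN SSH2 PUBLIC KEY ----"
END_MARK = "---- END SSH2 PUBLIC KEY ----"


def parse_rfc4716(text):
    """Return (headers, blob) from an RFC 4716 public key file.

    Header lines look like 'Tag: value' and continue onto the next line
    when they end with a backslash; every other line between the markers
    is base64 body.  Base64 never contains ':', so that is a safe test.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0] != BEGIN_MARK or lines[-1] != END_MARK:
        raise ValueError("not an SSH2/RFC 4716 public key file")
    headers, body = {}, []
    i = 1
    while i < len(lines) - 1:
        line = lines[i]
        if ":" in line:
            while line.endswith("\\") and i + 1 < len(lines) - 1:
                i += 1
                line = line[:-1] + lines[i]
            tag, _, value = line.partition(":")
            headers[tag.strip()] = value.strip()
        else:
            body.append(line)
        i += 1
    try:
        blob = base64.b64decode("".join(body), validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError
        raise ValueError("key body is not valid base64") from exc
    return headers, blob


def key_type(blob):
    """Read the leading length-prefixed type string of a key blob ('ssh-dss').

    The SSH2 file never states the type outside the blob, but OpenSSH
    requires it as the first field of the authorized_keys line.
    """
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if n == 0 or n > 64 or 4 + n > len(blob):
        raise ValueError("malformed key blob: bad type-string length")
    ktype = blob[4:4 + n]
    if not all(0x21 <= c <= 0x7E for c in ktype):
        raise ValueError("malformed key blob: type is not printable ASCII")
    return ktype.decode("ascii")


def to_authorized_keys_line(text, options=None):
    """Build one authorized_keys line; `options` is an optional OpenSSH
    options prefix such as 'from="192.168.0.2"' (hypothetical value)."""
    headers, blob = parse_rfc4716(text)
    fields = []
    if options:
        if any(ch.isspace() for ch in options):
            raise ValueError("options must not contain whitespace")
        fields.append(options)
    fields.append(key_type(blob))
    fields.append(base64.b64encode(blob).decode("ascii"))
    comment = headers.get("Comment", "").strip().strip('"')
    if comment:
        fields.append(comment)
    return " ".join(fields)  # a single line, no wrapping


def _ssh_string(data):
    return struct.pack(">I", len(data)) + data


def _mpint(n):
    # SSH mpint: big-endian, with a leading 0x00 when the top bit is set
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def make_sample_ssh2_file():
    """Constructed sample in the SSH Secure Shell client's format.
    The four mpints (p, q, g, y) are dummy values, not a usable key."""
    blob = (_ssh_string(b"ssh-dss")
            + _mpint((1 << 1023) | 0x1234567)
            + _mpint((1 << 159) | 0x89AB)
            + _mpint((1 << 1022) | 0xCDEF)
            + _mpint((1 << 1023) | 0x42))
    b64 = base64.b64encode(blob).decode("ascii")
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    header = ('Comment: "2048-bit dsa, gameon@windows, Thu Jan 01 2004 \\\n'
              '14:55:00 +0200"')
    return "\n".join([BEGIN_MARK, header, body, END_MARK]) + "\n"


if __name__ == "__main__":
    print(to_authorized_keys_line(make_sample_ssh2_file(),
                                  options='from="192.168.0.2"'))
```

On the OpenSSH side the same import is `ssh-keygen -i -f id_dsa_2048_d.pub >> ~/.ssh/authorized_keys`, which is the shortcut the last post refers to; diffing its output against the script's line is a quick check that the conversion is right. With `StrictModes yes` in the posted config, keep `~/.ssh` at 700 and make sure neither the home directory nor `authorized_keys` is group- or world-writable. For the server-side log the thread asked about, the posted `SyslogFacility AUTH` / `LogLevel INFO` sends sshd's messages to the auth facility (`/var/log/auth.log` on Debian); raising `LogLevel` to `DEBUG`, or running a second instance in the foreground on a spare port with `sshd -d -p 2222`, prints exactly which key it tried and why it was rejected.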
