Old 01-01-2004, 07:17 AM   #1
Gameon
Member
 
Registered: Jan 2002
Location: Kuopio, Finland
Distribution: Debian
Posts: 37

Rep: Reputation: 15
Public key authentication problem


I've a problem setting up a working public key authentication between my windows machine and the linux box. I was able to get the thing working between the windows machine and a different unix server.

I'm running OpenSSH 3 on my Debian (running 2.4.18 kernel) with an sshd-server. On the windows machine (W2K Professional) I am using SSH Secure Shell -client.

Here is what I have done so far:

I ran ssh-keygen2 -t dsa on the windows machine and generated the keypair. I then added the keyname to the ....\Application Data\SSH\identification -file. The key itself is located in the ....\UserKeys\ -directory where the SSH Secure Shell -client automatically puts it. I then uploaded the id_dsa_2048_d.pub -file to the linux box to the ~/.ssh directory. Then I ran "cat id_dsa_2048_d.pub >> authorized_keys" in the ~/.ssh -directory. The ~/.ssh/authorized_keys -file now contains the exact contents of the *.pub -file.

So that should do it, right? The server configuration has PubkeyAuthentication enabled and a similar setup has worked with a unix server. Although in that case the server was also the "official" ssh server which used a bit different system.

Anyways, here are my server configurations and other data. Perhaps you can find out something I've missed.

***** THE sshd_config *****

# Package generated configuration file
# See the sshd(8) manpage for defails

# What ports, IPs and protocols we listen for
Port 22
Port 60022
#Port 65022
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# ...but breaks Pam auth via kbdint, so we have to turn it off
# Use PAM authentication via keyboard-interactive so PAM modules can
# properly interface with the user (off due to PrivSep)
PAMAuthenticationViaKbdInt no
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 600
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys

# rhosts authentication should not be used
RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Uncomment to disable s/key passwords
#ChallengeResponseAuthentication no

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes


# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no

# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes

X11Forwarding no
X11DisplayOffset 10
PrintMotd no
#PrintLastLog no
KeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net
#ReverseMappingCheck yes

Subsystem sftp /usr/lib/sftp-server

***** RIGHTS OF THE KEY-FILES************

-rw-r--r-- 1 gameon gameon 1265 Jan 1 14:55 authorized_keys
-rw-r--r-- 1 gameon gameon 834 Dec 29 14:35 known_hosts

******DEBUG FROM THE ssh-command. I've highlighted some noteworthy lines. I can't decipher them anyhow. ************

debug: Connecting to babylon, port 22... (SOCKS not used)
debug: Ssh2/ssh2.c:2297: Entering event loop.
debug: Ssh2Client/sshclient.c:1421: Creating transport protocol.
debug: SshAuthMethodClient/sshauthmethodc.c:85: Added "publickey" to usable methods.
debug: SshAuthMethodClient/sshauthmethodc.c:85: Added "password" to usable methods.
debug: Ssh2Client/sshclient.c:1462: Creating userauth protocol.
debug: client supports 2 auth methods: 'publickey,password'
debug: Ssh2Common/sshcommon.c:530: local ip = 192.168.0.2, local port=1732
debug: Ssh2Common/sshcommon.c:532: remote ip = 192.168.0.1, remote port = 22
debug: SshConnection/sshconn.c:1945: Wrapping...
debug: Remote version: SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3
debug: OpenSSH: Major: 3 Minor: 4 Revision: 0
***debug: Ssh2Transport/trcommon.c:1518: All versions of OpenSSH handle kex guesses incorrectly.***
debug: Ssh2Transport/trcommon.c:1901: lang s to c: `', lang c to s: `'
debug: Ssh2Transport/trcommon.c:1967: c_to_s: cipher 3des-cbc, mac hmac-sha1, compression none
debug: Ssh2Transport/trcommon.c:1970: s_to_c: cipher 3des-cbc, mac hmac-sha1, compression none
debug: Remote host key found from database.
debug: Ssh2Common/sshcommon.c:331: Received SSH_CROSS_STARTUP packet from connection protocol.
debug: Ssh2Common/sshcommon.c:381: Received SSH_CROSS_ALGORITHMS packet from connection protocol.
debug: server offers auth methods 'publickey,password,keyboard-interactive'.
***debug: SshConfig/sshconfig.c:2764: Version not found on first line, assuming configuration to be old style.***
debug: Ssh2AuthPubKeyClient/authc-pubkey.c:1591: adding keyfile "C:/Documents and Settings/Administrator/Application Data/SSH/UserKeys/id_dsa_2048_b" to candidates
debug: Ssh2AuthPubKeyClient/authc-pubkey.c:1591: adding keyfile "C:/Documents and Settings/Administrator/Application Data/SSH/UserKeys/id_dsa_2048_d" to candidates
debug: server offers auth methods 'publickey,password,keyboard-interactive'.
debug: server offers auth methods 'publickey,password,keyboard-interactive'.
***debug: Ssh2AuthClient/sshauthc.c:319: Method 'publickey' disabled.***
debug: server offers auth methods 'publickey,password,keyboard-interactive'.
debug: Ssh2AuthPasswdClient/authc-passwd.c:105: Starting password query...
And then it asks me for the password...

************

The ***b.pub -file is a second key that I use to connect to the unix-server. It works just fine so the problem really can't be on the client side, right?

I hope someone can shed some light into this. Thanks for any help!
 
Old 01-01-2004, 03:25 PM   #2
stickman
Senior Member
 
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552

Rep: Reputation: 53
Check the perms on the .ssh directory. Make sure that you don't have group write permissions on the directory.
 
Old 01-01-2004, 03:44 PM   #3
Gameon
Member
 
Registered: Jan 2002
Location: Kuopio, Finland
Distribution: Debian
Posts: 37

Original Poster
Rep: Reputation: 15
I checked them, but still no luck. The rights of the .ssh directory were as follows:

drwx------ 2 gameon gameon 4096 Jan 1 23:41 .ssh

What else could there possibly be wrong here?
 
Old 01-01-2004, 04:14 PM   #4
stickman
Senior Member
 
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552

Rep: Reputation: 53
Try making the perms 755 instead.
 
Old 01-01-2004, 05:30 PM   #5
Gameon
Member
 
Registered: Jan 2002
Location: Kuopio, Finland
Distribution: Debian
Posts: 37

Original Poster
Rep: Reputation: 15
Still no dice... and it shouldn't need it either. I can't understand this at all.
 
Old 01-01-2004, 05:30 PM   #6
Gameon
Member
 
Registered: Jan 2002
Location: Kuopio, Finland
Distribution: Debian
Posts: 37

Original Poster
Rep: Reputation: 15
Is there any way to get some kind of log messages from the openssh-server? They might be useful. I haven't found any myself.
 
Old 01-02-2004, 06:27 AM   #7
Gameon
Member
 
Registered: Jan 2002
Location: Kuopio, Finland
Distribution: Debian
Posts: 37

Original Poster
Rep: Reputation: 15
Well I finally solved it. How stupid can this thing get, really?

The problem was that the SSH Secure Shell -client generated a public key file which is completely incompatible with the OpenSSH -server as such.

The key I generated with the SSH client contained several lines of comments and other data which were not accepted by the OpenSSH -server. I had to remove ALL those lines, leaving only the actual key remaining in the file. In addition to that, I had to add the string "ssh-dss" to the beginning of the key and then remove all the line breaks that were generated on the windows side. So in the end I had a file that had one large line with "ssh-dss" at the beginning, a whitespace and then the actual key in one large block. Then I just appended the whole deal to the authorized_keys -file. Worked like a charm on the first try.
 
Old 01-02-2004, 06:33 AM   #8
Gameon
Member
 
Registered: Jan 2002
Location: Kuopio, Finland
Distribution: Debian
Posts: 37

Original Poster
Rep: Reputation: 15
Well it seems I could've done it much easier with ssh-keygen on the openssh-side...

*sigh* All that work, and for what? Well, you live and learn.
 
  

