
goober3 08-31-2008 10:20 AM

pub key authentication
I've tried everything but cannot get openssh to work with public key authentication. My server is CentOS 4.2, I'm using ssh-2 and openssh version is 5.1. Below is the output from ssh -v (I've changed the names to protect the innocent)


debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /home/john/.ssh/id_dsa
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password's password:

I've jacked up my sshd_config file to no end but here is what I currently have.


Port 5348
Protocol 2
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin no
StrictModes yes
MaxAuthTries 5

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no

# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes
#ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
#UsePAM no
#UsePAM yes

#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/
#MaxStartups 10
#ShowPatchLevel no

# no default banner path
Banner /etc/ssh/sshd-banner

# override default of no subsystems
Subsystem      sftp    /usr/libexec/openssh/sftp-server

NOTE: I currently have allow password so that I can ssh in to the server and edit the file. When I turn password off, I can't ssh in so I know that part works.

I've also set the permissions of the .ssh directory and authorized_keys file as prescribed throughout the web. But, I'm not sure who should be owner of these and the path. Currently the path is /root/.ssh/authorized_keys and the owner:group is john:john. I've also tried setting the path to same location as the openssh server but to no avail.

Any help?

P.S. I am a Linux newbie

goober3 08-31-2008 10:25 AM

additional comments
I'm using dsa and I've tried ssh-keygen as well as the Passwords and Encryption keys tool in Ubuntu 8.04. Also, when it comes time for the dsa passphrase, I am never asked.

mohdshakir 09-03-2008 11:29 PM

I guess there's nothing wrong with your sshd_config, but you might want to try the tutorial below to correctly create and transfer your key to the server:
Configure passwordless ssh login

billymayday 09-04-2008 12:40 AM

Read through this post. You will note that the problem ended up being a permissions issue of various key files as described therein.

goober3 09-06-2008 09:54 AM

I've changed my permissions but it still doesn't work. I get
rexec line 84: Unsupported option UsePAM
In my /var/log/messages on the server after I try to ssh in.

On the client side, this is what I see
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/dale/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug1: Next authentication method: password

billymayday 09-06-2008 09:17 PM

Which machine gives you the rexec error? What is the client machine telling you?

Can you show

ls -lad ~/.ssh


ls -la ~/.ssh

for both the client and server machines

goober3 09-07-2008 07:55 AM

from server
total 32
drwxr-xr-x 2 root root 4096 Sep 6 08:38 .
drwxr-x--- 20 root root 4096 Sep 7 06:47 ..
-rw-r--r-- 1 root root 398 Sep 6 08:37 authorized_keys
-rw-r--r-- 1 root root 606 Aug 29 10:27 authorized_keys2

from client
drwx------ 2 dale dale 4096 2008-09-06 14:37 .
drwxr-xr-x 60 dale dale 4096 2008-09-07 06:29 ..
-rw------- 1 dale dale 1743 2008-09-06 08:32 id_rsa
-rw-r--r-- 1 dale dale 630 2008-09-06 14:37 id_rsa.keystore
-rw-r--r-- 1 dale dale 398 2008-09-06 08:32
-rw-r--r-- 1 dale dale 540 2008-09-06 08:50 known_hosts

NOTE that now, I've tried rsa keys to work but still nothing. Also I'm not using the authorized_keys2. I'm beginning to wonder if it's not a client side issue. I have a Linksys router with DD-WRT installed and I can log on there through ssh either if I use keys. I tried generating a key serverside but that doesn't work either.
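
The ownership and permission checks discussed in this thread, as an added example that is not part of any post: with `StrictModes yes` and `AuthorizedKeysFile .ssh/authorized_keys` (both in the posted sshd_config), sshd looks for the key file under the home directory of the account being logged in to, and ignores it unless the file and each directory up to that home are owned by that account or root and are not group- or world-writable. The function names are hypothetical and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example: approximate sshd's StrictModes test for a login account.
# Assumes GNU stat (coreutils), as shipped on CentOS and Ubuntu.

# path_is_safe PATH UID -> 0 if PATH is owned by UID or root and is not
# writable by group or others; 1 otherwise (reason goes to stderr).
path_is_safe() {
    p=$1; want_uid=$2
    [ -e "$p" ] || { echo "missing: $p" >&2; return 1; }
    owner=$(stat -c %u "$p")
    mode=$(stat -c %a "$p")
    if [ "$owner" != "$want_uid" ] && [ "$owner" != 0 ]; then
        echo "bad owner (uid $owner): $p" >&2; return 1
    fi
    # Octal 022 masks the group-write and other-write bits.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "group/world writable (mode $mode): $p" >&2; return 1
    fi
    return 0
}

# check_authorized_keys HOME UID [RELPATH] -> 0 only if the key file and
# every directory from it up to HOME pass path_is_safe.
check_authorized_keys() {
    home=${1%/}; uid=$2; rel=${3:-.ssh/authorized_keys}
    cur="$home/$rel"
    rc=0
    while :; do
        path_is_safe "$cur" "$uid" || rc=1
        case $cur in "$home"|/) break ;; esac
        cur=$(dirname "$cur")
    done
    return $rc
}

# Run as root on the server: sh check.sh LOGIN_NAME
if [ "$#" -ge 1 ]; then
    user_home=$(getent passwd "$1" | cut -d: -f6)
    if check_authorized_keys "$user_home" "$(id -u "$1")"; then
        echo "OK: $user_home/.ssh/authorized_keys passes"
    else
        echo "FAIL: see messages above"
    fi
fi
```

The account name passed in is the one given to `ssh user@host`, so a key stored under a different account's home (for example `/root/.ssh`) is never consulted for that login.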
