Public key not an available authentication method
Hi folks. First time posting here so please bear with me a bit :)
I'm trying to use publickey for authentication from my red hat 8.0 server to a destination AIX 5 server. PubKeyAuthentication is enabled on the AIX server and I have already copied the public key from my red hat server to the AIX server. Normal ssh with password works fine but somehow it seems like public key is not an available authentication method for ssh from the linux server to the AIX server:
Authentications that can continue: password, keyboard-interactive
permissions on the AIX server are as follows:
$HOME 755
$HOME/.ssh 700
$HOME/.ssh/authorized_keys 600
Note: I did try to use ssh from the AIX server to itself, publickey is listed under Authentications that can continue and I am able to login automatically using publickey.
Any ideas? |
Additional info. My server is behind a NAT firewall and there are a couple of other firewalls in between these 2 servers. My red hat server is cleared uni directional to the AIX server but bidirectional. Would that affect public key authentication? Normal ssh works fine this way though.
|
Two things to check:
1) start ssh with the options -vvv to investigate the negotiation
2) double check whether $HOME/.ssh/authorized_keys has the public key on a single line |
Quote:
2) The key is fine, I used cat >> $HOME/.ssh/authorized_keys. After testing various scenarios, it is found that if I ssh from a server within the same network, publickey is displayed as an option and I can login automatically with it. If I ssh from any server from a different network, publickey is not displayed as an authentication method that can continue. So it's either some setting on the firewall or switches that might be preventing the servers from using publickey :( |
Yes, it's possible to set sshd up this way. Interesting is that we make it the opposite way here: allow only publickey from external and additionally password from internal addresses. The rationale in your case may be that the admin is concerned that some private key without a passphrase might end up in the wild. And there is no sign in the public part whether the private part has a passphrase assigned. This might be improved in ssh that when there is a passphrase set to have some flag in the public part, and it should be impossible to remove the passphrase later on. And some kind of revoke feature for keys is also missing.
Do you connect always from the same external network? Maybe setting up personal hostbased authentication could work (when hostbased authentication in general is allowed). |
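The per-source policy described in the post above (publickey only from external addresses, password additionally from internal ones), as an added example that is not part of the original thread or any poster's configuration. It assumes a current OpenSSH sshd; the address range is a constructed placeholder.

```conf
# sshd_config fragment (added example, not from the thread).
# 192.0.2.0/24 is a constructed placeholder for the "internal" network.

# Global defaults apply to every client, including external ones:
# only publickey is offered in "Authentications that can continue".
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no

# Clients whose source address is in the internal range are additionally
# offered password and keyboard-interactive.
Match Address 192.0.2.0/24
    PasswordAuthentication yes
    KbdInteractiveAuthentication yes
```

Because Match is evaluated against the address sshd sees, a client arriving through NAT or a proxy is classified by that intermediate address, not by its own. `sshd -t` checks the file for syntax errors before a reload.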
Finally got this resolved. My network admins put a ssh proxy in between the 2 networks. That was stopping the publickey authentication as the ssh proxy only allowed password and keyboard interactive methods. Thanks for the attn on this matter :)
|
Did he also disable the agent forwarding by setting "AllowAgentForwarding"? Otherwise it might work so that a password is necessary to be given for the ssh-proxy, but then you can login by publickey and the agent is answering this authentication. In case you want to get rid of the proxy when copying files: you can first open a connection to the ssh-proxy and create a tunnel by:
Code:
ssh -L 1234:final_server:22 ssh_proxy
Code:
ssh -p 1234 localhost