Solved

ssh public key authentication not working.

Posted on 2003-12-04
10
20,540 Views
Last Modified: 2013-12-04
I have accounts on three linux machine, let's call them Home, Away1 and Away2.  All the machines have SSH installed and working (that is, I can use ssh to login from one machine to the others successfully).

I want to start using public key authentication.  So on my Home machine I followd the proscribed proceedure:

home$ ssh-keygen -t dsa
home$ scp ~/.ssh/id_dsa.pub remote
home$ ssh username@away1
away1$ cat ~/id_dsa.pub >> ~/.ssh/authorized_keys
away1$ chmod 644 ~/.ssh/authorized_keys
away1$ exit
home$ ssh username@remote -

...and once I set the local environment using keychain, Away1 asked me for my public key password. Fine so far.

Then I followed the same proceedure with Away2.  But this time it didn't work--Away2 keeps asking me for the account password, not the public key password.

Away2 has a different version of ssh than Away1.  Possibly this is responsible for the problem but I haven't been able to figure it out.  Can anyone help me?

relevant info:

Versions:
===============================
home $ ssh -V
OpenSSH_3.5p1, SSH protocols 1.5/2.0, OpenSSL 0x0090701f

away1 $ ssh -V
OpenSSH_3.7.1p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7a Feb 19 2003

away2 $ ssh -V
ssh: SSH Secure Shell 2.4.0 (non-commercial version) on i686-pc-linux-gnu


Permissions on Away2 (one that doesn't work)
=================================
away2~$ ls -ld
drwx---r-x   8 me users        1024 Dec  4 12:29 ./
away2~$ ls -ld .ssh*
drwxr-xr-x   2 me users        1024 Dec  4 12:03 .ssh/
drwxr-xr-x   3 me users        1024 Dec  4 12:03 .ssh2/
away2~$ ls -l .ssh
total 2
-rw-r--r--   1 me users         218 Dec  4 13:04 authorized_keys
-rw-r--r--   1 me users         218 Dec  4 13:04 authorized_keys2
away2~$ ls -l .ssh2
total 4
-rw-r--r--   1 me users         218 Dec  4 13:04 authorized_keys
-rw-r--r--   1 me users         218 Dec  4 13:04 authorized_keys2
drwx------   2 me users        1024 Dec  4 12:00 hostkeys/
-rw-------   1 me users         512 Dec  4 12:00 random_seed


Note that I think Away2 uses .ssh2 but I created .ssh, and the authorized_keys2 files just to make sure.


Verbose output from ssh:
==============================
$ ssh -l me away2 -vvv
OpenSSH_3.5p1, SSH protocols 1.5/2.0, OpenSSL 0x0090701f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to away2.com [218.208.147.36] port 22.
debug1: Connection established.
debug1: identity file /home/me/.ssh/identity type -1
debug3: Not a RSA1 key file /home/me/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: no key found
debug2: key_type_from_name: unknown key type 'Proc-Type:'
debug3: key_read: no key found
debug2: key_type_from_name: unknown key type 'DEK-Info:'
debug3: key_read: no key found
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: no key found
debug1: identity file /home/me/.ssh/id_rsa type 1
debug3: Not a RSA1 key file /home/me/.ssh/id_dsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: no key found
debug2: key_type_from_name: unknown key type 'Proc-Type:'
debug3: key_read: no key found
debug2: key_type_from_name: unknown key type 'DEK-Info:'
debug3: key_read: no key found
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: no key found
debug1: identity file /home/me/.ssh/id_dsa type 2
debug1: Remote protocol version 1.99, remote software version 2.4.0 SSH Secure Shell (non-commercial)
debug1: match: 2.4.0 SSH Secure Shell (non-commercial) pat 2.*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.5p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-dss
debug2: kex_parse_kexinit: 3des-cbc,cast128-cbc,blowfish-cbc,twofish-cbc,arcfour,none
debug2: kex_parse_kexinit: 3des-cbc,cast128-cbc,blowfish-cbc,twofish-cbc,arcfour,none
debug2: kex_parse_kexinit: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,none
debug2: kex_parse_kexinit: hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,none
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client 3des-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server 3des-cbc hmac-md5 none
debug1: dh_gen_key: priv key bits set: 209/384
debug1: bits set: 485/1024
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug3: check_host_in_hostfile: filename /home/me/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 19
debug3: check_host_in_hostfile: filename /home/me/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 19
debug1: Host 'metafoundry.he.net' is known and matches the DSA host key.
debug1: Found key in /home/me/.ssh/known_hosts:19
debug1: bits set: 545/1024
debug1: ssh_dss_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: next auth method to try is publickey
debug1: userauth_pubkey_agent: testing agent key /home/me/.ssh/id_dsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: authentications that can continue: publickey,password
debug3: clear_auth_state: key_free 0x8090b90
debug1: userauth_pubkey_agent: testing agent key /home/me/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: authentications that can continue: publickey,password
debug3: clear_auth_state: key_free 0x8091198
debug2: userauth_pubkey_agent: no more keys
debug2: userauth_pubkey_agent: no message sent
debug1: try privkey: /home/me/.ssh/identity
debug3: no such identity: /home/me/.ssh/identity
debug1: try pubkey: /home/me/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: authentications that can continue: publickey,password
debug2: userauth_pubkey_agent: no more keys
debug2: userauth_pubkey_agent: no message sent
debug1: try pubkey: /home/me/.ssh/id_dsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: authentications that can continue: publickey,password
debug2: userauth_pubkey_agent: no more keys
debug2: userauth_pubkey_agent: no message sent
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: next auth method to try is password
me@away2.com's password:




0
Comment
Question by:glorpo2
  • 4
  • 2
  • 2
  • +2
10 Comments
 
LVL 40

Expert Comment

by:jlevie
ID: 9880339
It's not working on away2 because it uses a very different SSH server. I believe it can interoperate with OpenSSH, but you need to find out how to set it up for public key authentication at http://www.ssh.com/
0
 

Author Comment

by:glorpo2
ID: 9880431
>It's not working on away2 because it uses a very different SSH server. I believe it can
>interoperate with OpenSSH, but you need to find out how to set it up for public key
>authentication at http://www.ssh.com/

jlevie, where on the ssh.com site does it explain how to interoperate with OpenSSH and specifically how to get my system working?
0
 
LVL 62

Expert Comment

by:gheist
ID: 9881490
chmod go-rwx ~/.ssh
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 62

Expert Comment

by:gheist
ID: 9881649
Few differences.
...
debug1: identity file /home/me/.ssh/identity type 0
...
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 111 lastkey 0x11111 hint -1


0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 9882221
chmod 700 ~/.ssh  # on both ends
ssh -2 -v me@away2
0
 

Author Comment

by:glorpo2
ID: 9882355
Hi,  thanks for the attempts to help.  I do appreciate it.

I chmoded .ssh (& .ssh2) to 700 on away2 (it was already that way on home machine).  No dice, same result.

Tried adding the -2 flag to ssh, that didn't help either.

Any more ideas?

0
 

Author Comment

by:glorpo2
ID: 9884152
OK, I figured out the problem.  There were a couple of things wrong.

The ssh on the Away2 machine is SSH2 from ssh.com, not openssh.  We knew that

SSH2 requires that the dsa public key be in a different format than openssh.  So I created an SSH2 dsa compatible pub. key on my Home machine from my dsa private key, like this:

home$ ssh-keygen -x -f id_dsa > ssh2.dsa.pub

The new file ssh2.dsa.pub was in a format that SSH2 (from ssh.com) could understand.

The second problem was that SSH2 uses different filenames to keep track of keys than openssh does.  Here's how I had to set it up:

home$ scp ssh2.dsa.pub me@away.com:~/.ssh2/rt_dsa.pub
   (then, on the away2 machine:)
away2$ echo "Key rt_dsa.pub" > ~/.ssh2/authorization

Now everything works right!!

Since I solved the problem myself I guess I just keep the points for another question.  Thanks, hope this post might be helpful to someone else in the future.




0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 9888326
Ask support at experts-exchange.com to make this a 0 points PAQ and points refunded for you.
0
 

Author Comment

by:glorpo2
ID: 9889049
Thank you, I made the request for a points refund and will use them on other questions.
0
 

Accepted Solution

by:
modulo earned 0 total points
ID: 9889246
As requested in:
http://www.experts-exchange.com/Community_Support/Q_20818350.html

Paq'd and 125 points refunded.

modulo

Community Support Moderator
Experts Exchange
0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Our Group Policy work started with Small Business Server in 2000. Microsoft gave us an excellent OU and GPO model in subsequent SBS editions that utilized WMI filters, OU linking, and VBS scripts. These are some of experiences plus our spending a lo…
Container Orchestration platforms empower organizations to scale their apps at an exceptional rate. This is the reason numerous innovation-driven companies are moving apps to an appropriated datacenter wide platform that empowers them to scale at a …
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
I've attached the XLSM Excel spreadsheet I used in the video and also text files containing the macros used below. https://filedb.experts-exchange.com/incoming/2017/03_w12/1151775/Permutations.txt https://filedb.experts-exchange.com/incoming/201…

713 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question