  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 59303

ssh -- Permission denied (publickey,keyboard-interactive).

This ssh message is my problem.  I cannot connect to the box remotely.  I checked the following files to ensure my files are properly configured but I still have the same problem.  Do I have a file permissions problem?  I have no idea what else to do.

# ssh -p 2222 mytesthost
Permission denied (publickey,keyboard-interactive).


Okay, the files for ssh are currently as follows:

# cd /usr/local/etc
# more sshd_config
# more ssh_config
#       $OpenBSD: ssh_config,v 1.10 2001/04/03 21:19:38 todd Exp $

# This is ssh client systemwide configuration file.  See ssh(1) for more
# information.  This file provides defaults for users, and the values can
# be changed in per-user configuration files or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for various options

# Host *
#   ForwardAgent no
   ForwardX11 no
   RhostsAuthentication no
#   RhostsRSAAuthentication yes
   RSAAuthentication yes
   PasswordAuthentication yes
   FallBackToRsh no
   UseRsh no
#   BatchMode no
#   CheckHostIP yes
   StrictHostKeyChecking yes
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_dsa
#   IdentityFile ~/.ssh/id_rsa
   Port 22
   Protocol 2
#   Cipher blowfish
#   EscapeChar ~

_____________________________

# cd /usr/local/etc
# ls
# more sshd_config
#       $OpenBSD: sshd_config,v 1.42 2001/09/20 20:57:51 mouring Exp $

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin

# This is the sshd server system-wide configuration file.  See sshd(8)
# for more information.

Port 22
Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
HostKey /usr/local/etc/ssh_host_key
# HostKeys for protocol version 2
HostKey /usr/local/etc/ssh_host_rsa_key
HostKey /usr/local/etc/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO
#obsoletes QuietMode and FascistLogging

# Authentication:

LoginGraceTime 600
PermitRootLogin no
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile     %h/.ssh/authorized_keys

# rhosts authentication should not be used
#RhostsAuthentication no
# For this to work you will also need host keys in /usr/local/etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
PermitEmptyPasswords no

# Uncomment to disable s/key passwords
#ChallengeResponseAuthentication no

# Uncomment to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt yes

# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no

# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes

X11Forwarding no
X11DisplayOffset 10
PrintMotd yes
#PrintLastLog no
KeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net
#ReverseMappingCheck yes

#Subsystem      sftp    /usr/local/libexec/sftp-server
0
Asked: nlopezzapa07
1 Solution
 
liddler Commented:
Generally speaking, it is permissions on your .ssh in your home directory that is the problem; it should not be group or other writable.
The best way to find out more detail is to stop your ssh daemon on your server, and then run it in debug mode
sshd -d
(you will have to restart it each time you test, as debug won't run as a daemon)
and run the client in verbose mode
ssh -v -v mytesthost
and look at the errors
0
 
nlopezzapa07 Author Commented:
# ssh -v -v server
OpenSSH_3.7.1p2, SSH protocols 1.5/2.0, OpenSSL 0.9.7d 17 Mar 2004
debug1: Reading configuration data //.ssh/config
debug1: Reading configuration data /usr/local/etc/ssh_config
debug1: /usr/local/etc/ssh_config line 20: Deprecated option "RhostsAuthentication"
debug1: /usr/local/etc/ssh_config line 24: Deprecated option "FallBackToRsh"
debug1: /usr/local/etc/ssh_config line 25: Deprecated option "UseRsh"
debug2: ssh_connect: needpriv 0
debug1: Connecting to mcuspndlsn06 [158.238.243.106] port 22.
debug1: Connection established.
debug1: identity file /.ssh/id_rsa type -1
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug2: key_type_from_name: unknown key type '-----END'
debug1: identity file /.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.7.1p2
debug1: match: OpenSSH_3.7.1p2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.7.1p2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 123/256
debug2: bits set: 1596/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'mcuspndlsn06' is known and matches the RSA host key.
debug1: Found key in /.ssh/known_hosts:130
debug2: bits set: 1570/3191
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /.ssh/id_rsa (0)
debug2: key: /.ssh/id_dsa (64c98)
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /.ssh/id_rsa
debug1: Offering public key: /.ssh/id_dsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,keyboard-interactive
debug2: we did not send a packet, disable method
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: Authentications that can continue: publickey,keyboard-interactive
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey,keyboard-interactive).
debug1: Calling cleanup 0x2d2e4(0x0)


Here is the printout from the server.  Now, with the ssh -d, I am having a problem with how to perform the command.  Which will be the exact command option to use in this case, please?

nancy
0
 
liddler Commented:
On the server you need to kill the sshd program
kill -9 `ps -ef | grep '[Ss]shd' | awk '{print $2}'`
or pkill -9 sshd
if you have pkill
then start it with
sshd -d -d
then try and ssh in from the client again and paste the output here
0
 
ahoffmann Commented:
you need to have x75x or better for $HOME
you need to have x700 for $HOME/.ssh
you need to have 600 for $HOME/.ssh/authorized_keys

some versions of ssh are really picky ...
0
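A portable way to run the permission check liddler and ahoffmann describe, as an added example that is not part of any poster's reply. With StrictModes yes, as in the sshd_config above, sshd rejects keys when $HOME, .ssh or the authorized_keys file is group- or other-writable, or owned by someone other than the user or root; the function names here are hypothetical and only POSIX find, ls and id are used.

```shell
#!/bin/sh
# Added example (not from the thread): audit the paths sshd inspects
# before it will trust a user's authorized_keys file.
# Usage (constructed values): audit_ssh_dir /home/shadows 1001

# path_is_loose PATH -> succeeds if PATH is group- or other-writable
path_is_loose() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]
}

# path_bad_owner PATH UID -> succeeds if the owner is neither UID nor root (0)
path_bad_owner() {
    [ -n "$(find "$1" -prune ! -user "$2" ! -user 0 2>/dev/null)" ]
}

# audit_ssh_dir HOME_DIR [UID]
# Prints one line per finding; the exit status is the number of findings.
# UID defaults to the caller's uid (assumption: you run it as the account
# that is trying to log in, or pass that account's uid explicitly).
audit_ssh_dir() {
    home=$1
    uid=${2:-$(id -u)}
    bad=0
    for p in "$home" "$home/.ssh" \
             "$home/.ssh/authorized_keys" "$home/.ssh/authorized_keys2"; do
        [ -e "$p" ] || continue      # either key file name may be absent
        if path_is_loose "$p"; then
            echo "LOOSE MODE: $(ls -ld "$p")"
            bad=$((bad + 1))
        fi
        if path_bad_owner "$p" "$uid"; then
            echo "BAD OWNER:  $(ls -ld "$p")"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}
```

Run it on the machine that runs sshd, against the home directory of the account being logged in to; for root with keys in /.ssh, the home directory argument is /.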
 
nlopezzapa07 Author Commented:
Now I can ssh to port 2222 but am still not able to ssh through port 22.

These are my permissions on the client:

# cd /.ssh
# ls -al
total 6
drwx------   2 root     root         512 Mar 17 04:25 .
drwxr-xr-x  24 root     root        1024 Mar 24 00:00 ..
-rwx------   1 root     root         607 Mar 17 04:25 authorized_keys2

# cd /home/shadows/.ssh
# ls -al
total 6
drwx------   2 shadows  wheel        512 Mar 17 04:42 .
drwx------   3 shadows  wheel        512 Mar 17 04:39 ..
-rw-r--r--   1 shadows  wheel        602 Mar 18 01:19 authorized_keys2

# ssh -v -v client
OpenSSH_3.7.1p2, SSH protocols 1.5/2.0, OpenSSL 0.9.7d 17 Mar 2004
debug1: Reading configuration data /usr/local/etc/ssh_config
debug1: /usr/local/etc/ssh_config line 20: Deprecated option "RhostsAuthentication"
debug1: /usr/local/etc/ssh_config line 24: Deprecated option "FallBackToRsh"
debug1: /usr/local/etc/ssh_config line 25: Deprecated option "UseRsh"
debug2: ssh_connect: needpriv 0
debug1: Connecting to client [X.X.X.X] port 22.
debug1: Connection established.
debug1: identity file /.ssh/id_rsa type -1
debug1: identity file /.ssh/id_dsa type -1
ssh_exchange_identification: Connection closed by remote host
debug1: Calling cleanup 0x2d2e4(0x0)
0
 
liddler Commented:
what is the output of
sshd -d -d
running on the server?
0
 
nlopezzapa07 Author Commented:
Guys,

Is the sshd -d -d missing anything?  I am trying to get this and the result is asking me for:

# ssh -d -d server
ssh: illegal option -- d
Usage: ssh [options] host [command]
Options:
  -l user     Log in using this user name.
  -n          Redirect input from /dev/null.
  -F config   Config file (default: ~/.ssh/config).
  -A          Enable authentication agent forwarding.
  -a          Disable authentication agent forwarding (default).
  -X          Enable X11 connection forwarding.
  -x          Disable X11 connection forwarding (default).
  -i file     Identity for public key authentication (default: ~/.ssh/identity)
  -t          Tty; allocate a tty even if command is given.
  -T          Do not allocate a tty.
  -v          Verbose; display verbose debugging messages.
              Multiple -v increases verbosity.
  -V          Display version number only.
  -q          Quiet; don't display any warning messages.
  -f          Fork into background after authentication.
  -e char     Set escape character; ``none'' = disable (default: ~).
  -c cipher   Select encryption algorithm
  -m macs     Specify MAC algorithms for protocol version 2.
  -p port     Connect to this port.  Server must be on the same port.
  -L listen-port:host:port   Forward local port to remote address
  -R listen-port:host:port   Forward remote port to local address
              These cause ssh to listen for connections on a port, and
              forward them to the other side by connecting to host:port.
  -D port     Enable dynamic application-level port forwarding.
  -C          Enable compression.
  -N          Do not execute a shell or command.
  -g          Allow remote hosts to connect to forwarded ports.
  -1          Force protocol version 1.
  -2          Force protocol version 2.
  -4          Use IPv4 only.
  -6          Use IPv6 only.
  -o 'option' Process the option as if it was read from a configuration file.
  -s          Invoke command (mandatory) as SSH2 subsystem.
  -b addr     Local IP address.
# sshd -d -d
sshd: not found
# sshd -d -d server
0
 
ahoffmann Commented:
> Now I can ssh to port 2222 but still not able to ssh through port 22.
this sounds like a configuration problem of sshd itself, or a firewall problem.
how about using diff to compare the sshd_config files for both servers?

I guess you have something like:
PermitRootLogin=no
RSAAuthentication=no

> -rw-r--r--   1 shadows  wheel        602 Mar 18 01:19 authorized_keys2
as I said: some sshd are picky, change to 600
0
 
liddler Commented:
sshd is not in your path
look in /usr/local/sbin
or search for it
find / -name sshd
then run
/path/to/sshd -d -d
but you must kill sshd first
0
 
ahoffmann Commented:
> but you must kill sshd first
.. not if you start it on another port ..
0
 
nlopezzapa07 Author Commented:
It makes sense that the server will be the master in a cluster, right?  Now, the baby is the client, right?  Well, I need to clarify that because many people around me are confused about the way the cluster I maintain is built.

Please, correct me if I am wrong but the Server is the one with the ssh and the client is the one with the sshd.  In the engineering books they are set like that and it confuses people.  If I am making the connection from the server to the client I should have the authorized_keys2 file in the server and the client.  The authorized_keys should be different for each user to make the ssh authentication.  For example:

Client Should have the following configured:
sshd
authorized_keys2 for root and admin user
/home/root/.ssh/authorized_keys2
/.ssh/authorized_keys2
and the permission set up properly

Server
/home/root/.ssh/authorized_keys2
/.ssh/authorized_keys2
and the permission set up properly

 




 
0
 
ahoffmann Commented:
> correct me if I am wrong but the Server is the one with the ssh and the client is the one with the sshd
hmm, strange view, I guess not common but unusual
0
 
liddler Commented:
nlopezzapa07
So what was the problem?

ahoffmann
Never thought about using other ports!  Always had to re-enable telnet while I debugged. Thanks!
0
 
ahoffmann Commented:
nlopezzapa07, could you please explain your grading.
Did the graded answer solve your problem?
0
