sshd public key authentication fails

MickKi
Posts: 6
Joined: 2008/11/30 21:37:11

sshd public key authentication fails

Post by MickKi » 2008/11/30 22:24:31

Hi All,

I am trying to login to a server running Centos4 and OpenSSH 3.9p1-11.el4_7. The user .ssh directory and authorized_key file permissions are 700 and 600 respectively. I have allowed ChallengeResponseAuthentication yes in /etc/sshd_config. The server only ever offers passwd authentication. If on the client I force public key with -o PreferredAuthentications=publickey the connection fails to authenticate. Very verbose attempt reveals this:
[code]OpenSSH_5.1p1-hpn13v5, OpenSSL 0.9.8h 28 May 2008
debug1: Reading configuration data /home/michael/.ssh/config
debug1: Applying options for XXXXXXXXXXXXX.com
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to XXXXXXXXXXXX.com [XX.XXX.XXX.XXX] port 22.
debug2: fd 3 setting O_NONBLOCK
debug1: fd 3 clearing O_NONBLOCK
debug1: Connection established.
debug3: timeout: 14828 ms remain after connect
debug3: Not a RSA1 key file /home/michael/.ssh/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'Proc-Type:'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'DEK-Info:'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
. . .
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/michael/.ssh/.ssh/id_rsa type 1
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.9p1
debug1: match: OpenSSH_3.9p1 pat OpenSSH_3.*
debug1: Remote is NON-HPN aware
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1p1-hpn13v5
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: AUTH STATE IS 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: zlib@openssh.com,zlib,none
debug2: kex_parse_kexinit: zlib@openssh.com,zlib,none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: REQUESTED ENC.NAME is 'aes128-cbc'
debug1: kex: server->client aes128-cbc hmac-md5 zlib
debug2: mac_setup: found hmac-md5
debug1: REQUESTED ENC.NAME is 'aes128-cbc'
debug1: kex: client->server aes128-cbc hmac-md5 zlib
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 127/256
debug2: bits set: 506/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: put_host_port: [XX.XXX.XXX.XXX]:22
debug3: put_host_port: [XXXXXXXXXXX.com]:22
debug3: check_host_in_hostfile: filename /home/michael/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 18
debug3: check_host_in_hostfile: filename /home/michael/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 18
debug1: Host '[XXXXXXXXXXX.com]:22' is known and matches the RSA host key.
debug1: Found key in /home/michael/.ssh/known_hosts:18
debug2: bits set: 491/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: Enabling compression at level 6.
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/michael/.ssh/id_rsa (0xXXXXXXX)
debug1: Authentications that can continue: publickey,gssapi-with-mic,password,keyboard-interactive
debug3: start over, passed a different list publickey,gssapi-with-mic,password,keyboard-interactive
debug3: preferred publickey
debug3: authmethod_lookup publickey
debug3: remaining preferred:
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-with-mic,password,keyboard-interactive).[/code]

Despite the warnings "debug3: key_read: missing keytype" and "debug3: key_read: missing whitespace" above I know my rsa private/public key pair is sound because I use it to login successfully to all sorts of different servers (Ubuntu, SuSE, FreeBSD and Gentoo).

A server log (this time without me using -o PreferredAuthentications=publickey on the client), where the client eventually logs in with passwd, is shown here [url=http://pastebin.centos.org/22705](CentOS Pastebin)[/url].

Also a colleague who is using Cygwin and Putty cannot login either with his keys. What might be the cause of this?

MickKi
Posts: 6
Joined: 2008/11/30 21:37:11

Re: sshd public key authentication fails

Post by MickKi » 2008/12/01 22:26:01

I even created a new key pair on the server and moved the private key to the client - still no success. It always drops me down to passwd authentication.

Any ideas? :-(

SSCompany
Posts: 1
Joined: 2009/03/10 14:11:04

Re: sshd public key authentication fails

Post by SSCompany » 2009/03/10 14:21:20

You can try to use [url=http://www.sysadmin.md/quick-and-dirty-ssh-public-key-authentication.html]this[/url] guide to set up public key authentication.

michaelnel
Posts: 1478
Joined: 2006/05/29 16:50:11
Location: San Francisco, CA

sshd public key authentication fails

Post by michaelnel » 2009/03/10 22:32:36

Check /etc/ssh/sshd and make sure the variable "AuthorizedKeysFile" is set to ".ssh/authorized_keys"
and not ".ssh/authorized_keys2" as was common in some earlier versions.

What's in /home/michael/.ssh/config ?
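
The two server-side checks raised in this thread (which file AuthorizedKeysFile points at, and the permissions on the key files), as an added shell example that is not part of any post. The function names are hypothetical; it goes slightly beyond the thread by also checking the home directory, since sshd with StrictModes enabled rejects keys when the home directory, .ssh or the keys file is group- or world-writable.

```shell
#!/bin/sh
# Added example: read-only checks, nothing on the system is modified.

# Print the first AuthorizedKeysFile value in an sshd_config (keywords are
# case-insensitive, first match wins); fall back to the default when unset.
authorized_keys_setting() {
    val=$(awk 'tolower($1) == "authorizedkeysfile" { print $2; exit }' "$1")
    printf '%s\n' "${val:-.ssh/authorized_keys}"
}

# Resolve the setting against a home directory (%h token or relative path).
resolve_keys_path() {
    case $1 in
        %h/*) printf '%s\n' "$2/${1#%h/}" ;;
        /*)   printf '%s\n' "$1" ;;
        *)    printf '%s\n' "$2/$1" ;;
    esac
}

# True when a path is writable by group or others.
loosely_writable() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]
}

# check_pubkey_setup <sshd_config> <home>: prints findings, returns their count.
check_pubkey_setup() {
    problems=0
    keys=$(resolve_keys_path "$(authorized_keys_setting "$1")" "$2")
    if [ ! -f "$keys" ]; then
        echo "MISSING: sshd reads $keys, which does not exist"
        problems=$((problems + 1))
        # A near-miss name (authorized_key, authorized_keys2) is a common cause.
        for f in "$2"/.ssh/authorized_key*; do
            if [ -f "$f" ]; then echo "  note: found $f instead"; fi
        done
    fi
    for p in "$2" "$2/.ssh" "$keys"; do
        if [ -e "$p" ] && loosely_writable "$p"; then
            echo "PERMS: $p is group- or world-writable"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}
```

Run it on the server as `check_pubkey_setup /etc/ssh/sshd_config /home/<user>`; a non-zero exit status is the number of findings printed.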
