PublicKey Authentication not working between CentOS 6 and 7 servers

Post by cyoho » 2018/05/04 14:03:12

I have been using RSA public key authentication to connect from a CentOS 6 server to a CentOS 5 server and it's worked fine. I built a CentOS 7 server to replace the CentOS 5 server but can't get PublicKey Authentication to work. I have checked permissions on my home directory, .ssh and the keys, regenerated the key several times (ssh-keygen -t rsa), tried a different user, and compared the sshd_config files (which are different because of the versions but not in a way that I think would cause this). But still no go. Running the sshd server (on CentOS 7) in debug mode (/usr/sbin/ssh -d) shows this at the end:

debug1: matching key found: file /home/bobdog/.ssh/authorized_keys, line 1 RSA SHA256:CvNAblahblablah-long-string-of-charsPO3Y
debug1: restore_uid:0/0
Postponed publickey for cyoho from xxx.xxx.xxx.xxx port 37888 ssh2 [preauth]
debug1: userauth-request for user bobdog service ssh-connection method publickey [preauth]
debug1: attempt 2 failures 0 [preauth]
debug1: temporarily_use_uid: 1000/1000 (e=0/0)
debug1: trying public key file /home/bobdog/.ssh/authorized_keys
debug1: fd 4 clearing 0_NONBLOCK
debug1: matching key found: file /home/bobdog/.ssh/authorized_keys, line 1 RSA SHA256:CvNAblahblablah-long-string-of-charsPO3Y
debug1: restore_uid:0/0
key_verify: incorrect signature
Failed publickey for bobdog from xxx.xxx.xxx.xxx port 3788 ssh2: RSA SHA256:CvNAblahblablah-long-string-of-charsPO3Y
Connection closed by xxx.xxx.xxx.xxx port 3788 [preauth]
debug1: do_cleanup

Running the connection in verbose mode (ssh -v bobdog@CentOS7Host.umpublishing.org) shows the following:

debug1: Next authentication method: publickey
debug1: Trying private key: /home/bobdog/.ssh/identity
debug1: Offering public key: /home/bobdog/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 277
debug1: read PEM private key done: type RSA
debug1: Authications that can continue: publickey, gssapi-keyex, gssapi-with-mic, password
debug1: Trying private key: /home/bobdog/.ssh/id_dsa
debug1: Trying private key: /home/bobdog/.ssh/id_ecdsa
debug1: Next authentication method: password
bobdog@CentOS7Host's password:

At this point I can login via the password.

What am I missing?
Attachments: sshd_config_CentOS7server.txt, sshd_config_CentOS6server.txt

Re: PublicKey Authentication not working between CentOS 6 and 7 servers

Post by TrevorH » 2018/05/04 14:56:24

CentOS 7.4 includes a much newer OpenSSH package and the OpenSSH developers have removed a bunch of ciphers and protocols that they consider to be broken and unsafe. It's possible that a key that was generated on CentOS 5 using the defaults may now not be usable. Perhaps try generating a new key on CentOS 7 and using that instead.

Also ssh is very picky about permissions, but errors will be logged to /var/log/secure on the server you're trying to connect to, so it's worth looking there. I'd also double-check that the copy of your authorized_keys file on the el7 machine is correct, as "incorrect signature" could be down to corruption.

Permissions should look like this

[root@centos7 ~]# namei -mo /home/trevor/.ssh/authorized_keys
f: /home/trevor/.ssh/authorized_keys
 dr-xr-xr-x root   root   /
 drwxr-xr-x root   root   home
 drwx------ trevor trevor trevor
 drwx------ trevor trevor .ssh
 -rw------- trevor trevor authorized_keys
 
Also try restorecon -RFv /home/$USER/.ssh and see if the SELinux contexts were correct (that will fix them and tell you what changed).
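The two server-side checks suggested in the reply above (ownership and mode along the path to authorized_keys, and an uncorrupted key entry), as an added Python example that is not part of the original thread. The function names are hypothetical, and the path rule is an assumption modelled on sshd's StrictModes behaviour: owner is the user or root, and no group/other write bit, from the key file up to the home directory.

```python
import base64, hashlib, os, struct
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def check_key_line(line):
    """Return (ok, detail): detail is the SHA256 fingerprint, or the fault found."""
    fields = line.split()
    # Options may precede the key type, so find the first known type token.
    idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
    if idx is None or idx + 1 >= len(fields):
        return False, "no recognised key type followed by a key blob"
    try:
        blob = base64.b64decode(fields[idx + 1], validate=True)
    except ValueError:
        return False, "blob is not valid base64 (truncated or wrapped line?)"
    # The blob is a run of length-prefixed strings; the first names the algorithm.
    pos, parts = 0, []
    while pos < len(blob):
        if pos + 4 > len(blob):
            return False, "blob ends inside a length field"
        (n,) = struct.unpack(">I", blob[pos:pos + 4])
        if pos + 4 + n > len(blob):
            return False, "blob is shorter than its length fields claim"
        parts.append(blob[pos + 4:pos + 4 + n])
        pos += 4 + n
    if not parts or parts[0] != fields[idx].encode():
        return False, "key type inside the blob differs from the declared type"
    digest = hashlib.sha256(blob).digest()
    return True, "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def insecure_components(path, home, uid):
    """Paths from the key file up to home that are writable by group/other
    or owned by someone other than uid or root (assumed StrictModes rule)."""
    bad, cur, home = [], os.path.realpath(path), os.path.realpath(home)
    while True:
        st = os.stat(cur)
        if st.st_uid not in (0, uid) or st.st_mode & 0o022:
            bad.append(cur)
        if cur == home or cur == os.path.dirname(cur):
            return bad
        cur = os.path.dirname(cur)

if __name__ == "__main__":
    home = os.path.expanduser("~")
    path = os.path.join(home, ".ssh", "authorized_keys")
    print("insecure:", insecure_components(path, home, os.getuid()))
    for no, line in enumerate(open(path), 1):
        if line.strip() and not line.startswith("#"):
            print(no, *check_key_line(line))
```

The fingerprint printed for a healthy line is in the same SHA256 form as the `RSA SHA256:...` value in the sshd debug output, so the two can be compared directly.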