Newsgroups: gmane.linux.debian.user
Date: Fri, 28 Mar 2008 10:59:52 +1100

>> Keypairs work fine except on the frankenstein machine, with the same
>> keypair as works on my sid machine, my freeBSD machine, my gentoo box
>> and etch desktop, it still asks for my password.
>
> First things I would check would be file permissions on ~/.ssh (700) and
> ~/.ssh/authorized_keys (600) on the remote host and check
> /etc/ssh/sshd_config for PubkeyAuthentication yes
These are all ok.
A default Debian install normally allows this and I have not changed the config.
Rich Healey @gmail.com
> . . . it still asks for my password.
To debug ssh problems, you can start "ssh -v -p 222" on the client after a "sshd -D -d -p 222" on the server. [I.e., don't stop your normal sshd service, especially when you are debugging remotely. Start another debug sshd instance instead. — xpt]
Also note that besides file permissions on the server, also directory permissions (at least for ~/.ssh and ~/ but also the x permission on all their parents) are important. And also permissions on the client.
NN_il_Confusionario @tiscalinet.it
I have the same situation: keypairs work fine outbound but not inbound. Using the trick above, I found that it is a file/directory permissions problem. Here is the log:
On the client side, when it does not work:
$ ssh -v -v -v -p 222 localhost
OpenSSH_4.3p2 Debian-9, OpenSSL 0.9.8e 23 Feb 2007
debug1: Reading configuration data /etc/ssh/ssh_config
[...]
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/tong/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Offering public key: /home/tong/.ssh/id_dsa
[...]
Password:

I.e., my id_rsa public key was not accepted, and the client moved on to id_dsa, then fell through to the password prompt.
On the server side, when it does not work:
% sshd -D -d -p 222
sshd re-exec requires execution with an absolute path
% /usr/sbin/sshd -D -d -p 222
debug1: sshd version OpenSSH_4.3p2 Debian-9
[...]
debug1: userauth-request for user tong service ssh-connection method publickey
[...]
Failed none for tong from 127.0.0.1 port 59274 ssh2
debug1: temporarily_use_uid: 9999/1001 (e=0/0)
debug1: trying public key file /home/tong/.ssh/authorized_keys
Authentication refused: bad ownership or modes for directory /export/home/tong
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 9999/1001 (e=0/0)
debug1: trying public key file /home/tong/.ssh/authorized_keys2
There it says, "Authentication refused: bad ownership or modes" for my home directory. To fix it:
chmod 755 ~
chmod 700 ~/.ssh
Here is the correct log. On the server side,
% /usr/sbin/sshd -D -d -p 222
debug1: sshd version OpenSSH_4.3p2 Debian-9
[...]
debug1: userauth-request for user tong service ssh-connection method publickey
[...]
Failed none for tong from 127.0.0.1 port 47010 ssh2
debug1: temporarily_use_uid: 9999/1001 (e=0/0)
debug1: trying public key file /home/tong/.ssh/authorized_keys
debug1: matching key found: file /home/tong/.ssh/authorized_keys, line 1
Found matching RSA key: ...
debug1: restore_uid: 0/0
Postponed publickey for tong from 127.0.0.1 port 47010 ssh2
debug1: userauth-request for user tong service ssh-connection method publickey
debug1: attempt 2 failures 1
debug1: temporarily_use_uid: 9999/1001 (e=0/0)
debug1: trying public key file /home/tong/.ssh/authorized_keys
debug1: matching key found: file /home/tong/.ssh/authorized_keys, line 1
Found matching RSA key: ...
debug1: restore_uid: 0/0
debug1: ssh_rsa_verify: signature correct
debug1: do_pam_account: called
Accepted publickey for tong from 127.0.0.1 port 47010 ssh2
debug1: monitor_child_preauth: tong has been authenticated by privileged process
debug1: PAM: reinitializing credentials
debug1: permanently_set_uid: 9999/1001
debug1: Entering interactive session for SSH2.
On the client side,
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/tong/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 149
debug2: input_userauth_pk_ok: fp ...
debug3: sign_and_send_pubkey
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Entering interactive session.
Now I am able to set

PasswordAuthentication no

in /etc/ssh/ssh_config.

% /etc/init.d/ssh restart
Restarting OpenBSD Secure Shell server: sshd.
documented on: 2008-03-29
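
The failing server log above shows "bad ownership or modes for directory /export/home/tong" even though the key file was given as /home/tong/.ssh/authorized_keys. As an added example (not code from the thread or from OpenSSH), this Python script approximates sshd's StrictModes check: it resolves symlinks, then walks from authorized_keys up to the home directory and reports anything not owned by the user or root, or writable by group or others. The function names, the temporary directory tree and the 775 starting mode are assumptions constructed for the demonstration.

```python
import os
import stat
import tempfile

def audit_key_path(authorized_keys, home, uid):
    """Return (path, problem) tuples; an empty list means the path passes."""
    problems = []
    path = os.path.realpath(authorized_keys)  # symlinks resolved first
    home = os.path.realpath(home)
    is_file = True
    while True:
        try:
            st = os.stat(path)
        except OSError as exc:
            problems.append((path, f"cannot stat: {exc.strerror}"))
            break
        if is_file and not stat.S_ISREG(st.st_mode):
            problems.append((path, "not a regular file"))
        if st.st_uid not in (0, uid):
            problems.append((path, f"owned by uid {st.st_uid}, expected {uid} or root"))
        if st.st_mode & 0o022:
            problems.append((path, f"group/world writable (mode {stat.S_IMODE(st.st_mode):o})"))
        if path == home or path == os.path.dirname(path):
            break  # stop once the home directory (or /) has been checked
        path = os.path.dirname(path)
        is_file = False
    return problems

def demo():
    """Constructed sample: a group-writable home directory, then the chmod 755 fix."""
    uid = os.getuid()
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "home", "tong")
        ssh_dir = os.path.join(home, ".ssh")
        os.makedirs(ssh_dir)
        keys = os.path.join(ssh_dir, "authorized_keys")
        with open(keys, "w") as fh:
            fh.write("ssh-rsa AAAA...constructed tong@example\n")
        os.chmod(keys, 0o600)
        os.chmod(ssh_dir, 0o700)
        os.chmod(home, 0o775)   # assumed failing state: group-writable home
        before = audit_key_path(keys, home, uid)
        os.chmod(home, 0o755)   # the fix given in the post
        after = audit_key_path(keys, home, uid)
    return before, after

if __name__ == "__main__":
    for label, result in zip(("before chmod 755", "after chmod 755"), demo()):
        print(label, result or "ok")
```

On a real host, call audit_key_path with the account's authorized_keys path, home directory and numeric uid; this covers only the ownership and write-bit test, not the x permission on parent directories mentioned earlier in the thread.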