Having trouble using public key authentication - SSH

  1. Having trouble using public key authentication

    Hi,

    I've just finished setting up a FreeBSD 7.0 machine, remote to me,
    that is used for some web site development. I need to get public key
    authentication working on this box mostly for nicer subversion
    access. Usually, I use ssh-keygen and generate myself a
    public/private key pair and then copy the public key into
    ~/.ssh/authorized_keys. Now, this worked on another FreeBSD 7.0
    machine I set up for my church, but on the other I'm having troubles.
    Below is a copy/paste of the login transaction between my FreeBSD box
    and that one:

    [/usr/home/andy/MCH]
    -> ssh -v -v malumgat
    OpenSSH_4.5p1 FreeBSD-20061110, OpenSSL 0.9.7e-p1 25 Oct 2004
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug2: ssh_connect: needpriv 0
    debug1: Connecting to malumgat [24.59.91.121] port 22.
    debug1: Connection established.
    debug1: identity file /home/andy/.ssh/identity type -1
    debug2: key_type_from_name: unknown key type '-----BEGIN'
    debug2: key_type_from_name: unknown key type '-----END'
    debug1: identity file /home/andy/.ssh/id_rsa type 1
    debug1: identity file /home/andy/.ssh/id_dsa type -1
    debug1: Remote protocol version 2.0, remote software version
    OpenSSH_4.5p1
    FreeBSD-20061110
    debug1: match: OpenSSH_4.5p1 FreeBSD-20061110 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_4.5p1 FreeBSD-20061110
    debug2: fd 3 setting O_NONBLOCK
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug2: kex_parse_kexinit:
    diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-
    sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    debug2: kex_parse_kexinit: ssh-dss,ssh-rsa
    debug2: kex_parse_kexinit:
    aes128-cbc,3des-cbc,blowfish-cbc,cast128-
    cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-
    cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
    debug2: kex_parse_kexinit:
    aes128-cbc,3des-cbc,blowfish-cbc,cast128-
    cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-
    cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
    debug2: kex_parse_kexinit:
    hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-
    sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit:
    hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-
    sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
    debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit: first_kex_follows 0
    debug2: kex_parse_kexinit: reserved 0
    debug2: kex_parse_kexinit:
    diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-
    sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    debug2: kex_parse_kexinit: ssh-dss
    debug2: kex_parse_kexinit:
    aes128-cbc,3des-cbc,blowfish-cbc,cast128-
    cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-
    cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
    debug2: kex_parse_kexinit:
    aes128-cbc,3des-cbc,blowfish-cbc,cast128-
    cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-
    cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
    debug2: kex_parse_kexinit:
    hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-
    sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit:
    hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-
    sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: none,zlib@openssh.com
    debug2: kex_parse_kexinit: none,zlib@openssh.com
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit: first_kex_follows 0
    debug2: kex_parse_kexinit: reserved 0
    debug2: mac_init: found hmac-md5
    debug1: kex: server->client aes128-cbc hmac-md5 none
    debug2: mac_init: found hmac-md5
    debug1: kex: client->server aes128-cbc hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug2: dh_gen_key: priv key bits set: 132/256
    debug2: bits set: 526/1024
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Host 'malumgat' is known and matches the DSA host key.
    debug1: Found key in /home/andy/.ssh/known_hosts:9
    debug2: bits set: 494/1024
    debug1: ssh_dss_verify: signature correct
    debug2: kex_derive_keys
    debug2: set_newkeys: mode 1
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug2: set_newkeys: mode 0
    debug1: SSH2_MSG_NEWKEYS received
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug2: service_accept: ssh-userauth
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug2: key: /home/andy/.ssh/identity (0x0)
    debug2: key: /home/andy/.ssh/id_rsa (0x5308a0)
    debug2: key: /home/andy/.ssh/id_dsa (0x0)
    debug1: Authentications that can continue: publickey,keyboard-
    interactive
    debug1: Next authentication method: publickey
    debug1: Trying private key: /home/andy/.ssh/identity
    debug1: Offering public key: /home/andy/.ssh/id_rsa
    debug2: we sent a publickey packet, wait for reply
    debug1: Authentications that can continue: publickey,keyboard-
    interactive
    debug1: Trying private key: /home/andy/.ssh/id_dsa
    debug2: we did not send a packet, disable method
    debug1: Next authentication method: keyboard-interactive
    debug2: userauth_kbdint
    debug2: we sent a keyboard-interactive packet, wait for reply
    debug2: input_userauth_info_req
    debug2: input_userauth_info_req: num_prompts 1
    Password:
    debug2: input_userauth_info_req
    debug2: input_userauth_info_req: num_prompts 0
    debug1: Authentication succeeded (keyboard-interactive).
    debug1: channel 0: new [client-session]
    debug2: channel 0: send open
    debug1: Entering interactive session.
    debug2: callback start
    debug2: client_session2_setup: id 0
    debug2: channel 0: request pty-req confirm 0
    debug2: channel 0: request shell confirm 0
    debug2: fd 3 setting TCP_NODELAY
    debug2: callback done
    debug2: channel 0: open confirm rwindow 0 rmax 32768
    debug2: channel 0: rcvd adjust 131072

    Any help is greatly appreciated.

    Andy

  2. Re: Having trouble using public key authentication

    >>>>> "AF" == Andrew Falanga writes:

    AF> Hi, I've just finished setting up a FreeBSD 7.0 machine, remote to
    AF> me, that is used for some web site development. I need to get
    AF> public key authentication working on this box mostly for nicer
    AF> subversion access. Usually, I use ssh-keygen and generate myself
    AF> a public/private key pair and then copy the public key into
    AF> ~/.ssh/authorized_keys. Now, this worked on another FreeBSD 7.0
    AF> machine I set up for my church, but on the other I'm having
    AF> troubles. Below is a copy/paste of the login transaction between
    AF> my FreeBSD box and that one: ...

    This doesn't tell you much, except that you are engaging in publickey
    authentication and the server is denying your key. There are lots of
    things that could be wrong. The most common is file permissions on the
    server side: all three of ~, ~/.ssh, and ~/.ssh/authorized_keys must *not*
    be group or world writable. Also make sure the account is not excluded by
    {Allow,Deny}{Users,Groups} statements, and that it is not locked or
    otherwise excluded by PAM. Check the syslog messages from sshd. If none
    of these helps, run sshd in debug mode to find out why it's rejecting this
    login.

    --
    Richard Silverman
    res@qoxp.net
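
    The server-side permission check named in the reply above, as an added example that is not part of the original thread. It covers only the group/world-writable condition on the three paths, uses POSIX find(1) so it behaves the same on FreeBSD and Linux, and the function names are made up for this example.

```shell
#!/bin/sh
# Added example: audit ~, ~/.ssh and ~/.ssh/authorized_keys for
# group- or world-write bits, the condition that makes sshd ignore the key file.

# Print the path if it is group- or world-writable; print nothing otherwise.
# -prune keeps find from descending into directories.
writable_by_others() {
    find "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null
}

# check_ssh_perms HOME_DIR
# Returns 0 if all three paths pass, 1 if any is too permissive,
# 2 if a path is missing and nothing was too permissive.
check_ssh_perms() {
    home=$1
    result=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING  $p"
            if [ "$result" -eq 0 ]; then result=2; fi
            continue
        fi
        if [ -n "$(writable_by_others "$p")" ]; then
            echo "TOO OPEN $p  (fix: chmod go-w '$p')"
            result=1
        else
            echo "ok       $p"
        fi
    done
    return "$result"
}
```

    Source the file on the server and run `check_ssh_perms "$HOME"` as the account that fails to log in with its key.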



  3. Re: Having trouble using public key authentication

    @usenet

    I had the same problem when I tried logging into an ssh account which was also a sudoer (on an Ubuntu Server). The problem went away when I created a user with lesser privileges and logged into that account.

    I guess that's a security feature. There should be some way to get over that. But I do not know how.
