key auth ok one way, not the other
g'day all;
I'm trying to get public key authentication working between two linux
machines - 2.6.8 kernel -- 2.4.22 kernel.
Both machines are running OpenSSH 3.9.p1. I can ssh to the 2.4.22 machine
and get authenticated using the keys. If I try to go the 2.6.8 machine I
get publickey failed. I can login after enabling password auth. Here is
the '-v -v' debug log;
wcattell@arwen .ssh]$ ssh -v -v xxx.xxxx.xxx
OpenSSH_3.9p1, OpenSSL 0.9.7b 10 Apr 2003
debug1: Reading configuration data /usr/local/etc/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to xxx.xxxx.xxx port 22.
debug1: Connection established.
debug1: identity file /home/wcattell/.ssh/identity type -1
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug2: key_type_from_name: unknown key type 'Proc-Type:'
debug2: key_type_from_name: unknown key type 'DEK-Info:'
debug2: key_type_from_name: unknown key type '-----END'
debug1: identity file /home/wcattell/.ssh/id_rsa type 1
debug1: identity file /home/wcattell/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.9p1
debug1: match: OpenSSH_3.9p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.9p1
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 136/256
debug2: bits set: 498/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'xxx.xxxx.xxx' is known and matches the RSA host key.
debug1: Found key in /home/wcattell/.ssh/known_hosts:3
debug2: bits set: 505/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key:/home/wcattell/.ssh/identity ((nil))
debug2: key:/home/wcattell/.ssh/id_rsa (0x808b510)
debug2: key:/home/wcattell/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key:/home/wcattell/.ssh/identity
debug1: Offering public key:/home/wcattell/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue:publickey,keyboard-interactive
debug1: Trying private key:/home/wcattell/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: Authentications that can continue: publickey,keyboard-interactive
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied(publickey,keyboard-interactive)
----------
--My public key from 2.4.22 has been copied into ~/.ssh/authorized_keys on
xxx.xxxx.xxx(2.6.8) and vice-versa.
--2.6.8 is running ssh-agent ok
--2.4.22 is running ssh-agent but comes up with a message that it can't
connect to the agent when trying to run ssh-add.
--the /etc/ssh/sshd_config and ssh_config files are identicle between the
two hosts.
Any help or suggestions would be greatly appreciated.
TIA,
Bill
Re: key auth ok one way, not the other
On 2006-03-27, William B. Cattell <wbcattell1.nospam@yahoo.com> wrote:[color=blue]
>
> I'm trying to get public key authentication working between two linux
> machines - 2.6.8 kernel -- 2.4.22 kernel [and it works one way and
> not the other].[/color]
Compare the file permissions of $HOME/.ssh/authorized_keys, $HOME/.ssh
and $HOME between the two systems. See [url]http://openssh.com/faq.html#3.14[/url] .
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Re: key auth ok one way, not the other
On Mon, 27 Mar 2006 09:31:20 +0000, Darren Tucker wrote:
[color=blue]
> On 2006-03-27, William B. Cattell <wbcattell1.nospam@yahoo.com> wrote:[color=green]
>>
>> I'm trying to get public key authentication working between two linux
>> machines - 2.6.8 kernel -- 2.4.22 kernel [and it works one way and
>> not the other].[/color]
>
> Compare the file permissions of $HOME/.ssh/authorized_keys, $HOME/.ssh
> and $HOME between the two systems. See [url]http://openssh.com/faq.html#3.14[/url] .[/color]
Thanks - I've made some headway after modifying permissions. I'm still
being asked for the passphrase when ssh'ing to the 2.6.8 system. I'm
thinking that if I load the agent on the 2.4.22 machine that should be
resolved. The gotcha is that I can load the agent but trying to add a key
(or even look at the loaded keys) I get a "cannot communicate with agent".
I'm trying a couple different things related to that. Thanks for the
suggestion.
Bill
Re: key auth ok one way, not the other
William B. Cattell wrote:[color=blue]
> On Mon, 27 Mar 2006 09:31:20 +0000, Darren Tucker wrote:
>[color=green]
>> On 2006-03-27, William B. Cattell <wbcattell1.nospam@yahoo.com> wrote:[color=darkred]
>>> I'm trying to get public key authentication working between two linux
>>> machines - 2.6.8 kernel -- 2.4.22 kernel [and it works one way and
>>> not the other].[/color]
>> Compare the file permissions of $HOME/.ssh/authorized_keys, $HOME/.ssh
>> and $HOME between the two systems. See [url]http://openssh.com/faq.html#3.14[/url] .[/color]
>
> Thanks - I've made some headway after modifying permissions. I'm still
> being asked for the passphrase when ssh'ing to the 2.6.8 system. I'm
> thinking that if I load the agent on the 2.4.22 machine that should be
> resolved. The gotcha is that I can load the agent but trying to add a key
> (or even look at the loaded keys) I get a "cannot communicate with agent".
>
> I'm trying a couple different things related to that. Thanks for the
> suggestion.[/color]
What does /var/log/messages say on the server machine? It usually can
tell you what is wrong. Remember that your home directory needs to be
writable only by you (not writable by the group).
--
Stein Arne
Re: key auth ok one way, not the other
On Mon, 27 Mar 2006 21:34:11 +0200, Stein Arne Storslett wrote:
[color=blue]
> William B. Cattell wrote:[color=green]
>> On Mon, 27 Mar 2006 09:31:20 +0000, Darren Tucker wrote:
>>[color=darkred]
>>> On 2006-03-27, William B. Cattell <wbcattell1.nospam@yahoo.com> wrote:
>>>> I'm trying to get public key authentication working between two linux
>>>> machines - 2.6.8 kernel -- 2.4.22 kernel [and it works one way and
>>>> not the other].
>>> Compare the file permissions of $HOME/.ssh/authorized_keys, $HOME/.ssh
>>> and $HOME between the two systems. See [url]http://openssh.com/faq.html#3.14[/url] .[/color]
>>
>> Thanks - I've made some headway after modifying permissions. I'm still
>> being asked for the passphrase when ssh'ing to the 2.6.8 system. I'm
>> thinking that if I load the agent on the 2.4.22 machine that should be
>> resolved. The gotcha is that I can load the agent but trying to add a key
>> (or even look at the loaded keys) I get a "cannot communicate with agent".
>>
>> I'm trying a couple different things related to that. Thanks for the
>> suggestion.[/color]
>
> What does /var/log/messages say on the server machine? It usually can
> tell you what is wrong. Remember that your home directory needs to be
> writable only by you (not writable by the group).[/color]
Thanks to Darren (and the FAQ) the permissions are fixed.
/var/log/messages doesn't tell me anything other than it's accepted my
public key. I've verified the public keys are correctly inserted in
authorized_keys and the corresponding private key has (r) permissions for
the owner only.
If I su to root I can do an ssh-add and get the (root's) private key into
the agent (ssh-add -l shows the fingerprint). I'm wondering if ssh-add
needs to be suid (a bad idea, I know).
Any thoughts / ideas?
TIA,
Bill
Re: key auth ok one way, not the other
On Tue, 28 Mar 2006 11:08:39 +0000, William B. Cattell wrote:
[color=blue]
> On Mon, 27 Mar 2006 21:34:11 +0200, Stein Arne Storslett wrote:
>[color=green]
>> William B. Cattell wrote:[color=darkred]
>>> On Mon, 27 Mar 2006 09:31:20 +0000, Darren Tucker wrote:
>>>
>>>> On 2006-03-27, William B. Cattell <wbcattell1.nospam@yahoo.com> wrote:
>>>>> I'm trying to get public key authentication working between two linux
>>>>> machines - 2.6.8 kernel -- 2.4.22 kernel [and it works one way and
>>>>> not the other].
>>>> Compare the file permissions of $HOME/.ssh/authorized_keys, $HOME/.ssh
>>>> and $HOME between the two systems. See [url]http://openssh.com/faq.html#3.14[/url] .
>>>
>>> Thanks - I've made some headway after modifying permissions. I'm still
>>> being asked for the passphrase when ssh'ing to the 2.6.8 system. I'm
>>> thinking that if I load the agent on the 2.4.22 machine that should be
>>> resolved. The gotcha is that I can load the agent but trying to add a key
>>> (or even look at the loaded keys) I get a "cannot communicate with agent".
>>>
>>> I'm trying a couple different things related to that. Thanks for the
>>> suggestion.[/color]
>>
>> What does /var/log/messages say on the server machine? It usually can
>> tell you what is wrong. Remember that your home directory needs to be
>> writable only by you (not writable by the group).[/color]
>
> Thanks to Darren (and the FAQ) the permissions are fixed.
> /var/log/messages doesn't tell me anything other than it's accepted my
> public key. I've verified the public keys are correctly inserted in
> authorized_keys and the corresponding private key has (r) permissions for
> the owner only.
>
> If I su to root I can do an ssh-add and get the (root's) private key into
> the agent (ssh-add -l shows the fingerprint). I'm wondering if ssh-add
> needs to be suid (a bad idea, I know).
>
> Any thoughts / ideas?
>
> TIA,
>
> Bill[/color]
An update - I ran the agent as a user and was able to insert keys into it.
Would each user have to run the agent ro should I be able to run it at
startup (via r.local script) and let multiple users access it?
TIA,
Bill
Re: key auth ok one way, not the other
>>>>> "WBC" == William B Cattell <wbcattell1.nospam@yahoo.com> writes:
WBC> An update - I ran the agent as a user and was able to insert keys
WBC> into it. Would each user have to run the agent ro should I be
WBC> able to run it at startup (via r.local script) and let multiple
WBC> users access it?
The former. For security, ssh-agent requires that a client's uid match
its own, unless the client is root, who is allowed to talk to any agent.
This is an additional check on top of the permissions of the agent socket
node and containing directory.
Cf ssh-add.c; search for "getpeereid".
--
Richard Silverman
[email]res@qoxp.net[/email]
Re: key auth ok one way, not the other
On Thu, 30 Mar 2006 05:25:26 -0500, Richard E. Silverman wrote:
[color=blue][color=green][color=darkred]
>>>>>> "WBC" == William B Cattell <wbcattell1.nospam@yahoo.com> writes:[/color][/color]
>
> WBC> An update - I ran the agent as a user and was able to insert keys
> WBC> into it. Would each user have to run the agent ro should I be
> WBC> able to run it at startup (via r.local script) and let multiple
> WBC> users access it?
>
> The former. For security, ssh-agent requires that a client's uid match
> its own, unless the client is root, who is allowed to talk to any agent.
> This is an additional check on top of the permissions of the agent socket
> node and containing directory.
>
> Cf ssh-add.c; search for "getpeereid".[/color]
Richard - Thanks the clearing that up. It makes sense from a security
standpoint. I think it's working the way it's supposed to. Thanks to all
who've responded.
Bill
Re: key auth ok one way, not the other
On 2006-03-30, Richard E. Silverman <res@qoxp.net> wrote:[color=blue]
> The former. For security, ssh-agent requires that a client's uid match
> its own, unless the client is root, who is allowed to talk to any agent.
> This is an additional check on top of the permissions of the agent socket
> node and containing directory.
>
> Cf ssh-add.c; search for "getpeereid".[/color]
Note that (in OpenSSH at least) getpeereid is a no-op on platforms that
do not provide a way to get the info from the kernel (which is quite a
few; those will show a warning to that effect when configure runs).
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
