SSH public key authentication

Issues related to configuring your network
aray92
Posts: 1
Joined: 2011/09/01 15:54:16

SSH public key authentication

Post by aray92 » 2011/09/01 16:26:47

I've been trying for ages, but can't get this to work. On my CentOS 6 box, I generated two sets of rsa keys with:


[code]# ssh-keygen -t rsa[/code]

One went into ~/.ssh, the other into ~/. Then I added the public key from ~/ to authorized_keys:

[code]# cat ~/id_rsa.pub > ~/.ssh/authorized_keys[/code]

Then I restarted sshd. I then moved the key pair from ~/ to ~/.ssh/ on a different box. Now, ssh to the original CentOS box does not work. Here is the debugging output:

sshd -Dddd
[code]
debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 681
debug2: parse_server_config: config /etc/ssh/sshd_config len 681
debug3: /etc/ssh/sshd_config:21 setting Protocol 2
debug3: /etc/ssh/sshd_config:26 setting HostKey /etc/ssh/ssh_host_rsa_key
debug3: /etc/ssh/sshd_config:36 setting SyslogFacility AUTHPRIV
debug3: /etc/ssh/sshd_config:47 setting RSAAuthentication yes
debug3: /etc/ssh/sshd_config:48 setting PubkeyAuthentication yes
debug3: /etc/ssh/sshd_config:49 setting AuthorizedKeysFile ~/.ssh/authorized_keys
debug3: /etc/ssh/sshd_config:66 setting PasswordAuthentication yes
debug3: /etc/ssh/sshd_config:70 setting ChallengeResponseAuthentication no
debug3: /etc/ssh/sshd_config:80 setting GSSAPIAuthentication yes
debug3: /etc/ssh/sshd_config:82 setting GSSAPICleanupCredentials yes
debug3: /etc/ssh/sshd_config:96 setting UsePAM yes
debug3: /etc/ssh/sshd_config:99 setting AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
debug3: /etc/ssh/sshd_config:100 setting AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
debug3: /etc/ssh/sshd_config:101 setting AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
debug3: /etc/ssh/sshd_config:102 setting AcceptEnv XMODIFIERS
debug3: /etc/ssh/sshd_config:108 setting X11Forwarding yes
debug3: /etc/ssh/sshd_config:131 setting Subsystem sftp /usr/libexec/openssh/sftp-server
debug1: sshd version OpenSSH_5.3p1
debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-Dddd'
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug2: fd 4 setting O_NONBLOCK
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug3: fd 5 is not O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 8 config len 681
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug1: inetd sockets after dupping: 3, 3
Connection from 192.168.0.7 port 3157
debug1: Client protocol version 2.0; client software version OpenSSH_5.1
debug1: match: OpenSSH_5.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug2: fd 3 setting O_NONBLOCK
debug2: Network child is on pid 1514
debug3: preauth child monitor started
debug3: mm_request_receive entering
debug3: privsep user:group 74:74
debug1: permanently_set_uid: 74/74
debug1: list_hostkey_types: ssh-rsa
debug1: SSH2_MSG_KEXINIT sent
debug3: Wrote 776 bytes for a total of 797
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug3: mm_request_send entering: type 0
debug3: monitor_read: checking request 0
debug3: mm_answer_moduli: got parameters: 1024 1024 8192
debug3: mm_request_send entering: type 1
debug2: monitor_read: 0 used once, disabling now
debug3: mm_request_receive entering
debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI
debug3: mm_request_receive_expect entering: type 1
debug3: mm_request_receive entering
debug3: mm_choose_dh: remaining 0
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug3: Wrote 152 bytes for a total of 949
debug2: dh_gen_key: priv key bits set: 129/256
debug2: bits set: 518/1024
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug2: bits set: 514/1024
debug3: mm_key_sign entering
debug3: mm_request_send entering: type 5
debug3: monitor_read: checking request 5
debug3: mm_answer_sign
debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN
debug3: mm_request_receive_expect entering: type 6
debug3: mm_request_receive entering
debug3: mm_answer_sign: signature 0x152a590(271)
debug3: mm_request_send entering: type 6
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: Wrote 720 bytes for a total of 1669
debug2: monitor_read: 5 used once, disabling now
debug3: mm_request_receive entering
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug3: Wrote 48 bytes for a total of 1717
debug1: userauth-request for user root service ssh-connection method none
debug1: attempt 0 failures 0
debug3: mm_getpwnamallow entering
debug3: mm_request_send entering: type 7
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
debug3: mm_request_receive_expect entering: type 8
debug3: mm_request_receive entering
debug3: monitor_read: checking request 7
debug3: mm_answer_pwnamallow
debug3: Trying to reverse map address 192.168.0.7.
debug2: parse_server_config: config reprocess config len 681
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
debug3: mm_request_send entering: type 8
debug2: input_userauth_request: setting up authctxt for root
debug3: mm_start_pam entering
debug3: mm_request_send entering: type 50
debug3: mm_inform_authserv entering
debug3: mm_request_send entering: type 3
debug3: mm_inform_authrole entering
debug3: mm_request_send entering: type 4
debug2: input_userauth_request: try method none
debug3: Wrote 80 bytes for a total of 1797
debug2: monitor_read: 7 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 50
debug1: PAM: initializing for "root"
debug1: PAM: setting PAM_RHOST to "(server).(domain).local"
debug1: PAM: setting PAM_TTY to "ssh"
debug2: monitor_read: 50 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 3
debug3: mm_answer_authserv: service=ssh-connection, style=
debug2: monitor_read: 3 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 4
debug3: mm_answer_authrole: role=
debug2: monitor_read: 4 used once, disabling now
debug3: mm_request_receive entering
debug1: userauth-request for user root service ssh-connection method publickey
debug1: attempt 1 failures 0
debug2: input_userauth_request: try method publickey
debug1: test whether pkalg/pkblob are acceptable
debug3: mm_key_allowed entering
debug3: mm_request_send entering: type 21
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
debug3: mm_request_receive_expect entering: type 22
debug3: mm_request_receive entering
debug3: monitor_read: checking request 21
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 0x152cc70
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug1: trying public key file /root/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
debug3: secure_filename: checking '/root/.ssh'
debug3: secure_filename: checking '/root'
debug3: secure_filename: terminating check at '/root'
debug1: matching key found: file /root/.ssh/authorized_keys, line 1
Found matching RSA key: b3:d3:a4:2a:b3:e8:ec:d0:61:96:fd:01:00:34:ad:c6
debug1: restore_uid: 0/0
debug3: mm_answer_keyallowed: key 0x152cc70 is allowed
debug3: mm_request_send entering: type 22
debug3: Wrote 320 bytes for a total of 2117
debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa
Postponed publickey for root from 192.168.0.7 port 3157 ssh2
debug3: mm_request_receive entering
debug1: userauth-request for user root service ssh-connection method publickey
debug1: attempt 2 failures 0
debug2: input_userauth_request: try method publickey
debug3: mm_key_allowed entering
debug3: mm_request_send entering: type 21
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
debug3: mm_request_receive_expect entering: type 22
debug3: mm_request_receive entering
debug3: monitor_read: checking request 21
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 0x152ea78
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug1: trying public key file /root/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
debug3: secure_filename: checking '/root/.ssh'
debug3: secure_filename: checking '/root'
debug3: secure_filename: terminating check at '/root'
debug1: matching key found: file /root/.ssh/authorized_keys, line 1
Found matching RSA key: b3:d3:a4:2a:b3:e8:ec:d0:61:96:fd:01:00:34:ad:c6
debug1: restore_uid: 0/0
debug3: mm_answer_keyallowed: key 0x152ea78 is allowed
debug3: mm_request_send entering: type 22
debug3: mm_key_verify entering
debug3: mm_request_send entering: type 23
debug3: mm_key_verify: waiting for MONITOR_ANS_KEYVERIFY
debug3: mm_request_receive_expect entering: type 24
debug3: mm_request_receive entering
debug3: mm_request_receive entering
debug3: monitor_read: checking request 23
debug1: ssh_rsa_verify: signature correct
debug3: mm_answer_keyverify: key 0x152ec98 signature verified
debug3: mm_request_send entering: type 24
debug2: userauth_pubkey: authenticated 1 pkalg ssh-rsa
debug3: mm_do_pam_account entering
debug3: mm_request_send entering: type 51
debug3: mm_request_receive_expect entering: type 52
debug3: mm_request_receive entering
debug3: mm_request_receive_expect entering: type 51
debug3: mm_request_receive entering
debug1: do_pam_account: called
debug3: PAM: do_pam_account pam_acct_mgmt = 0 (Success)
debug3: mm_request_send entering: type 52
Accepted publickey for root from 192.168.0.7 port 3157 ssh2
debug1: monitor_child_preauth: root has been authenticated by privileged process
debug3: mm_get_keystate: Waiting for new keys
debug3: mm_request_receive_expect entering: type 25
debug3: mm_request_receive entering
debug3: mm_do_pam_account returning 1
debug3: Wrote 32 bytes for a total of 2149
debug3: mm_send_keystate: Sending new keys: 0x1520418 0x1522310
debug3: mm_newkeys_to_blob: converting 0x1520418
debug3: mm_newkeys_to_blob: converting 0x1522310
debug3: mm_send_keystate: New keys have been sent
debug3: mm_send_keystate: Sending compression state
debug3: mm_request_send entering: type 25
debug3: mm_send_keystate: Finished sending state
debug3: mm_newkeys_from_blob: 0x152ea18(118)
debug2: mac_setup: found hmac-md5
debug3: mm_get_keystate: Waiting for second key
debug3: mm_newkeys_from_blob: 0x152ea18(118)
debug2: mac_setup: found hmac-md5
debug3: mm_get_keystate: Getting compression state
debug3: mm_get_keystate: Getting Network I/O buffers
debug3: mm_share_sync: Share sync
debug3: mm_share_sync: Share sync end
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug1: ssh_gssapi_storecreds: Not a GSSAPI mechanism
debug1: restore_uid: 0/0
debug1: SELinux support enabled
debug3: ssh_selinux_setup_pam_variables: setting execution context
debug1: PAM: establishing credentials
debug3: PAM: opening session
debug3: PAM: sshpam_store_conv called with 1 messages
PAM: pam_open_session(): Authentication failure
debug2: set_newkeys: mode 0
debug2: set_newkeys: mode 1
debug1: Entering interactive session for SSH2.
debug2: fd 5 setting O_NONBLOCK
debug2: fd 6 setting O_NONBLOCK
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 0 win 1048576 max 16384
debug1: input_session_request
debug1: channel 0: new [server-session]
debug2: session_new: allocate (allocated 0 max 10)
debug3: session_unused: session id 0 unused
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_global_request: rtype no-more-sessions@openssh.com want_reply 0
debug3: Wrote 48 bytes for a total of 2197
debug1: server_input_channel_req: channel 0 request pty-req reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req pty-req
debug1: Allocating pty.
debug1: session_pty_req: session 0 alloc /dev/pts/0
debug3: ssh_selinux_setup_pty: setting TTY context on /dev/pts/0
ssh_selinux_setup_pty: security_compute_relabel: Invalid argument
debug3: ssh_selinux_setup_pty: done
debug1: server_input_channel_req: channel 0 request shell reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req shell
debug2: fd 3 setting TCP_NODELAY
debug2: channel 0: rfd 9 isatty
debug2: fd 9 setting O_NONBLOCK
debug3: fd 7 is O_NONBLOCK
debug3: Wrote 112 bytes for a total of 2309
debug1: Setting controlling tty using TIOCSCTTY.
debug3: Wrote 112 bytes for a total of 2421
debug3: Wrote 80 bytes for a total of 2501
debug3: Wrote 112 bytes for a total of 2613
debug2: channel 0: read<=0 rfd 9 len -1
debug2: channel 0: read failed
debug2: channel 0: close_read
debug2: channel 0: input open -> drain
debug2: channel 0: ibuf empty
debug2: channel 0: send eof
debug2: channel 0: input drain -> closed
debug3: Wrote 32 bytes for a total of 2645
debug1: Received SIGCHLD.
debug1: session_by_pid: pid 1516
debug1: session_exit_message: session 0 channel 0 pid 1516
debug2: channel 0: request exit-status confirm 0
debug1: session_exit_message: release channel 0
debug2: channel 0: write failed
debug2: channel 0: close_write
debug2: channel 0: send eow
debug2: channel 0: output open -> closed
debug1: session_pty_cleanup: session 0 release /dev/pts/0
debug2: channel 0: send close
debug3: channel 0: will not send data after close
debug2: notify_done: reading
debug3: Wrote 160 bytes for a total of 2805
debug3: channel 0: will not send data after close
debug2: channel 0: rcvd close
debug3: channel 0: will not send data after close
debug2: channel 0: is dead
debug2: channel 0: gc: notify user
debug1: session_by_channel: session 0 channel 0
debug1: session_close_by_channel: channel 0 child 0
debug1: session_close: session 0 pid 0
debug3: session_unused: session id 0 unused
debug2: channel 0: gc: user detached
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: server-session, nchannels 1
debug3: channel 0: status: The following connections are open:
#0 server-session (t4 r0 i3/0 o3/0 fd -1/-1 cfd -1)

debug3: channel 0: close_fds r -1 w -1 e -1 c -1
Connection closed by 192.168.0.7
debug1: do_cleanup
debug1: PAM: cleanup
debug1: PAM: deleting credentials
debug3: PAM: sshpam_thread_cleanup entering
Transferred: sent 2544, received 2480 bytes
Closing connection to 192.168.0.7 port 3157
[/code]

ssh -vvv root@(host)
[code]
OpenSSH_5.1p1, OpenSSL 0.9.8k 25 Mar 2009
debug2: ssh_connect: needpriv 0
debug1: Connecting to 192.168.0.111 [192.168.0.111] port 22.
debug1: Connection established.
debug1: identity file /cygdrive/c/Documents and Settings/(user)/.ssh/identity type -1
debug3: Not a RSA1 key file /cygdrive/c/Documents and Settings/(user)/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /cygdrive/c/Documents and Settings/(user)/.ssh/id_rsa type 1
debug1: identity file /cygdrive/c/Documents and Settings/(user)/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 120/256
debug2: bits set: 543/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /cygdrive/c/Documents and Settings/(user)/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug1: Host '192.168.0.111' is known and matches the RSA host key.
debug1: Found key in /cygdrive/c/Documents and Settings/(user)/.ssh/known_hosts:1
debug2: bits set: 502/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /cygdrive/c/Documents and Settings/(user)/.ssh/identity (0x0)
debug2: key: /cygdrive/c/Documents and Settings/(user)/.ssh/id_rsa (0xaabf08)
debug2: key: /cygdrive/c/Documents and Settings/(user)/.ssh/id_dsa (0x0)
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /cygdrive/c/Documents and Settings/(user)/.ssh/identity
debug3: no such identity: /cygdrive/c/Documents and Settings/(user)/.ssh/identity
debug1: Offering public key: /cygdrive/c/Documents and Settings/(user)/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /cygdrive/c/Documents and Settings/(user)/.ssh/id_dsa
debug3: no such identity: /cygdrive/c/Documents and Settings/(user)/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
[/code]

Here is my sshd_config:
[code]
# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile ~/.ssh/authorized_keys
#AuthorizedKeysCommand none
#AuthorizedKeysCommandRunAs nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM yes

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server

[/code]

TrevorH
Forum Moderator
Posts: 28867
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SSH public key authentication

Post by TrevorH » 2011/09/01 21:02:35

[quote]
I generated two sets of rsa keys
[/quote]

Two sets? Or did you generate one set and it produced two files? Either way, you need to run it once, that produces two files and they [u]both[/u] go in ~/.ssh

Permissions and ownership on both directory and files need to be correct. So..

[code]
[trevor@eee ~]$ ls -la .ssh
drwx------. 2 trevor trevor 4096 Jul 17 02:19 .
drwx------. 33 trevor trevor 4096 Aug 13 00:41 ..
-rw-------. 1 trevor trevor 951 Apr 14 2007 id_rsa
-rw-------. 1 trevor trevor 225 Apr 14 2007 id_rsa_pub
[/code]

Now you need to copy ~/.ssh/id_rsa.pub to ~/.ssh/authorized_keys and it needs to have the same permissions again.
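The listing above shows the modes sshd expects. As an added example (not code from the thread), the script below checks a home directory against the rules sshd applies when StrictModes is on, which is the default and is what the posted sshd_config leaves in place (`#StrictModes yes`): authorized_keys, ~/.ssh and the home directory must be owned by the user or root and must not be group- or world-writable (the `secure_filename` walk visible in the `sshd -Dddd` output), and the client additionally refuses a private key readable by anyone else. The fixture builder is a constructed test layout; the `id_*` naming convention for private keys is an assumption.

```python
"""Check a ~/.ssh layout against the ownership and permission rules that sshd
applies with StrictModes (the secure_filename walk seen in the debug log) and
that the ssh client applies to private keys.  Added example, not from the thread."""
import os
import stat
import tempfile

OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH          # rejected by sshd on dirs and files
PRIVATE_KEY_MASK = stat.S_IRWXG | stat.S_IRWXO     # must be zero on a private key


def check_ssh_layout(home, uid=None):
    """Return a list of problems; an empty list means the layout is acceptable."""
    uid = os.getuid() if uid is None else uid
    problems = []
    ssh_dir = os.path.join(home, ".ssh")
    authorized_keys = os.path.join(ssh_dir, "authorized_keys")

    def owned_and_tight(path):
        # sshd accepts the user or root as owner and rejects group/world write.
        st = os.stat(path)
        if st.st_uid not in (uid, 0):
            problems.append(f"{path}: owner uid {st.st_uid}, expected {uid} or 0")
        if st.st_mode & OTHER_WRITE:
            problems.append(f"{path}: group/world writable (mode {stat.S_IMODE(st.st_mode):04o})")

    # sshd checks authorized_keys, then every directory from .ssh up to $HOME.
    for path in (authorized_keys, ssh_dir, home):
        if not os.path.exists(path):
            problems.append(f"{path}: missing")
            continue
        owned_and_tight(path)

    # The client refuses a private key that is readable by anyone else
    # (assumption: private keys follow the id_* naming, without .pub).
    if os.path.isdir(ssh_dir):
        for name in os.listdir(ssh_dir):
            if name.startswith("id_") and not name.endswith(".pub"):
                st = os.stat(os.path.join(ssh_dir, name))
                if st.st_mode & PRIVATE_KEY_MASK:
                    problems.append(f"{name}: private key mode {stat.S_IMODE(st.st_mode):04o}, want 0600")
    return problems


def build_and_check(good=True):
    """Build a throwaway $HOME (constructed test fixture) and check it.
    good=False reproduces two common mistakes: a group-writable .ssh
    directory and a world-readable private key."""
    home = tempfile.mkdtemp()
    ssh_dir = os.path.join(home, ".ssh")
    os.mkdir(ssh_dir)
    for name in ("id_rsa", "id_rsa.pub", "authorized_keys"):
        with open(os.path.join(ssh_dir, name), "w") as f:
            f.write("# constructed placeholder, not a real key\n")
    os.chmod(home, 0o700)
    os.chmod(ssh_dir, 0o700 if good else 0o775)
    os.chmod(os.path.join(ssh_dir, "id_rsa"), 0o600 if good else 0o644)
    os.chmod(os.path.join(ssh_dir, "id_rsa.pub"), 0o644)
    os.chmod(os.path.join(ssh_dir, "authorized_keys"), 0o600)
    return check_ssh_layout(home)


if __name__ == "__main__":
    print("good layout:", build_and_check(True) or "OK")
    print("bad layout:", build_and_check(False))
```

Run `check_ssh_layout(os.path.expanduser("~"))` on a real account to get the same verdict sshd would reach before it ever reads the key; a non-empty list explains a "trying public key file" line that is not followed by "matching key found".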

h_fat
Posts: 48
Joined: 2007/04/13 17:23:48

Re: SSH public key authentication

Post by h_fat » 2011/09/04 05:03:03

The SELinux contexts need to be right as well if you didn't disable that. The command "restorecon -R .ssh" should fix that.

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

SSH public key authentication

Post by pschaff » 2011/09/14 18:18:59

Welcome to the CentOS fora. Please see the recommended reading for new users linked in my signature.

[quote]
aray92 wrote:
I've been trying for ages, but can't get this to work. On my CentOS 6 box, I generated two sets of rsa keys with:


[code]# ssh-keygen -t rsa[/code]

one went into ~/.ssh, the other into ~/
then I added the public key from ~/ to authorized_keys:

[code]# cat ~/id_rsa.pub > ~/.ssh/authorized_keys[/code][/quote]

That really makes no sense, and it is unclear what you are trying to accomplish. Usually ssh-keygen will by default create
[code]
~/.ssh/id_rsa
~/.ssh/id_rsa.pub
[/code]
The public key id_rsa.pub needs to be added to ~/.ssh/authorized_keys on the [b]remote[/b] machine, and this can be accomplished by
[code]
ssh-copy-id remoteuser@remotemachine
[/code]

The locally-generated private key should [b]not[/b] be transferred to the remote box. If you want to come from the remote box back to the local box, then the remote public key should be added to the local ~/.ssh/authorized_keys.

[quote]
then I restarted sshd.[/quote]
No need for that.

[quote]
I then moved the key pair from ~/ to ~/.ssh/ on a different box.[/quote]
Wrong. The remote key pair should be generated on the remote box.

[quote]
Now, ssh to the original CentOS box does not work.[/quote]
Not sure what's going on there. May be due to your changes to the sshd_config. See below.

[quote]
Here is the debugging output[/quote]
Way too much of that for me to attempt to make any sense of.

[quote]
ssh -vvv root@(host)
[code]
OpenSSH_5.1p1, OpenSSL 0.9.8k 25 Mar 2009
debug2: ssh_connect: needpriv 0
debug1: Connecting to 192.168.0.111 [192.168.0.111] port 22.
debug1: Connection established.
debug1: identity file /cygdrive/c/Documents and Settings/(user)/.ssh/identity type -1
debug3: Not a RSA1 key file /cygdrive/c/Documents and Settings/(user)/.ssh/id_rsa.[/code][/quote]
The remote Windows machine probably does not like the Unix line terminations or other formatting. Again, the key pair should be generated on the remote machine.

[quote]
Here is my sshd_config:[/quote]
Not very useful.

The changes between the original /etc/ssh/sshd_config and yours are:
[code]
< #HostKey /etc/ssh/ssh_host_rsa_key
---
> HostKey /etc/ssh/ssh_host_rsa_key
47,49c47,49
< #RSAAuthentication yes
< #PubkeyAuthentication yes
< #AuthorizedKeysFile .ssh/authorized_keys
---
> RSAAuthentication yes
> PubkeyAuthentication yes
> AuthorizedKeysFile ~/.ssh/authorized_keys
77d76
< #KerberosUseKuserok yes
[/code]
What was the intent of those changes? Most are just explicitly specifying the defaults but the "AuthorizedKeysFile" may be problematic. Get things working before making changes.

briankb
Posts: 1
Joined: 2011/10/22 08:47:20

[CONFIRMED] SSH public key authentication

Post by briankb » 2011/10/23 10:10:19

I may have confirmed the problem that Mr. aray92 has described.

I've been meaning to check out CentOS 6.0 just for fun, and also to see if I could contribute something back to the community. So when I read this post today I decided I would take the opportunity and try to help. Hopefully, in reproducing his problem, I haven't made any simple mistakes. I grabbed a spare machine (Optiplex 745) to start a test installation. I used grub2 to boot CentOS-6.0-x86_64-bin-DVD1.iso from a usb key. I chose "Use All Space" on the partition setup screen. I chose "Web Server" on the packages screen. After installation completed, the machine rebooted and I logged in as root. To get networking going I had to run `system-config-network`, and `ifup eth0`. This is a fresh install of CentOS 6.0 with a mundane configuration.

I then mounted the usb drive and copied the public key to create the authorized_keys file:
[code]
# cp /mnt/id_rsa.pub /root/.ssh/authorized_keys
# chmod 700 /root/.ssh
# chmod 600 /root/.ssh/authorized_keys
[/code]
This key was originally created using `ssh-keygen -t rsa`. An md5sum confirms that the key on the client (a Fedora 16 machine) is the same as the host's authorized_keys. I made no changes to sshd_config, since the default settings also provide the public key authentication method.

However, the client was unable to connect using the public key. Here is some of the debug output from the Fedora client:
[code]
[root@centos ~]# ssh -vvv 192.168.1.5
debug1: Connecting to 192.168.1.5 [192.168.1.5] port 22.
debug1: Connection established.
debug3: Incorrect RSA1 identifier
debug3: Could not load "/root/.ssh/id_rsa" as a RSA1 public key
debug2: key: /root/.ssh/id_rsa (0x220bd108)
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /root/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).
[/code]
Here's the full output on the client: http://pastebin.centos.org/37987

I'm not sure if the "Incorrect RSA1 identifier" message has any relevant consequence. I mentioned that I created this key the usual way.
I went back and changed sshd_config for the purpose of generating a debug log. I disabled GSSAPIAuthentication and PasswordAuthentication, and set the LogLevel to DEBUG3:
[code]
Oct 22 21:35:28 cloud sshd[1945]: debug1: userauth-request for user root service ssh-connection method publickey
Oct 22 21:35:28 cloud sshd[1944]: debug3: mm_answer_keyallowed: key_from_blob: 0x7f3343729d80
Oct 22 21:35:28 cloud sshd[1944]: debug1: trying public key file /root/.ssh/authorized_keys
Oct 22 21:35:28 cloud sshd[1944]: Failed publickey for root from 192.168.1.4 port 46722 ssh2
Oct 22 21:35:28 cloud sshd[1944]: debug3: mm_answer_keyallowed: key 0x7f3343729d80 is not allowed
[/code]
Here is the full log from the server: http://pastebin.centos.org/37988

It is clearly using the authorized_keys file, so I'm not sure why the method fails. I mentioned that the md5sum confirmed the client's key with the authorized_keys file.

I also took a further step by installing CentOS 5.7 in the same way. I copied the key to the authorized_keys file and then tried to log in from the client. This time the client connected as expected. That's what prompted me to make this report. Now hopefully someone smarter than me can sort out what is going on here!
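The `sshd -Dddd` output in the first post and the syslog excerpt in this one carry the same decision points in two formats: which authorized_keys file sshd opened, whether a matching key was found, whether the signature verified, and whether the session survived PAM. As an added example (not code from the thread), the triage below reduces either format to those facts. The sample lines are constructed, modeled on the two posted logs but with documentation addresses and a placeholder fingerprint, and the verdict strings are this example's own heuristics.

```python
"""Triage sshd debug output for a publickey login attempt.  Added example, not
from the thread; the sample lines below are constructed, modeled on the two
logs posted above (raw `sshd -Dddd` output and syslog lines at LogLevel DEBUG3)."""
import re

# Strip "Oct 22 21:35:28 host sshd[1944]: " and "debug1: " prefixes so both
# log styles reduce to the same message text.
SYSLOG_PREFIX = re.compile(r"^\w{3}\s+\d+\s+\d\d:\d\d:\d\d\s+\S+\s+sshd\[\d+\]:\s*")
DEBUG_PREFIX = re.compile(r"^debug\d:\s*")

KEYFILE = re.compile(r"trying public key file (\S+)")
MATCHED = re.compile(r"matching key found: file (\S+), line (\d+)")
FINGERPRINT = re.compile(r"Found matching \w+ key: (\S+)")
NOT_ALLOWED = re.compile(r"key 0x[0-9a-f]+ is not allowed")
SIG_OK = re.compile(r"ssh_rsa_verify: signature correct")
ACCEPTED = re.compile(r"Accepted publickey for (\S+) from (\S+)")
FAILED = re.compile(r"Failed publickey for (\S+) from (\S+)")
PAM_SESSION_FAIL = re.compile(r"pam_open_session\(\): Authentication failure")


def normalise(line):
    """Remove syslog and debug-level prefixes from one log line."""
    return DEBUG_PREFIX.sub("", SYSLOG_PREFIX.sub("", line.strip()))


def triage(lines):
    """Reduce a debug log to the facts that decide a publickey attempt."""
    s = {"keyfile": None, "matched_line": None, "fingerprint": None, "user": None,
         "peer": None, "key_rejected": False, "signature_ok": False,
         "accepted": False, "failed": False, "pam_session_failed": False}
    for raw in lines:
        line = normalise(raw)
        if m := KEYFILE.search(line):
            s["keyfile"] = m.group(1)
        elif m := MATCHED.search(line):
            s["matched_line"] = int(m.group(2))
        elif m := FINGERPRINT.search(line):
            s["fingerprint"] = m.group(1)
        elif NOT_ALLOWED.search(line):
            s["key_rejected"] = True
        elif SIG_OK.search(line):
            s["signature_ok"] = True
        elif m := ACCEPTED.search(line):
            s["accepted"], s["user"], s["peer"] = True, m.group(1), m.group(2)
        elif m := FAILED.search(line):
            s["failed"], s["user"], s["peer"] = True, m.group(1), m.group(2)
        elif PAM_SESSION_FAIL.search(line):
            s["pam_session_failed"] = True

    # Verdicts are this example's heuristics for the outcomes seen in the thread.
    if s["accepted"] and s["pam_session_failed"]:
        s["verdict"] = "key accepted; the failure is in PAM session setup, not key auth"
    elif s["accepted"]:
        s["verdict"] = "publickey authentication succeeded"
    elif s["key_rejected"] or s["failed"]:
        s["verdict"] = f"offered key not matched in {s['keyfile'] or 'authorized_keys'}"
    else:
        s["verdict"] = "no publickey decision seen"
    return s


# Constructed sample 1: shaped like the `sshd -Dddd` log in the first post.
SAMPLE_ACCEPTED_THEN_PAM = """\
debug1: userauth-request for user root service ssh-connection method publickey
debug1: trying public key file /root/.ssh/authorized_keys
debug1: matching key found: file /root/.ssh/authorized_keys, line 1
Found matching RSA key: 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff
debug1: ssh_rsa_verify: signature correct
Accepted publickey for root from 192.0.2.7 port 3157 ssh2
PAM: pam_open_session(): Authentication failure
"""

# Constructed sample 2: shaped like the syslog excerpt in the CONFIRMED post.
SAMPLE_KEY_NOT_ALLOWED = """\
Oct 22 21:35:28 cloud sshd[1945]: debug1: userauth-request for user root service ssh-connection method publickey
Oct 22 21:35:28 cloud sshd[1944]: debug1: trying public key file /root/.ssh/authorized_keys
Oct 22 21:35:28 cloud sshd[1944]: Failed publickey for root from 192.0.2.4 port 46722 ssh2
Oct 22 21:35:28 cloud sshd[1944]: debug3: mm_answer_keyallowed: key 0x7f3343729d80 is not allowed
"""

if __name__ == "__main__":
    for name, sample in (("accepted-then-PAM", SAMPLE_ACCEPTED_THEN_PAM),
                         ("key-not-allowed", SAMPLE_KEY_NOT_ALLOWED)):
        print(name, "->", triage(sample.splitlines())["verdict"])
```

The point of separating the facts is that "key not allowed" and "Accepted publickey" followed by a PAM failure need different fixes: the first is about the authorized_keys file (content, path or permissions), the second is past key authentication entirely.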

asklinux
Posts: 1
Joined: 2011/10/31 12:14:26

Re: [CONFIRMED] SSH public key authentication

Post by asklinux » 2011/10/31 12:26:25

Hi guys,

There is no problem with SSH public key authentication.

I don't know what you are trying to achieve (aray92, briankb).
It is very simple to do SSH key authentication.

I guess only two steps would be enough for that.

Step 1. Generate a pair of keys (by default the keys would be generated under /root/.ssh/):
[code]ssh-keygen -t rsa[/code]

Step 2. Copy the public key to the remote server:
[code]scp ~/.ssh/id_rsa.pub remote.server.ip:.ssh/authorized_keys[/code]

Now try to connect to the remote server:
[code]ssh 192.168.0.7[/code]
That's it.


Asklinux.info
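Several replies in this thread install the public key by redirecting or copying a file onto authorized_keys, which replaces whatever was there. As an added example (not code from the thread or from any of the posters), the script below does what ssh-copy-id does for one key but with checks: it validates that the line is a well-formed `keytype base64 [comment]` entry whose base64 blob really starts with the declared key type, appends only if the same key is not already present, creates the file with mode 0600, and reports the MD5 colon fingerprint (the form sshd logs as "Found matching RSA key") and the SHA256 form. The sample key is a constructed toy blob, not a real RSA key, and lines carrying an options prefix are deliberately left alone rather than parsed.

```python
"""Append a public key to authorized_keys safely: validate the line, skip
duplicates, never clobber existing entries (unlike `cat >` or scp onto the
file), and compute the fingerprints sshd logs.  Added example, not from the thread."""
import base64
import hashlib
import os
import struct
import tempfile


def _ssh_string(data):
    # SSH wire format: uint32 big-endian length followed by the bytes.
    return struct.pack(">I", len(data)) + data


def parse_pubkey_line(line):
    """Return (keytype, blob, comment) for a 'keytype base64 [comment]' line.
    Lines with a leading options field are not handled here and raise ValueError."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected 'keytype base64 [comment]'")
    keytype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as e:          # binascii.Error is a ValueError
        raise ValueError(f"bad base64: {e}") from None
    if len(blob) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + n]
    if embedded != keytype.encode():
        raise ValueError(f"declared type {keytype!r} but blob says {embedded!r}")
    return keytype, blob, comment


def is_valid_pubkey_line(line):
    try:
        parse_pubkey_line(line)
        return True
    except ValueError:
        return False


def fingerprints(blob):
    """Fingerprints in the two styles ssh-keygen -l and sshd logs use."""
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
            "sha256": "SHA256:" + sha}


def add_authorized_key(path, pubkey_line):
    """Append pubkey_line unless an entry with the same (type, blob) exists.
    Returns True if appended, False if already present."""
    keytype, blob, _ = parse_pubkey_line(pubkey_line)
    text = ""
    if os.path.exists(path):
        with open(path) as f:
            text = f.read()
    for existing in text.splitlines():
        existing = existing.strip()
        if not existing or existing.startswith("#"):
            continue
        try:
            t, b, _ = parse_pubkey_line(existing)
        except ValueError:
            continue  # unparsed lines (e.g. with options) are left untouched
        if (t, b) == (keytype, blob):
            return False
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    with os.fdopen(fd, "w") as f:
        if text and not text.endswith("\n"):
            f.write("\n")
        f.write(pubkey_line.strip() + "\n")
    return True


# Constructed toy ssh-rsa blob (e, then a placeholder modulus); not a real key.
_TOY_BLOB = (_ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01")
             + _ssh_string(b"\x00" + bytes(range(1, 33))))
SAMPLE_PUBKEY = "ssh-rsa " + base64.b64encode(_TOY_BLOB).decode() + " constructed@example"


def demo_round_trip():
    """Add the same key twice to a fresh file; returns (first, second, line_count)."""
    path = os.path.join(tempfile.mkdtemp(), "authorized_keys")
    first = add_authorized_key(path, SAMPLE_PUBKEY)
    second = add_authorized_key(path, SAMPLE_PUBKEY)
    with open(path) as f:
        count = len(f.read().splitlines())
    return first, second, count


if __name__ == "__main__":
    print("appended, appended again, lines:", demo_round_trip())
    print(fingerprints(parse_pubkey_line(SAMPLE_PUBKEY)[1]))
```

Comparing the MD5 colon fingerprint of the client's id_rsa.pub with the "Found matching RSA key" line in the server debug log is a quicker check than an md5sum of the whole file, because it ignores comment and whitespace differences and tells you which authorized_keys line sshd actually matched.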
