Problem with key authorisation

Support for security such as Firewalls and securing linux
bandit
Posts: 1
Joined: 2012/05/05 07:23:56

Problem with key authorisation

Post by bandit » 2012/05/05 07:50:01

I have a problem with key authorisation on my server [CentOS release 6.2 (Final)].

I am trying to use a public/private key pair which I use on my Ubuntu server (I know it should be another one, it's just for debugging).

When I try to connect using my private key I get:

[quote]
user@localhost:~/.ssh$ ssh -v -p 22 -i ~/.ssh/myPrivatekey user@myserver
OpenSSH_5.8p1 Debian-7ubuntu1, OpenSSL 1.0.0e 6 Sep 2011
debug1: Reading configuration data /home/user/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to myserver [myserver] port 22.
debug1: Connection established.
debug1: identity file myPrivatekey type -1
debug1: identity file myPrivatekey-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.8p1 Debian-7ubuntu1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA 6c:bc:cb:02:34:4e:8c:9a:b8:73:ed:3a:8c:0c:72:6f
debug1: checking without port identifier
debug1: Host 'myserver' is known and matches the RSA host key.
debug1: Found key in /home/user/.ssh/known_hosts:21
debug1: found matching key w/out port
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_1000' not found

debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_1000' not found

debug1: Unspecified GSS failure. Minor code may provide more information


debug1: Unspecified GSS failure. Minor code may provide more information


debug1: Next authentication method: publickey
debug1: Offering RSA public key: user@user-lap
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Offering RSA public key: root@myserver
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: myPrivatekey
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: password
[/quote]

My sshd_config on server:

[quote]
Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedKeysCommand none
#AuthorizedKeysCommandRunAs nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes
[/quote]

Any help with diagnosing?

TrevorH
Forum Moderator
Posts: 30160
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Problem with key authorisation

Post by TrevorH » 2012/05/05 11:40:47

Check the basics first...

$user/.ssh should be owned by $user:$user and chmod 700
$user/.ssh/authorized_keys should be owned $user:$user and be chmod 600

If selinux is enabled then it's worth running `restorecon -R $user/.ssh`
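
The ownership and mode checks from the post above, as an added shell example that is not part of the original thread. The function name `check_ssh_perms` is hypothetical, GNU `stat -c` is assumed, and the last check goes slightly beyond the post: sshd's `StrictModes` also refuses keys when the home directory itself is group- or world-writable.

```shell
#!/bin/sh
# Added example: audit the paths sshd inspects before accepting a public key.
# Usage: check_ssh_perms HOME_DIR [OWNER]
# Prints one line per problem and returns 1 if anything is wrong.
check_ssh_perms() {
    home=$1
    owner=${2:-$(id -un)}   # assumption: default to the calling user
    bad=0
    # path:expected-mode pairs, as recommended in the post
    for entry in "$home/.ssh:700" "$home/.ssh/authorized_keys:600"; do
        path=${entry%:*}
        want=${entry##*:}
        if [ ! -e "$path" ]; then
            echo "MISSING $path"
            bad=1
            continue
        fi
        mode=$(stat -c '%a' "$path")
        who=$(stat -c '%U' "$path")
        [ "$mode" = "$want" ] || { echo "MODE $path is $mode, want $want"; bad=1; }
        [ "$who" = "$owner" ] || { echo "OWNER $path is $who, want $owner"; bad=1; }
    done
    # Home directory: flag group/other write bits (octal mask 022).
    mode=$(stat -c '%a' "$home")
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "MODE $home is $mode, group- or world-writable"
        bad=1
    fi
    return $bad
}

# Run directly as: sh check.sh /home/user user
[ "$#" -eq 0 ] || check_ssh_perms "$@"
```

Run it on the server as root or as the account being logged into; a clean result with key login still failing points at the SELinux context, which `restorecon -R` resets.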

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America
Contact:

Problem with key authorisation

Post by pschaff » 2012/05/05 21:32:05

Welcome to the CentOS fora. Please see the recommended reading for new users linked in my signature.

[quote]
bandit wrote:
I have a problem with key authorisation on my server [CentOS release 6.2 (Final)].

I am trying to use a public/private key pair which I use on my Ubuntu server (I know it should be another one, it's just for debugging).[/quote]
It is not clear what systems you are trying to connect from and to, nor exactly how you transferred the key[s]. Please provide details.

[quote]
...
My sshd_config on server:
...
Any help with diagnosing?[/quote]
You have made a lot of modifications from the default - ">" are from the standard sshd_config:
[code]# grep -v \# tmp | uniq > T1
# grep -v \# /etc/ssh/sshd_config | uniq > T2
# diff T?
1c1,2
< Port 22
---
>
> AddressFamily inet
7,8d7
< PermitRootLogin yes
<
9a9,25
>
> ChallengeResponseAuthentication no
>
> GSSAPIAuthentication yes
> GSSAPICleanupCredentials yes
>
> UsePAM yes
>
> AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
> AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
> AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
> AcceptEnv XMODIFIERS
>
> X11Forwarding yes
>
> Subsystem sftp /usr/libexec/openssh/sftp-server
>
[/code]
"Port 22" is a do-nothing as it is the default anyway. Did you try connecting before making all those changes?
