[SOLVED] SSH with key authentication

Alex_F
Posts: 3
Joined: 2020/03/27 09:29:28

[SOLVED] SSH with key authentication

Post by Alex_F » 2020/03/27 09:57:44

I'm trying to get an SSH login from a CentOS 6.10 host "A" to a CentOS 8.1.1911 client "B" without entering the password every time, but I have had no success. Reading on the internet I have found that this can be done by using a key authentication method.

This is what I have done on machine "A", which makes the connection (CentOS 6.10):

Code:
[afe@lis .ssh]$ ssh-keygen
Enter file in which to save the key (/home/afe/.ssh/id_rsa): /home/afe/.ssh/afe-ssh-key
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/afe/.ssh/afe-ssh-key.
Your public key has been saved in /home/afe/.ssh/afe-ssh-key.pub.

[afe@lis .ssh]$ ssh-copy-id -i ~/.ssh/afe-ssh-key.pub 10.1.14.1
afe@10.1.14.1's password:
Now try logging into the machine, with "ssh '10.1.14.1'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

With the above commands I have created a new RSA key for login and copied it to the client with ssh-copy-id. Then I have checked that the key has been correctly copied to client "B" (CentOS 8.1.1911):

Code:
[root@lis2 ~]# cat /home/afe/.ssh/authorized_keys
2048 35 25406803204391724297633895539201141496305088866651758453174517532090317894361025978870330553064286913327825897195290567936890937361741253375339402302849409128884611747969851909687449852890972047104807362808789961467982014400629508044473587571466654012152314007529730645776394307107996312950350383340643819576405725626922094549382509037522556561557125113336023883107157168655038607463786615298091369604720552273696422629335717541998125563389726226269778492830094675011607653138327459766087162383011532736629710924173583953554845758230995379924264840698890182840463340839867933781030962349541873987184515270681909334333 afe@lis.mydomain

Then I try to connect from "A" to "B" with the ssh command but, since I always get a password request, I have used the -vvv option:

Code:
[afe@lis .ssh]$ ssh -vvv -l afe -i ~/.ssh/afe-ssh-key 10.1.14.1
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 10.1.14.1 [10.1.14.1] port 22.
debug1: Connection established.
debug3: Not a RSA1 key file /home/afe/.ssh/afe-ssh-key.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/afe/.ssh/afe-ssh-key type 1
debug1: identity file /home/afe/.ssh/afe-ssh-key-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.0
debug1: match: OpenSSH_8.0 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug3: Wrote 864 bytes for a total of 885
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96
debug2: kex_parse_kexinit: hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
debug2: kex_parse_kexinit: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
debug2: kex_parse_kexinit: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc
debug2: kex_parse_kexinit: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc
debug2: kex_parse_kexinit: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
debug2: kex_parse_kexinit: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-sha1
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug2: mac_setup: found hmac-sha1
debug1: kex: client->server aes128-ctr hmac-sha1 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<2048<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug3: Wrote 24 bytes for a total of 909
debug2: dh_gen_key: priv key bits set: 168/320
debug2: bits set: 999/2048
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: Wrote 272 bytes for a total of 1181
debug3: check_host_in_hostfile: host 10.1.14.1 filename /home/afe/.ssh/known_hosts
debug3: check_host_in_hostfile: host 10.1.14.1 filename /home/afe/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug1: Host '10.1.14.1' is known and matches the RSA host key.
debug1: Found key in /home/afe/.ssh/known_hosts:1
debug2: bits set: 997/2048
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: Wrote 16 bytes for a total of 1197
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug3: Wrote 52 bytes for a total of 1249
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/afe/.ssh/afe-ssh-key (0x55cede4b0c00)
debug3: Wrote 68 bytes for a total of 1317
debug3: input_userauth_banner
<omiss>
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug3: Trying to reverse map address 10.1.14.1.
debug1: Unspecified GSS failure.  Minor code may provide more information
Cannot determine realm for numeric host address

debug1: Unspecified GSS failure.  Minor code may provide more information
Cannot determine realm for numeric host address

debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/afe/.ssh/afe-ssh-key
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug3: Wrote 372 bytes for a total of 1689
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
afe@10.1.14.1's password:

I presume that the main problem is related to the "debug1: Unspecified GSS failure. Minor code may provide more information Cannot determine realm for numeric host address" message.
I have tried to add the "A" host IP address to the "B" /etc/hosts file without success, and I have also tried to run

Code:
restorecon -Rv ~/.ssh

on both host "A" and client "B", without success.

Can anyone suggest a solution to resolve this problem?
Many Thanks,
Alessio.
Last edited by Alex_F on 2020/03/27 13:09:01, edited 1 time in total.

TrevorH
Forum Moderator
Posts: 28089
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SSH with key authentication

Post by TrevorH » 2020/03/27 10:08:54

Is there anything in /var/log/secure on the CentOS 8 machine?
CentOS 6 will die in November 2020 - migrate sooner rather than later!
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 is dead, do not use it.
Full time Geek, part time moderator. Use the FAQ Luke

jlehtone
Posts: 2601
Joined: 2007/12/11 08:17:33
Location: Finland

Re: SSH with key authentication

Post by jlehtone » 2020/03/27 10:12:27

The public keys that I have do start with "ssh-rsa ". Not "2048 ".

Alex_F
Posts: 3
Joined: 2020/03/27 09:29:28

Re: SSH with key authentication

Post by Alex_F » 2020/03/27 10:26:59

TrevorH wrote (2020/03/27 10:08:54):
> Is there anything in /var/log/secure on the CentOS 8 machine?

You are right, I forgot to check this file! This is what I have found in it:

Code:
Mar 27 11:19:27 lis2 sshd[6343]: Authentication refused: bad ownership or modes for directory /home/afe

But I have no idea what ownership or modes I have to use for this directory (I have used the modes that I found in some articles). These are the current ownership and modes of the important files:

Code:
[root@lis2 ~]# ls -la /home/afe/
drwx------.   2 afe  afe    48 27 mar 09.58 .ssh

[root@lis2 ~]# ls -la /home/afe/.ssh
totale 12
drwx------.  2 afe afe   48 27 mar 09.58 .
drwxrwx---. 26 afe afe 4096 27 mar 09.53 ..
-rw-r--r--.  1 afe afe 1057 27 mar 10.40 authorized_keys
-rw-r--r--.  1 afe afe  390 27 mar 09.30 known_hosts

Does anyone know the right authorization I must use?
Many thanks.
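As an added example (not code from the thread), the two checks that fail in this post can be reproduced on a scratch directory: the ownership/mode test sshd applies under StrictModes, and the authorized_keys line format. GNU stat, base64, head and tail are assumed (Linux); the "ssh-rsa" blob is constructed and not a real key.

```shell
# Added example, not from the thread. With StrictModes (the default) sshd
# refuses a key when the home directory, ~/.ssh or authorized_keys is
# group/other-writable or owned by someone else, and an authorized_keys
# line must be "<type> <base64> [comment]" with the blob starting with <type>.

# safe_path PATH USER: 0 if PATH is owned by USER (or root) and has no
# group or other write bit; mirrors sshd's per-component ownership test.
safe_path() {
    owner=$(stat -c %U "$1" 2>/dev/null) || return 1
    mode=$(stat -c %a "$1")             # e.g. 770, 700, 644
    [ "$owner" = "$2" ] || [ "$owner" = root ] || return 1
    other=${mode#"${mode%?}"}           # last octal digit
    rest=${mode%?}
    group=${rest#"${rest%?}"}           # second-to-last octal digit
    case "$group$other" in
        *[2367]*) return 1 ;;           # digits with the write bit (2) set
    esac
    return 0
}

# check_home HOME USER: the items sshd inspects for USER's key. (Real sshd
# also walks the parents such as /home and /; the failing one here was HOME.)
check_home() {
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        safe_path "$p" "$2" && continue
        echo "Authentication would be refused: bad ownership or modes for $p" >&2
        return 1
    done
    return 0
}

# valid_authorized_key LINE: 0 if LINE is "<type> <base64> [comment]" and the
# decoded blob's first length-prefixed string equals <type>, as OpenSSH expects.
# The thread's "2048 35 <decimal>" line is the old SSH1 layout and is rejected.
valid_authorized_key() {
    set -- $1                           # split LINE into fields
    case "$1" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;
    esac
    blob=$(printf '%s' "$2" | base64 -d 2>/dev/null | head -c $((4 + ${#1})) | tail -c "${#1}")
    [ "$blob" = "$1" ]
}

# sample_rsa_blob: a constructed, non-functional "ssh-rsa" blob (e=3, n=5)
# so the format check can be exercised offline without ssh-keygen.
sample_rsa_blob() {
    printf '\000\000\000\007ssh-rsa\000\000\000\001\003\000\000\000\001\005' | base64
}
```

Running `check_home /home/afe afe` on the client with the 770 home directory shown above reports the same component sshd logged in /var/log/secure.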

TrevorH
Forum Moderator
Posts: 28089
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SSH with key authentication

Post by TrevorH » 2020/03/27 10:35:11

chmod 700 /home/afe

And as pointed out, that doesn't look like an ssh pubkey.

Alex_F
Posts: 3
Joined: 2020/03/27 09:29:28

Re: SSH with key authentication

Post by Alex_F » 2020/03/27 10:48:25

Thanks to TrevorH and jlehtone.
Now the login works as expected. I had two issues: the first was the modes of the /home/afe directory and the second was that, probably because of my mistakes on some tries, I got a strange key in the /home/afe/.ssh/authorized_keys file (I have cleaned it and resent the key from host "A", and now it is good).

Only one other question:
I figured out that the restriction on the permissions of the main directory is for security reasons and I have no problem using 700 in this case but, since I am thinking of using this kind of login also for an rsync operation between two computers and I have some folders that should be accessible by group members, what is the correct implementation to do something like this?

Many thanks,
Alessio.

jlehtone
Posts: 2601
Joined: 2007/12/11 08:17:33
Location: Finland

Re: SSH with key authentication

Post by jlehtone » 2020/03/27 12:58:42

Not somebody's home.

When there are multiple machines (and users in them) that all should access the same files, then a common solution is to put files into a NFS server and each machine mounts (I prefer autofs) the share. If there is just one machine, then a local directory.

The default installer creates filesystems / and /home. One could create directory /home/common (but I recommend a more descriptive name).

Your account's primary group is "afe". RH has this trick: if the username and primary group are the same, then files and folders you create will have g+w; the group can write. This is good.

You create another (POSIX) group and add members to it.
You make the group of /home/common to be that group.

Code:
chmod 2770 /home/common

The 2, the group sticky bit, assigns the group to created content rather than the default: the primary group of the creating process.

This is not idiot-proof; moving files into such a directory ignores the sticky bit and then you have to chmod & chgrp.
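As an added example (not code from the thread), the shared directory described above together with the "chmod & chgrp" repair for content that was moved in with mv. GNU coreutils and findutils are assumed (Linux); the function and directory names are mine.

```shell
# Added example, not from the thread: a setgid shared directory for a POSIX
# group, and the repair step for files moved in with mv, which keep their
# old group and mode instead of inheriting from the directory.

# make_shared_dir DIR GROUP: owner and GROUP get rwx, others nothing; the
# leading 2 (setgid on a directory) makes new files and subdirectories take
# GROUP instead of the creator's primary group. The caller must be in GROUP.
make_shared_dir() {
    mkdir -p "$1" || return 1
    chgrp "$2" "$1" || return 1
    chmod 2770 "$1"
}

# file_group PATH / file_mode PATH: owning group name and octal mode (the
# mode keeps the setgid digit, e.g. 2770 for the directory itself).
file_group() { stat -c %G "$1"; }
file_mode()  { stat -c %a "$1"; }

# repair_shared_dir DIR GROUP: the "chmod & chgrp" after a mv.
#  1. anything not in GROUP is moved into it;
#  2. anything without group write (octal 020) gets g+w;
#  3. subdirectories without setgid (octal 2000) get it, so inheritance
#     continues below them.
repair_shared_dir() {
    find "$1" ! -group "$2" -exec chgrp "$2" {} + &&
    find "$1" ! -perm -020 -exec chmod g+w {} + &&
    find "$1" -type d ! -perm -2000 -exec chmod g+s {} +
}

# Demo: run as "sh thisfile.sh demo" to exercise the functions on a temp
# directory using your own primary group (the only group sure to exist).
if [ "${1:-}" = demo ]; then
    g=$(id -gn); d=$(mktemp -d)/shared
    make_shared_dir "$d" "$g"
    touch "$d/new.txt"; echo "new.txt -> group $(file_group "$d/new.txt")"
    mkdir "$d/moved_dir"; chmod g-s,u=rwx,go= "$d/moved_dir"   # as if mv-ed in
    repair_shared_dir "$d" "$g"
    echo "moved_dir -> mode $(file_mode "$d/moved_dir")"
    rm -rf "$(dirname "$d")"
fi
```

For rsync over SSH into such a directory, the receiving account must be a member of the group, and files copied in by rsync (not moved) pick up the group automatically.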
