[NCLUG] openssh and publickey

William Dan Terry william.terry at knotworks.com
Mon Dec 10 12:28:00 MST 2001 

I have KRUD/RedHat 7.1 (and the openssh that comes with it) on two
systems. I created a key set and put them on both systems. I've been using
ssh since its inception so I'm familiar with the basics and have my
permissions set correctly and haven't had any trouble getting it to work.

However, I can't get openssh to work. I have it set to publickey
only. Following are config files and log entries.

I did create new ssh2 keys (DSA). I copied the keys to identity and
authorization. I did the copy to identity because the verbose client only
looked for that file by default.

Any help would be greatly appreciated.

TIA, William

//------------------------ sshd_config

#	$OpenBSD: sshd_config,v 1.38 2001/04/15 21:41:29 deraadt Exp $

# This sshd was compiled with
PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin

# This is the sshd server system-wide configuration file.  See sshd(8)
# for more information.

Port 22
Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::
HostKey /etc/ssh/ssh_host_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
ServerKeyBits 768
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin no
#
# Don't read ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# Uncomment if you don't trust ~/.ssh/known_hosts for
RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
StrictModes no
X11Forwarding no
X11DisplayOffset 10
PrintMotd yes
#PrintLastLog no
KeepAlive yes

# Logging
SyslogFacility AUTH
#LogLevel INFO
LogLevel VERBOSE
#obsoletes QuietMode and FascistLogging

RhostsAuthentication no
#
# For this to work you will also need host keys in
/etc/ssh/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
#
RSAAuthentication no

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
PermitEmptyPasswords no

PubkeyAuthentication yes

# Uncomment to disable s/key passwords 
ChallengeResponseAuthentication no

# Uncomment to enable PAM keyboard-interactive authentication 
# Warning: enabling this may bypass the setting of
'PasswordAuthentication'
#PAMAuthenticationViaKbdInt yes

# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no

# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes

#CheckMail yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net
ReverseMappingCheck no

Subsystem	sftp	/usr/libexec/openssh/sftp-server


//------------------------ ssh_config

#	$OpenBSD: ssh_config,v 1.10 2001/04/03 21:19:38 todd Exp $

# This is ssh client systemwide configuration file.  See ssh(1) for more
# information.  This file provides defaults for users, and the values
can
# be changed in per-user configuration files or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for various options

# Host *
#   ForwardAgent no
#   ForwardX11 no
#   RhostsAuthentication no
#   RhostsRSAAuthentication yes
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   FallBackToRsh no
#   UseRsh no
#   BatchMode no
#   CheckHostIP yes
#   StrictHostKeyChecking yes
   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_dsa
#   IdentityFile ~/.ssh/id_rsa
#   Port 22
   Protocol 2
   Cipher blowfish
#   EscapeChar ~


//------------------------ client-side

[wterry at bandersnatch ~]$ ssh -v -v jabiru
OpenSSH_2.9p2, SSH protocols 1.5/2.0, OpenSSL 0x0090600f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Seeding random number generator
debug1: Rhosts Authentication disabled, originating port will not be
trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 500 geteuid 0 anon 1
debug1: Connecting to jabiru [192.168.1.31] port 22.
debug1: temporarily_use_uid: 500/500 (e=0)
debug1: restore_uid
debug1: temporarily_use_uid: 500/500 (e=0)
debug1: restore_uid
debug1: Connection established.
debug1: read PEM private key done: type DSA
debug1: read PEM private key done: type RSA
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug2: key_type_from_name: unknown key type 'Proc-Type:'
debug2: key_type_from_name: unknown key type 'DEK-Info:'
debug2: key_type_from_name: unknown key type '-----END'
debug1: identity file /home/wterry/.ssh/identity type -1
debug1: Remote protocol version 2.0, remote software version
OpenSSH_2.9p2
debug1: match: OpenSSH_2.9p2 pat ^OpenSSH
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_2.9p2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 120/256
debug1: bits set: 1023/2049
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'jabiru' is known and matches the RSA host key.
debug1: Found key in /home/wterry/.ssh/known_hosts2:1
debug1: bits set: 1060/2049
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey
debug1: next auth method to try is publickey
debug1: try privkey: /home/wterry/.ssh/identity
debug1: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
Enter passphrase for key '/home/wterry/.ssh/identity': 
debug1: read PEM private key done: type DSA
debug1: sig size 20 20
debug2: we sent a publickey packet, wait for reply
debug1: authentications that can continue: publickey
debug2: we did not send a packet, disable method
debug1: no more auth methods to try
Permission denied (publickey).
debug1: Calling cleanup 0x8063520(0x0)
[wterry at bandersnatch ~]$ 


//------------------------ client-side

[root at jabiru ssh]# tail /var/log/messages
Dec  8 14:05:32 jabiru sshd[1048]: Server listening on 0.0.0.0 port 22.
Dec  8 14:05:32 jabiru sshd: sshd startup succeeded
Dec  8 14:05:37 jabiru sshd[1052]: Connection from 192.168.1.13 port
33454
Dec  8 14:05:37 jabiru sshd[1052]: Enabling compatibility mode for
protocol 2.0
Dec  8 14:05:37 jabiru sshd[1052]: Could not reverse map address
192.168.1.13.
Dec  8 14:05:37 jabiru sshd[1052]: Failed none for wterry from
192.168.1.13 port 33454 ssh2
Dec  8 14:05:52 jabiru sshd[1052]: Failed publickey for wterry from
192.168.1.13 port 33454 ssh2
Dec  8 14:05:52 jabiru sshd[1052]: Connection closed by 192.168.1.13


___________W__i__l__l__i__a__m_____D__a__n_____T__e__r__r__y___________
How do we acquire wisdom along with all these shiny things? -David Brin

    PGP public key:     http://www.knotworks.com/wdt_pgp_pubkey.asc
    fingerprint:   DC 80 E4 18 E2 CB AC F4  8C 59 9B 9C BB A2 D7 4B

More information about the NCLUG mailing list