03-12-2011, 11:31 PM
Aéris

SSH Issue


On 13/03/2011 00:00, Michael Thompson wrote:
> I've got a slight issue with logging into my server using public keys.

Could you paste the output of « grep sshd /var/log/auth.log »?

--
Aeris


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/4d7c106b$0$689$426a74cc@news.free.fr
 
03-13-2011, 01:28 AM
Adrian Levi

SSH Issue

On 13 March 2011 08:37, Michael Thompson <maverickapollo@gmail.com> wrote:
> I've got a slight issue with logging into my server using public keys.
>
> It was working fine, until I had to rebuild my desktop machine. I had
> the key copied to the server, and passwordless logins were fine.
>
> However now I have rebuilt my desktop, I can't get to the login.
>
> So here's what's happened.
>
> Rebuilt id_rsa.pub, server will not allow login. Remove id_rsa.pub and
> the server allows password based login.
>
> On the server, removed authorized_keys and known_hosts. makes no
> difference. Server still disallows keyfile, but will allow password
> when id_rsa is not present on the client.

On the server to get key based auth working you must:
1) Have the correct permissions on .ssh/*
2) Have your public key in authorized_keys

On the client you need to have your key decrypted for use either by:
1) using agent
2) having an empty password string in your private key.
3) correct .ssh/* permissions.

How many keys are in your server authorized_keys file? Can you trim it
down to just one for testing?
What sort of changes have you made to the default sshd.conf file on
the server and ssh.conf file on the client?

Adrian



> Here's a -v of the login chat with keyfile
>
> Code:
>
> michael@eve:~$ ssh -v server
> OpenSSH_5.5p1 Debian-6, OpenSSL 0.9.8o 01 Jun 2010
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug1: Connecting to server [ser.ver.ip] port 22.
> debug1: Connection established.
> debug1: identity file /home/michael/.ssh/id_rsa type 1
> debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
> debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
> debug1: identity file /home/michael/.ssh/id_rsa-cert type -1
> debug1: identity file /home/michael/.ssh/id_dsa type -1
> debug1: identity file /home/michael/.ssh/id_dsa-cert type -1
> debug1: Remote protocol version 2.0, remote software version
> OpenSSH_5.1p1 Debian-5
> debug1: match: OpenSSH_5.1p1 Debian-5 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_5.5p1 Debian-6
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug1: kex: server->client aes128-ctr hmac-md5 none
> debug1: kex: client->server aes128-ctr hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> debug1: Host 'host' is known and matches the RSA host key.
> debug1: Found key in /home/michael/.ssh/known_hosts:1
> debug1: ssh_rsa_verify: signature correct
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug1: SSH2_MSG_NEWKEYS received
> debug1: Roaming not allowed by server
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug1: Authentications that can continue: publickey,password
> debug1: Next authentication method: publickey
> debug1: Offering public key: /home/michael/.ssh/id_rsa
> Received disconnect from ser.ver.ip: 2: Too many authentication
> failures for michael
>
> And without
>
> Code:
>
> michael@eve:~/.ssh$ ssh -v server
> OpenSSH_5.5p1 Debian-6, OpenSSL 0.9.8o 01 Jun 2010
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug1: Connecting to server [ser.ver.ip] port 22.
> debug1: Connection established.
> debug1: identity file /home/michael/.ssh/id_rsa type -1
> debug1: identity file /home/michael/.ssh/id_rsa-cert type -1
> debug1: identity file /home/michael/.ssh/id_dsa type -1
> debug1: identity file /home/michael/.ssh/id_dsa-cert type -1
> debug1: Remote protocol version 2.0, remote software version
> OpenSSH_5.1p1 Debian-5
> debug1: match: OpenSSH_5.1p1 Debian-5 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_5.5p1 Debian-6
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug1: kex: server->client aes128-ctr hmac-md5 none
> debug1: kex: client->server aes128-ctr hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> debug1: Host 'server' is known and matches the RSA host key.
> debug1: Found key in /home/michael/.ssh/known_hosts:1
> debug1: ssh_rsa_verify: signature correct
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug1: SSH2_MSG_NEWKEYS received
> debug1: Roaming not allowed by server
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug1: Authentications that can continue: publickey,password
> debug1: Next authentication method: publickey
> debug1: Trying private key: /home/michael/.ssh/id_rsa
> debug1: Trying private key: /home/michael/.ssh/id_dsa
> debug1: Next authentication method: password
> michael@server's password:
> debug1: Authentication succeeded (password).
> debug1: channel 0: new [client-session]
> debug1: Requesting no-more-sessions@openssh.com
> debug1: Entering interactive session.
> debug1: Sending environment.
> debug1: Sending env LANG = en_GB.UTF-8
> Linux s15433632 2.6.18-028stab070.4 #1 SMP Tue Aug 17 18:32:47 MSD 2010 x86_64
>
> So, is there any way of getting the server to forget the previous keys
> it is remembering? As previously said, I have completely removed the
> contents of ~/.ssh/ on both the clients and the server.
> __________________
>
> --
> Michael
> http://photography.thompsonm.me.uk
>
> To see a World in a Grain of Sand
> And a Heaven in a Wild Flower,
> Hold Infinity in the palm of your hand
> And Eternity in an hour.
> --William Blake
>



--
24x7x365 != 24x7x52 Stupid or bad maths?
<erno> hm. I've lost a machine.. literally _lost_. it responds to
ping, it works completely, I just can't figure out where in my
apartment it is.


 
03-13-2011, 08:15 AM
Michael Thompson

SSH Issue

On 13 March 2011 02:28, Adrian Levi <adrian.levi@gmail.com> wrote:
> On the server to get key based auth working you must:
> 1) Have the correct permissions on .ssh/*

Permissions on all ~/.ssh are fine and correct at 0644

> 2) have your public key in authorized_keys

Both authorized_keys on the server and client have been deleted.
Without anything in the ~/.ssh directories it allows login via password.
As soon as key-gen -t rsa is performed on the client, the server
disallows login, unless ssh -o PreferredAuthentications=password -l
user server_address is used.

Is there another file the server may have stored the key in, which I'm unaware of?

>
> On the client you need to have your key decrypted for use either by:
> 1) using agent
> 2) having an empty password string in your private key.

Empty password in the actual keyfile.

> 3) correct .ssh/* permissions.
>
> How many keys are in your server authorized_keys file? can you trim it
> down to just one for testing?

It's empty. (~/.ssh)

> What sort of changes have you made to the default sshd.conf file on
> the server and ssh.conf file on the client.

None, apart from disallowing root logins.


 
03-13-2011, 11:37 AM
Michael Thompson

SSH Issue

This is now solved. MaxAuthRetries was set to 1, so when the server
rejected the ID, it exceeded the value.

Increasing this amount so the server could proceed to password
interactive login worked and let me send the new keyfile to the server.

Thanks for all your help.


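The failure mode resolved in this thread, as an added example that is not part of any poster's message: a rejected public key counts against the server's authentication-attempt limit (the sshd_config keyword is `MaxAuthTries`, default 6), so with a limit of 1 the client is disconnected before password authentication is ever tried. The function names, the verdict strings and both sample inputs are constructed for illustration, and the "offered keys >= limit" rule is a simplified model that matches the behaviour reported above.

```shell
#!/bin/sh
# Added example; both samples below are constructed, not captured from a real host.
sample_log() { cat <<'EOF'
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/michael/.ssh/id_rsa
Received disconnect from ser.ver.ip: 2: Too many authentication failures for michael
EOF
}
sample_sshd_config() { cat <<'EOF'
# constructed fragment
PermitRootLogin no
MaxAuthTries 1
EOF
}

# Read sshd_config on stdin; print the first uncommented MaxAuthTries value,
# or sshd's default of 6. Assumption: Match blocks and Include files are ignored.
max_auth_tries() {
  awk 'tolower($1) == "maxauthtries" { print $2; found = 1; exit }
       END { if (!found) print 6 }'
}

# True if the captured transcript ($d_log) contains the fixed string $1.
has() { printf '%s\n' "$d_log" | grep -qF "$1"; }

# Read a client-side `ssh -v` transcript on stdin; $1 is the server's MaxAuthTries.
diagnose() {
  d_log=$(cat)
  d_offered=$(printf '%s\n' "$d_log" | grep -c 'Offering public key:' || true)
  if has 'Too many authentication failures' && ! has 'Next authentication method: password'; then
    verdict=locked-out   # rejected keys used every try before password was reached
  elif has 'Authentication succeeded'; then
    verdict=ok
  elif [ "$d_offered" -ge "$1" ]; then
    verdict=at-risk      # if all offered keys are rejected, the limit is hit
  else
    verdict=ok
  fi
  echo "$verdict offered=$d_offered maxauthtries=$1"
}

# Demo on the constructed samples.
sample_log | diagnose "$(sample_sshd_config | max_auth_tries)"
```

On a live server, `sshd -T` prints the effective configuration, including `maxauthtries`; the client-side workaround quoted in the thread is `-o PreferredAuthentications=password`.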
 

All times are GMT.