 
Old 02-08-2008, 09:43 AM
Christopher Bianchi
 
Default Cannot authenticate with DSA-pubkey in Etch

Hello everyone, the problem is this:

I wish to connect my laptop to my server with an ssh pubkey and no
password. The procedure that I use to create the key pair and set
permissions on the directories (.ssh/) on laptop and server is correct.

I think that it's a possible error in sshd_config.

I attached 2 text files to the mail, with the sshd_config and the exact
error.

Here is the uname of the machine:

ienabellamy@sunny:~$ uname -a
Linux sunny 2.4.27-3-sparc64 #1 Tue Dec 5 22:18:03 UTC 2006 sparc64
GNU/Linux


In the past, I was able to connect two boxes with pubkey, and if I remember
correctly, in this way!

Thanks for the attention!


--
Christopher Bianchi <ienabellamy@gmail.com>
**** sshd_config *******************************************************
# What ports, IPs and protocols we listen for
Port 10022
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 1m
PermitRootLogin no
StrictModes yes

# Max number of login attempts for a single connection
MaxAuthTries 3

RSAAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to no to disable s/key passwords
ChallengeResponseAuthentication no

# Change to yes to enable tunnelled clear text passwords
PasswordAuthentication yes

AllowGroups sshusers

# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no

# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes

X11Forwarding no
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
KeepAlive yes
#UseLogin no

#MaxStartups 10:30:60

Banner /etc/issue.net

Subsystem sftp /usr/lib/openssh/sftp-server

UsePAM no

MaxStartups 2
******** END ***********************************************************
************************************************************************
ienabellamy@sharpy:~$ ssh -p10022 192.168.0.100 -v
OpenSSH_4.3p2 Debian-9, OpenSSL 0.9.8c 05 Sep 2006
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 192.168.0.100 [192.168.0.100] port 10022.
debug1: Connection established.
debug1: identity file /home/ienabellamy/.ssh/identity type -1
debug1: identity file /home/ienabellamy/.ssh/id_rsa type -1
debug1: identity file /home/ienabellamy/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3p2 Debian-9
debug1: match: OpenSSH_4.3p2 Debian-9 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3p2 Debian-9
debug1: An invalid name was supplied
Configuration file does not specify default realm

debug1: An invalid name was supplied
A parameter was malformed
Validation error

debug1: An invalid name was supplied
Configuration file does not specify default realm

debug1: An invalid name was supplied
A parameter was malformed
Validation error

debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '192.168.0.100' is known and matches the RSA host key.
debug1: Found key in /home/ienabellamy/.ssh/known_hosts:8
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
Debian GNU/Linux 4.0
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: .ssh/id_dsa
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/ienabellamy/.ssh/identity
debug1: Trying private key: /home/ienabellamy/.ssh/id_rsa
debug1: Trying private key: /home/ienabellamy/.ssh/id_dsa
debug1: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
Enter passphrase for key '/home/ienabellamy/.ssh/id_dsa': mypassword

debug1: read PEM private key done: type DSA
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).
ienabellamy@sharpy:~$

************************************************************************
 
Old 02-08-2008, 04:41 PM
Jonathan Wilson
 
Default Cannot authenticate with DSA-pubkey in Etch

On Friday 08 February 2008 04:43:15 Christopher Bianchi wrote:
> I wish to connect my laptop to my server with an ssh pubkey and no
> password. The procedure that I use to create the key pair and set
> permissions on the directories (.ssh/) on laptop and server is correct.
>
> I think that it's a possible error in sshd_config.

Why, did you change anything? There is nothing wrong with the default config
in Debian, it works very well.

If you have made any changes to the sshd config, you should tell us what they
are. I know I don't have time to read through your file and look for changes.

> I attached 2 text files to the mail, with the sshd_config and the exact
> error.

Embedding them in the email would have been better, no one wants to read
attachments.

> Here is the uname of the machine:
>
> ienabellamy@sunny:~$ uname -a
> Linux sunny 2.4.27-3-sparc64 #1 Tue Dec 5 22:18:03 UTC 2006 sparc64
> GNU/Linux


debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: .ssh/id_dsa
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/ienabellamy/.ssh/identity
debug1: Trying private key: /home/ienabellamy/.ssh/id_rsa
debug1: Trying private key: /home/ienabellamy/.ssh/id_dsa
debug1: PEM_read_PrivateKey failed

Did you check the file permissions on /home/ienabellamy/.ssh/id_rsa
and /home/ienabellamy/.ssh/ and /home/ienabellamy/.ssh/authorized_keys
(or /home/ienabellamy/.ssh/authorized_keys2 if that's what you're using) on
both machines?

Also check perms on your home directory. As a security feature, ssh won't let
you log in if the permissions are too wide open.


ls -l /home/me/.ssh/
-rw------- 1 me users 392 2008-02-04 16:03 authorized_keys

ls -ld /home/me/.ssh/
drwx------ 2 me users 80 2008-02-04 16:03 /home/me/.ssh/

ls -ld /home/jw/
drwxr-xr-x 7 me users 472 2008-02-07 19:45 /home/me/


Please explain HOW you copied your public key up to the server.

JW


--

----------------------
System Administrator - Cedar Creek Software
http://www.cedarcreeksoftware.com


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
Old 02-08-2008, 06:10 PM
Christopher Bianchi
 
Default Cannot authenticate with DSA-pubkey in Etch

Emh, sorry, but I didn't paste the config and the errors because I
thought that attaching them to the mail was better.

Anyway, the default sshd_config is NOT right for the authentication with
pubkey, because the Password Authentication is set to 'yes' in default
config.

I changed only:

PubkeyAuthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication no

The permissions are ok.
And I've copied the id_dsa.pub in this way:
# scp ~/.ssh/id_dsa.pub leopard@server.example.com:~/.ssh/authorized_keys

Jonathan Wilson, you're too nervous. Calm. Life is good. Open a txt
file? == 2 seconds. To read 10-11 lines? 20 seconds.

Kisses.

Any help would be appreciated.

 
Old 02-08-2008, 06:58 PM
"Douglas A. Tutty"
 
Default Cannot authenticate with DSA-pubkey in Etch

On Fri, Feb 08, 2008 at 11:43:15AM +0100, Christopher Bianchi wrote:
> I wish to connect my laptop to my server with an ssh pubkey and no
> password. The procedure that I use to create the key pair and set
> permissions on the directories (.ssh/) on laptop and server is correct.

I've put some comments within your file. Then I've included my
sshd_config file. I use this, then follow the instructions in the
Debian-Reference under ssh without passwords. It works.

I hope this helps.

Doug.
---


>
> I think that it's a possible error in sshd_config.
> **** sshd_config ************************************************** ***
> # What ports, IPs and protocols we listen for
> Port 10022

Are both machines using the same port?

> # Authentication:
> LoginGraceTime 1m
> PermitRootLogin no
> StrictModes yes

As long as it's not root that is the trouble.

>
> # Max number of login attempts for a single connection
> MaxAuthTries 3
>
> RSAAuthentication no

Shouldn't this be yes?

> PubkeyAuthentication yes

> AllowGroups sshusers

Is the user trying to ssh in sshusers on both boxes?


> X11Forwarding no
> X11DisplayOffset 10
> PrintMotd no
> PrintLastLog yes
> KeepAlive yes
> #UseLogin no
>
> #MaxStartups 10:30:60
>
> Banner /etc/issue.net
>
> Subsystem sftp /usr/lib/openssh/sftp-server
>
> UsePAM no

I have UsePAM yes

>
> MaxStartups 2

[snip debug: I've never needed it so I've never read one before]
-----


For comparison, here's my sshd_config:


# Package generated configuration file
# See the sshd(8) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
ListenAddress 192.168.1.1
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
####### added by dtutty after ~/.ssh/authorized_keys updated
PasswordAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

### added by dtutty (ref lskb on ssh, man sshd_config)
AllowGroups ssh
ClientAliveInterval 15

UsePAM yes


 
Old 02-08-2008, 07:08 PM
Jeff D
 
Default Cannot authenticate with DSA-pubkey in Etch

Christopher Bianchi wrote:

> Emh, sorry, but I didn't paste the config and the errors because I
> thought that attaching them to the mail was better.
>
> Anyway, the default sshd_config is NOT right for the authentication with
> pubkey, because the Password Authentication is set to 'yes' in default
> config.
>
> I changed only:
>
> PubkeyAuthentication yes
> ChallengeResponseAuthentication no
> PasswordAuthentication no
>
> The permissions are ok.
> And I've copied the id_dsa.pub in this way:
> # scp ~/.ssh/id_dsa.pub leopard@server.example.com:~/.ssh/authorized_keys
>
> Jonathan Wilson, you're too nervous. Calm. Life is good. Open a txt
> file? == 2 seconds. To read 10-11 lines? 20 seconds.
>
> Kisses.
>
> Any help would be appreciated.



You can still have password authentication and key authentication at the
same time. In the future, an easier way to copy keys is to use
ssh-copy-id, that will copy over your key file to the remote server and
make sure that proper permissions are set. Permissions on your
~/.ssh/authorized_keys file should be 600. If you look at the error log
on the *server* you will see what the error is, not the client.



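The checks the replies above ask for (ownership and write bits on the home directory, ~/.ssh and authorized_keys, and whether the public key really reached the server), as an added example that is not part of any post in this thread. It assumes GNU stat as on Debian and the default AuthorizedKeysFile location; the function names and the script name are hypothetical.

```sh
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Assumes GNU stat, as shipped with Debian coreutils.

# check_path PATH OWNER_UID
# Fails if PATH is missing, is owned by neither OWNER_UID nor root, or is
# writable by group or others: the kind of test "StrictModes yes" applies.
check_path() {
    path=$1 want_uid=$2
    if [ ! -e "$path" ]; then
        echo "MISSING  $path"
        return 1
    fi
    # %a = octal permission bits, %u = numeric owner; -L follows symlinks
    set -- $(stat -L -c '%a %u' "$path")
    mode=$1 uid=$2 rc=0
    if [ "$uid" != "$want_uid" ] && [ "$uid" != 0 ]; then
        echo "OWNER    $path (uid $uid, expected $want_uid or 0)"
        rc=1
    fi
    # 022 = the write bits for group and others
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "WRITABLE $path (mode $mode, group/other write must be off)"
        rc=1
    fi
    return $rc
}

# audit_ssh_home HOME_DIR OWNER_UID
# Checks the three paths named in the thread; the exit status is the
# number of paths that failed (0 = nothing for StrictModes to reject).
audit_ssh_home() {
    home=$1 owner=$2 bad=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        check_path "$p" "$owner" || bad=$((bad + 1))
    done
    return $bad
}

# key_installed PUBKEY_FILE AUTHORIZED_KEYS
# Succeeds if the base64 blob of the public key is present in
# AUTHORIZED_KEYS. Every field is compared because an entry may carry
# options in front of the key type.
key_installed() {
    blob=$(awk 'NR == 1 { print $2 }' "$1")
    [ -n "$blob" ] || return 1
    awk -v b="$blob" '{ for (i = 1; i <= NF; i++) if ($i == b) found = 1 }
                      END { exit !found }' "$2"
}

# Run on the server as the login user, e.g.:
#   sh check_ssh_perms.sh "$HOME" id_dsa.pub     (script name is hypothetical)
if [ -n "${1:-}" ]; then
    audit_ssh_home "$1" "$(id -u)" && echo "permissions OK"
    [ -z "${2:-}" ] || key_installed "$2" "$1/.ssh/authorized_keys" \
        || echo "key from $2 is not in authorized_keys"
fi
```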
 
Old 02-08-2008, 10:00 PM
Christopher Bianchi
 
Default Cannot authenticate with DSA-pubkey in Etch

Thanks Douglas, thanks everything :-)

I've (for curiosity) reinstalled, purging all, and with the same config
all is working.

Ok, we have 2 cases:

1) I was an idiot and I set wrong permission.
2) The installation with apt-get didn't go so well

Anyway, all is ok :-)

p.s. and the PasswordAuthentication, UsePam, RsaAuthentication are OFF!

kisses everyone!
