Public key authentication not working

From: J. David Blackstone (jdavidb_at_goreadthebible.com)
Date: 04/15/05

  • Next message: David E. Meier: "publickey/password login"
    Date: Fri, 15 Apr 2005 14:04:34 +0000
    To: secureshell@securityfocus.com
    
    

      (I sent this message yesterday, from my work address, but it doesn't seem to have made it to the list. I presume that means HTML messages are being silently rejected. Maybe I can use this to finally convince somebody at my company that automatically converting outgoing messages to HTML should be stopped.)

      I'm unable to get public key authentication set up to work on a remote server on which I do not have administrative privileges. Given the debugging information below, can anyone tell me what is going wrong?

      The remote server administrator has checked, and the sshd configuration file does not appear to contain "RSAAuthentication no" or "PubkeyAuthentication no." (I may be barking up the wrong tree with these options. Please let me know.) The file does contain "#RSAAuthentication yes," but I presume the fact that the line is commented out is not a problem because I presume that is the default.

      In the course of trying to get this to work, I have tried DSA, RSA, and SSH1 keys in several locations, including remotehost:~.ssh/authorized_keys2 and remotehost:~.ssh/authorized_keys.

      I've looked at the permissions on the directories, and I don't think there was a problem (will send the output of ls -l if anyone thinks it will help).

    Script started on Thu Apr 14 12:58:35 2005
    h:w $ ssh -vvv <myuserid>@<myipaddress>
    OpenSSH_3.0.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
    debug1: Reading configuration data /etc/ssh_config
    debug1: Applying options for *
    debug1: Seeding random number generator
    debug1: Rhosts Authentication disabled, originating port will not be trusted.
    debug1: restore_uid
    debug1: ssh_connect: getuid 102 geteuid 102 anon 1
    debug1: Connecting to <myipaddress> [<myipaddress>] port 22.
    debug1: temporarily_use_uid: 102/1 (e=102)
    debug1: restore_uid
    debug1: temporarily_use_uid: 102/1 (e=102)
    debug1: restore_uid
    debug1: Connection established.
    debug1: identity file /usr/local/.ssh/identity type 0
    debug3: Not a RSA1 key file /usr/local/.ssh/id_rsa.
    debug2: key_type_from_name: unknown key type '-----BEGIN'
    debug3: key_read: no key found
    debug3: key_read: no space
    debug3: key_read: no space
    debug3: key_read: no space
    debug3: key_read: no space
    debug3: key_read: no space
    debug3: key_read: no space
    debug3: key_read: no space
    debug3: key_read: no space
    debug3: key_read: no space
    debug3: key_read: no space
    debug3: key_read: no space
    debug3: key_read: no space
    debug3: key_read: no space
    debug2: key_type_from_name: unknown key type '-----END'
    debug3: key_read: no key found
    debug1: identity file /usr/local/.ssh/id_rsa type 1
    debug3: Not a RSA1 key file /usr/local/.ssh/id_dsa.
    debug2: key_type_from_name: unknown key type '-----BEGIN'
    debug3: key_read: no key found
    debug3: key_read: no space
    debug3: key_read: no space
    debug3: key_read: no space
    debug3: key_read: no space
    debug3: key_read: no space
    debug3: key_read: no space
    debug3: key_read: no space
    debug3: key_read: no space
    debug3: key_read: no space
    debug3: key_read: no space
    debug2: key_type_from_name: unknown key type '-----END'
    debug3: key_read: no key found
    debug1: identity file /usr/local/.ssh/id_dsa type 2
    debug1: Remote protocol version 1.99, remote software version OpenSSH_3.8.1p1
    debug1: match: OpenSSH_3.8.1p1 pat ^OpenSSH
    Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_3.0.1p1
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
    debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
    debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se
    debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: none
    debug2: kex_parse_kexinit: none
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit: first_kex_follows 0
    debug2: kex_parse_kexinit: reserved 0
    debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
    debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
    debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
    debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: none,zlib
    debug2: kex_parse_kexinit: none,zlib
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit: first_kex_follows 0
    debug2: kex_parse_kexinit: reserved 0
    debug2: mac_init: found hmac-md5
    debug1: kex: server->client aes128-cbc hmac-md5 none
    debug2: mac_init: found hmac-md5
    debug1: kex: client->server aes128-cbc hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug1: dh_gen_key: priv key bits set: 118/256
    debug1: bits set: 1050/2048
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug3: check_host_in_hostfile: filename /usr/local/.ssh/known_hosts
    debug3: check_host_in_hostfile: match line 78
    debug1: Host '<myipaddress>' is known and matches the RSA host key.
    debug1: Found key in /usr/local/.ssh/known_hosts:78
    debug1: bits set: 1065/2048
    debug1: ssh_rsa_verify: signature correct
    debug1: kex_derive_keys
    debug1: newkeys: mode 1
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: waiting for SSH2_MSG_NEWKEYS
    debug1: newkeys: mode 0
    debug1: SSH2_MSG_NEWKEYS received
    debug1: done: ssh_kex2.
    debug1: send SSH2_MSG_SERVICE_REQUEST
    debug1: service_accept: ssh-userauth
    debug1: got SSH2_MSG_SERVICE_ACCEPT
    debug1: authentications that can continue: publickey,password,keyboard-interactive,hostbased
    debug3: start over, passed a different list publickey,password,keyboard-interactive,hostbased
    debug3: preferred publickey,keyboard-interactive,password
    debug3: authmethod_lookup publickey
    debug3: remaining preferred: keyboard-interactive,password
    debug3: authmethod_is_enabled publickey
    debug1: next auth method to try is publickey
    debug1: try pubkey: /usr/local/.ssh/id_rsa
    debug3: send_pubkey_test
    debug2: we sent a publickey packet, wait for reply
    debug1: authentications that can continue: publickey,password,keyboard-interactive,hostbased
    debug1: try pubkey: /usr/local/.ssh/id_dsa
    debug3: send_pubkey_test
    debug2: we sent a publickey packet, wait for reply
    debug1: authentications that can continue: publickey,password,keyboard-interactive,hostbased
    debug2: we did not send a packet, disable method
    debug3: authmethod_lookup keyboard-interactive
    debug3: remaining preferred: password
    debug3: authmethod_is_enabled keyboard-interactive
    debug1: next auth method to try is keyboard-interactive
    debug2: userauth_kbdint
    debug2: we sent a keyboard-interactive packet, wait for reply
    debug1: authentications that can continue: publickey,password,keyboard-interactive,hostbased
    debug3: userauth_kbdint: disable: no info_req_seen
    debug2: we did not send a packet, disable method
    debug3: authmethod_lookup password
    debug3: remaining preferred:
    debug3: authmethod_is_enabled password
    debug1: next auth method to try is password
    <myuserid>@<myipaddress>'s password:
    debug1: packet_send2: adding 64 (len 52 padlen 12 extra_pad 64)
    debug2: we sent a password packet, wait for reply
    debug1: authentications that can continue: publickey,password,keyboard-interactive,hostbased
    Permission denied, please try again.
    <myuserid>@<myipaddress>'s password:
    debug1: packet_send2: adding 64 (len 52 padlen 12 extra_pad 64)
    debug2: we sent a password packet, wait for reply
    debug1: authentications that can continue: publickey,password,keyboard-interactive,hostbased
    Permission denied, please try again.
    <myuserid>@<myipaddress>'s password:
    debug1: packet_send2: adding 64 (len 52 padlen 12 extra_pad 64)
    debug2: we sent a password packet, wait for reply
    debug1: authentications that can continue: publickey,password,keyboard-interactive,hostbased
    debug2: we did not send a packet, disable method
    debug1: no more auth methods to try
    Permission denied (publickey,password,keyboard-interactive,hostbased).
    debug1: Calling cleanup 0x3dbc8(0x0)
    h:w $ ^D

    script done on Thu Apr 14 12:58:43 2005


  • Next message: David E. Meier: "publickey/password login"

    Relevant Pages