ssh: problem with publickey authentication

From: Frans Englich (frans.englich_at_telia.com)
Date: 10/25/05

  • Next message: Darren Tucker: "Re: configure password prompt in SSH" 
    To: secureshell@securityfocus.com
Date: Tue, 25 Oct 2005 13:34:45 +0000

    Hello,

    I have trouble getting ssh with publickey authentication to work. The server I
    am attenmpting to log in to is not setup by me, but everything indicates that
    1) my user account exists on the machine(due to public_html page can be
    visited); and 2) that the public key I sent was properly installed. The
    server works fine for other users, and although it is possible the sysadmin
    made a mistake in setting up my account, I think the error is on my side.
    Perhaps someone can give a hint on where the problem is.

    Below series of bash commands are perhaps illuminating. I can't tell more than
    that authentication seems to fail.

    bash-2.05b$ pwd
    /home/frans
    bash-2.05b$ ls .ssh/ -alFh
    total 21K
    drwxr-xr-x 2 frans users 160 Oct 23 20:26 ./
    drwxrwxrwx 72 frans users 3.6K Oct 23 20:25 ../
    -rw------- 1 frans users 736 Oct 23 18:53 id_dsa
    -rw-r--r-- 1 frans users 604 Oct 23 18:53 id_dsa.pub
    -rw-r--r-- 1 frans users 239 Oct 23 18:54 known_hosts
    -rw-r--r-- 1 frans users 520 Oct 23 18:53 log.txt
    bash-2.05b$
    bash-2.05b$
    bash-2.05b$ ssh -v -l englich englich@<DOMAIN NAME SNIPPED>
    OpenSSH_4.2p1, OpenSSL 0.9.7d 17 Mar 2004
    debug1: Reading configuration data /usr/local/etc/ssh_config
    debug1: Connecting to <DOMAIN NAME SNIPPED> [IP-SNIPPED] port 22.
    debug1: Connection established.
    debug1: identity file /home/frans/.ssh/identity type -1
    debug1: identity file /home/frans/.ssh/id_rsa type -1
    debug1: identity file /home/frans/.ssh/id_dsa type 2
    debug1: Remote protocol version 2.0, remote software version OpenSSH_4.1
    debug1: match: OpenSSH_4.1 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_4.2
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-cbc hmac-md5 none
    debug1: kex: client->server aes128-cbc hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Host '<DOMAIN NAME SNIPPED>' is known and matches the RSA host key.
    debug1: Found key in /home/frans/.ssh/known_hosts:1
    debug1: ssh_rsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey
    debug1: Next authentication method: publickey
    debug1: Trying private key: /home/frans/.ssh/identity
    debug1: Trying private key: /home/frans/.ssh/id_rsa
    debug1: Offering public key: /home/frans/.ssh/id_dsa
    debug1: Authentications that can continue: publickey
    debug1: No more authentication methods to try.
    Permission denied (publickey).
    bash-2.05b$
    bash-2.05b$
    bash-2.05b$ ssh-agent bash
    bash-2.05b$ ssh-add
    Enter passphrase for /home/frans/.ssh/id_dsa:
    Identity added: /home/frans/.ssh/id_dsa (/home/frans/.ssh/id_dsa)
    bash-2.05b$ ssh-add -l
    1024 f1:88:2f:70:ba:80:e6:3c:a8:61:cc:cd:46:0e:11:89 /home/frans/.ssh/id_dsa
    (DSA)
    bash-2.05b$
    bash-2.05b$ # If I now again issue `ssh -v -l englich
    englich@<DOMAIN NAME SNIPPED>' I get the same output as above.

    What slightly draws my attention is the verbose output from ssh which says
    "debug1: Offering public key: /home/frans/.ssh/id_dsa", because id_dsa is my
    private key("BEGIN DSA PRIVATE KEY", etc), but that's surely just the
    message.

    Any ideas what is wrong, or how I can set a better diagnosis? What does more
    exactly "Permission denied (publickey)" mean?

    Could it be that my private key does not correspond to my public key? If the
    above commands wouldn't have triggered that, can I in some simple way check
    that? What could otherwise be wrong?

    Cheers,

                    Frans

  • Next message: Darren Tucker: "Re: configure password prompt in SSH"

    Relevant Pages

    • [SLE] Slow SSH login
      ... A> ssh B ... second delay no matter the authentication mechanism ... debug1: Authentication succeeded. ...
      (SuSE)
    • LDAP Authentication via SSH
      ... authenticate via SSH to the LDAP server. ... debug1: Connecting to ldapclient.domain port 22. ... debug1: Next authentication method: keyboard-interactive ... # rlogin service (explicit because of pam_rhost_auth) ...
      (SunManagers)
    • RE: Ssh with public key authentication
      ... Ssh with public key authentication ... debug1: Host 'machine1' is known and matches the RSA host key. ... debug3: preferred publickey,keyboard-interactive,password ... debug3: authmethod_is_enabled publickey ...
      (RedHat)
    • Help request: problems with a 5.1 server and large numbers of ssh users.
      ... FreeBSD 5.1 because I need to be able to support ldap authentication.) ... My version of ssh is 3.6.1p2 patched to address the security concerns. ... debug1: Rhosts Authentication disabled, ... debug1: Connection established. ...
      (freebsd-current)
    • Help request: problems with a 5.1 server and large numbers of ssh users.
      ... FreeBSD 5.1 because I need to be able to support ldap authentication.) ... My version of ssh is 3.6.1p2 patched to address the security concerns. ... debug1: Rhosts Authentication disabled, ... debug1: Connection established. ...
      (freebsd-hackers)