Publickey DSA Authentication Problem (long)

From: James Garrison (jhg@athensgroup.com)
Date: 06/20/02


From: James Garrison <jhg@athensgroup.com>
Date: Thu, 20 Jun 2002 17:42:47 GMT

I'm having a problem getting DSA authentication to work with one
particular host. I have it working with local machines but
can't get it to work with a remote host at my ISP. The failure
symptom is that it prompts me for the private key passphrase
and then either prompts for the remote password if password
authentication is allowed, or fails if password authentication
is turned off in .ssh/config:

   $ ssh [obfuscated]
   Enter passphrase for key '[obfuscated]/.ssh/[obfuscated].dsa':
   Permission denied (publickey,password,keyboard-interactive).

For debugging I logged into two hosts (local:works, remote:fails)
with -vvv and then ran diff to compare the two debug output streams.
The results are below, with "<" lines indicating the working ssh
connection and ">" the non-working connection. After the diff output
is the full debug listing for the non-working connection.

SSH Version on the failing host:

> rpm -qa|grep -i ssh
    openssh-clients-3.1p1-1
    openssh-3.1p1-1
    openssh-server-3.1p1-1

> ssh -V
    OpenSSH_3.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090600f

SSH Version on the working host is *identical*

Working host is running kernel 2.4.9-31
Failing host is running kernel 2.4.18

Comments:

1) The two private key files are identical in structure and differ
    ONLY in the base64 data... why is ssh identifying the one that
    works as type 2 and the one that doesn't as type -1? This doesn't
    appear to be the cause however -- see item (3) below.

2) I've tried generating the keypairs on several different systems
    including Linux 7.1, Linux 7.3 and Cygwin, with identical results.

3) I even tried using one of the keypairs that I know works on my
    local systems, with identical results. When using this key to
    access the failing system it is identified as type 2.

4) I do not have access to the sshd_config or /var/log/secure
    at my ISP, which makes debugging much more difficult. I'm
    hoping someone can look at the debug output and tell me what's
    wrong. I *THINK* the problem might be indicated in the diff
    listing below at the line marked "102,107c98" where, on the
    working connection it says "try pubkey" but for the failing
    host it says "try privkey". What sshd configuration option
    would cause this difference?

    ----- BEGIN DIFF OUTPUT -----

    32c32
    < debug1: identity file [obfuscated]/.ssh/[obfuscated].dsa type 2
    ---
> debug1: identity file [obfuscated]/.ssh/[obfuscated].dsa type -1
    69,70c69,70
    < debug1: dh_gen_key: priv key bits set: 134/256
    < debug1: bits set: 1528/3191
    ---
> debug1: dh_gen_key: priv key bits set: 131/256
> debug1: bits set: 1592/3191
    74c74
    < debug3: check_host_in_hostfile: match line 15
    ---
> debug3: check_host_in_hostfile: match line 25
    76c76
    < debug3: check_host_in_hostfile: match line 15
    ---
> debug3: check_host_in_hostfile: match line 25
    78,79c78,79
    < debug1: Found key in [obfuscated]/.ssh/known_hosts:15
    < debug1: bits set: 1627/3191
    ---
> debug1: Found key in [obfuscated]/.ssh/known_hosts:25
> debug1: bits set: 1622/3191
    91,97c91,93
    < debug3: input_userauth_banner
    <
    < Red Hat Linux release 7.1 (Seawolf)
    < Kernel 2.4.9-31 on an i686
    < debug1: authentications that can continue: publickey
    < debug3: start over, passed a different list publickey
    < debug3: preferred publickey,keyboard-interactive,password
    ---
> debug1: authentications that can continue: publickey,password,keyboard-interactive
> debug3: start over, passed a different list publickey,password,keyboard-interactive
> debug3: preferred publickey,keyboard-interactive
    99c95
    < debug3: remaining preferred: keyboard-interactive,password
    ---
> debug3: remaining preferred: keyboard-interactive
    102,107c98
    < debug1: try pubkey: [obfuscated]/.ssh/[obfuscated].dsa
    < debug3: send_pubkey_test
    < debug2: we sent a publickey packet, wait for reply
    < debug1: input_userauth_pk_ok: pkalg ssh-dss blen 434 lastkey 0x100b42d8 hint 0
    < debug2: input_userauth_pk_ok: fp d6:61:8e:de:38:f5:c3:2f:58:05:b4:7b:55:38:b6:81
    < debug3: sign_and_send_pubkey
    ---
> debug1: try privkey: [obfuscated]/.ssh/[obfuscated].dsa
    111,200c102,117
    < debug1: ssh-userauth2 successful: method publickey
    < debug1: fd 6 setting O_NONBLOCK
    < debug1: channel 0: new [client-session]
    < debug3: ssh_session2_open: channel_new: 0
    < debug1: send channel open 0
    < debug1: Entering interactive session.
    < debug2: callback start
    < debug1: ssh_session2_setup: id 0
    < debug1: channel request 0: pty-req
    < debug3: tty_make_modes: ospeed 38400
    < debug3: tty_make_modes: ispeed 38400
    < debug3: tty_make_modes: 1 3
    < debug3: tty_make_modes: 2 28
    < debug3: tty_make_modes: 3 8
    < debug3: tty_make_modes: 4 21
    < debug3: tty_make_modes: 5 4
    < debug3: tty_make_modes: 6 255
    < debug3: tty_make_modes: 7 255
    < debug3: tty_make_modes: 8 17
    < debug3: tty_make_modes: 9 19
    < debug3: tty_make_modes: 10 26
    < debug3: tty_make_modes: 12 18
    < debug3: tty_make_modes: 13 23
    < debug3: tty_make_modes: 14 22
    < debug3: tty_make_modes: 18 15
    < debug3: tty_make_modes: 30 1
    < debug3: tty_make_modes: 31 0
    < debug3: tty_make_modes: 32 0
    < debug3: tty_make_modes: 33 0
    < debug3: tty_make_modes: 34 0
    < debug3: tty_make_modes: 35 0
    < debug3: tty_make_modes: 36 1
    < debug3: tty_make_modes: 37 0
    < debug3: tty_make_modes: 38 1
    < debug3: tty_make_modes: 39 0
    < debug3: tty_make_modes: 40 0
    < debug3: tty_make_modes: 41 1
    < debug3: tty_make_modes: 50 1
    < debug3: tty_make_modes: 51 1
    < debug3: tty_make_modes: 53 1
    < debug3: tty_make_modes: 54 1
    < debug3: tty_make_modes: 55 1
    < debug3: tty_make_modes: 56 0
    < debug3: tty_make_modes: 57 0
    < debug3: tty_make_modes: 58 0
    < debug3: tty_make_modes: 59 1
    < debug3: tty_make_modes: 60 1
    < debug3: tty_make_modes: 61 1
    < debug3: tty_make_modes: 70 1
    < debug3: tty_make_modes: 71 0
    < debug3: tty_make_modes: 72 1
    < debug3: tty_make_modes: 73 0
    < debug3: tty_make_modes: 74 0
    < debug3: tty_make_modes: 75 0
    < debug3: tty_make_modes: 90 1
    < debug3: tty_make_modes: 91 1
    < debug3: tty_make_modes: 92 0
    < debug3: tty_make_modes: 93 0
    < debug1: channel request 0: shell
    < debug1: fd 3 setting TCP_NODELAY
    < debug2: callback done
    < debug1: channel 0: open confirm rwindow 0 rmax 32768
    < debug2: channel 0: rcvd adjust 131072
    < debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
    < debug1: channel 0: rcvd eof
    < debug1: channel 0: output open -> drain
    < debug1: channel 0: rcvd close
    < debug1: channel 0: close_read
    < debug1: channel 0: input open -> closed
    < debug3: channel 0: will not send data after close
    < debug3: channel 0: will not send data after close
    < debug1: channel 0: obuf empty
    < debug1: channel 0: close_write
    < debug1: channel 0: output drain -> closed
    < debug1: channel 0: almost dead
    < debug1: channel 0: gc: notify user
    < debug1: channel 0: gc: user detached
    < debug1: channel 0: send close
    < debug1: channel 0: is dead
    < debug1: channel 0: garbage collecting
    < debug1: channel_free: channel 0: client-session, nchannels 1
    < debug3: channel_free: status: The following connections are open:
    < #0 client-session (t4 r0 i3/0 o3/0 fd -1/-1)
    <
    < debug3: channel_close_fds: channel 0: r -1 w -1 e 6
    < debug2: fd 2 is not O_NONBLOCK
    < Connection to [obfuscated] closed.
    < debug1: Transferred: stdin 0, stdout 0, stderr 31 bytes in 5.3 seconds
    < debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 5.8
    < debug1: Exit status 1
    ---
> debug3: sign_and_send_pubkey
> debug2: we sent a publickey packet, wait for reply
> debug1: authentications that can continue: publickey,password,keyboard-interactive
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup keyboard-interactive
> debug3: remaining preferred:
> debug3: authmethod_is_enabled keyboard-interactive
> debug1: next auth method to try is keyboard-interactive
> debug2: userauth_kbdint
> debug2: we sent a keyboard-interactive packet, wait for reply
> debug1: authentications that can continue: publickey,password,keyboard-interactive
> debug3: userauth_kbdint: disable: no info_req_seen
> debug2: we did not send a packet, disable method
> debug1: no more auth methods to try
> Permission denied (publickey,password,keyboard-interactive).
> debug1: Calling cleanup 0x419c30(0x0)

----- END DIFF OUTPUT -----

----- BEGIN SSH DEBUG OUTPUT -----

> OpenSSH_3.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090603f
> debug1: Reading configuration data [obfuscated]/.ssh/config
> debug1: Applying options for [obfuscated]
> debug1: Rhosts Authentication disabled, originating port will not be trusted.
> debug1: restore_uid
> debug1: ssh_connect: getuid 500 geteuid 500 anon 1
> debug1: Connecting to [obfuscated] [xx.xx.xx.xx] port 22.
> debug1: temporarily_use_uid: 500/513 (e=500)
> debug1: restore_uid
> debug1: temporarily_use_uid: 500/513 (e=500)
> debug1: restore_uid
> debug1: Connection established.
> debug3: Not a RSA1 key file [obfuscated]/.ssh/[obfuscated].dsa.
> debug2: key_type_from_name: unknown key type '-----BEGIN'
> debug3: key_read: no key found
> debug2: key_type_from_name: unknown key type 'Proc-Type:'
> debug3: key_read: no key found
> debug2: key_type_from_name: unknown key type 'DEK-Info:'
> debug3: key_read: no key found
> debug3: key_read: no space
> debug3: key_read: no space
> debug3: key_read: no space
> debug3: key_read: no space
> debug3: key_read: no space
> debug3: key_read: no space
> debug3: key_read: no space
> debug3: key_read: no space
> debug3: key_read: no space
> debug3: key_read: no space
> debug2: key_type_from_name: unknown key type '-----END'
> debug3: key_read: no key found
> debug1: identity file [obfuscated]/.ssh/[obfuscated].dsa type -1
> debug1: Remote protocol version 1.99, remote software version OpenSSH_3.1p1
> debug1: match: OpenSSH_3.1p1 pat OpenSSH*
> Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_3.1p1
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
> debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none
> debug2: kex_parse_kexinit: none
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
> debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib
> debug2: kex_parse_kexinit: none,zlib
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: mac_init: found hmac-md5
> debug1: kex: server->client aes128-cbc hmac-md5 none
> debug2: mac_init: found hmac-md5
> debug1: kex: client->server aes128-cbc hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> debug1: dh_gen_key: priv key bits set: 131/256
> debug1: bits set: 1592/3191
> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> debug3: check_host_in_hostfile: filename [obfuscated]/.ssh/known_hosts
> debug3: check_host_in_hostfile: match line 25
> debug3: check_host_in_hostfile: filename [obfuscated]/.ssh/known_hosts
> debug3: check_host_in_hostfile: match line 25
> debug1: Host '[obfuscated]' is known and matches the RSA host key.
> debug1: Found key in [obfuscated]/.ssh/known_hosts:25
> debug1: bits set: 1622/3191
> debug1: ssh_rsa_verify: signature correct
> debug1: kex_derive_keys
> debug1: newkeys: mode 1
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: waiting for SSH2_MSG_NEWKEYS
> debug1: newkeys: mode 0
> debug1: SSH2_MSG_NEWKEYS received
> debug1: done: ssh_kex2.
> debug1: send SSH2_MSG_SERVICE_REQUEST
> debug1: service_accept: ssh-userauth
> debug1: got SSH2_MSG_SERVICE_ACCEPT
> debug1: authentications that can continue: publickey,password,keyboard-interactive
> debug3: start over, passed a different list publickey,password,keyboard-interactive
> debug3: preferred publickey,keyboard-interactive
> debug3: authmethod_lookup publickey
> debug3: remaining preferred: keyboard-interactive
> debug3: authmethod_is_enabled publickey
> debug1: next auth method to try is publickey
> debug1: try privkey: [obfuscated]/.ssh/[obfuscated].dsa
> debug1: PEM_read_PrivateKey failed
> debug1: read PEM private key done: type <unknown>
> debug1: read PEM private key done: type DSA
> debug3: sign_and_send_pubkey
> debug2: we sent a publickey packet, wait for reply
> debug1: authentications that can continue: publickey,password,keyboard-interactive
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup keyboard-interactive
> debug3: remaining preferred:
> debug3: authmethod_is_enabled keyboard-interactive
> debug1: next auth method to try is keyboard-interactive
> debug2: userauth_kbdint
> debug2: we sent a keyboard-interactive packet, wait for reply
> debug1: authentications that can continue: publickey,password,keyboard-interactive
> debug3: userauth_kbdint: disable: no info_req_seen
> debug2: we did not send a packet, disable method
> debug1: no more auth methods to try
> Permission denied (publickey,password,keyboard-interactive).
> debug1: Calling cleanup 0x419c30(0x0)

----- END SSH DEBUG OUTPUT -----

-- 
James Garrison                                Athens Group, Inc.
mailto:jhg@athensgroup.com                    5608 Parkcrest Dr
http://www.athensgroup.com                    Austin, TX 78731
PGP: RSA=0x92E90A3B DH/DSS=0x498D331C         (512) 345-0600 x150
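A way to read transcripts like the two above mechanically, as an added example that is not part of the original post or of OpenSSH: the script below picks out the client debug lines that decide the publickey method (identity file type, the method list carried by each USERAUTH_FAILURE, "try pubkey" versus "try privkey", pk_ok, the signature being sent, the final verdict) and reports where the method stopped. The sample transcripts inside it are constructed from lines quoted in the post, with the post's "[obfuscated]" paths kept as they are; the function and field names are this example's own, and the explanation of "try privkey" reflects the OpenSSH 3.x client behaviour of querying with the public half when it could load it beforehand and otherwise decrypting the private key and signing at once.

```python
"""Triage the publickey phase of an `ssh -vvv` transcript (added example, not code
from the post or from OpenSSH). It parses the client debug lines the post quotes and
reports where publickey stopped and why the client chose 'try privkey'."""
import re
from dataclasses import dataclass, field

# One pattern per line of interest; keys of the boolean ones equal the Triage field.
PATTERNS = {
    "identity": re.compile(r"debug1: identity file (\S+) type (-?\d+)"),
    "methods": re.compile(r"debug1: authentications that can continue: (.*)"),
    "try": re.compile(r"debug1: try (pubkey|privkey): (\S+)"),
    "pk_ok": re.compile(r"debug1: input_userauth_pk_ok:"),
    "signed": re.compile(r"debug3: sign_and_send_pubkey"),
    "succeeded": re.compile(r"debug1: ssh-userauth2 successful: method publickey"),
}


@dataclass
class Triage:
    identity_types: dict = field(default_factory=dict)  # path -> type; -1 = public half not loaded
    offered: list = field(default_factory=list)         # method list from each USERAUTH_FAILURE
    tried: list = field(default_factory=list)           # ("pubkey" | "privkey", path)
    pk_ok: bool = False      # server acknowledged the pre-signature query
    signed: bool = False     # client sent a signature for the key
    succeeded: bool = False
    rejected: bool = False   # a USERAUTH_FAILURE arrived after a key was offered


def parse_ssh_debug(text: str) -> Triage:
    t = Triage()
    for raw in text.splitlines():
        line = raw.strip()
        if line[:2] in ("< ", "> "):   # diff markers from comparing two runs
            line = line[2:].strip()
        for kind, pat in PATTERNS.items():
            m = pat.search(line)
            if not m:
                continue
            if kind == "identity":
                t.identity_types[m.group(1)] = int(m.group(2))
            elif kind == "methods":
                t.offered.append(m.group(1).split(","))
                if t.tried and not t.succeeded:
                    t.rejected = True
            elif kind == "try":
                t.tried.append((m.group(1), m.group(2)))
            else:
                setattr(t, kind, True)
            break
    return t


def explain_key_path(t: Triage) -> str:
    """Why the client logged 'try privkey' rather than 'try pubkey'."""
    if any(mode == "privkey" for mode, _ in t.tried):
        bad = [p for p, ty in t.identity_types.items() if ty == -1]
        return ("privkey path: public half of %s not loadable before auth (type -1; "
                "with a passphrase-protected key this usually means no matching .pub "
                "file), so the client skipped the pubkey query and signed directly; "
                "a client code path, not an sshd option" % ", ".join(bad or ["key"]))
    return "pubkey path: public half loaded, cheap pubkey query sent first"


def diagnose(t: Triage) -> str:
    """One-line verdict on the publickey method."""
    if t.succeeded:
        return "publickey accepted"
    if t.offered and "publickey" not in t.offered[0]:
        return "server does not offer publickey for this account"
    if t.rejected:
        # The server saw the key (query or signature) and still answered
        # USERAUTH_FAILURE: the key is not authorized for the remote account
        # (absent from authorized_keys, wrong AuthorizedKeysFile, or StrictModes).
        return "server rejected the key: not authorized for the remote account"
    return "publickey outcome not visible in transcript"


# Constructed from lines the post quotes; "[obfuscated]" is kept as in the post.
FAILING = """\
> debug1: identity file [obfuscated]/.ssh/[obfuscated].dsa type -1
> debug1: authentications that can continue: publickey,password,keyboard-interactive
> debug1: try privkey: [obfuscated]/.ssh/[obfuscated].dsa
> debug3: sign_and_send_pubkey
> debug2: we sent a publickey packet, wait for reply
> debug1: authentications that can continue: publickey,password,keyboard-interactive
> Permission denied (publickey,password,keyboard-interactive).
"""
WORKING = """\
< debug1: identity file [obfuscated]/.ssh/[obfuscated].dsa type 2
< debug1: authentications that can continue: publickey
< debug1: try pubkey: [obfuscated]/.ssh/[obfuscated].dsa
< debug1: input_userauth_pk_ok: pkalg ssh-dss blen 434 lastkey 0x100b42d8 hint 0
< debug3: sign_and_send_pubkey
< debug1: ssh-userauth2 successful: method publickey
"""

if __name__ == "__main__":
    for name, text in (("working", WORKING), ("failing", FAILING)):
        t = parse_ssh_debug(text)
        print("%s: %s; %s" % (name, diagnose(t), explain_key_path(t)))
```

Run on the failing transcript it reports that a signature was sent and the server still answered with a USERAUTH_FAILURE, that is, the remote account does not authorize that key (missing from its authorized_keys, a different AuthorizedKeysFile, or the file or ~/.ssh unreadable or too permissive under StrictModes); the "try privkey" difference is a client-side code path triggered by the identity file being read as type -1, not an sshd option. Without access to the server, the client half can still be checked with `ssh-keygen -y -f <privatekey>`, which prints the public key line that must be present in the remote authorized_keys.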


