Re: Trouble with OpenSSH 3.4p1 - Can't connect with an RSA key pair
From: William Barnett (william.barnett_at_cchmc.org)
Date: 02/02/04
- Next message: Daeron: "Authentication failed (publickey,password)"
- Previous message: Kenny McCormick: "Using SSH without raising questions"
- Maybe in reply to: LinuxManMikeC: "Re: Trouble with OpenSSH 3.4p1 - Can't connect with an RSA key pair"
- Next in thread: Mike: "Re: Trouble with OpenSSH 3.4p1 - Can't connect with an RSA key pair"
- Reply: Mike: "Re: Trouble with OpenSSH 3.4p1 - Can't connect with an RSA key pair"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 02 Feb 2004 14:45:31 -0500
On Sat, 31 Jan 2004 11:21:07 +0800, Mike wrote:
>
> LinuxManMikeC wrote:
>> I have a computer functioning as a server using RedHat 8.0 with OpenSSH
>> 3.4p1. I am able to connect using plaintext passwords, but when I
>> disable the plaintext passwords and use only public/private keypairs I
>> can't authenticate a connection. I have the public keys installed on
>> the server in the /home/"username"/.ssh/autorized_keys file. I have
>> tried using keypairs generated using PuTTY and OpenSSH. I have only
>> used RSA keypairs. This has been a pain to try and figure out, I have
>> already checked the RedHat Network for updated packages, but they don't
>> list any bugs that may be contributing to my problem. I glanced at the
>> OpenSSH changelogs, but I don't have time right now to look through
>> them extensively. If anyone has any ideas I would appreciate the help.
>> I am new to SSH and I'm trying to configure this server so I can access
>> it from school over the Internet. Are keypairs the only secure way to
>> authenticate using SSH? If not, what are my other options? Either way I
>> would still prefer to use keypairs to prevent others from easily
>> compromising my server.
>>
>> P.S.
>> I would appreciate suggestions being emailed to me in addition to being
>> posted on the newsgroup. I'm not sure when I will have a chance to
>> check the newsgroup again.
>>
>> LinuxManMikeC
>> LinuxManMikeC@netscape.net
>
>
> Most common problem I encounter with pub/priv keys is the permissions on
> authorized_keys and ~/.ssh (remote) or even ~/.ssh/identity (local)
>
> Something like this should work:
> [test@remote .ssh]$ ls -la
> total 12
> drwx------ 2 test test 4096 Dec 21 21:00 .
> drwx------ 4 test test 4096 Jan 30 18:20 ..
> -r-------- 1 test test 1490 Dec 21 21:00 authorized_keys
> [test@remote .ssh]$
>
> and
>
> [test@local .ssh]$ ls -la
> total 28
> drwx------ 2 test test 4096 Aug 27 21:31 .
> drwx------ 59 test test 4096 Jan 31 10:58 ..
> -r-------- 1 test test 3311 Aug 10 18:10 identity
> -rw------- 1 test test 1572 Dec 10 21:12 known_hosts
> [test@local .ssh]$
>
>
>
> If you run the server in debug mode, you will most likely find your answer.
>
> On another point, passwords are never exchanged in plain text using SSH.
> There is nothing particularly unsafe about using password
> authentication, so long as you stick to good practices like changing
> your "non trivial" password regularly. You are afforded a little more
> security using pub/priv keys by the fact that an attacker would need to
> key log you AND steal your private key file. If you are really worried,
> you might like to use one time passwords. It is a balance of how much
> inconvenience you are prepared to put up with versus how likely it is
> that anybody would expend that much effort to hack your PC.
>
> You should upgrade your OpenSSH to the latest 3.7x something. I was
> never able to find decent rpms for anything past 3.4, so you may be
> resigned to downloading the source and compiling.
>
> Mike
I am experiencing a similar problem using passkey authentication with the
twist that a particular user can connect successfully using passkey
authentication while another particular user skips passkey for password
authentication which then completes successfully. No special command line
parameters are used by either user, e.g., ssh <user>@<host> and both are
connecting from the same client to the same server. This leads me to
remove the client's ssh_config and server's sshd_config files from
suspicion. Neither user has created a ~/.ssh/config file. I have checked
permissions in both users' directories at both ends of the connection and
all appear to be set identically. I have output debug info from both
connection attempts into text files and diff'ed the two but am not familiar
enough with ssh to gain anything meaningful from it. Perhaps someone else
will spot the issue. I have copied the diff text below.

Thanks for your time and attention,
Bill
>>> BEGIN DIFF TEXT >>>
7,8c7,8
< debug1: identity file /home/barxz5/.ssh/identity type -1
< debug3: Not a RSA1 key file /home/barxz5/.ssh/id_rsa.
---
> debug1: identity file /home/cvsadm/.ssh/identity type -1
> debug3: Not a RSA1 key file /home/cvsadm/.ssh/id_rsa.
30,31c30,31
< debug1: identity file /home/barxz5/.ssh/id_rsa type 1
< debug1: identity file /home/barxz5/.ssh/id_dsa type -1
---
> debug1: identity file /home/cvsadm/.ssh/id_rsa type 1
> debug1: identity file /home/cvsadm/.ssh/id_dsa type -1
68,69c68,69
< debug2: dh_gen_key: priv key bits set: 129/256
< debug2: bits set: 1604/3191
---
> debug2: dh_gen_key: priv key bits set: 121/256
> debug2: bits set: 1573/3191
72c72,74
< debug3: check_host_in_hostfile: filename /home/barxz5/.ssh/known_hosts
---
> debug3: check_host_in_hostfile: filename /home/cvsadm/.ssh/known_hosts
> debug3: check_host_in_hostfile: match line 1
> debug3: check_host_in_hostfile: filename /home/cvsadm/.ssh/known_hosts
74,75d75
< debug3: check_host_in_hostfile: filename /home/barxz5/.ssh/known_hosts
< debug3: check_host_in_hostfile: match line 6
77,78c77,78
< debug1: Found key in /home/barxz5/.ssh/known_hosts:1
< debug2: bits set: 1612/3191
---
> debug1: Found key in /home/cvsadm/.ssh/known_hosts:1
> debug2: bits set: 1566/3191
89,91c89,91
< debug2: key: /home/barxz5/.ssh/identity ((nil))
< debug2: key: /home/barxz5/.ssh/id_rsa (0x808bfb8)
< debug2: key: /home/barxz5/.ssh/id_dsa ((nil))
---
> debug2: key: /home/cvsadm/.ssh/identity ((nil))
> debug2: key: /home/cvsadm/.ssh/id_rsa (0x808bfb0)
> debug2: key: /home/cvsadm/.ssh/id_dsa ((nil))
99,101c99,101
< debug1: Trying private key: /home/barxz5/.ssh/identity
< debug3: no such identity: /home/barxz5/.ssh/identity
< debug1: Offering public key: /home/barxz5/.ssh/id_rsa
---
> debug1: Trying private key: /home/cvsadm/.ssh/identity
> debug3: no such identity: /home/cvsadm/.ssh/identity
> debug1: Offering public key: /home/cvsadm/.ssh/id_rsa
104,173c104,120
< debug1: Server accepts key: pkalg ssh-rsa blen 149
< debug2: input_userauth_pk_ok: fp a6:9d:53:52:c5:f3:78:61:89:1c:d2:a2:90:92:d7:64debug3: sign_and_send_pubkey
< debug1: PEM_read_PrivateKey failed
< debug1: read PEM private key done: type <unknown>
< Enter passphrase for key '/home/barxz5/.ssh/id_rsa':
< debug1: read PEM private key done: type RSA
< debug1: Authentication succeeded (publickey).
< debug1: channel 0: new [client-session]
< debug3: ssh_session2_open: channel_new: 0
< debug2: channel 0: send open
< debug1: Entering interactive session.
< debug2: callback start
< debug2: ssh_session2_setup: id 0
< debug2: channel 0: request pty-req
< debug3: tty_make_modes: ospeed 38400
< debug3: tty_make_modes: ispeed 38400
< debug3: tty_make_modes: 1 3
< debug3: tty_make_modes: 2 28
< debug3: tty_make_modes: 3 127
< debug3: tty_make_modes: 4 21
< debug3: tty_make_modes: 5 4
< debug3: tty_make_modes: 6 255
< debug3: tty_make_modes: 7 255
< debug3: tty_make_modes: 8 17
< debug3: tty_make_modes: 9 19
< debug3: tty_make_modes: 10 26
< debug3: tty_make_modes: 12 18
< debug3: tty_make_modes: 13 23
< debug3: tty_make_modes: 14 22
< debug3: tty_make_modes: 18 15
< debug3: tty_make_modes: 30 0
< debug3: tty_make_modes: 31 0
< debug3: tty_make_modes: 32 0
< debug3: tty_make_modes: 33 0
< debug3: tty_make_modes: 34 0
< debug3: tty_make_modes: 35 0
< debug3: tty_make_modes: 36 1
< debug3: tty_make_modes: 37 0
< debug3: tty_make_modes: 38 1
< debug3: tty_make_modes: 39 1
< debug3: tty_make_modes: 40 0
< debug3: tty_make_modes: 41 1
< debug3: tty_make_modes: 50 1
< debug3: tty_make_modes: 51 1
< debug3: tty_make_modes: 52 0
< debug3: tty_make_modes: 53 1
< debug3: tty_make_modes: 54 1
< debug3: tty_make_modes: 55 1
< debug3: tty_make_modes: 56 0
< debug3: tty_make_modes: 57 0
< debug3: tty_make_modes: 58 0
< debug3: tty_make_modes: 59 1
< debug3: tty_make_modes: 60 1
< debug3: tty_make_modes: 61 1
< debug3: tty_make_modes: 62 0
< debug3: tty_make_modes: 70 1
< debug3: tty_make_modes: 71 0
< debug3: tty_make_modes: 72 1
< debug3: tty_make_modes: 73 0
< debug3: tty_make_modes: 74 0
< debug3: tty_make_modes: 75 0
< debug3: tty_make_modes: 90 1
< debug3: tty_make_modes: 91 1
< debug3: tty_make_modes: 92 0
< debug3: tty_make_modes: 93 0
< debug2: channel 0: request shell
< debug2: fd 3 setting TCP_NODELAY
< debug2: callback done
< debug2: channel 0: open confirm rwindow 0 rmax 32768
< debug2: channel 0: rcvd adjust 131072
---
> debug1: Authentications that can continue: publickey,password,keyboard-interactive
> debug1: Trying private key: /home/cvsadm/.ssh/id_dsa
> debug3: no such identity: /home/cvsadm/.ssh/id_dsa
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup keyboard-interactive
> debug3: remaining preferred: password
> debug3: authmethod_is_enabled keyboard-interactive
> debug1: Next authentication method: keyboard-interactive
> debug2: userauth_kbdint
> debug2: we sent a keyboard-interactive packet, wait for reply
> debug1: Authentications that can continue: publickey,password,keyboard-interactive
> debug3: userauth_kbdint: disable: no info_req_seen
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup password
> debug3: remaining preferred:
> debug3: authmethod_is_enabled password
> debug1: Next authentication method: password
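
Added example, not part of any message in this thread: in the diff above the cvsadm side has no "Server accepts key" line after the key is offered, so the refusal happens on the server, which is where the permission advice quoted earlier applies. The function below (check_ssh_paths is a hypothetical name) approximates the path checks sshd makes when StrictModes is on: the home directory, ~/.ssh and authorized_keys must be owned by the user or root and must not be writable by group or others.

```shell
#!/bin/sh
# Added example: approximate sshd's StrictModes checks for one account.
# Usage (run on the server): check_ssh_paths /home/someuser someuser
# Prints one line per path; returns 0 if all pass, 1 otherwise.
check_ssh_paths() {
    home=$1
    user=$2
    bad=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        line=$(ls -ld "$p" 2>/dev/null)
        if [ -z "$line" ]; then
            echo "MISSING  $p"
            bad=1
            continue
        fi
        # First 10 characters of ls -l output are the type and mode bits,
        # e.g. drwx------ ; the third field is the owner.
        mode=$(printf '%s\n' "$line" | cut -c1-10)
        owner=$(printf '%s\n' "$line" | awk '{print $3}')
        group_w=$(printf '%s' "$mode" | cut -c6)   # group write bit
        other_w=$(printf '%s' "$mode" | cut -c9)   # other write bit
        if [ "$owner" != "$user" ] && [ "$owner" != "root" ]; then
            echo "OWNER    $p is owned by $owner"
            bad=1
        elif [ "$group_w" = "w" ] || [ "$other_w" = "w" ]; then
            echo "WRITABLE $p ($mode) is group- or world-writable"
            bad=1
        else
            echo "ok       $p ($mode)"
        fi
    done
    return $bad
}
```

Running it for both accounts on the server and comparing the output shows differences that a visual comparison of ls listings can miss, such as a group-writable home directory. The server's own debug output gives the authoritative reason for a refusal.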