Authentication without password revisited
manuel.hurtado_at_gmail.com
Date: 03/15/05
- Next message: Ben Harris: "Re: Authentication without password revisited"
- Previous message: Jacob Nevins: "Re: Protecting private keys..."
- Next in thread: Ben Harris: "Re: Authentication without password revisited"
- Reply: Ben Harris: "Re: Authentication without password revisited"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 15 Mar 2005 11:18:16 -0800
Hello,
I am trying to configure ssh to accept connections without providing
passowrd.
Specifically, I need to connect from the same machine as sshd is
running. OS is Solaris 8
With the current configuration, I can connect with ssh and sftp from
external machines and from the server, by providing username and
password, but not with user key files.
Here you have the configuration and the logs ...
I hope that anyone can turn on the light for me.
Thanks in advance!
__________________________
SERVER ENV
sshd running as root
ssh home is /.ssh
File permissions:
/.ssh>ls -l
total 4
-rw------- 1 root other 332 Jan 2 17:07 authorized_keys
-rw-r--r-- 1 root other 435 Jan 2 18:16 known_hosts
__________________________
CLIENT ENV
client (sftp) running as user weblogic
ssh home is /export/home/weblogic/.ssh/
I have created tha pub/private keys for the client with the command (no
passphrase):
# ssh-keygen -t rsa1 -N ""
Generating public/private rsa1 key pair.
Enter file in which to save the key
(/export/home/weblogic/.ssh/identity):
Your identification has been saved in
/export/home/weblogic/.ssh/identity.
Your public key has been saved in
/export/home/weblogic/.ssh/identity.pub.
The key fingerprint is:
ac:e6:94:7d:10:3c:83:3e:e7:26:44:99:77:9b:3a:03 weblogic@zipi
Then I have copied the file as
/.ssh/authorized_keys
What I am seing from the debug messages is that the client is looking
for files 'id_rsa' and 'id_dsa', instead of 'identity'.
I have noticed the following in ssh_config (which has the default
options):
...
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
...
__________________________
SERVER OUTPUT
debug2: load_server_config: filename /usr/local/etc/sshd_config
debug2: load_server_config: done config len = 164
debug2: parse_server_config: config /usr/local/etc/sshd_config len 164
debug1: sshd version OpenSSH_3.9p1
debug1: private host key: #0 type 0 RSA1
debug3: Not a RSA1 key file /usr/local/etc/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug3: Not a RSA1 key file /usr/local/etc/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
debug1: rexec_argv[0]='/usr/local/sbin/sshd'
debug1: rexec_argv[1]='-ddd'
debug2: fd 4 setting O_NONBLOCK
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug2: fd 5 setting O_NONBLOCK
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: fd 6 clearing O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 11 config len 164
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 6 out 6 newsock 6 pipe -1 sock 11
__________________________
CLIENT OUTPUT:
# sftp -vvv weblogic@zipi
Connecting to zipi...
OpenSSH_3.9p1, OpenSSL 0.9.7e 25 Oct 2004
debug1: Reading configuration data /usr/local/etc/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to zipi [10.24.0.251] port 22.
debug1: Connection established.
debug1: identity file /export/home/weblogic/.ssh/id_rsa type -1
debug1: identity file /export/home/weblogic/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version
OpenSSH_3.9p1
debug1: match: OpenSSH_3.9p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.9p1
debug2: fd 4 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 135/256
debug2: bits set: 492/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename
/export/home/weblogic/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 2
debug3: check_host_in_hostfile: filename
/export/home/weblogic/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug1: Host 'zipi' is known and matches the RSA host key.
debug1: Found key in /export/home/weblogic/.ssh/known_hosts:2
debug2: bits set: 494/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /export/home/weblogic/.ssh/id_rsa (0)
debug2: key: /export/home/weblogic/.ssh/id_dsa (0)
debug1: Authentications that can continue:
publickey,password,keyboard-interactive
debug3: start over, passed a different list
publickey,password,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /export/home/weblogic/.ssh/id_rsa
debug3: no such identity: /export/home/weblogic/.ssh/id_rsa
debug1: Trying private key: /export/home/weblogic/.ssh/id_dsa
debug3: no such identity: /export/home/weblogic/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: Authentications that can continue:
publickey,password,keyboard-interactive
debug3: userauth_kbdint: disable: no info_req_seen
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred:
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
weblogic@zipi's password:
...
So publickey is broken !!
- Next message: Ben Harris: "Re: Authentication without password revisited"
- Previous message: Jacob Nevins: "Re: Protecting private keys..."
- Next in thread: Ben Harris: "Re: Authentication without password revisited"
- Reply: Ben Harris: "Re: Authentication without password revisited"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
