You are not logged in.

#1 2011-07-16 10:11:27

1080p
Member
From: New Zealand
Registered: 2011-04-24
Posts: 10

SSH Publickey Configuration [SOLVED]

Hi there,

I am attempting to configure SSH publickey authentication to a remote VPS and have struck an issue I can't seem to get past.

Attached is my remote sshd_config file and the very, very, very verbose output of my connection attempt. I am sure I have missed something simple here but for the life of me cannot see it.

AcceptEnv LANG LC_*
AddressFamily inet
AllowUsers <user>
AuthorizedKeysFile %h/.ssh/authorized_keys
#Banner /etc/issue.net
ChallengeResponseAuthentication no
ClientAliveCountMax 2
ClientAliveInterval 20
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
KeyRegenerationInterval 3600
ListenAddress <remote host>:<port>
LoginGraceTime 60
LogLevel VERBOSE
MaxAuthTries 4
MaxSessions 8
MaxStartups 5:50:20
PasswordAuthentication no
PermitRootLogin no
Protocol 2
PubkeyAuthentication yes
ServerKeyBits 2048
Subsystem sftp /usr/lib/openssh/sftp-server
[archuser@homepc ~]$ ssh -vvv -p <port> <user>@<remote host>

I have made bold a couple of lines which worry me. Could this be something in my local sshd_config which is broken?

OpenSSH_5.8p2, OpenSSL 1.0.0d 8 Feb 2011
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to <remote host> [<remote host>] port <port>.
debug2: fd 3 setting O_NONBLOCK
debug1: fd 3 clearing O_NONBLOCK
debug1: Connection established.
debug3: timeout: 24631 ms remain after connect
[b]debug3: Incorrect RSA1 identifier
debug3: Could not load "/home/<archuser>/.ssh/id_rsa" as a RSA1 public key[/b]
debug1: identity file /home/<archuser>/.ssh/id_rsa type 1
debug1: identity file /home/<archuser>/.ssh/id_rsa-cert type -1
debug1: identity file /home/<archuser>/.ssh/id_dsa type -1
debug1: identity file /home/<archuser>/.ssh/id_dsa-cert type -1
debug1: identity file /home/<archuser>/.ssh/id_ecdsa type -1
debug1: identity file /home/<archuser>/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5p1 Debian-6
debug1: match: OpenSSH_5.5p1 Debian-6 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.8
debug2: fd 3 setting O_NONBLOCK
debug3: put_host_port: [<remote host>]:<port>
debug3: load_hostkeys: loading entries for host "[<remote host>]:<port>" from file "/home/<archuser>/.ssh/known_hosts"
debug3: load_hostkeys: loaded 0 keys
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: zlib@openssh.com,zlib,none
debug2: kex_parse_kexinit: zlib@openssh.com,zlib,none
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 zlib@openssh.com
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 zlib@openssh.com
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 126/256
debug2: bits set: 1021/2048
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA <host key>
debug3: verify_host_key_dns
debug1: skipped DNS lookup for numerical hostname
debug3: put_host_port: [<remote host>]:<port>
debug3: put_host_port: [<remote host>]:<port>
debug3: load_hostkeys: loading entries for host "[<remote host>]:<port>" from file "/home/<archuser>/.ssh/known_hosts"
debug3: load_hostkeys: loaded 0 keys
debug3: load_hostkeys: loading entries for host "[<remote host>]:<port>" from file "/home/<archuser>/.ssh/known_hosts"
debug3: load_hostkeys: loaded 0 keys
debug1: checking without port identifier
debug3: load_hostkeys: loading entries for host "<remote host>" from file "/home/<archuser>/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /home/<archuser>/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys
debug1: Host '<remote host>' is known and matches the RSA host key.
debug1: Found key in /home/<archuser>/.ssh/known_hosts:1
Host key fingerprint is <host key>

debug1: found matching key w/out port
debug2: bits set: 1010/2048
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/<archuser>/.ssh/id_rsa (0x241fb90)
debug2: key: /home/<archuser>/.ssh/id_dsa ((nil))
debug2: key: /home/<archuser>/.ssh/id_ecdsa ((nil))
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred keyboard-interactive,password
debug1: No more authentication methods to try.
Permission denied (publickey).

Many thanks for an assistance.

Last edited by 1080p (2011-08-05 01:37:08)


Lean 'n mean:
Motherbord: Intel DH67CL, Processor: Intel i5 2500, RAM: Corsair DDR3 4GB (x2), SSD: Intel X-25M 80GB

Offline

#2 2011-07-16 10:49:50

1080p
Member
From: New Zealand
Registered: 2011-04-24
Posts: 10

Re: SSH Publickey Configuration [SOLVED]

To be clear, I created the key with the command 'ssh-keygen -b 4096' and haven't touched my local ssh_config file at all. I have also tried using a key created simply with 'ssh-keygen'.

debug3: Incorrect RSA1 identifier
debug3: Could not load "/home/<archuser>/.ssh/id_rsa" as a RSA1 public key

My private key begins like this:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,DE0B34C4BCD435D90C7FF79D1139D765

LKdceolb0D...

But in general I have usually seen keys look like this:

-----BEGIN RSA PRIVATE KEY-----
LKdceolb0D...

I tried editing out the Proc-Type and Dek-Info lines but got the same error.


Lean 'n mean:
Motherbord: Intel DH67CL, Processor: Intel i5 2500, RAM: Corsair DDR3 4GB (x2), SSD: Intel X-25M 80GB

Offline

#3 2011-07-16 10:59:08

hexanol
Member
From: Canaduh
Registered: 2009-08-04
Posts: 95

Re: SSH Publickey Configuration [SOLVED]

What happens if you try to connect to your server with the following command:

ssh -o PreferredAuthentications=publickey <hostname>

Offline

#4 2011-07-16 11:32:24

1080p
Member
From: New Zealand
Registered: 2011-04-24
Posts: 10

Re: SSH Publickey Configuration [SOLVED]

I get the same error (command "ssh -vvv -o PreferredAuthentications=publickey -p <port> <user>@<host>") as before. I am assuming that there is an error locally as this is the same in every log:

debug3: Incorrect RSA1 identifier
debug3: Could not load "/home/<archuser>/.ssh/id_rsa" as a RSA1 public key

The remote /var/log/auth.log does not report any abnormalities that I can see when I 'tail -f' it and attempt to connect.

I'm going to attempt to connect from a Windows box (PuTTY) in the morning and see if I am still refused.


Lean 'n mean:
Motherbord: Intel DH67CL, Processor: Intel i5 2500, RAM: Corsair DDR3 4GB (x2), SSD: Intel X-25M 80GB

Offline

#5 2011-07-16 12:29:23

Spider.007
Member
Registered: 2004-06-20
Posts: 1,170

Re: SSH Publickey Configuration [SOLVED]

You are focusing on your private key, but the error clearly states a problem with your public key?

Are you sure the public-key is correctly generated and installed?

Offline

#6 2011-07-16 12:32:19

hexanol
Member
From: Canaduh
Registered: 2009-08-04
Posts: 95

Re: SSH Publickey Configuration [SOLVED]

I wouldn't be worried by the "Incorrect RSA1 identifier" message, i.e.:

debug3: Incorrect RSA1 identifier
debug3: Could not load "/home/<archuser>/.ssh/id_rsa" as a RSA1 public key

All that this means is that your id_rsa file is not an RSA1 public key, which is a good thing since RSA1 public key are only used for protocol version 1 of SSH and are mostly a thing of the past. So this is really not something to worry.

What you should be worried is the following lines:

debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred keyboard-interactive,password
debug1: No more authentication methods to try.
Permission denied (publickey).

This means that you can only authenticate via publickey to the server but that it seems like your client is configured to only try to authenticate with "keyboard-interactive" and password, so it gives up.

You can compare this with what I'm getting when I ssh to my local box (via publickey):

debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred publickey
debug3: authmethod_lookup publickey
debug3: remaining preferred: 
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey

And by the way I have the exact same message about the incorrect RSA1 identifier, and this is not causing a problem. That said, are you getting the exact same message when you try to force authentication via publickey with the '-o PreferredAuthentications=publickey" option ?

Offline

#7 2011-07-16 14:41:41

Leonid.I
Member
From: Aethyr
Registered: 2009-03-22
Posts: 999

Re: SSH Publickey Configuration [SOLVED]

I agree with hexanol. You should start afresh: remove everything in /etc/ssh except configs, restart the daemon, and regenerate your keys. Also, what do you have in your ~/.ssh?


Arch Linux is more than just GNU/Linux -- it's an adventure
pkill -9 systemd

Offline

#8 2011-07-18 05:14:07

cookiecaper
Member
Registered: 2007-09-22
Posts: 197

Re: SSH Publickey Configuration [SOLVED]

For the record, if you're trying to connect to a new SSH server, make sure your /etc/hosts.allow file is correct. I just had this issue and thought it was related to those RSA messages, but it is actually related to the new server dropping the connection in accordance with hosts.deny/hosts.allow. So, for anyone who has wandered here, before you delete your whole .ssh directory (especially if your keys are used and valuable), make sure your /etc/hosts.* files are correct.

Offline

#9 2011-07-27 04:08:33

1080p
Member
From: New Zealand
Registered: 2011-04-24
Posts: 10

Re: SSH Publickey Configuration [SOLVED]

Cheers for the replies, I am still hacking away at this. My /etc/hosts.allow and hosts.deny files are empty (other than default commented instructions) and I am assuming this is normal.

I have removed everything from my (local) ~/.ssh except known_hosts, entirely rebuilt the remote Debian box (I had lost count of the edits/hacks I had made on it) and regenerated my keys to try again.

Interestingly, I attempted a public key login before changing the default sshd_config file and it worked perfectly.

I edit the sshd_config file to what I want (the same as the first post) and try again:

debug1: Host '<remote host>' is known and matches the RSA host key.
debug1: Found key in /home/<archuser>/.ssh/known_hosts:1
Host key fingerprint is <snip>
<random ascii art>

debug2: bits set: 528/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/<archuser>/.ssh/id_rsa (0x19a5ff0)
debug2: key: /home/<archuser>/.ssh/id_dsa ((nil))
debug2: key: /home/<archuser>/.ssh/id_ecdsa ((nil))
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/<archuser>/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/<archuser>/.ssh/id_dsa
debug3: no such identity: /home/<archuser>/.ssh/id_dsa
debug1: Trying private key: /home/<archuser>/.ssh/id_ecdsa
debug3: no such identity: /home/<archuser>/.ssh/id_ecdsa
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey).

I am guessing there is something wrong with my config somewhere.


Lean 'n mean:
Motherbord: Intel DH67CL, Processor: Intel i5 2500, RAM: Corsair DDR3 4GB (x2), SSD: Intel X-25M 80GB

Offline

#10 2011-07-27 04:12:09

1080p
Member
From: New Zealand
Registered: 2011-04-24
Posts: 10

Re: SSH Publickey Configuration [SOLVED]

Aargh, I post this and double check the remote sshd_config file; I still had 'AllowedUsers <user>'. Everything works as it should. This can be marked as solved.


Lean 'n mean:
Motherbord: Intel DH67CL, Processor: Intel i5 2500, RAM: Corsair DDR3 4GB (x2), SSD: Intel X-25M 80GB

Offline

#11 2011-07-27 18:43:36

Stebalien
Member
Registered: 2010-04-27
Posts: 1,237
Website

Re: SSH Publickey Configuration [SOLVED]

1080p wrote:

Aargh, I post this and double check the remote sshd_config file; I still had 'AllowedUsers <user>'. Everything works as it should. This can be marked as solved.

You have to mark it as solved (edit the title in the first post).


Steven [ web : git ]
GPG:  327B 20CE 21EA 68CF A7748675 7C92 3221 5899 410C
Do not email: honeypot@stebalien.com

Offline

Board footer

Powered by FluxBB