[gentoo-user] [perhaps OT] ssh from Gentoo into a RedHat server

[gentoo-user] [perhaps OT] ssh from Gentoo into a RedHat server

[Mick]

[-- Attachment #1: Type: text/plain, Size: 1215 bytes --]

Hi All,

I am trying to ssh into a RH server (CentOS) using pubkey authentication and 
this is what I am getting back:
==============================
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: publickey
debug1: Trying private key: /home/michael/.ssh/id_rsa
debug1: Offering public key: /home/michael/.ssh/id_dsa
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: password
==============================

I find it confusing.  First of all I do not have a id_rsa.  Second, my id_dsa 
is my private key not my public key.  My public key is id_dsa.pub

Is this a server configuration issue, or something to do with my Gentoo set 
up?

PS. Not sure if this is relevant but although my user name on the server is 
mick, for reasons better known to him the sysadmin has created my home 
directory as /home/mic - could it be that sshd is looking for /home/mick?
-- 
Regards,
Mick

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-user] [perhaps OT] ssh from Gentoo into a RedHat server

[Fabio]

Hello Mick mic ! :D

On 30/05/07, Mick <michaelkintzios@gmail.com> wrote:
> Hi All,
> debug1: Next authentication method: publickey
> debug1: Trying private key: /home/michael/.ssh/id_rsa
> debug1: Offering public key: /home/michael/.ssh/id_dsa
I am not sure if you know the publickey authentication method, so
there goes an unnecessary explanation:

If you register the id_dsa.pub contents in the file
/home/mic/.ssh/authorized_keys in the server, then the publickey
authentication method returns success, what means, you enter the
server without typing your password. The debug messages suggest that
publickey method failed because you did not register the key.

> debug1: Authentications that can continue: publickey,gssapi-with-mic,password
> debug1: Next authentication method: password
> ==============================
>
> I find it confusing.  First of all I do not have a id_rsa.
You can generate one with the command ssh-keygen and using the default
statements.

> Second, my id_dsa
> is my private key not my public key.  My public key is id_dsa.pub
No problem, ssh respects that completely.

> Is this a server configuration issue, or something to do with my Gentoo set
> up?
>
> PS. Not sure if this is relevant but although my user name on the server is
> mick, for reasons better known to him the sysadmin has created my home
> directory as /home/mic - could it be that sshd is looking for /home/mick?
sshd looks into /home/mic on the server side.

> Regards,
> Mick

Cheers!


-- 
Fabio A. Correa D.

Physics Dept, Universidad Nacional, Bogota, Colombia
facorread@gmail.com
ffaaccdd@yahoo.co.uk         facorread@unal.edu.co
My webpage and OpenPGP key at http://facorread.150m.com
My alexandria.cc address is not available anymore.
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] [perhaps OT] ssh from Gentoo into a RedHat server

[Mauro Faccenda]

On Wednesday 30 May 2007 16:57, Mick wrote:
> Hi All,
>
[...]
>
> I find it confusing.  First of all I do not have a id_rsa.

it tries the default keys (id_rsa or id_dsa), if exists. if you don't want it 
to try it, you can use the -i parameter to ssh pointing to your private key 
(ssh -i ~/.ssh/id_dsa <user>@<server>),

> Second, my id_dsa is my private key not my public key.  My public key is 
> id_dsa.pub 

but you will need your private key to be authenticated. that's why it is 
*private*.

> Is this a server configuration issue, or something to do with my Gentoo set
> up?

ana in the server you'll need to put your *public* key into 
~/.ssh/authorized_keys file.

> PS. Not sure if this is relevant but although my user name on the server is
> mick, for reasons better known to him the sysadmin has created my home
> directory as /home/mic - could it be that sshd is looking for /home/mick?

that messages isn't from the server, is from client running locally. but it 
doesnt matter for what you want.

[]'s
	.m
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] [perhaps OT] ssh from Gentoo into a RedHat server

[Mick]

[-- Attachment #1: Type: text/plain, Size: 1743 bytes --]

On Wednesday 30 May 2007 21:12, Fabio wrote:
> Hello Mick mic ! :D
>
> On 30/05/07, Mick <michaelkintzios@gmail.com> wrote:
> > Hi All,
> > debug1: Next authentication method: publickey
> > debug1: Trying private key: /home/michael/.ssh/id_rsa
> > debug1: Offering public key: /home/michael/.ssh/id_dsa
>
> I am not sure if you know the publickey authentication method, so
> there goes an unnecessary explanation:
>
> If you register the id_dsa.pub contents in the file
> /home/mic/.ssh/authorized_keys in the server, then the publickey
> authentication method returns success, what means, you enter the
> server without typing your password. The debug messages suggest that
> publickey method failed because you did not register the key.

Thanks for the explanation.  I had already created an authorized_keys file 
in /home/mic/.ssh and pasted my id_dsa.pub key in there.  Then checked that 
there was nothing untoward in the /etc/ssh/sshd_config file and restarted the 
sshd service.

> > debug1: Authentications that can continue:
> > publickey,gssapi-with-mic,password debug1: Next authentication method:
> > password
> > ==============================
> >
> > I find it confusing.  First of all I do not have a id_rsa.
>
> You can generate one with the command ssh-keygen and using the default
> statements.

Sure, but I don't need an rsa key.  I am happy using my dsa key for now.

> > Second, my id_dsa
> > is my private key not my public key.  My public key is id_dsa.pub
>
> No problem, ssh respects that completely.

I know that it does.  What I don't know is why the debug message 
says: "Offering public key: /home/michael/.ssh/id_dsa" when id_dsa is a 
private key.
-- 
Regards,
Mick

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-user] [perhaps OT] ssh from Gentoo into a RedHat server

[Mick]

[-- Attachment #1: Type: text/plain, Size: 2556 bytes --]

On Wednesday 30 May 2007 21:42, Mauro Faccenda wrote:
> On Wednesday 30 May 2007 16:57, Mick wrote:

> > I find it confusing.  First of all I do not have a id_rsa.
>
> it tries the default keys (id_rsa or id_dsa), if exists. 

id_rsa does not exist in my local /home/michael/.ssh/ only id_dsa is there and 
the public key that I have saved in /home/mic/.ssh/authorized_keys on the 
server is my corresponding id_dsa.pub.

> if you don't want 
> it to try it, you can use the -i parameter to ssh pointing to your private
> key (ssh -i ~/.ssh/id_dsa <user>@<server>),

Trying with the -i option also fails:
======================================
 $ ssh -v -p 22 -i /home/michael/.ssh/id_dsa mick@<blah-blah>
[snip]
debug1: Found key in /home/michael/.ssh/known_hosts:18
debug1: ssh_rsa_verify: signature correct
debug1: Enabling compression at level 6.
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/michael/.ssh/id_dsa
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: password
======================================

> > Second, my id_dsa is my private key not my public key.  My public key is
> > id_dsa.pub
>
> but you will need your private key to be authenticated. that's why it is
> *private*.

That's right, so why does it:
======================================
debug1: Trying private key: /home/michael/.ssh/id_rsa <--this doesn't exist
debug1: Offering public key: /home/michael/.ssh/id_dsa <--this is my private 
key
======================================
> > Is this a server configuration issue, or something to do with my Gentoo
> > set up?
>
> ana in the server you'll need to put your *public* key into
> ~/.ssh/authorized_keys file.

I have of course done this first.

> > PS. Not sure if this is relevant but although my user name on the server
> > is mick, for reasons better known to him the sysadmin has created my home
> > directory as /home/mic - could it be that sshd is looking for /home/mick?
>
> that messages isn't from the server, is from client running locally. but it
> doesnt matter for what you want.

It matters if the server is trying to find id_dsa.pub in a non-existing 
directory.
-- 
Regards,
Mick

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-user] [perhaps OT] ssh from Gentoo into a RedHat server

[Mauro Faccenda]

On Thursday 31 May 2007 07:42, Mick wrote:
> On Wednesday 30 May 2007 21:42, Mauro Faccenda wrote:
> > On Wednesday 30 May 2007 16:57, Mick wrote:
> > > I find it confusing.  First of all I do not have a id_rsa.
> >
> > it tries the default keys (id_rsa or id_dsa), if exists.
>
> id_rsa does not exist in my local /home/michael/.ssh/ only id_dsa is there
> and the public key that I have saved in /home/mic/.ssh/authorized_keys on
> the server is my corresponding id_dsa.pub.
>
> > if you don't want
> > it to try it, you can use the -i parameter to ssh pointing to your
> > private key (ssh -i ~/.ssh/id_dsa <user>@<server>),
>
> Trying with the -i option also fails:
> ======================================
>  $ ssh -v -p 22 -i /home/michael/.ssh/id_dsa mick@<blah-blah>
> [snip]
> debug1: Found key in /home/michael/.ssh/known_hosts:18
> debug1: ssh_rsa_verify: signature correct
> debug1: Enabling compression at level 6.
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug1: SSH2_MSG_NEWKEYS received
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug1: Authentications that can continue:
> publickey,gssapi-with-mic,password debug1: Next authentication method:
> publickey
> debug1: Offering public key: /home/michael/.ssh/id_dsa
> debug1: Authentications that can continue:
> publickey,gssapi-with-mic,password debug1: Next authentication method:
> password
> ======================================

that's strange.

which version of openssh do you use in the server and the client?
mine:
client: OpenSSH_4.5p1
server: OpenSSH_4.4p1

here mine output doing ssh to a server with only key authentication enabled:

i don't have the id_dsa.pub in my local machine too.

=======================================
debug1: Found key in /home/faccenda/.ssh/known_hosts:8
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: id_dsa
debug1: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
Enter passphrase for key 'id_dsa':
=======================================

the failed part was because my key is password protected, so it asks me.

> That's right, so why does it:
> ======================================
> debug1: Trying private key: /home/michael/.ssh/id_rsa <--this doesn't exist
> debug1: Offering public key: /home/michael/.ssh/id_dsa <--this is my
> private key
> ======================================

i didn't noticed this line... really strange.

how your id_dsa was created? is it corrupted or does it has a public key on it 
instead?

you should try creating your key pair again with:

$ ssh-keygen -t dsa

i would like to see the content of this file (or, at least the "headers"), but 
its a PRIVATE key. ;)

the "headers" of mine:

-----BEGIN DSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,933FEB2C1C691496


> > > PS. Not sure if this is relevant but although my user name on the
> > > server is mick, for reasons better known to him the sysadmin has
> > > created my home directory as /home/mic - could it be that sshd is
> > > looking for /home/mick?
> >
> > that messages isn't from the server, is from client running locally. but
> > it doesnt matter for what you want.
>
> It matters if the server is trying to find id_dsa.pub in a non-existing
> directory.

but as i said, that message isn't from the server. being a redhat, i suppose 
that it uses redhat with more less the default configuration, that tries to 
read your public key on your user home in the server (~/.ssh/authorized_users 
or ~/.ssh/authorized_users2). and openssh knows where to look at. even when 
the home of the user isn't the default which is your case, right?

hope it helps,
	.m
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] [perhaps OT] ssh from Gentoo into a RedHat server

[Hans-Werner Hilse]

Hi,

On Thu, 31 May 2007 11:42:48 +0100 Mick <michaelkintzios@gmail.com>
wrote:

> > > Second, my id_dsa is my private key not my public key.  My public
> > > key is id_dsa.pub
> >
> > but you will need your private key to be authenticated. that's why
> > it is *private*.
> 
> That's right, so why does it:
> ======================================
> debug1: Trying private key: /home/michael/.ssh/id_rsa <--this doesn't exist
> debug1: Offering public key: /home/michael/.ssh/id_dsa <--this is my private key
> ======================================

What is wrong with that? It just says it is trying to access id_rsa,
not that there is one. So it fails, of course. So not existing key
isn't a matter here. It's _debugging_ output, so not necessarily
important information.

Using the private key is absolutely normal. A test message is encrypted
using it and is then being sent to the server, hence the term "offering".

I don't see what you are wondering about here.

> > > PS. Not sure if this is relevant but although my user name on the
> > > server is mick, for reasons better known to him the sysadmin has
> > > created my home directory as /home/mic - could it be that sshd is
> > > looking for /home/mick?
> >
> > that messages isn't from the server, is from client running
> > locally. but it doesnt matter for what you want.
> 
> It matters if the server is trying to find id_dsa.pub in a
> non-existing directory.

But it _is_ a client message. It doesn't tell you where the server is
searching. So yes, the server might be off track and searching in the
wrong place. You could tell by monitoring the server's logs.

sshd will always search in the home directory as specified
in /etc/passwd (in the normal case) or more sophisticated solutions
like LDAP or NSS. So make sure it really *is* configured as the home
directory.

If the target server is ancient, it might also be searching in
".ssh/authorized_keys2". Maybe DSA auth is disabled. Why don't you
check server side logs (or let your sysadmin do that)?

-hwh
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] [perhaps OT] ssh from Gentoo into a RedHat server

[Randy Barlow]

Mauro Faccenda wrote:
> being a redhat, i suppose 
> that it uses redhat with more less the default configuration, that tries to 
> read your public key on your user home in the server (~/.ssh/authorized_users 
> or ~/.ssh/authorized_users2).

This is something I've wondered about for a while - what's the 
difference between authorized_users and authorized_users2?

R

-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] [perhaps OT] ssh from Gentoo into a RedHat server

[Hans-Werner Hilse]

Hi,

On Thu, 31 May 2007 09:08:38 -0400 Randy Barlow
<randy@electronsweatshop.com> wrote:

> Mauro Faccenda wrote:
> > being a redhat, i suppose 
> > that it uses redhat with more less the default configuration, that
> > tries to read your public key on your user home in the server
> > (~/.ssh/authorized_users or ~/.ssh/authorized_users2).
> 
> This is something I've wondered about for a while - what's the 
> difference between authorized_users and authorized_users2?

I think this is some compatibility cruft from the first sshd versions
using the protocol version 2. Comments in "pathnames.h" from the
OpenSSH distribution indicate that, too.

-hwh
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] [perhaps OT] ssh from Gentoo into a RedHat server

[Mauro Faccenda]

On Thursday 31 May 2007 09:38, Hans-Werner Hilse wrote:
> wrote:
> > > > Second, my id_dsa is my private key not my public key.  My public
> > > > key is id_dsa.pub
> > >
> > > but you will need your private key to be authenticated. that's why
> > > it is *private*.
> >
> > That's right, so why does it:
> > ======================================
> > debug1: Trying private key: /home/michael/.ssh/id_rsa <--this doesn't
> > exist debug1: Offering public key: /home/michael/.ssh/id_dsa <--this is
> > my private key ======================================
>
> What is wrong with that? It just says it is trying to access id_rsa,
> not that there is one. So it fails, of course. So not existing key
> isn't a matter here. It's _debugging_ output, so not necessarily
> important information.
>
> Using the private key is absolutely normal. A test message is encrypted
> using it and is then being sent to the server, hence the term "offering".
>
> I don't see what you are wondering about here.

what's wrong there is that it's saying that id_dsa is a PUBLIC key. ;)

[]'s
	.m
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] [perhaps OT] ssh from Gentoo into a RedHat server

[Mick]

[-- Attachment #1: Type: text/plain, Size: 2006 bytes --]

On Thursday 31 May 2007 13:14, Mauro Faccenda wrote:
> On Thursday 31 May 2007 07:42, Mick wrote:
> > On Wednesday 30 May 2007 21:42, Mauro Faccenda wrote:
[snip]
> > debug1: Offering public key: /home/michael/.ssh/id_dsa
> > debug1: Authentications that can continue:
> > publickey,gssapi-with-mic,password debug1: Next authentication method:
> > password
> > ======================================
>
> that's strange.
>
> which version of openssh do you use in the server and the client?
> mine:
> client: OpenSSH_4.5p1
> server: OpenSSH_4.4p1

Installed versions:  4.5_p1-r1(19:45:58 02/23/07)
(X -X509 -chroot -hpn -kerberos ldap -libedit 
pam -selinux -skey -smartcard -static tcpd)

> > That's right, so why does it:
> > ======================================
> > debug1: Trying private key: /home/michael/.ssh/id_rsa <--this doesn't
> > exist debug1: Offering public key: /home/michael/.ssh/id_dsa <--this is
> > my private key
> > ======================================
>
> i didn't noticed this line... really strange.
>
> how your id_dsa was created? is it corrupted or does it has a public key on
> it instead?

It was created with 'ssh-keygen -t dsa'.

> you should try creating your key pair again with:
>
> $ ssh-keygen -t dsa

I would, but it seems to work fine with other servers, hence the point of this 
thread.  What I am going to try out nevertheless is generating an RSA key and 
see if the server accepts it.  Perhaps as Hans-Werner suggested the server 
may have been configured to only use dsa keys (I find this odd, but I don't 
know much about RH).

> i would like to see the content of this file (or, at least the "headers"),
> but its a PRIVATE key. ;)
>
> the "headers" of mine:
>
> -----BEGIN DSA PRIVATE KEY-----
> Proc-Type: 4,ENCRYPTED
> DEK-Info: DES-EDE3-CBC,933FEB2C1C691496

This is mine:

-----BEGIN DSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC, XXXXXXXXXXX[snip]

-- 
Regards,
Mick

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-user] [perhaps OT] ssh from Gentoo into a RedHat server

[Mick]

[-- Attachment #1: Type: text/plain, Size: 1471 bytes --]


On 31/05/07, Mick <michaelkintzios@gmail.com> wrote:
> On Thursday 31 May 2007 13:14, Mauro Faccenda wrote:

> > you should try creating your key pair again with:
> >
> > $ ssh-keygen -t dsa
> 
> I would, but it seems to work fine with other servers, hence the point of this
> thread.  What I am going to try out nevertheless is generating an RSA key and
> see if the server accepts it.  Perhaps as Hans-Werner suggested the server
> may have been configured to only use dsa keys (I find this odd, but I don't
> know much about RH).

Not sure if this server has been configured to only use its own generated keys (is this possible?) because it will not accept a new RSA key of mine:

==========================================
debug1: Found key in /home/michael/.ssh/known_hosts:18
debug1: ssh_rsa_verify: signature correct
debug1: Enabling compression at level 6.
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: publickey
debug1: Offering public key: .ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: password
==========================================

It think it's high time I have words with the sysadmin - wish me luck.  ;-)

-- 
Regards,
Mick

[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/pkcs7-signature, Size: 1929 bytes --]

Re: [gentoo-user] [perhaps OT] ssh from Gentoo into a RedHat server

[Randy Barlow]

On Thu, May 31, 2007 2:28 pm, Mick wrote:
> Aha! We're getting somewhere.  There's no /home/mic specified in
> /etc/passwd
> but /:
>
> mick:x:502:10::/:/bin/bash
>
> What do you make of this?!

That's surely not right, try changing it to

mick:x:502:10::/home/mic:/bin/bash

-- 
Randy Barlow
http://www.electronsweatshop.com
"Oh me of little faith..."
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] [perhaps OT] ssh from Gentoo into a RedHat server

[Hans-Werner Hilse]

Hi,

On Thu, 31 May 2007 19:28:09 +0100
Mick <michaelkintzios@gmail.com> wrote:

> > sshd will always search in the home directory as specified
> > in /etc/passwd (in the normal case) or more sophisticated solutions
> > like LDAP or NSS. So make sure it really *is* configured as the home
> > directory.
> 
> Aha! We're getting somewhere.  There's no /home/mic specified in /etc/passwd 
> but /:
> 
> mick:x:502:10::/:/bin/bash
> 
> What do you make of this?!

LART your admin :-) and be sure he/she corrects that to read the "real"
homedir instead... (well, you could just use / as your home, but I
guess your admin didn't give you rights to write stuff there...) All
the details in "man 5 passwd".

For obvious reasons, specifying your home dir from SSH client side upon
connection is not possible. Otherwise, a lot of public keys for the
root account would be lingerin' around in /tmp, I guess ;-)

-hwh

-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] [perhaps OT] ssh from Gentoo into a RedHat server

[Mick]

[-- Attachment #1: Type: text/plain, Size: 834 bytes --]

On Thursday 31 May 2007 20:05, Hans-Werner Hilse wrote:

> On Thu, 31 May 2007 19:28:09 +0100 Mick <michaelkintzios@gmail.com> wrote:

> > Aha! We're getting somewhere.  There's no /home/mic specified in
> > /etc/passwd but /:
> >
> > mick:x:502:10::/:/bin/bash
> >
> > What do you make of this?!
>
> LART your admin :-) and be sure he/she corrects that to read the "real"
> homedir instead... (well, you could just use / as your home, but I
> guess your admin didn't give you rights to write stuff there...) All
> the details in "man 5 passwd".

LART him indeed (although I found out that it was the server owner and friend 
of mine that changed all these settings using webmin.  Aaarghh!)

I am grateful for your help.  After I changed the user home directory it's all 
working nicely.  :)
-- 
Regards,
Mick

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]