* [gentoo-user] Cannot login with publickey on sshd
From: Mick @ 2008-11-28 23:53 UTC
To: gentoo-user
Hi All,
For some reason my Gentoo rsa public key is not liked by 3.9p1-11.el4_7 sshd,
which is running on a CentOS server. On the Gentoo machine I am running
net-misc/openssh-5.1_p1-r1. This is what it shows:
===================================================
debug1: fd 3 clearing O_NONBLOCK
debug1: Connection established.
debug3: timeout: 14835 ms remain after connect
debug3: Not a RSA1 key file /home/michael/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'Proc-Type:'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'DEK-Info:'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/michael/.ssh/id_rsa type 1
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.9p1
debug1: match: OpenSSH_3.9p1 pat OpenSSH_3.*
debug1: Remote is NON-HPN aware
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1p1-hpn13v5
....
debug3: check_host_in_hostfile: filename /home/michael/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 17
debug1: Host '[XXXXXXXXXX]:22' is known and matches the RSA host key.
debug1: Found key in /home/michael/.ssh/known_hosts:17
debug2: bits set: 496/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: Enabling compression at level 6.
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/michael/.ssh/id_rsa (XXXXXXXX)
debug1: Authentications that can continue:
publickey,gssapi-with-mic,password,keyboard-interactive
debug3: start over, passed a different list
publickey,gssapi-with-mic,password,keyboard-interactive
debug3: preferred publickey
debug3: authmethod_lookup publickey
debug3: remaining preferred:
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-with-mic,password,keyboard-interactive).
===================================================
The above response and bail out without authenticating happens when I pass the
option:
-o PreferredAuthentications=publickey
Otherwise, it goes through the above responses and then asks for the user's
passwd. I have had no problems to date using pubkey on other Gentoo, Ubuntu
and FreeBSD machines. Can you see anything that makes sense in the above
CentOS response? Is there a fix?
--
Regards,
Mick
* Re: [gentoo-user] Cannot login with publickey on sshd
From: Eric Martin @ 2008-11-29 5:28 UTC
To: gentoo-user
Mick wrote:
> Hi All,
>
> For some reason my Gentoo rsa public key is not liked by 3.9p1-11.el4_7 sshd,
> which is running on a CentOS server. On the Gentoo machine I am running
> net-misc/openssh-5.1_p1-r1. This is what it shows:
> ===================================================
> debug1: fd 3 clearing O_NONBLOCK
> debug1: Connection established.
> debug3: timeout: 14835 ms remain after connect
> debug3: Not a RSA1 key file /home/michael/.ssh/id_rsa.
> debug2: key_type_from_name: unknown key type '-----BEGIN'
>
It sounds like you're using a pgp public key, is this on purpose?
AFAIK, you need to convert pgp keys -> openssh keys before you use
them. Have you tried making a public key via ssh-keygen?
* Re: [gentoo-user] Cannot login with publickey on sshd
From: Mick @ 2008-11-29 12:27 UTC
To: gentoo-user
On Saturday 29 November 2008, Eric Martin wrote:
> Mick wrote:
> > Hi All,
> >
> > For some reason my Gentoo rsa public key is not liked by 3.9p1-11.el4_7
> > sshd, which is running on a CentOS server. On the Gentoo machine I am
> > running net-misc/openssh-5.1_p1-r1. This is what it shows:
> > ===================================================
> > debug1: fd 3 clearing O_NONBLOCK
> > debug1: Connection established.
> > debug3: timeout: 14835 ms remain after connect
> > debug3: Not a RSA1 key file /home/michael/.ssh/id_rsa.
> > debug2: key_type_from_name: unknown key type '-----BEGIN'
>
> It sounds like you're using a pgp public key, is this on purpose?
> AFAIK, you need to convert pgp keys -> openssh keys before you use
> them. Have you tried making a public key via ssh-keygen?
Thanks Eric,
The "------BEGIN" string is I believe from the private key generated using
ssh-keygen. It looks like this:
=================================================
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC, XXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX... etc.
=================================================
where "XXXXX" is the hash of the key.
The public key starts with:
=================================================
ssh-rsa XXXXXXXXXXXXXXXXXXXXX...etc
=================================================
As I mentioned the same ssh key pair seems to work fine with other servers.
--
Regards,
Mick
* Re: [gentoo-user] Cannot login with publickey on sshd
From: Eric Martin @ 2008-12-01 4:27 UTC
To: gentoo-user
Mick wrote:
> On Saturday 29 November 2008, Eric Martin wrote:
>
>> Mick wrote:
>>
>>> Hi All,
>>>
>>> For some reason my Gentoo rsa public key is not liked by 3.9p1-11.el4_7
>>> sshd, which is running on a CentOS server. On the Gentoo machine I am
>>> running net-misc/openssh-5.1_p1-r1. This is what it shows:
>>> ===================================================
>>> debug1: fd 3 clearing O_NONBLOCK
>>> debug1: Connection established.
>>> debug3: timeout: 14835 ms remain after connect
>>> debug3: Not a RSA1 key file /home/michael/.ssh/id_rsa.
>>> debug2: key_type_from_name: unknown key type '-----BEGIN'
>>>
>> It sounds like you're using a pgp public key, is this on purpose?
>> AFAIK, you need to convert pgp keys -> openssh keys before you use
>> them. Have you tried making a public key via ssh-keygen?
>>
>
> Thanks Eric,
>
> The "------BEGIN" string is I believe from the private key generated using
> ssh-keygen. It looks like this:
> =================================================
>
> -----BEGIN RSA PRIVATE KEY-----
> Proc-Type: 4,ENCRYPTED
> DEK-Info: DES-EDE3-CBC, XXXXXXXXXXXX
>
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX... etc.
> =================================================
>
> where "XXXXX" is the hash of the key.
>
> The public key starts with:
> =================================================
> ssh-rsa XXXXXXXXXXXXXXXXXXXXX...etc
> =================================================
>
> As I mentioned the same ssh key pair seems to work fine with other servers.
>
What did you use to generate the key? Also, what does the client /
server say for the key fail?
* Re: [gentoo-user] Cannot login with publickey on sshd
From: Mick @ 2008-12-01 6:53 UTC
To: gentoo-user
On Monday 01 December 2008, Eric Martin wrote:
> What did you use to generate the key? Also, what does the client /
> server say for the key fail?
I used something like: ssh-keygen -v -t rsa -b 2048. I have even generated a
second key pair and tried that too, with no success.
The client messages are in the first message I sent to the list - basically
showing this:
====================================================
debug1: Connection established.
debug3: timeout: 14828 ms remain after connect
debug3: Not a RSA1 key file /home/michael/.ssh/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'Proc-Type:'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'DEK-Info:'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
. . .
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
====================================================
The server messages are shown here:
http://pastebin.centos.org/22705
--
Regards,
Mick
* Re: [gentoo-user] Cannot login with publickey on sshd
From: Mick @ 2008-12-02 6:35 UTC
To: gentoo-user
On Monday 01 December 2008, Mick wrote:
> On Monday 01 December 2008, Eric Martin wrote:
> > What did you use to generate the key? Also, what does the client /
> > server say for the key fail?
>
> I used something like: ssh-keygen -v -t rsa -b 2048. I have even generated
> a second key pair and tried that too, with no success.
>
> The client messages are in the first message I sent to the list - basically
> showing this:
> ====================================================
> debug1: Connection established.
> debug3: timeout: 14828 ms remain after connect
> debug3: Not a RSA1 key file /home/michael/.ssh/.ssh/id_rsa.
> debug2: key_type_from_name: unknown key type '-----BEGIN'
> debug3: key_read: missing keytype
> debug2: key_type_from_name: unknown key type 'Proc-Type:'
> debug3: key_read: missing keytype
> debug2: key_type_from_name: unknown key type 'DEK-Info:'
> debug3: key_read: missing keytype
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> . . .
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug2: key_type_from_name: unknown key type '-----END'
> debug3: key_read: missing keytype
> ====================================================
>
> The server messages are shown here:
>
> http://pastebin.centos.org/22705
I have now also tried to generate a key pair on the server, move the private
key over to the client and then try to login - still no result! :-(
It has to be some sort of incompatibility between the two versions of OpenSSH.
Don't know what else to assume with this problem.
--
Regards,
Mick
* Re: [gentoo-user] Cannot login with publickey on sshd
From: Eric Martin @ 2008-12-18 13:14 UTC
To: gentoo-user
Mick wrote:
> On Monday 01 December 2008, Mick wrote:
>> On Monday 01 December 2008, Eric Martin wrote:
>>> What did you use to generate the key? Also, what does the client /
>>> server say for the key fail?
>> I used something like: ssh-keygen -v -t rsa -b 2048. I have even generated
>> a second key pair and tried that too, with no success.
>>
>> The client messages are in the first message I sent to the list - basically
>> showing this:
>> ====================================================
>> debug1: Connection established.
>> debug3: timeout: 14828 ms remain after connect
>> debug3: Not a RSA1 key file /home/michael/.ssh/.ssh/id_rsa.
>> debug2: key_type_from_name: unknown key type '-----BEGIN'
>> debug3: key_read: missing keytype
>> debug2: key_type_from_name: unknown key type 'Proc-Type:'
>> debug3: key_read: missing keytype
>> debug2: key_type_from_name: unknown key type 'DEK-Info:'
>> debug3: key_read: missing keytype
>> debug3: key_read: missing whitespace
>> debug3: key_read: missing whitespace
>> debug3: key_read: missing whitespace
>> debug3: key_read: missing whitespace
>> debug3: key_read: missing whitespace
>> debug3: key_read: missing whitespace
>> debug3: key_read: missing whitespace
>> debug3: key_read: missing whitespace
>> debug3: key_read: missing whitespace
>> debug3: key_read: missing whitespace
>> debug3: key_read: missing whitespace
>> debug3: key_read: missing whitespace
>> . . .
>> debug3: key_read: missing whitespace
>> debug3: key_read: missing whitespace
>> debug3: key_read: missing whitespace
>> debug3: key_read: missing whitespace
>> debug2: key_type_from_name: unknown key type '-----END'
>> debug3: key_read: missing keytype
>> ====================================================
>>
>> The server messages are shown here:
>>
>> http://pastebin.centos.org/22705
>
> I have now also tried to generate a key pair on the server, move the private
> key over to the client and then try to login - still no result! :-(
>
> It has to be some sort of incompatibility between the two versions of OpenSSH.
> Don't know what else to assume with this problem.
It definitely looks like the server doesn't like your private key. Did
you remember to update (read: add) the public key on the server? Also, I
generated an ssh key using the exact same syntax that you used and my
key looks different than what I can glean about your key. The ---BEGIN,
Proc-Type and DEK-Info lines are in an old dsa key I created, while the
rsa key just says ------------BEGIN RSA PRIVATE KEY--------- followed by
key data. The DSA key says the same, except DSA as opposed to RSA.
From the logs it looks like a formatting issue, given the whitespace
errors. Have you tried loading your key into an agent? Try:
ssh-agent /bin/bash
ssh-add ~/.ssh/id_rsa
This will unlock your key and let that session authenticate for you. It
also has the nice side effect of checking if your private key is a real
private key. The only time I have a problem w/pub/private keys is when
I create them on a windows box and try to export it to ssh. The other
way around always works for me.
HTH
--
Eric Martin
Key fingerprint = D1C4 086E DBB5 C18E 6FDA B215 6A25 7174 A941 3B9F
* Re: [gentoo-user] Cannot login with publickey on sshd
From: Mick @ 2008-12-18 21:17 UTC
To: gentoo-user
On Thursday 18 December 2008, Eric Martin wrote:
> Mick wrote:
> > I have now also tried to generate a key pair on the server, move the
> > private key over to the client and then try to login - still no result!
> > :-(
> >
> > It has to be some sort of incompatibility between the two versions of
> > OpenSSH. Don't know what else to assume with this problem.
>
> It definitely looks like the server doesn't like your private key. Did
> you remember to update (read: add) the public key on the server?
Oops! I forgot about this thread - sorry. I finally found out what was
causing it:
I had an entry for a previous server on the same IP address in the
~/.ssh/config file on the client and had disabled publickey to make the login
faster. On that occasion the server was a router and it did not offer
publickey authentication. After a couple of years I had forgotten all about
it . . .
> The only time I have a problem w/pub/private keys is when
> I create them on a windows box and try to export it to ssh. The other
> way around always works for me.
The MSWindows generated keys will work, either from PuTTY or Cygwin, but you
have to be careful with hard returns at the end of lines (CR/LF). Use
Notepad++ to paste your key in and you should find that it works fine.
--
Regards,
Mick
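The cause found above, a stale ~/.ssh/config entry that switches off publickey for a reused IP address, can be located mechanically. The following is an added example, not part of any message in this thread: a simplified reader for ssh_config that applies the client's rule that the first value obtained for each option wins. The sample config, the address 192.0.2.10 and all function names are constructed for illustration; Match blocks and Include are not evaluated.

```python
import fnmatch
import re

# Constructed sample: line 2 is a stale entry for a router that once had this IP.
SAMPLE_CONFIG = """\
# old router, no pubkey support, skip the method to log in faster
Host 192.0.2.10
    PubkeyAuthentication no
    Compression yes

Host *.example.org 192.0.2.*
    User michael
    PubkeyAuthentication yes

Host *
    PreferredAuthentications publickey,password
"""

# "Keyword value" or "Keyword=value"; keywords are case-insensitive.
OPTION_RE = re.compile(r"(\S+?)(?:\s*=\s*|\s+)(.*)$")
WATCHED = ("pubkeyauthentication", "preferredauthentications")


def host_matches(patterns, target):
    """A Host line applies if any pattern matches and no negated pattern does."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(target, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(target, pat):
            matched = True
    return matched


def effective_options(config_text, target):
    """Return {option: (value, line_number)} using first-obtained-value-wins."""
    active = True  # options before the first Host line apply to every host
    found = {}
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPTION_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            active = host_matches(value.split(), target)
        elif key == "match":
            active = False  # simplification: Match blocks are skipped
        elif active and key in WATCHED and key not in found:
            found[key] = (value, lineno)
    return found


def pubkey_blockers(config_text, target):
    """List the config lines that stop the client from offering a key."""
    opts = effective_options(config_text, target)
    problems = []
    value, lineno = opts.get("pubkeyauthentication", ("yes", 0))
    if value.lower() == "no":
        problems.append(f"line {lineno}: PubkeyAuthentication no")
    value, lineno = opts.get("preferredauthentications", ("publickey", 0))
    if "publickey" not in [m.strip().lower() for m in value.split(",")]:
        problems.append(f"line {lineno}: PreferredAuthentications omits publickey")
    return problems


if __name__ == "__main__":
    for host in ("192.0.2.10", "192.0.2.11"):
        print(host, pubkey_blockers(SAMPLE_CONFIG, host) or "publickey allowed")
```

On OpenSSH 6.8 and later, `ssh -G <host>` prints the options the client would actually use, which answers the same question without a parser.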
* Re: [gentoo-user] Cannot login with publickey on sshd
From: Alan McKinnon @ 2008-12-18 21:34 UTC
To: gentoo-user
On Thursday 18 December 2008 23:17:13 Mick wrote:
> > The only time I have a problem w/pub/private keys is when
> > I create them on a windows box and try to export it to ssh. The other
> > way around always works for me.
>
> The MSWindows generated keys will work, either from PuTTY or Cygwin, but
> you have to be careful with hard returns at the end of lines (CR/LF). Use
> Notepad++ to paste your key in and you should find that it works fine.
PuTTY comes with a utility to convert its keys to openssh format. I insist my
PuTTY users do this themselves before they send me the public key to be
deployed on the servers. It works well for me - if they get stroppy and don't
do this, they don't get access <shrug>
--
alan dot mckinnon at gmail dot com
* Re: [gentoo-user] Cannot login with publickey on sshd
From: Eric Martin @ 2008-12-18 22:59 UTC
To: gentoo-user
Great to hear that the problem is solved! I've used puttygen before
to convert keys (both ways) but when I used it the other day to create
a key on windows & convert it wouldn't work. Oh well!
On 12/18/08, Alan McKinnon <alan.mckinnon@gmail.com> wrote:
> On Thursday 18 December 2008 23:17:13 Mick wrote:
>> > The only time I have a problem w/pub/private keys is when
>> > I create them on a windows box and try to export it to ssh. The other
>> > way around always works for me.
>>
>> The MSWindows generated keys will work, either from PuTTY or Cygwin, but
>> you have to be careful with hard returns at the end of lines (CR/LF). Use
>> Notepad++ to paste your key in and you should find that it works fine.
>
> PuTTY comes with a utility to convert its keys to openssh format. I insist
> my PuTTY users do this themselves before they send me the public key to be
> deployed on the servers. It works well for me - if they get stroppy and
> don't do this, they don't get access <shrug>
>
> --
> alan dot mckinnon at gmail dot com
>
>
* Re: [gentoo-user] Cannot login with publickey on sshd
From: Mick @ 2008-12-19 6:28 UTC
To: gentoo-user
On Thursday 18 December 2008, Eric Martin wrote:
> Great to hear that the problem is solved! I've used puttygen before
> to convert keys (both ways) but when I used it the other day to create
> a key on windows & convert it wouldn't work. Oh well!
If you first paste the key in notepad++ it should work, if you just copy the
generated file it won't. That's what I have found anyway when helping people
with MSWindows machines.
--
Regards,
Mick