1

I have been trying to set up remote file copy without password between 2 Linux machines. I have appended my .ssh/id_rsa.pub from local to remote .ssh/authorized_keys. I have also set up correct file permissions (700 for my home directory and .ssh, 600 for authorized_keys).

SSH consistently continues to ask me for password. Any ideas? All required information should be below.

I do not have root access to either of these 2 machines.

local:

$ uname -a && ssh -V
Linux localhost 2.6.32-xxx.x86_64 #1 SMP Tue Dec 18 15:04:44 PST 2012 x86_64     x86_64 x86_64 GNU/Linux
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010

remote:

uname -a && ssh -V
Linux remotehost 4.0.5-xxx.x86_64 #1 SMP Tue Jun 9 15:09:25 PDT 2015 x86_64 x86_64 x86_64 GNU/Linux
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013

debug:

OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to remote [1.2.3.4] port 22.
debug1: Connection established.
debug3: Not a RSA1 key file .ssh/myKey.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file .ssh/myKey type 1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug3: Wrote 792 bytes for a total of 813
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug3: Wrote 24 bytes for a total of 837
debug2: dh_gen_key: priv key bits set: 119/256
debug2: bits set: 491/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: Wrote 144 bytes for a total of 981
debug3: check_host_in_hostfile: filename /some/directory/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 14
debug3: check_host_in_hostfile: filename /some/directory/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 14
debug1: Host 'remote' is known and matches the RSA host key.
debug1: Found key in /some/directory/.ssh/known_hosts:14
debug2: bits set: 496/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: Wrote 16 bytes for a total of 997
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug3: Wrote 48 bytes for a total of 1045
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /some/directory/.ssh/id_rsa (0x7fbf18b8a0b0)
debug2: key: .ssh/myKey (0x7fbf18b86460)
debug3: Wrote 64 bytes for a total of 1109
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /some/directory/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug3: Wrote 624 bytes for a total of 1733
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: .ssh/myKey
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug3: Wrote 368 bytes for a total of 2101
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
xxxx@remotehost's password:

Adding as requested by commenters:

ls -lZd / /home /home/xxxx /home/xxxx/.ssh /home/xxxx/.ssh/authorized_keys
drwxr-xr-x root   root     ?                                /
drwxr-xr-x root   root     ?                                /home
drwx------ xxxx   xxxx_gsa ?                                /home/xxxx
drwx------ xxxx   xxxx_gsa ?                                /home/xxxx/.ssh
-rw------- xxxx   xxxx_gsa ?                                /home/xxxx/.ssh/authorized_keys
dust
  • 111
  • The server is rejecting your key. Check the server log if there is some guide. If not, increase verbosity. There should be everything you need to troubleshoot this issue. – Jakuje Mar 15 '16 at 14:58
  • I don't have access to root account or logs there unfortunately. – dust Mar 15 '16 at 15:03
  • So post the details about permission, even with SELinux context, if the system is using SELinux: ls -lZd / /home /home/xxxx /home/xxxx/.ssh /home/xxxx/.ssh/authorized_keys. Also the log with -vvv (more verbose) might be helpful. – Jakuje Mar 15 '16 at 15:05
  • some more points to check, sorry if that's obvious for you:

    1. have you successfully used this very key pair with other hosts?

    2. are you sure that Offering public key: /some/directory/.ssh/id_rsa is the right one (is the matchihng pub one on remote) to take

    3. less obvious, but still: stat /home/xxxx on remote server- if it is wider than 700 then key will be refused even if/home/xxx/.ssh` is 700

     – Tagwint Mar 15 '16 at 15:14
  • Regenerate the key, check the algorithms and size of private key. In last period some additional restriction on keys (algorithm and size) are implemented. Check also that your client (ssh) is update. – Giacomo Catenazzi Mar 15 '16 at 15:25
  • Is the remote server home directory on an encrypted filesystem, by any chance? Also, see if you can access the ssh server logs on the remote system. They're usually in one of the files in /var/log. Sshd may be logging the reason why it isn't accepting your key. – Kenster Mar 15 '16 at 17:51

2 Answers2

1

Your permissions tell the issue:

-rw------- xxxx_p xxxx_gsa ?                                /home/xxxx/.ssh/authorized_keys

According to manual page for sshd:

~/.ssh/authorized_keys

[...]

If this file, the ~/.ssh directory, or the user's home directory are writable by other users, then the file could be modified or replaced by unauthorized users. In this case, sshd will not allow it to be used unless the StrictModes option has been set to “no”.

You need to make sure that /home/xxxx/.ssh/authorized_keys is owned by user xxxx and not xxxx_p. Otherwise server will reject to use that file.

Jakuje
  • 21,357
  • Sorry, this is my error in erasing personal info from the log. The permissions are fine, the user is actually xxxx. I have fixed this now in the log above. – dust Mar 15 '16 at 15:53
  • Otherwise it looks generally ok. But the server might be configured in the way that it does not accept the pubkey authentication or it can accept the keys in the different place. I would recommend you to consult system administrator, or documentation. – Jakuje Mar 15 '16 at 15:56
  • Jakuje, I think that's the only option I have now. Anyway, thank you for all the help in this thread. – dust Mar 15 '16 at 15:57
1
debug3: Not a RSA1 key file .ssh/myKey.
debug2: key_type_from_name: unknown key type '-----BEGIN'
                                              ^^^^ bzzt

That second line looks like your problem.

Different implementations of ssh use different formats. Different versions stick to one format; OpenSSH has been consistent for many years. ISTR seeing a "BEGIN" string like that elsewhere, maybe in PuTTY.

I use OpenSSH, and my authorized_keys looks like this:

$ cut -b-60 ~/.ssh/authorized_keys 
ssh-dss AAAAB3NzaC1kc3MAAACBANSxMDLaL3O6jg528/QeoCxw78qgVrqc
ssh-dss AAAAB3NzaC1kc3MAAACBAOgQyLwNkOAzsfxzm8WcYJYp/asSS7Lb
ssh-dss AAAAB3NzaC1kc3MAAACBAMyZLbylDmVUkBPEltOap1x4l4WGg5Il

Try generating a public key on the remote, and see if it looks anything like what you installed in authorized_keys. If it doesn't you'll want to find out whose ssh/sshd you're running, and how to provide a correctly formatted key.

James K. Lowden
  • 2,080