0

I'm trying to connect to Server with ssh and id_rsa key. That key is only key in authorized_keys (just added with ssh-copy-id) When i do connect, server ask doesnt end with keys but always ask for user pass there is output

any suggestion? I suppose is Q of sshd config tunning? [SOLVED] - was question of permissions set on .ssh and authorized_keys

output with debug level: >> ssh-add id_rsa;ssh -vv vps

Enter passphrase for id_rsa: 
Identity added: id_rsa (id_rsa)
OpenSSH_5.5p1, OpenSSL 1.0.0i-fips 19 Apr 2012
debug1: Reading configuration data /home/yurij/.ssh/config
debug1: Applying options for vps
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 78.47.XX.XX [78.47.XX.XX] port 22
debug1: Connection established.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug2: key_type_from_name: unknown key type 'Proc-Type:'
debug2: key_type_from_name: unknown key type 'DEK-Info:'
debug2: key_type_from_name: unknown key type '-----END'
debug1: identity file /home/yurij/.ssh/id_rsa type 1
debug1: identity file /home/yurij/.ssh/id_rsa-cert type -1
debug1: identity file /home/yurij/.ssh/id_dsa type -1
debug1: identity file /home/yurij/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH_4*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.5
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 119/256
debug2: bits set: 515/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: checking without port identifier
debug1: Host '78.47.184.37' is known and matches the RSA host key.
debug1: Found key in /home/yurij/.ssh/known_hosts:9
debug1: found matching key w/out port
debug2: bits set: 487/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/yurij/.ssh/id_rsa (0xb9608568)
debug2: key: id_rsa (0xb9609890)
debug2: key: /home/yurij/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/yurij/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/yurij/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug1: Next authentication method: password

sudo tail -F /var/log/secure when i tried to connect with keys and then logged with pass

Nov  8 10:18:50 sshd[3892]: pam_unix(sshd:session): session opened for user yurij by (uid=0)
Nov  8 10:20:23 sshd[3892]: pam_unix(sshd:session): session closed for user yurij
^Z
Yurij73
  • 1,992
  • Check the log files under /var/log. Mind you you can run both the server and client in debug mode. That gives you a lot more information. – jippie Nov 05 '12 at 19:08
  • Where did the key come from? Are you sure you didn't make an copy/paste error somewhere? It is a pretty common mistake to accidentally introduce newlines in the key. – jippie Nov 05 '12 at 19:10
  • i did ssh-copy-id from me to remote server so exact copy in server/home/me/.ssh/authorized_keys is – Yurij73 Nov 05 '12 at 19:16
  • and where did the key come from before that? You certainly want to check server logs too. Log on to the server and start your own daemon on a high port (>1024). Add couple of -d flags to enable debugging. Then connect from your client to that new port OR you can even check it locally on the server. – jippie Nov 05 '12 at 19:52
  • More -v flags increase verbosity for ssh. More -d flags increase verbosity for sshd. – jippie Nov 05 '12 at 19:56
  • Start your sshd in debug-mode. This will tell you what is going wrong. – Nils Nov 05 '12 at 22:03
  • 2
    Post the output of \ls -ld ~ ~/.ssh ~/.ssh/authorized_keys on the server. See the checklist; in particular, your home directory must not be group-writable. Also from that checklist: watch out for SELinux. – Gilles 'SO- stop being evil' Nov 05 '12 at 23:04
  • \ls -ld ~ ~/.ssh ~/.ssh/authorized_keys That is about settled rights:

    drwx------ 4 yurij yurij 4096 Oct 31 13:36 /home/admin drwxrwxr-x 4 yurij yurij 4096 Nov 5 13:51 /home/admin/.ssh -rw-rw-r-- 1 yurij yurij 224 Nov 5 13:52 /home/admin/.ssh/authorized_keys

     – Yurij73 Nov 06 '12 at 12:33
  • @Nils, how to run sshd in debug mode? – Yurij73 Nov 06 '12 at 12:39
  • 1
    $(which sshd) -d - see @jippie. – Nils Nov 06 '12 at 20:31
  • which sshd which: no sshd in (/usr/local/bin:/bin:/usr/bin:/home/admin/bin) DO i need set ENV for sshd in .rc? – Yurij73 Nov 07 '12 at 20:17

2 Answers2

2

According to your ls output:

drwx------ 4 yurij yurij 4096 Oct 31 13:36 /home/admin
drwxrwxr-x 4 yurij yurij 4096 Nov 5 13:51 /home/admin/.ssh
-rw-rw-r-- 1 yurij yurij 224 Nov 5 13:52 /home/admin/.ssh/authorized_keys

You have group write on the .ssh directory and the authorized_keys file. This is most likely the problem as ssh doesn't like group write.

Have a look at /var/log/secure - it's probably got warnings about permissions on /home/admin/.ssh, such as:

Nov  5 16:17:18 servername sshd[1234]: Authentication refused: bad ownership or modes for directory /home/admin/.ssh
James O'Gorman
  • 273
  • Yes, ssh is very picky when it comes to file permissions. – jippie Nov 06 '12 at 20:53
  • Wow, Now it WORKS! with permissions set as drwx------ 4 yurij yurij 4096 Nov 6 08:40 /home/admin drwxr-x--- 4 yurij yurij 4096 Nov 6 08:34 /home/admin/.ssh -rw------- 1 yurij yurij 224 Nov 6 07:51 /home/admin/.ssh/authorized_keys – Yurij73 Nov 08 '12 at 15:38
0

Check the value of AuthorizedKeysFile in the sshd config file (/etc/sshd_config or /etc/ssh/sshd_config).

Some configurations place the key files outside of the user's directory and manage them in a central place, such as LDAP.

If it is set to .ssh/authorized_keys, the default, it is looking in your home directory and the key files are broken somehow. Try logging in with your password and comparing the md5sums of the local and remote files.

anonfunc
  • 231