[TriLUG] sshd configuration woes

Aaron Joyner via TriLUG trilug at trilug.org
Thu Nov 23 15:12:29 EST 2017


Yes, for whatever reason, the server did not accept the supplied public key
credentials.  It claims to accept public key authentication ("Authentications
that can continue: publickey,password"), the client presents the key, and
it is not accepted ("Offering RSA public key: /home/maar/.ssh/id_rsa").

Based on your description, I suspect your .ssh/ directory has the wrong
permissions. I believe it has to be 700 and the .ssh/authorized_keys* file
needs to be 600 or similar.  Check the sshd_config man page to be sure.
You can confirm this by inspecting the sshd logs, though you might have to
launch it in debug mode to see enough logging to be sure.

Best of luck,
Aaron S. Joyner


On Nov 23, 2017 7:07 PM, "Paul Boyle via TriLUG" <trilug at trilug.org> wrote:

Hi,

In my lab I've converted all of my OpenSuSE boxes to CENTOS 7 and I am
running into some sshd configuration problems.  Users in my lab generate
ssh keys (RSA keys) to be able to scp archival data to a central backup
host without having to type in a password.  This was working fine under my
OpenSuSE computational environment, but under CENTOS 7, the public key
authentication fails.  I'm having trouble figuring out what is going wrong,
and would appreciate any pointers in getting this problem fixed.  I include
a trace of an attempted ssh login from a user's account to the backup
account (ssh -v backup@bravais):

maar:/~% ssh -v backup@bravais
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug1: Connecting to bravais [aaa.bbb.ccc.ddd] port 22.
debug1: Connection established.
debug1: identity file /home/maar/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/maar/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/maar/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/maar/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/maar/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/maar/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/maar/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/maar/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: match: OpenSSH_7.4 pat OpenSSH* compat 0x04000000
debug1: Authenticating to bravais:22 as 'backup'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: rsa-sha2-512
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: curve25519-sha256 need=64 dh_need=64
debug1: kex: curve25519-sha256 need=64 dh_need=64
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-rsa SHA256:wS+uHBZWQWtkgjLdqfQ8FcwvcOnW2CUUzQpalQri5L8
debug1: Host 'bravais' is known and matches the RSA host key.
debug1: Found key in /home/maar/.ssh/known_hosts:2
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/maar/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/maar/.ssh/id_dsa
debug1: Trying private key: /home/maar/.ssh/id_ecdsa
debug1: Trying private key: /home/maar/.ssh/id_ed25519
debug1: Next authentication method: password
backup@bravais's password:

I don't quite understand what the output is telling me.  Is it that the
sshd server isn't accepting RSA keys?

Thanks,

Paul
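
Added example, not part of the original thread: the permission check suggested in the reply above, written as a script to run on the server. It goes slightly beyond the exact 700/600 values and tests what sshd's StrictModes rejects (wrong owner, or group/other write bits, on the home directory, .ssh and authorized_keys). It assumes GNU stat and the default ~/.ssh/authorized_keys location; the function names and the /home/backup path are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): report paths that sshd's StrictModes
# check would distrust. Assumes GNU stat, as shipped with CentOS 7, and the
# default AuthorizedKeysFile location (~/.ssh/authorized_keys).

# check_path PATH UID: return 1 if PATH is missing, owned by someone other
# than UID or root, or writable by group or others.
check_path() {
    cp_path=$1; cp_uid=$2
    if [ ! -e "$cp_path" ]; then
        echo "MISSING    $cp_path"
        return 1
    fi
    # -L follows symlinks, as sshd's own stat() call does.
    cp_mode=$(stat -L -c '%a' "$cp_path")
    cp_owner=$(stat -L -c '%u' "$cp_path")
    if [ "$cp_owner" != "$cp_uid" ] && [ "$cp_owner" != 0 ]; then
        echo "BAD OWNER  $cp_path (uid $cp_owner)"
        return 1
    fi
    # 022 = group-write and other-write bits; either one fails the check.
    if [ $(( 0$cp_mode & 022 )) -ne 0 ]; then
        echo "BAD MODE   $cp_path (mode $cp_mode)"
        return 1
    fi
    echo "ok         $cp_path (mode $cp_mode)"
}

# audit_ssh_dir HOME_DIR UID: check the home directory, .ssh and
# authorized_keys; return 0 only if all three pass.
audit_ssh_dir() {
    as_rc=0
    for as_p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        check_path "$as_p" "$2" || as_rc=1
    done
    return "$as_rc"
}

# Stand-alone use on the server (home path assumed, not from the thread):
#   sh audit.sh /home/backup "$(id -u backup)"
if [ "$#" -eq 2 ]; then
    audit_ssh_dir "$1" "$2"
fi
```

A BAD MODE line on any of the three paths is enough for sshd to ignore authorized_keys and fall through to password authentication, which matches the client trace above.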