[Bug 691299] New: SSH fails to authenticate public keys
https://bugzilla.novell.com/show_bug.cgi?id=691299
https://bugzilla.novell.com/show_bug.cgi?id=691299#c0

Summary: SSH fails to authenticate public keys
Classification: openSUSE
Product: openSUSE 11.2
Version: Final
Platform: x86-64
OS/Version: openSUSE 11.2
Status: NEW
Severity: Major
Priority: P5 - None
Component: Security
AssignedTo: security-team@suse.de
ReportedBy: orodreth.finarfin@gmail.com
QAContact: qa@suse.de
Found By: ---
Blocker: ---

Created an attachment (id=427611)
--> (http://bugzilla.novell.com/attachment.cgi?id=427611)
Output from ssh -vvv to OS 11.2 machine

User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.16) Gecko/20110319 SUSE/3.6.16-0.2.1 Firefox/3.6.16

Prior to some change a month or two ago, SSH on openSUSE 11.2 was correctly working using public keys for no-password login to OS 11.2 from other clients. Since some change the public keys don't work for any client; the interactive password is requested. Attempting no-password logins from Windows or OS 11.4 clients results in the OS 11.2 machine requesting the interactive password, which fails batch scripts. It doesn't matter whether the public key generated was DSA, RSA, RSA2, 2048 or 1024; the authorized_keys doesn't work. Even trying with a single-entry authorized_keys and a single client, the public key fails and the interactive password is requested. However, 11.2 as a client can log on to the other clients successfully using public keys, i.e. 11.2 is able to use no-password login to an OS 11.4 machine.

Reproducible: Always

Steps to Reproduce:
1. ssh -vvv OS 11.2 machine

Actual Results:
The OS 11.2 machine requests a password.

Expected Results:
The OS 11.2 machine should log in without requesting a password.

I'm not an expert, but it looks like the public key is never looked at. No-password login doesn't work even when supplying a private key using the ssh options.
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
Thomas Biege
--- Comment #1 from Petr Cerny
--- Comment #2 from Jason steele
--- Comment #3 from Jason steele
--- Comment #4 from Jason steele
Jason steele
--- Comment #5 from Jason steele
--- Comment #6 from Petr Cerny
--- Comment #7 from Jason steele
--- Comment #8 from Jason steele
--- Comment #9 from Petr Cerny
> Oops, almost forgot, in ~/.ssh/config Host *, IdentityFile=~/.ssh/authorized_keys.

Unless you have a completely strange setup (which I doubt), the file ~/.ssh/authorized_keys is used for storing the public parts of keys that are allowed to be used for logging into the machine this file is on. The keys used for authorizing to a remote server are by default ~/.ssh/id_* (see the ssh(1) man page, the '-i' option).

(In reply to comment #7)
> I can't determine the exact change or package update that broke ssh. "No password" logins from other clients into this machine had been working without issue for months.

Very likely the change has been either in the configuration of the ssh client or the ssh daemon. Check your /etc/ssh/sshd_config for differences against the distro version (as a first step you can use 'rpm -V openssh' - that will tell you whether some files have changed since installation).

Side note 1: a successful key authentication would look like this on the client:

debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
debug1: Host 'yyy' is known and matches the RSA host key.
debug1: Found key in /home/user/.ssh/known_hosts:67
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/user/.ssh/id_xxx
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).

Side note 2: consider upgrading to openSUSE 11.4 as 11.2 is nearing its end of support.
Petr Cerny
--- Comment #10 from Jason steele
--- Comment #11 from Petr Cerny
> No discrepancies found from rpm -V openssh
> In my original output from "ssh -vvv george" where ssh should start looking at the public key it didn't and went on to authenticate private keys. RE: https://bugzillafiles.novell.org/attachment.cgi?id=427611

Sorry, I don't really understand this. The log says that the only keys that ssh wanted to try didn't exist:

debug1: /home/knoppix/.ssh/identity
debug3: no such identity: /home/knoppix/.ssh/identity
debug1: Trying private key: /home/knoppix/.ssh/id_rsa
debug3: no such identity: /home/knoppix/.ssh/id_rsa
debug1: Trying private key: /home/knoppix/.ssh/id_dsa
debug3: no such identity: /home/knoppix/.ssh/id_dsa

Hence it wasn't able to authenticate and had to fall back to the password prompt.

> When I use "ssh-agent" and add the public key it reads and accepts the public key, outputs a signature then sign_send the public key but still asks for the interactive password. RE: https://bugzillafiles.novell.org/attachment.cgi?id=428002

IMHO you are adding the wrong file: ~/.ssh/george-rsa2-key.pub is the public part of the key and is of no interest to the ssh client. You should feed ssh (or ssh-agent) the private part of the key.
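The successful transcript in comment #9 and the failing one quoted above differ only in the publickey phase, and that phase is where the cause of a password prompt can be read off. The script below is an added example, not code from the bug report or from OpenSSH: publickey_summary reads an "ssh -vvv" transcript and reports which identity files were missing, which keys were offered, whether the server accepted one and which method ssh fell back to. The function name, the diagnosis wording and the two sample transcripts (sample_success, sample_failure) are this example's own constructions, assembled from lines quoted in the thread.

```shell
#!/bin/sh
# Added example, not part of the bug report or of OpenSSH: summarise the
# public-key phase of an "ssh -vvv" transcript read from standard input.
# Assumes the debug1/debug2/debug3 line formats quoted in the thread.

# publickey_summary  (stdin: ssh -vvv output)
# Prints one line per finding plus a diagnosis and returns
#   0 if the server accepted a key and authentication succeeded,
#   1 if the client fell back to another method (the password prompt).
publickey_summary() {
    missing=0; offered=0; accepted=0; ok=0; fallback=''
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            *'no such identity: '*)
                missing=$((missing + 1))
                echo "missing identity file: ${line##*no such identity: }" ;;
            *'Offering '*' public key: '*)
                offered=$((offered + 1))
                echo "offered: ${line##*public key: }" ;;
            *'Server accepts key:'*)
                accepted=1 ;;
            *'Authentication succeeded (publickey)'*)
                ok=1 ;;
            *'Next authentication method: password'*|*'Next authentication method: keyboard-interactive'*)
                fallback=${line##*method: } ;;
        esac
    done
    echo "identities: missing=$missing offered=$offered accepted=$accepted succeeded=$ok"
    if [ "$ok" -eq 1 ]; then
        echo "diagnosis: public-key authentication succeeded"
        return 0
    fi
    if [ "$offered" -eq 0 ]; then
        echo "diagnosis: no private key was offered; ssh only looked in its default files, so point it at the key with -i or IdentityFile and make sure that file holds the PRIVATE part"
    elif [ "$accepted" -eq 0 ]; then
        echo "diagnosis: a key was offered but the server did not accept it; check that its public part is in the server user's authorized_keys and read sshd's log for the refusal reason"
    else
        echo "diagnosis: the server accepted the key but the client could not complete the signature with it"
    fi
    [ -n "$fallback" ] && echo "fell back to: $fallback"
    return 1
}

# Constructed sample transcripts, assembled from lines quoted in
# comments #9 and #11 (paths and values as they appear there).
sample_success() {
    printf '%s\n' \
        'debug1: Authentications that can continue: publickey,keyboard-interactive' \
        'debug1: Next authentication method: publickey' \
        'debug1: Offering RSA public key: /home/user/.ssh/id_xxx' \
        'debug1: Server accepts key: pkalg ssh-rsa blen 279' \
        'debug1: read PEM private key done: type RSA' \
        'debug1: Authentication succeeded (publickey).'
}
sample_failure() {
    printf '%s\n' \
        'debug1: Next authentication method: publickey' \
        'debug3: no such identity: /home/knoppix/.ssh/identity' \
        'debug1: Trying private key: /home/knoppix/.ssh/id_rsa' \
        'debug3: no such identity: /home/knoppix/.ssh/id_rsa' \
        'debug1: Trying private key: /home/knoppix/.ssh/id_dsa' \
        'debug3: no such identity: /home/knoppix/.ssh/id_dsa' \
        'debug1: Next authentication method: keyboard-interactive'
}

# Usage: sh this_script.sh saved-transcript.log   (ssh -vvv user@host 2>&1 > saved-transcript.log)
#        sh this_script.sh --demo                 (runs the two constructed transcripts)
case "${1:-}" in
    --demo) sample_success | publickey_summary; sample_failure | publickey_summary || true ;;
    '') ;;                            # no argument: only define the functions
    *) publickey_summary < "$1" ;;    # analyse a saved transcript
esac
```

On the failing transcript the summary reports three missing identity files, no offered key and a fall-back to keyboard-interactive, which is exactly the situation comment #11 describes: ssh never reached the point of presenting a key, so the server side was never consulted.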
--- Comment #12 from Jason steele
--- Comment #13 from Petr Cerny
> I had already tried logins by copying client public keys into the private keys you identify but the results were the same as you note above. SSH still asked for the interactive password.

That's not really what I suggested, and you are right: it doesn't work. The client needs to present the *private* part (of a key stored in ~/.ssh/authorized_keys on the server) to the server (and it really doesn't matter in which particular file the data is). Anything else than the private part of the key will just result in falling back to another authentication method. As a bonus, overwriting the private part of the keys with the public one will render the key effectively dead, unless you make a backup of the private part beforehand. Please check the man page of ssh, section AUTHENTICATION, where the private/public key authentication is explained in detail.
--- Comment #14 from Jason steele
From client to server ssh and scp still request the interactive password. E.g., the same server/client pair testing scp and ssh in both directions.
--- Comment #15 from Jason steele
The server knows the public key, and only the user knows the private key.
The user should then copy the public key to ~/.ssh/authorized_keys in his/her home directory on the remote machine.
--- Comment #16 from Petr Cerny
> Thank you for the reply and patience.
> I read the AUTHENTICATION section and it describes the procedure as I had implemented it. The server has the public key of the public/private keys and the user/client has the private key. AUTHENTICATION in the ssh man page only suggests that the public key is named ~/.ssh/id_rsa.pub.

And that's exactly the point - you
a) neither have the private part of the key in the file ~/.ssh/id_rsa.pub (this can be seen both in the ~/.ssh directory listing and in the ssh log:
debug2: key: /home/knoppix/.ssh/identity ((nil))
debug2: key: /home/knoppix/.ssh/id_rsa ((nil))
debug2: key: /home/knoppix/.ssh/id_dsa ((nil))
b) nor specify the key to be used in the config file (it contains the default, which is commented out): "# IdentityFile ~/.ssh/id_rsa";
c) nor explicitly state it on the command line via the '-i' option.

> As you point out the user/client does have the private key part in ~/.ssh/ in the user's home folder for when the remote server requests it. It doesn't look like that request is made or acknowledged on the server side.

The keys are ignored, because they are not in the default files and you do not give ssh any hint where to look for them. Try to use the file userid-thishost-rsa2-key (whatever it is called) from the ~/.ssh listing, as I suggested in comment #6:
$ ssh -vvv -i ~/.ssh/userid-thishost-rsa2-key userid@remote
--- Comment #17 from Jason steele
--- Comment #18 from Jason steele
--- Comment #19 from Petr Cerny
> Thank you for your time and patience.
> I had already tried b, c, and a), several times before I opened this bugzilla, my comment #12.

And as I wrote in comment #13, it didn't work because you used the public part of the key where the private one had to be used (at least that is what I saw from your description and logs).

(In reply to comment #18)
> I forgot to say, I'm also looking at this from a Gnome-keyring / ssh problem. There are gnome-keyring warnings for ssh. I try to avoid keyring but I'm looking at it as interfering?

I don't really think this has anything to do with gnome-keyring, but out of curiosity: what are the warnings about?
--- Comment #20 from Bruno Friedmann
--- Comment #21 from Petr Cerny
> There's something the sshd daemon is very tricky about ... Are you sure the rights on the ~/.ssh folder and on the files in it are right?
> If this is group readable sshd will refuse to use key login.
> It should be 0700 for ~/.ssh.

Seems to be OK in this case - see the last attachment. Actually AFAIR (at least in the current version) ssh is ok with anything apart from a writable .ssh/config and readable private keys.

> If this solves your trouble, can I suggest we add a bold line in man ssh?

I'm not really sure this is necessary, section FILES of ssh(1)/sshd(8) is quite explicit about this. (A different thing is whether it always matched the code, though.) As always with access permissions: less is more.
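Comments #9, #13 and #16 come down to one rule, the client presents the private part and the server's authorized_keys holds the public part, and comment #21 adds the permission rule. The script below is an added example, not code from the bug report or from OpenSSH, that checks a client-side key directory for both mistakes. The names key_kind, perms_ok and audit_ssh_dir are chosen here; files are classified from their first line instead of by calling ssh-keygen, so the check runs with nothing but a POSIX sh and coreutils, and a public key copied into the private-key slot (the situation in comment #13) is reported explicitly.

```shell
#!/bin/sh
# Added example, not part of the bug report or of OpenSSH: audit a client's
# ~/.ssh directory for the two problems discussed in the thread, a public key
# sitting where ssh expects the private part, and permissions that make ssh or
# sshd ignore a key. Assumes OpenSSH's plain file formats; nothing else.

# key_kind FILE -> prints "public", "private" or "unknown" from the first line.
key_kind() {
    first=$(head -n 1 "$1" 2>/dev/null)
    case "$first" in
        ssh-rsa\ *|ssh-dss\ *|ssh-ed25519\ *|ecdsa-sha2-*) echo public ;;
        -----BEGIN\ *PRIVATE\ KEY-----) echo private ;;
        *) echo unknown ;;
    esac
}

# perms_ok PATH KIND -> 0 if the mode bits are acceptable for KIND:
#   private : no group/other access at all (ssh refuses such keys)
#   anything else (directory, config): not writable by group or others
perms_ok() {
    mode=$(ls -ld "$1" | cut -c1-10)       # e.g. -rw-------
    grp=$(printf '%s' "$mode" | cut -c5-7)
    oth=$(printf '%s' "$mode" | cut -c8-10)
    case "$2" in
        private) [ "$grp" = "---" ] && [ "$oth" = "---" ] ;;
        *) case "$grp$oth" in *w*) return 1 ;; *) return 0 ;; esac ;;
    esac
}

# audit_ssh_dir DIR -> 0 if the layout is sane, 1 otherwise; one "BAD:" line per finding.
audit_ssh_dir() {
    dir=$1; rc=0
    perms_ok "$dir" dir || { echo "BAD: $dir is writable by group or others"; rc=1; }
    if [ -f "$dir/config" ]; then
        perms_ok "$dir/config" config || { echo "BAD: $dir/config is writable by group or others"; rc=1; }
    fi
    # authorized_keys (server side) holds public keys only, one per line, optional options prefix.
    if [ -f "$dir/authorized_keys" ]; then
        while IFS= read -r line || [ -n "$line" ]; do
            case "$line" in
                ''|\#*) ;;
                *PRIVATE\ KEY*) echo "BAD: private key material in $dir/authorized_keys"; rc=1 ;;
                *ssh-rsa\ *|*ssh-dss\ *|*ssh-ed25519\ *|*ecdsa-sha2-*) ;;
                *) echo "BAD: unrecognised authorized_keys line starting '${line%% *}'"; rc=1 ;;
            esac
        done < "$dir/authorized_keys"
    fi
    # Everything else is a candidate identity: *.pub must be public, the rest private and locked down.
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        case "$name" in authorized_keys|known_hosts|config) continue ;; esac
        kind=$(key_kind "$f")
        case "$name" in
            *.pub) [ "$kind" = public ] || { echo "BAD: $f is named .pub but is not a public key"; rc=1; } ;;
            *) case "$kind" in
                   private) perms_ok "$f" private || { echo "BAD: private key $f is readable by group or others"; rc=1; } ;;
                   public)  echo "BAD: $f holds a public key; ssh needs the private part here"; rc=1 ;;
                   *)       echo "note: $f is not a key file, skipped" ;;
               esac ;;
        esac
    done
    return "$rc"
}

# Usage: sh this_script.sh ~/.ssh
if [ "$#" -eq 1 ]; then
    audit_ssh_dir "$1"
fi
```

To confirm that a private key and its .pub really belong together, `ssh-keygen -y -f ~/.ssh/id_rsa` prints the public part derived from the private file; that output should match the .pub file and the entry in the server user's authorized_keys.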
--- Comment #22 from Sebastian Krahmer