| Date: Fri, 4 Feb 2005 10:35:09 -0500
| From: Steve Litt
| Subject: [GoLugTech] Troubles with ssh key authorization
| To: Greater Orlando Linux User Group tech list
| Message-ID: <200502041035.09659.slitt@troubleshooters.com>
| Content-Type: text/plain; charset="us-ascii"
|
| Hi all,
|
| I used ssh-keygen to make types dsa, rsa and rsa1 keys on box mydesk. I then
| concatenated *.pub to junk.jnk and scp'ed it to box2:.ssh/authorize_keys.
|
| I then did the same stuff on box2.
|
| ssh still keeps asking me for passwords, whether I ssh by IP address or by
| hostname. How can I narrow down the root cause scope of this problem?

BTW I wrote a script that does this all for you. It even checks permissions,
which is part of the reason it can fail to authenticate by publickey.

http://www.kevininscoe.com/pub/scripts/pushkeys.txt

Don't forget to do ssh -vvv to get the most verbose output from the client.

You must check your permissions all the way back up to the root file system (/).
For instance / needs to be root:other (or 0:1) and go-w.

Turn your logging on in sshd_config of the remote end:

SyslogFacility AUTH
LogLevel INFO

Check your authlog, syslog or messages file on the remote end and see if you
have a message like:

"sshd[29693]: Authentication refused: bad ownership or modes for directory /"

Lastly do:

$ chmod go-w ~/
$ chmod 700 ~/.ssh
$ chmod 600 ~/.ssh/authorized_keys

----
| Date: Fri, 4 Feb 2005 11:14:32 -0500 (EST)
| From: Kevin Korb
| Subject: Re: [GoLugTech] Troubles with ssh key authorization
| To: Greater Orlando Linux User Group tech list
| Message-ID:
| Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
|
| -----BEGIN PGP SIGNED MESSAGE-----
| Hash: SHA1
|
| Your server has a pretty old ssh on it. This may be an incompatibility
| between them or something.
|
|
|>> debug1: identity file /home/slitt/.ssh/identity type 0
|>> debug2: key_type_from_name: unknown key type '-----BEGIN'
|>> debug2: key_type_from_name: unknown key type '-----END'
|>> debug1: identity file /home/slitt/.ssh/id_rsa type 1
|>> debug2: key_type_from_name: unknown key type '-----BEGIN'
|>> debug2: key_type_from_name: unknown key type '-----END'
|>> debug1: identity file /home/slitt/.ssh/id_dsa type 2
|
|
| That seems to imply that something is wrong with the private key files
| or that they are in a newer format than what ssh can use.

Check for DOS (^M) newlines. Make sure the entire key block is on one line.

- --
Kevin P. Inscoe
Amateur Radio Call Sign: KE3VIN
Deltona, FL 32738
Position: 28.9002N 81.2419W
kevin [at] inscoe [dot] org
http://www.kevininscoe.com/
GPG http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x61288D53

----
Date: Fri, 4 Feb 2005 14:11:59 -0500
From: Steve Litt
Subject: Re: [GoLugTech] ssh troubleshooting
To: Greater Orlando Linux User Group tech list
Message-ID: <200502041411.59387.slitt@troubleshooters.com>
Content-Type: text/plain; charset="iso-8859-1"

On Friday 04 February 2005 12:25 pm, Kevin P. Inscoe wrote:
>> BTW I wrote a script that does this all for you. It even checks
>> permissions which is part of the reason it can fail to authenticate by
>> publickey.
>>
>> http://www.kevininscoe.com/pub/scripts/pushkeys.txt

Kevin -- I deleted all files other than known_hosts in both boxes' .ssh
directories, and then ran your script. The problem magically went away and
the 2 boxes can now ssh each other without passwords.

I'm going to put this aside until our next Installfest, at which time I'll
thoroughly analyze your script to see what it does that I didn't do manually
(nothing that I can see), thoroughly analyze the working state, and then try
to reproduce the original defect and exploit the differences.

Thanks for the script.

Everyone -- Kevin Inscoe's script makes key trades between already ssh'ing
hosts/usernames a 10 second affair, and is highly recommended.

Kevin -- your usage() routine prints this:

usage: pushkeys hostname (remote user)

Should the remote username really be in parentheses when I type in the
command?

Also I have a suggestion. At one point the user is asked for a password. It
would be nice to echo a message right before that explaining to which
username on which box the password applies.

Thanks for the great script.

SteveT
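The permission walk and the "bad ownership or modes" refusal that Kevin Inscoe describes, together with his two content checks (DOS line endings, key block not on one line), as an added example. This is not code from the thread and not Kevin's pushkeys script; it is a stand-alone POSIX sh script that reproduces the StrictModes test sshd applies (owner must be root or the user, no group/world write bit) to authorized_keys, ~/.ssh and every directory above it. Assumptions: GNU or BSD stat is installed, the uid compared against defaults to the current user, and the optional STOP argument (default /, matching Kevin's advice to check all the way to the root file system) is where the upward walk ends; newer sshd versions stop the walk at the home directory itself.

```shell
#!/bin/sh
# Added example, not code from the thread or from pushkeys: reproduce the
# checks sshd's StrictModes applies before trusting ~/.ssh/authorized_keys,
# plus the two content checks suggested in the thread (DOS line endings,
# key not on one line). Assumes GNU or BSD stat; the uid compared against
# defaults to the current user, and STOP (default /) ends the upward walk.

# Print "<octal mode> <uid>" for a path: GNU stat first, then BSD stat.
mode_and_uid() {
    stat -c '%a %u' "$1" 2>/dev/null || stat -f '%Lp %u' "$1" 2>/dev/null
}

# Succeed only if PATH is owned by root or by UID and is not group- or
# world-writable: the test sshd applies to authorized_keys and to every
# directory above it ("bad ownership or modes for ...").
secure_path() {
    path=$1; uid=$2
    out=$(mode_and_uid "$path") || { echo "cannot stat $path"; return 1; }
    mode=${out% *}; owner=${out#* }
    if [ "$owner" != 0 ] && [ "$owner" != "$uid" ]; then
        echo "bad ownership for $path (uid $owner, expected 0 or $uid)"
        return 1
    fi
    # "0$mode" makes the shell read the digits as octal; 022 = g+w plus o+w.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "bad modes for $path ($mode is group- or world-writable)"
        return 1
    fi
    return 0
}

# check_ssh_perms HOME [STOP] [UID]: check authorized_keys, then walk from
# HOME/.ssh upward, checking each directory until STOP (default /), as the
# thread advises; newer sshd stops this walk at the home directory.
check_ssh_perms() {
    home=$1; stop=${2:-/}; uid=${3:-$(id -u)}
    rc=0
    secure_path "$home/.ssh/authorized_keys" "$uid" || rc=1
    dir=$home/.ssh
    while :; do
        secure_path "$dir" "$uid" || rc=1
        [ "$dir" = "$stop" ] && break
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    return $rc
}

# check_authorized_keys FILE: flag DOS line endings and entries that are not
# a single-line public key (a pasted "-----BEGIN" PEM block, or a key wrapped
# across lines). Entries that begin with options (from="...", command="...")
# are not recognised by this simple check and would be flagged as well.
check_authorized_keys() {
    file=$1; rc=0
    if grep -q "$(printf '\r')" "$file"; then
        echo "$file: DOS (^M) line endings"; rc=1
    fi
    # Every non-blank, non-comment line must begin with a key type (ssh-rsa,
    # ssh-dss) or, for rsa1 keys, the key's bit length, followed by a space.
    if grep -v '^[[:space:]]*$' "$file" | grep -v '^#' |
       grep -Eqv '^(ssh-[a-z0-9]+|[0-9]+) '; then
        echo "$file: an entry is not a one-line public key (PEM block or wrapped key?)"
        rc=1
    fi
    return $rc
}

# Run both checks on a home directory given on the command line.
if [ $# -gt 0 ]; then
    check_ssh_perms "$1" && check_authorized_keys "$1/.ssh/authorized_keys" \
        && echo "OK: $1"
fi
```

Run it on the remote box as the target user or as root, e.g. `sh ssh-keycheck.sh /home/slitt`; each line it prints corresponds to a reason sshd would log "Authentication refused: bad ownership or modes" or silently ignore the key, so it can be read side by side with the auth log Kevin suggests enabling.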