Login or Register to Ask a Question and Join Our Community


Debian

Remotely unlock ssh key (Gnome, Debian Lenny)

Login to Discuss or Reply to this Discussion in Our Community

 
Thread Tools Search this Thread
Operating Systems Linux Debian Remotely unlock ssh key (Gnome, Debian Lenny)
# 1  
Old 04-04-2010
Remotely unlock ssh key (Gnome, Debian Lenny)
Hi,

I don't think this is a new problem, but I can't find a solution anywhere, and it's quite annoying:
In the office, I have a workstation running Debian Lenny with Gnome, and I've copied my ssh key to some other machines for secure and easy login without havin' to remember all the passwords.
Of course, my key is protected by a passphrase, so, when I try to login to one of the other machines, a window pops up, and asks me for the passphrase.
So far, so good, as long as I'm sitting at my desk this works perfectly well - but, sometimes I have to work remotely, so, I login (also by ssh) to my office workstation, and here's the problem:
I can't unlock my ssh key from remote, it seems that something (ssh-agent? Gnome keyring?) "controls" the key and prevents unlocking. The ssh client even asks me to enter the passphrase, but it's not accepted...
Any ideas? Can it be because I'm always logged in at work, and only locking the screen when I leave my desk?

Hope anyone can shed some light on this,

Harald
# 2  
Old 04-05-2010
Usually the ssh-agent shouldn't block access, as it should only be enabled for processes started from within GNOME.

Could you give a more detailed description of your setup? Location and name of SSH keys, relevant connection commands, whether or not X11 forwarding is enabled, ...
# 3  
Old 04-05-2010
Hi pludi,

thanks for your reply, and here's a more detailed description of my setup on the office system:

1. Relevant (uncommented) lines from /etc/ssh/ssh_config:

Code:
Host *
    SendEnv LANG LC_*
    HashKnownHosts yes
    GSSAPIDelegateCredentials no

2. X11-Forwarding is enabled in ~/.ssh/config:

Code:
Host *
   ForwardX11 yes
   User root

3. Directory listing of ~/.ssh/, where the keys are located:

Code:
hhuseman@bofh:~/.ssh$ ls
config       id_dsa.keystore  id_dsa.pub.bofh  id_rsa.bofh      id_rsa.pub       known_hosts
id_dsa       id_dsa.old       id_dsa.pub.old   id_rsa.keystore  id_rsa.pub.bofh  known_hosts.old
id_dsa.bofh  id_dsa.pub       id_rsa           id_rsa.old       id_rsa.pub.old
hhuseman@bofh:~/.ssh$

4. and finally, here's a trace of a try to establish the connection from the office system:

Code:
hhuseman@bofh:~/.ssh$ ssh -v hhuseman@frodo
OpenSSH_4.7p1 Debian-2, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /home/hhuseman/.ssh/config
debug1: Applying options for frodo
debug1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to frodo.dh9dat.de [85.214.78.129] port 22.
debug1: Connection established.
debug1: identity file /home/hhuseman/.ssh/identity type -1
debug1: identity file /home/hhuseman/.ssh/id_rsa type 1
debug1: identity file /home/hhuseman/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1p1 Debian-5
debug1: match: OpenSSH_5.1p1 Debian-5 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.7p1 Debian-2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'frodo.dh9dat.de' is known and matches the RSA host key.
debug1: Found key in /home/hhuseman/.ssh/known_hosts:1322
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/hhuseman/.ssh/identity
debug1: Offering public key: /home/hhuseman/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: Offering public key: /home/hhuseman/.ssh/id_dsa
debug1: Server accepts key: pkalg ssh-dss blen 434
debug1: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
Enter passphrase for key '/home/hhuseman/.ssh/id_dsa':
debug1: read PEM private key done: type <unknown>
Enter passphrase for key '/home/hhuseman/.ssh/id_dsa': 
debug1: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
Enter passphrase for key '/home/hhuseman/.ssh/id_dsa':

(The system is first trying the RSA-key which is blacklisted on the target server 'cause is vulnerable - but I'm still using it on some internal systems, so I can't remove it. And, it should be harmless AFAIK, as the "right" DSA-key is tried afterwards).

I hope these informations help to bring some more light into the dark,

thanks,

Harald
# 4  
Old 04-05-2010
Yes, it's helpful, especially the last few lines in the debug output. It's asking for the passphrase protecting the private key ~/.ssh/id_dsa. If it shouldn't do that, there are 2 possible problem sources: you're using a different key pair (the .bofh key maybe), in which case you can specify it with the -i option.

Or you've used special characters when you entered the passphrase, in which case it might get ugly. Check that your terminals language settings are the same as in your GNOME environment, and that the connection program you're using supports that input method (probably UTF-8)
# 5  
Old 04-05-2010
Hi pludi,

thanks again for the reply, I've checked your suggestions:

First, id_dsa is the right key, the others are backups I've made during my tests since I suspected a problem with the key.
I've copied the DSA key pair again from my private machine, to ensure it's the right one - the result is the same, I can't unlock the key.
And, there are no special characters in the passphrase, I've typed it on the remote machine's console, and it's shown okay - so, I think the problem is not related to character sets or key encoding...
Nevertheless, here's a debug output of a successful login from my private system:

Code:
hhuseman@gimli:~$ ssh -v frodo
OpenSSH_5.1p1 Debian-5ubuntu1, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /home/hhuseman/.ssh/config
debug1: Applying options for frodo
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to frodo [85.214.78.129] port 22.
debug1: Connection established.
debug1: identity file /home/hhuseman/.ssh/identity type -1
debug1: identity file /home/hhuseman/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /home/hhuseman/.ssh/id_dsa type 2
debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1p1 Debian-5
debug1: match: OpenSSH_5.1p1 Debian-5 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-5ubuntu1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'frodo' is known and matches the RSA host key.
debug1: Found key in /home/hhuseman/.ssh/known_hosts:20
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/hhuseman/.ssh/id_dsa

Here, a window pops up asking for the passphrase of the DSA key

Code:
debug1: Server accepts key: pkalg ssh-dss blen 434
debug1: Authentication succeeded (publickey).
debug1: Local connections to LOCALHOST:2812 forwarded to remote address 127.0.0.1:2812
debug1: Local forwarding listening on ::1 port 2812.
debug1: channel 0: new [port listener]
debug1: Local forwarding listening on 127.0.0.1 port 2812.
debug1: channel 1: new [port listener]
debug1: channel 2: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: Sending environment.
debug1: Sending env LANG = de_DE.UTF-8
debug1: Remote: No xauth program; cannot forward with spoofing.
Linux h1685471.stratoserver.net 2.6.18-028stab064.7 #1 SMP Wed Aug 26 13:11:07 MSD 2009 i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have new mail.
Last login: Sun Apr  4 16:23:35 2010 from p5b0130f3.dip0.t-ipconnect.de
hhuseman@h1685471:~$ debug1: client_input_channel_req: channel 2 rtype keepalive@openssh.com reply 1

hhuseman@h1685471:~$

Any other ideas?

Thanks again,

Harald
# 6  
Old 04-05-2010
Add more "-v" options to increase the verbosity.
# 7  
Old 04-05-2010
the debugger says you are not in the group
make the user part of the group and try
and the success connection is from the same machine if i am not wrong?
Last edited by gameplan; 04-05-2010 at 10:44 PM..
Login or Register to Ask a Question

Previous Thread | Next Thread

8 More Discussions You Might Find Interesting

1. Debian

Adding wallpapers in gnome shell in Debian

Hi. I'm trying add wallpapers in /usr/share/backgrounds/gnome. And I already put the image file jpg in local specified before and added configuration in /usr/share/gnome-background-properties/gnome-backgrounds.xml. <wallpaper deleted="false"> <name>NNNN</name> ... (1 Reply)
Discussion started by: malgen
1 Replies

2. Linux

Chrome browser no longer working on my debian lenny 5

Hi All, My chrome browser was working correctly on my Debian Lenny 5 PC..Today i downloaded the version from google and tried to install the deb from command line as follows: dpkg -i <latest-chrome-package> The installation failed but now my existing old chrome browser is not starting. ... (2 Replies)
Discussion started by: coolatt
2 Replies

3. UNIX Desktop Questions & Answers

How to virtualise Android OS on Debian 6 with Gnome?

Hello, please which virtualisation is most ligtweight and compatible with Debian and Gnome? I wish to run Android OS in an container and be able to see android desktop from my Gnome Thank you (0 Replies)
Discussion started by: postcd
0 Replies

4. Solaris

SSH Remotely

Hello. I am trying to ssh and run a script from a remote computer. These computers will be both Windows and MACs. I am using Solaris 8 and what I have tried is: using putty ssh user@ip_address (remote command) /folder/folder/filename.sh The issue here is that the user profile has not... (3 Replies)
Discussion started by: jkmtm
3 Replies

5. Solaris

Solaris 8 ssh public key authentication issue - Server refused our key

Hi, I've used the following way to set ssh public key authentication and it is working fine on Solaris 10, RedHat Linux and SuSE Linux servers without any problem. But I got error 'Server refused our key' on Solaris 8 system. Solaris 8 uses SSH2 too. Why? Please help. Thanks. ... (1 Reply)
Discussion started by: aixlover
1 Replies

6. Debian

How to install Java in Debian Lenny

Hi all im trying to install Java in Debian lenny with apt-get install but can find the packages...anyone can help me on this one? thanks (2 Replies)
Discussion started by: ro0t3d
2 Replies

7. Shell Programming and Scripting

downgrade sh to 3.1 - debian lenny - how?

Hello, i'd need to downgrade sh to the latest 3.1 version, been trying to pin the version in apt preferences or use aptitude but it doesn't want to work. (Best possible to GNU bash, version 3.1.17(1)-release (x86_64-pc-linux-gnu)) Linux version 2.6.26-2-amd64 (Debian 2.6.26-19lenny2)... (0 Replies)
Discussion started by: TehOne
0 Replies

8. Debian

Debian Lenny update problems

Hi everybody! I have a very big problem, I can not make any updates on my debian lenny. I get everytime this errors with apt-get update: Err http://security.debian.org lenny/updates Release.gpg Connection failed Err http://www.backports.org lenny-backports Release.gpg Connection... (2 Replies)
Discussion started by: magge
2 Replies
Login or Register to Ask a Question