openssh 5.3 needs password vs. 4.3 using private keys


 
# 1  
Old 01-10-2012

Hello,
I just installed a brand new CentOS 6.2 including openssh 5.3.

On older servers I installed older Linux including openssh 4.3,
I am using keygen with private/public keys to log root on all servers (in a LAN) without typing password each time.
To do this, of course, I have my local private key (privkey) and public key in each server (/root/.ssh/authorized_keys), I get in with command :
# ssh -i privkey root@server
Each server has these specific lines in /etc/ssh/sshd_config :
PermitRootLogin yes
and specific chmod on :
# ls -la /root/.ssh
drwx------. 2 root root 4096 Jan 9 14:53 .
dr-xr-x---. 4 root root 4096 Jan 10 11:55 ..
-rw-r--r--. 1 root root 1204 Jan 9 14:53 authorized_keys



This is working for ages on all other servers (without typing password), but not on my new centos 6.2 with openssh 5.3.
ssh is now requesting the password except if I launch the sshd daemon by hand :
# /usr/sbin/sshd

It sounds like a bug, or did I miss a new feature in 5.3?
Thanks in advance for your valuable help.
Regards.
# 2  
Old 01-10-2012
This is happening to me as well. Except that only on ONE centos 6.2 server, out of 4, and only for root.

Same exact configuration is added to all machines (diff hardware), for users 'root' and 'web.' web works for all machines, and root only for 3 machines.

Login for root works on the borked machine if I start the sshd daemon by hand on a diff port, i.e.
Code:
sshd -dd -p 2222 -f /dev/null

and also if I load the default config with
Code:
-f /etc/ssh/sshd_config

I got tired of the problem and blew away the centos install and reinstalled, yet the problem persists.

This is not a permissions issue.

BTW, this is a DSA key. Might be important, will try with RSA keys in a bit.

This is what the ssh client debug looks like when the publickey authentication method fails:
Code:
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug3: no such identity: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_rsa
debug3: no such identity: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug1: read PEM private key done: type DSA
debug3: sign_and_send_pubkey
debug2: we sent a publickey packet, wait for reply
debug3: Wrote 576 bytes for a total of 1685
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password

It seems sshd just ignores the pubkey packet.

This is all that appears in /var/log/secure:

Code:
Jan 10 11:52:29 db1 sshd[1321]: Accepted password for root from 192.168.2.100 port 48686 ssh2
Jan 10 11:52:29 db1 sshd[1321]: pam_unix(sshd:session): session opened for user root by (uid=0)

When I manually start the daemon this is what appears in the sshd output (remember root pubkey access works this way):

Code:
debug1: userauth-request for user root service ssh-connection method publickey
debug1: attempt 1 failures 0
debug2: input_userauth_request: try method publickey
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug1: trying public key file /root/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
debug1: matching key found: file /root/.ssh/authorized_keys, line 1
Found matching DSA key: 7e:0b:c4:a3:29:21:be:42:62:47:62:c2:3d:87:bd:9e
debug1: restore_uid: 0/0
debug1: ssh_dss_verify: signature correct
debug2: userauth_pubkey: authenticated 1 pkalg ssh-dss
debug1: do_pam_account: called
Accepted publickey for root from 192.168.2.2 port 50232 ssh2
debug1: monitor_child_preauth: root has been authenticated by privileged process

I haven't dug into the sshd init.d scripts to see if it's being loaded with some weird configuration, but that's my next step after playing with RSA keys.

I've already spent too much time on this issue. Any hints or ideas would be greatly appreciated.


edit: Same issue for an RSA key and the init.d scripts aren't calling sshd in any weird fashion. I'm stumped.

---------- Post updated at 02:00 PM ---------- Previous update was at 01:28 PM ----------

Here's the ssh client debug info for user web (which works).

Code:
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug3: no such identity: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_rsa
debug3: no such identity: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug1: read PEM private key done: type DSA
debug3: sign_and_send_pubkey
debug2: we sent a publickey packet, wait for reply
debug3: Wrote 576 bytes for a total of 1685
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0

The only thing that occurs to me is that this may be a hw issue of some sort? Doesn't really make sense to me, because web works and a manual start of sshd works for root authentication, but here's the cpu info anyway:

/proc/cpuinfo:
Code:
processor    : 0
vendor_id    : AuthenticAMD
cpu family    : 15
model        : 28
model name    : AMD Sempron(tm) Processor 2600+
stepping    : 0
cpu MHz        : 1599.712
cache size    : 128 KB
fdiv_bug    : no
hlt_bug        : no
f00f_bug    : no
coma_bug    : no
fpu        : yes
fpu_exception    : yes
cpuid level    : 1
wp        : yes
flags        : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx mmxext fxsr_opt lm 3dnowext 3dnow up lahf_lm
bogomips    : 3199.42
clflush size    : 64
cache_alignment    : 64
address sizes    : 40 bits physical, 48 bits virtual
power management: ts ttp

---------- Post updated at 04:13 PM ---------- Previous update was at 03:00 PM ----------

More hints: this could be a problem in Redhat's service command and the way it handles init.d scripts and their runtimelvls (although, I can't see why nor do I understand why that would be an issue). I no longer care, I'm going to use the manual load workaround (i.e. gross hack) since I've already wasted too much time on this stupid issue.

Anyway, here are the contents of fix_sshd:

Code:
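#!/bin/sh

# success/failure helpers used by Red Hat init scripts
. /etc/rc.d/init.d/functions

# Stop the instance started by the service command
service sshd stop
echo -n "Starting sshd manually: "
/usr/sbin/sshd -f /etc/ssh/sshd_config
# Save sshd's exit status; the later echo would otherwise overwrite $?
rc=$?
[ "$rc" -eq 0 ] && success || failure
echo
exit "$rc"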

And this is what I did, sorry much easier to post steps than to write it out (note when sshd asks for a passwd and when the pubkeys work):
Code:
[root@db1 ~]# ./fix_sshd 
Stopping sshd:                                             [  OK  ]
Starting sshd manually:                                    [  OK  ]
[root@db1 ~]# logout
Connection to db1 closed.
xxxxx@dev:~/dev$ ssh root@db1
Last login: Tue Jan 10 13:48:52 2012 from xxxxxx
[root@db1 ~]# 
[root@db1 ~]# nano /etc/init.d/sshd 
# here i add fix_sshd to the end of start()
[root@db1 ~]#  
[root@db1 ~]# service sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd:                                             [  OK  ]
Stopping sshd:                                             [  OK  ]
Starting sshd manually:                                    [  OK  ]
[root@db1 ~]# logout
Connection to db1 closed.
xxxxxxxx@dev:~/dev$ ssh root@db1
root@db1's password: 
Last login: Tue Jan 10 13:55:00 2012 from xxxxxxx
[root@db1 ~]# 
[root@db1 ~]# ./fix_sshd 
Stopping sshd:                                             [  OK  ]
Starting sshd manually:                                    [  OK  ]
[root@db1 ~]# logout
Connection to db1 closed.
xxxxxx@dev:~/dev$ ssh root@db1
Last login: Tue Jan 10 13:57:34 2012 from xxxxxxx
[root@db1 ~]#


Last edited by ats; 01-10-2012 at 04:33 PM..
# 3  
Old 01-10-2012
This is another hopelessly broken condition (that fails silently and uselessly) due to SELinux. You can solve this problem, if you haven't already chosen to uninstall SELinux, by running this command:

restorecon -R -v /root/.ssh


Good luck! SELinux still has a large amount of maturing to do in my opinion.

-John
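
A way to confirm the SELinux diagnosis before relabeling, as an added example that is not part of the original posts: it scans audit records for sshd denials on key files and reports the label that blocked the read. It assumes the denial is recorded in /var/log/audit/audit.log in the standard AVC format and that ssh_home_t is the expected type under ~/.ssh; the sample records, the admin_home_t label and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: report sshd AVC denials caused by a wrong label on key files.

EXPECTED_TYPE="ssh_home_t"   # assumed type for files under ~/.ssh (targeted policy)

# Constructed sample of audit records (not taken from the thread).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1326214349.101:61): avc:  denied  { read } for  pid=1321 comm="sshd" name="authorized_keys" dev=dm-0 ino=131075 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=USER_AUTH msg=audit(1326214352.440:62): user pid=1321 uid=0 auid=4294967295 ses=4294967295 msg='op=password acct="root" exe="/usr/sbin/sshd" hostname=? addr=192.168.2.100 terminal=ssh res=success'
type=AVC msg=audit(1326214400.007:70): avc:  denied  { getattr } for  pid=1400 comm="httpd" path="/srv/www/index.html" dev=dm-0 ino=9 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
EOF
}

# Read audit records on stdin; print "<name> <perm> <type>" for every sshd
# denial whose target type differs from EXPECTED_TYPE.
sshd_label_denials() {
    awk -v want="$EXPECTED_TYPE" '
        $1 == "type=AVC" && /denied/ && /comm="sshd"/ {
            name = perm = type = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "{") perm = $(i + 1)
                if ($i ~ /^name=/) { name = $i; gsub(/^name=|"/, "", name) }
                if ($i ~ /^tcontext=/) { split($i, c, ":"); type = c[3] }
            }
            if (type != want) print name, perm, type
        }'
}

# Summarize the findings and point at the relabel command from the post above.
# Returns 1 when a mislabeled key file was found, 0 otherwise.
diagnose() {
    hits=$(sshd_label_denials)
    [ -z "$hits" ] && { echo "no sshd label denials"; return 0; }
    echo "$hits" | while read -r name perm type; do
        echo "sshd denied $perm on $name: labeled $type, expected $EXPECTED_TYPE"
    done
    echo "fix: restorecon -R -v /root/.ssh"
    return 1
}

# Demo on the constructed sample; on a live host pipe the audit log in instead.
sample_audit_log | diagnose || true
```

On a real host, `ls -Z /root/.ssh` shows the current label and `restorecon -n -R -v /root/.ssh` previews the relabel without changing anything.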
# 4  
Old 01-10-2012
Thanks, I was suspecting SE towards the end. But since I found no indications this was the problem I did not delve into it.

This fixed the problem. Many thanks again.

Oh, wait.

Did I already say thank you? Because seriously, thank you.
# 5  
Old 01-11-2012
Hello guys,
Thank you very much jsheehy for the SELinux point.

Yesterday, after my problem, I ran "yum update" on my CentOS 6.2 and ended up with a "kernel panic" that forced me to reinstall, so I chose 5.3 as I was stressed by users. CentOS 5.3 works perfectly.

@ats, thanks for your contribution. FYI, I was using a DSA key; hardware is a Dell PowerEdge 2950.
Thank you.
Regards.