SSH Keys Authentication keeps asking for password


 
# 1  

Hi!

I'm trying to set up access from ServerA (SunOS) to ServerB (some custom Linux with keyboard-interactive login) with SSH keys. As a proof of concept I was able to do it between 2 virtual machines. Now in my real-life scenario it isn't working.

I created the keys in ServerA, copied them to ServerB, chmod'd .ssh folders to 700 on both ServerA,B.

To me *it seems* it's working, but at the end it still falls back to keyboard-interactive. Here is the log of what I get.

Code:
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to xxx.xxx.xxx.xxx [xxx.xxx.xxx.xxx] port 22.
debug1: Connection established.
debug1: identity file /xxx/.ssh/identity type -1
debug1: identity file /xxx/.ssh/id_rsa type 1
debug1: identity file /xxx/.ssh/id_dsa type -1
debug1: Logging to host: xxx.xxx.xxx.xxx
debug1: Local user: xxx Remote user: xxx
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.2
debug1: match: OpenSSH_4.2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-Sun_SSH_1.1.4
debug1: use_engine is 'yes'
debug1: pkcs11 engine initialized, now setting it as default for RSA, DSA, and symmetric ciphers
debug1: pkcs11 engine initialization complete
debug1: Failed to acquire GSS-API credentials for any mechanisms (No credentials were supplied, or the credentials were unavailable or inaccessible
Unknown code 0
)
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: Peer sent proposed langtags, ctos:
debug1: Peer sent proposed langtags, stoc:
debug1: We proposed langtags, ctos: en-US
debug1: We proposed langtags, stoc: en-US
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 125/256
debug1: bits set: 1039/2048
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'XXX.XXX.XXX.XXX' is known and matches the RSA host key.
debug1: Found key in /XXX/.ssh/known_hosts:1
debug1: bits set: 1061/2048
debug1: ssh_rsa_verify: signature correct
debug1: newkeys: mode 1
debug1: set_newkeys: setting new keys for 'out' mode
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: set_newkeys: setting new keys for 'in' mode
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /XXXX/.ssh/identity
debug1: Trying public key: /xxx/.ssh/id_rsa
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Trying private key: /xxx/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
Password:

Why does it still ask for my password?

Thanks in advance
# 2  
Are there any helpful messages in /var/log/secure (or another logfile where auth messages are written to) on the target system?

Are the permission bits of ~/.ssh on the target system equal to rwx------ (0700)?

If SELinux is active on the target system, is the label of the ~/.ssh directory equal to ssh_home_t (use "ls -Zd ~/.ssh" to find out)?
# 3  
Quote:
Originally Posted by hergp
Are there any helpful messages in /var/log/secure (or another logfile where auth messages are written to) on the target system?

Are the permission bits of ~/.ssh on the target system equal to rwx------ (0700)?

If SELinux is active on the target system, is the label of the ~/.ssh directory equal to ssh_home_t (use "ls -Zd ~/.ssh" to find out)?
There are no helpful messages, it doesn't even have a /secure folder. I tried checking a few files around /log but it was useless...

The permissions are all OK.

The target system is a proprietary custom Linux; the -Zd command didn't work.
# 4  
Hmm, some more ideas:

Is the public key in ~/.ssh/authorized_keys on the target system written as a single line? Because keys are long strings, sometimes they are pasted as multiple lines instead of a single one. Happened to me several times.

Is public key login disabled in /etc/ssh/sshd_config on the target system (look for PubkeyAuthentication)?

Try to connect using a higher debug level, like ssh -vv or even ssh -vvv. Maybe something useful comes up.
# 5  
Quote:
Originally Posted by hergp
Hmm, some more ideas:

Is the public key in ~/.ssh/authorized_keys on the target system written as a single line? Because keys are long strings, sometimes they are pasted as multiple lines instead of a single one. Happened to me several times.

Is public key login disabled in /etc/ssh/sshd_config on the target system (look for PubkeyAuthentication)?

Try to connect using a higher debug level, like ssh -vv or even ssh -vvv. Maybe something useful comes up.
Using -vv:

Code:
 Next authentication method: publickey
debug1: Trying private key: /xxx/.ssh/identity
debug1: Trying public key: /xxx/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Trying private key: /xxx/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug1: Next authentication method: keyboard-interactive

# 6  
Doesn't look like much. You sent an RSA key to the target host, but it didn't like it. Try ssh -vvv too.

If that does not reveal anything useful, you have to make your sshd on the target machine write to syslog. Check SyslogFacility and LogLevel in /etc/ssh/sshd_config and verify that the syslog messages are actually written somewhere (check /etc/syslog.conf). Can't say much more considering the fact you have some sort of custom Linux.
# 7  
First of all thanks a lot hergp for your help. I finally figured out what was happening.

The problem was that I didn't have the following keys enabled in the sshd_config file:

Code:
RSAAuthentication yes
PubKeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys

Besides that, since I didn't have the ssh-copy-id command, I had to manually paste the key in ServerB. That made it interpret the key as 3 separate lines.

To solve this, in case you can't use ssh-copy-id: paste the first line of your key WITHOUT the last 2 characters, then type the missing characters from line 1 and the first one from line 2 yourself; this will prevent adding a "new line" between the first and second line of the key. Repeat with the 3rd line.
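
The wrapped-key problem described in post #7 can be checked for mechanically on the target host. The script below is an added example, not part of the original thread: the function name check_authorized_keys and the sample key data are constructed for illustration, and it assumes a POSIX shell with awk.

```shell
#!/bin/sh
# Added example (not from the thread): find authorized_keys lines that are
# not complete single-line key entries, e.g. a key wrapped by a terminal paste.

# Prints "LINE: reason" per suspicious line; returns 1 if any were found.
check_authorized_keys() {
    awk '
    /^[ \t]*#/ { next }          # comment
    /^[ \t]*$/ { next }          # blank line
    {
        keycol = 0
        # Options may precede the key type, so search every field but the last.
        for (i = 1; i < NF; i++)
            if ($i ~ /^(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp(256|384|521))$/) {
                keycol = i + 1; break
            }
        if (keycol == 0) {
            print NR ": no key type (fragment of a wrapped key?)"; bad = 1; next
        }
        blob = $keycol
        if (blob !~ "^AAAA[A-Za-z0-9+/]+=?=?$") {
            print NR ": key data is not base64"; bad = 1
        } else if (length(blob) % 4 != 0) {
            # Padded base64 always has a length that is a multiple of 4.
            print NR ": key data truncated (" length(blob) " chars)"; bad = 1
        }
    }
    END { exit bad + 0 }
    ' "$1"
}

# Constructed sample data: KEY is a made-up blob, not a real public key.
KEY="AAAAB3NzaC1yc2EAAAADAQABSAMPLEsampleDATA0123456789abcdef"
demo_dir=$(mktemp -d)
printf 'ssh-rsa %s user@serverA\n' "$KEY" > "$demo_dir/good"
# The same entry as a terminal paste can leave it: broken into three lines.
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABSAM\nPLEsampleDATA0123456\n789abcdef user@serverA\n' \
    > "$demo_dir/wrapped"

for f in good wrapped; do
    if check_authorized_keys "$demo_dir/$f"; then echo "$f: ok"
    else echo "$f: needs fixing"; fi
done
rm -rf "$demo_dir"
```

A first fragment whose length happens to be a multiple of 4 passes the truncation test, but the continuation lines that follow it are still reported, so a wrapped key is caught either way.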
 
