On 20120206_132412, Bob Proulx wrote: > Paul E Condon wrote: > > "debug1: Roaming not allowed by server" > > > > Then the process switches over to asking for a password, which I > > am trying to avoid. > > On the server look in /var/log/auth.log and look at the messages > logged there from the sshd. Do you see something such as: > > Authentication refused: bad ownership or modes for file > /home/pecondon/.ssh/authorized_keys > > At the least hopefully there will be some useful message there. > > I often will start up a debugging sshd and connect to it so that all of > the messages will be in the foreground. > > Bob
Here is the debug run up to where it is waiting for me to enter a password: root@gq:~# ssh -v root@big OpenSSH_5.9p1 Debian-2, OpenSSL 1.0.0g 18 Jan 2012 debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 19: Applying options for * debug1: Connecting to big [192.168.1.11] port 22. debug1: Connection established. debug1: permanently_set_uid: 0/0 debug1: identity file /root/.ssh/id_rsa type 1 debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048 debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048 debug1: identity file /root/.ssh/id_rsa-cert type -1 debug1: identity file /root/.ssh/id_dsa type -1 debug1: identity file /root/.ssh/id_dsa-cert type -1 debug1: identity file /root/.ssh/id_ecdsa type -1 debug1: identity file /root/.ssh/id_ecdsa-cert type -1 debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5p1 Debian-6+squeeze1 debug1: match: OpenSSH_5.5p1 Debian-6+squeeze1 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_5.9p1 Debian-2 debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: server->client aes128-ctr hmac-md5 none debug1: kex: client->server aes128-ctr hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY debug1: Server host key: RSA 51:cf:52:87:6f:13:43:50:73:29:2c:b4:34:11:cd:5c debug1: Host 'big' is known and matches the RSA host key. debug1: Found key in /root/.ssh/known_hosts:1 debug1: ssh_rsa_verify: signature correct debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug1: SSH2_MSG_NEWKEYS received debug1: Roaming not allowed by server debug1: SSH2_MSG_SERVICE_REQUEST sent debug1: SSH2_MSG_SERVICE_ACCEPT received debug1: Authentications that can continue: publickey,password debug1: Next authentication method: publickey debug1: Offering RSA public key: /root/.ssh/id_rsa debug1: Authentications that can continue: publickey,password debug1: Trying private key: /root/.ssh/id_dsa debug1: Trying private key: /root/.ssh/id_ecdsa debug1: Next authentication method: password root@big's password: All the files in /etc/ssh and ~/.ssh have correct mode and ownership. In particular .ssh/authorized_keys is readable only by owner. Also authorized keys does indeed contain copies of all public keys of all machines, and it is identical to the authorized_keys file on host, cmn, where it works and passwordless login happens correctly. I cannot find a document that explains the meaning of the debug messages. Previously, I had been suspicious of 'Roaming not allow ...' , but here is the log of a successful public key login from gq into cmn: root@gq:~# ssh -v root@cmn OpenSSH_5.9p1 Debian-2, OpenSSL 1.0.0g 18 Jan 2012 debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 19: Applying options for * debug1: Connecting to cmn [192.168.1.10] port 22. debug1: Connection established. debug1: permanently_set_uid: 0/0 debug1: identity file /root/.ssh/id_rsa type 1 debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048 debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048 debug1: identity file /root/.ssh/id_rsa-cert type -1 debug1: identity file /root/.ssh/id_dsa type -1 debug1: identity file /root/.ssh/id_dsa-cert type -1 debug1: identity file /root/.ssh/id_ecdsa type -1 debug1: identity file /root/.ssh/id_ecdsa-cert type -1 debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5p1 Debian-6+squeeze1 debug1: match: OpenSSH_5.5p1 Debian-6+squeeze1 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_5.9p1 Debian-2 debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: server->client aes128-ctr hmac-md5 none debug1: kex: client->server aes128-ctr hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY debug1: Server host key: RSA d0:2e:a7:60:3e:3f:08:6c:6b:71:68:95:02:54:25:75 debug1: Host 'cmn' is known and matches the RSA host key. debug1: Found key in /root/.ssh/known_hosts:4 debug1: ssh_rsa_verify: signature correct debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug1: SSH2_MSG_NEWKEYS received debug1: Roaming not allowed by server debug1: SSH2_MSG_SERVICE_REQUEST sent debug1: SSH2_MSG_SERVICE_ACCEPT received debug1: Authentications that can continue: publickey,password debug1: Next authentication method: publickey debug1: Offering RSA public key: /root/.ssh/id_rsa debug1: Server accepts key: pkalg ssh-rsa blen 277 debug1: read PEM private key done: type RSA debug1: Authentication succeeded (publickey). xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Authenticated to cmn ([192.168.1.10]:22). debug1: channel 0: new [client-session] debug1: Requesting no-more-sessi...@openssh.com debug1: Entering interactive session. debug1: Sending environment. debug1: Sending env LC_COLLATE = C debug1: Sending env LANG = en_US.UTF-8 Linux cmn 2.6.32-5-686 #1 SMP Mon Jan 16 16:04:25 UTC 2012 i686 The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. Last login: Mon Feb 6 15:57:24 2012 from gq.lan.gnu root@cmn:~# <end of log> I have inserted a line of 'x' in the second log at the point where public key authentication is pronounced a success. The two authorized_keys files compare equal using cmp running on cmn after using scp to transfer a copy of big's file to cmn. The scp file transfer require the entering of a password, as I have come to expect for big. At least there is a little consistency in the malfunction. I can't get rsnapshot to work making passwordless backups of cmn onto gq because of this problem/feature of the latest ssh. I really like passwordless backups. -- Paul E Condon pecon...@mesanetworks.net -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20120207020941.ga12...@big.lan.gnu