Re: OpenSSH key based authorisation problem
On 19 January 2011 07:35, Rob Owens wrote:
> I was going to tell you that .ssh should not be world readable, but I
> just tested it and it works fine like that. (I guess that changed
> sometime since I first set up ssh on my machine).
>
> Can you post the authorized_keys file? Remember that those are all
> public keys in there, so it's not sensitive (unless it contains an email
> address that you want to keep private). I'm wondering if there is a
> problem with that file.

I was getting cranky with it, so I rebooted the machine and the problem
went away :-) I don't know why or how, but it is so.
authorized_keys file had only the id_rsa.pub key in it, only 1 key,
nothing else.

At least it's fixed now.

Adrian

--
24x7x365 != 24x7x52 Stupid or bad maths?
hm. I've lost a machine.. literally _lost_. it responds to ping, it
works completely, I just can't figure out where in my apartment it is.

--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/aanlktikwqbre8g95woejiysefghdar62_c5nrswhd...@mail.gmail.com

Re: OpenSSH key based authorisation problem
On Wed, Jan 19, 2011 at 06:06:56AM +1000, Adrian Levi wrote:
> On 19 January 2011 02:37, Rob Owens wrote:
> > Any time I've ever had trouble with key based authentication, it was
> > because of improper permissions on my .ssh folder. It should be set:
> >
> > chmod 700 ~/.ssh
> >
> > I'd double-check that before going any further.
>
> I checked that but didn't spot anything wrong with it compared to my
> .ssh folder.
> carolyn@jupiter:~$ ls -la .ssh/
> total 24
> drwx-- 2 carolyn carolyn 4096 Jan 19 06:06 .
> drwxr-xr-x 4 carolyn carolyn 4096 Jan 18 21:57 ..
> -rw--- 1 carolyn carolyn 397 Jan 19 06:07 authorized_keys
> -rw--- 1 carolyn carolyn 1679 Jan 18 21:26 id_rsa
> -rw-r--r-- 1 carolyn carolyn 397 Jan 18 21:26 id_rsa.pub
> -rw-r--r-- 1 carolyn carolyn 442 Jan 18 21:54 known_hosts
> carolyn@jupiter:~$
>
> adrian@jupiter:~$ ls -la .ssh/
> total 24
> drwx-- 2 adrian adrian 4096 Aug 6 09:29 .
> drwxr-xr-x 15 adrian adrian 4096 Jan 18 20:48 ..
> -rw--- 1 adrian adrian 1140 Aug 11 11:00 authorized_keys
> -rw--- 1 adrian adrian 3243 Aug 11 10:46 id_rsa
> -rw-r--r-- 1 adrian adrian 739 Aug 11 10:46 id_rsa.pub
> -rw-r--r-- 1 adrian adrian 2830 Jan 18 19:20 known_hosts
> adrian@jupiter:~$
>

I was going to tell you that .ssh should not be world readable, but I
just tested it and it works fine like that. (I guess that changed
sometime since I first set up ssh on my machine).

Can you post the authorized_keys file? Remember that those are all
public keys in there, so it's not sensitive (unless it contains an email
address that you want to keep private). I'm wondering if there is a
problem with that file.

-Rob

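Added example, not part of any poster's message: with "StrictModes yes" (as in the sshd_config posted in this thread), sshd rejects authorized_keys when the file or a directory above it, up to the home directory, is owned by someone other than the user or root, or is writable by group or others. Read bits are not tested, which is why a world-readable .ssh still works. The helper name check_strictmodes is hypothetical, and the script assumes GNU stat and the default AuthorizedKeysFile location.

```shell
#!/bin/sh
# Added example, not from the thread. check_strictmodes is a hypothetical
# helper name; it assumes GNU stat (coreutils, as on Debian).
#
# Approximates the StrictModes test for the default AuthorizedKeysFile
# location: each of HOME, HOME/.ssh and HOME/.ssh/authorized_keys must be
# owned by the user or root and must not be writable by group or others.
# Read bits are not part of the test, so 755 passes just as 700 does.
#
# usage: check_strictmodes HOME_DIR [UID]   (returns 0 if every path passes)
check_strictmodes() {
    cs_home=$1
    cs_uid=${2:-$(id -u)}
    cs_rc=0
    for cs_path in "$cs_home" "$cs_home/.ssh" "$cs_home/.ssh/authorized_keys"; do
        if [ ! -e "$cs_path" ]; then
            echo "MISSING   $cs_path"
            cs_rc=1
            continue
        fi
        cs_owner=$(stat -L -c %u "$cs_path")   # numeric owner uid
        cs_mode=$(stat -L -c %a "$cs_path")    # octal mode, e.g. 700
        if [ "$cs_owner" != "$cs_uid" ] && [ "$cs_owner" != 0 ]; then
            echo "BAD OWNER $cs_path (uid $cs_owner, expected $cs_uid or 0)"
            cs_rc=1
        elif [ $(( 0$cs_mode & 022 )) -ne 0 ]; then
            echo "WRITABLE  $cs_path (mode $cs_mode: group/other write bit set)"
            cs_rc=1
        else
            echo "ok        $cs_path (mode $cs_mode)"
        fi
    done
    return "$cs_rc"
}

# When run with arguments, check that home directory, for example as root:
#   sh check_strictmodes.sh /home/carolyn "$(id -u carolyn)"
if [ "$#" -gt 0 ]; then
    check_strictmodes "$@"
fi
```

A failure here corresponds to sshd refusing the key server-side; the client only sees "Authentications that can continue: publickey", so the reason has to be read from the server's auth log.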
Re: OpenSSH key based authorisation problem
On 19 January 2011 05:06, Rob Owens wrote:
> That is the default location for authorized_keys, but it can be changed
> in sshd_config with the AuthorizedKeysFile parameter. Better check and
> make sure somebody didn't alter it from the default.

'Somebody' ~me? :)
This exact config file works perfectly on another host same OpenSSH
version, and my account works properly. I have tried to create 2 new
users post squeeze upgrade but neither work as they should.

###Begin conf file
# Package generated configuration file
# See the sshd(8) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

UsePAM yes
#End conf file#

Adrian

Re: OpenSSH key based authorisation problem
On 19 January 2011 02:37, Rob Owens wrote:
> Any time I've ever had trouble with key based authentication, it was
> because of improper permissions on my .ssh folder. It should be set:
>
> chmod 700 ~/.ssh
>
> I'd double-check that before going any further.

I checked that but didn't spot anything wrong with it compared to my
.ssh folder.

carolyn@jupiter:~$ ls -la .ssh/
total 24
drwx-- 2 carolyn carolyn 4096 Jan 19 06:06 .
drwxr-xr-x 4 carolyn carolyn 4096 Jan 18 21:57 ..
-rw--- 1 carolyn carolyn 397 Jan 19 06:07 authorized_keys
-rw--- 1 carolyn carolyn 1679 Jan 18 21:26 id_rsa
-rw-r--r-- 1 carolyn carolyn 397 Jan 18 21:26 id_rsa.pub
-rw-r--r-- 1 carolyn carolyn 442 Jan 18 21:54 known_hosts
carolyn@jupiter:~$

adrian@jupiter:~$ ls -la .ssh/
total 24
drwx-- 2 adrian adrian 4096 Aug 6 09:29 .
drwxr-xr-x 15 adrian adrian 4096 Jan 18 20:48 ..
-rw--- 1 adrian adrian 1140 Aug 11 11:00 authorized_keys
-rw--- 1 adrian adrian 3243 Aug 11 10:46 id_rsa
-rw-r--r-- 1 adrian adrian 739 Aug 11 10:46 id_rsa.pub
-rw-r--r-- 1 adrian adrian 2830 Jan 18 19:20 known_hosts
adrian@jupiter:~$

Adrian

Re: OpenSSH key based authorisation problem
On Tue, Jan 18, 2011 at 06:25:44PM +0100, François TOURDE wrote:
> On the 14992nd day after Epoch,
> Adrian Levi wrote:
>
> > Carolyn is a newly created test account, nothing but "adduser carolyn"
> > and "ssh-keygen -b4096"
> > My key is 4096 bytes long, it works, default length keys didn't work
> > so I thought I'd try the same key length.
> >
> > This box is newly updated from lenny to testing, although the package
> > versions are identical (Version: 1:5.5p1-6) with another Squeeze box
> > that works perfectly.
> >
> > I discovered this problem while trying to set up a sftp account for a
> > Website designer, my account can sftp perfectly.
> >
> > I can't think on what else to provide at the moment.
>
> Did you put the public key on the correct .ssh/authorized_keys ? The new
> user (carolyn) must have his/her own ~/.ssh/authorized_keys, or you must
> try "ssh -v adrian@localhost" if you put the key on adrian's home.
>

That is the default location for authorized_keys, but it can be changed
in sshd_config with the AuthorizedKeysFile parameter. Better check and
make sure somebody didn't alter it from the default.

-Rob

Re: OpenSSH key based authorisation problem
On the 14992nd day after Epoch,
Adrian Levi wrote:

> Carolyn is a newly created test account, nothing but "adduser carolyn"
> and "ssh-keygen -b4096"
> My key is 4096 bytes long, it works, default length keys didn't work
> so I thought I'd try the same key length.
>
> This box is newly updated from lenny to testing, although the package
> versions are identical (Version: 1:5.5p1-6) with another Squeeze box
> that works perfectly.
>
> I discovered this problem while trying to set up a sftp account for a
> Website designer, my account can sftp perfectly.
>
> I can't think on what else to provide at the moment.

Did you put the public key on the correct .ssh/authorized_keys ? The new
user (carolyn) must have his/her own ~/.ssh/authorized_keys, or you must
try "ssh -v adrian@localhost" if you put the key on adrian's home.

My 2 cents.

Re: OpenSSH key based authorisation problem
On Tue, Jan 18, 2011 at 09:55:32PM +1000, Adrian Levi wrote:
> It seems that users other than me are not able to login to the server.
> I use key based authentication via putty and from other debian boxes
> fine but other users from putty (haven't tried other users from linux)
> fail with "No more authentication methods available".
>

Any time I've ever had trouble with key based authentication, it was
because of improper permissions on my .ssh folder. It should be set:

chmod 700 ~/.ssh

I'd double-check that before going any further.

-Rob

OpenSSH key based authorisation problem
It seems that users other than me are not able to login to the server.
I use key based authentication via putty and from other debian boxes
fine but other users from putty (haven't tried other users from linux)
fail with "No more authentication methods available".

adrian@jupiter:~$ ssh -v localhost
OpenSSH_5.5p1 Debian-6, OpenSSL 0.9.8o 01 Jun 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to localhost [::1] port 22.
debug1: Connection established.
debug1: identity file /home/adrian/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-4096
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-4096
debug1: identity file /home/adrian/.ssh/id_rsa-cert type -1
debug1: identity file /home/adrian/.ssh/id_dsa type -1
debug1: identity file /home/adrian/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5p1 Debian-6
debug1: match: OpenSSH_5.5p1 Debian-6 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.5p1 Debian-6
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'localhost' is known and matches the RSA host key.
debug1: Found key in /home/adrian/.ssh/known_hosts:7
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/adrian/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 533
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessi...@openssh.com
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_AU.UTF-8
Linux jupiter 2.6.32-5-686 #1 SMP Wed Jan 12 04:01:41 UTC 2011 i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
No mail.
Last login: Tue Jan 18 21:53:03 2011 from c211-31-35-102.rochd5.qld.optusnet.com.au
adrian@jupiter:~$

And another user that does not work:

carolyn@jupiter:~$ ssh -v localhost
OpenSSH_5.5p1 Debian-6, OpenSSL 0.9.8o 01 Jun 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to localhost [::1] port 22.
debug1: Connection established.
debug1: identity file /home/carolyn/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /home/carolyn/.ssh/id_rsa-cert type -1
debug1: identity file /home/carolyn/.ssh/id_dsa type -1
debug1: identity file /home/carolyn/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5p1 Debian-6
debug1: match: OpenSSH_5.5p1 Debian-6 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.5p1 Debian-6
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
The authenticity of host 'localhost (::1)' can't be established.
RSA key fingerprint is fb:48:f6:04:2e:86:58:f7:1b:38:07:72:51:8e:0a:f1.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/carolyn/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/carolyn/.ssh/id_dsa
debug1: No more authentication methods to try.
Permission denied (publickey).
carolyn@jupiter:~$

Carolyn is a newly created test account, nothing but "adduser