slackline (Veteran)
Joined: 01 Apr 2005 Posts: 1468 Location: /uk/sheffield
Posted: Tue Oct 13, 2015 12:48 pm Post subject: [SOLVED] Keychain woes
Hi,
I've been using RSA keys with keychain as per the Gentoo Wiki for some time without any problem. I've successfully set things up between...
- Home server
- Laptop
- Raspberry Pi B
- Raspberry Pi2
- Android phone
- Work computer
Never any problem. However I got a new computer at work and have gone with Gentoo again (what else would I use?) and have followed the Gentoo Wiki on Keychain again, or at least I thought I had, but I may well have done something wrong as I can't SSH into it without being asked for my password (not my RSA key password). I have had no problem setting up the new computer (hamilton) and sharing its public key to allow me to SSH to my old computer (morgan) or my home server (kimura), but cannot for the life of me see where I've gone wrong sharing the public keys from the old/home servers (morgan/kimura) with the new computer (hamilton).
Step 1 Copy public key from old work computer (morgan) to new (hamilton)
Code:
me@morgan $ cat ~/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5HzuM1xSje7d9+8q/33n//vi7r1gjITgaKegPxNmkFbdDryWMOKH+fm6TRaZJaEvtlyY1wLXqoWyXFkhpr7QKU5cCNL9ZtnToHaHAQkM6NiV2PsNTQ2wTHwDwXu+0uO3Ucvwz21BOFOxHO5TzYpNG3jaxc8u+l63004Y6R2dJhH7YK0Cl1QZfqWd4lfK+tu1PFpGfPbfR3F8MvVtn2Uzbj0c+LsAixffMIbcvkOVFjZ4WdwyGxj6bjxgzWzFxAjQMZ/#####################################################################################== me@morgan
Code:
me@hamilton $ grep morgan ~/.ssh/authorized.keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5HzuM1xSje7d9+8q/33n//vi7r1gjITgaKegPxNmkFbdDryWMOKH+fm6TRaZJaEvtlyY1wLXqoWyXFkhpr7QKU5cCNL9ZtnToHaHAQkM6NiV2PsNTQ2wTHwDwXu+0uO3Ucvwz21BOFOxHO5TzYpNG3jaxc8u+l63004Y6R2dJhH7YK0Cl1QZfqWd4lfK+tu1PFpGfPbfR3F8MvVtn2Uzbj0c+LsAixffMIbcvkOVFjZ4WdwyGxj6bjxgzWzFxAjQMZ/#####################################################################################== me@morgan
Step 2 Check to see I'm being asked for the password for my RSA key
Code:
me@morgan $ ssh me@hamilton
me@morgan ~ $ ssh me@hamilton
Password:
* keychain 2.8.1 ~ http://www.funtoo.org
* Found existing ssh-agent: 8064
* Known ssh key: /home/me/.ssh/id_rsa
me@hamilton ~ $
I was expecting to be asked for my id_rsa key passphrase here. Let's check whether sshd is configured to use public key authentication on hamilton (it is by default on all other systems)...
Code:
# grep -i key /etc/ssh/sshd_config
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
# Ciphers and keying
#RekeyLimit default none
#PubkeyAuthentication yes <<<< Default option, shouldn't need changing
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
#AuthorizedKeysFile .ssh/authorized_keys <<<< Default option, shouldn't need changing
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
# Change to no to disable s/key passwords
Step 3 Look in more detail at what's going on with ssh
I decided to compare the verbose output from ssh in both directions to see if I could figure out what's going on.
SSH from hamilton to morgan (both on same network at work)
Code:
$ ssh me@morgan -v
OpenSSH_7.1p1-hpn14v5, OpenSSL 1.0.2d 9 Jul 2015
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to morgan [143.167.138.142] port 22.
debug1: Connection established.
debug1: identity file /home/me/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/me/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/m/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/me/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/me/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/me/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.1p1-hpn14v5
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.9p1-hpn14v5
debug1: match: OpenSSH_6.9p1-hpn14v5 pat OpenSSH* compat 0x04000000
debug1: Authenticating to morgan:22 as 'me'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: AUTH STATE IS 0
debug1: REQUESTED ENC.NAME is 'chacha20-poly1305@openssh.com'
debug1: kex: server->client chacha20-poly1305@openssh.com <implicit> none
debug1: REQUESTED ENC.NAME is 'chacha20-poly1305@openssh.com'
debug1: kex: client->server chacha20-poly1305@openssh.com <implicit> none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-ed25519 SHA256:Ii35uqVF6yfypnBi4+koroT40/HtCjttfUIpc3sLuM4
debug1: Host 'morgan' is known and matches the ED25519 host key.
debug1: Found key in /home/me/.ssh/known_hosts:3
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/me/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: Authentication succeeded (publickey).
Authenticated to morgan ([143.167.138.142]:22).
debug1: Final hpn_buffer_size = 2097152
debug1: HPN Disabled: 0, HPN Buffer Size: 2097152
debug1: channel 0: new [client-session]
debug1: Enabled Dynamic Window Scaling
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Sending environment.
debug1: Sending env LANG = en_GB.utf8
* keychain 2.8.1 ~ http://www.funtoo.org
* Found existing ssh-agent: 16997
* Known ssh key: /home/me/.ssh/id_rsa
me@morgan ~ $
Great, I can SSH without passwords using RSA keys/keychain from hamilton > morgan.
SSH from morgan to hamilton
Code:
me@morgan ~ $ ssh me@hamilton -v
OpenSSH_6.9p1-hpn14v5, OpenSSL 1.0.2d 9 Jul 2015
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to hamilton [143.167.138.42] port 22.
debug1: Connection established.
debug1: identity file /home/me/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/me/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/me/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/me/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/me/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/me/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/me/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/me/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.9p1-hpn14v5
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.1p1-hpn14v5
debug1: match: OpenSSH_7.1p1-hpn14v5 pat OpenSSH* compat 0x04000000
debug1: Authenticating to hamilton:22 as 'me'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: AUTH STATE IS 0
debug1: REQUESTED ENC.NAME is 'chacha20-poly1305@openssh.com'
debug1: kex: server->client chacha20-poly1305@openssh.com <implicit> none
debug1: REQUESTED ENC.NAME is 'chacha20-poly1305@openssh.com'
debug1: kex: client->server chacha20-poly1305@openssh.com <implicit> none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-ed25519 SHA256:YSjoUHKU5aZ/OizZ7hr+0WqGJKBr0OqiC9TDPh2+U+k
debug1: Host 'hamilton' is known and matches the ED25519 host key.
debug1: Found key in /home/me/.ssh/known_hosts:51
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server <<<<<<<<<<<< This isn't reported when SSHing the other way
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive,hostbased
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/me/.ssh/id_rsa <<<<<<<<<<<< When this is offered SSHing the other way its accepted?
debug1: Authentications that can continue: publickey,keyboard-interactive,hostbased
debug1: Trying private key: /home/me/.ssh/id_dsa
debug1: Trying private key: /home/me/.ssh/id_ecdsa
debug1: Trying private key: /home/me/.ssh/id_ed25519
debug1: Next authentication method: keyboard-interactive
Password:
debug1: Authentication succeeded (keyboard-interactive).
Authenticated to hamilton ([143.167.138.42]:22).
debug1: Final hpn_buffer_size = 2097152
debug1: HPN Disabled: 0, HPN Buffer Size: 2097152
debug1: channel 0: new [client-session]
debug1: Enabled Dynamic Window Scaling
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Sending environment.
debug1: Sending env LANG = en_GB.UTF-8
* keychain 2.8.1 ~ http://www.funtoo.org
* Found existing ssh-agent: 8064
* Known ssh key: /home/me/.ssh/id_rsa
me@hamilton ~ $
I've noticed that Roaming isn't enabled on the server, and a quick search led to this thread which suggested the 'Roaming not allowed on this server' message was down to 'HostbasedAuthentication' on hamilton not being set to 'yes'.
I tried this (and restarted sshd, obviously) but to no avail, and it's not set on morgan.
I've started afresh three times now and keep on getting the same result, so I'm either making the same stupid mistake or there's something I'm completely misunderstanding, and I am pretty stumped.
Any pointers, thoughts, suggestions or solutions would be very much appreciated.
Thanks in advance,
slackline
_________________
"Science is what we understand well enough to explain to a computer. Art is everything else we do." - Donald Knuth
Last edited by slackline on Wed Oct 14, 2015 6:55 am; edited 1 time in total
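The `ssh -v` transcripts above are the right diagnostic; the thing to read is the pairing of the "Offering RSA public key" line with the line that follows it. Where morgan accepts the key the next line is "Server accepts key"; where hamilton refuses it the next line is a fresh "Authentications that can continue" list, and ssh moves on to keyboard-interactive, which is why the Password: prompt appears even though the key was offered. The POSIX shell script below is an added example, not part of the thread, that reads a transcript in the OpenSSH 6.x/7.x debug format shown above and reports which of those outcomes it contains. The sample transcripts inside it are constructed to match that format and are not copies of the poster's sessions.

```shell
#!/bin/sh
# Added example (not from the thread): classify what an `ssh -v` transcript
# says about authentication. In OpenSSH 6.x/7.x debug output:
#   Offering ... public key: P  then  Server accepts key:                 -> P accepted
#   Offering ... public key: P  then  Authentications that can continue:  -> P refused
# The final "Authentication succeeded (METHOD)" line names what actually worked.

# Usage: ssh_auth_outcome [transcript-file]   (reads stdin when no file is given)
# Prints one line:
#   publickey:<path>                       the key at <path> was accepted
#   fallback:<method> [refused:<paths>]    offered keys were refused, ssh fell back to <method>
#   none                                   no method succeeded in the transcript
ssh_auth_outcome() {
    awk '
        /^debug1: Offering .*public key: / {
            p = $0; sub(/.*public key: /, "", p); sub(/ .*/, "", p)
            offered = p
        }
        /^debug1: Server accepts key:/ && offered != "" { accepted = offered; offered = "" }
        # a new "can continue" list right after an offer means the server rejected that key
        /^debug1: Authentications that can continue:/ && offered != "" {
            refused = (refused == "" ? offered : (refused "," offered))
            offered = ""
        }
        /^debug1: Authentication succeeded \(/ {
            m = $0; sub(/.*\(/, "", m); sub(/\).*/, "", m); method = m
        }
        END {
            if (method == "publickey" && accepted != "") print "publickey:" accepted
            else if (method != "") {
                out = "fallback:" method
                if (refused != "") out = out " refused:" refused
                print out
            } else print "none"
        }
    ' "$@"
}

# Constructed transcripts patterned on the thread's output, trimmed to the lines
# that matter; they are not copies of the poster's sessions.
sample_accepted() {
cat <<'EOF'
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/me/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: Authentication succeeded (publickey).
EOF
}

sample_refused() {
cat <<'EOF'
debug1: Authentications that can continue: publickey,keyboard-interactive,hostbased
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/me/.ssh/id_rsa
debug1: Authentications that can continue: publickey,keyboard-interactive,hostbased
debug1: Trying private key: /home/me/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
debug1: Authentication succeeded (keyboard-interactive).
EOF
}

if [ "${1:-}" = "--demo" ]; then
    sample_accepted | ssh_auth_outcome   # publickey:/home/me/.ssh/id_rsa
    sample_refused  | ssh_auth_outcome   # fallback:keyboard-interactive refused:/home/me/.ssh/id_rsa
fi
```

On a real session, `ssh -v me@hamilton 2>&1 | ssh_auth_outcome` gives the same one-line verdict; a "refused:" entry for a key you have installed on the server means the server side (file name, permissions, key contents) is where to look, not the client.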
kikko (Apprentice)
Joined: 29 Apr 2014 Posts: 276 Location: Milan, IT
Posted: Tue Oct 13, 2015 10:42 pm
Hi slackline
I've spotted a possible typo in your config:
slackline wrote:
Code:
me@hamilton $ grep morgan ~/.ssh/authorized.keys
According to your configuration (which is the default one) that file should be "~/.ssh/authorized_keys" instead:
Code:
#AuthorizedKeysFile .ssh/authorized_keys <<<< Default option, shouldn't need changing
Regards
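kikko's diagnosis is that the key was placed in a file sshd never consults, so the client offered a perfectly good key and the server had nothing to match it against. The script below is an added example, not posted in the thread, that checks a server-side ~/.ssh directory for that mistake and for its two common neighbours: a group/world-writable directory or file, which sshd's StrictModes rejects, and a key that simply is not in the file. The public key in it is a constructed placeholder, the fixture directory it builds reproduces the thread's situation (right key, wrong file name), and it assumes GNU `stat -c` with a BSD `stat -f` fallback.

```shell
#!/bin/sh
# Added example (not from the thread): audit a server-side ~/.ssh layout for the
# mistakes that make sshd ignore a key the client is offering:
#   1. the key sits in a misnamed file (authorized.keys) instead of authorized_keys
#   2. ~/.ssh or authorized_keys is group/world-writable (StrictModes then refuses it)
#   3. the expected public key is not in the file at all
# Assumes GNU stat (-c) with a BSD stat (-f) fallback.

# Constructed, non-functional public key used only for the demo fixture.
CONSTRUCTED_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedKeyBlobForThisExample0000== me@morgan'

mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# writable_by_others MODE  -> true when the group or other write bit is set (MODE like 664)
writable_by_others() {
    tail=${1#"${1%??}"}                      # last two octal digits: group, other
    case "$tail" in [2367]?|?[2367]) return 0 ;; *) return 1 ;; esac
}

# audit_authorized_keys SSHDIR PUBKEY_LINE -> prints OK/FAIL/HINT lines, returns 1 on any FAIL
audit_authorized_keys() {
    sshdir=$1; pubkey=$2; rc=0
    f="$sshdir/authorized_keys"
    blob=$(printf '%s\n' "$pubkey" | awk '{ print $2 }')   # match on the base64 part only

    if [ ! -f "$f" ]; then
        echo "FAIL: $f does not exist"
        for cand in "$sshdir/authorized.keys" "$sshdir/authorised_keys" \
                    "$sshdir/authorized_keys.txt" "$sshdir/authorized_keys2"; do
            if [ -f "$cand" ]; then
                echo "HINT: found $cand; sshd only reads the file(s) named by AuthorizedKeysFile (.ssh/authorized_keys in the thread's config)"
            fi
        done
        return 1
    fi

    for p in "$sshdir" "$f"; do
        m=$(mode_of "$p")
        if writable_by_others "$m"; then
            echo "FAIL: $p is group/world-writable (mode $m); sshd with StrictModes rejects it"
            rc=1
        else
            echo "OK: $p mode $m"
        fi
    done

    if grep -qF -- "$blob" "$f"; then
        echo "OK: public key blob present in $f"
    else
        echo "FAIL: public key blob not found in $f"
        rc=1
    fi
    return $rc
}

# Build a throw-away directory reproducing the thread's situation: right key, wrong file name.
make_fixture() {
    d=$(mktemp -d)
    mkdir -m 700 "$d/.ssh"
    printf '%s\n' "$CONSTRUCTED_PUBKEY" > "$d/.ssh/authorized.keys"
    chmod 600 "$d/.ssh/authorized.keys"
    echo "$d/.ssh"
}

if [ "${1:-}" = "--demo" ]; then
    sshdir=$(make_fixture)
    audit_authorized_keys "$sshdir" "$CONSTRUCTED_PUBKEY"   # FAIL, plus a HINT naming authorized.keys
    mv "$sshdir/authorized.keys" "$sshdir/authorized_keys"
    audit_authorized_keys "$sshdir" "$CONSTRUCTED_PUBKEY"   # all OK
fi
```

Saved as, say, audit.sh, `sh audit.sh --demo` shows the misnamed layout failing with a HINT and the renamed file passing. On a real host the call is `audit_authorized_keys ~/.ssh "$(cat id_rsa.pub)"` with the public key copied over from the client; running it right after installing a key catches the typo before the first failed login does.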
slackline (Veteran)
Joined: 01 Apr 2005 Posts: 1468 Location: /uk/sheffield
Posted: Wed Oct 14, 2015 6:55 am
kikko wrote:
Hi slackline
I've spotted a possible typo in your config:
slackline wrote:
Code:
me@hamilton $ grep morgan ~/.ssh/authorized.keys
According to your configuration (which is the default one) that file should be "~/.ssh/authorized_keys" instead:
Code:
#AuthorizedKeysFile .ssh/authorized_keys <<<< Default option, shouldn't need changing
Regards
Thank you so very much. How I made that typo I've no idea; probably habit from working with files with periods between sections of file names.
_________________
"Science is what we understand well enough to explain to a computer. Art is everything else we do." - Donald Knuth