Gentoo Forums
[SOLVED] Keychain woes
slackline
Veteran

Joined: 01 Apr 2005
Posts: 1468
Location: /uk/sheffield

Posted: Tue Oct 13, 2015 12:48 pm    Post subject: [SOLVED] Keychain woes

Hi,

I've been using RSA keys with keychain as per the Gentoo Wiki for some time without any problem. I've successfully set things up between...


  • Home server
  • Laptop
  • Raspberry Pi B
  • Raspberry Pi2
  • Android phone
  • Work computer


Never any problem. However, I got a new computer at work and have gone with Gentoo again (what else would I use?) and have followed the Gentoo Wiki on Keychain again, or at least I thought I had, but I may well have done something wrong as I can't SSH into it without being asked for my password (not my RSA key password). I have had no problem setting up the new computer (hamilton) and sharing its public key to allow me to SSH to my old computer (morgan) or my home server (kimura), but cannot for the life of me see where I've gone wrong sharing the public keys from the old/home servers (morgan/kimura) with the new computer (hamilton).

Step 1 Copy public key from old work computer (morgan) to new (hamilton)

Code:

me@morgan $ cat ~/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5HzuM1xSje7d9+8q/33n//vi7r1gjITgaKegPxNmkFbdDryWMOKH+fm6TRaZJaEvtlyY1wLXqoWyXFkhpr7QKU5cCNL9ZtnToHaHAQkM6NiV2PsNTQ2wTHwDwXu+0uO3Ucvwz21BOFOxHO5TzYpNG3jaxc8u+l63004Y6R2dJhH7YK0Cl1QZfqWd4lfK+tu1PFpGfPbfR3F8MvVtn2Uzbj0c+LsAixffMIbcvkOVFjZ4WdwyGxj6bjxgzWzFxAjQMZ/#####################################################################################== me@morgan



Code:

me@hamilton $ grep morgan ~/.ssh/authorized.keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5HzuM1xSje7d9+8q/33n//vi7r1gjITgaKegPxNmkFbdDryWMOKH+fm6TRaZJaEvtlyY1wLXqoWyXFkhpr7QKU5cCNL9ZtnToHaHAQkM6NiV2PsNTQ2wTHwDwXu+0uO3Ucvwz21BOFOxHO5TzYpNG3jaxc8u+l63004Y6R2dJhH7YK0Cl1QZfqWd4lfK+tu1PFpGfPbfR3F8MvVtn2Uzbj0c+LsAixffMIbcvkOVFjZ4WdwyGxj6bjxgzWzFxAjQMZ/#####################################################################################== me@morgan



Step 2 Check to see I'm being asked for the password for my RSA key

Code:

me@morgan ~ $ ssh me@hamilton
Password:

 * keychain 2.8.1 ~ http://www.funtoo.org
 * Found existing ssh-agent: 8064
 * Known ssh key: /home/me/.ssh/id_rsa

me@hamilton ~ $


I was expecting to be asked for my id_rsa.pub key here. Let's check whether sshd is configured to use public key authentication on hamilton (it is by default on all other systems)...

Code:

# grep -i key /etc/ssh/sshd_config
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
# Ciphers and keying
#RekeyLimit default none
#PubkeyAuthentication yes                        <<<< Default option, shouldn't need changing
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
#AuthorizedKeysFile   .ssh/authorized_keys                        <<<< Default option, shouldn't need changing
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
# Change to no to disable s/key passwords



Step 3 Look in more detail at what's going on with ssh

I decided to compare the verbose output from ssh to see if I could figure out what's going on.

SSH from hamilton to morgan (both on same network at work)
Code:

$ ssh me@morgan -v
OpenSSH_7.1p1-hpn14v5, OpenSSL 1.0.2d 9 Jul 2015
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to morgan [143.167.138.142] port 22.
debug1: Connection established.
debug1: identity file /home/me/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/me/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/me/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/me/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/me/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/me/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.1p1-hpn14v5
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.9p1-hpn14v5
debug1: match: OpenSSH_6.9p1-hpn14v5 pat OpenSSH* compat 0x04000000
debug1: Authenticating to morgan:22 as 'me'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: AUTH STATE IS 0
debug1: REQUESTED ENC.NAME is 'chacha20-poly1305@openssh.com'
debug1: kex: server->client chacha20-poly1305@openssh.com <implicit> none
debug1: REQUESTED ENC.NAME is 'chacha20-poly1305@openssh.com'
debug1: kex: client->server chacha20-poly1305@openssh.com <implicit> none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-ed25519 SHA256:Ii35uqVF6yfypnBi4+koroT40/HtCjttfUIpc3sLuM4
debug1: Host 'morgan' is known and matches the ED25519 host key.
debug1: Found key in /home/me/.ssh/known_hosts:3
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/me/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: Authentication succeeded (publickey).
Authenticated to morgan ([143.167.138.142]:22).
debug1: Final hpn_buffer_size = 2097152
debug1: HPN Disabled: 0, HPN Buffer Size: 2097152
debug1: channel 0: new [client-session]
debug1: Enabled Dynamic Window Scaling
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Sending environment.
debug1: Sending env LANG = en_GB.utf8

 * keychain 2.8.1 ~ http://www.funtoo.org
 * Found existing ssh-agent: 16997
 * Known ssh key: /home/me/.ssh/id_rsa

me@morgan ~ $


Great, I can SSH without passwords using RSA keys/keychain from hamilton > morgan.

SSH from morgan to hamilton

Code:

me@morgan ~ $ ssh me@hamilton -v
OpenSSH_6.9p1-hpn14v5, OpenSSL 1.0.2d 9 Jul 2015
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to hamilton [143.167.138.42] port 22.
debug1: Connection established.
debug1: identity file /home/me/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/me/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/me/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/me/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/me/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/me/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/me/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/me/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.9p1-hpn14v5
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.1p1-hpn14v5
debug1: match: OpenSSH_7.1p1-hpn14v5 pat OpenSSH* compat 0x04000000
debug1: Authenticating to hamilton:22 as 'me'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: AUTH STATE IS 0
debug1: REQUESTED ENC.NAME is 'chacha20-poly1305@openssh.com'
debug1: kex: server->client chacha20-poly1305@openssh.com <implicit> none
debug1: REQUESTED ENC.NAME is 'chacha20-poly1305@openssh.com'
debug1: kex: client->server chacha20-poly1305@openssh.com <implicit> none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-ed25519 SHA256:YSjoUHKU5aZ/OizZ7hr+0WqGJKBr0OqiC9TDPh2+U+k
debug1: Host 'hamilton' is known and matches the ED25519 host key.
debug1: Found key in /home/me/.ssh/known_hosts:51
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server                     <<<<<<<<<<<< This isn't reported when SSHing the other way
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive,hostbased
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/me/.ssh/id_rsa                      <<<<<<<<<<<< When this is offered SSHing the other way its accepted?
debug1: Authentications that can continue: publickey,keyboard-interactive,hostbased
debug1: Trying private key: /home/me/.ssh/id_dsa
debug1: Trying private key: /home/me/.ssh/id_ecdsa
debug1: Trying private key: /home/me/.ssh/id_ed25519
debug1: Next authentication method: keyboard-interactive
Password:
debug1: Authentication succeeded (keyboard-interactive).
Authenticated to hamilton ([143.167.138.42]:22).
debug1: Final hpn_buffer_size = 2097152
debug1: HPN Disabled: 0, HPN Buffer Size: 2097152
debug1: channel 0: new [client-session]
debug1: Enabled Dynamic Window Scaling
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Sending environment.
debug1: Sending env LANG = en_GB.UTF-8

 * keychain 2.8.1 ~ http://www.funtoo.org
 * Found existing ssh-agent: 8064
 * Known ssh key: /home/me/.ssh/id_rsa

me@hamilton ~ $


I've noticed that Roaming isn't enabled on the server, and a quick search led to this thread, which suggested the 'Roaming not allowed on this server' message was down to 'HostbasedAuthentication' on hamilton not being set to 'yes'.

I tried this (and restarted sshd, obviously) but to no avail, and it's not set on morgan.

I've started afresh three times now and keep on getting the same result, so I'm either making the same stupid mistake or there's something I'm completely misunderstanding, and I am pretty stumped.

Any pointers, thoughts, suggestions or solutions would be very much appreciated.

Thanks in advance,

slackline
_________________
"Science is what we understand well enough to explain to a computer.  Art is everything else we do." - Donald Knuth


Last edited by slackline on Wed Oct 14, 2015 6:55 am; edited 1 time in total
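The two verbose transcripts in the post above show the tell-tale pattern for a key that is offered but declined: after "Offering RSA public key" the server answers with another "Authentications that can continue" list instead of "Server accepts key", and the client silently moves on to keyboard-interactive, which is where the unexpected "Password:" prompt comes from. The shell/awk snippet below is an added example and is not from the original post; it classifies an `ssh -v` transcript by that pattern so the rejection is reported explicitly. It matches the debug1 line formats that OpenSSH 6.x/7.x print (the ones quoted above); the two sample transcripts are constructed from those lines, and the function and variable names are invented for this example.

```shell
# Added example, not from the thread: classify an `ssh -v` transcript so a
# rejected public key is reported explicitly instead of being inferred from a
# surprise "Password:" prompt. Matches the debug1 lines OpenSSH 6.x/7.x print.
# Function and variable names are invented for this example.

classify_ssh_verbose() {   # usage: ssh -v host 2>&1 | classify_ssh_verbose
    awk '
    # Client offers a key: remember its path (first token after "public key: ").
    /^debug1: Offering .*public key: / {
        offered = $0; sub(/.*public key: /, "", offered); sub(/ .*/, "", offered); next
    }
    # Server acknowledged the key; the client will now sign with it.
    /^debug1: Server accepts key/ { accepted = offered; next }
    # A fresh "can continue" list right after an offer means the server declined it.
    /^debug1: Authentications that can continue:/ {
        if (offered != "" && accepted == "") rejected = rejected offered " "
        offered = ""; next
    }
    # Which method finally authenticated the session.
    /^debug1: Authentication succeeded \(/ {
        method = $0; sub(/.*\(/, "", method); sub(/\).*/, "", method)
    }
    END {
        if (method == "publickey") { print "OK: publickey accepted using " accepted; exit 0 }
        if (rejected != "") print "REJECTED by server: " rejected "(check AuthorizedKeysFile, StrictModes permissions, key present)"
        if (method != "")   print "Session authenticated by " method " instead of publickey"
        exit 1
    }'
}

# Constructed samples modelled on the transcripts quoted in this thread.
FALLBACK_SAMPLE='debug1: Authentications that can continue: publickey,keyboard-interactive,hostbased
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/me/.ssh/id_rsa
debug1: Authentications that can continue: publickey,keyboard-interactive,hostbased
debug1: Trying private key: /home/me/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
Password:
debug1: Authentication succeeded (keyboard-interactive).'

SUCCESS_SAMPLE='debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/me/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: Authentication succeeded (publickey).'

# Stand-alone run: `sh thisfile --demo` classifies both samples.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$FALLBACK_SAMPLE" | classify_ssh_verbose
    printf '%s\n' "$SUCCESS_SAMPLE"  | classify_ssh_verbose
fi
```

`ssh -v` writes its debug output to stderr, hence the `2>&1` in the usage line. A non-zero exit together with a "REJECTED by server" line means the server saw the key and declined it, so the fault is on the server side (the file sshd reads, its permissions, or the key not being in it), not with ssh-agent or keychain on the client.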
kikko
Apprentice

Joined: 29 Apr 2014
Posts: 276
Location: Milan, IT

Posted: Tue Oct 13, 2015 10:42 pm

Hi slackline
I've spotted a possible typo in your config:
slackline wrote:
Code:
me@hamilton $ grep morgan ~/.ssh/authorized.keys

According to your configuration (which is the default one) that file should be "~/.ssh/authorized_keys" instead:
Code:
#AuthorizedKeysFile   .ssh/authorized_keys                        <<<< Default option, shouldn't need changing

Regards
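kikko's diagnosis is the server-side half of the story: sshd reads only the file named by AuthorizedKeysFile (by default .ssh/authorized_keys, so a file called authorized.keys is never consulted), and with the default StrictModes yes it also ignores that file when the home directory, ~/.ssh or the file itself is writable by group or others, again with nothing more visible to the client than a fall-back to the next authentication method. The script below is an added example, not from the thread, that runs those checks against a given home directory and confirms that a given public key is listed; the fixture directory, the dummy key text and all function names are constructed for this example.

```shell
# Added example, not from the thread: run the checks sshd applies before it
# honours a key, so a misnamed authorized_keys file or bad permissions under
# StrictModes are reported directly. POSIX sh; needs stat (GNU or BSD) and awk.
# All function names and the fixture below are invented for this example.

# Octal mode of a path, portable across GNU (-c) and BSD (-f) stat.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# True if group or other has write permission (sshd refuses such paths when
# StrictModes is yes, which is the default).
group_or_other_writable() {
    m=$(mode_of "$1")
    go=${m#"${m%??}"}            # last two octal digits: group, other
    case ${go%?} in 2|3|6|7) return 0;; esac
    case ${go#?} in 2|3|6|7) return 0;; esac
    return 1
}

# usage: check_authorized_keys HOME_DIR PUBKEY_FILE
check_authorized_keys() {
    home=$1
    pub=$2
    rc=0
    sshdir=$home/.ssh
    ak=$sshdir/authorized_keys

    # 1. Only the exact AuthorizedKeysFile name is read; flag common misspellings.
    for bad in authorized.keys authorized_key authorised_keys authorized_keys.pub; do
        if [ -e "$sshdir/$bad" ]; then
            echo "WARN: $sshdir/$bad exists but sshd never reads it (did you mean authorized_keys?)"
            rc=1
        fi
    done
    if [ ! -f "$ak" ]; then
        echo "FAIL: $ak does not exist"
        return 1
    fi

    # 2. StrictModes: home, ~/.ssh and authorized_keys must not be group/other-writable.
    for p in "$home" "$sshdir" "$ak"; do
        if group_or_other_writable "$p"; then
            echo "FAIL: $p is group/other-writable (mode $(mode_of "$p")); StrictModes ignores the key"
            rc=1
        fi
    done

    # 3. The key's base64 blob (second field of the .pub line) must appear on some
    #    line of authorized_keys; comparing fields tolerates a leading options string.
    blob=$(awk 'NR == 1 { print $2 }' "$pub")
    if awk -v b="$blob" '{ for (i = 1; i <= NF; i++) if ($i == b) found = 1 } END { exit !found }' "$ak"; then
        echo "OK: key from $pub is listed in $ak"
    else
        echo "FAIL: key from $pub is not listed in $ak"
        rc=1
    fi
    return $rc
}

# Constructed fixture reproducing the thread's mistake: the key was pasted into
# ~/.ssh/authorized.keys. The key material is a dummy string, not a real key.
make_fixture() {
    d=$(mktemp -d)
    chmod 755 "$d"
    mkdir -m 700 "$d/.ssh"
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABdummyKeyForExample== me@morgan\n' > "$d/morgan.pub"
    cp "$d/morgan.pub" "$d/.ssh/authorized.keys"
    echo "$d"
}

# Stand-alone run: `sh thisfile --demo` shows the failing and the fixed layout.
if [ "${1:-}" = "--demo" ]; then
    h=$(make_fixture)
    check_authorized_keys "$h" "$h/morgan.pub"      # fails: file misnamed
    mv "$h/.ssh/authorized.keys" "$h/.ssh/authorized_keys"
    chmod 600 "$h/.ssh/authorized_keys"
    check_authorized_keys "$h" "$h/morgan.pub"      # passes
    rm -rf "$h"
fi
```

On a real server run it as the target user, e.g. `check_authorized_keys "$HOME" /tmp/morgan.pub` after copying the client's .pub file over; the permission checks matter because a home directory that is group-writable (a common default on some distributions) produces exactly the same silent fall-back as the misnamed file.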
slackline
Veteran

Joined: 01 Apr 2005
Posts: 1468
Location: /uk/sheffield

Posted: Wed Oct 14, 2015 6:55 am

kikko wrote:
Hi slackline
I've spotted a possible typo in your config:
slackline wrote:
Code:
me@hamilton $ grep morgan ~/.ssh/authorized.keys

According to your configuration (which is default one) that file should be "~/.ssh/authorized_keys" instead
Code:
#AuthorizedKeysFile   .ssh/authorized_keys                        <<<< Default option, shouldn't need changing

Regards


Thank you so very much. How I made that typo I've no idea; probably habit from working with files with periods between sections of file names.
_________________
"Science is what we understand well enough to explain to a computer.  Art is everything else we do." - Donald Knuth