SSH key based authentication failure

[JPMRaptor]

I've been trying to get ssh connections working with keys and ssh-agent to keep from having to type my password every time. I'm connecting from my Gentoo box (Open SSH 3.6.1p2) to a Solaris 7 box ( Open SSH 3.4p1).

Here's what I ran on my client to set things up:

ssh-keygen -t dsa
(enter passphrase ...)
cat ~/.ssh/id_dsa.pub | ssh username@remotehost.com 'cat - >> ~/.ssh/authorized_keys'
(enter my regular unix password on the remote box)


Then to try to get the passwordless connection:

ssh-agent bash
ssh-add ~/.ssh/id_dsa
(enter my passphrase)
ssh username@remotehost.com
(get password prompt from the remote server, not the passphrase )
ssh -i ~/.ssh/id_dsa
(still get password prompt from the remote server, not the passphrase )


When I run with -v option to ssh it looks like it's trying to use the key authentication and is failing but not reporting any kind of error message.

On the server the sshd_config file has:

RSAAuthentication yes
PubkeyAuthentication yes

The client side ssh_config has no uncommented lines.

Any help would be greatly appreciated

[rical]

Are you sure your authorized_keys file is 0600 ?

[JPMRaptor]

I heard from someone that this only works if the client computer is in the server computer known_hosts file for the user logging on. However I can't do that as my client is behind a NAT box.

I tried copying the key from my /etc/ssh/ssh_host_key to the server's known_hosts file with no luck.

Anyone have any other ideas?

[meowsqueak]

SSH refuses to perform public-key authentication if the permissions on your keys and authorized_hosts files are incorrect. Try these:

On your local machine:

Code: Select all

drwx------   .ssh/
-rw-------    .ssh/id_dsa
-rw-------    .ssh/known_hosts

On the remote machine:

Code: Select all

drwx------   .ssh/
-rw-------    .ssh/authorized_keys

I've also noticed problems if your keys are exported via NFS or SMB (a bad idea anyway IMO).

Also, my /etc/ssh/sshd_config looks like this (I have RSAAuthentication turned off) :

Code: Select all

Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
UsePrivilegeSeparation yes

KeyRegenerationInterval 3600
ServerKeyBits 768

SyslogFacility AUTH
LogLevel INFO

LoginGraceTime 600
PermitRootLogin no
StrictModes yes

RSAAuthentication no
PubkeyAuthentication yes

# rhosts authentication should not be used
RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes

PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
KeepAlive yes

# disconnect clients if they time out
ClientAliveInterval 15
ClientAliveCountMax 3

# deny root access full-stop
DenyUsers root

Subsystem       sftp    /usr/lib/sftp-server

Oh, you can also use multiple -v flags (up to three I think) to get more debugging info. Also, if you have root access to the remote host, you can run sshd with debug enabled in non-daemon mode. perhaps on a different port, gleaning even more debugging info.

[brucifer]

you could try a blank passphrase to test the connection.

Code: Select all

ssh-keygen -t dsa
<blank passphrase>
scp ./.ssh/id_dsa.pub <user>@<host>:~/.ssh/authorized_keys

then disconnect and try a reconnect. If that works then you may want to look at something in ssh-agent or file permissions as stated above. Just trying to break it down into parts, helps me solve issues.

good luck, key based auth is awesome if you ssh alot.

[jesterspet]

Two Words:

Autnentication forwarding

Enable it on the server end.

If you still have troubles, try adding the -A switch to your command line.
i.e.

Code: Select all

 ssh -A username@remotehost.com 

[elpierco]

These steps from above worked 1st try on my local network

ssh-keygen -t dsa
(enter passphrase ...)
cat ~/.ssh/id_dsa.pub | ssh username@remotehost.com 'cat - >> ~/.ssh/authorized_keys'
(enter my regular unix password on the remote box)


Then to try to get the passwordless connection:

ssh-agent bash
ssh-add ~/.ssh/id_dsa
(enter my passphrase)
ssh username@remotehost.com

and I am in now password yeah!

[Paulten]

I wrote a small article on my homepage when I did this.
Maybe it comes usefull for someone : http://paul.kde.no/modules/articles/article.php?id=5

Good you got it working.

[meowsqueak]

Also, net-misc/keychain is worth looking into.

[Paulten]

Very nice, just I'm merging it now

Have fun

[meowsqueak]

I wrote a small article on my homepage when I did this.
Maybe it comes usefull for someone : http://paul.kde.no/modules/articles/article.php?id=5

Is there any reason you are using a RSA key instead of a DSA key? DSA keys are more secure and there's no real reason I'm aware of not to use them over RSA.

[Paulten]

Is there any reason you are using a RSA key instead of a DSA key? DSA keys are more secure and there's no real reason I'm aware of not to use them over RSA.

I did not know that, probably because I saw something about RSAAuthentication in sshd_config or something like that. thank you for telling me.
Since we are on the subject, I just started reading "The Code Book" by Simon Singh. I recommend reading it.
http://www.amazon.co.uk/exec/obidos/ASI ... 69-3657423

See you