machinelou Apprentice
Joined: 05 Apr 2003 Posts: 267
Posted: Wed Dec 28, 2005 4:42 pm
Post subject: putty -> openssh error: Server refused our key.
I'm trying to connect from my work computer (windows) to my home computer (gentoo) using key authentication. I generated the keys using puttygen following this guide (http://www.cs.uwaterloo.ca/cscf/howto/ssh/public_key/#putty). It was working, but then I broke it by screwing with the permissions of my home directory (sshd was complaining about permissions in the logs).
I fixed the permissions (the error doesn't appear in the logs anymore) but, when I try to log in using putty and the key file, it says "Server refused our key." and makes me type in the password. I can log in when I type in the password, but want it to be able to accept my key so that I can automate various file transfers. Is there anything else I should check?
Here's the output of stat for my home directory:
Code:
File: `.'
Size: 128 Blocks: 0 IO Block: 131072 directory
Device: 304h/772d Inode: 31992 Links: 4
Access: (0700/drwx------) Uid: ( 1002/rachelle) Gid: ( 100/ users)
Access: 2004-12-29 13:10:25.000000000 +0000
Modify: 2005-12-28 11:04:19.245264040 +0000
Change: 2005-12-28 11:04:39.938118248 +0000
Here's the output of stat for .ssh:
Code:
File: `.ssh'
Size: 80 Blocks: 0 IO Block: 131072 directory
Device: 304h/772d Inode: 43245 Links: 2
Access: (0700/drwx------) Uid: ( 1002/rachelle) Gid: ( 0/ root)
Access: 2005-12-21 15:35:59.000000000 +0000
Modify: 2005-12-28 10:55:09.052905992 +0000
Change: 2005-12-28 11:21:51.177346056 +0000
Here's authorized_keys:
Code:
File: `authorized_keys'
Size: 1142 Blocks: 8 IO Block: 131072 regular file
Device: 304h/772d Inode: 43015 Links: 1
Access: (0700/-rwx------) Uid: ( 1002/rachelle) Gid: ( 100/ users)
Access: 2005-12-28 10:55:09.049906448 +0000
Modify: 2005-12-28 10:55:09.049906448 +0000
Change: 2005-12-28 11:21:51.177346056 +0000
magic919 Advocate
Joined: 17 Jun 2005 Posts: 2182 Location: Berkshire, UK
Posted: Wed Dec 28, 2005 5:07 pm
I'd be tempted to regenerate the keys before digging too deep. You could change ownership of .ssh dir to match user:users, rather than user:root. Mine is like that and mode 600.
You can restart sshd with -d [1-3] to increase verbosity of logging to see what is happening.
daeghrefn Tux's lil' helper
Joined: 02 Jan 2005 Posts: 112
Posted: Wed Dec 28, 2005 5:25 pm
According to my system, the /home/user directory is set to 755 user:users, the /home/user/.ssh directory is set to 600 user:users, and the /home/user/.ssh/authorized_keys file is set to 600 user:users.
I use PuTTY to get into my system all the time.
machinelou Apprentice
Joined: 05 Apr 2003 Posts: 267
Posted: Wed Dec 28, 2005 5:54 pm
Bah! I tried to start up sshd with the -d option but, by coincidence, I happen to be getting hit with an sshd worm ATM and sshd shuts down after each failed connection when using the -d option. I'll have to wait a bit before I give it another shot. I also changed the permissions to your suggestions but that hasn't worked. I already tried regenerating the keys but I might as well try again.
machinelou Apprentice
Joined: 05 Apr 2003 Posts: 267
Posted: Wed Dec 28, 2005 5:58 pm
Here's the output of sshd -d when I try to log in:
Code:
debug1: sshd version OpenSSH_4.2p1
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-d'
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
socket: Address family not supported by protocol
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7
debug1: inetd sockets after dupping: 3, 3
Connection from 128.227.13.117 port 1317
debug1: Client protocol version 2.0; client software version PuTTY-Release-0.53b
debug1: no match: PuTTY-Release-0.53b
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.2
debug1: permanently_set_uid: 22/22
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes256-cbc hmac-sha1 none
debug1: kex: server->client aes256-cbc hmac-sha1 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST_OLD received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user rachelle service ssh-connection method none
debug1: attempt 0 failures 0
Failed none for rachelle from 128.227.13.117 port 1317 ssh2
debug1: PAM: initializing for "rachelle"
debug1: PAM: setting PAM_RHOST to "n128-227-13-117.xlate.ufl.edu"
debug1: PAM: setting PAM_TTY to "ssh"
debug1: userauth-request for user rachelle service ssh-connection method publickey
debug1: attempt 1 failures 1
debug1: test whether pkalg/pkblob are acceptable
debug1: temporarily_use_uid: 1002/100 (e=0/0)
debug1: trying public key file /home/rachelle/.ssh/authorized_keys
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 1002/100 (e=0/0)
debug1: trying public key file /home/rachelle/.ssh/authorized_keys2
debug1: restore_uid: 0/0
Failed publickey for rachelle from 128.227.13.117 port 1317 ssh2
debug1: userauth-request for user rachelle service ssh-connection method keyboard-interactive
debug1: attempt 2 failures 2
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=rachelle devs=
debug1: kbdint_alloc: devices 'pam'
debug1: auth2_challenge_start: trying authentication method 'pam'
Postponed keyboard-interactive for rachelle from 128.227.13.117 port 1317 ssh2
Read from socket failed: Connection reset by peer
debug1: do_cleanup
debug1: PAM: cleanup
debug1: do_cleanup
debug1: PAM: cleanup
magic919 Advocate
Joined: 17 Jun 2005 Posts: 2182 Location: Berkshire, UK
Posted: Wed Dec 28, 2005 6:12 pm
It says it is trying the key and failing it. Might be worth trying a higher -d level (3 is max) to see if you get any more data.
machinelou Apprentice
Joined: 05 Apr 2003 Posts: 267
Posted: Wed Dec 28, 2005 6:38 pm
Thanks. There's a lot of output; this looks like the most important part. Here's the output of sshd -ddd:
Code:
Failed none for rachelle from 128.227.13.117 port 1331 ssh2
debug3: monitor_read: checking request 45
debug1: PAM: initializing for "rachelle"
debug3: Trying to reverse map address 128.227.13.117.
debug1: PAM: setting PAM_RHOST to "n128-227-13-117.xlate.ufl.edu"
debug1: PAM: setting PAM_TTY to "ssh"
debug2: monitor_read: 45 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 3
debug3: mm_answer_authserv: service=ssh-connection, style=
debug2: monitor_read: 3 used once, disabling now
debug3: mm_request_receive entering
debug1: userauth-request for user rachelle service ssh-connection method publickey
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method publickey
debug1: test whether pkalg/pkblob are acceptable
debug3: mm_key_allowed entering
debug3: mm_request_send entering: type 20
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
debug3: mm_request_receive_expect entering: type 21
debug3: mm_request_receive entering
debug3: monitor_read: checking request 20
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 0x80a6748
debug1: temporarily_use_uid: 1002/100 (e=0/0)
debug1: trying public key file /home/rachelle/.ssh/authorized_keys
debug3: secure_filename: checking '/home/rachelle/.ssh'
debug3: secure_filename: checking '/home/rachelle'
debug3: secure_filename: terminating check at '/home/rachelle'
debug2: key_type_from_name: unknown key type 'sh-dss'
debug3: key_read: missing keytype
debug2: user_key_allowed: check options: 'sh-dss AAAAB3Nz(key removed)5SHrKeVRitTEdXQjVdebug2: key_type_from_name: unknown key type 'AAAAB3Nz(key removed)5SHrKeVRitTEdXQjVGcYdebug3: key_read: missing keytype
debug2: user_key_allowed: advance: 'AAAAB3Nz(key removed)5SHrKeVRitTEdXQjVGcYLthqxJ2y5Pdebug1: restore_uid: 0/0
debug2: key not found
debug1: temporarily_use_uid: 1002/100 (e=0/0)
debug1: trying public key file /home/rachelle/.ssh/authorized_keys2
debug1: restore_uid: 0/0
debug3: mm_answer_keyallowed: key 0x80a6748 is disallowed
debug3: mm_request_send entering: type 21
debug3: mm_request_receive entering
debug2: userauth_pubkey: authenticated 0 pkalg ssh-dss
Failed publickey for rachelle from 128.227.13.117 port 1331 ssh2
debug1: userauth-request for user rachelle service ssh-connection method keyboard-interactive
debug1: attempt 2 failures 2
debug2: input_userauth_request: try method keyboard-interactive
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=rachelle devs=
debug1: kbdint_alloc: devices 'pam'
debug2: auth2_challenge_start: devices pam
debug2: kbdint_next_device: devices <empty>
debug1: auth2_challenge_start: trying authentication method 'pam'
debug3: mm_sshpam_init_ctx
debug3: mm_request_send entering: type 48
debug3: mm_sshpam_init_ctx: waiting for MONITOR_ANS_PAM_INIT_CTX
debug3: mm_request_receive_expect entering: type 49
debug3: mm_request_receive entering
debug3: monitor_read: checking request 48
debug3: mm_answer_pam_init_ctx
debug3: PAM: sshpam_init_ctx entering
debug3: PAM: sshpam_thread_conv entering, 1 messages
debug3: ssh_msg_send: type 1
debug3: ssh_msg_recv entering
debug3: mm_request_send entering: type 49
debug3: mm_request_receive entering
debug3: mm_sshpam_query
debug3: mm_request_send entering: type 50
debug3: mm_sshpam_query: waiting for MONITOR_ANS_PAM_QUERY
debug3: mm_request_receive_expect entering: type 51
debug3: mm_request_receive entering
debug3: monitor_read: checking request 50
debug3: mm_answer_pam_query
debug3: PAM: sshpam_query entering
debug3: ssh_msg_recv entering
debug3: mm_request_send entering: type 51
debug3: mm_request_receive entering
debug3: mm_sshpam_query: pam_query returned 0
Postponed keyboard-interactive for rachelle from 128.227.13.117 port 1331 ssh2
Read from socket failed: Connection reset by peer
debug1: do_cleanup
debug1: PAM: cleanup
debug3: PAM: sshpam_thread_cleanup entering
debug1: do_cleanup
debug1: PAM: cleanup
debug3: PAM: sshpam_thread_cleanup entering
It looks like it's complaining about not being able to read the keytype. I'll try regenerating the keys again...
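The -ddd output above shows the actual failure: the first field of the authorized_keys line reads 'sh-dss', so sshd treats it as an options list, advances one field, still finds no key type and reports 'key not found'. As an added example (not code from the thread or from OpenSSH), here is a Python checker that parses an authorized_keys line in that same order and applies the owner/write-bit rule behind the secure_filename lines to the stat values posted; the sample key blob and the 'rachelle@work' comment are constructed.

```python
# Added example (not from the thread or OpenSSH): checks an authorized_keys
# line in the order sshd's -ddd output shows, and applies the ownership and
# write-bit rule behind the secure_filename lines to stat values.
import base64
import struct

# Type names a current sshd accepts; OpenSSH 4.2 knew only the first two.
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256"}

def blob_type(blob: bytes) -> str:
    """The encoded key starts with a length-prefixed string naming its type."""
    if len(blob) < 4:
        return ""
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode("ascii", "replace")

def check_line(line: str) -> str:
    """Return 'ok' or the reason sshd would skip this authorized_keys line."""
    fields = line.strip().split()
    if not fields or fields[0].startswith("#"):
        return "ok"  # blank lines and comments are ignored
    # sshd reads field 0 as a key type; if that fails it assumes the field is
    # an options list, advances one field and tries once more (the
    # 'unknown key type' / 'advance' lines in the debug output).
    if fields[0] not in KEY_TYPES:
        fields = fields[1:]
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        return "unknown key type (first field truncated or mangled?)"
    try:
        blob = base64.b64decode(fields[1], validate=True)
    except ValueError:
        return "key blob is not valid base64"
    if blob_type(blob) != fields[0]:
        return "key type field does not match the encoded key"
    return "ok"

def perm_problem(st_mode: int, st_uid: int, user_uid: int) -> str:
    """StrictModes rule for $HOME, ~/.ssh and authorized_keys: owned by the
    user or root and not group/world writable. Group ownership (users vs
    root in the stat output above) is not part of the check."""
    if st_uid not in (0, user_uid):
        return f"owned by uid {st_uid}, not the user"
    if st_mode & 0o022:
        return "group or world writable"
    return "ok"

# Constructed sample: a blob whose first string says ssh-dss, then the same
# line with its leading 's' lost, as in the 'sh-dss' line of the debug output.
SAMPLE_BLOB = base64.b64encode(struct.pack(">I", 7) + b"ssh-dss" + b"\0" * 8).decode()
GOOD_LINE = f"ssh-dss {SAMPLE_BLOB} rachelle@work"
BAD_LINE = f"sh-dss {SAMPLE_BLOB} rachelle@work"
```

Running check_line over each line of ~/.ssh/authorized_keys (and perm_problem over os.stat of the home directory, .ssh and the file) reproduces what sshd -ddd says without restarting the daemon.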
machinelou Apprentice
Joined: 05 Apr 2003 Posts: 267
Posted: Wed Dec 28, 2005 6:51 pm
Yep, regenerating the keys worked this time. Thanks.
magic919 Advocate
Joined: 17 Jun 2005 Posts: 2182 Location: Berkshire, UK
Posted: Wed Dec 28, 2005 7:44 pm
Excellent. Glad it all worked out. And we all get to see some stuff and learn along the way. Maybe you could mark [SOLVED].
bigbob73 Guru
Joined: 31 Dec 2004 Posts: 332 Location: Under the Lone Star
Posted: Wed Jan 04, 2006 6:28 pm
magic919 wrote:
> I'd be tempted to regenerate the keys before digging too deep. You could change ownership of .ssh dir to match user:users, rather than user:root. Mine is like that and mode 600.
> You can restart sshd with -d [1-3] to increase verbosity of logging to see what is happening.

Is this a security feature of ssh? I had my permissions at 700, but it wouldn't accept the key. Do you have to change permissions to add a key and then change them back?
Bigbob
_________________
A computer's attention span is only as long as its electrical cord (Murphy)
machinelou Apprentice
Joined: 05 Apr 2003 Posts: 267
Posted: Thu Jan 05, 2006 1:54 pm
Yes -- I think. I read in another thread here that the permissions of .ssh have to be specific; otherwise it might not actually be you logging in, just someone with enough permissions to fiddle with your .ssh directory.
bigbob73 Guru
Joined: 31 Dec 2004 Posts: 332 Location: Under the Lone Star
Posted: Thu Jan 05, 2006 2:00 pm
machinelou wrote:
> Yes -- I think.. I read in another thread here that the permissions of .ssh have to be specific otherwise it might not actually be you logging in, just someone with enough permissions to fiddle with your .ssh directory.

I have set ~/.ssh, ~/.ssh/authorized_keys, and the key all to 600 and I still can't get putty to connect using the key only. I must be missing something somewhere.
_________________
A computer's attention span is only as long as its electrical cord (Murphy)
daeghrefn Tux's lil' helper
Joined: 02 Jan 2005 Posts: 112
Posted: Thu Jan 05, 2006 4:11 pm
Yeah, sshd will not accept a key if the permissions on /home/user/.ssh and contained files are not correct.
Quote:
> i have set ~/.ssh, ~/.ssh/authorized_keys, and the key all to 600 and I still can't get putty to connect using the key only. I must be missing something somewhere.

Check your sshd logs to see what sshd is telling you. Usually it gives you a reason as to why it rejects a key.
bigbob73 Guru
Joined: 31 Dec 2004 Posts: 332 Location: Under the Lone Star
Posted: Thu Jan 05, 2006 6:05 pm
daeghrefn wrote:
> yeah, sshd will not accept a key if the permissions on /home/user/.ssh and contained files are not correct.
> Quote:
> > i have set ~/.ssh, ~/.ssh/authorized_keys, and the key all to 600 and I still can't get putty to connect using the key only. I must be missing something somewhere.
> Check your sshd logs to see what sshd is telling you. Usually it gives you a reason as to why it rejects a key.

The log says "[sshd] socket: Address family not supported by protocol". This comes up after restarting sshd.
_________________
A computer's attention span is only as long as its electrical cord (Murphy)