
I already checked here: Trying to do ssh authentication with key files: server refused our key

and I did all these:

New:

  • generated key(s) via ssh-keygen in a Linux client.
  • added the public key to the server via ssh-copy-id

Now I don't see any error message; here's the ssh -vvv output:
http://pastebin.com/Cxspz5P3

Could it be that there's an order to the authentication process, and that the server first tries to verify the password instead of trying the public key?


Original post: what I tried so far:

  • generated key(s) via puttygen (v.2015-12-03) in the windows client:
    • 2048 bits, and tried also a key-pair with 1024 bits
  • copied the "openssh public key" in 1-line format from puttygen,
    • the line that looks like:

      ssh-rsa xxxx... ==

    • pasted it to the ubuntu server to ~/.ssh/authorized_keys
    • one line for the 2048 bit key, an additional line for the 1024 bit key
  • I changed the file permissions like so:

    chmod 700 ~/.ssh
    chmod 600 authorized_keys
    chmod 700 ~
    chown -R $USER.$USER ~/

  • putty session settings:
    • 'connection' > 'data' > 'username' > myuser
    • 'connection' > 'ssh' > 'auth' > the PPK file
  • tried with both 2048 bit and 1024 bit keys (with their respective public keys)
  • tried also from localhost (ssh -i .ssh/mykey myuser@localhost) – got the same /var/log/auth error:

    Failed publickey for (myuser) from ::1 port 50087

  • increased the log level in /etc/sshd_config: LogLevel VERBOSE (is there a higher value?) on the server, and restarted. /var/log/auth.log now gives:

    Failed publickey for myuser from xx.xx.xx.xx port xx: RSA xx:xx:xx...

Systems:

  • tried to connect from:
    • windows (putty 2015-12-3, key is PPK)
    • linux/mint 17 (via ssh, openssh key)
  • server: Ubuntu 14.04.2 LTS
  • keys generated by puttygen on windows (v.2015-12-03)
  • also tried with "kitty" (a putty fork)
  • ssh with password works, always.

tail -f /var/log/auth.log isn't showing anything for failed logins, only for successful and for logouts.

Can it be cured?

Is there another way to diagnose the problem?

Q&A:

Q. What is a "data" connection? Why didn't you use "ssh" in both cases?

A. It's just the section's name in the putty config.


Q. cat /etc/ssh/sshd_config|grep -i author

A. AuthorizedKeysFile ~/.ssh/authorized_keys


Q. ls -lZ .ssh (on the server)

A.

drwx------ 2 myuser myuser ? 4096 Dec  5 12:28 .   <---- the .ssh dir
-rw-r--r-- 1 myuser myuser ?  666 Dec  5 12:29 known_hosts
-rw------- 1 myuser myuser ? 1671 Dec  3 12:07 mykey.ssh
-rw------- 1 myuser myuser ?  608 Dec  3 11:47 authorized_keys

Berry Tsakala

  • Should we assume you are connecting from a Windows machine? Can you connect to your Ubuntu machine from another Linux installation? How about `ssh localhost` from the Ubuntu? Where did the rsa key come from? How was it generated? Did you add it to the host or client machine? What machine was each command you show run on? What do the `putty > connection` lines mean? Are those options in the putty GUI? What is a "data" connection? Why didn't you use "ssh" in both cases? Please [edit] your question and clarify. – terdon Dec 03 '15 at 10:58
  • increase debug level on the server and restart. Or run server in debug mode and follow the messages. Some publickey failures are not logged – Jakuje Dec 03 '15 at 13:58
  • @terdon - i clarified the details you asked for, changed the log level, and ran other tests – Berry Tsakala Dec 05 '15 at 10:46
  • I have come across a similar problem with PuTTY, and it happens on some computers but not others. Did your public key have the same format as the one in the linked question: a "BEGIN" line, a "comment" line, 4 lines of ASCII with the first line beginning `ssh-rsa` and the last line ending `user@computer`? Could you clarify what you mean by "copied "openssh public key" in 1 line format from puttygen": did you copy only the line beginning with `ssh-rsa`, or did you copy all lines of ASCII, removing the line breaks so that it fit onto one line? – Jeffrey Lam Dec 16 '15 at 22:53
  • Please increase the verbosity of the OpenSSH *client* (`ssh -v [OPTIONS...] user@host` – add more `v`'s to increase verbosity to a suitable level) and include the output in your question. My way to debug issues from the server side is to run the OpenSSH *server* in debug mode, i. e. without detaching from the terminal: `sudo sshd -d` (add more `d`'s for more verbosity). Of course you need to stop the SSH service first (`sudo service ssh stop`). Maybe you can provide an excerpt of that output too. – David Foerster Dec 17 '15 at 11:04
  • can you post the output for ls -ldZ on .ssh directory and ls -lZ for its content pls? – ostendali Dec 17 '15 at 15:03
  • @ostendali - I added the ls -lZ result to my question – Berry Tsakala Dec 23 '15 at 08:47
  • @DavidFoerster and to all future readers: while the OP worked out how to run ssh in verbose mode (probably by using ssh in linux mint), users of PuTTY in Windows will need to run ssh in verbose mode this way: start pageant.exe (PuTTY Authentication Agent) with the private key loaded, start a command prompt (Start button, type in "command prompt" and the command prompt option will appear), and on the command line type: `putty.exe -ssh -v [OPTIONS...] user@host]`. I cannot find a verbose mode option in the PuTTY configuration window. – Jeffrey Lam Dec 23 '15 at 10:39
  • ok, there seem to be no issues there. I have just reproduced using a windows client and encountered no issues with key based auth. All I did was to generate a ppk key using putty-gen (as you did) and import the key into authorized_keys (left the default permissions on authkey 664) and activate the keybased auth in sshd. Maybe you haven't activated it and you missed this part. Can you post the "cat /etc/ssh/sshd_config|grep -i author" pls? – ostendali Dec 23 '15 at 10:42
  • I did ssh -v (from the client) and pasted the output in my OP. (thanks, @DavidFoerster ) – Berry Tsakala Dec 23 '15 at 11:02
  • @BerryTsakala: Can you run it with 3 `v`'s please (`-vvv`). I think the reason for skipping public key authentication is omitted in the current verbosity level. – David Foerster Dec 23 '15 at 11:05
  • Apparently that wasn't it. I have no further ideas at the moment. – David Foerster Dec 23 '15 at 11:08
  • here is the full ssh -vvv log: http://pastebin.com/Cxspz5P3 thanks @DavidFoerster for your help so far. – Berry Tsakala Dec 23 '15 at 11:14
  • as you can see from the verbose output it is not reading the key, so it is either key entry not correct or sshd is not aware of the location where the key is stored. – ostendali Dec 23 '15 at 11:21
  • can I just check now: you are connecting from your linux client, your public key is from `ssh-keygen` and you are using the private key from the same `ssh-keygen`? Also, are your `chmod` permissions correct on the client side? – Jeffrey Lam Dec 23 '15 at 11:22
  • @ostendali it seems to me that the server has found the public key, but perhaps the client hasn't found the private key? – Jeffrey Lam Dec 23 '15 at 11:26
  • @JeffreyLam yes to all questions: now I'm using a linux client, ssh-keygen keys, and chmod is correct on both sides (files 600, dirs 700). – Berry Tsakala Dec 23 '15 at 11:29
  • it finds the pubkey yeah, but that is not what the key-based auth is looking for (that is for known hosts). it is however not finding/reading the authorized_keys. Anyways, @Berry Tsakala: can you, just for a test, from a linux box copy the generated rsa key using ssh-copy-id and also post "cat /etc/ssh/sshd_config|grep -i author" pls? – ostendali Dec 23 '15 at 11:33
  • I have spotted some errors in the log: has anyone else spotted lines 7 and 8 of the log? They say `debug3: Incorrect RSA1 identifier` and `debug3: Could not load "/home/myuser/.ssh/mykey" as a RSA1 public key`. Are these significant? – Jeffrey Lam Dec 23 '15 at 11:40
  • @Jeffrey: there is nothing to worry about there; it means that the id_rsa file is not an RSA1 public key. So it is just complaining about the RSA version, since RSA1 public keys are only used for protocol version 1 of SSH and are considered obsolete. It is just a harmless check on the RSA version which is not related to the issue. – ostendali Dec 23 '15 at 11:46
  • @Berry: as I suspected, the problem is here: "AuthorizedKeysFile ~/.ssh/authorized_keys". Can you replace that entry with "AuthorizedKeysFile %h/.ssh/authorized_keys" pls? – ostendali Dec 23 '15 at 11:51
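The last comment pins the cause on the tilde in AuthorizedKeysFile. As an added illustration (not sshd's code), the Python below emulates how sshd resolves that setting: `%h`, `%u` and `%%` are expanded, a result that does not start with `/` is joined to the user's home directory, and `~` is never expanded, so the setting from the question resolves to a path that does not exist. The home directory and user name are constructed values.

```python
"""Emulate how OpenSSH sshd resolves the AuthorizedKeysFile setting.
Added illustration, not sshd's code: %h, %u and %% are expanded, a result
that does not start with '/' is joined to the user's home directory, and
'~' is never expanded (the shell does that, sshd does not)."""


def expand_authorized_keys_file(entry: str, home: str, user: str) -> str:
    """Return the path sshd would open for one AuthorizedKeysFile entry."""
    out, i = [], 0
    while i < len(entry):
        ch = entry[i]
        if ch == "%":
            if i + 1 >= len(entry):
                raise ValueError("dangling %")             # sshd rejects this too
            tok = entry[i + 1]
            if tok == "h":
                out.append(home)
            elif tok == "u":
                out.append(user)
            elif tok == "%":
                out.append("%")
            else:
                raise ValueError(f"unknown token %{tok}")  # sshd fails to start
            i += 2
        else:
            out.append(ch)
            i += 1
    path = "".join(out)
    # No tilde handling here: "~/.ssh/..." is simply a relative path.
    return path if path.startswith("/") else f"{home}/{path}"


def authorized_keys_paths(setting: str, home: str, user: str) -> list:
    """AuthorizedKeysFile may list several files separated by whitespace;
    sshd tries each in turn."""
    return [expand_authorized_keys_file(e, home, user) for e in setting.split()]


if __name__ == "__main__":
    # Constructed values standing in for the user from the question.
    for s in ("~/.ssh/authorized_keys", "%h/.ssh/authorized_keys",
              ".ssh/authorized_keys .ssh/authorized_keys2"):
        print(s, "->", authorized_keys_paths(s, "/home/myuser", "myuser"))
```

The first setting yields `/home/myuser/~/.ssh/authorized_keys`, which is why sshd logs "Failed publickey" without ever reading the real file.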

2 Answers

A less error-prone way of converting public key formats than manually removing the headers and line-breaks is using ssh-keygen like this:

ssh-keygen -i -f publickeywithheaders.pub

It should output what can be appended to the authorized_keys file.

Black

  • You are correct, but this cannot be done in PuTTY, and to do it in Windows at all requires installation of some kind of unix/linux environment tools (other than PuTTY), such as Cygwin/X. It can be done in the OP's linux/mint 17 installation though, which was what I was about to suggest. The private key can then be copied to the Windows machine, where puttygen can import the private key and save it in PuTTY PPK format, for use with PuTTY. – Jeffrey Lam Dec 23 '15 at 10:21
  • In my example, `ssh-keygen` is not used to _generate_ the key but to _convert_ it to OpenSSH's native format. – Black Dec 23 '15 at 12:28
  • Yes sorry my mistake, I looked at your answer a little too quickly. That looks like a handy technique – Jeffrey Lam Dec 23 '15 at 18:44

I have come across this before in PuTTY, where the public key is written like this (like in your linked question):

---- BEGIN SSH2 PUBLIC KEY ----
Comment: "user@computer"
ssh-rsa blah1blah2blah3blah4
blah5blah6blah7blah8
blah9blah10blah11blah12
blah13blah14=user@computer
---- END SSH2 PUBLIC KEY ----

As you know, it needs to be one line, the one starting with ssh-rsa. That is, delete the "BEGIN" line, the "comment" line, and the "END" line.

However, I am not sure if you did this:

ssh-rsa blah1blah2blah3blah4

What you need to do is this:

ssh-rsa blah1blah2blah3blah4blah5blah6blah7blah8blah9blah10blah11blah12blah13blah14=user@computer

(i.e. copy all four lines containing the key AND delete the line breaks)

Jeffrey Lam
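Both answers above come down to the same conversion: strip the BEGIN/END and header lines of the SSH2 public key file and join the base64 body into one line. As an added example (not code from either answer), the Python below does that conversion and, going one step further, decodes the resulting blob to read the key type and to confirm that no line was lost in the paste. The key produced by `sample_key()` is constructed for the demonstration and is not a real key.

```python
"""Convert an RFC 4716 / PuTTYgen "SSH2 PUBLIC KEY" file into the one-line
OpenSSH authorized_keys form and check the result by decoding the key blob.
Added example, not OpenSSH or PuTTY code; header continuation lines are not handled."""
import base64
import struct


def parse_blob(b64: str) -> list:
    """Split an OpenSSH key blob into its length-prefixed fields. Raises
    ValueError on bad base64 or a field that overruns the data (a half-pasted key)."""
    blob = base64.b64decode(b64, validate=True)   # binascii.Error is a ValueError
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack(">I", blob[pos:pos + 4])
        if pos + 4 + n > len(blob):
            raise ValueError("field overruns blob: key truncated?")
        fields.append(blob[pos + 4:pos + 4 + n])
        pos += 4 + n
    if not fields:
        raise ValueError("empty blob")
    return fields

def rfc4716_to_openssh(text: str) -> str:
    """Drop BEGIN/END and header lines, join the base64 body into one line,
    prefix the key type read from the blob, and append the Comment header."""
    comment, body = "", []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):
            continue                                  # BEGIN / END markers
        if not body and ":" in line:                  # header such as Comment:
            name, _, value = line.partition(":")
            if name.strip().lower() == "comment":
                comment = value.strip().strip('"')
            continue
        body.append(line)
    b64 = "".join(body)
    key_type = parse_blob(b64)[0].decode("ascii")    # also validates the blob
    return f"{key_type} {b64} {comment}".rstrip()

def sample_key() -> tuple:
    """Constructed ssh-rsa key (e=65537, fake 128-byte modulus) written the
    way PuTTYgen saves it. Returns (rfc4716_text, base64_blob)."""
    field = lambda b: struct.pack(">I", len(b)) + b
    blob = field(b"ssh-rsa") + field(b"\x01\x00\x01") + field(bytes(range(1, 129)))
    b64 = base64.b64encode(blob).decode("ascii")
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return (f'---- BEGIN SSH2 PUBLIC KEY ----\nComment: "user@computer"\n'
            f"{body}\n---- END SSH2 PUBLIC KEY ----\n"), b64
```

Feeding only the first base64 line to `parse_blob` (the mistake the answer above describes) fails the overrun check, whereas the joined line decodes to the type string, exponent and modulus.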