
Re: ssh publickey auth



On Tue, Sep 14, 2004 at 04:08:38PM +0200, felix wrote:
> i had the same problem just a few days ago on a newly installed computer.
> the solution was that on one particular machine the /home/.ssh-directory for 

This is the destination machine:

/user1:
total 12
drwxr-xr-x   3 user1 user1 4096 2004-09-14 14:13 .
drwxr-xr-x  30 root   root   4096 2004-09-14 14:13 ..
drwxr-xr-x   2 user1 user1 4096 2004-09-14 14:13 .ssh

/user1/.ssh:
total 12
drwxr-xr-x  2 user1 user1 4096 2004-09-14 14:13 .
drwxr-xr-x  3 user1 user1 4096 2004-09-14 14:13 ..
-rw-------  1 user1 user1  614 2004-09-14 14:13 authorized_keys

authorized_keys contains the id_dsa.pub from the client machine;
and this is the client machine:

/user1:
total 1
drwxr-xr-x   3 root root  72 Sep 14 14:11 .
drwxr-xr-x  33 root root 904 Sep 14 14:11 ..
drwxr-xr-x   2 root root 104 Sep 14 14:11 .ssh

/user1/.ssh:
total 8
drwxr-xr-x  2 root root 104 Sep 14 14:11 .
drwxr-xr-x  3 root root  72 Sep 14 14:11 ..
-rw-------  1 root root 668 Sep 14 14:11 id_dsa
-rw-r--r--  1 root root 614 Sep 14 14:11 id_dsa.pub

> this user was generated by ssh-keygen with the wrong permission (it was 
> world-writable for some reason, did not go into details to figure out why)
> i'm not sure, whether this will do in your case, but try <ssh -v> to get all 
> the stuff, that's how i finally noticed what went wrong.

Yeah, I've been running both client and server with debug:

client side:

user1@otv:~$ ssh -2 -v share1.islandone.org -l user1
OpenSSH_3.8.1p1 Debian 1:3.8.1p1-8, OpenSSL 0.9.7d 17 Mar 2004
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to share1.islandone.org [10.0.0.171] port 22.
debug1: Connection established.
debug1: identity file /user1/.ssh/id_rsa type -1
debug1: identity file /user1/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.8.1p1 Debian 1:3.8.1p1-8
debug1: match: OpenSSH_3.8.1p1 Debian 1:3.8.1p1-8 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1 Debian 1:3.8.1p1-8
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
The authenticity of host 'share1.islandone.org (10.0.0.171)' can't be established.
DSA key fingerprint is 4d:e0:d5:2f:f4:4c:fe:ba:2a:b0:67:0b:7a:bc:2f:79.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/user1/.ssh/known_hosts).
debug1: ssh_dss_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /user1/.ssh/id_rsa
debug1: Offering public key: /user1/.ssh/id_dsa
debug1: Server accepts key: pkalg ssh-dss blen 434
Enter passphrase for key '/user1/.ssh/id_dsa': 
debug1: Next authentication method: keyboard-interactive
Password: ^C

and the server side:

debug1: sshd version OpenSSH_3.8.1p1 Debian 1:3.8.1p1-8
debug1: read PEM private key done: type DSA
debug1: private host key: #0 type 2 DSA
socket: Address family not supported by protocol
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: Server will not fork when running in debugging mode.
Connection from 10.0.0.25 port 2743
debug1: Client protocol version 2.0; client software version OpenSSH_3.8.1p1 Debian 1:3.8.1p1-8
debug1: match: OpenSSH_3.8.1p1 Debian 1:3.8.1p1-8 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1 Debian 1:3.8.1p1-8
debug1: permanently_set_uid: 101/65534
debug1: list_hostkey_types: ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user user1 service ssh-connection method none
debug1: attempt 0 failures 0
Failed none for user1 from 10.0.0.25 port 2743 ssh2
debug1: PAM: initializing for "user1"
debug1: userauth-request for user user1 service ssh-connection method publickey
debug1: attempt 1 failures 1
debug1: test whether pkalg/pkblob are acceptable
reverse mapping checking getaddrinfo for scout.islandone.org failed - POSSIBLE BREAKIN ATTEMPT!
debug1: PAM: setting PAM_RHOST to "10.0.0.25"
debug1: PAM: setting PAM_TTY to "ssh"
debug1: temporarily_use_uid: 1008/1008 (e=0/0)
debug1: trying public key file /user1/.ssh/authorized_keys
debug1: matching key found: file /user1/.ssh/authorized_keys, line 1
Found matching DSA key: ee:c5:7d:12:df:db:e7:d6:aa:43:17:c0:19:e0:a0:35
debug1: restore_uid: 0/0
Postponed publickey for user1 from 10.0.0.25 port 2743 ssh2
debug1: userauth-request for user user1 service ssh-connection method keyboard-interactive
debug1: attempt 2 failures 1
debug1: keyboard-interactive devs 
debug1: auth2_challenge: user=user1 devs=
debug1: kbdint_alloc: devices 'pam'
debug1: auth2_challenge_start: trying authentication method 'pam'
Postponed keyboard-interactive for user1 from 10.0.0.25 port 2743 ssh2
Connection closed by 10.0.0.25

And yes, there are some things on my test lan's dns 
that need sorted :-)

I might add that the target machine is a testbed with
sarge-di installed about a week or two ago and then
updated and added to via dselect. So it is really
bog-standard debian.

-- 
------------------------------------------------------
   Dale Amon     amon@islandone.org    +44-7802-188325
       International linux systems consultancy
     Hardware & software system design, security
    and networking, systems programming and Admin
	      "Have Laptop, Will Travel"
------------------------------------------------------

Attachment: signature.asc
Description: Digital signature
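
An added example, not part of the original message: a small Python audit of the ownership and mode bits that the two directory listings in the message show. The server checks are modelled on what sshd enforces with StrictModes, the client checks cover the private key files and a .ssh directory the user must own to update known_hosts; the function names are hypothetical.

```python
import os
import stat

PRIVATE_KEYS = ("id_dsa", "id_rsa")  # key file names from the debug output


def _check(path, owners, forbidden, why, findings):
    """Record a finding if path has an unexpected owner or forbidden mode bits."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return  # an absent file is not a permission problem
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid not in owners:
        findings.append(f"{path}: owner uid {st.st_uid} not in {sorted(owners)} ({why})")
    if mode & forbidden:
        findings.append(f"{path}: mode {mode:04o} sets {mode & forbidden:04o} ({why})")


def audit_server(home, uid):
    """Destination side: home, .ssh and authorized_keys must belong to the
    user or root and must not be group- or world-writable."""
    findings = []
    ssh_dir = os.path.join(home, ".ssh")
    for path in (home, ssh_dir, os.path.join(ssh_dir, "authorized_keys")):
        _check(path, {0, uid}, 0o022, "sshd StrictModes", findings)
    return findings


def audit_client(home, uid):
    """Client side: the user must own .ssh (to write known_hosts) and the
    private keys, and the keys must carry no group/other permission bits."""
    findings = []
    ssh_dir = os.path.join(home, ".ssh")
    _check(ssh_dir, {uid}, 0o022, "user must own .ssh to update known_hosts", findings)
    for name in PRIVATE_KEYS:
        _check(os.path.join(ssh_dir, name), {uid}, 0o077, "private key", findings)
    return findings


if __name__ == "__main__":
    home, uid = os.path.expanduser("~"), os.getuid()
    for line in audit_server(home, uid) + audit_client(home, uid):
        print(line)
```

Run it as the login user on each machine; an empty output means none of these ownership or mode checks failed.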

