[CentOS] happy new years ssh key problem :)

Mon Jan 3 21:58:13 UTC 2011
Flaherty, Patrick <pflaherty at wsi.com>

What are the permissions for /var/lib/amanda? From what I remember sshd
doesn't like directories that aren't 700. 

Try changing "StrictModes Yes" to "StrictModes No" in
/etc/ssh/sshd_config on the server side of the connection and restarting
sshd.

The other trick you can try is starting up an ssh server in
debug/non-forking mode. 

cp /etc/ssh/sshd_config ~/temp_sshd_config
edit ~/temp_sshd_config, uncomment Port 22 and change it to Port 10000
/usr/sbin/sshd -f ~/temp_sshd_config -dd

On the client, ssh -p 10000 someuser at somehost, and watch the debug
output on the servers terminal to see what the error is.


> -----Original Message-----
> From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On
> Behalf Of bluethundr
> Sent: Friday, December 31, 2010 2:33 PM
> To: CentOS mailing list
> Subject: [CentOS] happy new years ssh key problem :)
> 
> Hi List,
> 
>  Happy  New Years and I was hoping to get some help on an ssh issue
> that I am having. For some reason I am unable to scp to hosts on this
> network using RSA keys. Here is what I am doing/what is going on;
> 
> scp the public key to remote host
> 
> [amandabackup at VIRTCENT18 ~]$ scp ~/.ssh/id_rsa_amdump.pub
> amandabackup at lb1:~
> amandabackup at lb1's password:
> id_rsa_amdump.pub
>                     100%  408     0.4KB/s   00:00
> 
> 
> 
> ssh (w/passwd) to remote host
> 
> 
> [amandabackup at VIRTCENT18 ~]$ ssh lb1
> amandabackup at lb1's password:
> Last login: Fri Dec 31 10:57:05 2010 from 192.168.1.40
> #########################################################
> #               SUMMITNJHOME.COM                        #
> #               TITLE:       LB1 BOX                    #
> #               HOST:        VIRTCENT01                 #
> #               LOCATION:    SUMMIT BASEMENT            #
> #########################################################
> 
> 
> check to see if the key exists in authorized_keys
> 
> [amandabackup at VIRTCENT01 ~]$ grep -f id_rsa_amdump.pub
> ~/.ssh/authorized_keys
> 
> 
> it didn't so cat it into authorized_keys
> 
> [amandabackup at VIRTCENT01 ~]$ cat id_rsa_amdump.pub >>
> ~/.ssh/authorized_keys
> 
> check again, just to make sure that it's there
> 
> [amandabackup at VIRTCENT01 ~]$ grep -f id_rsa_amdump.pub
> ~/.ssh/authorized_keys
> ssh-rsa BlAB3Nza/FAKE-KEY-DATA--KEY-DATAKfMq4DDa0xaKb/FAKE-KEY-DATA--
> KEY-DATAsoqCu/boKNa/FAKE-KEY-DATA--KEY-
> DATAp1n9TcDtxm2XFHcOKUw2/14/bz1pWNDI/FAKE-KEY-DATA--KEY-
> DATAr9951JdK7Ny6lk/FAKE-KEY-DATA--KEY-DATA1/FAKE-KEY-DATA--KEY-
>
DATAwh2dmgyxI9N69x3ypvWcGWShZw1BCJI06j5qIxvin99/FAKE-KEY-DATA--KEY-DATA
> 
> It is. so good so far. Check permissions on authorized_keys file
> 
> [amandabackup at VIRTCENT01 ~]$ ls -l ~/.ssh/authorized_keys
> -rw------- 1 amandabackup disk 408 Dec 31 11:02
> /var/lib/amanda/.ssh/authorized_keys
> 
> make sure we have the right home environment
> 
> HOME=/var/lib/amanda
> 
> Also good. Now, make sure ssh is looking at the right file
> 
> [root at VIRTCENT01 ~]# grep -i authorizedkeysfile /etc/ssh/sshd_config
> AuthorizedKeysFile   ~/.ssh/authorized_keys
> 
> It is. Now exit and try to ssh in
> 
> [amandabackup at VIRTCENT01 ~]$ exit
> Connection to lb1 closed.
> 
> 
> [amandabackup at VIRTCENT18 ~]$ ssh -vvv amandabackup at lb1
> OpenSSH_5.6p1lpk, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug2: ssh_connect: needpriv 0
> debug1: Connecting to lb1 [192.168.1.23] port 22.
> debug1: Connection established.
> debug1: identity file /var/lib/amanda/.ssh/id_rsa type -1
> debug1: identity file /var/lib/amanda/.ssh/id_rsa-cert type -1
> debug1: identity file /var/lib/amanda/.ssh/id_dsa type -1
> debug1: identity file /var/lib/amanda/.ssh/id_dsa-cert type -1
> debug1: Remote protocol version 2.0, remote software version
> OpenSSH_5.6
> debug1: match: OpenSSH_5.6 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_5.6
> debug2: fd 3 setting O_NONBLOCK
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug2: kex_parse_kexinit:
> diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-
> sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit:
>
ssh-rsa-cert-v01 at openssh.com,ssh-dss-cert-v01 at openssh.com,ssh-rsa-cert-
> v00 at openssh.com,ssh-dss-cert-v00 at openssh.com,ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit:
>
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-
> cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-
> cbc at lysator.liu.se
> debug2: kex_parse_kexinit:
>
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-
> cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-
> cbc at lysator.liu.se
> debug2: kex_parse_kexinit:
> hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-ripemd160,hmac-
> ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit:
> hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-ripemd160,hmac-
> ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib
> debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: kex_parse_kexinit:
> diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-
> sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit:
>
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-
> cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-
> cbc at lysator.liu.se
> debug2: kex_parse_kexinit:
>
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-
> cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-
> cbc at lysator.liu.se
> debug2: kex_parse_kexinit:
> hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-ripemd160,hmac-
> ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit:
> hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-ripemd160,hmac-
> ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib at openssh.com
> debug2: kex_parse_kexinit: none,zlib at openssh.com
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: mac_setup: found hmac-md5
> debug1: kex: server->client aes128-ctr hmac-md5 none
> debug2: mac_setup: found hmac-md5
> debug1: kex: client->server aes128-ctr hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> debug2: dh_gen_key: priv key bits set: 114/256
> debug2: bits set: 470/1024
> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> debug3: check_host_in_hostfile: host lb1 filename
> /var/lib/amanda/.ssh/known_hosts
> debug3: check_host_in_hostfile: host lb1 filename
> /var/lib/amanda/.ssh/known_hosts
> debug3: check_host_in_hostfile: match line 1
> debug3: check_host_in_hostfile: host 192.168.1.23 filename
> /var/lib/amanda/.ssh/known_hosts
> debug3: check_host_in_hostfile: host 192.168.1.23 filename
> /var/lib/amanda/.ssh/known_hosts
> debug3: check_host_in_hostfile: match line 1
> debug1: Host 'lb1' is known and matches the RSA host key.
> debug1: Found key in /var/lib/amanda/.ssh/known_hosts:1
> debug2: bits set: 499/1024
> debug1: ssh_rsa_verify: signature correct
> debug2: kex_derive_keys
> debug2: set_newkeys: mode 1
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug2: set_newkeys: mode 0
> debug1: SSH2_MSG_NEWKEYS received
> debug1: Roaming not allowed by server
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug2: service_accept: ssh-userauth
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug2: key: /var/lib/amanda/.ssh/id_rsa ((nil))
> debug2: key: /var/lib/amanda/.ssh/id_dsa ((nil))
> debug1: Authentications that can continue:
> publickey,password,keyboard-interactive
> debug3: start over, passed a different list
> publickey,password,keyboard-interactive
> debug3: preferred publickey,keyboard-interactive,password
> debug3: authmethod_lookup publickey
> debug3: remaining preferred: keyboard-interactive,password
> debug3: authmethod_is_enabled publickey
> debug1: Next authentication method: publickey
> debug1: Trying private key: /var/lib/amanda/.ssh/id_rsa
> debug3: no such identity: /var/lib/amanda/.ssh/id_rsa
> debug1: Trying private key: /var/lib/amanda/.ssh/id_dsa
> debug3: no such identity: /var/lib/amanda/.ssh/id_dsa
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup keyboard-interactive
> debug3: remaining preferred: password
> debug3: authmethod_is_enabled keyboard-interactive
> debug1: Next authentication method: keyboard-interactive
> debug2: userauth_kbdint
> debug2: we sent a keyboard-interactive packet, wait for reply
> debug1: Authentications that can continue:
> publickey,password,keyboard-interactive
> debug3: userauth_kbdint: disable: no info_req_seen
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup password
> debug3: remaining preferred:
> debug3: authmethod_is_enabled password
> debug1: Next authentication method: password
> amandabackup at lb1's password:
> debug3: packet_send2: adding 48 (len 67 padlen 13 extra_pad 64)
> debug2: we sent a password packet, wait for reply
> debug1: Authentication succeeded (password).
> Authenticated to lb1 ([192.168.1.23]:22).
> debug1: channel 0: new [client-session]
> debug3: ssh_session2_open: channel_new: 0
> debug2: channel 0: send open
> debug1: Requesting no-more-sessions at openssh.com
> debug1: Entering interactive session.
> debug2: callback start
> debug2: client_session2_setup: id 0
> debug2: channel 0: request pty-req confirm 1
> debug2: channel 0: request shell confirm 1
> debug2: fd 3 setting TCP_NODELAY
> debug2: callback done
> debug2: channel 0: open confirm rwindow 0 rmax 32768
> debug2: channel_input_status_confirm: type 99 id 0
> debug2: PTY allocation request accepted on channel 0
> debug2: channel 0: rcvd adjust 2097152
> debug2: channel_input_status_confirm: type 99 id 0
> debug2: shell request accepted on channel 0
> Last login: Fri Dec 31 11:02:30 2010 from 192.168.1.40
> #########################################################
> #               SUMMITNJHOME.COM                        #
> #               TITLE:       LB1 BOX                    #
> #               HOST:        VIRTCENT01                 #
> #               LOCATION:    SUMMIT BASEMENT            #
> #########################################################
> -sh-3.2$ bash
> [amandabackup at VIRTCENT01 ~]$
> 
> 
> thanks for your help and the CentOS community has done wonderful
> things to help me with my setups over the past year. Here's to a happy
> / healthy 2011!!
> 
> 
> 
> --
> GPG me!!
> 
> gpg --keyserver pgp.mit.edu --recv-keys F186197B
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos