[CentOS] Q: respecting .ssh/id_rsa
Valeri Galtsev
galtsev at kicp.uchicago.edu
Fri May 8 14:22:39 UTC 2015
On Fri, May 8, 2015 8:58 am, James B. Byrne wrote:
> While attempting to debug something else I ran across this:
>
> ssh -vvv somehost
> . . .
> debug1: Connection established.
> debug1: permanently_set_uid: 0/0
> debug1: identity file /root/.ssh/identity type -1
> debug1: identity file /root/.ssh/identity-cert type -1
> debug3: Not a RSA1 key file /root/.ssh/id_rsa.
> debug2: key_type_from_name: unknown key type '-----BEGIN'
> debug3: key_read: missing keytype
> debug3: key_read: missing whitespace
> . . .
>
> However if I verify the key I see this:
>
> ssh-keygen -l -f ~/.ssh/id_rsa.pub
> 4096 08:70:3b:92:4c:96:1c:6a:03:a4:ae:66:8d:9e:6c:93
> /root/.ssh/id_rsa.pub (RSA)
>
> Which seems ok to me. The permissions also seem ok:
>
> .ssh]# ll
> total 40
> -rw-------. 1 root root 3863 Oct 11 2012 authorized_keys
> -rw-------. 1 root root 3243 Aug 9 2012 id_rsa
> -rw-r--r--. 1 root root 757 Aug 9 2012 id_rsa.pub
> -rw-r--r--. 1 root root 11071 May 8 09:42 known_hosts
When checking permissions don't forget to check permissions on parent
directories (all levels up to the /). E.g., if your home directory is
world writable, ssh will ignore authorized_keys as well, as the above
permissions _can_ be changed by everybody. The same is true if / is
ridiculously world writable (I've never seen that myself, but I do mean:
check all levels of what the path ~/.ssh is).
It's not clear from your description, but I'm sure you have the following
right: id_rsa and id_rsa.pub is a pair you have on local machine (the one
you ssh from). autorized_keys is on the remote machine (the one you
connect to), and it contains the contents of id_rsa.pub that you have on
local machine (i.e. you copied id_rsa.pub from local machine to remote and
dumped it into ~/.ssh/autorized_keys on it).
I would also check that in sshd config file (usually:
/etc/ssh/sshd_config) on remote machine you do have line
PubkeyAuthentication yes
Good luck!
Valeri
>
> The password-less connections complete in any case but I am perplexed
> as to what is the problem with the root identity key that ssh is
> reporting.
>
> Can anyone explain to me what this means?
>
> --
> *** e-Mail is NOT a SECURE channel ***
> Do NOT transmit sensitive data via e-Mail
> James B. Byrne mailto:ByrneJB at Harte-Lyne.ca
> Harte & Lyne Limited http://www.harte-lyne.ca
> 9 Brockley Drive vox: +1 905 561 1241
> Hamilton, Ontario fax: +1 905 561 0757
> Canada L8E 3C3
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
More information about the CentOS
mailing list