Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Date: Mon, 26 Apr 2004 18:36:41 +1000
Subject: Re: OpenSSH public key authentication woes
From: Greg Rudd
To: Karl M

On 26/4/04 4:33 pm, "Karl M" wrote:

> Hi Greg...
>
> I don't see an authorized_keys file in your .ssh directory. It should
> contain the public keys for those users/hosts that are permitted to do
> public key authentication. Just cat the public keys you want together to
> make your authorized_keys file. Then make sure that it is readable by your
> sshd (ssh server).
>
> HTH
>
> ...Karl

Hi Karl et al

I accidentally named the files authorized_hosts instead of keys. I have corrected this but to no avail. To make the files readable by the server I take it that you need to set the modes to 600 for the authorized_key files (which I have done)

>
>
>> From: Greg Rudd
>> To:
>> CC: Didier Debuf
>> Subject: OpenSSH public key authentication woes
>> Date: Mon, 26 Apr 2004 16:04:41 +1000
>>
>> Hi All
>>
>> I am trying to get public-key authentication working with openSSH under
>> cygwin. I have been looking on the net and found numerous references to
>> this problem but no one has posted a summary so as to prevent further emails
>> on this subject to the list.
>>
>> What is strange is that in testing I can do public key authentication to the
>> commercial version of SSH which in my case is an alpha (Tru64 4.0g and
>> 5.1a)
>> running 3.2.9.1 but yet can not do public key authentication either to the
>> local host or from another host.
>>
>>
>> I have checked the ssh_config and sshd_config files and both have
>> RSAAuthetication and Public key authentication are enabled as well as
>> Protocol 2,1 listed in both files and the identity files listed in the
>> /etc/ssh_config file are:
>>
>> IdentityFile ~/.ssh/id_dsa
>> IdentityFile ~/.ssh/identity
>> IdentityFile ~/.ssh/id_rsa
>> IdentityFile ~/.ssh/id_dsa
>>
>> And the contents of the .ssh directory are
>> drwxr-xr-x 1 grudd Domain U 0 Apr 23 20:17 .
>> drwxr-xr-x 1 grudd Domain U 4096 Apr 23 21:24 ..
>> -rw------- 1 grudd Domain U 331 Apr 23 19:37 authorized_hosts
>> -rw------- 1 grudd Domain U 1204 Apr 23 19:36 authorized_hosts2
>> -rw------- 1 grudd Domain U 668 Apr 22 18:20 foo
>> -rw------- 1 grudd Domain U 602 Apr 22 18:20 foo.pub
>> -rw------- 1 grudd Domain U 668 Apr 23 18:32 id_dsa
>> -rw------- 1 grudd Domain U 602 Apr 23 18:32 id_dsa.pub
>> -rw------- 1 grudd Domain U 527 Apr 23 18:03 id_rsa
>> -rw------- 1 grudd Domain U 331 Apr 23 18:03 id_rsa.pub
>> -rw------- 1 grudd Domain U 527 Apr 23 19:05 identity
>> -rw------- 1 grudd Domain U 331 Apr 23 19:05 identity.pub
>> -rw------- 1 grudd Domain U 220 Apr 23 20:17 known_hosts
>>
>> I have been working on this for a couple of days and I am now stumped for a
>> solution any ideas from the experts here??
>>
>>
>> Thanks in advance -greg
>>
>>
>> Debug output from the client trying to ssh via public key authentication to
>> localhost
>>
>>
>> $ ssh -vvv grudd AT localhost
>> OpenSSH_3.8.1p1, OpenSSL 0.9.7d 17 Mar 2004
>> debug1: Reading configuration data /etc/ssh_config
>> debug3: cipher ok: aes128-cbc
>> [aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc]
>> debug3: cipher ok: 3des-cbc
>> [aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc]
>> debug3: cipher ok: blowfish-cbc
>> [aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc]
>> debug3: cipher ok: cast128-cbc
>> [aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc]
>> debug3: cipher ok: arcfour
>> [aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc]
>> debug3: cipher ok: aes192-cbc
>> [aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc]
>> debug3: cipher ok: aes256-cbc
>> [aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc]
>> debug3: ciphers ok:
>> [aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc]
>> debug2: ssh_connect: needpriv 0
>> debug1: Connecting to localhost [127.0.0.1] port 22.
>> debug1: Connection established.
>> debug3: Not a RSA1 key file //crescent/grudd/.ssh/id_dsa.
>> debug2: key_type_from_name: unknown key type '-----BEGIN'
>> debug3: key_read: missing keytype
>> debug3: key_read: missing whitespace
>> debug3: key_read: missing whitespace
>> debug3: key_read: missing whitespace
>> debug3: key_read: missing whitespace
>> debug3: key_read: missing whitespace
>> debug3: key_read: missing whitespace
>> debug3: key_read: missing whitespace
>> debug3: key_read: missing whitespace
>> debug3: key_read: missing whitespace
>> debug3: key_read: missing whitespace
>> debug2: key_type_from_name: unknown key type '-----END'
>> debug3: key_read: missing keytype
>> debug1: identity file //crescent/grudd/.ssh/id_dsa type 2
>> debug1: identity file //crescent/grudd/.ssh/identity type 0
>> debug1: identity file //crescent/grudd/.ssh/id_rsa type 0
>> debug3: Not a RSA1 key file //crescent/grudd/.ssh/id_dsa.
>> debug2: key_type_from_name: unknown key type '-----BEGIN'
>> debug3: key_read: missing keytype
>> debug3: key_read: missing whitespace
>> debug3: key_read: missing whitespace
>> debug3: key_read: missing whitespace
>> debug3: key_read: missing whitespace
>> debug3: key_read: missing whitespace
>> debug3: key_read: missing whitespace
>> debug3: key_read: missing whitespace
>> debug3: key_read: missing whitespace
>> debug3: key_read: missing whitespace
>> debug3: key_read: missing whitespace
>> debug2: key_type_from_name: unknown key type '-----END'
>> debug3: key_read: missing keytype
>> debug1: identity file //crescent/grudd/.ssh/id_dsa type 2
>> debug1: Remote protocol version 2.0, remote software version
>> OpenSSH_3.8.1p1
>> debug1: match: OpenSSH_3.8.1p1 pat OpenSSH*
>> debug1: Enabling compatibility mode for protocol 2.0
>> debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1
>> debug1: SSH2_MSG_KEXINIT sent
>> debug1: SSH2_MSG_KEXINIT received
>> debug2: kex_parse_kexinit:
>> diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
>> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
>> debug2: kex_parse_kexinit:
>> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
>> debug2: kex_parse_kexinit:
>> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
>> debug2: kex_parse_kexinit:
>> hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 AT openssh DOT com,hmac-sha1-96,hm
>> ac-md5-96
>> debug2: kex_parse_kexinit:
>> hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 AT openssh DOT com,hmac-sha1-96,hm
>> ac-md5-96
>> debug2: kex_parse_kexinit: none,zlib
>> debug2: kex_parse_kexinit: none,zlib
>> debug2: kex_parse_kexinit:
>> debug2: kex_parse_kexinit:
>> debug2: kex_parse_kexinit: first_kex_follows 0
>> debug2: kex_parse_kexinit: reserved 0
>> debug2: kex_parse_kexinit:
>> diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
>> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
>> debug2: kex_parse_kexinit:
>> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,r
>> ijndael-cbc AT lysator DOT liu DOT se,aes128-ctr,aes192-ctr,aes256-ctr
>> debug2: kex_parse_kexinit:
>> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,r
>> ijndael-cbc AT lysator DOT liu DOT se,aes128-ctr,aes192-ctr,aes256-ctr
>> debug2: kex_parse_kexinit:
>> hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 AT openssh DOT com,hmac-sha1-96,hm
>> ac-md5-96
>> debug2: kex_parse_kexinit:
>> hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 AT openssh DOT com,hmac-sha1-96,hm
>> ac-md5-96
>> debug2: kex_parse_kexinit: none,zlib
>> debug2: kex_parse_kexinit: none,zlib
>> debug2: kex_parse_kexinit:
>> debug2: kex_parse_kexinit:
>> debug2: kex_parse_kexinit: first_kex_follows 0
>> debug2: kex_parse_kexinit: reserved 0
>> debug2: mac_init: found hmac-md5
>> debug1: kex: server->client aes128-cbc hmac-md5 none
>> debug2: mac_init: found hmac-md5
>> debug1: kex: client->server aes128-cbc hmac-md5 none
>> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
>> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
>> debug2: dh_gen_key: priv key bits set: 143/256
>> debug2: bits set: 524/1024
>> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
>> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
>> debug3: check_host_in_hostfile: filename //crescent/grudd/.ssh/known_hosts
>> debug3: check_host_in_hostfile: match line 1
>> debug1: Host 'localhost' is known and matches the RSA host key.
>> debug1: Found key in //crescent/grudd/.ssh/known_hosts:1
>> debug2: bits set: 496/1024
>> debug1: ssh_rsa_verify: signature correct
>> debug2: kex_derive_keys
>> debug2: set_newkeys: mode 1
>> debug1: SSH2_MSG_NEWKEYS sent
>> debug1: expecting SSH2_MSG_NEWKEYS
>> debug2: set_newkeys: mode 0
>> debug1: SSH2_MSG_NEWKEYS received
>> debug1: SSH2_MSG_SERVICE_REQUEST sent
>> debug2: service_accept: ssh-userauth
>> debug1: SSH2_MSG_SERVICE_ACCEPT received
>> debug2: key: //crescent/grudd/.ssh/id_dsa (0x100f24e0)
>> debug2: key: //crescent/grudd/.ssh/id_dsa (0x100e9218)
>> debug1: Authentications that can continue:
>> publickey,password,keyboard-interactive
>> debug3: start over, passed a different list
>> publickey,password,keyboard-interactive
>> debug3: preferred publickey,keyboard-interactive,password
>> debug3: authmethod_lookup publickey
>> debug3: remaining preferred: keyboard-interactive,password
>> debug3: authmethod_is_enabled publickey
>> debug1: Next authentication method: publickey
>> debug1: Offering public key: //crescent/grudd/.ssh/id_dsa
>> debug3: send_pubkey_test
>> debug2: we sent a publickey packet, wait for reply
>> debug1: Authentications that can continue:
>> publickey,password,keyboard-interactive
>> debug1: Offering public key: //crescent/grudd/.ssh/id_dsa
>> debug3: send_pubkey_test
>> debug2: we sent a publickey packet, wait for reply
>> debug1: Authentications that can continue:
>> publickey,password,keyboard-interactive
>> debug2: we did not send a packet, disable method
>> debug3: authmethod_lookup keyboard-interactive
>> debug3: remaining preferred: password
>> debug3: authmethod_is_enabled keyboard-interactive
>> debug1: Next authentication method: keyboard-interactive
>> debug2: userauth_kbdint
>> debug2: we sent a keyboard-interactive packet, wait for reply
>> debug1: Authentications that can continue:
>> publickey,password,keyboard-interactive
>> debug3: userauth_kbdint: disable: no info_req_seen
>> debug2: we did not send a packet, disable method
>> debug3: authmethod_lookup password
>> debug3: remaining preferred:
>> debug3: authmethod_is_enabled password
>> debug1: Next authentication method: password
>> grudd AT localhost's password:
>>
>>
>>
>> Debug output from the server.
>>
>>
>> debug2: read_server_config: filename /etc/sshd_config
>> debug1: sshd version OpenSSH_3.8.1p1
>> debug1: private host key: #0 type 0 RSA1
>> debug3: Not a RSA1 key file /etc/ssh_host_rsa_key.
>> debug1: read PEM private key done: type RSA
>> debug1: private host key: #1 type 1 RSA
>> debug3: Not a RSA1 key file /etc/ssh_host_dsa_key.
>> debug1: read PEM private key done: type DSA
>> debug1: private host key: #2 type 2 DSA
>> debug1: Bind to port 22 on 0.0.0.0.
>> Server listening on 0.0.0.0 port 22.
>> Generating 768 bit RSA key.
>> RSA key generation complete.
>> debug1: Server will not fork when running in debugging mode.
>> Connection from 127.0.0.1 port 3545
>> debug1: Client protocol version 2.0; client software version
>> OpenSSH_3.8.1p1
>> debug1: match: OpenSSH_3.8.1p1 pat OpenSSH*
>> debug1: Enabling compatibility mode for protocol 2.0
>> debug1: Local version string SSH-1.99-OpenSSH_3.8.1p1
>> debug2: Network child is on pid 1572
>> debug3: preauth child monitor started
>> debug3: mm_request_receive entering
>> debug1: list_hostkey_types: ssh-rsa,ssh-dss
>> debug1: SSH2_MSG_KEXINIT sent
>> debug1: SSH2_MSG_KEXINIT received
>> debug2: kex_parse_kexinit:
>> diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
>> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
>> debug2: kex_parse_kexinit:
>> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,r
>> ijndael-cbc AT lysator DOT liu DOT se,aes128-ctr,aes192-ctr,aes256-ctr
>> debug2: kex_parse_kexinit:
>> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,r
>> ijndael-cbc AT lysator DOT liu DOT se,aes128-ctr,aes192-ctr,aes256-ctr
>> debug2: kex_parse_kexinit:
>> hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 AT openssh DOT com,hmac-sha1-96,hm
>> ac-md5-96
>> debug2: kex_parse_kexinit:
>> hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 AT openssh DOT com,hmac-sha1-96,hm
>> ac-md5-96
>> debug2: kex_parse_kexinit: none,zlib
>> debug2: kex_parse_kexinit: none,zlib
>> debug2: kex_parse_kexinit:
>> debug2: kex_parse_kexinit:
>> debug2: kex_parse_kexinit: first_kex_follows 0
>> debug2: kex_parse_kexinit: reserved 0
>> debug2: kex_parse_kexinit:
>> diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
>> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
>> debug2: kex_parse_kexinit:
>> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,r
>> ijndael-cbc AT lysator DOT liu DOT se,aes128-ctr,aes192-ctr,aes256-ctr
>> debug2: kex_parse_kexinit:
>> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,r
>> ijndael-cbc AT lysator DOT liu DOT se,aes128-ctr,aes192-ctr,aes256-ctr
>> debug2: kex_parse_kexinit:
>> hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 AT openssh DOT com,hmac-sha1-96,hm
>> ac-md5-96
>> debug2: kex_parse_kexinit:
>> hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 AT openssh DOT com,hmac-sha1-96,hm
>> ac-md5-96
>> debug2: kex_parse_kexinit: none,zlib
>> debug2: kex_parse_kexinit: none,zlib
>> debug2: kex_parse_kexinit:
>> debug2: kex_parse_kexinit:
>> debug2: kex_parse_kexinit: first_kex_follows 0
>> debug2: kex_parse_kexinit: reserved 0
>> debug2: mac_init: found hmac-md5
>> debug1: kex: client->server aes128-cbc hmac-md5 none
>> debug2: mac_init: found hmac-md5
>> debug3: mm_request_send entering: type 5
>> debug2: monitor_read: 4 used once, disabling now
>> debug3: mm_request_receive entering
>> debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN
>> debug3: mm_request_receive_expect entering: type 5
>> debug3: mm_request_receive entering
>> debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
>> debug2: kex_derive_keys
>> debug2: set_newkeys: mode 1
>> debug1: SSH2_MSG_NEWKEYS sent
>> debug1: expecting SSH2_MSG_NEWKEYS
>> Connection closed by 127.0.0.1
>> debug1: do_cleanup
>> debug1: do_cleanup
>> debug2: read_server_config: filename /etc/sshd_config
>> debug1: sshd version OpenSSH_3.8.1p1
>> debug1: private host key: #0 type 0 RSA1
>> debug3: Not a RSA1 key file /etc/ssh_host_rsa_key.
>> debug1: read PEM private key done: type RSA
>> debug1: private host key: #1 type 1 RSA
>> debug3: Not a RSA1 key file /etc/ssh_host_dsa_key.
>> debug1: read PEM private key done: type DSA
>> debug1: private host key: #2 type 2 DSA
>>
>>
>>
>> ssh_config file
>>
>>
>>
>> --
>> Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
>> Problem reports: http://cygwin.com/problems.html
>> Documentation: http://cygwin.com/docs.html
>> FAQ: http://cygwin.com/faq/
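
Added example, not part of the original thread: a POSIX shell function that checks a .ssh directory for the points raised in this exchange (a missing or misnamed authorized_keys file, group- or world-writable modes that sshd rejects when StrictModes is on, and protocol 2 public keys that are not listed in authorized_keys). The name audit_ssh_dir and its finding labels are hypothetical, and ownership and the home directory itself are not checked.

```shell
#!/bin/sh
# Added example: audit a .ssh directory for the problems discussed above.
# audit_ssh_dir and its finding labels are hypothetical names.
# Prints one finding per line; prints nothing when all checks pass.
audit_ssh_dir() {
    dir=$1
    ak="$dir/authorized_keys"

    # sshd reads authorized_keys; a file named authorized_hosts is ignored.
    if [ ! -f "$ak" ]; then
        echo "MISSING $ak"
        for f in "$dir"/authorized_hosts*; do
            if [ -f "$f" ]; then echo "MISNAMED $f"; fi
        done
        return 0
    fi

    # With StrictModes enabled, sshd rejects the file when it or the
    # .ssh directory is writable by group or others.
    for p in "$dir" "$ak"; do
        if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "WRITABLE $p"
        fi
    done

    # Every protocol 2 public key should be listed. Compare the base64
    # blob (second field), since options and comments may differ.
    for pub in "$dir"/*.pub; do
        [ -f "$pub" ] || continue
        ktype= blob= rest=
        read -r ktype blob rest < "$pub" || true
        case "$ktype:$blob" in
            ssh-*:?*) ;;
            *) echo "SKIPPED $pub"; continue ;;  # e.g. protocol 1 key format
        esac
        grep -qF -- "$blob" "$ak" || echo "UNLISTED $pub"
    done
    return 0
}
```

Run it as `audit_ssh_dir ~/.ssh` on the server side, as the account being logged into.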