Hi all,
I've got a very peculiar problem: I have a single Linux box (kernel
2.2.17-14, glibc-2.1.3-22) running OpenSSH 2.5.2p2 that is refusing RSA
authentication no matter what I try:
the server responds ('sshd -d -d -d', replaced the IP/hostname with
junk) with
debug1: Seeding random number generator
debug1: sshd version OpenSSH_2.5.2p2
debug1: load_private_key_autodetect: type 0 RSA1
debug3: Bad RSA1 key file /etc/ssh/ssh_host_rsa_key.
debug1: read SSH2 private key done: name rsa w/o comment success 1
debug1: load_private_key_autodetect: type 1 RSA
debug3: Bad RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read SSH2 private key done: name dsa w/o comment success 1
debug1: load_private_key_autodetect: type 2 DSA
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 666.666.666.666 port 4756
debug1: Client protocol version 1.5; client software version OpenSSH_2.5.2p2
debug1: match: OpenSSH_2.5.2p2 pat ^OpenSSH
debug1: Local version string SSH-1.99-OpenSSH_2.5.2p2
debug1: Rhosts Authentication disabled, originating port not trusted.
debug1: Sent 768 bit server key and 1024 bit host key.
debug1: Encryption type: 3des
debug1: Received session key; encryption turned on.
debug1: Installing crc compensation attack detector.
debug1: Starting up PAM with username "janjust"
debug1: Trying to reverse map address 666.666.666.666.
debug1: PAM setting rhost to "whatever"
debug1: Attempting authentication for janjust.
Failed rsa for janjust from 666.666.666.666 port 4756
Failed password for janjust from 666.666.666.666 port 4756
Failed password for janjust from 666.666.666.666 port 4756
Failed password for janjust from 666.666.666.666 port 4756
Connection closed by 666.666.666.666
debug1: Calling cleanup 0x8051ee0(0x0)
debug1: Calling cleanup 0x8064930(0x0)
the client command is (running on the same host):
linuxbox [janjust]> ssh -v -1 666.666.666.666
OpenSSH_2.5.2p2, SSH protocols 1.5/2.0, OpenSSL 0x0090581f
debug1: Seeding random number generator
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: getuid 25980 geteuid 0 anon 1
debug1: Connecting to 666.666.666.666 [666.666.666.666] port 22.
debug1: Connection established.
debug1: identity file /local/home/janjust/.ssh/identity type 0
debug1: Remote protocol version 1.99, remote software version OpenSSH_2.5.2p2
debug1: match: OpenSSH_2.5.2p2 pat ^OpenSSH
debug1: Local version string SSH-1.5-OpenSSH_2.5.2p2
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug1: Host '666.666.666.666' is known and matches the RSA1 host key.
debug1: Found key in /etc/ssh/ssh_known_hosts:118
debug1: Encryption type: 3des
debug1: Sent encrypted session key.
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: Trying RSA authentication with key 'janjust@whatever'
debug1: Server refused our key.
debug1: Doing password authentication.
Permission denied.
debug1: Calling cleanup 0x80605a0(0x0)
If I install the same kernel, glibc and openssh RPMs on a different box
(no changes to the /etc/ssh config files) then it works like a charm!
Also, if I ssh from my troubled-box to the ok-box then I have no
problems either.
For some reason that I cannot figure out, my troubled box is refusing to
accept all RSA keys, no matter what I try. For completeness' sake (and to
make this message even longer), here are /etc/ssh/sshd_config and
/etc/ssh/ssh_config, untouched from the RPMs:
/etc/ssh/sshd_config:
# $OpenBSD: sshd_config,v 1.34 2001/02/24 10:37:26 deraadt Exp $
# This sshd was compiled with PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
# This is the sshd server system-wide configuration file. See sshd(8)
# for more information.
Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::
HostKey /etc/ssh/ssh_host_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
ServerKeyBits 768
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin yes
#
# Don't read ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
StrictModes yes
X11Forwarding no
X11DisplayOffset 10
PrintMotd yes
KeepAlive yes
# Logging
SyslogFacility AUTH
LogLevel INFO
#obsoletes QuietMode and FascistLogging
RhostsAuthentication no
#
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
RhostsRSAAuthentication no
#
RSAAuthentication yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no
# Comment to enable s/key passwords or PAM interactive authentication
# NB. Neither of these are compiled in by default. Please read the
# notes in the sshd(8) manpage before enabling this on a PAM system.
ChallengeResponseAuthentication no
# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no
# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes
#CheckMail yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
#ReverseMappingCheck yes
Subsystem sftp /usr/libexec/openssh/sftp-server
/etc/ssh/ssh_config:
# $OpenBSD: ssh_config,v 1.9 2001/03/10 12:53:51 deraadt Exp $
# This is ssh client systemwide configuration file. See ssh(1) for more
# information. This file provides defaults for users, and the values can
# be changed in per-user configuration files or on the command line.
# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
# Site-wide defaults for various options
# Host *
# ForwardAgent no
# ForwardX11 no
# RhostsAuthentication no
# RhostsRSAAuthentication yes
# RSAAuthentication yes
# PasswordAuthentication yes
# FallBackToRsh no
# UseRsh no
# BatchMode no
# CheckHostIP yes
# StrictHostKeyChecking yes
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_dsa
# IdentityFile ~/.ssh/id_rsa1
# IdentityFile ~/.ssh/id_rsa2
# Port 22
# Protocol 2,1
# Cipher blowfish
# EscapeChar ~
any ideas, anyone?
TIA,
JJK / Jan Just Keijser
Cisco Systems International BV
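A check worth running before anything else when sshd logs "Failed rsa" against a config with "StrictModes yes", as an added example that is not part of the post above and is not OpenSSH's own code: with StrictModes, sshd refuses the user's key unless the home directory, ~/.ssh and ~/.ssh/authorized_keys are owned by that user (or root) and are neither group- nor world-writable, and for `ssh -1` with a type 0 (RSA1) identity the matching public key has to be an RSA1 line ("bits exponent modulus comment") in ~/.ssh/authorized_keys rather than a protocol-2 "ssh-rsa ..." line. The script reproduces those conditions in portable sh. It assumes the usual `ls -ld` column layout (permissions in column 1, owner in column 3), and the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post, not OpenSSH code): replay the
# preconditions sshd needs before it will honour a protocol-1 RSA key.
# Assumes `ls -ld` prints permissions in column 1 and owner in column 3.

# secure_path PATH USER -> 0 if PATH passes the StrictModes rule (exists,
# owned by USER or root, not group/world writable), 1 otherwise with a reason.
secure_path() {
    _p=$1 _u=$2
    [ -e "$_p" ] || { echo "missing: $_p"; return 1; }
    set -- $(ls -ld "$_p")              # e.g. "drwx------ 2 janjust users ..."
    _perm=$1 _owner=$3
    if [ "$_owner" != "$_u" ] && [ "$_owner" != root ]; then
        echo "bad owner on $_p: $_owner (want $_u or root)"; return 1
    fi
    # in "drwxrwxrwx", character 6 is the group write bit, 9 the other write bit
    _gw=$(printf '%s' "$_perm" | cut -c6)
    _ow=$(printf '%s' "$_perm" | cut -c9)
    if [ "$_gw" = w ] || [ "$_ow" = w ]; then
        echo "group/world writable: $_p ($_perm)"; return 1
    fi
    return 0
}

# rsa1_key_present FILE -> 0 if FILE holds at least one RSA1-format line
# ("bits exponent modulus ..."). Lines prefixed with key options such as
# from="..." or command="..." are deliberately not matched here.
rsa1_key_present() {
    grep -Eq '^[0-9]+ [0-9]+ [0-9]+' "$1"
}

# check_rsa1_auth HOME USER -> 0 only if every precondition holds; each
# failing condition is reported so the operator sees all of them at once.
check_rsa1_auth() {
    _home=$1 _user=$2 _rc=0
    for _path in "$_home" "$_home/.ssh" "$_home/.ssh/authorized_keys"; do
        secure_path "$_path" "$_user" || _rc=1
    done
    if [ -f "$_home/.ssh/authorized_keys" ] \
       && ! rsa1_key_present "$_home/.ssh/authorized_keys"; then
        echo "no RSA1 (bits exponent modulus) line in authorized_keys;"
        echo "protocol-2 ssh-rsa/ssh-dss lines do not serve ssh -1"
        _rc=1
    fi
    return $_rc
}

# Stand-alone use: `sh thisscript.sh --self` checks the invoking user's home.
if [ "${1:-}" = --self ]; then
    check_rsa1_auth "$HOME" "$(id -un)"
fi
```

Run it as the user whose key is being refused (here `--self` from janjust's shell); a non-zero exit with a "group/world writable" or "bad owner" line is the StrictModes refusal that sshd only reports as "Failed rsa" at the INFO log level the posted sshd_config selects.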