Well, it's telling you debug3: Bad RSA1 key file /etc/ssh/ssh_host_rsa_key.
That's a big indicator you should recreate your rsa host keys.
--
Austin Gonyou
Systems Architect
Coremetrics, Inc.
Phone: 512-796-9023
email: [EMAIL PROTECTED]
On Tue, 3 Apr 2001, Jan Just Keijser wrote:
> Hi all,
>
> I've got a very peculiar problem: I have a single Linux box (kernel
> 2.2.17-14, glibc-2.1.3-22) running OpenSSH 2.5.2p2 that is refusing RSA
> authentication no matter what I try:
>
> the server responds ('sshd -d -d -d', replaced the IP/hostname with
> junk) with
>
> debug1: Seeding random number generator
> debug1: sshd version OpenSSH_2.5.2p2
> debug1: load_private_key_autodetect: type 0 RSA1
> debug3: Bad RSA1 key file /etc/ssh/ssh_host_rsa_key.
> debug1: read SSH2 private key done: name rsa w/o comment success 1
> debug1: load_private_key_autodetect: type 1 RSA
> debug3: Bad RSA1 key file /etc/ssh/ssh_host_dsa_key.
> debug1: read SSH2 private key done: name dsa w/o comment success 1
> debug1: load_private_key_autodetect: type 2 DSA
> debug1: Bind to port 22 on 0.0.0.0.
> Server listening on 0.0.0.0 port 22.
> Generating 768 bit RSA key.
> RSA key generation complete.
> debug1: Server will not fork when running in debugging mode.
> Connection from 666.666.666.666 port 4756
> debug1: Client protocol version 1.5; client software version OpenSSH_2.5.2p2
> debug1: match: OpenSSH_2.5.2p2 pat ^OpenSSH
> debug1: Local version string SSH-1.99-OpenSSH_2.5.2p2
> debug1: Rhosts Authentication disabled, originating port not trusted.
> debug1: Sent 768 bit server key and 1024 bit host key.
> debug1: Encryption type: 3des
> debug1: Received session key; encryption turned on.
> debug1: Installing crc compensation attack detector.
> debug1: Starting up PAM with username "janjust"
> debug1: Trying to reverse map address 666.666.666.666.
> debug1: PAM setting rhost to "whatever"
> debug1: Attempting authentication for janjust.
> Failed rsa for janjust from 666.666.666.666 port 4756
> Failed password for janjust from 666.666.666.666 port 4756
> Failed password for janjust from 666.666.666.666 port 4756
> Failed password for janjust from 666.666.666.666 port 4756
> Connection closed by 666.666.666.666
> debug1: Calling cleanup 0x8051ee0(0x0)
> debug1: Calling cleanup 0x8064930(0x0)
>
> the client command is (running on the same host):
>
> linuxbox [janjust]> ssh -v -1 666.666.666.666
> OpenSSH_2.5.2p2, SSH protocols 1.5/2.0, OpenSSL 0x0090581f
> debug1: Seeding random number generator
> debug1: Rhosts Authentication disabled, originating port will not be trusted.
> debug1: ssh_connect: getuid 25980 geteuid 0 anon 1
> debug1: Connecting to 666.666.666.666 [666.666.666.666] port 22.
> debug1: Connection established.
> debug1: identity file /local/home/janjust/.ssh/identity type 0
> debug1: Remote protocol version 1.99, remote software version OpenSSH_2.5.2p2
> debug1: match: OpenSSH_2.5.2p2 pat ^OpenSSH
> debug1: Local version string SSH-1.5-OpenSSH_2.5.2p2
> debug1: Waiting for server public key.
> debug1: Received server public key (768 bits) and host key (1024 bits).
> debug1: Host '666.666.666.666' is known and matches the RSA1 host key.
> debug1: Found key in /etc/ssh/ssh_known_hosts:118
> debug1: Encryption type: 3des
> debug1: Sent encrypted session key.
> debug1: Installing crc compensation attack detector.
> debug1: Received encrypted confirmation.
> debug1: Trying RSA authentication with key 'janjust@whatever'
> debug1: Server refused our key.
> debug1: Doing password authentication.
> Permission denied.
> debug1: Calling cleanup 0x80605a0(0x0)
>
>
> If I install the same kernel, glibc and openssh RPMs on a different box
> (no changes to the /etc/ssh config files) then it works like a charm!
> Also, if I ssh from my troubled-box to the ok-box then I have no
> problems either.
>
> For some reason that I cannot figure out, my troubled box is refusing to
> accept all RSA keys, no matter what I try. For completeness' sake (and to
> make this message even longer), here are /etc/ssh/sshd_config and
> /etc/ssh/ssh_config, untouched from the RPMs:
>
> /etc/ssh/sshd_config:
> # $OpenBSD: sshd_config,v 1.34 2001/02/24 10:37:26 deraadt Exp $
>
> # This sshd was compiled with PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
>
> # This is the sshd server system-wide configuration file. See sshd(8)
> # for more information.
>
> Port 22
> #Protocol 2,1
> #ListenAddress 0.0.0.0
> #ListenAddress ::
> HostKey /etc/ssh/ssh_host_key
> HostKey /etc/ssh/ssh_host_rsa_key
> HostKey /etc/ssh/ssh_host_dsa_key
> ServerKeyBits 768
> LoginGraceTime 600
> KeyRegenerationInterval 3600
> PermitRootLogin yes
> #
> # Don't read ~/.rhosts and ~/.shosts files
> IgnoreRhosts yes
> # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
> #IgnoreUserKnownHosts yes
> StrictModes yes
> X11Forwarding no
> X11DisplayOffset 10
>
> PrintMotd yes
> KeepAlive yes
>
> # Logging
> SyslogFacility AUTH
> LogLevel INFO
> #obsoletes QuietMode and FascistLogging
>
> RhostsAuthentication no
> #
> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
> RhostsRSAAuthentication no
> #
> RSAAuthentication yes
>
> # To disable tunneled clear text passwords, change to no here!
> PasswordAuthentication yes
> PermitEmptyPasswords no
>
> # Comment to enable s/key passwords or PAM interactive authentication
> # NB. Neither of these are compiled in by default. Please read the
> # notes in the sshd(8) manpage before enabling this on a PAM system.
> ChallengeResponseAuthentication no
>
> # To change Kerberos options
> #KerberosAuthentication no
> #KerberosOrLocalPasswd yes
> #AFSTokenPassing no
> #KerberosTicketCleanup no
>
> # Kerberos TGT Passing does only work with the AFS kaserver
> #KerberosTgtPassing yes
>
> #CheckMail yes
> #UseLogin no
>
> #MaxStartups 10:30:60
> #Banner /etc/issue.net
> #ReverseMappingCheck yes
>
> Subsystem sftp /usr/libexec/openssh/sftp-server
>
>
> /etc/ssh/ssh_config:
> # $OpenBSD: ssh_config,v 1.9 2001/03/10 12:53:51 deraadt Exp $
>
> # This is ssh client systemwide configuration file. See ssh(1) for more
> # information. This file provides defaults for users, and the values can
> # be changed in per-user configuration files or on the command line.
>
> # Configuration data is parsed as follows:
> # 1. command line options
> # 2. user-specific file
> # 3. system-wide file
> # Any configuration value is only changed the first time it is set.
> # Thus, host-specific definitions should be at the beginning of the
> # configuration file, and defaults at the end.
>
> # Site-wide defaults for various options
>
> # Host *
> # ForwardAgent no
> # ForwardX11 no
> # RhostsAuthentication no
> # RhostsRSAAuthentication yes
> # RSAAuthentication yes
> # PasswordAuthentication yes
> # FallBackToRsh no
> # UseRsh no
> # BatchMode no
> # CheckHostIP yes
> # StrictHostKeyChecking yes
> # IdentityFile ~/.ssh/identity
> # IdentityFile ~/.ssh/id_dsa
> # IdentityFile ~/.ssh/id_rsa1
> # IdentityFile ~/.ssh/id_rsa2
> # Port 22
> # Protocol 2,1
> # Cipher blowfish
> # EscapeChar ~
>
>
> any ideas, anyone?
>
> TIA,
>
> JJK / Jan Just Keijser
> Cisco Systems International BV
>
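
An added example (not part of the thread and not OpenSSH code): a small parser that groups the host-key loading lines of the `sshd -d -d -d` output quoted above, so each key's RSA1 probe result, SSH2 read result and final reported type can be read together. The sample input is constructed from the quoted log lines; closing a record at each `load_private_key_autodetect: type` line is an assumption drawn from the order of the lines in that log.

```python
import re

# Constructed sample: host-key loading lines copied from the quoted sshd debug output.
SAMPLE = """\
debug1: sshd version OpenSSH_2.5.2p2
debug1: load_private_key_autodetect: type 0 RSA1
debug3: Bad RSA1 key file /etc/ssh/ssh_host_rsa_key.
debug1: read SSH2 private key done: name rsa w/o comment success 1
debug1: load_private_key_autodetect: type 1 RSA
debug3: Bad RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read SSH2 private key done: name dsa w/o comment success 1
debug1: load_private_key_autodetect: type 2 DSA
debug1: Bind to port 22 on 0.0.0.0.
"""

BAD_RSA1 = re.compile(r"debug3: Bad RSA1 key file (\S+?)\.?$")
SSH2_DONE = re.compile(r"read SSH2 private key done: name (\S+) .*success (\d+)")
LOADED = re.compile(r"load_private_key_autodetect: type (\d+) (\S+)")


def _record(key_type, pending):
    # "path" is only known when the RSA1 probe logged the file name.
    return {"type": key_type, "path": pending.get("path"),
            "rsa1_probe_failed": "path" in pending,
            "ssh2_ok": pending.get("ssh2_ok")}


def host_key_summary(log_text):
    """Return one record per host key, in the order sshd reported them."""
    records, pending = [], {}
    for raw in log_text.splitlines():
        line = raw.lstrip("> ").rstrip()  # tolerate mail-quoted paste
        if m := BAD_RSA1.search(line):
            pending["path"] = m.group(1)
        elif m := SSH2_DONE.search(line):
            pending["ssh2_ok"] = m.group(2) == "1"
        elif m := LOADED.search(line):
            records.append(_record(m.group(2), pending))
            pending = {}
    if pending:  # probe lines with no closing "type" line: never reported as loaded
        records.append(_record(None, pending))
    return records


if __name__ == "__main__":
    for rec in host_key_summary(SAMPLE):
        print(rec)
```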