Date:      Tue, 21 Jan 2003 23:17:56 +0000
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        questions list <freebsd-questions@FreeBSD.ORG>
Subject:   Re: ssh with public keys and no prompts...I can't get it to work!
Message-ID:  <20030121231755.GB2931@happy-idiot-talk.infracaninophi>
In-Reply-To: <20030121220140.GA91874@luke.immure.com>
References:  <20030121220140.GA91874@luke.immure.com>

On Tue, Jan 21, 2003 at 04:01:40PM -0600, Bob Willcox wrote:
> I am trying (in vain so far) to get ssh to allow me to connect using
> public keys and without any prompts (I need this for a software
> distribution/configuration package I need to run). I have had this work
> before, but now it seems to escape me. To simplify my testing my client
> and server system is the same (i.e., I'm attempting to use ssh to login
> to the local system).
> 
> I have built the identity keys for rsa1, rsa, and dsa and placed their
> public keys in my authorized_keys file.

You only need one out of those three.  I prefer 'rsa' because it seems
quicker and sucks up less entropy than 'dsa' but there's not that much
to choose between those two.  'rsa1' however should really be confined
for use with legacy systems that only support the SSH1 protocol
version.
 
> The system is running 4.7-STABLE from about two weeks ago. I have
> included a listing of my .ssh subdirectory and the debug output from
> both ssh and sshd below.
> 
> It appears that ssh is failing to read the private rsa key, and then
> prompting me for my passphrase.
> 
> Any help/enlightenment on this would be greatly appreciated!

One thing that can lead to wailing and gnashing of teeth is not having
the right host public keys in the ~/.ssh/known_hosts file --- if each
side of the connection should fail to list the other party, then using
key based authentication can fail without warning.

Remember that OpenSSH is IPv6 capable, so if you ssh to localhost,
you'll be connecting via ::1 rather than 127.0.0.1 and hence you'll
need a corresponding entry in ~/.ssh/known_hosts.

> 
> My .ssh subdirectory contents:
> 
> $ ls -la .ssh
> total 22
> drwxr-xr-x  2 bobl  staff   512 Jan 21 15:28 .
> drwxr-xr-x  3 bobl  staff   512 Jan 21 14:13 ..
> -rw-r--r--  1 bobl  staff  1173 Jan 21 15:29 authorized_keys
> lrwxr-xr-x  1 bobl  staff    15 Jan 21 15:27 authorized_keys2 -> authorized_keys
> -rw-------  1 bobl  staff   744 Jan 21 15:27 id_dsa
> -rw-r--r--  1 bobl  staff   608 Jan 21 15:27 id_dsa.pub
> -rw-------  1 bobl  staff   951 Jan 21 14:13 id_rsa
> -rw-r--r--  1 bobl  staff   228 Jan 21 14:13 id_rsa.pub
> -rw-------  1 bobl  staff   533 Jan 21 15:28 identity
> -rw-r--r--  1 bobl  staff   337 Jan 21 15:28 identity.pub
> -rw-r--r--  1 bobl  staff   935 Jan 21 14:28 known_hosts

Another thing that can lead to problems is the wrong permissions on
the ~/.ssh files, but yours look to be fine already.
 
> The ssh debug output (again, just the last few interesting lines):
> 
> debug1: authentications that can continue: publickey,password,keyboard-interactive
> debug3: start over, passed a different list publickey,password,keyboard-interactive
> debug3: preferred publickey,keyboard-interactive,password
> debug3: authmethod_lookup publickey
> debug3: remaining preferred: keyboard-interactive,password
> debug3: authmethod_is_enabled publickey
> debug1: next auth method to try is publickey
> debug1: try pubkey: /usr/home/bobl/.ssh/id_rsa
> debug3: send_pubkey_test
> debug2: we sent a publickey packet, wait for reply
> debug1: input_userauth_pk_ok: pkalg ssh-rsa blen 149 lastkey 0x8069350 hint 0
> debug2: input_userauth_pk_ok: fp 55:61:ed:da:c6:7d:53:d0:74:d3:d8:1c:73:82:d3:1a
> debug3: sign_and_send_pubkey
> debug1: PEM_read_PrivateKey failed
> debug1: read PEM private key done: type <unknown>
> Enter passphrase for key '/usr/home/bobl/.ssh/id_rsa': 

Hmmm... This doesn't look exactly like normal OpenSSH output to me.
Have you by any chance installed some other version of ssh, like the
version from www.ssh.com?  Does the id_rsa file begin like this:

    -----BEGIN RSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: DES-EDE3-CBC,C113AFA81D7CA2EB

If not, perhaps you've managed to generate SSH2 format private keys.
If so you can use 

    ssh-keygen -i -f id_rsa > id_rsa.openssh

(using ssh-keygen from OpenSSH of course) to convert to the OpenSSH
format.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
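
The two checks raised in the reply above (private key file format and ~/.ssh file permissions), as an added example that is not part of the original message. The function names and output labels are hypothetical, the sample files are constructed header lines with no key material, and the recognition of the SSH1 and later OpenSSH headers goes beyond the formats named in the thread.

```shell
#!/bin/sh
# Added example: classify a private key file by its header and check its mode.

# Print the on-disk format of a private key file (labels are this example's own).
classify_private_key() {
    first=$(head -n 1 "$1" | tr -d '\r')
    case "$first" in
        "-----BEGIN RSA PRIVATE KEY-----"|"-----BEGIN DSA PRIVATE KEY-----")
            # PEM as written by OpenSSH; Proc-Type marks a passphrase-encrypted key
            if head -n 3 "$1" | grep -q '^Proc-Type: 4,ENCRYPTED'; then
                echo pem-encrypted
            else
                echo pem-plain
            fi ;;
        "---- BEGIN SSH2 ENCRYPTED PRIVATE KEY"*)
            echo ssh2-commercial ;;   # candidate for: ssh-keygen -i -f FILE
        "-----BEGIN OPENSSH PRIVATE KEY-----")
            echo openssh-new ;;       # format used by later OpenSSH releases
        "SSH PRIVATE KEY FILE FORMAT 1.1")
            echo rsa1 ;;              # SSH1 'identity' file
        *)  echo unknown ;;
    esac
}

# Succeed only when group and others have no access (mode like -rw-------).
private_perms_ok() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Constructed sample files: header lines only, no key material.
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: DES-EDE3-CBC,0000000000000000' > "$demo_dir/id_rsa"
printf '%s\n' '---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----' > "$demo_dir/id_com"
chmod 600 "$demo_dir/id_rsa"
chmod 644 "$demo_dir/id_com"
for f in "$demo_dir"/id_*; do
    if private_perms_ok "$f"; then perms=ok; else perms=too-open; fi
    echo "$(basename "$f"): $(classify_private_key "$f"), permissions $perms"
done
rm -rf "$demo_dir"
```

A `pem-encrypted` result means ssh will ask for the passphrase unless the key is already loaded into ssh-agent.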
