Date: Tue, 21 Jan 2003 23:17:56 +0000
From: Matthew Seaman
To: questions list
Subject: Re: ssh with public keys and no prompts...I can't get it to work!

On Tue, Jan 21, 2003 at 04:01:40PM -0600, Bob Willcox wrote:
> I am trying (in vain so far) to get ssh to allow me to connect using
> public keys and without any prompts (I need this for a software
> distribution/configuration package I need to run). I have had this work
> before, but now it seems to escape me. To simplify my testing my client
> and server system is the same (i.e., I'm attempting to use ssh to login
> to the local system).
>
> I have built the identity keys for rsa1, rsa, and dsa and placed their
> public keys in my authorized_keys file.

You only need one out of those three. I prefer 'rsa' because it seems
quicker and sucks up less entropy than 'dsa' but there's not that much
to choose between those two. 'rsa1' however should really be confined
for use with legacy systems that only support the SSH1 protocol
version.

> The system is running 4.7-STABLE from about two weeks ago. I have
> included a listing of my .ssh subdirectory and the debug output from
> both ssh and sshd below.
>
> It appears that ssh is failing to read the private rsa key, and then
> prompting me for my passphrase.
>
> Any help/enlightenment on this would be greatly appreciated!

One thing that can lead to wailing and gnashing of teeth is not having
the right host public keys in the ~/.ssh/known_hosts file --- if each
side of the connection should fail to list the other party, then using
key based authentication can fail without warning. Remember that
OpenSSH is IPv6 capable, so if you ssh to localhost, you'll be
connecting via ::1 rather than 127.0.0.1 and hence you'll need a
corresponding entry in ~/.ssh/known_hosts.

>
> My .ssh subdirectory contents:
>
> $ ls -la .ssh
> total 22
> drwxr-xr-x  2 bobl  staff   512 Jan 21 15:28 .
> drwxr-xr-x  3 bobl  staff   512 Jan 21 14:13 ..
> -rw-r--r--  1 bobl  staff  1173 Jan 21 15:29 authorized_keys
> lrwxr-xr-x  1 bobl  staff    15 Jan 21 15:27 authorized_keys2 -> authorized_keys
> -rw-------  1 bobl  staff   744 Jan 21 15:27 id_dsa
> -rw-r--r--  1 bobl  staff   608 Jan 21 15:27 id_dsa.pub
> -rw-------  1 bobl  staff   951 Jan 21 14:13 id_rsa
> -rw-r--r--  1 bobl  staff   228 Jan 21 14:13 id_rsa.pub
> -rw-------  1 bobl  staff   533 Jan 21 15:28 identity
> -rw-r--r--  1 bobl  staff   337 Jan 21 15:28 identity.pub
> -rw-r--r--  1 bobl  staff   935 Jan 21 14:28 known_hosts

Another thing that can lead to problems is the wrong permissions on
the ~/.ssh files, but yours look to be fine already.

> The ssh debug output (again, just the last few interesting lines):
>
> debug1: authentications that can continue: publickey,password,keyboard-interactive
> debug3: start over, passed a different list publickey,password,keyboard-interactive
> debug3: preferred publickey,keyboard-interactive,password
> debug3: authmethod_lookup publickey
> debug3: remaining preferred: keyboard-interactive,password
> debug3: authmethod_is_enabled publickey
> debug1: next auth method to try is publickey
> debug1: try pubkey: /usr/home/bobl/.ssh/id_rsa
> debug3: send_pubkey_test
> debug2: we sent a publickey packet, wait for reply
> debug1: input_userauth_pk_ok: pkalg ssh-rsa blen 149 lastkey 0x8069350 hint 0
> debug2: input_userauth_pk_ok: fp 55:61:ed:da:c6:7d:53:d0:74:d3:d8:1c:73:82:d3:1a
> debug3: sign_and_send_pubkey
> debug1: PEM_read_PrivateKey failed
> debug1: read PEM private key done: type
> Enter passphrase for key '/usr/home/bobl/.ssh/id_rsa':

Hmmm... This doesn't look exactly like normal OpenSSH output to me.
Have you by any chance installed some other version of ssh, like the
version from www.ssh.com? Does the id_rsa file begin like this:

    -----BEGIN RSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: DES-EDE3-CBC,C113AFA81D7CA2EB

If not, perhaps you've managed to generate SSH2 format private keys.
If so you can use

    ssh-keygen -i -f id_rsa > id_rsa.openssh

(using ssh-keygen from OpenSSH of course) to convert to the OpenSSH
format.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
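
[Added example, not part of the original message or of OpenSSH: a shell sketch that checks an ~/.ssh directory for the causes raised in this reply (missing known_hosts entries for localhost, 127.0.0.1 and ::1, loose permissions, and a private key that is not in PEM format or carries a passphrase). The function names are hypothetical; it assumes the ssh.com-style header begins "---- BEGIN SSH2 " and that known_hosts entries are not hashed.]

```shell
# Added example (constructed, not from the thread): checks for the causes discussed above.
# key_format FILE -> pem-encrypted | pem-plain | ssh2 | openssh-new | unknown
key_format() {
    first=$(sed -n '1p' "$1")
    case "$first" in
        "-----BEGIN OPENSSH PRIVATE KEY-----") echo openssh-new ;;
        "-----BEGIN "*" PRIVATE KEY-----")
            # a passphrase-protected PEM key has Proc-Type: 4,ENCRYPTED on line 2
            if sed -n '2p' "$1" | grep -q '^Proc-Type: 4,ENCRYPTED'; then echo pem-encrypted
            else echo pem-plain; fi ;;
        "---- BEGIN SSH2 "*) echo ssh2 ;;   # assumed ssh.com-style header
        *) echo unknown ;;
    esac
}

# mode_of PATH -> the nine rwx characters from ls, following symlinks
mode_of() { ls -ldL "$1" 2>/dev/null | cut -c2-10; }

# private_key_ok FILE -> true when group and other have no access
private_key_ok() { case "$(mode_of "$1")" in ???------) return 0 ;; *) return 1 ;; esac; }

# not_shared_writable PATH -> true when neither group nor other may write
not_shared_writable() { case "$(mode_of "$1")" in ????-??-?) return 0 ;; *) return 1 ;; esac; }

# host_listed KNOWN_HOSTS NAME -> true when NAME is in a plain-text entry's host field
host_listed() {
    awk -v h="$2" '{ n = split($1, a, ","); for (i = 1; i <= n; i++) if (a[i] == h) found = 1 }
                   END { exit !found }' "$1"
}

# report SSH_DIR -> prints findings; exit status is the number of problems
report() {
    d=$1; bad=0
    for p in "$d" "$d/authorized_keys"; do
        not_shared_writable "$p" || { echo "$p: writable by group/other"; bad=$((bad + 1)); }
    done
    private_key_ok "$d/id_rsa" || { echo "$d/id_rsa: accessible to group/other"; bad=$((bad + 1)); }
    case "$(key_format "$d/id_rsa")" in
        pem-plain) ;;
        pem-encrypted) echo "id_rsa has a passphrase: expect a prompt"; bad=$((bad + 1)) ;;
        ssh2) echo "id_rsa is SSH2 format: convert with ssh-keygen -i"; bad=$((bad + 1)) ;;
        *) echo "id_rsa: format not determined from header"; bad=$((bad + 1)) ;;
    esac
    for h in localhost 127.0.0.1 ::1; do
        host_listed "$d/known_hosts" "$h" || { echo "known_hosts: no entry for $h"; bad=$((bad + 1)); }
    done
    return "$bad"
}
```

Run it as `report "$HOME/.ssh"`; an exit status of 0 means none of these checks found a problem.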