Operating System - OpenVMS
 
SAMI AHMAD
Regular Advisor

public key authentication failing

I have set up this public key authentication 100 times between OpenVMS and Solaris, but I am having issues this time and I can't figure out why. Please see the log below. Can you tell the reason why it's saying public key method disabled?

I apply the same method to other Solaris nodes and they work fine.

PASY$ sftp -v pas_app@dotstodb211
Sftp2/SFTP2.C:4804: CRTL version (SYS$SHARE:DECC$SHARE ident) is: V7.3-2-04

SshFileCopy/SSHFILECOPY.C:1062: Making local connection.
Ssh2SftpServer/SSHFILEXFERS.C:2079: Received SSH_FXP_INIT
Ssh2SftpServer/SSHFILEXFERS.C:2124: version is 3
SshFileCopy/SSHFILECOPY.C:1001: Connection to local, ready to serve requests.
Sftp2/SFTP2.C:786: Connection ready.
SshReadLine/SSHREADLINE.C:3662: Initializing ReadLine...
SshFileCopy/SSHFILECOPY.C:1072: Connecting to remote host. (host = pas_app@dotstodb211, user = NULL, port = NULL)
argv[0] = /sys$system/tcpip$ssh_ssh2
argv[1] = -v
argv[2] = -x
argv[3] = -a
argv[4] = -o
argv[5] = passwordprompt %U@%H's password:
argv[6] = -o
argv[7] = authenticationnotify yes
argv[8] = pas_app@dotstodb211
argv[9] = -s
argv[10] = sftp
Sftp2/SFTP2.C:4012: notification: 0
Sftp2/SFTP2.C:4012: notification: 1

debug(18-JAN-2016 12:09:08.94): Ssh2/SSH2.C:1894: CRTL version (SYS$SHARE:DECC$SHR.EXE ident) is V7.3-2-04
debug(18-JAN-2016 12:09:08.95): SshAppCommon/SSHAPPCOMMON.C:313: Allocating global SshRegex context.
debug(18-JAN-2016 12:09:08.95): SshConfig/SSHCONFIG.C:3338: Metaconfig parsing stopped at line 4.
debug(18-JAN-2016 12:09:08.95): SshConfig/SSHCONFIG.C:855: Setting variable 'VerboseMode' to 'FALSE'.
debug(18-JAN-2016 12:09:08.95): SshConfig/SSHCONFIG.C:3246: Unable to open ssh2/ssh2_config
debug(18-JAN-2016 12:09:08.96): Connecting to dotstodb211, port 22... (SOCKS not used)
debug(18-JAN-2016 12:09:08.96): Ssh2/SSH2.C:2860: Entering event loop.
debug(18-JAN-2016 12:09:08.96): Ssh2Client/SSHCLIENT.C:1609: Creating transport protocol.
debug(18-JAN-2016 12:09:08.96): SshAuthMethodClient/SSHAUTHMETHODC.C:95: Added "publickey" to usable methods.
debug(18-JAN-2016 12:09:08.96): SshAuthMethodClient/SSHAUTHMETHODC.C:95: Added "keyboard-interactive" to usable methods.
debug(18-JAN-2016 12:09:08.96): SshAuthMethodClient/SSHAUTHMETHODC.C:95: Added "password" to usable methods.
debug(18-JAN-2016 12:09:08.97): Ssh2Client/SSHCLIENT.C:1650: Creating userauth protocol.
debug(18-JAN-2016 12:09:08.97): client supports 3 auth methods: 'publickey,keyboard-interactive,password'
debug(18-JAN-2016 12:09:08.97): SshUnixTcp/SSHUNIXTCP.C:1683: using local hostname pasy.to.dot.state.fl.us
debug(18-JAN-2016 12:09:08.97): Ssh2Common/SSHCOMMON.C:541: local ip = 156.75.145.123, local port = 53864
debug(18-JAN-2016 12:09:08.97): Ssh2Common/SSHCOMMON.C:543: remote ip = 10.200.32.16, remote port = 22
debug(18-JAN-2016 12:09:08.97): SshConnection/SSHCONN.C:2311: Wrapping...
debug(18-JAN-2016 12:09:08.97): SshReadLine/SSHREADLINE.C:3662: Initializing ReadLine...
debug(18-JAN-2016 12:09:08.97): Remote version: SSH-2.0-Sun_SSH_2.2
debug(18-JAN-2016 12:09:08.97): Sun_SSH: Major: 2 Minor: 2 Revision: 0
debug(18-JAN-2016 12:09:08.98): Ssh2Transport/TRCOMMON.C:1105: Sending packet with type 2 to connection
debug(18-JAN-2016 12:09:08.98): Ssh2Transport/TRCOMMON.C:1105: Sending packet with type 20 to connection
debug(18-JAN-2016 12:09:08.98): Ssh2Transport/TRCOMMON.C:1105: Sending packet with type 2 to connection
debug(18-JAN-2016 12:09:08.98): Ssh2Transport/TRCOMMON.C:1105: Sending packet with type 30 to connection
debug(18-JAN-2016 12:09:09.00): Ssh2Transport/TRCOMMON.C:2306: lang s to c: `de-DE,en-US,es-ES,fr-FR,it-IT,ja-JP,ko-KR,pt-BR,zh-CN,zh-TW,i-default', lang c to s: `de-DE,en-US,es-ES,fr-FR,it-IT,ja-JP,ko-KR,pt-BR,zh-CN,zh-TW,i-default'
debug(18-JAN-2016 12:09:09.00): Ssh2Transport/TRCOMMON.C:2371: c_to_s: cipher arcfour, mac hmac-sha1, compression none
debug(18-JAN-2016 12:09:09.00): Ssh2Transport/TRCOMMON.C:2374: s_to_c: cipher arcfour, mac hmac-sha1, compression none
debug(18-JAN-2016 12:09:09.01): Ssh2Transport/TRCOMMON.C:1105: Sending packet with type 2 to connection
debug(18-JAN-2016 12:09:09.01): Ssh2Transport/TRCOMMON.C:1105: Sending packet with type 30 to connection
debug(18-JAN-2016 12:09:09.02): Remote host key found from database.
debug(18-JAN-2016 12:09:09.03): Ssh2Transport/TRCOMMON.C:1105: Sending packet with type 2 to connection
debug(18-JAN-2016 12:09:09.03): Ssh2Transport/TRCOMMON.C:1105: Sending packet with type 21 to connection
debug(18-JAN-2016 12:09:09.03): Ssh2Transport/TRCOMMON.C:1105: Sending packet with type 2 to connection
debug(18-JAN-2016 12:09:09.03): Ssh2Transport/TRCOMMON.C:1105: Sending packet with type 5 to connection
debug(18-JAN-2016 12:09:09.08): Ssh2Transport/TRCOMMON.C:1105: Sending packet with type 2 to connection
debug(18-JAN-2016 12:09:09.08): Ssh2Transport/TRCOMMON.C:1105: Sending packet with type 50 to connection
debug(18-JAN-2016 12:09:09.08): Ssh2Common/SSHCOMMON.C:342: Received SSH_CROSS_STARTUP packet from connection protocol.
debug(18-JAN-2016 12:09:09.08): Ssh2Common/SSHCOMMON.C:392: Received SSH_CROSS_ALGORITHMS packet from connection protocol.

This is a private communications network for authorized use only.
If you do not have authorizations discontinue use at once.
All information is subject to recording and review without notice.
Any unauthorized use of this network is subject to prosecution.
Use of this network implies consent to these conditions.



debug(18-JAN-2016 12:09:09.08): server offers auth methods 'gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive'.
debug(18-JAN-2016 12:09:09.09): Ssh2AuthPubKeyClient/AUTHC-PUBKEY.C:1677: adding keyfile "/PASDISK2/pas_app/ssh2/ID_RSA_2048_B" to candidates
debug(18-JAN-2016 12:09:09.09): Ssh2Transport/TRCOMMON.C:1105: Sending packet with type 2 to connection
debug(18-JAN-2016 12:09:09.09): Ssh2Transport/TRCOMMON.C:1105: Sending packet with type 50 to connection
debug(18-JAN-2016 12:09:09.10): server offers auth methods 'gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive'.
debug(18-JAN-2016 12:09:09.10): Ssh2AuthClient/SSHAUTHC.C:366: Method 'publickey' disabled.
debug(18-JAN-2016 12:09:09.10): Ssh2Transport/TRCOMMON.C:1105: Sending packet with type 2 to connection
debug(18-JAN-2016 12:09:09.10): Ssh2Transport/TRCOMMON.C:1105: Sending packet with type 50 to connection
debug(18-JAN-2016 12:09:09.10): server offers auth methods 'gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive'.
debug(18-JAN-2016 12:09:09.10): Ssh2Transport/TRCOMMON.C:1105: Sending packet with type 2 to connection
debug(18-JAN-2016 12:09:09.10): Ssh2Transport/TRCOMMON.C:1105: Sending packet with type 50 to connection
Keyboard-interactive:
Password:
Steven Schweda
Honored Contributor

Re: public key authentication failing

> I have setup these public key authentication 100 times between openVMS
> and solaris [...]

   Your self-confidence is inspiring, but it doesn't provide much
reliable info on key file contents, location, ownership, or permissions.

> [...] can you tell the reason why its saying public key method
> disabled?

   I'd guess that "disabled" here means that the public-key
authentication attempt failed.  If you want to test that hypothesis, you
could observe a working connection, and then damage some key file, and
re-observe the resulting non-working connection.

   Generally, to avoid facilitating a break-in attempt, the server does
not tell the client much about authentication failures.  You might find
more useful info in the log files on the server.

> Sftp2/SFTP2.C:4804: CRTL version (SYS$SHARE:DECC$SHARE ident) is: V7.3-2-04

   Possibly more informative:

      tcpip show version

Hoff
Honored Contributor

Re: public key authentication failing

Check the protections on the key files, and check the server logs, and check whether the server is willing to use insecure encryption — more than a few ssh servers are not.  Why?  The arcfour encryption is insecure, and will be rejected by most newer ssh configurations — by OpenSSH 6.7 and later, and other ssh servers.

Steven Schweda
Honored Contributor

Re: public key authentication failing

> [...] check whether the server is willing to use insecure encryption
> [...]

   I know nothing, but I'd say that if you get so far as a
"Keyboard-interactive:" / "Password:" prompt, then the client and server
have probably negotiated some communication scheme acceptable to both.
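
An added example, not part of any post in this thread: a small Python triage of a client debug log in the format shown above, pulling out the points the replies raise (negotiated cipher, key files tried, the "disabled" method, the fallback to a password prompt). The `WEAK_CIPHERS` list and the function name `triage` are assumptions for illustration; the sample lines are excerpted from the posted log with the wrapped line rejoined.

```python
import re

# Sample input: lines excerpted from the log posted above (wrapped line rejoined).
SAMPLE_LOG = """\
debug(18-JAN-2016 12:09:09.00): Ssh2Transport/TRCOMMON.C:2371: c_to_s: cipher arcfour, mac hmac-sha1, compression none
debug(18-JAN-2016 12:09:09.00): Ssh2Transport/TRCOMMON.C:2374: s_to_c: cipher arcfour, mac hmac-sha1, compression none
debug(18-JAN-2016 12:09:09.08): server offers auth methods 'gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive'.
debug(18-JAN-2016 12:09:09.09): Ssh2AuthPubKeyClient/AUTHC-PUBKEY.C:1677: adding keyfile "/PASDISK2/pas_app/ssh2/ID_RSA_2048_B" to candidates
debug(18-JAN-2016 12:09:09.10): Ssh2AuthClient/SSHAUTHC.C:366: Method 'publickey' disabled.
Keyboard-interactive:
Password:
"""

# Assumption: a local policy list of cipher names to flag; adjust to your own policy.
WEAK_CIPHERS = {"arcfour", "arcfour128", "arcfour256", "none"}

CIPHER_RE = re.compile(r"(c_to_s|s_to_c): cipher ([\w@.-]+), mac ([\w@.-]+)")
OFFER_RE = re.compile(r"server offers auth methods '([^']*)'")
KEYFILE_RE = re.compile(r'adding keyfile "([^"]+)"')  # tolerant of terminal line wrap
DISABLED_RE = re.compile(r"Method '([\w-]+)' disabled")
PROMPT_RE = re.compile(r"^(Keyboard-interactive|Password):\s*$")

def triage(log_text):
    """Summarise one client debug log: negotiation, key candidates, auth fallback."""
    r = {"ciphers": {}, "offered": [], "keyfiles": [], "disabled": [],
         "prompted": False, "findings": []}
    for line in log_text.splitlines():
        if m := CIPHER_RE.search(line):
            r["ciphers"][m.group(1)] = m.group(2)
        elif m := OFFER_RE.search(line):
            r["offered"] = m.group(1).split(",")
        elif m := KEYFILE_RE.search(line):
            r["keyfiles"].append(m.group(1))
        elif m := DISABLED_RE.search(line):
            r["disabled"].append(m.group(1))
        elif PROMPT_RE.match(line):
            r["prompted"] = True
    weak = sorted({c for c in r["ciphers"].values() if c in WEAK_CIPHERS})
    if weak:
        r["findings"].append("weak cipher negotiated: " + ",".join(weak))
    for method in r["disabled"]:
        if method in r["offered"]:
            r["findings"].append(f"{method} disabled by client while server still offers it; "
                                 f"key files tried: {len(r['keyfiles'])}")
    if r["prompted"] and r["ciphers"]:
        r["findings"].append("transport negotiated; client fell back to an interactive prompt")
    return r

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG)["findings"]:
        print(finding)
```

The client log only shows that the method was dropped; the reason for the rejection is recorded, if anywhere, in the server's own logs.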