topic Re: SSH Key based user level access problem. in Operating System - HP-UX

SSH Key based user level access problem.

Charles Harris — Sun, 20 Feb 2005 20:19:11 GMT

Dear all,

I'm currently struggling to get ssh password-less logins to work. I've 18 host machines that I need seamless access between all running HPUX 11.x with OpenSSH_3.7.1p2-pwexp26, SSH protocols 1.5/2.0, OpenSSL 0.9.7c 30 Sep 2003
HP-UX_Secure_Shell-A.03.71.000, HP_UX Secure Shell versions.....
I've created a .ssh directory for every user that requires equivelent access, with 700 permisions and created the id_dsa.pub / id_dsa.
I've added all the key file from all hosts to the authorized_keys file and for 14 out of the 18, everything works. On the other machines, every time I ssh to the host, it askes me for a password!?
The Debug output is as follows:

debug1: Authentications that can continue: publickey,password,keyboard-interactve^M
debug2: we did not send a packet, disable method^M

Any ideas?!

Any help comments, tips, RTFM's etc warmly received as ever!!

Thanks,

-=ChaZ=-

Re: SSH Key based user level access problem.

Charles Harris — Sun, 20 Feb 2005 21:14:57 GMT

....bit more info:

The very verbose debug output states:
debug2: we did not send a packet, disable method

just before it falls back to password based authentication, although on the working servers, this line is never seen in the logs.

Again any help, comments, suggestions greatfully received!

Cheers,

-=ChaZ=-

Re: SSH Key based user level access problem.

Florian Heigl (new acc) — Sun, 20 Feb 2005 21:27:59 GMT

Points You didn't mention:
- ownership / permissions of user's home directory
- have target machines dsa hosts keys?
I could imagine there could be problems due to rsa/dsa mismatches.

Last last I bite my teeth out on this one I had accedentially called the file .ssh/authorized.keys instead of ..._...

Unfortunately, with this type of problem the -vv option doesn't help a lot, better check the target hosts' syslogs.

Re: SSH Key based user level access problem.

Charles Harris — Sun, 20 Feb 2005 21:45:22 GMT

Hi,

Thanks for the tips, unfortunately I have no access to the syslog's on the servers in question, so no luck there....
The .ssh dir has 700 permissions and everything under it ix 755 apart from id_dsa. I've double checked the permissions to no avail.
The authorised_keys, bit me once, but this time all file names are correct!

Any more pointers warmly received!

Cheers,

ChaZ

Re: SSH Key based user level access problem.

Florian Heigl (new acc) — Sun, 20 Feb 2005 22:10:55 GMT

no syslog? what stupid os has syslog not world-readable?

anyhow - see man ssh_config for dedicating a log file in the users homedir and more fancy logging.

Re: SSH Key based user level access problem.

Charles Harris — Sun, 20 Feb 2005 22:41:59 GMT

Thanks, I'll reconfigure the ssh config to log locally.... I hope it gives me something more useful to go on! - Shame I can't do the same for the sshd_config on the remote end....

Other than permissions (which are all to spec) and the files, has anyone come across a similar situation? - I've googled and seen the same errors, but no fixes as yet....

Cheers,

ChaZ

Re: SSH Key based user level access problem.

Charles Harris — Sun, 20 Feb 2005 22:46:22 GMT

....er... setting the log level in ssh_config on the client just reveals the same verbose messages as the -vvv command line!

Any other ideas (please, starting to get desperate now!! ;-)

Cheers,

ChaZ

Re: SSH Key based user level access problem.

Florian Heigl (new acc) — Mon, 21 Feb 2005 00:50:57 GMT

*cough* - don't mean to put You on the wrong track, but:

sshd_config:
#PubkeyAuthentication yes

ensure this is set and done, if that were for some reason disabled You would search until the very end of time [*]

[*](that would be when Ry'leh comes back on earth, for the lovecraftian's among us)

Re: SSH Key based user level access problem.

Con O'Kelly — Mon, 21 Feb 2005 01:13:10 GMT

Hi Charles

Sounds like you have covered all the bases.
The output
"debug2: we did not send a packet, disable method" is the key to your problem.

Unfortuntaely its fairly generic. This message could indicate:
- no entry in "authorized_keys" file
- incorrect entry in "authorized_keys file

I'd also check the following parameter in sshd_config.
PubkeyAuthentication yes
If its set to no, you'll also get this message.

Don't know if this will help but worth a try.

Cheers
Con

Re: SSH Key based user level access problem.

Charles Harris — Mon, 21 Feb 2005 01:31:22 GMT

Thanks for the great replies, unfortunately I'm still non the wiser..... I can't change the sshd_conf because I've not got root access to the remote servers..... so no joy there....

Con: Thanks for the confirmations, I'm sure everything is fine, all configs / permissions / server & client options in the conf files are the same! The *only* difference between the remote hosts that work and the ones that don't are the inetd.sec files. Although inetd.sec has no port 22 defined, maybe there is a generic rule that is messing things up.....

Incidently, the sshd_config's on all machines don't include the line to explicitly allow host/key based authentication although the some of them work....

Very strange!?!

Any other pointers / suggestions / comments warmly received as ever!!

Thanks for the help so far,

-=ChaZ=-

Re: SSH Key based user level access problem.

Florian Heigl (new acc) — Mon, 21 Feb 2005 02:10:57 GMT

The generic rule would look like all:all:deny

If that publickey line is missing and You don't have root access, kindly ask the root person to set it for debugging. As this represents an increase in security, he could hardly be against it :)

also, cksum the authorized_keys files maybe there's a line wrap in there.

Re: SSH Key based user level access problem.

Charles Harris — Mon, 21 Feb 2005 03:35:14 GMT

Haven't checked the inetd.sec, although thinking about it, if there was a deny filter, the connection would never get established in the first place....

I've tried re-creating the pub / host keys again too, still no joy. I've generated rsa and dsa keys but again nothing good to report.....

The error implies that the client is not doing or getting something, although if I use the same client (server) I can ssh as other users to the working machines......

If anyone else has anything else to offer, I'd really appreciate it!!! - Having sold ssh as the answer to our prayers, it's starting to get on my nerves now.....

Thanks again,

ChaZ

Re: SSH Key based user level access problem.

Florian Heigl (new acc) — Mon, 21 Feb 2005 05:18:25 GMT

Please try to exclude the publickeyauth yes (or whatever) parameter being wrong. have the system administrators explicitely set it and restart sshd.
It kind of smells like it.

Re: SSH Key based user level access problem.

Gordon Morrison_1 — Mon, 21 Feb 2005 06:18:35 GMT

You might also want to check the following line in sshd_config on the hosts where it isn't working:

#AuthorizedKeysFile .ssh/authorized_keys

If is is uncommented and set to anything OTHER than .ssh/authorized_keys, I think that could explain it (or it could be 1 of 256 other things :o/)

Re: SSH Key based user level access problem.

Charles Harris — Mon, 21 Feb 2005 21:32:38 GMT

Thanks again for the tips, I've attached the logs from -vvv from bloth the client and a new sshd server I'm running on the remote end as a user (with comparible params / permissions etc)
if anyone can assist with deciphering the logs and pointing me towards a fix I would be eternally greatful (and will consider spell checking further posts ;-)

Thanks again for the help so far!!!!!

-=ChaZ=-

Re: SSH Key based user level access problem.

Charles Harris — Mon, 21 Feb 2005 21:33:47 GMT

Only one attachment at a time? ...... here's the client log.....

Thanks!

-=ChaZ=-

Re: SSH Key based user level access problem.

Con O'Kelly — Tue, 22 Feb 2005 00:17:08 GMT

Hi (again) Chaz

Perplexing problem you have!

Don't want to repeat what you've said but can I confirm your problem as follows:

Client A (user "gnsadm") can connect to "gnsadm" user account on "neutron" using Publickey authentication. Client B (User "gnsadm") cannot connect to "gnsadm" user account on "neutron" with publickey authentication and is prompted for password.

From the log files it appears very much to be a problem with the public key entry in the authorized_keys file. It appears publickey is a recognised authentication method but the server is not recognising the public key thats been sent.

Perhaps its worth comparing the sshd log on the server for a client connecton that succeeded and one that failed.

Don't know if you have it but have attached a doco on HP-SSH. Might be useful.

http://newfdawg.com/docs/HP-SSH_Explained.PDF

Cheers
Con

Re: SSH Key based user level access problem.

Charles Harris — Tue, 22 Feb 2005 00:41:19 GMT

Thanks Con,

Yes as you deduced, the scenario is exactly as you state. The log file does look like it's having a problem with the id_dsa.pub key although I've check all permissions and even run the server side configuration on another port so that I can check the logging (I have no root access to the neutron side....) but all to no avail. I removed all of the users'd id's and regenerated them, but still get the same connection problem. I'm at a total loss now...
I've read and re-read all the documents I've found and can see nothing wrong at all.

I'm going to try creating another set of ID's of both rsa and dsa flavours to see if that gives any different errors.

I'll update as soon as I've something to report!!!

Thanks again for the support (I was a bit shocked to see a *cough* hostname appear, I guess both my sed and spelling skills have also left me.... ;-)

Cheers,

-=ChaZ=-

Re: SSH Key based user level access problem.

Andrei Lica_1 — Tue, 22 Feb 2005 03:45:53 GMT

it seems to be a problem with permisions. It always was for me.

Check to have 700 on .ssh , owner and group to be your user/group or start with a rm -rf .ssh
Check also the parent directory ( /home/user ) -> 755
It's better to first create the key ( ssh-keygen -t dsa ). This will create .ssh for you

On remote, same steps. ( ssh-keygen -t dsa is not needed but it doesn't hurt )
Then transfer the public key id_pub.dsa to remote host and :
cat id_dsa.pub >> ~/.ssh/authorized_keys2
Make sure you don't have 2 keys ( in .ssh/authorized_keys2 ) for the same host

Re: SSH Key based user level access problem.

Travis Harp_1 — Tue, 22 Feb 2005 09:29:24 GMT

Does this happen to be a Trusted system?
I had a similar problem about a year ago and it turned out to be an issue with the non hp (meaning it wasn't from an hp depot) version of ssh and my trusted systems.

Once trusted was turned off it worked correctly, the fix we used was to install the hp .depot version of ssh and all was well.