topic debug1: RSA authentication using agent refused. in Operating System - HP-UX

debug1: RSA authentication using agent refused.

PT Joao Cesar — Wed, 25 Mar 2009 15:29:45 GMT

Hi there,

We are facing some problems in several HP machines regarding the ssh access.
The error that we have is:

Sun_SSH_1.1, SSH protocols 1.5/2.0, OpenSSL 0x0090704f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to sgcdb [xxx.xxx.xx.xx] port 22.
debug1: Connection established.
debug1: identity file /home/jmc/.ssh/identity type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.9
debug1: match: OpenSSH_3.9 pat OpenSSH*
debug1: Local version string SSH-1.5-Sun_SSH_1.1
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug1: Host 'sgcdb' is known and matches the RSA1 host key.
debug1: Found key in /home/jmc/.ssh/known_hosts:64
debug1: Encryption type: 3des
debug1: Sent encrypted session key.
debug1: cipher_init: set keylen (16 -> 32)
debug1: cipher_init: set keylen (16 -> 32)
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: Trying RSA authentication via agent with 'jmc@faruk.seg-social.pt'
debug1: Received RSA challenge from server.
debug1: Sending response to RSA challenge.
debug1: Remote: RSA authentication accepted.
debug1: RSA authentication using agent refused.
Permission denied.
debug1: Calling cleanup 0x3429c(0x0)

Can anyone give some light to solve the problem ?

Joao

Re: debug1: RSA authentication using agent refused.

Steven E. Protter — Wed, 25 Mar 2009 16:12:23 GMT

Shalom,

Most likely permission issues in the files in .ssh or ownership. Or both.

http://www.hpux.ws/?p=10

SEP

Re: debug1: RSA authentication using agent refused.

PT Joao Cesar — Wed, 25 Mar 2009 16:16:00 GMT

Thanks for the quick response.

That was the first thing that we have checked.

root@sgcdb[rx8620](/home/jmc)# ls -al .ssh/
total 32
-rw-r--r-- 1 jmc other 342 Jul 11 2007 authorized_keys
drwxr-xr-x 2 jmc other 96 Jul 11 2007 .
drwxr-xr-x 4 jmc other 8192 Set 20 2003 ..

Other ideas ?

Re: debug1: RSA authentication using agent refused.

PT Joao Cesar — Thu, 26 Mar 2009 10:14:41 GMT

The odd thing is that with the key in the root authorized_keys we are able to ssh. Only the "normal" users aren't doing the login.

This is our /opt/ssh/etc/sshd_config:

# $OpenBSD: sshd_config,v 1.69 2004/05/23 23:59:53 dtucker Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin:/opt/ssh/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

# ---- Defaults changed by Sergio Crespo 14-11-2005
# Do not permit root login
# Protocol is 1,2
# Change ListeAddress to the backup network
# Change RSAauthentication to yes
# Change the PasswordAuthentication to no
# Change the PermitEmptyPasswords to no
# Change the ChallengeResponseAuthentication to no
# ---- Add this changes and restart sshd

# ---- Start of specific IIES Access rules
# Only Change this Lines
Port 22
Protocol 1,2
ListenAddress 0.0.0.0
PermitRootLogin yes
RSAAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
X11Forwarding yes
X11UseLocalhost no
TCPKeepAlive yes
UseDNS no
# ---- End of specific IIES Access Rules

# HostKey for protocol version 1
HostKey /opt/ssh/etc/ssh_host_key
# HostKeys for protocol version 2
HostKey /opt/ssh/etc/ssh_host_rsa_key
HostKey /opt/ssh/etc/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#StrictModes yes
#MaxAuthTries 6

#PubkeyAuthentication yes

# For this to work you will also need host keys in /opt/ssh/etc/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# Kerberos options
KerberosAuthentication yes
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
UsePAM yes

#AllowTcpForwarding yes
#GatewayPorts no
#X11DisplayOffset 10
#PrintMotd yes
#PrintLastLog yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem sftp /opt/ssh/libexec/sftp-server

# sftp-server logging
#LogSftp no
#SftpLogFacility AUTH
#SftpLogLevel INFO

# sftp-server umask control
#SftpUmask

#SftpPermitChmod yes
#SftpPermitChown yes

Any help is very welcomed.

Joao

Re: debug1: RSA authentication using agent refused.

Ganesan R — Thu, 26 Mar 2009 10:51:33 GMT

Hi,

Most of the time ssh password less login will fail because of improper permissions.Make sure the following permissions on remote server.

Home directory should have 755 permission (users home directory)
$HOME/.ssh directory should have 700 permission
$HOME/.ssh/authorized_keys file should have 600 permission

The above permissions are must...

Re: debug1: RSA authentication using agent refused.

T G Manikandan — Thu, 26 Mar 2009 10:58:16 GMT

first,

can you change your authorized_keys file to
600 and .ssh directory should be 700.

Second,

can you explicitly specify -1 -2 protocol versions with this connections and check.

Re: debug1: RSA authentication using agent refused.

PT Joao Cesar — Thu, 26 Mar 2009 11:35:05 GMT

Thanks for the answers.

The permissions are correct i suppose.

root@sgcdb[rx8620](/home/jmc)# ls -al
total 112
drwxr-xr-x 4 jmc other 8192 Set 20 2003 .
root@sgcdb[rx8620](/home/jmc)# ls -al .ssh/
total 32
-rw------- 1 jmc other 342 Mar 26 11:02 authorized_keys
drwx------ 2 jmc other 96 Jul 11 2007 .
drwxr-xr-x 4 jmc other 8192 Set 20 2003 ..

Error with Protocol 1:
-bash-3.00$ ssh -v sgcdb -1
Sun_SSH_1.1, SSH protocols 1.5/2.0, OpenSSL 0x0090704f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to sgcdb [xxx.xxx.xx.xx] port 22.
debug1: Connection established.
debug1: identity file /home/jmc/.ssh/identity type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.9
debug1: match: OpenSSH_3.9 pat OpenSSH*
debug1: Local version string SSH-1.5-Sun_SSH_1.1
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug1: Host 'sgcdb' is known and matches the RSA1 host key.
debug1: Found key in /home/jmc/.ssh/known_hosts:64
debug1: Encryption type: 3des
debug1: Sent encrypted session key.
debug1: cipher_init: set keylen (16 -> 32)
debug1: cipher_init: set keylen (16 -> 32)
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: Trying RSA authentication via agent with 'jmc@faruk.seg-social.pt'
debug1: Received RSA challenge from server.
debug1: Sending response to RSA challenge.
debug1: Remote: RSA authentication accepted.
debug1: RSA authentication using agent refused.
Permission denied.
debug1: Calling cleanup 0x3429c(0x0)

Error with Protocol 2:
-bash-3.00$ ssh -v sgcdb -2
Sun_SSH_1.1, SSH protocols 1.5/2.0, OpenSSL 0x0090704f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to sgcdb [xxx.xxx.xx.xx] port 22.
debug1: Connection established.
debug1: identity file /home/jmc/.ssh/id_rsa type -1
debug1: identity file /home/jmc/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.9
debug1: match: OpenSSH_3.9 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-Sun_SSH_1.1
debug1: Failed to acquire GSS-API credentials for any mechanisms (No credentials were supplied, or the credentials were unavailable or inaccessible
Unknown code 0
)
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: Peer sent proposed langtags, ctos:
debug1: Peer sent proposed langtags, stoc:
debug1: We proposed langtags, ctos: i-default
debug1: We proposed langtags, stoc: i-default
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 145/256
debug1: bits set: 1013/2048
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'sgcdb' is known and matches the RSA host key.
debug1: Found key in /home/jmc/.ssh/known_hosts:83
debug1: bits set: 998/2048
debug1: ssh_rsa_verify: signature correct
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Failed to acquire GSS-API credentials for any mechanisms (No credentials were supplied, or the credentials were unavailable or inaccessible
Unknown code 0
)
debug1: Next authentication method: publickey
debug1: Trying private key: /home/jmc/.ssh/id_rsa
debug1: Trying private key: /home/jmc/.ssh/id_dsa
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-with-mic,password).
debug1: Calling cleanup 0x3429c(0x0)

Thanks ppl for the help.

Re: debug1: RSA authentication using agent refused.

T G Manikandan — Thu, 26 Mar 2009 12:54:38 GMT

can you include -vvv for more debug output pls.

Re: debug1: RSA authentication using agent refused.

PT Joao Cesar — Thu, 26 Mar 2009 13:49:55 GMT

Of course.

-bash-3.00$ ssh -vvv sgcdb -1
Sun_SSH_1.1, SSH protocols 1.5/2.0, OpenSSL 0x0090704f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to sgcdb [xxx.xxx.xx.xx] port 22.
debug1: Connection established.
debug2: key_type_from_name: unknown key type '1024'
debug3: key_read: no key found
debug1: identity file /home/jmc/.ssh/identity type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.9
debug1: match: OpenSSH_3.9 pat OpenSSH*
debug1: Local version string SSH-1.5-Sun_SSH_1.1
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug3: check_host_in_hostfile: filename /home/jmc/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 64
debug3: check_host_in_hostfile: filename /home/jmc/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 64
debug1: Host 'sgcdb' is known and matches the RSA1 host key.
debug1: Found key in /home/jmc/.ssh/known_hosts:64
debug1: Encryption type: 3des
debug1: Sent encrypted session key.
debug1: cipher_init: set keylen (16 -> 32)
debug1: cipher_init: set keylen (16 -> 32)
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: Trying RSA authentication via agent with 'jmc@faruk.seg-social.pt'
debug1: Received RSA challenge from server.
debug1: Sending response to RSA challenge.
debug1: Remote: RSA authentication accepted.
debug1: RSA authentication using agent refused.
Permission denied.
debug1: Calling cleanup 0x3429c(0x0)

-bash-3.00$ ssh -vvv sgcdb -2
Sun_SSH_1.1, SSH protocols 1.5/2.0, OpenSSL 0x0090704f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to sgcdb [xxx.xxx.xx.xx] port 22.
debug1: Connection established.
debug1: identity file /home/jmc/.ssh/id_rsa type -1
debug1: identity file /home/jmc/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.9
debug1: match: OpenSSH_3.9 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-Sun_SSH_1.1
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes128-cbc,arcfour,3des-cbc,blowfish-cbc
debug2: kex_parse_kexinit: aes128-ctr,aes128-cbc,arcfour,3des-cbc,blowfish-cbc
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: i-default
debug2: kex_parse_kexinit: i-default
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug1: Failed to acquire GSS-API credentials for any mechanisms (No credentials were supplied, or the credentials were unavailable or inaccessible
Unknown code 0
)
debug1: SSH2_MSG_KEXINIT sent
debug3: kex_reset_dispatch -- should we dispatch_set(KEXINIT) here? 0 && !0
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes128-cbc,arcfour,3des-cbc,blowfish-cbc
debug2: kex_parse_kexinit: aes128-ctr,aes128-cbc,arcfour,3des-cbc,blowfish-cbc
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: i-default
debug2: kex_parse_kexinit: i-default
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: Peer sent proposed langtags, ctos:
debug1: Peer sent proposed langtags, stoc:
debug1: We proposed langtags, ctos: i-default
debug1: We proposed langtags, stoc: i-default
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 118/256
debug1: bits set: 981/2048
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /home/jmc/.ssh/known_hosts
debug2: key_type_from_name: unknown key type '1024'
debug3: key_read: no key found
debug3: check_host_in_hostfile: match line 83
debug3: check_host_in_hostfile: filename /home/jmc/.ssh/known_hosts
debug2: key_type_from_name: unknown key type '1024'
debug3: key_read: no key found
debug3: check_host_in_hostfile: match line 83
debug1: Host 'sgcdb' is known and matches the RSA host key.
debug1: Found key in /home/jmc/.ssh/known_hosts:83
debug1: bits set: 1053/2048
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug3: kex_reset_dispatch -- should we dispatch_set(KEXINIT) here? 0 && !0
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug2: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-with-mic,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug1: Failed to acquire GSS-API credentials for any mechanisms (No credentials were supplied, or the credentials were unavailable or inaccessible
Unknown code 0
)
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug2: userauth_pubkey_agent: no keys at all
debug2: userauth_pubkey_agent: no more keys
debug2: userauth_pubkey_agent: no message sent
debug1: Trying private key: /home/jmc/.ssh/id_rsa
debug3: no such identity: /home/jmc/.ssh/id_rsa
debug1: Trying private key: /home/jmc/.ssh/id_dsa
debug3: no such identity: /home/jmc/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-with-mic,password).
debug1: Calling cleanup 0x3429c(0x0)

Joao

Re: debug1: RSA authentication using agent refused.

Ganesan R — Thu, 26 Mar 2009 14:00:38 GMT

Hi,

>>>debug2: userauth_pubkey_agent: no keys at all
debug2: userauth_pubkey_agent: no more keys
debug2: userauth_pubkey_agent: no message sent <<<<

It looks the keys are not present in remote machine's authorized_keys file. Could you verify it?

Re: debug1: RSA authentication using agent refused.

PT Joao Cesar — Thu, 26 Mar 2009 14:08:24 GMT

Hi,

root@sgcdb[rx8620](/home/jmc/.ssh)# cat authorized_keys
1024 35 12337735952310019747936062665098735750088510560929016859697516464186765752575822619882873742084478688971521280023157276901313363819844199267815655692888208519996980864873395319996176882142901362xx36146756879281704758713138947747489593883108855654188747252063054225015179812970961237544600451373602943978068451 xxx@xxx.xxx.xx

I have copied the authorized_keys from another HP that is working the ssh, just for sure.

Joao