topic Re: ssh private/public key authentication in Operating System - HP-UX

ssh private/public key authentication

Andrew_adm — Wed, 11 Oct 2006 09:27:26 GMT

Hi,
I´ve generated private and public keys with ssh-keygen -t dsa in two servers for non-root user (oracle in this case). I use default files for keys but it doesn´t work properly, i´ve not entered passphrase but the server response waiting for user´s password, why is it? it shouldn´t do this. These are the debug lines with ssh -v host:
$ ssh -v safi_iur
OpenSSH_4.1, OpenSSL 0.9.7e 25 Oct 2004
HP-UX Secure Shell-A.04.00.000, HP-UX Secure Shell version
debug1: Reading configuration data /opt/ssh/etc/ssh_config
debug1: Connecting to safi_iur [172.20.32.107] port 22.
debug1: Connection established.
debug1: identity file /extend/oracle/.ssh/id_rsa type -1
debug1: identity file /extend/oracle/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.8
debug1: match: OpenSSH_3.8 pat OpenSSH_3.*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'safi_iur' is known and matches the RSA host key.
debug1: Found key in /extend/oracle/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /extend/oracle/.ssh/id_rsa
debug1: Offering public key: /extend/oracle/.ssh/id_dsa
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
Password:

One more question, it´s possible than another keys exist from time before, any problem if i delete id_dsa´s ?

Re: ssh private/public key authentication

Jonathan Fife — Wed, 11 Oct 2006 10:02:17 GMT

Most of the key-exchange problems I've run into were permissions-related.

Check /var/adm/syslog/syslog.log for any errors thrown by ssh.

Re: ssh private/public key authentication

Ivan Ferreira — Wed, 11 Oct 2006 12:14:16 GMT

You can delete any id_dsa files that you want, but ensure that you transfer the new id_dsa.pub files to the remote host if you generate a new key.

Also, ensure that the permissions for the files are correct, in both hosts run:

chown -R oracle .ssh
chmod go-w .ssh

Re: ssh private/public key authentication

John Kelly_3 — Wed, 11 Oct 2006 14:35:03 GMT

Permissions to check are -
Your home directory. Try 750 or 755.
The ~/.ssh directory. Set to 700
The ~/.ssh/authorized_keys file. Set to 600

Also make sure ownership is appropriate on all the above.

These are the most common problems.

JohnK

Re: ssh private/public key authentication

Tim Nelson — Wed, 11 Oct 2006 14:36:57 GMT

Always seems to be one of two things.

Either the public key was pasted into the authorized_keys file or the permissions are wrong.

700 or 600 on all.

Re: ssh private/public key authentication

Andrew_adm — Fri, 13 Oct 2006 07:51:29 GMT

The problem was fixed, i think he permissions werenÂ´t the only thing, one server had a 04.00.20 version and the other a 03.80.X, the connection worked properly un sense 04.00 to 03.80, i upgraded to 04.00 and actually, the authentication works in the two ways. The actual permission are 750 for oracle userÂ´s home, 700 for .ssh and 600 for id_dsa.
Thanks a lot for your help.
Regards.

Re: ssh private/public key authentication

Andrew_adm — Fri, 13 Oct 2006 07:53:37 GMT

Closed xD.
Bye, and thx again!