public key authentication failure

Gregory Steuck greg at nest.cx
Thu Dec 20 06:56:58 EST 2001


Hello,

I am attempting to make public key authentication to work between
OpenSSH 3.0.2 client on OpenBSD and SSH-1.99-OpenSSH_2.9 FreeBSD
localisations 20011202. From reading sshd -ddd and ssh -v I can't
figure out what goes wrong. Could somebody interpret the attached
typescripts for me, please?

Here's the relevant part from the server log and I don't understand it:

debug2: input_userauth_request: try method publickey
debug1: test whether pkalg/pkblob are acceptable
debug1: temporarily_use_uid: 1005/1005 (e=0)
debug1: restore_uid
debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa
Failed publickey for incomingmail from cl.ie.nt.ip port 29365 ssh2

Another thing that puzzles me is why does it start asking for s/key
authentication? I don't even have opie setup on the server side.  I am
pretty sure it has something to do with FreeBSD "localisations".

Thanks
Greg
-------------- next part --------------
Script started on Wed Dec 19 11:36:56 2001
$ sudo -u art ~art/sendartmail
Password:
OpenSSH_3.0.2, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
debug1: Reading configuration data /etc/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 1002 geteuid 1002 anon 1
debug1: Connecting to server.example.com [se.rv.er.ip] port 2222.
debug1: temporarily_use_uid: 1002/999 (e=1002)
debug1: restore_uid
debug1: temporarily_use_uid: 1002/999 (e=1002)
debug1: restore_uid
debug1: Connection established.
debug1: identity file /home/art/.ssh/id_rsa type 1
debug1: Remote protocol version 1.99, remote software version OpenSSH_2.9 FreeBSD localisations 20011202
debug1: match: OpenSSH_2.9 FreeBSD localisations 20011202 pat ^OpenSSH
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.0.2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 127/256
debug1: bits set: 521/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'server.example.org' is known and matches the RSA host key.
debug1: Found key in /home/art/.ssh/known_hosts:3
debug1: bits set: 538/1024
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is publickey
debug1: try pubkey: /home/art/.ssh/id_rsa
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is keyboard-interactive
otp-md5 391 bu2613 ext
S/Key Password: 
debug1: packet_send2: adding 32 (len 14 padlen 18 extra_pad 64)
Connection closed by se.rv.er.ip
debug1: Calling cleanup 0x1b7e0(0x0)
$ 
Script done on Wed Dec 19 11:38:08 2001
-------------- next part --------------
Script started on Wed Dec 19 11:40:22 2001
[greg at bum tmp]$ sudo /usr/sbin/sshd -ddd -p 2222
debug1: sshd version OpenSSH_2.9 FreeBSD localisations 20011202
debug1: private host key: #0 type 0 RSA1
debug3: No RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug3: No RSA1 key file /etc/ssh/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #2 type 1 RSA
debug1: Bind to port 2222 on 0.0.0.0.
Server listening on 0.0.0.0 port 2222.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from client.example.com port 29365
Connection from cl.ie.nt.ip port 29365
debug1: Client protocol version 2.0; client software version OpenSSH_3.0.2
debug1: match: OpenSSH_3.0.2 pat ^OpenSSH
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_2.9 FreeBSD localisations 20011202
debug1: Rhosts Authentication disabled, originating port not trusted.
debug1: list_hostkey_types: ssh-dss,ssh-rsa
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-dss,ssh-rsa
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
WARNING: /etc/ssh/primes does not exist, using old prime
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: dh_gen_key: priv key bits set: 128/256
debug1: bits set: 538/1024
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: bits set: 521/1024
debug2: ssh_rsa_sign: done
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug3: Trying to reverse map address cl.ie.nt.ip.
debug1: userauth-request for user incomingmail service ssh-connection method none
debug1: attempt 0 failures 0
debug2: input_userauth_request: setting up authctxt for incomingmail
debug1: Starting up PAM with username "incomingmail"
debug2: input_userauth_request: try method none
Failed none for incomingmail from cl.ie.nt.ip port 29365 ssh2
debug1: userauth-request for user incomingmail service ssh-connection method publickey
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method publickey
debug1: test whether pkalg/pkblob are acceptable
debug1: temporarily_use_uid: 1005/1005 (e=0)
debug1: restore_uid
debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa
Failed publickey for incomingmail from cl.ie.nt.ip port 29365 ssh2
debug1: userauth-request for user incomingmail service ssh-connection method keyboard-interactive
debug1: attempt 2 failures 2
debug2: input_userauth_request: try method keyboard-interactive
debug1: keyboard-interactive language  devs 
Postponed keyboard-interactive for incomingmail from cl.ie.nt.ip port 29365 ssh2
^C
Script done on Wed Dec 19 11:41:35 2001


More information about the openssh-unix-dev mailing list