Support for here documents with sftp client in OpenSSH 2.5.1p 1-1 (RH Linux 6.2 [2.2.x kernel])

Davis, Ricardo C. RCDavis at intermedia.com
Fri Mar 16 10:35:33 EST 2001


Damien,

I was going down the path of public key authentication when I encountered
problems.  I've been discussing it off-line using the simple example of
creating a key pair with no passphrase for an account on "myserver", then
trying to connect to myserver using the "ssh -i id_dsa myserver" command.
It's not working, so we're debugging now (see below).  If you have any
insight as to what's going on it would be appreciated.

-Ricardo

P.S.  The mode of id_dsa is 600, the mode of id_dsa.pub is 644.
____________________________________________________________________________

From:	Davis, Ricardo C.
Sent:	Thursday, March 15, 2001 5:52 PM
To:	'Markus Friedl'
Subject:	RE: Support for here documents with sftp client in OpenSSH 2.5.1p 1-1 (RH Linux 6.2 [2.2.x kernel])

-----------ssh monitor window-----------------
$ ssh -i id_dsa -p 1234 myserver.com
Permission denied (publickey,password,keyboard-interactive).
$

-----------sshd monitor window-----------------
su -
Password:
# sshd -d -d -d -p 1234
debug1: sshd version OpenSSH_2.5.1p1
debug1: load_private_key_autodetect: type 0 RSA1
debug3: Bad RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read SSH2 private key done: name dsa w/o comment success 1
debug1: load_private_key_autodetect: type 2 DSA
debug3: Bad RSA1 key file /etc/ssh/ssh_host_rsa_key.
debug1: read SSH2 private key done: name rsa w/o comment success 1
debug1: load_private_key_autodetect: type 1 RSA
debug1: Seeding random number generator
debug1: Bind to port 1234 on 0.0.0.0.
Server listening on 0.0.0.0 port 1234.
Generating 768 bit RSA key.
debug1: Seeding random number generator
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 0.0.0.0 port 724
debug1: Client protocol version 2.0; client software version OpenSSH_2.5.1p1
debug1: match: OpenSSH_2.5.1p1 pat ^OpenSSH
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_2.5.1p1
debug1: list_hostkey_types: ssh-dss,ssh-rsa
debug1: send KEXINIT
debug1: done
debug1: wait KEXINIT
debug1: got kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug1: got kexinit: ssh-rsa,ssh-dss
debug1: got kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
debug1: got kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
debug1: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug1: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug1: got kexinit: none
debug1: got kexinit: none
debug1: got kexinit:
debug1: got kexinit:
debug1: first kex follow: 0
debug1: reserved: 0
debug1: done
debug2: mac_init: found hmac-sha1
debug1: kex: client->server 3des-cbc hmac-sha1 none
debug2: mac_init: found hmac-sha1
debug1: kex: server->client 3des-cbc hmac-sha1 none
debug1: Wait SSH2_MSG_KEX_DH_GEX_REQUEST.
debug1: Sending SSH2_MSG_KEX_DH_GEX_GROUP.
debug1: bits set: 1009/2049
debug1: Wait SSH2_MSG_KEX_DH_GEX_INIT.
debug1: bits set: 1013/2049
debug2: ssh_rsa_sign: done
debug1: send SSH2_MSG_NEWKEYS.
debug1: done: send SSH2_MSG_NEWKEYS.
debug1: Wait SSH2_MSG_NEWKEYS.
debug1: GOT SSH2_MSG_NEWKEYS.
debug1: done: KEX2.
debug1: userauth-request for user myaccount service ssh-connection method none
debug1: attempt 0 failures 0
debug2: input_userauth_request: setting up authctxt for myaccount
debug1: Starting up PAM with username "myaccount"
debug1: Trying to reverse map address 0.0.0.0.
debug1: PAM setting rhost to "myserver.com"
debug2: input_userauth_request: try method none
Failed none for myaccount from 0.0.0.0 port 724 ssh2
debug1: userauth-request for user myaccount service ssh-connection method publickey
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method publickey
DSA authentication refused for myaccount: bad ownership or modes for '/home/myaccount/'.
debug2: userauth_pubkey: authenticated 0 pkalg ssh-dss
Failed publickey for myaccount from 0.0.0.0 port 724 ssh2
Connection closed by 0.0.0.0
debug1: Calling cleanup 0x80514a0(0x0)
debug1: Calling cleanup 0x80638a0(0x0)
#

Ok ... so it appears it doesn't like the account's directory.  Here's the
info on those:

# ls -ld m*
drwxrwx---   10 myaccoun  acctAdm      4096 Mar 15 13:42 myaccount
# cd myaccount
# ls -ld .ssh
drwx------    2 myaccoun  myaccoun     4096 Mar 15 16:56 .ssh

Strange ... it doesn't appear to me there is a problem.


-Ricardo
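Added example, not part of this thread and not OpenSSH's own code: the sshd line "bad ownership or modes for '/home/myaccount/'" comes from the StrictModes check, which walks from the authorized_keys file up through every parent directory and refuses the key if any component is owned by someone other than the user or root, or is writable by group or others. The "ls -ld" output above shows the home directory as drwxrwx--- (group-writable) while ~/.ssh is drwx------, which is why tightening authorized_keys2 alone did not help. The script below reproduces that test on a constructed model of the directory tree (the uid 1001 and the root-owned /home entries are assumptions) and can also be pointed at a real path.

```python
"""Reproduce the ownership/mode test that sshd's StrictModes applies to the
path leading to an authorized_keys file, and show which component fails.

Constructed example based on the "ls -ld" output quoted in the thread; the
numeric uid and the modes of / and /home are assumptions.
"""
import os
import stat

MYACCOUNT_UID = 1001  # assumed uid for "myaccoun"

# (path, permission bits, owner uid): a constructed model of what stat()
# would return for each component on the way to authorized_keys2.
CONSTRUCTED_TREE = [
    ("/", 0o755, 0),
    ("/home", 0o755, 0),
    ("/home/myaccount", 0o770, MYACCOUNT_UID),        # drwxrwx--- in the thread
    ("/home/myaccount/.ssh", 0o700, MYACCOUNT_UID),   # drwx------ in the thread
    ("/home/myaccount/.ssh/authorized_keys2", 0o600, MYACCOUNT_UID),
]


def symbolic_mode(perm):
    """Convert the nine permission characters of an ls -l line (the part
    after the file-type character) to numeric mode bits: 'rwxrwx---' -> 0o770."""
    bits = 0
    for i, ch in enumerate(perm[:9]):
        if ch in "rwxst":          # r, w, x set; s and t also imply x
            bits |= 1 << (8 - i)
        if ch in "sS" and i == 2:
            bits |= stat.S_ISUID
        if ch in "sS" and i == 5:
            bits |= stat.S_ISGID
        if ch in "tT" and i == 8:
            bits |= stat.S_ISVTX
    return bits


def strict_modes_problems(entries, uid):
    """Apply the StrictModes rule to every (path, mode, owner) entry and
    return a list of (path, reason) for each component sshd would reject."""
    problems = []
    for path, mode, owner in entries:
        if owner not in (uid, 0):
            problems.append((path, "not owned by the user or root (uid %d)" % owner))
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append((path, "writable by group or others (mode %04o)"
                             % (mode & 0o7777)))
    return problems


def with_write_bits_cleared(entries):
    """Return the same entries with group/other write bits removed, i.e. the
    effect of 'chmod go-w' on every component (the usual remediation)."""
    return [(p, m & ~(stat.S_IWGRP | stat.S_IWOTH), o) for p, m, o in entries]


def audit_authorized_keys(path, uid=None):
    """Live variant: stat every component of a real path and apply the same
    test.  Defaults the expected owner to the file's own owner."""
    path = os.path.abspath(path)
    if uid is None:
        uid = os.stat(path).st_uid
    chain = []
    while True:
        chain.append(path)
        parent = os.path.dirname(path)
        if parent == path:
            break
        path = parent
    entries = []
    for comp in reversed(chain):      # root first, like sshd's walk reversed
        st = os.stat(comp)
        entries.append((comp, stat.S_IMODE(st.st_mode), st.st_uid))
    return strict_modes_problems(entries, uid)


if __name__ == "__main__":
    for path, reason in strict_modes_problems(CONSTRUCTED_TREE, MYACCOUNT_UID):
        print("refused: %s: %s" % (path, reason))
    print("after chmod go-w:",
          strict_modes_problems(with_write_bits_cleared(CONSTRUCTED_TREE),
                                MYACCOUNT_UID) or "no problems")
```

Run it as-is to see the constructed tree rejected at /home/myaccount and accepted once the group write bit is gone; call audit_authorized_keys("~/.ssh/authorized_keys" expanded) on a real host to audit an account the same way sshd would.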
-----Original Message-----
From: Markus Friedl [mailto:Markus.Friedl at informatik.uni-erlangen.de]
Sent: Thursday, March 15, 2001 5:32 PM
To: Davis, Ricardo C.
Subject: Re: Support for here documents with sftp client in OpenSSH 2.5.1p 1-1 (RH Linux 6.2 [2.2.x kernel])


On Thu, Mar 15, 2001 at 05:26:21PM -0500, Davis, Ricardo C. wrote:
> Ok, did a "chmod go-w on ~/.ssh/authorized_keys2" and tried again with the
> same results.  So next I ran ssh with the -v option.

what does sshd -d -d -d -p 1234 say when you connect with
ssh -i id_dsa -p 1234 host. ?

-m

____________________________________________________________________________


-----Original Message-----
From: Damien Miller [mailto:djm at mindrot.org]
Sent: Thursday, March 15, 2001 6:26 PM
To: Davis, Ricardo C.
Cc: openssh-unix-dev at mindrot.org
Subject: Re: Support for here documents with sftp client in OpenSSH 2.5.1p1-1 (RH Linux 6.2 [2.2.x kernel])


<snip!>

You can use public key authentication - this is exactly what it is
designed for :)

-d

-- 
| Damien Miller <djm at mindrot.org> \ ``E-mail attachments are the poor man's
| http://www.mindrot.org          /   distributed filesystem'' - Dan Geer
