ssh with rsa keys weirdness

Postby ahammel » Mon Feb 13, 2012 8:27 pm UTC

I administer two backup servers for my lab (both running FreeBSD). Because we have problems with ssh password guessing attacks, I'm switching to RSA-key based logins rather than username/password combinations (among other precautions). Each server has two accounts: regular user and administrative. I use two different computers at work (laptop and desktop) with two different public keys. I've set up the servers to accept logins to either account from either of my computers (i.e., I can use my laptop to log in as user to server #1 or my desktop to log in as admin to server #2 or any other combination).

All of the logins work perfectly, except for the regular user account on one of the servers. I can log in as admin from either my desktop or my laptop, but not as a regular user from either. The ~/.ssh/authorized_keys files in the admin and user accounts are byte-for-byte identical. Permissions are identical. When I run 'ssh -vvv' I get the following unhelpful information:

[ ... ]
debug1: Offering RSA public key: /home/[myusername]/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
[on a successful login, the next line is: ]
debug1: Server accepts key: pkalg ssh-rsa blen [000]
[but instead I get: ]
debug1: Authentications that can continue: publickey
[and ssh runs through several more login methods before giving up]


I've tried restarting ssh, rebooting, deleting and recreating the 'authorized_keys' file and a few other fixes to no apparent effect. Any ideas as to what I'm missing?
He/Him/His/Alex
God damn these electric sex pants!

Re: ssh with rsa keys weirdness

Postby LikwidCirkel » Mon Feb 13, 2012 8:46 pm UTC

On the server, if you can, check /var/log/auth.log (or similar) for ssh login errors after a failed attempt. If it doesn't tell you much, you might have to change the logging level in your sshd_config file (usually at /etc/ssh/sshd_config).

This should tell you right away if there is a bad key or even if there is a file permission problem.

Also, make sure the usernames match on all systems.

You can set user and group specific authentication methods in the sshd_config file. Ensure blacklists/whitelists are OK for users.

This is pretty powerful and can get quite complex. You can allow some groups to use password auth, and force others to use only RSA auth, and even change the shell to things like /bin/false (for SFTP-Only users in a secure system for example), so check that kind of thing.

Re: ssh with rsa keys weirdness

Postby ahammel » Tue Feb 14, 2012 6:35 pm UTC

Got it!

Thanks for the tip about increasing sshd logging verbosity. Apparently I went insane some time in the past week or so and 'chown'ed the regular user's home directory to the admin user! The sshd doesn't like that, as it turns out.

Re: ssh with rsa keys weirdness

Postby LikwidCirkel » Tue Feb 14, 2012 9:16 pm UTC

No problem.

I remember sshd being ultra picky about file permissions. I've always been able to solve problems quickly by increasing verbosity and checking the logs of sshd. You can seldom tell anything useful from the client, as the server simply hangs up on errors as it damn well should for security reasons.
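
The failure diagnosed in this thread (a home directory owned by the wrong account) can be checked for directly on the server. The script below is an added example, not code from any poster: it approximates the ownership and mode checks sshd applies when StrictModes is enabled, and it assumes the default key location ~/.ssh/authorized_keys. The function names are hypothetical.

```python
import os
import stat

def entry_problems(path, st_uid, st_mode, uid):
    """Rule for one path: owner must be the user or root, no group/other write bit."""
    problems = []
    if st_uid not in (0, uid):
        problems.append(f"{path}: owned by uid {st_uid}, expected {uid} or root")
    if st_mode & 0o022:
        problems.append(f"{path}: mode {stat.S_IMODE(st_mode):04o} is group/world-writable")
    return problems

def strictmodes_problems(auth_keys, home, uid):
    """Walk from authorized_keys up to the home directory, collecting violations."""
    path, home = os.path.realpath(auth_keys), os.path.realpath(home)
    problems = []
    while True:
        st = os.stat(path)
        problems += entry_problems(path, st.st_uid, st.st_mode, uid)
        parent = os.path.dirname(path)
        # Stop at the home directory (or at "/" if the file lives elsewhere).
        if path == home or parent == path:
            return problems
        path = parent

if __name__ == "__main__":
    import pwd
    import sys
    # Usage (as root on the server): python3 check_ssh_perms.py <account>
    user = pwd.getpwnam(sys.argv[1])
    # Assumption: AuthorizedKeysFile is left at its default location.
    keys = os.path.join(user.pw_dir, ".ssh", "authorized_keys")
    found = strictmodes_problems(keys, user.pw_dir, user.pw_uid)
    for line in found or ["no ownership or mode problems found"]:
        print(line)
```

Run against the affected account, a home directory chowned to another user shows up as an "owned by uid" line for that directory, which matches what the raised sshd log level reported.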

