DaemonForums  

Go Back   DaemonForums > FreeBSD > FreeBSD General

FreeBSD General Other questions regarding FreeBSD which do not fit in any of the categories below.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 12th October 2008
rex rex is offline
Real Name: Nikhil Rathod
Shell Scout
 
Join Date: May 2008
Location: Chicago
Posts: 114
Default Permission denied (publickey). Help pls

I trying to move from password based auth to pub. key authentication using this articlehttp://www.wsrcc.com/wolfgang/sshd-config.html.

My desktop (Server) is running FreeBSD 7 and I'm trying to access it form my macbook.

But every time I try to login, I see the following message.
Permission denied (publickey).

I tried searching, but was not able to find something which could solve this problem.

Can someone pls tell me what is wrong with this article or point me to one which works.
Reply With Quote
  #2   (View Single Post)  
Old 12th October 2008
PatrickBaer PatrickBaer is offline
Fdisk Soldier
 
Join Date: May 2008
Posts: 81
Default

Without reading it, have you checked for all the requirements?

private key in .ssh/id_rsa?/declared via command line switch -i /home/user/id_private?

public key in the servers authorized_keys file?

Logging in with correct username, e.g. ssh root@server?
Reply With Quote
  #3   (View Single Post)  
Old 12th October 2008
rex rex is offline
Real Name: Nikhil Rathod
Shell Scout
 
Join Date: May 2008
Location: Chicago
Posts: 114
Default

Quote:
Originally Posted by PatrickBaer View Post
Without reading it, have you checked for all the requirements?

private key in .ssh/id_rsa?/declared via command line switch -i /home/user/id_private?
Yes, ~/.ssh/ in mac contains
id_rsa id_rsa.pub known_hosts

I tried ssh -p 2150 user@server -i ~/.ssh/id_rsa

but get the same output


Quote:
Originally Posted by PatrickBaer View Post
public key in the servers authorized_keys file?
Yes I copied id_rsa_pub to ~/.ssh/authorized_keys in the server

Quote:
Originally Posted by PatrickBaer View Post
Logging in with correct username, e.g. ssh root@server?
Yes

Note:
I got 2 users on my FreeBSD box user1 and user2 and my mac contain user3. Then I created keys for user3 and copyed the pub key to ~/.ssh/authorized_keys of user1(on the server). And then when I'm logged in into mac as user3 and then try to ssh to server (freeBSD) as user1 (ssh -p 2150 user1@server) I get this error, but I get the similar error when I try to login as user2 (ssh -p 2150 user2@server) for which there is no ~/.ssh/ directory in server. This mean there is a possibility the ssh is not reading ~/.ssh/autorized_keys.

Last edited by rex; 12th October 2008 at 06:21 PM.
Reply With Quote
  #4   (View Single Post)  
Old 12th October 2008
phoenix's Avatar
phoenix phoenix is offline
Risen from the ashes
 
Join Date: May 2008
Posts: 696
Default

Try the command with -v or -vv, and see what the error is.
__________________
Freddie

Help for FreeBSD: Handbook, FAQ, man pages, mailing lists.
Reply With Quote
  #5   (View Single Post)  
Old 12th October 2008
rex rex is offline
Real Name: Nikhil Rathod
Shell Scout
 
Join Date: May 2008
Location: Chicago
Posts: 114
Default

Quote:
Originally Posted by phoenix View Post
Try the command with -v or -vv, and see what the error is.
Code:
user3$ ssh -vv -p 2150 user1@server
OpenSSH_5.1p1, OpenSSL 0.9.7l 28 Sep 2006
debug1: Reading configuration data /etc/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to server port 2150.
debug1: Connection established.
debug1: identity file /Users/user3/.ssh/identity type -1
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug2: key_type_from_name: unknown key type 'Proc-Type:'
debug2: key_type_from_name: unknown key type 'DEK-Info:'
debug2: key_type_from_name: unknown key type '-----END'
debug1: identity file /Users/user3/.ssh/id_rsa type 1
debug1: identity file /Users/user3/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.5p1 FreeBSD-20061110
debug1: match: OpenSSH_4.5p1 FreeBSD-20061110 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 132/256
debug2: bits set: 527/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '[server]:2150' is known and matches the DSA host key.
debug1: Found key in /Users/user3/.ssh/known_hosts:1
debug2: bits set: 521/1024
debug1: ssh_dss_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /Users/user3/.ssh/identity (0x0)
debug2: key: /Users/user3/.ssh/id_rsa (0x107ef0)
debug2: key: /Users/user3/.ssh/id_dsa (0x0)
Welcome to FreeBSD at REX

debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /Users/user3/.ssh/identity
debug1: Offering public key: /Users/user3/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey
debug1: Trying private key: /Users/user3/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey).

Last edited by rex; 12th October 2008 at 07:20 PM.
Reply With Quote
  #6   (View Single Post)  
Old 12th October 2008
BSDfan666 BSDfan666 is offline
Real Name: N/A, this is the interweb.
Banned
 
Join Date: Apr 2008
Location: Ontario, Canada
Posts: 2,223
Default

Use [code][/code] blocks next time.
Reply With Quote
  #7   (View Single Post)  
Old 12th October 2008
mdh's Avatar
mdh mdh is offline
Real Name: Matt D. Harris
FreeBSD 2.2.6 User
 
Join Date: Oct 2008
Location: West Virginia
Posts: 139
Default

Checking syslogs on the server may yield information, as well.
Reply With Quote
  #8   (View Single Post)  
Old 12th October 2008
rex rex is offline
Real Name: Nikhil Rathod
Shell Scout
 
Join Date: May 2008
Location: Chicago
Posts: 114
Default

Quote:
Originally Posted by mdh View Post
Checking syslogs on the server may yield information, as well.
and how can I check my syslogs
Reply With Quote
  #9   (View Single Post)  
Old 12th October 2008
anomie's Avatar
anomie anomie is offline
Local
 
Join Date: Apr 2008
Location: Texas
Posts: 445
Default

You're going to need to get physical access to the FreeBSD server (or call someone who can get access for you). I'd check /var/log/auth.log for clues.

If I had to take a WAG, you're using StrictModes in sshd_config, and you've set your permissions on your home directory and/or its .ssh subdirectory to be too "generous".

On a side note: Don't ever shut off your working authentication method until after you've got pubkey authentication working properly.
__________________
Kill your t.v.
Reply With Quote
Old 12th October 2008
mdh's Avatar
mdh mdh is offline
Real Name: Matt D. Harris
FreeBSD 2.2.6 User
 
Join Date: Oct 2008
Location: West Virginia
Posts: 139
Default

Is there any way you can get a console to the server? If not you may have to hook up some support from someone at the physical location or go there. Not a fun situation to be in; a lot of providers nowadays offer emergency network consoles for these sorts of cases.

If you're colocated and can add more physical equipment to your rack, I can say I've had good experiences using Cyclades gear for remote network serial consoles, so you may want to check them out.
Reply With Quote
Old 13th October 2008
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,165
Default

@mdh, in his first message rex clearly states that his server is his desktop

you should see something like this
Code:
debug1: Offering public key: /home/j65nko/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 277
debug2: input_userauth_pk_ok: fp 7b:cd:bd:bc:86:50:b0:82:e4:ae:59:d3:02:e7:56:a4
debug1: Authentication succeeded (publickey).
It looks like your desktop server does not accept the key.

I would recommend to revert to the previous sshd.config, in other words back out the modifications proposed in http://www.wsrcc.com/wolfgang/sshd-config.html.
Then check the permissions of your .ssh directory contents, as Anomie suggested.

Then retry again.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
Old 13th October 2008
mdh's Avatar
mdh mdh is offline
Real Name: Matt D. Harris
FreeBSD 2.2.6 User
 
Join Date: Oct 2008
Location: West Virginia
Posts: 139
Default

Quote:
Originally Posted by J65nko View Post
@mdh, in his first message rex clearly states that his server is his desktop
Oh, oops. I now realize he was asking how to check syslogs, not pointing out the fact that he couldn't get to the box to check the syslogs because he couldn't access it... My bad.

Quote:
Originally Posted by rex View Post
and how can I check my syslogs
Let me appropriately answer this now; generally your syslogs are, unless you've modified /etc/syslog.conf, stored in /var/log/. You should check the logs "auth.log" and "messages" for information from sshd.
Reply With Quote
Old 14th October 2008
rex rex is offline
Real Name: Nikhil Rathod
Shell Scout
 
Join Date: May 2008
Location: Chicago
Posts: 114
Talking

Thank you all for the replies and I apologize for the late response. After it didn't worked for the first time I reverted back to the password authentication. Now today I followed the same article to configure the public key authentication and it worked. the only difference this time is that I sicked with the original ssh port I.E. 22, where as last time I was trying my ssh server was configured for different port.

Now is it necessary to use port 22 when I'm using public key as this is the only thing I've changed and it worked.

Now that it is working next step is to use the private key that I've generated in osx with putty on Windows. Can it be done or I'll have to create new pair of keys for windows.
Reply With Quote
Old 14th October 2008
phoenix's Avatar
phoenix phoenix is offline
Risen from the ashes
 
Join Date: May 2008
Posts: 696
Default

Quote:
Originally Posted by rex View Post
Thank you all for the replies and I apologize for the late response. After it didn't worked for the first time I reverted back to the password authentication. Now today I followed the same article to configure the public key authentication and it worked. the only difference this time is that I sicked with the original ssh port I.E. 22, where as last time I was trying my ssh server was configured for different port.

Now is it necessary to use port 22 when I'm using public key as this is the only thing I've changed and it worked.
Nope, doesn't matter what port you use. That's not the issue here (not sure what is).

Quote:
Now that it is working next step is to use the private key that I've generated in osx with putty on Windows. Can it be done or I'll have to create new pair of keys for windows.
PuTTY doesn't use OpenSSH keys directly, it uses it's own PPK format. You have to run puttygen.exe and import the OpenSSH key. Then save the PPK key, and tell PuTTY to use that.
__________________
Freddie

Help for FreeBSD: Handbook, FAQ, man pages, mailing lists.
Reply With Quote
Reply

Tags
public key authentication, ssh, sshd_config

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
/tmp on ram write denied gosha OpenBSD General 8 29th March 2009 04:46 PM
FFS permission issue marc OpenBSD General 2 2nd February 2009 07:31 PM
Tightvnc startup script not loading fonts - permission denied master-richie FreeBSD Ports and Packages 2 3rd August 2008 09:29 PM
Permission denied delboy FreeBSD Ports and Packages 11 24th May 2008 09:26 PM
FTPD User Access Denied wastedbreath FreeBSD General 7 21st May 2008 03:44 AM


All times are GMT. The time now is 07:38 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick