Secure Shell
Re: pubkey works for user: why not root ? Apr 18 2009 07:37PM
Eric_Malenfant Mitel com (1 replies)
RE: pubkey works for user: why not root ? Apr 20 2009 08:25PM
Pfister, Thomas P (pfister indiana edu)
The "-----BEGIN" and "-----END" lines are typical of keys that are formatted for the commercial SSH.COM server. There should be a parameter that you can pass to "keygen" to convert an SSH.COM key to an OpenSSH key.

Tom Pfister

-----Original Message-----

From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com] On Behalf Of Eric_Malenfant (at) Mitel (dot) com

Sent: Saturday, April 18, 2009 3:37 PM

To: sean darcy; secureshell

Subject: Re: pubkey works for user: why not root ?

Remove the 1st and last lines. The ones marked begin and end should not be included in the key.

Eric Malenfant

----- Original Message -----

From: sean darcy [seandarcy2 (at) gmail (dot) com]

Sent: 04/18/2009 10:27 AM AST

To: secureshell (at) securityfocus (dot) com

Subject: pubkey works for user: why not root ?

I can ssh from my laptop to the server as a user, but using root from same laptop to same server fails. root can login with password. In both cases run ssh-keygen on laptop, copy id_rsa.pub to server, cat id_rsa.pub >> authorized_keys, restart sshd on server. On client .ssh is 700, .ssh/id_rsa is 700. On server .ssh is 700, authorized_keys is 644 (same as user).

What am I missing??

sean

On client:

[root@daddy ~]# ssh -vv intel64-office

OpenSSH_5.2p1, OpenSSL 0.9.8k-fips 25 Mar 2009

debug1: Reading configuration data /etc/ssh/ssh_config

debug1: Applying options for *

debug2: ssh_connect: needpriv 0

debug1: Connecting to intel64-office [10.10.11.1] port 22.

debug1: Connection established.

debug1: permanently_set_uid: 0/0

debug1: identity file /root/.ssh/identity type -1

debug2: key_type_from_name: unknown key type '-----BEGIN'

debug2: key_type_from_name: unknown key type '-----END'

debug1: identity file /root/.ssh/id_rsa type 1

debug2: key_type_from_name: unknown key type '-----BEGIN'

debug2: key_type_from_name: unknown key type '-----END'

debug1: identity file /root/.ssh/id_dsa type 2

debug1: Remote protocol version 2.0, remote software version OpenSSH_5.2

debug1: match: OpenSSH_5.2 pat OpenSSH*

debug1: Enabling compatibility mode for protocol 2.0

debug1: Local version string SSH-2.0-OpenSSH_5.2

debug2: fd 3 setting O_NONBLOCK

debug1: SSH2_MSG_KEXINIT sent

debug1: SSH2_MSG_KEXINIT received

debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

debug2: kex_parse_kexinit: ssh-rsa,ssh-dss

debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se

debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se

debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96

debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96

debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib

debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib

debug2: kex_parse_kexinit:

debug2: kex_parse_kexinit:

debug2: kex_parse_kexinit: first_kex_follows 0

debug2: kex_parse_kexinit: reserved 0

debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

debug2: kex_parse_kexinit: ssh-rsa,ssh-dss

debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se

debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se

debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96

debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96

debug2: kex_parse_kexinit: none,zlib@openssh.com

debug2: kex_parse_kexinit: none,zlib@openssh.com

debug2: kex_parse_kexinit:

debug2: kex_parse_kexinit:

debug2: kex_parse_kexinit: first_kex_follows 0

debug2: kex_parse_kexinit: reserved 0

debug2: mac_setup: found hmac-md5

debug1: kex: server->client aes128-ctr hmac-md5 none

debug2: mac_setup: found hmac-md5

debug1: kex: client->server aes128-ctr hmac-md5 none

debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent

debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP

debug2: dh_gen_key: priv key bits set: 128/256

debug2: bits set: 506/1024

debug1: SSH2_MSG_KEX_DH_GEX_INIT sent

debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY

debug1: Host 'intel64-office' is known and matches the RSA host key.

debug1: Found key in /root/.ssh/known_hosts:6

debug2: bits set: 532/1024

debug1: ssh_rsa_verify: signature correct

debug2: kex_derive_keys

debug2: set_newkeys: mode 1

debug1: SSH2_MSG_NEWKEYS sent

debug1: expecting SSH2_MSG_NEWKEYS

debug2: set_newkeys: mode 0

debug1: SSH2_MSG_NEWKEYS received

debug1: SSH2_MSG_SERVICE_REQUEST sent

debug2: service_accept: ssh-userauth

debug1: SSH2_MSG_SERVICE_ACCEPT received

debug2: key: /root/.ssh/id_rsa (0xd24640)

debug2: key: /root/.ssh/id_dsa (0xd24658)

debug2: key: /root/.ssh/identity ((nil))

debug1: Authentications that can continue: publickey,gssapi-with-mic,password

debug1: Next authentication method: gssapi-with-mic

debug1: Unspecified GSS failure. Minor code may provide more information

No credentials cache found

debug1: Unspecified GSS failure. Minor code may provide more information

No credentials cache found

debug1: Unspecified GSS failure. Minor code may provide more information

debug2: we did not send a packet, disable method

debug1: Next authentication method: publickey

debug1: Offering public key: /root/.ssh/id_rsa

debug2: we sent a publickey packet, wait for reply

debug1: Authentications that can continue: publickey,gssapi-with-mic,password

debug1: Offering public key: /root/.ssh/id_dsa

debug2: we sent a publickey packet, wait for reply

debug1: Authentications that can continue: publickey,gssapi-with-mic,password

debug1: Trying private key: /root/.ssh/identity

debug2: we did not send a packet, disable method

debug1: Next authentication method: password

On server:

Apr 18 10:04:41 intel64-office sshd[2612]: debug1: Forked child 30747.

Apr 18 10:04:41 intel64-office sshd[30747]: debug1: rexec start in 5

out 5 newsock 5 pipe 7 sock 8

Apr 18 10:04:41 intel64-office sshd[30747]: debug1: inetd sockets

after dupping: 3, 3

Apr 18 10:04:41 intel64-office sshd[30747]: Connection from

10.10.11.69 port 33776

Apr 18 10:04:41 intel64-office sshd[30747]: debug1: Client protocol

version 2.0; client software version OpenSSH_5.2

Apr 18 10:04:41 intel64-office sshd[30747]: debug1: match: OpenSSH_5.2

pat OpenSSH*

Apr 18 10:04:41 intel64-office sshd[30747]: debug1: Enabling

compatibility mode for protocol 2.0

Apr 18 10:04:41 intel64-office sshd[30747]: debug1: Local version

string SSH-2.0-OpenSSH_5.2

Apr 18 10:04:41 intel64-office sshd[30749]: debug1: permanently_set_uid: 74/74

Apr 18 10:04:41 intel64-office sshd[30749]: debug1:

list_hostkey_types: ssh-rsa,ssh-dss

Apr 18 10:04:41 intel64-office sshd[30749]: debug1: SSH2_MSG_KEXINIT sent

Apr 18 10:04:41 intel64-office sshd[30749]: debug1: SSH2_MSG_KEXINIT received

Apr 18 10:04:41 intel64-office sshd[30749]: debug1: kex:

client->server aes128-ctr hmac-md5 none

Apr 18 10:04:41 intel64-office sshd[30749]: debug1: kex:

server->client aes128-ctr hmac-md5 none

Apr 18 10:04:41 intel64-office sshd[30749]: debug1:

SSH2_MSG_KEX_DH_GEX_REQUEST received

Apr 18 10:04:41 intel64-office sshd[30749]: debug1:

SSH2_MSG_KEX_DH_GEX_GROUP sent

Apr 18 10:04:41 intel64-office sshd[30749]: debug1: expecting

SSH2_MSG_KEX_DH_GEX_INIT

Apr 18 10:04:41 intel64-office sshd[30749]: debug1:

SSH2_MSG_KEX_DH_GEX_REPLY sent

Apr 18 10:04:41 intel64-office sshd[30749]: debug1: SSH2_MSG_NEWKEYS sent

Apr 18 10:04:41 intel64-office sshd[30749]: debug1: expecting SSH2_MSG_NEWKEYS

Apr 18 10:04:41 intel64-office sshd[30749]: debug1: SSH2_MSG_NEWKEYS received

Apr 18 10:04:41 intel64-office sshd[30749]: debug1: KEX done

Apr 18 10:04:41 intel64-office sshd[30749]: debug1: userauth-request

for user root service ssh-connection method none

Apr 18 10:04:41 intel64-office sshd[30749]: debug1: attempt 0 failures 0

Apr 18 10:04:41 intel64-office sshd[30747]: debug1: PAM: initializing for "root"

Apr 18 10:04:41 intel64-office sshd[30747]: debug1: PAM: setting

PAM_RHOST to "daddy-hp"

Apr 18 10:04:41 intel64-office sshd[30747]: debug1: PAM: setting

PAM_TTY to "ssh"

Apr 18 10:04:41 intel64-office sshd[30749]: debug1: userauth-request

for user root service ssh-connection method publickey

Apr 18 10:04:41 intel64-office sshd[30749]: debug1: attempt 1 failures 0

Apr 18 10:04:41 intel64-office sshd[30749]: debug1: test whether

pkalg/pkblob are acceptable

Apr 18 10:04:41 intel64-office sshd[30747]: debug1:

temporarily_use_uid: 0/0 (e=0/0)

Apr 18 10:04:41 intel64-office sshd[30747]: debug1: trying public key

file /root/.ssh/authorized_keys

Apr 18 10:04:41 intel64-office sshd[30747]: debug1: restore_uid: 0/0

Apr 18 10:04:41 intel64-office sshd[30747]: debug1:

temporarily_use_uid: 0/0 (e=0/0)

Apr 18 10:04:41 intel64-office sshd[30747]: debug1: trying public key

file /root/.ssh/authorized_keys2

Apr 18 10:04:41 intel64-office sshd[30747]: debug1: restore_uid: 0/0

Apr 18 10:04:41 intel64-office sshd[30747]: Failed publickey for root

from 10.10.11.69 port 33776 ssh2

Apr 18 10:04:41 intel64-office sshd[30749]: debug1: userauth-request

for user root service ssh-connection method publickey

Apr 18 10:04:41 intel64-office sshd[30749]: debug1: attempt 2 failures 1

Apr 18 10:04:41 intel64-office sshd[30749]: debug1: test whether

pkalg/pkblob are acceptable

Apr 18 10:04:41 intel64-office sshd[30747]: debug1:

temporarily_use_uid: 0/0 (e=0/0)

Apr 18 10:04:41 intel64-office sshd[30747]: debug1: trying public key

file /root/.ssh/authorized_keys

Apr 18 10:04:41 intel64-office sshd[30747]: debug1: restore_uid: 0/0

Apr 18 10:04:41 intel64-office sshd[30747]: debug1:

temporarily_use_uid: 0/0 (e=0/0)

Apr 18 10:04:41 intel64-office sshd[30747]: debug1: trying public key

file /root/.ssh/authorized_keys2

Apr 18 10:04:41 intel64-office sshd[30747]: debug1: restore_uid: 0/0

Apr 18 10:04:41 intel64-office sshd[30747]: Failed publickey for root

from 10.10.11.69 port 33776 ssh2

Apr 18 10:04:45 intel64-office sshd[30749]: debug1: userauth-request

for user root service ssh-connection method password

Apr 18 10:04:45 intel64-office sshd[30749]: debug1: attempt 3 failures 2

Apr 18 10:04:45 intel64-office sshd[30747]: debug1: PAM: password

authentication accepted for root

Apr 18 10:04:45 intel64-office sshd[30747]: debug1: do_pam_account: called

Apr 18 10:04:45 intel64-office sshd[30747]: Accepted password for root

from 10.10.11.69 port 33776 ssh2
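
Added example, not part of the original thread: a small Python check that reports which lines of an authorized_keys file are not in OpenSSH's one-line `type base64 [comment]` form, such as the "-----BEGIN"/"-----END" marker lines and wrapped key data discussed in the replies above. The function names and the sample key material are constructed for illustration; option strings are assumed not to contain a bare key-type word.

```python
import base64
import binascii
import struct

KEY_TYPES = {"ssh-rsa", "ssh-dss"}  # the host key types listed in the thread's debug output

def _ssh_string(data: bytes) -> bytes:
    """Length-prefixed string as used inside an SSH public key blob."""
    return struct.pack(">I", len(data)) + data

def make_sample_line(comment: str = "root@example") -> str:
    """Constructed ssh-rsa entry with a toy modulus: parseable, not a usable key."""
    blob = (_ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01")
            + _ssh_string(b"\x00" + b"\xc3" * 128))
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment

def classify_line(line: str) -> str:
    """Return 'ok', 'blank', 'comment', 'marker' or 'malformed: <reason>'."""
    s = line.strip()
    if not s:
        return "blank"
    if s.startswith("#"):
        return "comment"
    if s.startswith("----"):  # BEGIN/END line of a multi-line key block
        return "marker"
    fields = s.split()
    # Options may precede the key type, so look for the first key-type token.
    idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
    if idx is None or idx + 1 >= len(fields):
        return "malformed: no key type followed by key data"
    try:
        blob = base64.b64decode(fields[idx + 1], validate=True)
    except (binascii.Error, ValueError):
        return "malformed: key data is not valid base64"
    if len(blob) < 4:
        return "malformed: key data is truncated"
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii", "replace") != fields[idx]:
        return "malformed: key type differs from the type inside the blob"
    return "ok"

def audit(text: str):
    """Return (line number, finding) for every line sshd could not use as a key."""
    findings = [(no, classify_line(l)) for no, l in enumerate(text.splitlines(), 1)]
    return [(no, f) for no, f in findings if f not in ("ok", "blank", "comment")]

# Constructed sample: one good entry, a pasted multi-line block, one entry with options.
SAMPLE = "\n".join(["# constructed sample", make_sample_line(),
                    "-----BEGIN CONSTRUCTED SAMPLE-----", "AAAAB3NzaC1yc2EAAAADAQAB",
                    "-----END CONSTRUCTED SAMPLE-----",
                    'from="10.10.11.69" ' + make_sample_line()])
```

Running `audit()` over the contents of the server's authorized_keys file lists the line numbers to fix.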
