Thread: SSH with RSA Key Authentication
-
05-09-2006, 01:45 PM #1
SSH with RSA Key Authentication
I have a new server that I am trying to get SSH w/RSA Keys working.
My keys get rejected and I have to use my password to login.
I saw posts from a year ago saying you needed to get support to
change some configuration setting to get it working.
I have used the same keys on two different servers with success.
Yes, permissions are right: .ssh 700 and authorized_keys 644.
I see no sshd process, so it seems out of my hands.
Anyone work through this?
Tom
Last edited by w2vy; 05-10-2006 at 12:30 PM.
-
05-09-2006, 01:56 PM #2
I can login to my account without password. I forget if my key is RSA or DSA though. I'll look at it later.
However, in order to get it to work, I did need to put in a ticket with support. Your post didn't say if you had done that or not. So I'll confirm that it needs to be done.
-
05-09-2006, 02:15 PM #3
How long ago was that? Do you have the ticket number?
I tried Chat, then Email and then finally Email and they ended up directing me to Custom Services (at $95/hr).
So much for the 'Best Effort' to get things working I was told by sales 3 weeks ago.
-
05-09-2006, 02:49 PM #4
Ya know... it should 'just work'. It has for me and many others. You don't give any details on what the errors are (or what package you have), so I can't make any suggestions. But I don't think support needs to do anything (AFAIK).
-
05-09-2006, 03:21 PM #5
Well from Putty it says:
Using username "xanthusus".
Server refused our key
xanthusus@xanthus.us's password:
Then from another server (different key set)
xanthus:~/.ssh$ ssh -v xanthusus@xanthus.us
OpenSSH_3.7.1p2, SSH protocols 1.5/2.0, OpenSSL 0.9.7d 17 Mar 2004
debug1: Reading configuration data /usr/local/etc/ssh_config
debug1: Connecting to xanthus.us [206.130.125.172] port 22.
debug1: Connection established.
debug1: identity file /home/w2vy/.ssh/identity type -1
debug1: identity file /home/w2vy/.ssh/id_rsa type 1
debug1: identity file /home/w2vy/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.1p1
debug1: match: OpenSSH_3.1p1 pat OpenSSH_2.*,OpenSSH_3.0*,OpenSSH_3.1*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.7.1p2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'xanthus.us' is known and matches the RSA host key.
debug1: Found key in /home/w2vy/.ssh/known_hosts:24
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /home/w2vy/.ssh/identity
debug1: Offering public key: /home/w2vy/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Trying private key: /home/w2vy/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password
xanthusus@xanthus.us's password:
and then from the same server to my home system: (same keys)
xanthus:~/.ssh$ ssh -v tom@xxxx.yyyy.us
OpenSSH_3.7.1p2, SSH protocols 1.5/2.0, OpenSSL 0.9.7d 17 Mar 2004
debug1: Reading configuration data /usr/local/etc/ssh_config
debug1: Connecting to xxxx.yyyy.us [70.125.7.47] port 22.
debug1: Connection established.
debug1: identity file /home/w2vy/.ssh/identity type -1
debug1: identity file /home/w2vy/.ssh/id_rsa type 1
debug1: identity file /home/w2vy/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.2p1 FreeBSD-20050903
debug1: match: OpenSSH_4.2p1 FreeBSD-20050903 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.7.1p2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'xxxx.yyyy.us' is known and matches the DSA host key.
debug1: Found key in /home/w2vy/.ssh/known_hosts:26
debug1: ssh_dss_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /home/w2vy/.ssh/identity
debug1: Offering public key: /home/w2vy/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 149
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
so in short it does not like my keys...
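Added example (not part of the original post): a small Python helper that reduces the two `ssh -v` runs quoted above to the server version, the fate of each offered key, and the method that finally succeeded. The function name `summarize_auth` and the result layout are assumptions of this example, and the patterns match the OpenSSH 3.x/4.x client messages shown in this thread.

```python
import re

# Excerpts of the two `ssh -v` runs quoted in the post above (same client key).
FAILING = """\
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.1p1
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /home/w2vy/.ssh/identity
debug1: Offering public key: /home/w2vy/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Trying private key: /home/w2vy/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
"""
WORKING = """\
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.2p1 FreeBSD-20050903
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Offering public key: /home/w2vy/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 149
debug1: Authentication succeeded (publickey).
"""

SERVER = re.compile(r"debug1: Remote protocol version \S+, remote software version (.+)")
OFFER = re.compile(r"debug1: Offering public key: (.+)")
SUCCESS = re.compile(r"debug1: Authentication succeeded \(([\w-]+)\)")

def summarize_auth(debug_text):
    """Return the server version, each offered key's outcome, and the winning method."""
    out = {"server": None, "keys": {}, "succeeded": None}
    pending = None  # key that was offered and is still waiting for the server's answer
    for raw in debug_text.splitlines():
        line = raw.strip()
        if m := SERVER.match(line):
            out["server"] = m.group(1)
        elif m := OFFER.match(line):
            pending = m.group(1)
            out["keys"][pending] = "no answer"
        elif line.startswith("debug1: Server accepts key:") and pending:
            out["keys"][pending] = "accepted"
            pending = None
        elif line.startswith("debug1: Authentications that can continue:") and pending:
            # The server moved on without accepting the key that was just offered.
            out["keys"][pending] = "refused"
            pending = None
        elif m := SUCCESS.match(line):
            out["succeeded"] = m.group(1)
    return out
```

A key marked "refused" on one server and "accepted" on another, as here, points at the refusing server's side (authorized_keys location, contents or permissions) rather than at the client key.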
-
05-09-2006, 03:23 PM #6
I'll PM the ticket number.
I think jalal is right, it should just work. However sometimes it doesn't.
My story is I had this set up and working for a long time. Then around June of 2005 it suddenly stopped working. I put in a ticket with westhost and they told me that they had done some maintenance and moved my account to a different server and that I needed to recreate my authorized_keys file. Fair enough. However, after I did that, it still didn't work. So after a few more E-mails, they fixed it. Now that I look back at the responses to the ticket I see there was no explanation on what changed. So I don't know if they changed just my account or all accounts.
Last edited by torrin; 05-09-2006 at 03:29 PM.
-
05-11-2006, 09:29 AM #7
I was having problems, too, but just got it to work moments ago with help from the chat tech.
Two things had me messed up:
My authorized keys file was for ssh2, named "authorized_keys2". It should just be "authorized_keys"
My .ssh directory was located at /home/{username}/.ssh (which is actually /usr/home/{username}/.ssh ) But it should be located in the root directory ( /.ssh )
Oh, one other thing... the authorized_keys file was 700, tech said it needs to be 400. Don't know if that would really make a difference, but thought I'd mention it, just in case it helps...
-
05-11-2006, 07:06 PM #8
Well I raised a stink with support and they looked into it...
I tried it tonight and it works!
Bad news... The tech says he didn't change anything on my server
I even had them re-boot the server to make sure the setting stayed, it did.
I hate it when things fix themselves...
I suggested they set up a fresh server and try it...
I hope they do...
tom
-
08-02-2006, 09:42 PM #9
Resolving ssh issue from OS X
I found this thread from Google, but not the solution, so I thought I'd post it here. From OS X, I followed the directions at http://codeworks.gnomedia.com/westho...-secure-shell/ but still couldn't connect. Doing ssh -v username@example.com showed the line "No challenge". The trick was (and is) to do ssh -2 username@example.com to force use of SSHv2. With that, everything worked.
-
05-01-2007, 11:06 AM #10
I was having problems with this today. When I tried ssh -v -2 me@mydomain.com, it would connect to my server, but only if I entered my password manually.
To summarise, here is what you need to do:
- Download cwRsync or some similar package to your computer
- Run ssh-keygen -t dsa
- Connect to your server using PuTTY
- Accept the defaults - you need to save the keys in Documents and Settings\AccountName\.ssh on a Windows PC with no passphrase.
- Create the directory /.ssh on your server: mkdir /.ssh
- Change the access rights to /.ssh: chmod 0700 /.ssh
- Copy the file Documents and Settings\AccountName\.ssh\id_dsa.pub to /.ssh/authorized_keys on your server. If authorized_keys already exists, then append your key to the end of the file. It is IMPERATIVE that each key in your authorized_keys occupies a single line. pico kept splitting the key into multiple lines with me. I had to delete the extra linefeeds every time that I edited the file.
- Change the access rights for authorized_keys: chmod 0400 /.ssh/authorized_keys
- Try to connect to your server: ssh -v -2 mylogin@mydomain.com
If you got it right, then this is what you should see:
Code:
C:\cwRsync\bin>ssh -v -2 mylogin@mydomain.com
OpenSSH_4.5p1, OpenSSL 0.9.8d 28 Sep 2006
debug1: Connecting to mydomain.com [xxx.xxx.xxx.xxx] port 22.
debug1: Connection established.
debug1: identity file /cygdrive/x/Documents and Settings/Simpleton/.ssh/id_rsa type 1
debug1: identity file /cygdrive/x/Documents and Settings/Simpleton/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.1p1
debug1: match: OpenSSH_3.1p1 pat OpenSSH_2.*,OpenSSH_3.0*,OpenSSH_3.1*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.5
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'mydomain.com' is known and matches the RSA host key.
debug1: Found key in /cygdrive/x/DocumentsandSettings/Simpleton/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /cygdrive/x/Documents and Settings/Simpleton/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Offering public key: /cygdrive/x/Documents and Settings/Simpleton/.ssh/id_dsa
debug1: Server accepts key: pkalg ssh-dss blen 433
debug1: read PEM private key done: type DSA
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
Last login: Tue May 1 10:43:24 2007 from 81.168.120.241
[mylogin][~]$
If you get Unexpected Error when you try to connect, or the server simply disconnects when you have any RSA keys in Documents and Settings\AccountName\.ssh, then you have a problem in /.ssh/authorized_keys on your server.
Last edited by rolling; 05-01-2007 at 04:53 PM. Reason: Typo! Filename was wrong
Richard
I have jotted down some of my meddlings at http://www.rollingr.net/wordpress
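Added example (not part of the original post, and not WestHost's or OpenSSH's own code): a Python lint for the two authorized_keys problems this thread keeps running into, a key wrapped onto several lines by an editor and permissions that let group or others write. The function names and the sample key are constructed for illustration, and only the `ssh-rsa` and `ssh-dss` key types seen in this thread are recognised.

```python
import base64, binascii, os, stat, struct

KEY_TYPES = ("ssh-rsa", "ssh-dss")  # the two key types that appear in this thread

def blob_problem(key_type, b64):
    """Walk the length-prefixed fields of a key blob; return a problem or None."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return "key data is not valid base64"
    off, first = 0, None
    while off < len(raw):
        if off + 4 > len(raw):
            return "key data ends mid-field (line probably split)"
        (n,) = struct.unpack(">I", raw[off:off + 4])
        if off + 4 + n > len(raw):
            return "key data ends mid-field (line probably split)"
        first = raw[off + 4:off + 4 + n] if first is None else first
        off += 4 + n
    if first != key_type.encode():
        return "type inside key data differs from type on the line"
    return None

def lint_authorized_keys(text):
    """Return [(line_number, problem)] for the contents of an authorized_keys file."""
    problems = []
    for no, line in enumerate(text.splitlines(), 1):
        tokens = line.split()  # simplification: options with quoted spaces not handled
        if not tokens or tokens[0].startswith("#"):
            continue
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None:
            problems.append((no, "no key type here (tail of a wrapped key?)"))
        elif idx + 1 >= len(tokens):
            problems.append((no, "key type with no key data"))
        elif (p := blob_problem(tokens[idx], tokens[idx + 1])):
            problems.append((no, p))
    return problems

def mode_problems(path):
    """Flag group- or world-writable bits on .ssh or authorized_keys."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return [f"{path}: mode {mode:04o} is writable by group/others"] if mode & 0o022 else []

def sample_key_line():
    """Constructed sample (not a real key): type, exponent 35, 1024-bit modulus."""
    parts = [b"ssh-rsa", b"\x23", b"\x00" + bytes(range(128, 256))]
    blob = b"".join(struct.pack(">I", len(p)) + p for p in parts)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed@example"
```

Run `lint_authorized_keys(open(path).read())` after every edit of the file; a key that an editor has wrapped shows up as one problem on the line holding the key type and one on each continuation line.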