# ssh keys

## exodist

I have a set of ssh keys I have used for about 3 years now. Every time I set up one of my systems I copy the .ssh directory in the home directory and just delete the known hosts file. Then I am always able to ssh without a password.

A few days ago I reformatted a pentium4 and athlon64 at the same time. Copied the .ssh from a known good computer... it still prompts for password.

From each system I can log into any of my other machines that I have not recently reformatted with no password required, but to get to each other, or from one of the other computers, a password is still requested. I figured it was a change in the config files, so I copied them from the known good system(s). Same behavior. I tried /etc/init.d/sshd restart, and I tried rebooting. After that I figured it is a difference for the newest version of ssh, so I modified the files by hand to try and fix any changes in behavior. I will post the files below, but basically the behavior did not change.

what has changed in recent ssh versions that prevents the ssh keys from working?

I have a key for each of the 3 (dsa, rsa, identity) and all 3 public keys are in the authorized_keys and authorized_keys2 files.

here are the config files:

ssh_config:

```

#   $OpenBSD: ssh_config,v 1.19 2003/08/13 08:46:31 markus Exp $

# This is the ssh client system-wide configuration file.  See

# ssh_config(5) for more information.  This file provides defaults for

# users, and the values can be changed in per-user configuration files

# or on the command line.

# Configuration data is parsed as follows:

#  1. command line options

#  2. user-specific file

#  3. system-wide file

# Any configuration value is only changed the first time it is set.

# Thus, host-specific definitions should be at the beginning of the

# configuration file, and defaults at the end.

# Site-wide defaults for various options

# Host *

#   ForwardAgent no

   ForwardX11 yes

   RhostsRSAAuthentication yes

   RSAAuthentication yes

   PasswordAuthentication yes

#   HostbasedAuthentication no

#   BatchMode no

#   CheckHostIP yes

#   AddressFamily any

#   ConnectTimeout 0

   StrictHostKeyChecking no

   IdentityFile ~/.ssh/identity

   IdentityFile ~/.ssh/id_rsa

   IdentityFile ~/.ssh/id_dsa

#   Port 22

#   Protocol 2,1

#   Cipher 3des

#   Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc

#   EscapeChar ~

```

sshd_config:

```

#   $OpenBSD: sshd_config,v 1.69 2004/05/23 23:59:53 dtucker Exp $

# This is the sshd server system-wide configuration file.  See

# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with

# OpenSSH is to specify options with their default value where

# possible, but leave them commented.  Uncommented options change a

# default value.

#Port 22

Protocol 2

#ListenAddress 0.0.0.0

#ListenAddress ::

# HostKey for protocol version 1

#HostKey /etc/ssh/ssh_host_key

# HostKeys for protocol version 2

#HostKey /etc/ssh/ssh_host_rsa_key

#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key

#KeyRegenerationInterval 1h

#ServerKeyBits 768

# Logging

#obsoletes QuietMode and FascistLogging

#SyslogFacility AUTH

#LogLevel INFO

# Authentication:

#LoginGraceTime 2m

PermitRootLogin yes

#StrictModes yes

#MaxAuthTries 6

RSAAuthentication yes

PubkeyAuthentication yes

AuthorizedKeysFile   .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts

#RhostsRSAAuthentication no

# similar for protocol version 2

#HostbasedAuthentication no

# Change to yes if you don't trust ~/.ssh/known_hosts for

# RhostsRSAAuthentication and HostbasedAuthentication

#IgnoreUserKnownHosts no

# Don't read the user's ~/.rhosts and ~/.shosts files

#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!

#PasswordAuthentication yes

#PermitEmptyPasswords no

# Change to no to disable s/key passwords

#ChallengeResponseAuthentication yes

# Kerberos options

#KerberosAuthentication no

#KerberosOrLocalPasswd yes

#KerberosTicketCleanup yes

#KerberosGetAFSToken no

# GSSAPI options

#GSSAPIAuthentication no

#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing, 

# and session processing. If this is enabled, PAM authentication will 

# be allowed through the ChallengeResponseAuthentication mechanism. 

# Depending on your PAM configuration, this may bypass the setting of 

# PasswordAuthentication, PermitEmptyPasswords, and 

# "PermitRootLogin without-password". If you just want the PAM account and 

# session checks to run without PAM authentication, then enable this but set 

# ChallengeResponseAuthentication=no

#UsePAM no

AllowTcpForwarding yes

#GatewayPorts no

X11Forwarding yes

#X11DisplayOffset 10

#X11UseLocalhost yes

#PrintMotd yes

#PrintLastLog yes

#TCPKeepAlive yes

#UseLogin no

#UsePrivilegeSeparation yes

#PermitUserEnvironment no

#Compression yes

#ClientAliveInterval 0

#ClientAliveCountMax 3

#UseDNS yes

#PidFile /var/run/sshd.pid

#MaxStartups 10

# no default banner path

#Banner /some/path

# override default of no subsystems

Subsystem   sftp   /usr/lib/misc/sftp-server

```

----------

## teknomage1

Are your keys older and require the Protocol line to read 'Protocol 2 1' ?

----------

## commonloon

I'd suggest trying the following:

1) ssh is picky about the perms of your .ssh dir and its content. The directory should be chmod 700. The authorized_keys file should be chmod 600 (although I'm not sure this matters).

2) See what ssh -v -v user@host produces (post it).

3) Are the keys 1 or 2? You might try changing to: 

Protocol 2,1 # i.e. both

...your sshd_config as teknomage1 suggests. You can also simply do: ssh -1 user@host the '-1' says use protocol 1

4) You can also bump up the log level and then the log may give you a better clue to why it's failing. Use the init script to restart sshd or, as I prefer when testing remotely, do a kill -HUP `cat /var/run/sshd.pid` and use a 2nd term window to ssh in... that way, if ssh fails to restart you still have the old window open and you can fix and start sshd remotely.

Hope this helps.
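
The permission check from step 1, as an added example that is not part of the original thread: a shell function (hypothetical name `audit_ssh_dir`) that flags the modes under which sshd with `StrictModes yes` ignores authorized_keys and under which the ssh client ignores a private key, and also checks that every .pub file is listed in authorized_keys. The key file names are the ones from the posted ssh_config; GNU or BSD `stat` is assumed.

```sh
#!/bin/sh
# Added example (not from the thread): audit HOME/.ssh for the permission
# problems that silently disable public key login.

# Print the octal permission bits of a path (GNU stat, then BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# True when group or others may write to the path (mode & 022).
group_or_world_writable() {
    m=$(mode_of "$1")
    [ $(( 0$m & 022 )) -ne 0 ]
}

# True when group or others have any access at all (mode & 077).
open_to_others() {
    m=$(mode_of "$1")
    [ $(( 0$m & 077 )) -ne 0 ]
}

# audit_ssh_dir HOME_DIR
# Prints one line per finding; returns 0 when nothing was found.
audit_ssh_dir() {
    home=$1
    sshdir=$home/.ssh
    findings=0

    if [ ! -d "$sshdir" ]; then
        echo "MISSING  $sshdir"
        return 1
    fi

    # Server side: with StrictModes yes, sshd ignores authorized_keys when
    # the home directory, ~/.ssh or the file is group- or world-writable.
    for p in "$home" "$sshdir" "$sshdir/authorized_keys"; do
        [ -e "$p" ] || continue
        if group_or_world_writable "$p"; then
            echo "WRITABLE $p (mode $(mode_of "$p")): sshd ignores authorized_keys"
            findings=$((findings + 1))
        fi
    done

    # Client side: ssh ignores a private key that group or others can access.
    for key in "$sshdir/identity" "$sshdir/id_rsa" "$sshdir/id_dsa"; do
        [ -f "$key" ] || continue
        if open_to_others "$key"; then
            echo "EXPOSED  $key (mode $(mode_of "$key")): ssh ignores this key"
            findings=$((findings + 1))
        fi
    done

    # Every public key in the directory should appear verbatim in authorized_keys.
    for pub in "$sshdir"/*.pub; do
        [ -f "$pub" ] || continue
        if ! grep -qxF -e "$(head -n 1 "$pub")" "$sshdir/authorized_keys" 2>/dev/null; then
            echo "ABSENT   $pub is not listed in authorized_keys"
            findings=$((findings + 1))
        fi
    done

    [ "$findings" -eq 0 ]
}
```

Run it as `audit_ssh_dir "$HOME"` on both the client and the server account; a clean result rules out permissions before looking at protocol versions or the daemon itself.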

----------

## exodist

```
exodist@Aswan exodist $ ssh -vv 192.168.0.3          

OpenSSH_3.9p1, OpenSSL 0.9.7d 17 Mar 2004

debug1: Reading configuration data /etc/ssh/ssh_config

debug2: ssh_connect: needpriv 0

debug1: Connecting to 192.168.0.3 [192.168.0.3] port 22.

debug1: Connection established.

debug1: identity file /home/exodist/.ssh/identity type 0

debug2: key_type_from_name: unknown key type '-----BEGIN'

debug2: key_type_from_name: unknown key type '-----END'

debug1: identity file /home/exodist/.ssh/id_rsa type 1

debug2: key_type_from_name: unknown key type '-----BEGIN'

debug2: key_type_from_name: unknown key type '-----END'

debug1: identity file /home/exodist/.ssh/id_dsa type 2

debug1: Remote protocol version 1.99, remote software version OpenSSH_3.9p1

debug1: match: OpenSSH_3.9p1 pat OpenSSH*

debug1: Enabling compatibility mode for protocol 2.0

debug1: Local version string SSH-2.0-OpenSSH_3.9p1

debug2: fd 3 setting O_NONBLOCK

debug1: SSH2_MSG_KEXINIT sent

debug1: SSH2_MSG_KEXINIT received

debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

debug2: kex_parse_kexinit: ssh-rsa,ssh-dss

debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se, aes128-ctr,aes192-ctr,aes256-ctr

debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se, aes128-ctr,aes192-ctr,aes256-ctr

debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96

debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96

debug2: kex_parse_kexinit: none,zlib

debug2: kex_parse_kexinit: none,zlib

debug2: kex_parse_kexinit: 

debug2: kex_parse_kexinit: 

debug2: kex_parse_kexinit: first_kex_follows 0 

debug2: kex_parse_kexinit: reserved 0 

debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

debug2: kex_parse_kexinit: ssh-rsa,ssh-dss

debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se, aes128-ctr,aes192-ctr,aes256-ctr

debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se, aes128-ctr,aes192-ctr,aes256-ctr

debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96

debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96

debug2: kex_parse_kexinit: none,zlib

debug2: kex_parse_kexinit: none,zlib

debug2: kex_parse_kexinit: 

debug2: kex_parse_kexinit: 

debug2: kex_parse_kexinit: first_kex_follows 0 

debug2: kex_parse_kexinit: reserved 0 

debug2: mac_init: found hmac-md5

debug1: kex: server->client aes128-cbc hmac-md5 none

debug2: mac_init: found hmac-md5

debug1: kex: client->server aes128-cbc hmac-md5 none

debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent

debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP

debug2: dh_gen_key: priv key bits set: 100/256

debug2: bits set: 484/1024

debug1: SSH2_MSG_KEX_DH_GEX_INIT sent

debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY

debug1: Host '192.168.0.3' is known and matches the RSA host key.

debug1: Found key in /home/exodist/.ssh/known_hosts:2

debug2: bits set: 529/1024

debug1: ssh_rsa_verify: signature correct

debug2: kex_derive_keys

debug2: set_newkeys: mode 1

debug1: SSH2_MSG_NEWKEYS sent

debug1: expecting SSH2_MSG_NEWKEYS

debug2: set_newkeys: mode 0

debug1: SSH2_MSG_NEWKEYS received

debug1: SSH2_MSG_SERVICE_REQUEST sent

debug2: service_accept: ssh-userauth

debug1: SSH2_MSG_SERVICE_ACCEPT received

debug2: key: /home/exodist/.ssh/id_rsa (0x808f2c8)

debug2: key: /home/exodist/.ssh/id_dsa (0x808f2e0)

debug1: Authentications that can continue: publickey,keyboard-interactive

debug1: Next authentication method: publickey

debug1: Offering public key: /home/exodist/.ssh/id_rsa

debug2: we sent a publickey packet, wait for reply

debug1: Authentications that can continue: publickey,keyboard-interactive

debug1: Offering public key: /home/exodist/.ssh/id_dsa

debug2: we sent a publickey packet, wait for reply

debug1: Authentications that can continue: publickey,keyboard-interactive

debug2: we did not send a packet, disable method

debug1: Next authentication method: keyboard-interactive

debug2: userauth_kbdint

debug2: we sent a keyboard-interactive packet, wait for reply

debug2: input_userauth_info_req

debug2: input_userauth_info_req: num_prompts 1

```

looks to me like the newer sshd gives unknown type for the keys that worked fine in older versions on my older config computers. (as I said exact copy including permissions of the systems that work fine) and I changed config file to do both versions 1 and 2 and restarted sshd to apply changes before giving this info.

EDIT:  Added spaces to a few lines for line wrapping.  --pjp

----------

## exodist

rethinking it, it is the local ssh that can't id the keys, except for dsa, but since the local system can connect to remotes other than the 2 just reformatted ones I would guess the third key that it does recognise is the one it uses in those cases.    I am sure it is a server-end error cause it is only connecting to those 2 boxes that there is a problem, connecting from them to other boxes or from other boxes to other boxes there are no probs

----------

## commonloon

I think it's ssh -v I normally use  :Wink:  Sorry. I did a little grep debug1. It looks like you have 3 keys (excuse me if I re-state the obvious):

```
debug1: identity file /home/exodist/.ssh/identity type 0
debug1: identity file /home/exodist/.ssh/id_rsa type 1
debug1: identity file /home/exodist/.ssh/id_dsa type 2
.
.
.
debug1: Offering public key: /home/exodist/.ssh/id_rsa
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Offering public key: /home/exodist/.ssh/id_dsa
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
```

(1) protocol version 1 key and (2) protocol version 2 keys (from the names). From the output it looks like it only tries the version 2 keys... Did you try ssh -1 -v as well? Also, have you cat'd the authorized_keys file and verified that the identity.pub, id_rsa.pub, id_dsa.pub are in there (or whichever one you prefer).
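
The "grep debug1" reading above, as an added example that is not part of the original thread: a shell function (hypothetical name `summarize_pubkey_auth`) that reads `ssh -v` output on stdin and reports what happened to each offered key. It goes slightly beyond the post by also covering an accepted key and a connection that drops while a key is pending; the sample lines are copied from the logs in this thread.

```sh
#!/bin/sh
# Added example (not from the thread): condense ssh -v client output into
# one line per offered key plus the method that finally logged in.
#
# REJECTED path  server answered the offer with "Authentications that can continue"
# ACCEPTED path  server answered with "Server accepts key"
# DROPPED  path  connection closed (or log ended) before the server answered
# LOGIN method   authentication method that succeeded
summarize_pubkey_auth() {
    awk '
    /^debug1: Offering public key: / {
        pending = $5                      # path of the key being offered
        next
    }
    /^debug1: Server accepts key/ {
        if (pending != "") print "ACCEPTED", pending
        pending = ""
        next
    }
    /^debug1: Authentications that can continue:/ {
        # Only a rejection when it follows an offer; the first such line
        # is just the list of methods the server advertises.
        if (pending != "") print "REJECTED", pending
        pending = ""
        next
    }
    /^Connection closed by / {
        if (pending != "") print "DROPPED", pending
        pending = ""
        next
    }
    /^debug1: Authentication succeeded / {
        method = $4
        gsub(/[().]/, "", method)         # "(publickey)." -> "publickey"
        print "LOGIN", method
    }
    END {
        if (pending != "") print "DROPPED", pending
    }'
}

# Lines copied from the Abydos -> 192.168.0.3 log in this thread.
SAMPLE_REJECTED='debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /home/exodist/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Offering public key: /home/exodist/.ssh/id_dsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug1: Authentication succeeded (keyboard-interactive).'

# Lines copied from the Giza -> 192.168.0.2 log, where sshd segfaulted.
SAMPLE_DROPPED='debug1: Offering public key: /home/exodist/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
Connection closed by 192.168.0.2'

printf '%s\n' "$SAMPLE_REJECTED" | summarize_pubkey_auth
printf '%s\n' "$SAMPLE_DROPPED" | summarize_pubkey_auth
```

A REJECTED line means the server looked at the key and refused it, which points at authorized_keys content or permissions on the server; a DROPPED line points at the daemon itself.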

----------

## exodist

I have all the keys in the authorized_keys  file, I put them there by:

```
cd ~/.ssh
cat *.pub >> authorized_keys
```

----------

## exodist

I reformatted Computer A (Abydos) but not Computer B (Abydos) the problems remain.

here is when I try using compA as server, and CompB to connect:

```

Abydos exodist # /usr/sbin/sshd -ddd

debug2: load_server_config: filename /etc/ssh/sshd_config

debug2: load_server_config: done config len = 405

debug2: parse_server_config: config /etc/ssh/sshd_config len 405

debug1: sshd version OpenSSH_3.9p1

debug1: private host key: #0 type 0 RSA1

debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.

debug1: read PEM private key done: type RSA

debug1: private host key: #1 type 1 RSA

debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.

debug1: read PEM private key done: type DSA

debug1: private host key: #2 type 2 DSA

debug1: rexec_argv[0]='/usr/sbin/sshd'

debug1: rexec_argv[1]='-ddd'

debug2: fd 3 setting O_NONBLOCK

debug1: Bind to port 22 on ::.

Server listening on :: port 22.

Generating 768 bit RSA key.

RSA key generation complete.

debug3: fd 4 is not O_NONBLOCK

debug1: Server will not fork when running in debugging mode.

debug3: send_rexec_state: entering fd = 7 config len 405

debug3: ssh_msg_send: type 0

debug3: send_rexec_state: done

debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7

Segmentation fault

Abydos exodist # 

```

```

exodist@Giza exodist $ ssh 192.168.0.2 -vv 

OpenSSH_3.9p1, OpenSSL 0.9.7e 25 Oct 2004

debug1: Reading configuration data /etc/ssh/ssh_config

debug2: ssh_connect: needpriv 0

debug1: Connecting to 192.168.0.2 [192.168.0.2] port 22.

debug1: Connection established.

debug1: identity file /home/exodist/.ssh/identity type 0

debug2: key_type_from_name: unknown key type '-----BEGIN'

debug2: key_type_from_name: unknown key type '-----END'

debug1: identity file /home/exodist/.ssh/id_rsa type 1

debug2: key_type_from_name: unknown key type '-----BEGIN'

debug2: key_type_from_name: unknown key type '-----END'

debug1: identity file /home/exodist/.ssh/id_dsa type 2

debug1: Remote protocol version 1.99, remote software version OpenSSH_3.9p1

debug1: match: OpenSSH_3.9p1 pat OpenSSH*

debug1: Enabling compatibility mode for protocol 2.0

debug1: Local version string SSH-2.0-OpenSSH_3.9p1

debug2: fd 3 setting O_NONBLOCK

debug1: SSH2_MSG_KEXINIT sent

debug1: SSH2_MSG_KEXINIT received

debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

debug2: kex_parse_kexinit: ssh-rsa,ssh-dss

debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se, aes128-ctr,aes192-ctr,aes256-ctr

debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se, aes128-ctr,aes192-ctr,aes256-ctr

debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96

debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96

debug2: kex_parse_kexinit: none,zlib

debug2: kex_parse_kexinit: none,zlib

debug2: kex_parse_kexinit: 

debug2: kex_parse_kexinit: 

debug2: kex_parse_kexinit: first_kex_follows 0 

debug2: kex_parse_kexinit: reserved 0 

debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

debug2: kex_parse_kexinit: ssh-rsa,ssh-dss

debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se, aes128-ctr,aes192-ctr,aes256-ctr

debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se, aes128-ctr,aes192-ctr,aes256-ctr

debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96

debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96

debug2: kex_parse_kexinit: none,zlib

debug2: kex_parse_kexinit: none,zlib

debug2: kex_parse_kexinit: 

debug2: kex_parse_kexinit: 

debug2: kex_parse_kexinit: first_kex_follows 0 

debug2: kex_parse_kexinit: reserved 0 

debug2: mac_init: found hmac-md5

debug1: kex: server->client aes128-cbc hmac-md5 none

debug2: mac_init: found hmac-md5

debug1: kex: client->server aes128-cbc hmac-md5 none

debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent

debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP

debug2: dh_gen_key: priv key bits set: 128/256

debug2: bits set: 507/1024

debug1: SSH2_MSG_KEX_DH_GEX_INIT sent

debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY

debug1: Host '192.168.0.2' is known and matches the RSA host key.

debug1: Found key in /home/exodist/.ssh/known_hosts:4

debug2: bits set: 533/1024

debug1: ssh_rsa_verify: signature correct

debug2: kex_derive_keys

debug2: set_newkeys: mode 1

debug1: SSH2_MSG_NEWKEYS sent

debug1: expecting SSH2_MSG_NEWKEYS

debug2: set_newkeys: mode 0

debug1: SSH2_MSG_NEWKEYS received

debug1: SSH2_MSG_SERVICE_REQUEST sent

debug2: service_accept: ssh-userauth

debug1: SSH2_MSG_SERVICE_ACCEPT received

debug2: key: /home/exodist/.ssh/id_rsa (0x80905d8)

debug2: key: /home/exodist/.ssh/id_dsa (0x80905f0)

debug1: Authentications that can continue: publickey,keyboard-interactive

debug1: Next authentication method: publickey

debug1: Offering public key: /home/exodist/.ssh/id_rsa

debug2: we sent a publickey packet, wait for reply

Connection closed by 192.168.0.2

```

here is when I do the inverse and connect to compB from compA

```

Giza root # /usr/sbin/sshd -ddd

debug2: load_server_config: filename /etc/ssh/sshd_config

debug2: load_server_config: done config len = 405

debug2: parse_server_config: config /etc/ssh/sshd_config len 405

debug1: sshd version OpenSSH_3.9p1

debug1: private host key: #0 type 0 RSA1

debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.

debug1: read PEM private key done: type RSA

debug1: private host key: #1 type 1 RSA

debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.

debug1: read PEM private key done: type DSA

debug1: private host key: #2 type 2 DSA

debug1: rexec_argv[0]='/usr/sbin/sshd'

debug1: rexec_argv[1]='-ddd'

debug2: fd 3 setting O_NONBLOCK

debug1: Bind to port 22 on ::.

Server listening on :: port 22.

Generating 768 bit RSA key.

RSA key generation complete.

debug3: fd 4 is not O_NONBLOCK

debug1: Server will not fork when running in debugging mode.

debug3: send_rexec_state: entering fd = 7 config len 405

debug3: ssh_msg_send: type 0

debug3: send_rexec_state: done

debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7

```

```

exodist@Abydos / $ ssh 192.168.0.3 -vv

OpenSSH_3.9p1, OpenSSL 0.9.7e 25 Oct 2004

debug1: Reading configuration data /etc/ssh/ssh_config

debug2: ssh_connect: needpriv 0

debug1: Connecting to 192.168.0.3 [192.168.0.3] port 22.

debug1: Connection established.

debug1: identity file /home/exodist/.ssh/identity type 0

debug2: key_type_from_name: unknown key type '-----BEGIN'

debug2: key_type_from_name: unknown key type '-----END'

debug1: identity file /home/exodist/.ssh/id_rsa type 1

debug2: key_type_from_name: unknown key type '-----BEGIN'

debug2: key_type_from_name: unknown key type '-----END'

debug1: identity file /home/exodist/.ssh/id_dsa type 2

debug1: Remote protocol version 1.99, remote software version OpenSSH_3.9p1

debug1: match: OpenSSH_3.9p1 pat OpenSSH*

debug1: Enabling compatibility mode for protocol 2.0

debug1: Local version string SSH-2.0-OpenSSH_3.9p1

debug2: fd 3 setting O_NONBLOCK

debug1: SSH2_MSG_KEXINIT sent

debug1: SSH2_MSG_KEXINIT received

debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

debug2: kex_parse_kexinit: ssh-rsa,ssh-dss

debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se, aes128-ctr,aes192-ctr,aes256-ctr

debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se, aes128-ctr,aes192-ctr,aes256-ctr

debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96

debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96

debug2: kex_parse_kexinit: none,zlib

debug2: kex_parse_kexinit: none,zlib

debug2: kex_parse_kexinit: 

debug2: kex_parse_kexinit: 

debug2: kex_parse_kexinit: first_kex_follows 0 

debug2: kex_parse_kexinit: reserved 0 

debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

debug2: kex_parse_kexinit: ssh-rsa,ssh-dss

debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se, aes128-ctr,aes192-ctr,aes256-ctr

debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se, aes128-ctr,aes192-ctr,aes256-ctr

debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96

debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96

debug2: kex_parse_kexinit: none,zlib

debug2: kex_parse_kexinit: none,zlib

debug2: kex_parse_kexinit: 

debug2: kex_parse_kexinit: 

debug2: kex_parse_kexinit: first_kex_follows 0 

debug2: kex_parse_kexinit: reserved 0 

debug2: mac_init: found hmac-md5

debug1: kex: server->client aes128-cbc hmac-md5 none

debug2: mac_init: found hmac-md5

debug1: kex: client->server aes128-cbc hmac-md5 none

debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent

debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP

debug2: dh_gen_key: priv key bits set: 120/256

debug2: bits set: 522/1024

debug1: SSH2_MSG_KEX_DH_GEX_INIT sent

debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY

debug1: Host '192.168.0.3' is known and matches the RSA host key.

debug1: Found key in /home/exodist/.ssh/known_hosts:2

debug2: bits set: 507/1024

debug1: ssh_rsa_verify: signature correct

debug2: kex_derive_keys

debug2: set_newkeys: mode 1

debug1: SSH2_MSG_NEWKEYS sent

debug1: expecting SSH2_MSG_NEWKEYS

debug2: set_newkeys: mode 0

debug1: SSH2_MSG_NEWKEYS received

debug1: SSH2_MSG_SERVICE_REQUEST sent

debug2: service_accept: ssh-userauth

debug1: SSH2_MSG_SERVICE_ACCEPT received

debug2: key: /home/exodist/.ssh/id_rsa (0x5554f0)

debug2: key: /home/exodist/.ssh/id_dsa (0x555510)

debug1: Authentications that can continue: publickey,keyboard-interactive

debug1: Next authentication method: publickey

debug1: Offering public key: /home/exodist/.ssh/id_rsa

debug2: we sent a publickey packet, wait for reply

debug1: Authentications that can continue: publickey,keyboard-interactive

debug1: Offering public key: /home/exodist/.ssh/id_dsa

debug2: we sent a publickey packet, wait for reply

debug1: Authentications that can continue: publickey,keyboard-interactive

debug2: we did not send a packet, disable method

debug1: Next authentication method: keyboard-interactive

debug2: userauth_kbdint

debug2: we sent a keyboard-interactive packet, wait for reply

debug2: input_userauth_info_req

debug2: input_userauth_info_req: num_prompts 1

Password: 

debug2: input_userauth_info_req

debug2: input_userauth_info_req: num_prompts 0

debug1: Authentication succeeded (keyboard-interactive).

debug1: channel 0: new [client-session]

debug2: channel 0: send open

debug1: Entering interactive session.

debug2: callback start

debug2: x11_get_proto: /usr/bin/xauth -f /tmp/ssh-eEjqB16640/xauthfile generate :0.0 MIT-MAGIC-COOKIE-1 untrusted timeout 1200 2>/dev/null

debug2: x11_get_proto: /usr/bin/xauth -f /tmp/ssh-eEjqB16640/xauthfile list :0.0 . 2>/dev/null

debug1: Requesting X11 forwarding with authentication spoofing.

debug2: channel 0: request x11-req confirm 0

debug2: client_session2_setup: id 0

debug2: channel 0: request pty-req confirm 0

debug2: channel 0: request shell confirm 0

debug2: fd 3 setting TCP_NODELAY

debug2: callback done

debug2: channel 0: open confirm rwindow 0 rmax 32768

debug2: channel 0: rcvd adjust 131072

Last login: Fri Feb 18 12:33:57 2005 from 192.168.0.2

Environment:

  USER=exodist

  LOGNAME=exodist

  HOME=/home/exodist

  PATH=/usr/bin:/bin:/usr/sbin:/sbin

  MAIL=/var/mail/exodist

  SHELL=/bin/bash

  SSH_CLIENT=::ffff:192.168.0.2 33837 22

  SSH_CONNECTION=::ffff:192.168.0.2 33837 ::ffff:192.168.0.3 22

  SSH_TTY=/dev/pts/1

  TERM=Eterm

  DISPLAY=localhost:11.0

  REMOTEHOST=192.168.0.2

Running /usr/X11R6/bin/xauth remove unix:11.0

/usr/X11R6/bin/xauth add unix:11.0 MIT-MAGIC-COOKIE-1 83b62c0c238422c9f7fca65945ecb38a

```

Basically on compA ssh segfaults upon connection attempt, and compB just doesn't use the keys properly. I have one other local computer with the same version of ssh and same config files that works fine. I can also connect to a remote system with my keys from any of the 3 systems; the only problems are connecting to these 2 computers, compA and compB.

here are my updated config files, they are the same on all 3 of the computers, note, the third one compC with the same config files and an identical copy of .ssh from the 2 comps with problems works fine, I can connect to it with keys.

```

#   $OpenBSD: ssh_config,v 1.19 2003/08/13 08:46:31 markus Exp $

# This is the ssh client system-wide configuration file.  See

# ssh_config(5) for more information.  This file provides defaults for

# users, and the values can be changed in per-user configuration files

# or on the command line.

# Configuration data is parsed as follows:

#  1. command line options

#  2. user-specific file

#  3. system-wide file

# Any configuration value is only changed the first time it is set.

# Thus, host-specific definitions should be at the beginning of the

# configuration file, and defaults at the end.

# Site-wide defaults for various options

# Host *

#   ForwardAgent no

   ForwardX11 yes

#   RhostsRSAAuthentication yes

   RSAAuthentication yes

   PasswordAuthentication yes

#   HostbasedAuthentication no

#   BatchMode no

#   CheckHostIP yes

#   AddressFamily any

#   ConnectTimeout 0

   StrictHostKeyChecking no

   IdentityFile ~/.ssh/identity

   IdentityFile ~/.ssh/id_rsa

   IdentityFile ~/.ssh/id_dsa

#   Port 22

   Protocol 2,1

#   Cipher 3des

#   Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc

#   EscapeChar ~

```

```

#   $OpenBSD: sshd_config,v 1.69 2004/05/23 23:59:53 dtucker Exp $

# This is the sshd server system-wide configuration file.  See

# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with

# OpenSSH is to specify options with their default value where

# possible, but leave them commented.  Uncommented options change a

# default value.

Port 22

Protocol 2,1

#ListenAddress 0.0.0.0

ListenAddress ::

# HostKey for protocol version 1

#HostKey /etc/ssh/ssh_host_key

# HostKeys for protocol version 2

#HostKey /etc/ssh/ssh_host_rsa_key

#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key

#KeyRegenerationInterval 1h

#ServerKeyBits 768

# Logging

#obsoletes QuietMode and FascistLogging

#SyslogFacility AUTH

#LogLevel INFO

# Authentication:

#LoginGraceTime 2m

PermitRootLogin yes

#StrictModes yes

#MaxAuthTries 6

RSAAuthentication yes

PubkeyAuthentication yes

AuthorizedKeysFile   .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts

#RhostsRSAAuthentication no

# similar for protocol version 2

#HostbasedAuthentication no

# Change to yes if you don't trust ~/.ssh/known_hosts for

# RhostsRSAAuthentication and HostbasedAuthentication

#IgnoreUserKnownHosts no

# Don't read the user's ~/.rhosts and ~/.shosts files

#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!

PasswordAuthentication no

PermitEmptyPasswords yes

# Change to no to disable s/key passwords

#ChallengeResponseAuthentication yes

# Kerberos options

#KerberosAuthentication no

#KerberosOrLocalPasswd yes

#KerberosTicketCleanup yes

#KerberosGetAFSToken no

# GSSAPI options

#GSSAPIAuthentication no

#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing, 

# and session processing. If this is enabled, PAM authentication will 

# be allowed through the ChallengeResponseAuthentication mechanism. 

# Depending on your PAM configuration, this may bypass the setting of 

# PasswordAuthentication, PermitEmptyPasswords, and 

# "PermitRootLogin without-password". If you just want the PAM account and 

# session checks to run without PAM authentication, then enable this but set 

# ChallengeResponseAuthentication=no

UsePAM yes

AllowTcpForwarding yes

#GatewayPorts no

X11Forwarding yes

#X11DisplayOffset 10

#X11UseLocalhost yes

#PrintMotd yes

#PrintLastLog yes

#TCPKeepAlive yes

#UseLogin no

UsePrivilegeSeparation no

#PermitUserEnvironment no

#Compression yes

#ClientAliveInterval 0

#ClientAliveCountMax 3

#UseDNS yes

#PidFile /var/run/sshd.pid

#MaxStartups 10

# no default banner path

#Banner /some/path

# override default of no subsystems

Subsystem   sftp   /usr/lib/misc/sftp-server

```

EDIT:  Added spaces to a few lines for line wrapping.  --pjp

----------

## commonloon

Segfault... weird. My only suggestion left is to try re-emerging openssh and openssl on the machine that is segfaulting. As you said, it seems that after the pub key is sent over, that is what triggers the segfault.

----------

## exodist

I tried re-emerging both of those, no luck

----------

## teknomage1

Maybe PAM is at fault?

----------

## exodist

I only have a vague idea of what pam is, some kind of authentication system right? I do not care about it so if it is the problem how do I deal with it?

----------

## teknomage1

Hmm, well I would suggest searching the forums first, but you said you re-emerged ssh and ssl so maybe re-emerge pam too?

----------

## exodist

I actually unmerged all the pam related stuff I could find and re-did openssl and openssh for the n'th time, still no luck, I think I might try manually compiling ssh direct from openssh OVER the ebuilds install and hope it kicks the ebuilds ass  :Wink: 

----------

## commonloon

You should be able to set PAM off in the conf. PAM stands for pluggable authentication module... check out /etc/pam.d/sshd. Essentially, it is a way to offload some of the authentication details from the calling program. I think w/ the level of debug you posted we'd see a pam line right before the problem if that was related...

[edit]

..but then I could be wrong:

https://bugs.gentoo.org/show_bug.cgi?id=65567

This also looks interesting:

https://bugs.gentoo.org/show_bug.cgi?id=82463

[/edit]

----------

## exodist

I tried removing all pam related stuff and re-emerging ssh, it did not use pam and still segfaulted

I also have the permissions checked on the .ssh/* files; just to be extra cautious I tried chmod 400 authorised_keys and it still didn't work.

----------

## exodist

Well, I decided to give up trying to make my keys that I have on several systems work on these. Instead I generated a single rsa key, recompiled openssh after deleting the old /etc/ssh directory (start fresh), then copied the single rsa key to each of my systems, and the .pub file into authorized_keys on every system I need to connect to. Now the amd64 no longer gives me a segfault, any system with the key can connect to it, and it can connect to any system with the pub key in the authorized_keys file. However my pentium4 now gives me a segfault, go figure. The pentium3, the p2 freebsd system, and the athlon64 system work, but p4 still down.

----------

