# ssh: Keypair authentication not working.

## crevette

hello.

I set up my sshd 6 months ago and have used password authentication since then without problems.

Now I want to use keypair authentication.

I read a lot of docs, but I don't know why it's not working. I tried several times to recreate my key and move it to the server. I checked the rights. Now I have no idea what my mistake is.

It's like the server can't see the key in authorized_keys.

You can find a log at http://baptiste.navlink.com/files/pb_ssh

and my sshd config at http://baptiste.navlink.com/files/sshd_conf.

Thanks for your help.

----------

## H0bb3z

Depending on what type of key you generated and are using, you may need to set

```
RSAAuthentication yes
```

to get the ssh key recognized.

The log seems to indicate it isn't recognizing the key presented to complete the handshake:

 *Quote:*   

> debug3: authmethod_is_enabled publickey
> 
> debug1: Next authentication method: publickey
> 
> debug2: userauth_pubkey_agent: no keys at all
> ...

 

Or you may try to generate a new key...

<EDIT>

The log shows that the key isn't recognizable:

 *Quote:*   

> debug3: Not a RSA1 key file /home/bmm80/.ssh/id_dsa.
> 
> debug2: key_type_from_name: unknown key type '-----BEGIN'
> 
> debug3: key_read: missing keytype
> ...

 

So it looks like you need to generate new keys.

</EDIT>

----------

## crevette

The keys generated are OPENSSH ssh2 dsa and rsa.

I re-created them several times, but without success.

Thanks

----------

## H0bb3z

Here's an excerpt that may help (sorry for the long post):

<snip>

To generate a public and private key pair for ssh on Unix, use the ssh-keygen command. Be sure to check however, which version of the ssh protocol is supported by this command. 

Whenever possible, use the OpenSsh implementation, because this supports the widest range of protocols, keys etc. 

If you have installed both version 1 and 2 of the ssh protocol implementations, you probably have 2 versions of this command: 

For using ssh protocol 1, you must execute 

```
ssh-keygen1
```

For using ssh protocol 2, you must execute 

```
ssh-keygen2
```

The ssh-keygen command(s) create a key pair in some format and store it in specific files: 

The OpenSsh implementation supports 3 kinds of keys: 

ssh-keygen -t rsa1 (the default) generates an RSA key for protocol 1 in the files identity (private key) and identity.pub (public key) in the .ssh directory in your home directory 

ssh-keygen -t rsa generates an RSA key for protocol 2 in the files id_rsa (private key) and id_rsa.pub (public key) in the .ssh directory in your home directory 

ssh-keygen -t dsa generates a DSA key for protocol 2 in the files id_dsa (private key) and id_dsa.pub (public key) in the .ssh directory in your home directory

When connecting to another OpenSsh server, you should use protocol 2 with a DSA key.

The ssh-keygen command can transform from and to other formats of keys to be able to connect to/from Ssh2 servers/clients. Consult the man page for a description of the -e and -i options. 

Ssh1 stores the private key in the file identity in the .ssh directory in your home directory and the public key in the file identity.pub. 

Ssh2 does the same in respectively the file id_dsa_1024_a and id_dsa_1024_a.pub, but in the .ssh2 directory in your home directory. 

Moreover, Ssh2 uses the identification file in the .ssh2 directory in your home directory to determine which identity (i.e. private and public key pair) to use for the connection. This file must enumerate all such key pairs you have generated and, when connecting, they are tried in the order they appear in that file. Consult the man page if you need to know more about using multiple key pairs. You must specify all key pairs you want to use in this file, even if you only have one. Mostly this file will contain just 1 line, containing IdKey id_dsa_1024_a. You must create this identification file yourself, at least with this single line.

On the computer you wish to login to (from a remote client), you must specify which identities are allowed to connect (you must create the below specified files yourself, they are not created automagically): 

OpenSsh by default uses the file authorized_keys for protocol 1 and authorized_keys2 for protocol 2 in the .ssh directory in your home directory. In these files, the public keys of the identities you allow to connect, must be enumerated, each on a separate line. Just copy the contents of the public key file of the identities you want to allow in the appropriate file (e.g. with copy and paste or with the >> redirect). 

The ssh-keygen command can transform from and to other formats of keys to be able to connect to/from Ssh2 servers/clients. Consult the man page for a description of the -e and -i options. 

Ssh1 by default uses the file authorized_keys in the .ssh directory in your home directory, in which the public keys of the identities you allow to connect, must be enumerated, each on a separate line. Just copy the contents of the public key file of the identities you want to allow in this file (e.g. with copy and paste or with the >> redirect). 

Ssh2 by default uses the file authorization in the .ssh2 directory in your home directory. In this file the names of the files containing the public keys of the identities you want to allow to connect, must be enumerated. Each file name is specified on a separate line, preceded by the keyword Key (e.g. Key id_dsa_1024_a.pub). You must of course also copy the file containing the public key itself to that directory, using the same name as in the authorization file.

</snip>

There's a bit of redundancy there, but it's good information nonetheless...

----------

## crevette

 *H0bb3z wrote:*   

> Whenever possible, use the OpenSsh implementation, because this supports the widest range of protocols, keys etc. 

 I use openssh 3.6.1_p2, the latest stable version in portage

 *H0bb3z wrote:*   

> 
> 
> If you have installed both version 1 and 2 of the ssh protocol implementations, you probably have 2 versions of this command: 
> 
> For using ssh protocol 1, you must execute 
> ...

 No, just ssh-keygen 

 *H0bb3z wrote:*   

> 
> 
> The ssh-keygen command(s) create a key pair in some format and store it is specific files: 
> 
> The OpenSsh implementations supports 3 kinds of keys: 
> ...

 I didn't generate an RSA key; in my sshd config file I forced it to use only SSH protocol 2

 *H0bb3z wrote:*   

> ssh-keygen -t rsa generates an RSA key for protocol 2 in the files id_rsa (private key) and id_rsa.pub (public key) in the .ssh directory in your home directory 
> 
> ssh-keygen -t dsa generates an DSA key for protocol 2 in the files id_dsa (private key) and id_dsa.pub (public key) in the .ssh directory in your home directory 
> 
> When connecting to another OpenSsh server, you should use protocol 2 with an DSA key.

 So I just sent my dsa.pub file; what is the use of the RSA one?

 *H0bb3z wrote:*   

>  The ssh-keygen command can transform from and to other formats of keys to be able to connect to/from Ssh2 servers/clients. Consult the man page for a description of the -e and -i options. 
> 
> Ssh1 stores the private key in the file identity in the .ssh directory in your home directory and the public key in the file identity.pub. 
> 
> Ssh2 does the same in respectively the file id_dsa_1024_a and id_dsa_1024_a.pub, but in the .ssh2 directory in your home directory. 
> ...

 I use only openssh on my client and my server, no other implementations.

 *H0bb3z wrote:*   

> On the computer you wish to login to (from a remote client), you must specify which identities are allowed to connect (you must create the below specified files yourself, they are not created automagically): 

 Done! I created .ssh and scp'd the generated keys into my server user account

 *H0bb3z wrote:*   

> OpenSsh by default uses the file authorized_keys for protocol 1 and authorized_keys2 for protocol 2 in the .ssh directory in your home directory. 

 I'm not sure that openssh uses authorized_keys2 to store keys; I think it was in older openssh versions, but I made a symlink to authorized_keys

 *H0bb3z wrote:*   

> In these files, the public keys of the identities you allow to connect, must be enumerated, each on a separate line. Just copy the contents of the public key file of the identities you want to allow in the appropriate file (e.g. with copy and paste or with the >> redirect).

 Done

 *H0bb3z wrote:*   

> There's a bit of redundancy there, but its good information nonetheless...

 Not a problem.

It's a good way to see if I didn't make a mistake.

thanks.

I'm not at home for the moment, I will recheck all tomorrow.

Thanks twice

----------

## xedx

If you already have id_dsa.pub in the ~/.ssh/authorized_keys file of the remotehost,

try connecting to it using 

```
$ ssh -i id_dsa remotehost
```


----------

## crevette

So :

I set 

```
RSAAuthentication yes
```

 as H0bb3z said.

I deleted all my keys, and known_hosts file on my client.

I removed the authorized_keys files on my server.

Then I generated a dsa key.

I copied the key to my server and cat'ed the content into ~/.ssh/authorized_keys and ~/.ssh/authorized_keys2 (to be sure).

I chmod 700 the .ssh directory and chmod 600 the files inside for server and client.

It doesn't work.

The server asks for my remote account password.

----------

## H0bb3z

On the server side, make sure the server DSA key is where it is specified in the sshd_config file:

```
HostKey /etc/ssh_host_dsa_key
```

You may also try to explicitly turn off password auth.  Instead of:

```
#PasswordAuthentication yes
```

try

```
PasswordAuthentication no
```

Since you aren't using RSA keys, you can set the RSAAuthentication option back to 'no'.  RSA is just the particular encryption used when generating a key, so to answer your question

 *Quote:*   

> So I just sent my dsa.pub file; what is the use of the RSA one?

 

you don't need it if you are using DSA to generate the keys.

One additional question: did you enter a passphrase when you generated your keys?  If you did, you will be prompted for that passphrase every time you use the key (it's like password-protecting your SSH key).  If you set a password on the key, this is likely the prompt you're seeing...

Check out Daniel Robbins' article on OpenSSH key management:

http://www-106.ibm.com/developerworks/library/l-keyc?t=gr,p=RSA-DSA

----------

## paranode

This is outlined in the Gentoo Linux Security Guide

----------

## FRLinux

 *paranode wrote:*   

> This is outlined in the Gentoo Linux Security Guide

 

You actually need to check that you are using the SAME user on both machines. I thought this was obvious.

Steph

----------

## H0bb3z

Or you can use the -l switch to specify a different user on the remote machine:

```
# -l takes the user name as its own argument; the host follows separately
ssh -l user remotehost
```

----------

## chmod

```
debug2: key_type_from_name: unknown key type '-----BEGIN'
```

Take out the -----BEGIN stuff. And the end stuff. Your authorized_keys file should contain a single line for each key (it's ok if it autowraps off the end of the line).

Here is an example:

```
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAmkixajjDN0bVj/tUIGk6e2DtwVzerX23:SDlW+wrLzlwoKxisdsFRb2HbB1Eq/fZjsc4jl9SkDRKdAD3wz3F5tgMym84iSHNYSktEDZh7guhJ232OxbLC+6SsepgFfgmCjPdlmJxBlBPumr/sjyJBeQBCxyeEHD2Y4dnNQ4JxgxP0= user@hostname
```

Strip off everything that doesn't look like that.

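A small lint script for the authorized_keys format chmod describes, added here as an example (it is not from any poster in this thread). It flags the PEM "-----BEGIN" material seen in the debug log, lines that were wrapped onto a second line, and truncated key blobs; it assumes the lines carry no options prefix (from=, command=...) before the key type, and the two sample files are constructed.

```sh
# Lint an OpenSSH authorized_keys file for the mistakes discussed in this
# thread: private-key (PEM) material pasted in, wrapped or truncated key
# blobs, unknown key types. Added example, not from any poster in the thread.

# Returns 0 if every non-blank, non-comment line reads
# "<keytype> <base64 blob> [comment]"; prints one message per bad line.
# Assumption: no options prefix (from=, command=...) in front of the key type.
check_authorized_keys() {
    file=$1
    bad=0; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            ''|'#'*) continue ;;
            '-----BEGIN'*|'-----END'*|'Proc-Type:'*|'DEK-Info:'*)
                echo "line $n: PEM private-key material, not a public key"
                bad=1; continue ;;
        esac
        keytype=${line%% *}
        rest=${line#* }
        blob=${rest%% *}
        case "$keytype" in
            ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp*) ;;
            *) echo "line $n: unknown key type '$keytype' (wrapped line?)"
               bad=1; continue ;;
        esac
        # Every OpenSSH public-key blob starts with the length-prefixed type
        # name, so its base64 form always begins with "AAAA".
        case "$blob" in
            AAAA*) ;;
            *) echo "line $n: key blob does not start with AAAA (truncated?)"
               bad=1 ;;
        esac
    done < "$file"
    return $bad
}

# Constructed samples: one correct single-line DSA key, and a file holding a
# (fake) private key, the "-----BEGIN" case from the debug log above.
GOOD_KEYS=$(mktemp)
BAD_KEYS=$(mktemp)
cat > "$GOOD_KEYS" <<'EOF'
# keys allowed to log in as this user
ssh-dss AAAAB3NzaC1kc3MAAACBAPconstructedSampleBlobNotARealKey= bmm80@Kaze
EOF
cat > "$BAD_KEYS" <<'EOF'
-----BEGIN DSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
MIIBuwIBAAKBgQDconstructedFakeKeyMaterial
-----END DSA PRIVATE KEY-----
EOF
for f in "$GOOD_KEYS" "$BAD_KEYS"; do
    if check_authorized_keys "$f"; then echo "$f: ok"; else echo "$f: fix before use"; fi
done
```

Run it against the server-side ~/.ssh/authorized_keys; a clean file prints nothing but "ok", and any line it reports is one sshd will skip.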
----------

## crevette

The key is on one line:

```
ssh-dss AAAA...............(etc)...........B3NzaC1 bmm80@Kaze
```

----------

## Ari Rahikkala

I'm having pretty much the same problem. This post will be, er, part one of a full coredump of the situation...

First, generics. I've used ssh with password authentication for years without any problems. Pubkey authentication just looks rather interesting so I'd like to try it out. It's no priority thing, just something that would be fun to get to work. The hosts in question are ari (aka ari.servebeer.com and p166-122.customer.soneraliving.fi), my Gentoo box at home and calvin (aka lyseo.edu.ouka.fi), my school's Debian server (which I don't have admin rights at). I could set up pubkey authentication from calvin back to ari without much trouble. It worked exactly as it should. My username on ari is ari, on calvin it is lighten.

Now, a couple of configuration files and usual relevant info:

On ari: http://www.lyseo.edu.ouka.fi/~lighten/ssh-trouble/ari/ssh_config

http://www.lyseo.edu.ouka.fi/~lighten/ssh-trouble/ari/sshd_config

http://www.lyseo.edu.ouka.fi/~lighten/ssh-trouble/ari/connect-to-calvin-ssh-vvv-log

```
ari@ari ari $ ls -ld .ssh
drwx------    2 ari      users         112 Oct 13 21:43 .ssh
ari@ari ari $ ls -l .ssh
total 16
-rw-------    1 ari      users         604 Oct 13 17:58 authorized_keys
-rw-------    1 ari      users         744 Oct 13 22:08 id_dsa
-rw-r--r--    1 ari      users         611 Oct 13 22:08 id_dsa.pub
-rw-------    1 ari      users        2223 Oct 13 17:46 known_hosts
ari@ari ari $ cat .ssh/id_dsa
-----BEGIN DSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,6483BF4D4F3AEC56
hZ8RheUzOy48aHab8zz/ZwJG/ZEbsAcvZLuH4K42DzXtk2+MHDsNEywe0KKQqqO7
...don't you try to copy my private key, you dirty cracker...
Bq7Qv/ehBt2I09FkRwUqMMjQFeYlhdGN8OYGTgP4qJhnBmOzaKrKkUApDzfZEPiD
3uEvxSu1jKd3+qb1pXtW9w==
-----END DSA PRIVATE KEY-----
ari@ari ari $ cat .ssh/id_dsa.pub 
ssh-dss AAAAB3...nolinebreaks...laaa/nw== ari@ari.servebeer.com
ari@ari ari $ ssh -V
OpenSSH_3.7.1p2, SSH protocols 1.5/2.0, OpenSSL 0.9.6k 30 Sep 2003
```

On calvin: http://www.lyseo.edu.ouka.fi/~lighten/ssh-trouble/calvin/ssh_config

http://www.lyseo.edu.ouka.fi/~lighten/ssh-trouble/calvin/sshd_config

http://www.lyseo.edu.ouka.fi/~lighten/ssh-trouble/calvin/connect-to-ari-ssh-vvv-log

```
[lighten@calvin][~]% ls -ld .ssh
drwx------    2 lighten  lyseo        4096 2003-10-13 21:57 .ssh
[lighten@calvin][~]% ls -l .ssh  
yhteensä 16
-rw-------    1 lighten  lyseo         744 2003-10-13 17:58 id_dsa
-rw-------    1 lighten  lyseo         604 2003-10-13 17:58 id_dsa.pub
-rw-------    1 lighten  lyseo        4023 2003-10-13 17:51 known_hosts
-rw-------    1 lighten  lyseo        1122 2002-09-16 13:46 known_hosts~
[lighten@calvin][~]% ssh -V
OpenSSH_3.6.1p2-pwexp22 Debian 1:3.6.1p2-3, SSH protocols 1.5/2.0, OpenSSL 0x0090703f
```

The format of my id_dsa on calvin is the same as that of the one on ari.

Next, a log of how I'm trying to make this work... from the beginning to the end:

```
ari@ari ari $ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/ari/.ssh/id_dsa): 
/home/ari/.ssh/id_dsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase): <hidden from prying eyes>
Enter same passphrase again: <still hidden from prying eyes>
Your identification has been saved in /home/ari/.ssh/id_dsa.
Your public key has been saved in /home/ari/.ssh/id_dsa.pub.
The key fingerprint is:
b6:c6:ba:5e:32:e8:e5:8f:f6:ca:be:58:04:a9:15:57 ari@ari.servebeer.com
ari@ari ari $ scp .ssh/id_dsa.pub lighten@lyseo.edu.ouka.fi: 
lighten@lyseo.edu.ouka.fi's password: 
id_dsa.pub                                    100%  611     0.0KB/s   00:00
ari@ari ari $ ssh lighten@lyseo.edu.ouka.fi
lighten@lyseo.edu.ouka.fi's password: 
Linux calvin 2.4.21 #1 SMP Sun Jun 15 20:21:55 EEST 2003 i686 GNU/Linux
*------------------------------------------------------------------------*
|                                                                        |
| Work-hakemistossa olleet tavarat on nyt siirretty /work/{tunnus}       |
| -nimiseen hakemistoon. Oman work-hakemiston luominen onnistuu          |
| calvinilla suorittamalla valikosta "Tee work-hakemisto" tai ajamalla   |
| "tee_work" -niminen ohjelma.                                           |
|                                                                        |
| Ongelmia? Kysymyksiä? Kommentteja? Suuntaa postiohjelmasi osoitteeseen |
| sysadmin@lyseo.edu.ouka.fi ja kysy mitä ikinä haluat!                  |
|                                                                        |
| Matematiikan luokassa (26) ja kirjastossa EI SAA PELATA!               |
|                                                                        |
| Eikö salasanan vaihto tunnu onnistuvan? Käväiseppä atk-luokassa, etsi  |
| sieltä joku ylläpitäjän näköinen henkilö ja pyydä häntä vaihtamaan     |
| salasanasi uudeksi.                                                    |
|                                                                        |
|                                                            -- Ylläpito |
*------------------------------------------------------------------------*
You have mail.
Last login: Mon Oct 13 22:24:50 2003 from p166-122.customer.soneraliving.fi
[lighten@calvin][~]% cat id_dsa.pub >> .ssh/authorized_keys2
[lighten@calvin][~]% cat .ssh/authorized_keys2 
ssh-dss AAAA...smaller, shorter and cut,..QIvunY= ari@ari.servebeer.com
[lighten@calvin][~]% logout
Connection to lyseo.edu.ouka.fi closed.
ari@ari ari $ ssh lighten@lyseo.edu.ouka.fi
lighten@lyseo.edu.ouka.fi's password: 
...
```

I might post further info tomorrow, but am hoping there's some local guru who can see the critical difference in the configuration files or whatever is causing this... I'm leaving it here for now.

----------

