Monday, January 26, 2015

linux - SSH accepts publickey authetication but won't connect with an identify file?



Problem




I recently switched to a new web server. I had been using identify files with SSH to connect on the previous server with no problems, but on the new server I can't seem to use an identify file to authenticate. It looks like it tries to read it, but then it just moves on to password authentication. I believe my files are right - I've set this up so many times!



Setup



I generated the identify file on the remote server using ssh-keygen, then copied the private key (id_rsa) back to my computer as ~/.ssh/id_remote_private. The permissions are set correctly (700/600 on ~/.ssh and the files inside), both locally and on remote.



Connect Log



Below is the connect log for the key without a passphrase. Also, not sure if this is relavant, but when I tried to use a passphrase I would get an additional error: PEM_read_PrivateKey failed.




What am I doing wrong here?




local_user$ ssh -v -i $HOME/.ssh/id_remote_private -l user1234 123.123.123.123



OpenSSH_5.2p1, OpenSSL 0.9.8l 5 Nov 2009


debug1: Reading configuration data /Users/local_user/.ssh/config
debug1: Reading configuration data /etc/ssh_config
debug1: Connecting to 123.123.123.123 [123.123.123.123] port 22.
debug1: Connection established.
debug1: identity file /Users/local_user/.ssh/id_remote_private type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH_4*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.2
debug1: SSH2_MSG_KEXINIT sent

debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '123.123.123.123' is known and matches the RSA host key.
debug1: Found key in /Users/user/.ssh/known_hosts:43
debug1: ssh_rsa_verify: signature correct

debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received



debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: publickey

debug1: Trying private key: /Users/user/.idssh/id_remote_private
debug1: read PEM private key done: type RSA

debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: password
user1234@123.123.123.123's password:

Answer



If you haven't done yet, add the public part of your key to ~/.ssh/authorized_keys on the remote side.




You can also check the content of /var/log/auth.log on the remote side for more details.


-

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

linux - How to SSH to ec2 instance in VPC private subnet via NAT server

I have created a VPC in aws with a public subnet and a private subnet. The private subnet does not have direct access to external network. S...