Openssh public key authentication not working

[TestUser]

Hi,

How to troubleshoot openssh public key authentication problem for AIX ?

I have this problem for one of the AIX user account, other user accout is workng fine. Please advise.

[Michael]

Hi, going to move this to new forums - but - please give a bit more detail. What are you trying to accomplish? login without a password? remote command execution? or just logging in?

[Michael]

Hi All,

How to troubleshoot AIX openssh public key authentication problem, it
always prompt for password ?

I have one aix user account working but not other user account. The
scenarios :

a) serverA_user1 -> sftp -> serverB_user2 - openssh public key
authenticatoin working

b) serverA_user3 -> sftp -> serverB_user4 - openssh public key
authenticatoin failed, it prompts for passowrd.

The openssh public key authentication step is correct, I am really
lost...

[Michael]

Try ssh with the -vvv option (very, very verbose) to show debugging info. Beyond that, the only thing I can suggest is to check that user3's and user4's keys are correct. To go any farther, we'll have to know your exact configuration.

[Michael]

Hi,

Here is the sftp -vvv debug information :

debug1: authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: next auth method to try is publickey
debug1: try pubkey: /home/informix/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: authentications that can continue: publickey,password
debug1: try privkey: /home/informix/.ssh/id_dsa
debug3: no such identity: /home/informix/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: next auth method to try is password
>> XXXX prompt for password :

[Michael]

debug1: next auth method to try is publickey
debug1: try pubkey: /home/informix/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: authentications that can continue: publickey,password
debug1: try privkey: /home/informix/.ssh/id_dsa
debug3: no such identity: /home/informix/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: next auth method to try is password
>> XXXX prompt for password :

What we see here is that a pub_key is being sent to the "other side", this public key will be used to encrypt a message that will need the private key to read (to verify that you 'own' the public key). The client (i.e. sftp) cannot read, or otherwise find the private key to decrypt the message. As such, you cannot respond to the secret message being sent (no packet sent), and system falls back on regular password authentification.

The simple things to check are: owner and mode of id_dsa file. As I recall, file mode must be 600 (rw-------) and owner as well.

As an example: minimum requirements are:

Code: [Select]

-rw-r--r--   1 michael  appl           5008 Aug 31 16:01 authorized_keys
-rw-------   1 michael  appl            668 Feb 09 2006  id_dsa
-rw-r--r--   2 michael  appl            604 Oct 03 2002  id_dsa.pub

The file authorized_keys contains a list of public keys (e.g. the contents of id_dsa.pub for each known remote user or identity.
The file id_dsa.pub is the public key being sent (in debug info above) and is usually world readable.
The file id_dsa is the private key, and is meant to be only accessible by the owner (hence the rw-------, 600 perms settings). This file may also be additionaly protected by a pass phrase which must be entered to access the private key before it is used. (I changed my pass phrase in February, hence the different dates between public and private keys).
The pair of keys is sometimes referred to as a keychain.

So, basically, make sure you have at least the public and private keys in $HOME/.ssh directory, with correct owner and filemode settings, and that the public key is included the "other" sides $HOME/.ssh/authorized_keys file.
The other side will also need both id_dsa and id_dsa.pub files.

[cybermav]

Hi Mike,

I have verified the file permissions, .ssh directory are all correct.
I still having the same problem. 

Please advise.

 

[Michael]

Please send me listing of the user id that works, and some samples of what and how you are trying to do it - showing when it works and when it does not.

Consider using the PM to keep it private.