Samuel Winchenbach
2010-Apr-02 20:02 UTC
AuthorizedKeysFile with default value prevents Public/Private key authentication
Hi All,

I noticed that if I put:

AuthorizedKeysFile .ssh/authorized_keys

in my sshd_config file, pub/priv key authentication no longer worked.

I am using OpenSSH_5.4p1, OpenSSL 0.9.8n 24 Mar 2010 on Archlinux.

Sam

****************** Here is my WORKING config ******************

Port 22
ListenAddress 0.0.0.0

Protocol 2

PermitRootLogin no

PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys

PasswordAuthentication no
PermitEmptyPasswords no

ChallengeResponseAuthentication no

UsePAM yes

Subsystem sftp /usr/lib/ssh/sftp-server

****************** END ******************

****************** Here is my NON-WORKING config ******************

Port 22
ListenAddress 0.0.0.0

Protocol 2

PermitRootLogin no

PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

PasswordAuthentication no
PermitEmptyPasswords no

ChallengeResponseAuthentication no

UsePAM yes

Subsystem sftp /usr/lib/ssh/sftp-server

****************** END ******************

****************** Here is a ssh -v to the server in question ******************

[swinchen at strongbad ~]$ ssh -v swinchen@********.org
OpenSSH_5.4p1, OpenSSL 0.9.8n 24 Mar 2010
debug1: Reading configuration data /home/swinchen/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to ********.org [130.111.XXX.XXX] port 22.
debug1: Connection established.
debug1: identity file /home/swinchen/.ssh/id_rsa type -1
debug1: identity file /home/swinchen/.ssh/id_rsa-cert type -1
debug1: identity file /home/swinchen/.ssh/id_dsa type -1
debug1: identity file /home/swinchen/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.4
debug1: match: OpenSSH_5.4 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.4
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '********.org' is known and matches the RSA host key.
debug1: Found key in /home/swinchen/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/swinchen/.ssh/id_rsa
debug1: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
Enter passphrase for key '/home/swinchen/.ssh/id_rsa':
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/swinchen/.ssh/id_dsa
debug1: No more authentication methods to try.
Permission denied (publickey).

****************** END ******************
Jim Rees
2010-Apr-02 20:27 UTC
AuthorizedKeysFile with default value prevents Public/Private key authentication
What happens if you change it to ~/.ssh/authorized_keys? Maybe the man page is wrong. I could be paranoid, but I avoid the use of relative paths in security-sensitive config files.
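To make the two points in this thread concrete (an explicit AuthorizedKeysFile equal to the default changes nothing on paper, and a relative path leaves the effective location implicit), here is a small Python lint that resolves the setting the way sshd_config(5) documents it and reports on it. This is an added example written for this thread, not OpenSSH code and not a reproduction of the 5.4p1 bug. It assumes the documented behaviour only: a relative path is taken relative to the user's home directory, %h, %u and %% are expanded, a leading ~/ is tilde-expanded, and the default is .ssh/authorized_keys. Match blocks are ignored, and the third finding (a key file under the user's own home directory, which the user can edit) goes slightly beyond the thread as a common hardening check. The two configs from the original post are embedded as constructed input.

```python
"""Resolve and lint the AuthorizedKeysFile setting of an sshd_config.

Constructed example for this thread, not OpenSSH's own code. It mirrors
what sshd_config(5) documents for AuthorizedKeysFile: a relative path is
taken relative to the user's home directory, %h expands to the home
directory, %u to the user name and %% to a literal %, and a leading ~/
is tilde-expanded. Only the global section is read; Match blocks are
ignored (a simplification of this example).
"""
import posixpath

# The default value the thread is about. AuthorizedKeysFile2 is a separate
# keyword in the sshd generation discussed and is not modelled here.
DEFAULT_AUTHORIZED_KEYS_FILE = ".ssh/authorized_keys"

# The two configs from the original post, reproduced as constructed input.
WORKING_CONFIG = """\
Port 22
ListenAddress 0.0.0.0
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes
Subsystem sftp /usr/lib/ssh/sftp-server
"""
NON_WORKING_CONFIG = WORKING_CONFIG.replace("#AuthorizedKeysFile", "AuthorizedKeysFile")


def parse_global_options(config_text):
    """Map lower-cased keyword -> value for the global section of sshd_config.

    sshd honours the first occurrence of a keyword, so later duplicates are
    ignored here too. Parsing stops at the first Match block.
    """
    options = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        if keyword == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        options.setdefault(keyword, value)
    return options


def expand_tokens(path, user, home):
    """Expand the %h, %u and %% tokens documented for AuthorizedKeysFile."""
    out = []
    i = 0
    while i < len(path):
        if path[i] == "%" and i + 1 < len(path):
            token = path[i + 1]
            if token == "h":
                out.append(home)
            elif token == "u":
                out.append(user)
            elif token == "%":
                out.append("%")
            else:
                raise ValueError("unknown token %%%s in AuthorizedKeysFile" % token)
            i += 2
        else:
            out.append(path[i])
            i += 1
    return "".join(out)


def resolve_authorized_keys_file(config_text, user, home):
    """Return (configured_value, effective_absolute_path, explicitly_set)."""
    options = parse_global_options(config_text)
    explicit = "authorizedkeysfile" in options
    value = options.get("authorizedkeysfile", DEFAULT_AUTHORIZED_KEYS_FILE)
    expanded = expand_tokens(value, user, home)
    if expanded == "~" or expanded.startswith("~/"):
        expanded = home + expanded[1:]          # tilde expansion
    if not posixpath.isabs(expanded):
        expanded = posixpath.join(home, expanded)  # relative to the home directory
    return value, posixpath.normpath(expanded), explicit


def lint_authorized_keys_file(config_text, user, home):
    """Return a list of findings about the AuthorizedKeysFile setting."""
    value, effective, explicit = resolve_authorized_keys_file(config_text, user, home)
    findings = []
    if explicit and value == DEFAULT_AUTHORIZED_KEYS_FILE:
        findings.append("explicit AuthorizedKeysFile equals the built-in default; "
                        "removing the line yields the same effective path")
    if explicit and not value.startswith(("/", "%h", "~")):
        findings.append("AuthorizedKeysFile %r is relative; prefer an absolute or "
                        "%%h-anchored path so the effective location (%s) is explicit"
                        % (value, effective))
    if effective.startswith(posixpath.join(home, "")):
        findings.append("effective path %s lies in the user's home directory, so the "
                        "user controls its contents; a root-owned location such as "
                        "/etc/ssh/authorized_keys/%%u removes that" % effective)
    return findings


if __name__ == "__main__":
    for name, cfg in (("working", WORKING_CONFIG), ("non-working", NON_WORKING_CONFIG)):
        print(name, resolve_authorized_keys_file(cfg, "swinchen", "/home/swinchen"))
        for finding in lint_authorized_keys_file(cfg, "swinchen", "/home/swinchen"):
            print("  -", finding)
```

Run against the two configs, both resolve to the same effective file, /home/swinchen/.ssh/authorized_keys, which is what makes the reported failure a server-side parsing problem rather than a configuration one; the lint only states what the config asks for, it does not reproduce sshd's behaviour.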
Iain Morgan
2010-Apr-02 20:46 UTC
AuthorizedKeysFile with default value prevents Public/Private key authentication
This issue was reported to the list shortly after the release of 5.4p1 and should be fixed in an upcoming release. Please check the list archive for details.

On Fri, Apr 02, 2010 at 15:02:34 -0500, Samuel Winchenbach wrote:
> Hi All,
>
> I noticed that if I put:
>
> AuthorizedKeysFile .ssh/authorized_keys in my sshd_config file,
> pub/priv key authentication no longer worked.
>
> I am using OpenSSH_5.4p1, OpenSSL 0.9.8n 24 Mar 2010
> on Archlinux.
>
> Sam
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

--
Iain Morgan