CentOS - May 2015 - Q: respecting .ssh/id_rsa

While attempting to debug something else I ran across this:

ssh -vvv somehost
. . .
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/identity-cert type -1
debug3: Not a RSA1 key file /root/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
. . .

However if I verify the key I see this:

ssh-keygen -l -f ~/.ssh/id_rsa.pub
4096 08:70:3b:92:4c:96:1c:6a:03:a4:ae:66:8d:9e:6c:93
/root/.ssh/id_rsa.pub (RSA)

Which seems ok to me. The permissions also seem ok:

.ssh]# ll
total 40
-rw-------. 1 root root  3863 Oct 11  2012 authorized_keys
-rw-------. 1 root root  3243 Aug  9  2012 id_rsa
-rw-r--r--. 1 root root   757 Aug  9  2012 id_rsa.pub
-rw-r--r--. 1 root root 11071 May  8 09:42 known_hosts

The password-less connections complete in any case but I am perplexed
as to what is the problem with the root identity key that ssh is
reporting.

Can anyone explain to me what this means?

-- 
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3

On Fri, May 8, 2015 8:58 am, James B. Byrne wrote:
> While attempting to debug something else I ran across this:
>
> ssh -vvv somehost
> . . .
> debug1: Connection established.
> debug1: permanently_set_uid: 0/0
> debug1: identity file /root/.ssh/identity type -1
> debug1: identity file /root/.ssh/identity-cert type -1
> debug3: Not a RSA1 key file /root/.ssh/id_rsa.
> debug2: key_type_from_name: unknown key type '-----BEGIN'
> debug3: key_read: missing keytype
> debug3: key_read: missing whitespace
> . . .
>
> However if I verify the key I see this:
>
> ssh-keygen -l -f ~/.ssh/id_rsa.pub
> 4096 08:70:3b:92:4c:96:1c:6a:03:a4:ae:66:8d:9e:6c:93
> /root/.ssh/id_rsa.pub (RSA)
>
> Which seems ok to me. The permissions also seem ok:
>
> .ssh]# ll
> total 40
> -rw-------. 1 root root  3863 Oct 11  2012 authorized_keys
> -rw-------. 1 root root  3243 Aug  9  2012 id_rsa
> -rw-r--r--. 1 root root   757 Aug  9  2012 id_rsa.pub
> -rw-r--r--. 1 root root 11071 May  8 09:42 known_hosts
When checking permissions don't forget to check permissions on parent
directories (all levels up to the /). E.g., if your home directory is
world writable, ssh will ignore authorized_keys as well, as the above
permissions _can_ be changed by everybody. The same is true if / is
ridiculously world writable (I've never seen that myself, but I do mean:
check all levels of what the path ~/.ssh is).

It's not clear from your description, but I'm sure you have the
following
right: id_rsa and id_rsa.pub is a pair you have on local machine (the one
you ssh from). autorized_keys is on the remote machine (the one you
connect to), and it contains the contents of id_rsa.pub that you have on
local machine (i.e. you copied id_rsa.pub from local machine to remote and
dumped it into ~/.ssh/autorized_keys on it).

I would also check that in sshd config file (usually:
/etc/ssh/sshd_config) on remote machine you do have line

PubkeyAuthentication yes

Good luck!

Valeri
>
> The password-less connections complete in any case but I am perplexed
> as to what is the problem with the root identity key that ssh is
> reporting.
>
> Can anyone explain to me what this means?
>
> --
> ***          e-Mail is NOT a SECURE channel          ***
>         Do NOT transmit sensitive data via e-Mail
> James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
> Harte & Lyne Limited          http://www.harte-lyne.ca
> 9 Brockley Drive              vox: +1 905 561 1241
> Hamilton, Ontario             fax: +1 905 561 0757
> Canada  L8E 3C3
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++

On 5/8/2015 7:22 AM, Valeri Galtsev wrote:
> On Fri, May 8, 2015 8:58 am, James B. Byrne wrote:
>> While attempting to debug something else I ran across this:
>>
>> ssh -vvv somehost
>> . . .
>> debug1: Connection established.
>> debug1: permanently_set_uid: 0/0
>> debug1: identity file /root/.ssh/identity type -1
>> debug1: identity file /root/.ssh/identity-cert type -1
>> debug3: Not a RSA1 key file /root/.ssh/id_rsa.
>> debug2: key_type_from_name: unknown key type '-----BEGIN'
>> debug3: key_read: missing keytype
>> debug3: key_read: missing whitespace
>> . . .
>>
>> However if I verify the key I see this:
>>
>> ssh-keygen -l -f ~/.ssh/id_rsa.pub
>> 4096 08:70:3b:92:4c:96:1c:6a:03:a4:ae:66:8d:9e:6c:93
>> /root/.ssh/id_rsa.pub (RSA)
>>
>> Which seems ok to me. The permissions also seem ok:
>>
>> .ssh]# ll
>> total 40
>> -rw-------. 1 root root  3863 Oct 11  2012 authorized_keys
>> -rw-------. 1 root root  3243 Aug  9  2012 id_rsa
>> -rw-r--r--. 1 root root   757 Aug  9  2012 id_rsa.pub
>> -rw-r--r--. 1 root root 11071 May  8 09:42 known_hosts
> When checking permissions don't forget to check permissions on parent
> directories (all levels up to the /). E.g., if your home directory is
> world writable, ssh will ignore authorized_keys as well, as the above
> permissions _can_ be changed by everybody. The same is true if / is
> ridiculously world writable (I've never seen that myself, but I do
mean:
> check all levels of what the path ~/.ssh is).
>
> It's not clear from your description, but I'm sure you have the
following
> right: id_rsa and id_rsa.pub is a pair you have on local machine (the one
> you ssh from). autorized_keys is on the remote machine (the one you
> connect to), and it contains the contents of id_rsa.pub that you have on
> local machine (i.e. you copied id_rsa.pub from local machine to remote and
> dumped it into ~/.ssh/autorized_keys on it).
>
> I would also check that in sshd config file (usually:
> /etc/ssh/sshd_config) on remote machine you do have line
>
> PubkeyAuthentication yes
>
> Good luck!
>
> Valeri
>
>> The password-less connections complete in any case but I am perplexed
>> as to what is the problem with the root identity key that ssh is
>> reporting.
>>
>> Can anyone explain to me what this means?
>>
>>
Also check that the selinux context on all files and directories are set 
to "ssh_home_t".

 From the home dir:

#chcon -R -t ssh_home_t .ssh

--On Friday, May 08, 2015 09:58:32 AM -0400 "James B. Byrne" 
<byrnejb at harte-lyne.ca> wrote:
> While attempting to debug something else I ran across this:
>
> ssh -vvv somehost
> . . .
> debug1: Connection established.
> debug1: permanently_set_uid: 0/0
> debug1: identity file /root/.ssh/identity type -1
> debug1: identity file /root/.ssh/identity-cert type -1
> debug3: Not a RSA1 key file /root/.ssh/id_rsa.
> debug2: key_type_from_name: unknown key type '-----BEGIN'
> debug3: key_read: missing keytype
> debug3: key_read: missing whitespace
>
> [snip]
>
> The password-less connections complete in any case but I am perplexed
> as to what is the problem with the root identity key that ssh is
> reporting.
>
> Can anyone explain to me what this means?
IIRC there was a time when id_rsa could refer to either an
RSA1 key or RSA2 key.  I believe ssh is first trying to read
the file as an RSA1 key, finding problems, and then opening it
as an RSA2 key.  In fact, if you scroll down from there you probably
see a line like the following:

   debug1: identity file /home/somebody/.ssh/id_rsa type 1

which is a successful read (note the type is 1 and not -1).

In other words, it's nothing to worry about.  The messages are
a bit different under CentOS 7 (I suspect you're running CentOS 6
on the client), but they say about the same thing.

While the other followups would be good ideas if you actually had
a problem logging in, it sounds like you don't have a problem and
the question was just a curiosity thing.

Devin

Devin Reade wrote:
> --On Friday, May 08, 2015 09:58:32 AM -0400 "James B. Byrne"
> <byrnejb at harte-lyne.ca> wrote:
>
>> While attempting to debug something else I ran across this:
>>
>> ssh -vvv somehost
>> . . .
>> debug1: Connection established.
>> debug1: permanently_set_uid: 0/0
>> debug1: identity file /root/.ssh/identity type -1
>> debug1: identity file /root/.ssh/identity-cert type -1
>> debug3: Not a RSA1 key file /root/.ssh/id_rsa.
>> debug2: key_type_from_name: unknown key type '-----BEGIN'
>> debug3: key_read: missing keytype
>> debug3: key_read: missing whitespace
>>
>> [snip]
>>
>> The password-less connections complete in any case but I am perplexed
>> as to what is the problem with the root identity key that ssh is
>> reporting.
>>
>> Can anyone explain to me what this means?
>
> IIRC there was a time when id_rsa could refer to either an
> RSA1 key or RSA2 key.  I believe ssh is first trying to read
> the file as an RSA1 key, finding problems, and then opening it
> as an RSA2 key.  In fact, if you scroll down from there you probably
> see a line like the following:
>
>    debug1: identity file /home/somebody/.ssh/id_rsa type 1
>
> which is a successful read (note the type is 1 and not -1).
>
> In other words, it's nothing to worry about.  The messages are
> a bit different under CentOS 7 (I suspect you're running CentOS 6
> on the client), but they say about the same thing.
<snip>
I would *strongly* recommend editing your /etc/ssh/sshd_config, and
comment or delete the fallback, and replace it, like:
#Protocol 2,1
Protocol 2

That way, it won't even try.

       mark