CentOS - Jul 2015 - can't ssh into C7 host

hey guys,

Yesterday I had no trouble loggging into this database host. But today for
some reason I can't log in using my RSA key and password authentication
doesn't work either.

I am able to log onto the host via console. And I was able to grab the ssh
config file. Here it is:

[root at db1 ~]# grep -v '#' /etc/ssh/sshd_config  |sed
'/^\s*$/d'
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
SyslogFacility AUTHPRIV
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

So I performed a verbose ssh login, and this is what I saw:


#ssh -vvv bluethundr at db1.example.com

OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011

debug1: Reading configuration data /Users/MyUser/.ssh/config

debug1: /Users/MyUser/.ssh/config line 4: Skipping Host block because of
negated match for *.example.com

debug1: Reading configuration data /etc/ssh_config

debug1: /etc/ssh_config line 20: Applying options for *

debug2: ssh_connect: needpriv 0

debug1: Connecting to db1.example.com [104.131.222.29] port 22.

debug1: Connection established.

debug3: Incorrect RSA1 identifier

debug3: Could not load "/Users/MyUser/.ssh/id_rsa" as a RSA1 public
key

debug1: identity file /Users/MyUser/.ssh/id_rsa type 1

debug1: identity file /Users/MyUser/.ssh/id_rsa-cert type -1

debug1: identity file /Users/MyUser/.ssh/id_dsa type -1

debug1: identity file /Users/MyUser/.ssh/id_dsa-cert type -1

debug1: Enabling compatibility mode for protocol 2.0

debug1: Local version string SSH-2.0-OpenSSH_6.2

debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7p1
Debian-5

debug1: match: OpenSSH_6.7p1 Debian-5 pat OpenSSH*

debug2: fd 3 setting O_NONBLOCK

debug3: load_hostkeys: loading entries for host "db1.example.com" from
file
"/Users/MyUser/.ssh/known_hosts"

debug3: load_hostkeys: found key type RSA in file
/Users/MyUser/.ssh/known_hosts:172

debug3: load_hostkeys: loaded 1 keys

debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-rsa-cert-v01 at openssh.com,
ssh-rsa-cert-v00 at openssh.com,ssh-rsa

debug1: SSH2_MSG_KEXINIT sent

debug1: SSH2_MSG_KEXINIT received

debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

debug2: kex_parse_kexinit: ssh-rsa-cert-v01 at openssh.com,
ssh-rsa-cert-v00 at openssh.com,ssh-rsa,ssh-dss-cert-v01 at openssh.com,
ssh-dss-cert-v00 at openssh.com,ssh-dss

debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
aes128-gcm at openssh.com,aes256-gcm at openssh.com
,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
rijndael-cbc at lysator.liu.se

debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
aes128-gcm at openssh.com,aes256-gcm at openssh.com
,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
rijndael-cbc at lysator.liu.se

debug2: kex_parse_kexinit: hmac-md5-etm at openssh.com,
hmac-sha1-etm at openssh.com,umac-64-etm at openssh.com,umac-128-etm at
openssh.com,
hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,
hmac-ripemd160-etm at openssh.com,hmac-sha1-96-etm at openssh.com,
hmac-md5-96-etm at openssh.com,hmac-md5,hmac-sha1,umac-64 at openssh.com,
umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,
hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96

debug2: kex_parse_kexinit: hmac-md5-etm at openssh.com,
hmac-sha1-etm at openssh.com,umac-64-etm at openssh.com,umac-128-etm at
openssh.com,
hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,
hmac-ripemd160-etm at openssh.com,hmac-sha1-96-etm at openssh.com,
hmac-md5-96-etm at openssh.com,hmac-md5,hmac-sha1,umac-64 at openssh.com,
umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,
hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96

debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib

debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib

debug2: kex_parse_kexinit:

debug2: kex_parse_kexinit:

debug2: kex_parse_kexinit: first_kex_follows 0

debug2: kex_parse_kexinit: reserved 0

debug2: kex_parse_kexinit: curve25519-sha256 at libssh.org
,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1

debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519

debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,
aes128-gcm at openssh.com,aes256-gcm at openssh.com,chacha20-poly1305 at
openssh.com

debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,
aes128-gcm at openssh.com,aes256-gcm at openssh.com,chacha20-poly1305 at
openssh.com

debug2: kex_parse_kexinit: umac-64-etm at openssh.com,umac-128-etm at
openssh.com,
hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,
hmac-sha1-etm at openssh.com,umac-64 at openssh.com,umac-128 at openssh.com
,hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: kex_parse_kexinit: umac-64-etm at openssh.com,umac-128-etm at
openssh.com,
hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,
hmac-sha1-etm at openssh.com,umac-64 at openssh.com,umac-128 at openssh.com
,hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: kex_parse_kexinit: none,zlib at openssh.com

debug2: kex_parse_kexinit: none,zlib at openssh.com

debug2: kex_parse_kexinit:

debug2: kex_parse_kexinit:

debug2: kex_parse_kexinit: first_kex_follows 0

debug2: kex_parse_kexinit: reserved 0

debug2: mac_setup: found hmac-sha1-etm at openssh.com

debug1: kex: server->client aes128-ctr hmac-sha1-etm at openssh.com none

debug2: mac_setup: found hmac-sha1-etm at openssh.com

debug1: kex: client->server aes128-ctr hmac-sha1-etm at openssh.com none

debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<2048<8192) sent

debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP

debug2: dh_gen_key: priv key bits set: 167/320

debug2: bits set: 1025/2048

debug1: SSH2_MSG_KEX_DH_GEX_INIT sent

debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY

debug1: Server host key: RSA 87:92:08:3f:0d:a2:4b:72:c5:38:27:bb:1e:48:d7:c2

debug3: load_hostkeys: loading entries for host "db1.example.com" from
file
"/Users/MyUser/.ssh/known_hosts"

debug3: load_hostkeys: found key type RSA in file
/Users/MyUser/.ssh/known_hosts:172

debug3: load_hostkeys: loaded 1 keys

debug3: load_hostkeys: loading entries for host "104.131.222.29" from
file
"/Users/MyUser/.ssh/known_hosts"

debug3: load_hostkeys: found key type RSA in file
/Users/MyUser/.ssh/known_hosts:172

debug3: load_hostkeys: loaded 1 keys

debug1: Host 'db1.example.com' is known and matches the RSA host key.

debug1: Found key in /Users/MyUser/.ssh/known_hosts:172

debug2: bits set: 1017/2048

debug1: ssh_rsa_verify: signature correct

debug2: kex_derive_keys

debug2: set_newkeys: mode 1

debug1: SSH2_MSG_NEWKEYS sent

debug1: expecting SSH2_MSG_NEWKEYS

debug2: set_newkeys: mode 0

debug1: SSH2_MSG_NEWKEYS received

debug1: Roaming not allowed by server

debug1: SSH2_MSG_SERVICE_REQUEST sent

debug2: service_accept: ssh-userauth

debug1: SSH2_MSG_SERVICE_ACCEPT received

debug2: key: /Users/MyUser/.ssh/id_rsa (0x7fb43a404220),

debug2: key: /Users/MyUser/.ssh/id_dsa (0x0),

debug1: Authentications that can continue: publickey,password

debug3: start over, passed a different list publickey,password

debug3: preferred publickey,keyboard-interactive,password

debug3: authmethod_lookup publickey

debug3: remaining preferred: keyboard-interactive,password

debug3: authmethod_is_enabled publickey

debug1: Next authentication method: publickey

debug1: Offering RSA public key: /Users/MyUser/.ssh/id_rsa

debug3: send_pubkey_test

debug2: we sent a publickey packet, wait for reply

debug1: Authentications that can continue: publickey,password

debug1: Trying private key: /Users/MyUser/.ssh/id_dsa

debug3: no such identity: /Users/MyUser/.ssh/id_dsa: No such file or
directory

debug2: we did not send a packet, disable method

debug3: authmethod_lookup password

debug3: remaining preferred: ,password

debug3: authmethod_is_enabled password

debug1: Next authentication method: password

bluethundr at db1.example.com's password:


Can anyone give me a heads up as to why this is failing?


Thanks,

Tim

-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B

Am 19.07.2015 um 01:58 schrieb Tim Dunphy:
> hey guys,
>
> Yesterday I had no trouble loggging into this database host. But today for
> some reason I can't log in using my RSA key and password authentication
> doesn't work either.
>
> I am able to log onto the host via console. And I was able to grab the ssh
> config file. Here it is:
>
> [root at db1 ~]# grep -v '#' /etc/ssh/sshd_config  |sed
'/^\s*$/d'
egrep -v '^#|^$' /etc/ssh/sshd_config

would be straighter.
> HostKey /etc/ssh/ssh_host_rsa_key
> HostKey /etc/ssh/ssh_host_ecdsa_key
> SyslogFacility AUTHPRIV
> AuthorizedKeysFile .ssh/authorized_keys
> PasswordAuthentication yes
> ChallengeResponseAuthentication no
> GSSAPIAuthentication yes
> GSSAPICleanupCredentials yes
>
> So I performed a verbose ssh login, and this is what I saw:
>
>
> #ssh -vvv bluethundr at db1.example.com
>
> OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
>
> debug1: Reading configuration data /Users/MyUser/.ssh/config
Odd path.
> debug1: /Users/MyUser/.ssh/config line 4: Skipping Host block because of
> negated match for *.example.com
>
> debug1: Reading configuration data /etc/ssh_config
>
> debug1: /etc/ssh_config line 20: Applying options for *
>
> debug2: ssh_connect: needpriv 0
>
> debug1: Connecting to db1.example.com [104.131.222.29] port 22.
>
> debug1: Connection established.
>
> debug3: Incorrect RSA1 identifier
>
> debug3: Could not load "/Users/MyUser/.ssh/id_rsa" as a RSA1
public key
What's wrong there?

[ ... ]
> debug1: Local version string SSH-2.0-OpenSSH_6.2
>
> debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7p1
> Debian-5
>
> debug1: match: OpenSSH_6.7p1 Debian-5 pat OpenSSH*
I don't see CentOS 7 involved here, neither local nor remote.

[ ... ]
> debug1: Offering RSA public key: /Users/MyUser/.ssh/id_rsa
>
> debug3: send_pubkey_test
>
> debug2: we sent a publickey packet, wait for reply
>
> debug1: Authentications that can continue: publickey,password
>
> debug1: Trying private key: /Users/MyUser/.ssh/id_dsa
>
> debug3: no such identity: /Users/MyUser/.ssh/id_dsa: No such file or
> directory
>
> debug2: we did not send a packet, disable method
>
> debug3: authmethod_lookup password
>
> debug3: remaining preferred: ,password
>
> debug3: authmethod_is_enabled password
>
> debug1: Next authentication method: password
>
> bluethundr at db1.example.com's password:
>
>
> Can anyone give me a heads up as to why this is failing?
Read the syslog() logfile of the SSH daemon logging. That should give 
you a hint.
> Thanks,
>
> Tim
Alexander

Cool thanks! I'll check it out.

On Sat, Jul 18, 2015 at 9:56 PM, Alexander Dalloz <ad+lists at uni-x.org>
wrote:
> Am 19.07.2015 um 01:58 schrieb Tim Dunphy:
>
>> hey guys,
>>
>> Yesterday I had no trouble loggging into this database host. But today
for
>> some reason I can't log in using my RSA key and password
authentication
>> doesn't work either.
>>
>> I am able to log onto the host via console. And I was able to grab the
ssh
>> config file. Here it is:
>>
>> [root at db1 ~]# grep -v '#' /etc/ssh/sshd_config  |sed
'/^\s*$/d'
>>
>
> egrep -v '^#|^$' /etc/ssh/sshd_config
>
> would be straighter.
>
>  HostKey /etc/ssh/ssh_host_rsa_key
>> HostKey /etc/ssh/ssh_host_ecdsa_key
>> SyslogFacility AUTHPRIV
>> AuthorizedKeysFile .ssh/authorized_keys
>> PasswordAuthentication yes
>> ChallengeResponseAuthentication no
>> GSSAPIAuthentication yes
>> GSSAPICleanupCredentials yes
>>
>> So I performed a verbose ssh login, and this is what I saw:
>>
>>
>> #ssh -vvv bluethundr at db1.example.com
>>
>> OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
>>
>> debug1: Reading configuration data /Users/MyUser/.ssh/config
>>
>
> Odd path.
>
>  debug1: /Users/MyUser/.ssh/config line 4: Skipping Host block because of
>> negated match for *.example.com
>>
>> debug1: Reading configuration data /etc/ssh_config
>>
>> debug1: /etc/ssh_config line 20: Applying options for *
>>
>> debug2: ssh_connect: needpriv 0
>>
>> debug1: Connecting to db1.example.com [104.131.222.29] port 22.
>>
>> debug1: Connection established.
>>
>> debug3: Incorrect RSA1 identifier
>>
>> debug3: Could not load "/Users/MyUser/.ssh/id_rsa" as a RSA1
public key
>>
>
> What's wrong there?
>
> [ ... ]
>
>  debug1: Local version string SSH-2.0-OpenSSH_6.2
>>
>> debug1: Remote protocol version 2.0, remote software version
OpenSSH_6.7p1
>> Debian-5
>>
>> debug1: match: OpenSSH_6.7p1 Debian-5 pat OpenSSH*
>>
>
> I don't see CentOS 7 involved here, neither local nor remote.
>
> [ ... ]
>
>  debug1: Offering RSA public key: /Users/MyUser/.ssh/id_rsa
>>
>> debug3: send_pubkey_test
>>
>> debug2: we sent a publickey packet, wait for reply
>>
>> debug1: Authentications that can continue: publickey,password
>>
>> debug1: Trying private key: /Users/MyUser/.ssh/id_dsa
>>
>> debug3: no such identity: /Users/MyUser/.ssh/id_dsa: No such file or
>> directory
>>
>> debug2: we did not send a packet, disable method
>>
>> debug3: authmethod_lookup password
>>
>> debug3: remaining preferred: ,password
>>
>> debug3: authmethod_is_enabled password
>>
>> debug1: Next authentication method: password
>>
>> bluethundr at db1.example.com's password:
>>
>>
>> Can anyone give me a heads up as to why this is failing?
>>
>
> Read the syslog() logfile of the SSH daemon logging. That should give you
> a hint.
>
>  Thanks,
>>
>> Tim
>>
>
> Alexander
>
>
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>


-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B