Well, I thought I had this problem by launching the server with the same
user I am trying to ssh with, and that fixed it in development but when
I deploy the application I still get authentication errors trying to
connect with psks.
I have checked that the application user can access the private key from
the host machine by logging the results of:
File.stat( '/home/testuser/.ssh/id_dsa' ).readable?
and
File.stat( '/home/testuser/.ssh/id_dsa' ).owned?
Here are the permissions of the .ssh directory on the host and target
machines:
[testuser@hostserver .ssh]$ ls -al
total 20
drwx------ 2 testuser testuser 4096 Jul 21 17:02 .
drwx------ 3 testuser testuser 4096 Jul 21 17:02 ..
-rw------- 1 testuser testuser 668 Jul 21 17:02 id_dsa
-rw------- 1 testuser testuser 614 Jul 21 17:02 id_dsa.pub
-rw-r--r-- 1 testuser testuser 237 Jul 21 17:02 known_hosts
Here is the output of 'ssh -vv my.target.host':
OpenSSH_3.8p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7a Feb 19 2003
debug1: Reading configuration data /usr/etc/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to my.target.host [10.100.0.71] port 22.
debug1: Connection established.
debug1: identity file /home/testuser/.ssh/identity type -1
debug1: identity file /home/testuser/.ssh/id_rsa type -1
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug2: key_type_from_name: unknown key type '-----END'
debug1: identity file /home/testuser/.ssh/id_dsa type 2
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.6.1p2
debug1: match: OpenSSH_3.6.1p2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.8p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 128/256
debug2: bits set: 502/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'my.target.host' is known and matches the RSA host key.
debug1: Found key in /home/testuser/.ssh/known_hosts:1
debug2: bits set: 490/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/testuser/.ssh/identity ((nil))
debug2: key: /home/testuser/.ssh/id_rsa ((nil))
debug2: key: /home/testuser/.ssh/id_dsa (0x808b078)
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /home/testuser/.ssh/identity
debug1: Trying private key: /home/testuser/.ssh/id_rsa
debug1: Offering public key: /home/testuser/.ssh/id_dsa
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-dss blen 433
debug2: input_userauth_pk_ok: fp 46:da:84:86:a6:d3:70:5f:2a:e7:ac:38:92:e5:24:cd
debug1: read PEM private key done: type DSA
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug2: channel 0: send open
debug1: Entering interactive session.
debug2: callback start
debug2: ssh_session2_setup: id 0
debug2: channel 0: request pty-req
debug2: channel 0: request shell
debug2: fd 3 setting TCP_NODELAY
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel 0: rcvd adjust 131072
Any further ideas would be appreciated.
Other environment info:
ruby 1.8.4 ( on osx tiger and RHEL3 )
web application written with rails 1.1.2
net-ssh (1.0.9)
Please let me know if I can provide any other info to help track this
problem down as I am stuck.
Thanks in advance,
-Jesse

With 1.0.9 net/ssh I get:
irb(main):008:0> s = Net::SSH.start( 'jboss',
'zdennis' ) do |session| ;
end; true
Enter password for /home/zdennis/.ssh/id_dsa:
=> true
You say it works for your app's user account via command line? Are you
switching to that user, and ssh'ing into the server box?
Can you become that user and give us output of:
ssh -vv user@server
What are the permissions for the .ssh directory and files for your
app's account for both client and server?
Zach
Jesse Clark wrote:
>> Hello All,
>>
>> I am having a problem getting Net::SSH to authenticate using preshared
>> keys and was wondering if anyone could offer some insight as to what
>> might be causing it.
>>
>> I have two users on my development box ( running os X ), one is my
>> normal account, one is an account I created for the application to use.
>>
>> I used 'ssh-keygen -t dsa' to generate key pairs for both users.
>>
>> The permissions for all items in both .ssh directories are exactly
>> the same.
>>
>> I have two accounts on my remote testing machine ( RHEL3 ) with
>> identical usernames to those on the development machine. For each of the
>> accounts on the remote machine I added the contents of id_dsa.pub from
>> each of the local accounts to .ssh/authorized_keys on the corresponding
>> remote accounts.
>>
>> I can successfully ssh without being prompted for a password using ssh
>> on the command line from both accounts on the development machine.
>>
>> However, when I attempt to connect from within my application using:
>>
>> Net::SSH.start( 'my.remote.host', 'user' ) do |session|
>> ...
>> end
>>
>> I can successfully connect with my normal user account, but the account
>> I created for the application to use gives:
>>
>> Net::SSH::AuthenticationFailed in DriversController#test_ssh
>>
>> /opt/local/lib/ruby/gems/1.8/gems/net-ssh-1.0.9/lib/net/ssh/session.rb:129:in `initialize'
>> /opt/local/lib/ruby/gems/1.8/gems/net-ssh-1.0.9/lib/net/ssh.rb:47:in `start'
>> #{RAILS_ROOT}/app/controllers/drivers_controller.rb:166:in `test_ssh'
>>
>> This is very puzzling since I can connect successfully from the command
>> line.
>>
>> I have checked and double checked permissions and groups and every other
>> possible difference between the two accounts on the remote machine to
>> make sure the accounts are set up identically.
>>
>> I also tried creating a third set of users and keys which also fails.
>>
>> I have also verified that I can connect using the form of Net::SSH.start
>> which takes the password.
>>
>> Sorry for the long-winded post. Any help would be much appreciated as I
>> would prefer not to store passwords in application code.
>>
>> Thanks,
>> -Jesse
>> _______________________________________________
>> Net-ssh-users mailing list
>> Net-ssh-users@rubyforge.org
>> http://rubyforge.org/mailman/listinfo/net-ssh-users

Jesse Clark wrote:
> Here are the permissions of the .ssh directory on the host and target
> machines:
>
> [testuser@hostserver .ssh]$ ls -al
> total 20
> drwx------ 2 testuser testuser 4096 Jul 21 17:02 .
> drwx------ 3 testuser testuser 4096 Jul 21 17:02 ..
> -rw------- 1 testuser testuser 668 Jul 21 17:02 id_dsa
> -rw------- 1 testuser testuser 614 Jul 21 17:02 id_dsa.pub
> -rw-r--r-- 1 testuser testuser 237 Jul 21 17:02 known_hosts

chmod a+r id_dsa.pub

And try it again

Zach
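An added diagnostic, not code from the thread or from net-ssh: it applies the readable?/owned? checks Jesse logged to every file Net::SSH would open, judging readability from the file mode for an arbitrary uid so the deployed application account's view can be compared with the key owner's without switching users, then repeats the checks after the `chmod a+r id_dsa.pub` Zach suggests. The helper names (`readable_by?`, `check_ssh_dir`, `demo`) and the key-file contents are my own constructions.

```ruby
require 'tmpdir'

# Identity files Net::SSH 1.x (like ssh) looks for under ~/.ssh.
IDENTITY_FILES = %w[identity id_rsa id_dsa].freeze

# Can a process with this uid and supplementary gids read the file? Judged
# from the stat alone, so another account's view can be computed without
# switching users (File.readable? only answers for the current process).
def readable_by?(st, uid, gids)
  return true if uid.zero? # root ignores mode bits
  bits = if st.uid == uid then 0400
         elsif gids.include?(st.gid) then 0040
         else 0004
         end
  (st.mode & bits) != 0
end

# Problems that would stop the given account from using the keys in ssh_dir;
# an empty list means the directory looks usable for public key auth.
def check_ssh_dir(ssh_dir, uid = Process.euid, gids = Process.groups)
  return ["#{ssh_dir}: does not exist"] unless File.directory?(ssh_dir)
  st = File.stat(ssh_dir)
  problems = []
  problems << "#{ssh_dir}: not owned by uid #{uid}" if st.uid != uid
  problems << format('%s: mode %04o is group/world accessible', ssh_dir, st.mode & 07777) if (st.mode & 0077) != 0
  IDENTITY_FILES.each do |name|
    priv = File.join(ssh_dir, name)
    next unless File.file?(priv)
    pst = File.stat(priv)
    problems << "#{priv}: not owned by uid #{uid}" if pst.uid != uid
    problems << "#{priv}: not readable by uid #{uid}" unless readable_by?(pst, uid, gids)
    # ssh refuses to use a private key that other accounts can read
    problems << format('%s: mode %04o is group/world readable', priv, pst.mode & 07777) if (pst.mode & 0044) != 0
    pub = "#{priv}.pub" # the public half is what gets offered to the server
    problems << "#{pub}: missing or not readable by uid #{uid}" unless File.file?(pub) && readable_by?(File.stat(pub), uid, gids)
  end
  problems
end

# Constructed fixture reproducing the listing in the thread (0700 .ssh, 0600
# id_dsa and id_dsa.pub), checked for the owner and for another uid, before
# and after `chmod a+r id_dsa.pub`. Returns [[owner, other], [owner, other]].
def demo(owner_uid, other_uid, gids = [])
  Dir.mktmpdir do |dir|
    File.chmod(0700, dir)
    File.write(File.join(dir, 'id_dsa'), "-----BEGIN DSA PRIVATE KEY-----\nconstructed, not a real key\n")
    File.write(File.join(dir, 'id_dsa.pub'), "ssh-dss AAAAconstructed testuser@hostserver\n")
    File.chmod(0600, File.join(dir, 'id_dsa'), File.join(dir, 'id_dsa.pub'))
    before = [owner_uid, other_uid].map { |u| check_ssh_dir(dir, u, gids) }
    File.chmod(0644, File.join(dir, 'id_dsa.pub'))
    after = [owner_uid, other_uid].map { |u| check_ssh_dir(dir, u, gids) }
    [before, after]
  end
end
```

Run `p demo(Process.euid, Process.euid + 1)` to see the four problem lists; against a real deployment, call `check_ssh_dir('/home/testuser/.ssh', <app uid>, <app gids>)` with the account the server actually runs as.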