Article:
  SSH on Mac OS X for Worry-Free Wireless
Subject:   SSH Problem with Instructions
Date:   2001-11-22 08:21:08
From:   cochella
Great article; clear concise.


However, I am unable to repeat the SSH public/private key login process.


I following the instructions exactly and was always prompted for a password and not a passphrase (I chose to provide a passphrase).


The closest I can get to being prompted for a passphrase (I also get prompted for a password after entering the passphrase) is to do a few changes:


1. On the remote host put the public id_dsa.pub key in .ssh2/ and create a file called "authorization" that contains "Key id_dsa.pub". This is for multiple keys I believe.


2. Edit the id_dsa.pub key on local and remote to remove "ssh-dss" at the beginning of the key file and the "username@localhost" at the end of the key file.


After doing all of this I still get the following session:


ssh -l chris hostname.com
Enter passphrase for key '/Users/cochella/.ssh/identity':
chris@hostname.com's password:
Last login: Thu Nov 22 09:28:36 2001 from 166.70.174.201
[chris@server1 cochella]$



If I understand everything this means that passphrase encryption (based on the keys) did not take place and a lesser form of encryption via the password was executed. Is this correct?


How can I fix this?


I have been forward and backward with all possible combinations and verifying passwords.


Thank you,


Chris


Local System: Mac OSX 10.1
Remote System: RedHat 6.2 running openssh

Full Threads Oldest First

Showing messages 1 through 10 of 10.

  • SSH Problem with Instructions
    2001-11-26 19:22:35  res [View]


    1. On the remote host put the public id_dsa.pub key in .ssh2/ and create
    a file called "authorization" that contains "Key id_dsa.pub". This is for
    multiple keys I believe.


    No; this is the convention used by the SSH server from HREF="http://www.ssh.com/">ssh.com. It will not work with OpenSSH
    (which is what you say is running on the server). And if the server
    were ssh.com, you would need to convert the key format in any
    case.


    2. Edit the id_dsa.pub key on local and remote to remove "ssh-dss" at the
    beginning of the key file and the "username@localhost" at the end of the
    key file.


    The "username@localhost" is a comment and removing it does no harm, but
    the leading "ssh-dss" is part of the key format, and removing it will
    break the file.


    After doing all of this I still get the following session:
    ssh -l chris hostname.com
    Enter passphrase for key '/Users/cochella/.ssh/identity':
    chris@hostname.com's password:
    Last login: Thu Nov 22 09:28:36 2001 from 166.70.174.201
    [chris@server1 cochella]$

    If I understand everything this means that passphrase encryption (based on
    the keys) did not take place and a lesser form of encryption via the
    password was executed. Is this correct?


    There are a couple bits of confusion here.



    1. The name of the key file implies that the connection is using SSH
      protocol version 1 (you can see this more specifically using ssh -v
      ...
      . The key you generated can only be used with protocol 2, so
      public-key authentication will not work. Even if the server supports
      protocol 2, the version of OpenSSH which comes with OSX (2.3.0) will choose
      protocol 1 if it's available (this default was changed in OpenSSH-2.9).
      Try ssh -2 ....

    2. The client authentication method you employ has no bearing on what
      kind of encryption protects the session. All session encryption
      parameters are in fact negotiated and put into use before client
      authentication even takes place.




    +-----------------------------------------------------------------------------+
    | Richard Silverman | co-author: SSH, The Secure Shell (The Definitive Guide) |
    | slade@shore.net | O'Reilly, 2001 -- http://www.oreilly.com/catalog/sshtdg |
    +-----------------------------------------------------------------------------+

  • SSH Problem with Instructions
    2001-11-28 13:58:11  cochella [View]

    No; this is the convention used by the SSH server from HREF="http://www.ssh.com/">ssh.com. It will not work with OpenSSH
    (which is what you say is running on the server). And if the server
    were ssh.com, you would need to convert the key format in any
    case.

    On the remote server there is OpenSSH and I was using the wrong convention; I did not realize there were different conventions--silly. The server OpenSSH version is: openssh-2.2.0p1-2

    So, I have changed conventions to thosethat your article describes: using .ssh with an authorized_keys2 file with the public key in this file on the remote machine.

    After making these changes I still only get password authentication:


    [localhost:~/.ssh] cochella% ssh -2 -l chris -i /Users/cochella/.ssh/identity cochella.com
    chris@myhostname.com's password:
    Last login: Wed Nov 28 15:01:07 2001 from 166.70.xxx.xxx
    [chris@server1 cochella]$

    As suggested I am trying to do version 2 with the switch "-2"


    So, I do not understand what the problem is?

    Any further advice would be most helpful.

    Thanks.

    Chris
    • SSH Problem with Instructions
      2001-11-28 15:20:30  res [View]


      Use "ssh -v ..." to see what it's doing.

      Why are you using -i to tell it to use the wrong key? As I pointed out last time, ~/.ssh/identity contains a protocol-1-only key.
      • SSH Problem with Instructions
        2001-12-31 07:02:22  cochella [View]

        Here is the -v output. It appears, from what I can understand, that public key authentication is taking place. But, I get asked for the password and not the passphrase.

        Thanks,

        Chris


        _________

        [localhost:~/.ssh] cochella% ssh -2 -v -l chris myhost.com
        OpenSSH_2.9p2, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
        debug1: Reading configuration data /etc/ssh_config
        debug1: Seeding random number generator
        debug1: Rhosts Authentication disabled, originating port will not be trusted.
        debug1: restore_uid
        debug1: ssh_connect: getuid 501 geteuid 501 anon 1
        debug1: Connecting to myhost.com [209.55.121.12] port 22.
        debug1: restore_uid
        debug1: restore_uid
        debug1: Connection established.
        debug1: identity file /Users/cochella/.ssh/id_rsa type -1
        debug1: identity file /Users/cochella/.ssh/id_dsa type 2
        debug1: Remote protocol version 1.99, remote software version OpenSSH_2.2.0p1
        debug1: match: OpenSSH_2.2.0p1 pat ^OpenSSH[-_]2\.[012]
        Enabling compatibility mode for protocol 2.0
        debug1: Local version string SSH-2.0-OpenSSH_2.9p2
        debug1: SSH2_MSG_KEXINIT sent
        debug1: SSH2_MSG_KEXINIT received
        debug1: kex: server->client 3des-cbc hmac-md5 none
        debug1: kex: client->server 3des-cbc hmac-md5 none
        debug1: dh_gen_key: priv key bits set: 197/384
        debug1: bits set: 524/1024
        debug1: sending SSH2_MSG_KEXDH_INIT
        debug1: expecting SSH2_MSG_KEXDH_REPLY
        debug1: Host 'myhost.com' is known and matches the DSA host key.
        debug1: Found key in /Users/cochella/.ssh/known_hosts2:3
        debug1: bits set: 506/1024
        debug1: len 55 datafellows 49296
        debug1: ssh_dss_verify: signature correct
        debug1: kex_derive_keys
        debug1: newkeys: mode 1
        debug1: SSH2_MSG_NEWKEYS sent
        debug1: waiting for SSH2_MSG_NEWKEYS
        debug1: newkeys: mode 0
        debug1: SSH2_MSG_NEWKEYS received
        debug1: done: ssh_kex2.
        debug1: send SSH2_MSG_SERVICE_REQUEST
        debug1: service_accept: ssh-userauth
        debug1: got SSH2_MSG_SERVICE_ACCEPT
        debug1: authentications that can continue: publickey,password
        debug1: next auth method to try is publickey
        debug1: try privkey: /Users/cochella/.ssh/id_rsa
        debug1: try pubkey: /Users/cochella/.ssh/id_dsa
        debug1: authentications that can continue: publickey,password
        debug1: next auth method to try is password
        chris@myhost.com's password:
        debug1: ssh-userauth2 successful: method password
        debug1: channel 0: new [client-session]
        debug1: channel_new: 0
        debug1: send channel open 0
        debug1: Entering interactive session.
        debug1: client_init id 0 arg 0
        debug1: channel request 0: shell
        debug1: channel 0: open confirm rwindow 0 rmax 32768
        Last login: Mon Dec 31 08:11:09 2001 from 166.55.565.65
        [chris@server1 cochella]$
      • SSH Problem with Instructions
        2001-11-30 05:05:10  ahinds [View]

        I too am having the same problem with automatic logins.

        I followed the instructions to the letter. Here is part of my session transcript. Any help would be appreciated. Thanks!

        ---
        [localhost:~/.ssh] ahinds% ssh -v xxx.com
        OpenSSH_2.9p2, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
        debug1: Reading configuration data /etc/ssh_config
        debug1: Seeding random number generator
        debug1: Rhosts Authentication disabled, originating port will not be trusted.
        debug1: restore_uid
        debug1: ssh_connect: getuid 501 geteuid 501 anon 1
        debug1: Connecting to xxx.com [xxx.xx.xxx.xx] port 22.
        debug1: restore_uid
        debug1: restore_uid
        debug1: Connection established.
        debug1: identity file /Users/ahinds/.ssh/identity type -1
        debug1: identity file /Users/ahinds/.ssh/id_rsa type -1
        debug1: identity file /Users/ahinds/.ssh/id_dsa type 2
        debug1: Remote protocol version 1.99, remote software version OpenSSH_2.9p2
        debug1: match: OpenSSH_2.9p2 pat ^OpenSSH
        Enabling compatibility mode for protocol 2.0
        debug1: Local version string SSH-2.0-OpenSSH_2.9p2
        debug1: SSH2_MSG_KEXINIT sent
        debug1: SSH2_MSG_KEXINIT received
        debug1: kex: server->client aes128-cbc hmac-md5 none
        debug1: kex: client->server aes128-cbc hmac-md5 none
        debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
        debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
        debug1: dh_gen_key: priv key bits set: 125/256
        debug1: bits set: 1049/2049
        debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
        debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
        debug1: Host 'xxx.com' is known and matches the RSA host key.
        debug1: Found key in /Users/ahinds/.ssh/known_hosts2:1
        debug1: bits set: 1012/2049
        debug1: ssh_rsa_verify: signature correct
        debug1: kex_derive_keys
        debug1: newkeys: mode 1
        debug1: SSH2_MSG_NEWKEYS sent
        debug1: waiting for SSH2_MSG_NEWKEYS
        debug1: newkeys: mode 0
        debug1: SSH2_MSG_NEWKEYS received
        debug1: done: ssh_kex2.
        debug1: send SSH2_MSG_SERVICE_REQUEST
        debug1: service_accept: ssh-userauth
        debug1: got SSH2_MSG_SERVICE_ACCEPT
        debug1: authentications that can continue: publickey,password,keyboard-interactive
        debug1: next auth method to try is publickey
        debug1: try privkey: /Users/ahinds/.ssh/identity
        debug1: try privkey: /Users/ahinds/.ssh/id_rsa
        debug1: try pubkey: /Users/ahinds/.ssh/id_dsa
        debug1: authentications that can continue: publickey,password,keyboard-interactive
        debug1: next auth method to try is password
        ahinds@xxx.com's password:
        • SSH Problem with Instructions
          2001-12-31 06:52:52  cochella [View]

          Have you found a solution yet?

          Thanks,

          Chris
          • SSH Problem with Instructions
            2007-04-02 08:32:59  bglnelissen [View]

            i have had the same problems, it worried me the whole day, one way was doing ok, the other way was asking my password.

            But now it is fixed. My problem where the permissions of my home folder, .ssh folder and the content of the .ssh folder.
            I did a (i can be wrong, if so corrent me but i dont know the default permissions of the home folder so i took 755)

            change the rights of EVERY file in my homefolder, this is done with the -R flag. It might be nicer if you dont use it at all and type (chmod 755 /Users/USERNAME/)
            $ chmod -R 755 /Users/USERNAME/

            change the permissions of the .ssh folder
            < code >$ chmod 700 ~/.ssh

            change the permissions of the .ssh folders content
            < code >$ chmod 600 ~/.ssh/*

            good luck.
          • SSH Problem with Instructions
            2002-04-29 11:44:47  hanspoo [View]

            Somebody found a solution to this ?

            Maybe RPM's.

            Hans Poo
            • SSH Problem with Instructions
              2002-05-10 21:12:37  bdharring [View]

              After a frustrating (hugely) night, I have finally cracked it on my setup... this is a stupid error but you cannot have world permissions set on at least the authorized_keys* files, and possibly on the local ./ssh/identity|rsa|dsa pubkeys.
              easy way to test this- on the intended system to log into, add to sshd_conf file the option StrictMode no .
              if this fixes it (try both ssh -1 and ssh -2 in case you have either protocol setup screwed up), then you should only have to remove the world readable permission.
              Good luck with it... I'm still struggling with it, but this at least got it to work for protocol 1.
              • SSH Problem with Instructions
                2003-05-12 12:13:49  anonymous2 [View]

                FROM HOME WHILE LOGGED IN AS MYSELF 'craig', I GENERATE SOME KEY PAIR:

                ssh-keygen -t dsa

                THEN I BECOME ROOT AND COPY MY KEYS TO MY ROOT ACCOUNT ALSO

                su -
                cd /var/root/.ssh
                cp ~craig/.ssh/id* .

                THEN I TRY MY PORT FORWARDING TO WORK MAIL SERVER, I CHANGED THE HOST NAME

                sudo ssh -2 -L 25:localhost:25 craig@work.example.com

                THE RESULT:
                surprisingly it no longer requires me to enter my root password for PORT FORWARDING on a PRIVILEDGED PORT.

                is this a security violoation.
                it always asked me for my root password prior to even trying to do port forwarding.

                -craig