SSH without a password not working (Public Key)

Hi,

I am trying to set up some unattended backups to my server using an SSH public key, but every time I try to SSH in I get prompted for my password. These are the steps I followed...

1. I created my public key on my client system using the following command:

ssh-keygen -t dsa

I left the passphrase empty

2. I verified that my private and public key were created in ~/.ssh
3. On my home directory on my server I created the folder .ssh and set the permissions to 0700, and the authorized_keys file with the permissions of 0600.
4. I next used the command

ssh remote_host "echo $(cat ~/.ssh/id_dsa.pub) >> ~/.ssh/authorized_keys"

5. I next verified that my key was added to authorized_keys file on the server.
6. Then I try to ssh, but I am still asked for a password.

I have set this up many times on my Linux server without an issue. Is there something in the ssh_config file that I need to change on OS X Server 10.5.8?

Thanks!

Mac Pro, Mac OS X (10.5.8)

Posted on Sep 30, 2009 1:19 PM


Oct 19, 2009 5:35 PM in response to ScottMSEM

I had the same problem, and the +ssh -vv+ suggestion was very helpful (thanks jaydisc!).

I found this, based on ScottMSEM's suggestion that it was an OpenSSH issue:
http://www.openssh.com/faq.html#3.14

After running +chmod 600 ~/.ssh/authorized_keys+ the login went fine. Since you (Scott) seem to have the same 644 perms on authorized_keys as I did, I suspect this might help you as well.

Good luck!
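With StrictModes enabled (the sshd default), sshd ignores authorized_keys when the file, ~/.ssh or the home directory is writable by group or others, or is owned by someone other than the user or root. The script below is an added example, not part of the original posts, that runs the same check; the function names are hypothetical.

```sh
#!/bin/sh
# Added example: audit the path to authorized_keys the way sshd's
# StrictModes does. check_path and audit_ssh_dir are hypothetical names.

# Report one path; return 1 if it is missing, owned by a uid other than
# $2 or root, or writable by group or others.
check_path() {
    path=$1 want_uid=$2
    if [ ! -e "$path" ]; then
        echo "MISSING  $path"; return 1
    fi
    # "ls -ldn" prints the mode string and numeric owner on macOS and Linux.
    set -- $(ls -ldn "$path" | awk '{print $1, $3}')
    mode=$1 uid=$2
    if [ "$uid" != "$want_uid" ] && [ "$uid" != 0 ]; then
        echo "OWNER    $path (uid $uid)"; return 1
    fi
    # Characters 6 and 9 of "drwxrwxrwx" are the group and other write bits.
    if [ "$(printf '%s\n' "$mode" | cut -c6)" = w ] ||
       [ "$(printf '%s\n' "$mode" | cut -c9)" = w ]; then
        echo "WRITABLE $path ($mode)"; return 1
    fi
    echo "ok       $path ($mode)"
}

# Check home, .ssh and authorized_keys; return 0 only if all three pass.
# $2 (expected owner uid) defaults to the current user.
audit_ssh_dir() {
    home=$1 want=${2:-$(id -u)} rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        check_path "$p" "$want" || rc=1
    done
    return "$rc"
}

# With an argument, audit that home directory. Without one, audit a
# constructed sample tree whose .ssh directory is group-writable.
if [ "$#" -gt 0 ]; then
    audit_ssh_dir "$1"
else
    demo=$(mktemp -d)
    mkdir "$demo/.ssh" && chmod 770 "$demo/.ssh"
    : > "$demo/.ssh/authorized_keys" && chmod 600 "$demo/.ssh/authorized_keys"
    audit_ssh_dir "$demo" || echo "sshd with StrictModes would skip this file"
    rm -rf "$demo"
fi
```

Run it on the server as the account that owns the key, passing that account's home directory as the argument.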

Oct 20, 2009 9:13 AM in response to foilpan

I tried to change the permissions to 600 on my authorized_keys, but I still get prompted. As I mentioned in an earlier post, I reinstalled 10.5 server on a VMWare test, and had no problems setting up SSH keys. It is pretty clear that something has changed on my install. That being said, I have copied and pasted the full results of my ssh -vv attempt. Please let me know if you see anything...

OpenSSH_5.2p1, OpenSSL 0.9.8k 25 Mar 2009
debug1: Reading configuration data /etc/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to 192.168.1.5 [192.168.1.5] port 22.
debug1: Connection established.
debug1: identity file /Users/sford/.ssh/identity type -1
debug1: identity file /Users/sford/.ssh/id_rsa type -1
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug2: key_type_from_name: unknown key type 'Proc-Type:'
debug2: key_type_from_name: unknown key type 'DEK-Info:'
debug2: key_type_from_name: unknown key type '-----END'
debug1: identity file /Users/sford/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1
debug1: match: OpenSSH_5.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.2
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 123/256
debug2: bits set: 526/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '192.168.1.5' is known and matches the RSA host key.
debug1: Found key in /Users/sford/.ssh/known_hosts:1
debug2: bits set: 541/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /Users/sford/.ssh/id_dsa (0x100124fd0)
debug2: key: /Users/sford/.ssh/identity (0x0)
debug2: key: /Users/sford/.ssh/id_rsa (0x0)
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /Users/sford/.ssh/id_dsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Trying private key: /Users/sford/.ssh/identity
debug1: Trying private key: /Users/sford/.ssh/id_rsa
debug2: we did not send a packet, disable method
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
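
One way to triage `ssh -v` output like the log above, as an added example that is not part of the original posts: it reports, for each key the client offered, whether the server accepted or rejected it. A `rejected` verdict means the server refused that key for the account, which points at the server side (authorized_keys contents, ownership and modes, or sshd policy) rather than at the client's key selection. The function names are hypothetical and the sample lines are copied from the log above.

```sh
#!/bin/sh
# Added example: summarise what happened to each key a client offered,
# from "ssh -v" output. pubkey_verdicts and sample_log are hypothetical names.

# Read ssh debug output on stdin; print one "<verdict> <keyfile>" per offer.
pubkey_verdicts() {
    awk '
        /^debug1: Offering public key:/ {
            if (key != "") print "no-reply " key   # previous offer unanswered
            key = $5; next
        }
        # Server sent PK_OK: this key is listed for the account.
        key != "" && /^debug1: Server accepts key/ {
            print "accepted " key; key = ""; next
        }
        # Server answered the offer with a failure and the remaining methods.
        key != "" && /^debug1: Authentications that can continue:/ {
            print "rejected " key; key = ""; next
        }
        END { if (key != "") print "no-reply " key }
    '
}

# Constructed sample: the publickey exchange from the log above.
sample_log() {
    cat <<'EOF'
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /Users/sford/.ssh/id_dsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Trying private key: /Users/sford/.ssh/identity
EOF
}

sample_log | pubkey_verdicts
```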

Oct 20, 2009 7:51 PM in response to ScottMSEM

adding another -v gave me a clue. to be certain, i tested the exact same scenario you mentioned in your initial post. generated a new dsa key, copied it to authorized_keys on the server, verified perms, etc.

basically, it looks like the ssh client wants to send id_dsa by default, but i named my key id testdsa. specifying the key like this allowed passwordless logon:

ssh -i ~/.ssh/id testdsa -vvv user@server.example.com

so either you can track down what's changed with the ssh client config, or you can specify this in your personal config file under ~/.ssh.

i'll poke around a bit and see what i can find here.

Oct 20, 2009 8:37 PM in response to foilpan

scratch my earlier test. i generated a new dsa key, copied it to the same 10.5.8 server with no other modifications, and logged in without trouble.

were you able to login before with a password when the keys failed for you?

did you check the service acl in server admin? be sure you're allowing ssh for the user in question, or at least not denying access with a sacl.

Oct 20, 2009 10:08 PM in response to foilpan

I have always been able to login with a password via ssh. I only recently decided to set up keys so I could create some scripts for unattended backups. I am just not sure what was modified to screw things up. My ssh_config file is still in the default. It is very strange. I feel as though I've put enough time trying to find the problem. I know a reinstall of the OS fixes the issue, so that is where I am headed.
