
SSH with RSA/DSA key permission denied

I'm having problems ssh-ing into my Mac with an RSA or DSA key. I'm more or less following the instructions at http://www-128.ibm.com/developerworks/library/l-keyc.html, but I'm also modifying /etc/sshd_config to not allow password authentication as detailed by http://howto.diveintomark.org/remote-mac/ (a movie, unfortunately). I've tried both DSA and RSA keys (which is better, by the way?). Any time I try to log in from the remote machine (a Linux box running Fedora Core 2) it asks me for my key's password, then says "Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).".

Everything works just fine if I use password authentication, after editing /etc/sshd_config to allow it, so it would seem it's not firewalls or something like that.

Does anyone have any idea about where I'm going wrong?

A run with the -v flag is below in case it helps someone:

<pre class=command>-bash-3.1$ ssh -v -l [myusername] [my.Mac's.address]
OpenSSH_4.3p2, OpenSSL 0.9.8a 11 Oct 2005
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to [my.Mac's.address] [my.Mac's.I.P] port 22.
debug1: Connection established.
debug1: identity file /u1/cs2/saw4/.ssh/identity type -1
debug1: identity file /u1/cs2/saw4/.ssh/id_rsa type -1
debug1: identity file /u1/cs2/saw4/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_4.5
debug1: match: OpenSSH_4.5 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '[my.Mac's.address]' is known and matches the RSA host key.
debug1: Found key in /u1/cs2/saw4/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive
debug1: Next authentication method: gssapi-with-mic
debug1: Miscellaneous failure
No credentials cache found

debug1: Miscellaneous failure
No credentials cache found

debug1: Next authentication method: publickey
debug1: Trying private key: /u1/cs2/saw4/.ssh/identity
debug1: Trying private key: /u1/cs2/saw4/.ssh/id_rsa
debug1: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
Enter passphrase for key '/u1/cs2/saw4/.ssh/id_rsa':
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive
debug1: Trying private key: /u1/cs2/saw4/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).</pre>

MacBook Pro Mac OS X (10.4.9)


Posted on May 17, 2007 3:48 PM


May 18, 2007 12:45 AM in response to ScottAS2

The problem clearly lies here:

<pre class=command>debug1: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown></pre>

This means that your private key is invalid for some reason. It's not possible to tell from here. One option would be to recreate the keys:

<pre class=command>ssh-keygen -t dsa -f ~/.ssh/id_dsa -C "whatever comment"</pre>

and re-copy the public key to the authorized_keys file on the server.

May 25, 2007 9:40 AM in response to ScottAS2

You don't need to alter the ssh config for it to work.

This may result from a problem with DNS in your localnet. Make sure your router or modem has access to DNS on the internet.
http://forums.macosxhints.com/showthread.php?t=54418

Also, check the system.log on the target machine. It's possible permissions are wrong on some path component of one machine. ssh is finicky that way and no error is reported except in the system log.
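The path-permission point in the reply above, as an added example that is not part of the original thread: with sshd's `StrictModes` option (on by default), public-key login is refused when the home directory, `~/.ssh` or `authorized_keys` is writable by group or others, or is owned by someone other than the user or root. The function names below are hypothetical, and the script assumes the three paths are not symlinks.

```shell
#!/bin/sh
# Added example (not from the thread): list the paths that would make sshd's
# StrictModes check reject ~/.ssh/authorized_keys. Run it on the server side.

# mode_of PATH -> the 10-character mode string from ls, e.g. drwxr-xr-x
mode_of() {
    ls -ldn "$1" | cut -c1-10
}

# owner_of PATH -> numeric uid of the owner
owner_of() {
    ls -ldn "$1" | awk '{print $3}'
}

# writable_by_others PATH -> succeeds if the group or world write bit is set
writable_by_others() {
    m=$(mode_of "$1")
    [ "$(printf '%s' "$m" | cut -c6)" = "w" ] ||
        [ "$(printf '%s' "$m" | cut -c9)" = "w" ]
}

# check_ssh_perms HOME_DIR [UID] -> prints one line per problem;
# returns 0 when all three paths pass, 1 otherwise.
check_ssh_perms() {
    home=$1
    uid=${2:-$(id -u)}
    bad=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING  $p"
            bad=1
            continue
        fi
        owner=$(owner_of "$p")
        if [ "$owner" != "$uid" ] && [ "$owner" != 0 ]; then
            echo "OWNER    uid $owner owns $p (expected $uid or 0)"
            bad=1
        fi
        if writable_by_others "$p"; then
            echo "WRITABLE $(mode_of "$p") $p (fix: chmod go-w)"
            bad=1
        fi
    done
    return "$bad"
}

# Stand-alone use: sh check.sh /Users/yourname
if [ "$#" -gt 0 ]; then check_ssh_perms "$@"; fi
```
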

May 25, 2007 10:20 AM in response to Gnarlodious

I know I don't need to alter ssh_config; I'm merely doing that to turn password authentication off; my login password isn't good enough to stand up to an attack.

I've added DNS servers to my Mac and router configuration (no success), but I'm not sure how that could be causing problems - it works fine with password authentication when it's turned on; it's only when I use public/private key authentication that I get problems. Although I don't have access to another computer on the local network, I've tried ssh-ing into the localhost, with identical results.

Finally, there's not a mention of anything remotely connected to ssh in system.log.
