5 Replies Latest reply: May 25, 2007 5:02 PM by Gnarlodious
ScottAS2 Level 1 (0 points)
I'm having problems ssh-ing into my Mac with an RSA or DSA key. I'm more or less following the instructions at http://www-128.ibm.com/developerworks/library/l-keyc.html, but I'm also modifying /etc/sshd_config to not allow password authentication as detailed by http://howto.diveintomark.org/remote-mac/ (a movie, unfortunately). I've tried both DSA and RSA keys (which is better, by the way?). Any time I try to log in from the remote machine (a Linux box running Fedora Core 2) it asks me for my key's password, then says "Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).".

Everything works just fine if I use password authentication, after editing /etc/sshd_config to allow it, so it would seem it's not firewalls or something like that.

Does anyone have any idea about where I'm going wrong?

A run with the -v flag is below in case it helps someone:

<pre class=command>-bash-3.1$ ssh -v -l [myusername] [my.Mac's.address]
OpenSSH_4.3p2, OpenSSL 0.9.8a 11 Oct 2005
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to [my.Mac's.address] [my.Mac's.I.P] port 22.
debug1: Connection established.
debug1: identity file /u1/cs2/saw4/.ssh/identity type -1
debug1: identity file /u1/cs2/saw4/.ssh/id_rsa type -1
debug1: identity file /u1/cs2/saw4/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_4.5
debug1: match: OpenSSH_4.5 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '[my.Mac's.address]' is known and matches the RSA host key.
debug1: Found key in /u1/cs2/saw4/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive
debug1: Next authentication method: gssapi-with-mic
debug1: Miscellaneous failure
No credentials cache found

debug1: Miscellaneous failure
No credentials cache found

debug1: Next authentication method: publickey
debug1: Trying private key: /u1/cs2/saw4/.ssh/identity
debug1: Trying private key: /u1/cs2/saw4/.ssh/id_rsa
debug1: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
Enter passphrase for key '/u1/cs2/saw4/.ssh/id_rsa':
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive
debug1: Trying private key: /u1/cs2/saw4/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).</pre>

MacBook Pro   Mac OS X (10.4.9)  

  • 1. Re: SSH with RSA/DSA key permission denied
    Camelot Level 8 (45,790 points)
    The problem clearly lies here:

    <pre class=command>debug1: PEM_read_PrivateKey failed
    debug1: read PEM private key done: type <unknown></pre>

    This means that your private key is invalid for some reason. It's not possible to tell from here. One option would be to recreate the keys:

    <pre class=command>ssh-keygen -t dsa -f ~/.ssh/id_dsa -C "whatever comment"</pre>

    and re-copy the public key to the authorized_keys file on the server.
  • 2. Re: SSH with RSA/DSA key permission denied
    ScottAS2 Level 1 (0 points)
    That doesn't do it for me, unfortunately. I've tried using both ssh-keygen on my Mac and the remote computer.
  • 3. Re: SSH with RSA/DSA key permission denied
    Gnarlodious Level 4 (3,220 points)
    You don't need to alter the ssh config for it to work.

    This may result from a problem with DNS in your localnet. Make sure your router or modem has access to DNS on the internet.
    http://forums.macosxhints.com/showthread.php?t=54418

    Also, check the system.log on the target machine. It's possible permissions are wrong on some path component of one machine. ssh is finicky that way and no error is reported except in the system log.
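
The path-permission problem raised in the reply above can be checked directly on the target machine. This is an added example, not part of the original thread: a shell function (`check_ssh_perms` is a hypothetical name) that approximates sshd's StrictModes test on the home directory, `~/.ssh` and `authorized_keys`, assuming it is run as the account being logged into.

```shell
#!/bin/sh
# Added example: approximate the sshd StrictModes test for public-key login.
# With StrictModes on, sshd ignores authorized_keys if the file, ~/.ssh or
# the home directory is group/world-writable or owned by someone other than
# the user (sshd also accepts root ownership; this sketch flags it, so run
# it as the login account and judge root-owned paths by hand).
# Usage: check_ssh_perms "$HOME"
# Prints one line per problem; returns 0 if clean, 1 otherwise.
check_ssh_perms() {
    home=$1
    rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING  $p"
            rc=1
            continue
        fi
        if [ ! -O "$p" ]; then
            echo "NOTOWNED $p"
            rc=1
        fi
        # Mode string from ls -ld, e.g. drwxr-xr-x:
        # character 6 is group-write, character 9 is other-write.
        mode=$(ls -ld "$p" | cut -c1-10)
        gw=$(printf '%s' "$mode" | cut -c6)
        ow=$(printf '%s' "$mode" | cut -c9)
        if [ "$gw" = "w" ] || [ "$ow" = "w" ]; then
            echo "WRITABLE $mode $p"
            rc=1
        fi
    done
    return $rc
}
```

Any `WRITABLE` line is fixed with `chmod go-w` on the path shown; a `MISSING` line for `authorized_keys` means the public key was never installed for that account.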
  • 4. Re: SSH with RSA/DSA key permission denied
    ScottAS2 Level 1 (0 points)
    I know I don't need to alter ssh_config; I'm merely doing that to turn password authentication off; my login password isn't good enough to stand up to an attack.

    I've added DNS servers to my Mac and router configuration (no success), but I'm not sure how that could be causing problems - it works fine with password authentication when it's turned on; it's only when I use public/private key authentication that I get problems. Although I don't have access to another computer on the local network, I've tried ssh-ing into the localhost, with identical results.

    Finally, there's not a mention of anything remotely connected to ssh in system.log.
  • 5. Re: SSH with RSA/DSA key permission denied
    Gnarlodious Level 4 (3,220 points)
    I wonder if you should reboot to force the DNS server to activate?