SSH with RSA2 Keys (Putty) "Server refused our key"



nase1337
03-Dec-2014, 13:18
Hi Guys,
I tried to log in to my server with the public/private keys. But everything I tried failed :confused:


Client: Windows 8
Server: SLES11
Putty and Puttygen



On my Windows Client, I generated my public and private keys with puttygen and copied the public key into the authorized_keys file in my home directory

/home/user/.ssh/authorized_keys

This is my public key:

---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-20141203"
AAAAB3NzaC1yc2EAAAABJQAAAIEAmQrj3yGt8FhgRmcYhPc1lqVEmAPFT+7ifc5X
EeG2IWRhsNIJVSDcHJXBSPborrvFZHEZwggMVZZBzXH63MlxCMhb2CcYc6ck3Co7
kmStXV4ov28w4uDEe60t0qFCyQkqyy/dyrnBngSezS9lz7nCPstotZhkfKlGcJd0
LVgDEIc=
---- END SSH2 PUBLIC KEY ----


So, I read that I have to remove the first two lines and the last one and add on the first line a "ssh-rsa "

That is what I have now:

ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAmQrj3yGt8FhgRmcYhPc1lqVEmAPFT+7ifc5XEeG2IWRhsNIJVSDcHJXBSPborrvFZHEZwggMVZZBzXH63MlxCMhb2CcYc6ck3Co7kmStXV4ov28w4uDEe60t0qFCyQkqyy/dyrnBngSezS9lz7nCPstotZhkfKlGcJd0LVgDEIc=

All in one line.
And I made these changes:

chmod 700 /.ssh
chmod 600 /.ssh/authorized_keys

In Putty I select my private key file and try to log in, but the server sends a "Server refused our key" and I don't know what I have to do...

I took a look at my sshd_config and tried to change some options:

The SSHD_config:

# $OpenBSD: sshd_config,v 1.89 2013/02/06 00:20:42 dtucker Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

RSAAuthentication yes
PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile ~/.ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable support for the deprecated 'gssapi' authentication
# mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included
# in this release. The use of 'gssapi' is deprecated due to the presence of
# potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.
#GSSAPIEnableMITMAttack no


# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation sandbox # Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem sftp /usr/lib64/ssh/sftp-server

# This enables accepting locale enviroment variables LC_* LANG, see sshd_config(5).
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL

# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server




A reload/restart of sshd doesn't change anything. What can I do? Where is my mistake? I have no idea...

Thank you in advance :)
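
The conversion described in the post (drop the BEGIN/END markers and the Comment header, join the base64 lines, prefix the key type) can be done mechanically and checked at the same time: the key type is also stored inside the base64 blob, so a converter can confirm that the line it writes is self-consistent and report the key size. The Python script below is an added example, not part of the original post; the only input is the public key posted above, with the spaces the forum inserted into the long lines removed. On the server, `ssh-keygen -i -f keyfile.pub` performs the same conversion.

```python
import base64
import struct

# The RFC 4716 ("SSH2 PUBLIC KEY") block from the post above. The forum had
# inserted spaces into the long base64 lines; they are removed here.
RFC4716_KEY = """\
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-20141203"
AAAAB3NzaC1yc2EAAAABJQAAAIEAmQrj3yGt8FhgRmcYhPc1lqVEmAPFT+7ifc5X
EeG2IWRhsNIJVSDcHJXBSPborrvFZHEZwggMVZZBzXH63MlxCMhb2CcYc6ck3Co7
kmStXV4ov28w4uDEe60t0qFCyQkqyy/dyrnBngSezS9lz7nCPstotZhkfKlGcJd0
LVgDEIc=
---- END SSH2 PUBLIC KEY ----
"""

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"


def parse_rfc4716(text):
    """Split an RFC 4716 public key file into (headers, base64 body).

    Header lines look like 'Name: value' and may be continued on the next
    line with a trailing backslash; every other line between the markers
    is base64 key data, which is joined into one string.
    """
    lines = [ln.rstrip("\r") for ln in text.strip().splitlines()]
    if not lines or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an RFC 4716 public key block")
    headers, body = {}, []
    i = 1
    while i < len(lines) - 1:
        line = lines[i]
        if ":" in line:  # base64 never contains ':', so this is a header
            while line.endswith("\\") and i + 1 < len(lines) - 1:
                i += 1
                line = line[:-1] + lines[i]
            name, _, value = line.partition(":")
            headers[name.strip()] = value.strip().strip('"')
        else:
            body.append(line.strip())
        i += 1
    return headers, "".join(body)


def read_ssh_string(blob, offset):
    """Read one length-prefixed field of the SSH wire format (RFC 4251)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, stop = offset + 4, offset + 4 + length
    if stop > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:stop], stop


def decode_blob(b64):
    """Return (key type, list of remaining fields) from the base64 blob."""
    blob = base64.b64decode(b64, validate=True)
    key_type, offset = read_ssh_string(blob, 0)
    fields = []
    while offset < len(blob):
        field, offset = read_ssh_string(blob, offset)
        fields.append(field)
    return key_type.decode("ascii"), fields


def rsa_key_info(b64):
    """For an ssh-rsa blob return (public exponent, modulus bit length)."""
    key_type, fields = decode_blob(b64)
    if key_type != "ssh-rsa" or len(fields) != 2:
        raise ValueError(f"not an ssh-rsa blob: {key_type}")
    e, n = (int.from_bytes(f, "big") for f in fields)  # mpints are big-endian
    return e, n.bit_length()


def to_authorized_keys_line(text):
    """Convert an RFC 4716 file to the one-line OpenSSH authorized_keys form."""
    headers, b64 = parse_rfc4716(text)
    key_type, _ = decode_blob(b64)  # take the type from the blob, not from guesswork
    comment = headers.get("Comment", "")
    return f"{key_type} {b64} {comment}".rstrip()


if __name__ == "__main__":
    line = to_authorized_keys_line(RFC4716_KEY)
    exponent, bits = rsa_key_info(line.split()[1])
    print(line)
    print(f"{bits}-bit RSA key, e={exponent}")
```

The blob of the posted key decodes to the type string `ssh-rsa`, a public exponent of 37 and a 1024-bit modulus, so the one-line form in the post is the right shape; the remaining problem has to be on the server side.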

ab
03-Dec-2014, 13:43
Get debug output from Putty to perhaps help; point #4 on this page:

http://www.thegeekstuff.com/2009/07/10-practical-putty-tips-and-tricks-you-probably-didnt-know/

For convenience:
<quote>
PuTTY Trick 4: View PuTTY Event log

When you are logged-in to a PuTTY SSH session, right mouse-click on the
PuTTY window title, which will display PuTTY menu. Select ‘Event Log’
menu-item, which will display the following PuTTY event log window.

This will be very helpful to debug any PuTTY SSH session issues.
</quote>

It may also be useful to do a simple test on the server itself to ensure
that public key authentication works on that side; as some user on the
system (non-root preferably):



ssh-keygen -t rsa
#press [enter] a bunch of times; ignore the passphrase for now

#Copy new key to the "server", even though it's this same box
ssh-copy-id -i ~/.ssh/id_rsa localhost

#Try to login with the key
ssh -i ~/.ssh/id_rsa localhost


--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...

smflood
03-Dec-2014, 13:55
On 03/12/2014 12:24, nase1337 wrote:

> I tried to log in to my server with the public/private keys. But everything
> I tried failed :confused:
>
>
> - Client: Windows 8
> - Server: SLES11
> - Putty and Puttygen
>
>
>
> On my Windows Client, I generated my public and private keys with
> puttygen and copied the public key into the authorized_keys file in my
> home directory
>
> Code:
> --------------------
> /home/user/.ssh/authorized_keys
> --------------------
>
>
> This is my public key:
>
> Code:
> --------------------
> ---- BEGIN SSH2 PUBLIC KEY ----
> Comment: "rsa-key-20141203"
> AAAAB3NzaC1yc2EAAAABJQAAAIEAmQrj3yGt8FhgRmcYhPc1lqVEmAPFT+7ifc5X
> EeG2IWRhsNIJVSDcHJXBSPborrvFZHEZwggMVZZBzXH63MlxCMhb2CcYc6ck3Co7
> kmStXV4ov28w4uDEe60t0qFCyQkqyy/dyrnBngSezS9lz7nCPstotZhkfKlGcJd0
> LVgDEIc=
> ---- END SSH2 PUBLIC KEY ----
> --------------------
>
>
>
> So, I read that I have to remove the first two lines and the last one
> and add on the first line a "ssh-rsa "
>
> That is what I have now:
>
> Code:
> --------------------
> ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAmQrj3yGt8FhgRmcYhPc1lqVEmAPFT+7ifc5XEeG2IWRhsNIJVSDcHJXBSPborrvFZHEZwggMVZZBzXH63MlxCMhb2CcYc6ck3Co7kmStXV4ov28w4uDEe60t0qFCyQkqyy/dyrnBngSezS9lz7nCPstotZhkfKlGcJd0LVgDEIc=
> --------------------
>
>
> All in one line.

The above all sounds and looks okay. Which type of key did you choose to
generate? Depending on the version of PuTTYgen you're using (latest is
0.63) the default is either SSH-1 (RSA) or SSH-2 (RSA).

> And I made these changes:
>
> Code:
> --------------------
> chmod 700 /.ssh
> chmod 600 /.ssh/authorized_keys
> --------------------

As written, the above would not do anything to
/home/user/.ssh/authorized_keys as it would deal with the .ssh directory
in / not /home/user/ or ~.

> In Putty I select my private key file and try to log in, but the server
> sends a "Server refused our key" and I don't know what I have to
> do...

If the key was copied to the .ssh directory within the home directory of
the user you're trying to log in as that should still be okay despite
your two odd chmod commands above.

> I took a look at my sshd_config and tried to change some options:

I'm guessing (hoping) that you've written changed things in UPPERCASE to
highlight them here but that's not actually the case with the actual
/etc/ssh/sshd_config file itself?!

> The SSHD_config:
>
> Code:
> --------------------
> # $OpenBSD: sshd_config,v 1.89 2013/02/06 00:20:42 dtucker Exp $
>
> # This is the sshd server system-wide configuration file. See
> # sshd_config(5) for more information.
>
> # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
>
> # The strategy used for options in the default sshd_config shipped with
> # OpenSSH is to specify options with their default value where
> # possible, but leave them commented. Uncommented options override the
> # default value.
>
> #Port 22
> #AddressFamily any
> #ListenAddress 0.0.0.0
> #ListenAddress ::
>
> # The default requires explicit activation of protocol 1
> PROTOCOL 2

This is the default.

> # HostKey for protocol version 1
> #HostKey /etc/ssh/ssh_host_key
> # HostKeys for protocol version 2
> #HostKey /etc/ssh/ssh_host_rsa_key
> #HostKey /etc/ssh/ssh_host_dsa_key
> #HostKey /etc/ssh/ssh_host_ecdsa_key
>
> # Lifetime and size of ephemeral version 1 server key
> #KeyRegenerationInterval 1h
> #ServerKeyBits 1024
>
> # Logging
> # obsoletes QuietMode and FascistLogging
> #SyslogFacility AUTH
> #LogLevel INFO
>
> # Authentication:
>
> #LoginGraceTime 2m
> #PermitRootLogin yes
> #StrictModes yes
> #MaxAuthTries 6
> #MaxSessions 10
>
> RSAAUTHENTICATION YES
> PUBKEYAUTHENTICATION YES

These are the defaults.

> # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
> # but this is overridden so installations will only check .ssh/authorized_keys
> AUTHORIZEDKEYSFILE ~/.SSH/AUTHORIZED_KEYS

If this is as written then it's looking for a file called
AUTHORIZED_KEYS (not authorized_keys) within the .SSH (not .ssh) directory
of the user's home directory - case is important.

> #AuthorizedPrincipalsFile none
>
> #AuthorizedKeysCommand none
> #AuthorizedKeysCommandUser nobody
>
> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
> #RhostsRSAAuthentication no
> # similar for protocol version 2
> #HostbasedAuthentication no
> # Change to yes if you don't trust ~/.ssh/known_hosts for
> # RhostsRSAAuthentication and HostbasedAuthentication
> #IgnoreUserKnownHosts no
> # Don't read the user's ~/.rhosts and ~/.shosts files
> #IgnoreRhosts yes
>
> # To disable tunneled clear text passwords, change to no here!
> PasswordAuthentication no
> #PermitEmptyPasswords no
>
> # Change to no to disable s/key passwords
> #ChallengeResponseAuthentication yes
>
> # Kerberos options
> #KerberosAuthentication no
> #KerberosOrLocalPasswd yes
> #KerberosTicketCleanup yes
> #KerberosGetAFSToken no
>
> # GSSAPI options
> #GSSAPIAuthentication no
> #GSSAPICleanupCredentials yes
> #GSSAPIStrictAcceptorCheck yes
> #GSSAPIKeyExchange no
>
> # Set this to 'yes' to enable support for the deprecated 'gssapi' authentication
> # mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included
> # in this release. The use of 'gssapi' is deprecated due to the presence of
> # potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.
> #GSSAPIEnableMITMAttack no
>
>
> # Set this to 'yes' to enable PAM authentication, account processing,
> # and session processing. If this is enabled, PAM authentication will
> # be allowed through the ChallengeResponseAuthentication and
> # PasswordAuthentication. Depending on your PAM configuration,
> # PAM authentication via ChallengeResponseAuthentication may bypass
> # the setting of "PermitRootLogin without-password".
> # If you just want the PAM account and session checks to run without
> # PAM authentication, then enable this but set PasswordAuthentication
> # and ChallengeResponseAuthentication to 'no'.
> UsePAM yes
>
> #AllowAgentForwarding yes
> #AllowTcpForwarding yes
> #GatewayPorts no
> X11Forwarding yes
> #X11DisplayOffset 10
> #X11UseLocalhost yes
> #PrintMotd yes
> #PrintLastLog yes
> #TCPKeepAlive yes
> #UseLogin no
> UsePrivilegeSeparation sandbox # Default for new installations.
> #PermitUserEnvironment no
> #Compression delayed
> #ClientAliveInterval 0
> #ClientAliveCountMax 3
> #UseDNS yes
> #PidFile /var/run/sshd.pid
> #MaxStartups 10:30:100
> #PermitTunnel no
> #ChrootDirectory none
> #VersionAddendum none
>
> # no default banner path
> #Banner none
>
> # override default of no subsystems
> Subsystem sftp /usr/lib64/ssh/sftp-server
>
> # This enables accepting locale enviroment variables LC_* LANG, see sshd_config(5).
> AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
> AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
> AcceptEnv LC_IDENTIFICATION LC_ALL
>
> # Example of overriding settings on a per-user basis
> #Match User anoncvs
> # X11Forwarding no
> # AllowTcpForwarding no
> # ForceCommand cvs server
>
> --------------------
>
>
> A reload/restart of sshd doesn't change anything. What can I do? Where
> is my mistake? I have no idea...

How I use SSH keys to authenticate to servers is to generate a public key
and copy it to .ssh/authorized_keys (as you've done) with the private key
saved on the workstation. I then run Pageant at startup against that private
key, which prompts me for my passphrase, which unlocks the key. After that
I can SSH to any server I've copied my public key to as a particular user.

HTH.
--
Simon
SUSE Knowledge Partner

------------------------------------------------------------------------
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below. Thanks.
------------------------------------------------------------------------
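
Simon's point about the chmod commands (they acted on /.ssh rather than ~/.ssh) is worth turning into a check, because sshd with the default `StrictModes yes` silently ignores authorized_keys when the home directory, ~/.ssh or the file itself is writable by group or others, or owned by someone other than the user logging in, and the client side only ever sees "Server refused our key". The Python script below is an added example, not something posted in the thread; it audits a home directory for those conditions and also checks that each key line is in the one-line OpenSSH form rather than the SSH2 block format. The demo home it creates under a temporary directory is constructed for illustration, with the public key from the first post installed.

```python
import base64
import binascii
import os
import stat
import tempfile

# Converted key line from the first post (forum-inserted spaces removed).
KEY_LINE = ("ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAmQrj3yGt8FhgRmcYhPc1lqVEmAPFT+7ifc5X"
            "EeG2IWRhsNIJVSDcHJXBSPborrvFZHEZwggMVZZBzXH63MlxCMhb2CcYc6ck3Co7"
            "kmStXV4ov28w4uDEe60t0qFCyQkqyy/dyrnBngSezS9lz7nCPstotZhkfKlGcJd0"
            "LVgDEIc= rsa-key-20141203")

# sshd (StrictModes yes) refuses keys if any of these paths is writable by
# group or others, or is not owned by the user logging in.
UNSAFE_WRITE_BITS = stat.S_IWGRP | stat.S_IWOTH
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-")


def audit_key_setup(home, expected_uid=None):
    """Return a list of reasons sshd would ignore home/.ssh/authorized_keys.

    An empty list means ownership, modes and key-line format all look right.
    """
    expected_uid = os.getuid() if expected_uid is None else expected_uid
    ssh_dir = os.path.join(home, ".ssh")
    auth_keys = os.path.join(ssh_dir, "authorized_keys")
    findings = []
    for path, want_dir in ((home, True), (ssh_dir, True), (auth_keys, False)):
        try:
            st = os.stat(path)
        except FileNotFoundError:
            findings.append(f"{path}: missing")
            return findings
        if want_dir != stat.S_ISDIR(st.st_mode):
            findings.append(f"{path}: wrong file type")
        if st.st_uid != expected_uid:
            findings.append(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
        if st.st_mode & UNSAFE_WRITE_BITS:
            findings.append(f"{path}: group/world writable (mode {stat.S_IMODE(st.st_mode):04o})")
    if not os.path.isfile(auth_keys):
        return findings
    with open(auth_keys) as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            tokens = line.split()
            # Options such as command="..." may precede the key type token.
            idx = next((i for i, t in enumerate(tokens) if t.startswith(KEY_TYPE_PREFIXES)), None)
            if idx is None or idx + 1 >= len(tokens):
                findings.append(f"{auth_keys}:{lineno}: not in OpenSSH one-line format")
                continue
            try:
                base64.b64decode(tokens[idx + 1], validate=True)
            except (binascii.Error, ValueError):
                findings.append(f"{auth_keys}:{lineno}: key data is not valid base64")
    return findings


def build_demo_home(ssh_dir_mode=0o700, keys_mode=0o600, key_text=KEY_LINE):
    """Create a throwaway home directory (constructed sample) with the key installed."""
    home = tempfile.mkdtemp(prefix="demo-home-")
    os.chmod(home, 0o755)
    ssh_dir = os.path.join(home, ".ssh")
    os.mkdir(ssh_dir)
    os.chmod(ssh_dir, ssh_dir_mode)  # explicit chmod: mkdir's mode is subject to umask
    auth_keys = os.path.join(ssh_dir, "authorized_keys")
    with open(auth_keys, "w") as fh:
        fh.write(key_text + "\n")
    os.chmod(auth_keys, keys_mode)
    return home


if __name__ == "__main__":
    for label, home in (("correct", build_demo_home()),
                        ("group-writable .ssh", build_demo_home(ssh_dir_mode=0o770))):
        print(label, audit_key_setup(home) or "OK")
```

On the real server, run it as `audit_key_setup("/home/user")` for the account you log in as; pair it with `sshd -T | grep -i authorizedkeysfile` to see the path sshd actually resolves, and with the sshd entries in the system log, which report "Authentication refused: bad ownership or modes" when StrictModes is the cause.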