I'm having a problem with the authentication of SSH on one of our test servers. I have configured the sshd_config correctly yet the Authentication method shows only password auth.

[root@[client] ~]# ssh -v [server]  
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010  
debug1: Reading configuration data /etc/ssh/ssh_config  
debug1: Applying options for *  
debug1: Connecting to [server] [xxx.xx.xx.xxx] port 22.  
debug1: Connection established.  
debug1: permanently_set_uid: 0/0  
debug1: identity file /root/.ssh/identity type -1  
debug1: identity file /root/.ssh/identity-cert type -1  
debug1: identity file /root/.ssh/id_rsa type 1  
debug1: identity file /root/.ssh/id_rsa-cert type -1  
debug1: identity file /root/.ssh/id_dsa type -1  
debug1: identity file /root/.ssh/id_dsa-cert type -1  
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.6  
debug1: match: OpenSSH_4.6 pat OpenSSH_4*  
debug1: Enabling compatibility mode for protocol 2.0  
debug1: Local version string SSH-2.0-OpenSSH_5.3  
debug1: SSH2_MSG_KEXINIT sent  
debug1: SSH2_MSG_KEXINIT received  
debug1: kex: server->client aes128-ctr hmac-md5 none  
debug1: kex: client->server aes128-ctr hmac-md5 none  
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent  
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP  
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent  
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY  
debug1: Host '[server]' is known and matches the RSA host key.  
debug1: Found key in /root/.ssh/known_hosts:5  
debug1: ssh_rsa_verify: signature correct  
debug1: SSH2_MSG_NEWKEYS sent  
debug1: expecting SSH2_MSG_NEWKEYS  
debug1: SSH2_MSG_NEWKEYS received  
debug1: SSH2_MSG_SERVICE_REQUEST sent  
debug1: SSH2_MSG_SERVICE_ACCEPT received  
debug1: **Authentications that can continue: password,**  
debug1: Next authentication method: password  
root@[server] password: 

What I'm expecting:

debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password

because I have set this on my sshd_config:

Some relevant lines from my sshd_config file:

PermitRootLogin yes  
PermitRootLogin without-password  
RSAAuthentication yes  
PubkeyAuthentication yes  

I don't know if this is a firewall issue or server side.

My sshd_config file:

ListenAddress 199.xx.xx.xx 
Protocol 2 
SyslogFacility AUTHPRIV 
PermitRootLogin yes 
PermitRootLogin without-password 
RSAAuthentication yes 
PubkeyAuthentication yes 
AuthorizedKeysFile .ssh/authorized_keys 
PasswordAuthentication yes 
ChallengeResponseAuthentication no 
GSSAPIAuthentication yes 
GSSAPICleanupCredentials yes 
UsePAM yes

Also, some relevant permissions:

drwx------.  2 root root     4096 Sep  1 09:12 .ssh  
-rw-r--r--.  1 root root      235 Aug 12 16:00 .ssh/authorized_keys  

I even tried to forcefully use publickey authentication, but it is still using password as authentication:

ssh -2 -vvv -o PubkeyAuthentication=yes -o RSAAuthentication=yes -o PasswordAuthentication=yes -o PreferredAuthentications=publickey [server]

debug3: Wrote 64 bytes for a total of 1277  
debug1: Authentications that can continue: password,  
debug3: start over, passed a different list password,  
debug3: preferred publickey  
debug1: No more authentication methods to try.

/var/log/secure
Sep  3 10:43:09 crewtest sshd[47353]: Connection closed by xx.xx.xx.xx
Gryu
  • Did you reload SSH after making the edits? – womble Sep 03 '15 at 02:14
  • Yes, I have the sshd service reloaded and restarted as well – Kevin Michael Beñales Sep 03 '15 at 02:14
  • We will need more info. Is that the entire contents of the sshd_config on the server? Permissions on ~/.ssh dir on client and server. How about the ssh_config (or ~/.ssh/config) on the client? – Chad Huneycutt Sep 03 '15 at 02:15
  • I'm kinda thinking you're not connecting to the machine you think you're connecting to. Does the version of SSH installed on the server match what is listed in the ssh client output? – womble Sep 03 '15 at 02:19
  • I'm wondering if it's a permissions issue. `tail -f` your server's security log (`/var/log/secure` or `/var/log/auth.log` or whatever it may be on your system) while attempting a connection and see what it says. – Gene Sep 03 '15 at 02:27
  • @KevinMichaelBeñales, update your question with that information. Don't post it in the comment section. – Gene Sep 03 '15 at 02:28
  • Hi Womble, thanks for the comment. Yes, I'm connecting to the correct machine, for I can log in with its password, and both their OpenSSH versions are the same – Kevin Michael Beñales Sep 03 '15 at 02:30
  • @Gene I don't think there is any permissions issue. Here's what I got in /var/log/secure when I entered the password: Sep 3 10:35:15 [server] sshd[47278]: Accepted password for root from xx.xx.xx.xx port 30106 ssh2 Sep 3 10:35:15 [server] sshd[47278]: pam_unix(sshd:session): session opened for user root by (uid=0) – Kevin Michael Beñales Sep 03 '15 at 02:37
  • Again, update your question with that kind of information :). Also, isn't it the key authentication method you're troubleshooting? Knowing that it accepts the password doesn't help anything. – Gene Sep 03 '15 at 02:40
  • Start with the original `sshd_config` file and then make any desired changes to it (though you shouldn't need any). – Michael Hampton Jul 30 '21 at 01:08
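
Added example, not part of the original question or its comments: the sshd_config quoted in the question sets PermitRootLogin twice, and sshd uses the first value it obtains for a keyword. The script below resolves the global (pre-Match) values from a config on stdin and reports later duplicates; the sample is constructed from the question's lines, and the function names and the short list of repeatable keywords are assumptions of this example.

```shell
#!/bin/sh
# Added example: resolve the effective global values in an sshd_config,
# applying sshd's rule that the first value obtained for a keyword is used.

# Constructed sample: directives copied from the config quoted in the question.
sample_config() {
cat <<'EOF'
Protocol 2
PermitRootLogin yes
PermitRootLogin without-password
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
EOF
}

# effective_config: reads sshd_config text on stdin and prints "keyword value"
# for each value sshd keeps, or "IGNORED line N: keyword value" for a later
# duplicate. Keywords are case-insensitive; parsing stops at the first Match.
effective_config() {
  awk '
    /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
    {
      key = tolower($1); sub(/=.*/, "", key)
      if (key == "match") exit         # conditional blocks are out of scope
      val = $0
      sub(/^[ \t]*[^ \t=]+[ \t=]+/, "", val); sub(/[ \t]+$/, "", val)
      # Assumption: a partial list of keywords that may legitimately repeat.
      if (key ~ /^(port|listenaddress|hostkey|acceptenv|subsystem)$/) {
        print key, val; next
      }
      if (key in seen) { print "IGNORED line " NR ": " key, val; next }
      seen[key] = 1
      print key, val
    }'
}

# effective_value KEYWORD: the single value kept for KEYWORD (config on stdin).
effective_value() {
  effective_config |
    awk -v k="$(printf %s "$1" | tr 'A-Z' 'a-z')" \
      '$1 == k { $1 = ""; sub(/^ /, ""); print; exit }'
}

sample_config | effective_config
```

On a live server, feed it the file the running daemon actually reads, for example `effective_config < /etc/ssh/sshd_config`.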

2 Answers

It looks like you're running CentOS or RHEL (based on the fact your security file is /var/log/secure, as indicated in the comments on the question). By default OpenSSH under CentOS has very restrictive permissions requirements on the ~/.ssh directory and authorized_keys file.

Set the mode on .ssh/authorized_keys to 600 (-rw-------) and try the connection again.

 chmod 600 .ssh/authorized_keys
Gene
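
Added example, not part of the answer above: a script that checks ownership and mode along the path to authorized_keys, in the way sshd does when StrictModes is enabled (its default). Each of the key file, the .ssh directory and the home directory must be owned by the user or root and must not be writable by group or others. The function names and the throwaway fixture are assumptions of this example; the fixture uses the modes listed in the question plus an assumed 755 home directory.

```shell
#!/bin/sh
# Added example: a StrictModes-style check of the path to authorized_keys.

# path_ok PATH UID: succeeds when PATH exists, is owned by UID or by root
# (uid 0), and carries no group/other write bit (nothing from mode 022).
path_ok() {
  [ -e "$1" ] || return 1
  [ -n "$(find "$1" -prune \( -user "$2" -o -user 0 \) -print)" ] || return 1
  [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

# check_key_path HOME UID: checks authorized_keys, then .ssh, then HOME,
# and prints the first path that fails. Returns 0 when all three pass.
check_key_path() {
  for p in "$1/.ssh/authorized_keys" "$1/.ssh" "$1"; do
    if ! path_ok "$p" "$2"; then
      echo "bad ownership or modes: $p"
      return 1
    fi
  done
  echo "ok: $1"
}

# Constructed fixture: a temporary home directory (755, assumed) holding
# .ssh (700) and authorized_keys (644), the two modes shown in the question.
demo_home() {
  d=$(mktemp -d) && mkdir "$d/.ssh" && : > "$d/.ssh/authorized_keys" &&
    chmod 700 "$d/.ssh" && chmod 644 "$d/.ssh/authorized_keys" &&
    chmod 755 "$d" && echo "$d"
}

h=$(demo_home)
check_key_path "$h" "$(id -u)"            # the modes from the question
chmod g+w "$h"                            # now a group-writable home directory
check_key_path "$h" "$(id -u)" || true    # reports the home directory
rm -rf "$h"
```

To check a real account, run `check_key_path /root 0` on the server; the home directory itself is not shown in the question's listing and is worth including.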

I am not sure, but I think the AuthorizedKeysFile option in your sshd_config is wrong.

Try changing it to:

AuthorizedKeysFile ~/.ssh/authorized_keys 
eKKiM