Hallöchen,
ich habe gerade auf unserem Webserver (Linux) sshd geconft und wollte nun das selbe mit unserem Router (OpenBSD 4.2) machen. Leider funktioniert da ssh per pubkey überhaupt nicht. Die Schlüssel sind soweit okay, weil diese unter Linux ssh problemlos funktionieren.
Hier mal das -ddd vom sshd. Vielleicht lest ihr mehr heraus als ich:
Werd einfach nicht schlau draus.
Das Schlüsselpaar wurde per
ssh-keygen -t rsa -b 4096 -f router
erzeugt.
Und hier der Verbose Output vom ssh login
ich habe gerade auf unserem Webserver (Linux) sshd geconft und wollte nun das selbe mit unserem Router (OpenBSD 4.2) machen. Leider funktioniert da ssh per pubkey überhaupt nicht. Die Schlüssel sind soweit okay, weil diese unter Linux ssh problemlos funktionieren.
Hier mal das -ddd vom sshd. Vielleicht lest ihr mehr heraus als ich:
Code:
debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 631
debug2: parse_server_config: config /etc/ssh/sshd_config len 631
debug3: /etc/ssh/sshd_config:11 setting Port 22
debug3: /etc/ssh/sshd_config:20 setting Protocol 2
debug3: /etc/ssh/sshd_config:25 setting HostKey /etc/ssh/ssh_host_rsa_key
debug3: /etc/ssh/sshd_config:26 setting HostKey /etc/ssh/ssh_host_dsa_key
debug3: /etc/ssh/sshd_config:27 setting UsePrivilegeSeparation yes
debug3: /etc/ssh/sshd_config:30 setting KeyRegenerationInterval 1h
debug3: /etc/ssh/sshd_config:31 setting ServerKeyBits 768
debug3: /etc/ssh/sshd_config:35 setting SyslogFacility AUTH
debug3: /etc/ssh/sshd_config:36 setting LogLevel INFO
debug3: /etc/ssh/sshd_config:39 setting LoginGraceTime 60
debug3: /etc/ssh/sshd_config:40 setting PermitRootLogin no
debug3: /etc/ssh/sshd_config:41 setting StrictModes yes
debug3: /etc/ssh/sshd_config:44 setting RSAAuthentication yes
debug3: /etc/ssh/sshd_config:45 setting PubkeyAuthentication yes
debug3: /etc/ssh/sshd_config:46 setting AuthorizedKeysFile %h/.ssh/authorized_keys
debug3: /etc/ssh/sshd_config:49 setting RhostsRSAAuthentication no
debug3: /etc/ssh/sshd_config:51 setting HostbasedAuthentication no
debug3: /etc/ssh/sshd_config:56 setting IgnoreRhosts yes
debug3: /etc/ssh/sshd_config:59 setting PasswordAuthentication no
debug3: /etc/ssh/sshd_config:60 setting PermitEmptyPasswords no
debug3: /etc/ssh/sshd_config:63 setting ChallengeResponseAuthentication no
debug3: /etc/ssh/sshd_config:77 setting X11Forwarding no
debug3: /etc/ssh/sshd_config:98 setting Subsystem sftp /usr/libexec/sftp-server
debug1: sshd version OpenSSH_4.7
debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-ddd'
debug2: fd 4 setting O_NONBLOCK
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug2: fd 5 setting O_NONBLOCK
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: fd 6 clearing O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 9 config len 631
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 6 out 6 newsock 6 pipe -1 sock 9
debug1: inetd sockets after dupping: 4, 4
Connection from 192.168.1.102 port 47919
debug1: Client protocol version 2.0; client software version OpenSSH_4.7p1 Debian-2
debug1: match: OpenSSH_4.7p1 Debian-2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.7
debug2: fd 4 setting O_NONBLOCK
debug2: Network child is on pid 13262
debug3: privsep user:group 27:27
debug3: preauth child monitor started
debug1: permanently_set_uid: 27/27
debug3: mm_request_receive entering
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug3: mm_request_send entering: type 0
debug3: monitor_read: checking request 0
debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI
debug3: mm_answer_moduli: got parameters: 1024 1024 8192
debug3: mm_request_receive_expect entering: type 1
debug3: mm_request_receive entering
debug3: mm_request_send entering: type 1
debug3: mm_choose_dh: remaining 0
debug2: monitor_read: 0 used once, disabling now
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug3: mm_request_receive entering
debug2: dh_gen_key: priv key bits set: 115/256
debug2: bits set: 505/1024
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug2: bits set: 505/1024
debug3: mm_key_sign entering
debug3: mm_request_send entering: type 4
debug3: monitor_read: checking request 4
debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN
debug3: mm_answer_sign
debug3: mm_request_receive_expect entering: type 5
debug3: mm_answer_sign: signature 0x80827a00(271)
debug3: mm_request_receive entering
debug3: mm_request_send entering: type 5
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug2: monitor_read: 4 used once, disabling now
debug2: kex_derive_keys
debug3: mm_request_receive entering
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user xxxxxxxx service ssh-connection method none
debug1: attempt 0 failures 0
debug3: mm_getpwnamallow entering
debug3: mm_request_send entering: type 6
debug3: monitor_read: checking request 6
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
debug3: mm_answer_pwnamallow
debug3: mm_request_receive_expect entering: type 7
debug3: Trying to reverse map address 192.168.1.102.
debug3: mm_request_receive entering
debug2: parse_server_config: config reprocess config len 631
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
debug3: mm_request_send entering: type 7
debug2: monitor_read: 6 used once, disabling now
debug2: input_userauth_request: setting up authctxt for xxxxxxxx
debug3: mm_request_receive entering
debug3: mm_inform_authserv entering
debug3: mm_request_send entering: type 3
debug3: monitor_read: checking request 3
debug2: input_userauth_request: try method none
debug3: mm_answer_authserv: service=ssh-connection, style=
debug2: monitor_read: 3 used once, disabling now
debug3: mm_request_receive entering
debug1: userauth-request for user xxxxxxxx service ssh-connection method publickey
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method publickey
debug3: mm_key_allowed entering
debug3: mm_request_send entering: type 20
debug3: monitor_read: checking request 20
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
debug3: mm_answer_keyallowed entering
debug3: mm_request_receive_expect entering: type 21
debug3: mm_answer_keyallowed: key_from_blob: 0x7f5c37f0
debug3: mm_request_receive entering
debug1: temporarily_use_uid: 1001/1001 (e=0/0)
debug1: trying public key file /home/xxxxxxxx/.ssh/authorized_keys
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 1001/1001 (e=0/0)
debug1: trying public key file /home/xxxxxxxx/.ssh/authorized_keys
debug1: restore_uid: 0/0
Failed publickey for xxxxxxxx from 192.168.1.102 port 47919 ssh2
debug3: mm_answer_keyallowed: key 0x7f5c37f0 is disallowed
debug3: mm_request_send entering: type 21
debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa
debug3: mm_request_receive entering
Connection closed by 192.168.1.102
debug1: do_cleanup
debug1: do_cleanup
#
Werd einfach nicht schlau draus.
Das Schlüsselpaar wurde per
ssh-keygen -t rsa -b 4096 -f router
erzeugt.
Und hier der Verbose Output vom ssh login
Code:
ssh -v -i router xxxxxx@router.intranet
OpenSSH_4.7p1 Debian-2, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to router.intranet [192.168.1.1] port 22.
debug1: Connection established.
debug1: identity file router type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.7
debug1: match: OpenSSH_4.7 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.7p1 Debian-2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'router.intranet' is known and matches the RSA host key.
debug1: Found key in /home/xxxxxxxx/.ssh/known_hosts:12
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: router
debug1: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
Enter passphrase for key 'router':
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).
Zuletzt bearbeitet: