On 13 March 2011 08:37, Michael Thompson <maverickapo...@gmail.com> wrote:
> I've got a slight issue with logging into my server using public keys.
>
> It was working fine, until I had to rebuild my desktop machine. I had
> the key copied to the server, and passwordless logins were fine.
>
> However now I have rebuilt my desktop, I can't get to the login.
>
> So here's what's happened.
>
> Rebuilt id_rsa.pub, server will not allow login. Remove id_rsa.pub and
> the server allows password based login.
>
> On the server, removed authorized_keys and known_hosts. Makes no
> difference. Server still disallows keyfile, but will allow password
> when id_rsa is not present on the client.

On the server to get key based auth working you must:
1) Have the correct permissions on .ssh/*
2) Have your public key in authorized_keys

On the client you need to have your key decrypted for use either by:
1) using agent
2) having an empty password string in your private key.
3) correct .ssh/* permissions.

How many keys are in your server authorized_keys file? Can you trim it
down to just one for testing?

What sort of changes have you made to the default sshd.conf file on the
server and ssh.conf file on the client?

Adrian

> Here's a -v of the login chat with keyfile
>
> Code:
>
> michael@eve:~$ ssh -v server
> OpenSSH_5.5p1 Debian-6, OpenSSL 0.9.8o 01 Jun 2010
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug1: Connecting to server [ser.ver.ip] port 22.
> debug1: Connection established.
> debug1: identity file /home/michael/.ssh/id_rsa type 1
> debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
> debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
> debug1: identity file /home/michael/.ssh/id_rsa-cert type -1
> debug1: identity file /home/michael/.ssh/id_dsa type -1
> debug1: identity file /home/michael/.ssh/id_dsa-cert type -1
> debug1: Remote protocol version 2.0, remote software version
> OpenSSH_5.1p1 Debian-5
> debug1: match: OpenSSH_5.1p1 Debian-5 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_5.5p1 Debian-6
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug1: kex: server->client aes128-ctr hmac-md5 none
> debug1: kex: client->server aes128-ctr hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> debug1: Host 'host' is known and matches the RSA host key.
> debug1: Found key in /home/michael/.ssh/known_hosts:1
> debug1: ssh_rsa_verify: signature correct
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug1: SSH2_MSG_NEWKEYS received
> debug1: Roaming not allowed by server
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug1: Authentications that can continue: publickey,password
> debug1: Next authentication method: publickey
> debug1: Offering public key: /home/michael/.ssh/id_rsa
> Received disconnect from ser.ver.ip: 2: Too many authentication
> failures for michael
>
> And without
>
> Code:
>
> michael@eve:~/.ssh$ ssh -v server
> OpenSSH_5.5p1 Debian-6, OpenSSL 0.9.8o 01 Jun 2010
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug1: Connecting to server [ser.ver.ip] port 22.
> debug1: Connection established.
> debug1: identity file /home/michael/.ssh/id_rsa type -1
> debug1: identity file /home/michael/.ssh/id_rsa-cert type -1
> debug1: identity file /home/michael/.ssh/id_dsa type -1
> debug1: identity file /home/michael/.ssh/id_dsa-cert type -1
> debug1: Remote protocol version 2.0, remote software version
> OpenSSH_5.1p1 Debian-5
> debug1: match: OpenSSH_5.1p1 Debian-5 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_5.5p1 Debian-6
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug1: kex: server->client aes128-ctr hmac-md5 none
> debug1: kex: client->server aes128-ctr hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> debug1: Host 'server' is known and matches the RSA host key.
> debug1: Found key in /home/michael/.ssh/known_hosts:1
> debug1: ssh_rsa_verify: signature correct
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug1: SSH2_MSG_NEWKEYS received
> debug1: Roaming not allowed by server
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug1: Authentications that can continue: publickey,password
> debug1: Next authentication method: publickey
> debug1: Trying private key: /home/michael/.ssh/id_rsa
> debug1: Trying private key: /home/michael/.ssh/id_dsa
> debug1: Next authentication method: password
> michael@server's password:
> debug1: Authentication succeeded (password).
> debug1: channel 0: new [client-session]
> debug1: Requesting no-more-sessi...@openssh.com
> debug1: Entering interactive session.
> debug1: Sending environment.
> debug1: Sending env LANG = en_GB.UTF-8
> Linux s15433632 2.6.18-028stab070.4 #1 SMP Tue Aug 17 18:32:47 MSD 2010 x86_64
>
> So, is there any way of getting the server to forget the previous keys,
> it is remembering? As previously said, I have completely removed the
> contents of ~/.ssh/ on both the clients and the server.
> __________________
>
> --
> Michael
> http://photography.thompsonm.me.uk
>
> To see a World in a Grain of Sand
> And a Heaven in a Wild Flower,
> Hold Infinity in the palm of your hand
> And Eternity in an hour.
> --William Blake
>
>
> --
> To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
> Archive:
> http://lists.debian.org/AANLkTi=ew4oizdgzkm9gs9-t6mg8582ecdhq7qnce...@mail.gmail.com
>
>

--
24x7x365 != 24x7x52 Stupid or bad maths?
<erno> hm. I've lost a machine.. literally _lost_. it responds to ping,
it works completely, I just can't figure out where in my apartment it is.
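
The ".ssh/* permissions" items in the checklist above, as an added shell example that is not part of the original thread. It assumes sshd runs with its default StrictModes setting and checks modes only, not ownership; the function names are made up for this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit the ".ssh/* permissions" items.
# Assumes sshd's default StrictModes behaviour. Checks modes only, not
# file ownership.

# Succeeds if TARGET has any of the listed octal permission bits set.
has_any_bit() {
    target=$1; shift
    for bit in "$@"; do
        [ -n "$(find "$target" -prune -perm "-$bit" 2>/dev/null)" ] && return 0
    done
    return 1
}

# audit_ssh_perms [HOME_DIR]: print each finding, return 1 if any were found.
audit_ssh_perms() {
    home=${1:-$HOME}
    problems=0

    # Server side: sshd ignores authorized_keys when the file, ~/.ssh or the
    # home directory is writable by group or others.
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        if has_any_bit "$p" 020 002; then
            echo "group/other-writable, sshd will ignore the key: $p"
            problems=$((problems + 1))
        fi
    done

    # Client side: ssh refuses a private key that group or others can access.
    for k in "$home"/.ssh/id_*; do
        [ -f "$k" ] || continue
        case $k in *.pub) continue ;; esac
        if has_any_bit "$k" 040 020 010 004 002 001; then
            echo "private key accessible by group/other, ssh will skip it: $k"
            problems=$((problems + 1))
        fi
    done

    [ "$problems" -eq 0 ]
}
```

Source the file and run `audit_ssh_perms` as the affected user on both the client and the server; a clean run prints nothing and returns 0.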