authentication problem
Rick Sewill
rsewill at gmail.com
Thu Apr 15 18:49:20 UTC 2010
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 04/15/2010 11:51 AM, jack craig wrote:
> Hi Folks,
>
> I have an authentication issue with ssh that i'd like to ask for clues
> on solving?
>
> i have created a local host key, id_rsa.pub.
>
> i have copied that to the remote host, .ssh/authorized_keys,
> and checked the perms for both ~/.ssh & .ssh/authorized_keys.
>
> yet i get the below, ...
>
>
> ssh -v -l jackc sby1.extraview.com
> OpenSSH_5.2p1, OpenSSL 0.9.8k-fips 25 Mar 2009
...
> publickey,gssapi-with-mic,password <---- !!!!!
...
> No credentials cache found
>
...
> No credentials cache found
>
...
> debug1: Next authentication method: publickey
> debug1: Offering public key: /home/jackc/.ssh/id_rsa
> debug1: Server accepts key: pkalg ssh-rsa blen 277
> Agent admitted failure to sign using the key.
> debug1: Next authentication method: password
> jackc at sby1.extraview.com's password:
>
> my naive reading of the above looks like it fulfilled
> one authentication method, but then goes on to ask for another,
> in this case, a password.
>
> my wag is that there is an /etc/pam.d config that is wrong,
> but this isn't my strong suite and i don't want to guess/mess around.
>
> also, this phrase, ...
>
> debug1: Unspecified GSS failure. Minor code may provide more information
> No credentials cache found
>
I wouldn't worry about GSS failure. You haven't set it up.
- From URL:
http://www.ssh.com/support/documentation/online/ssh/adminguide/53/userauth-gssapi.html
it explains the idea behind GSS. I tend to think of GSS as Kerberos.
> where do i find the minor code its referring to?
>
> any ssh guru's out there to provide a clue?
>
Not sure.
When it says, "Agent admitted failure to sign using the key.",
is it referring to ssh-agent?
There is a program, ssh-add, which talks to ssh-agent.
I haven't used ssh-add or ssh-agent in a long time.
Before I take us down this path which might be a wild good chase,
I better ask are you using these?
Whenever I have publickey authentication problems,
it usually is file and directory permissions.
You indicated you checked ~/.ssh and ~/.ssh/authorized_keys
As a test, could you make certain your $HOME directories,
on both the local and remote machine, are not writable by anyone,
but owner?
Could you make sure ~/.ssh on both machines is only read/write
by owner?
Could you make sure the files in ~/.ssh, such as authorized_keys,
config, id_rsa, known_hosts, are only read/write by owner?
For me, anything in ~/.ssh should only be read/write by owner.
Call me paranoid but only owner should have access to these files.
The one kicker, I'm asking you to do, is make sure both
$HOME directories are, at most, readable, by others, and not writable.
If you want someone to put files in your $HOME directory area,
can you set up $HOME/droparea and give them read/write access
to $HOME/droparea?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAkvHX68ACgkQyc8Kn0p/AZSq7gCfemQ7xhl7GwPnlC1Hcrj+XlI0
dREAn16BFmZbHBeQ8ZvcX2Hp+iCVoBy3
=l5hs
-----END PGP SIGNATURE-----
More information about the users
mailing list