authentication problem
jack craig
jcraig at extraview.com
Fri Apr 16 15:38:38 UTC 2010
On 04/15/2010 11:49 AM, Rick Sewill wrote:
> On 04/15/2010 11:51 AM, jack craig wrote:
>
>> Hi Folks,
>>
>> I have an authentication issue with ssh that i'd like to ask for clues
>> on solving?
>>
>> i have created a local host key, id_rsa.pub.
>>
>> i have copied that to the remote host, .ssh/authorized_keys,
>> and checked the perms for both ~/.ssh & .ssh/authorized_keys.
>>
>> yet i get the below, ...
>>
>>
>> ssh -v -l jackc sby1.extraview.com
>> OpenSSH_5.2p1, OpenSSL 0.9.8k-fips 25 Mar 2009
>>
> ...
>
>> publickey,gssapi-with-mic,password<---- !!!!!
>>
> ...
>
>> No credentials cache found
>>
>>
> ...
>
>> No credentials cache found
>>
>>
> ...
>
>> debug1: Next authentication method: publickey
>> debug1: Offering public key: /home/jackc/.ssh/id_rsa
>> debug1: Server accepts key: pkalg ssh-rsa blen 277
>> Agent admitted failure to sign using the key.
>> debug1: Next authentication method: password
>> jackc at sby1.extraview.com's password:
>>
>> my naive reading of the above looks like it fulfilled
>> one authentication method, but then goes on to ask for another,
>> in this case, a password.
>>
>> my wag is that there is an /etc/pam.d config that is wrong,
>> but this isn't my strong suit and i don't want to guess/mess around.
>>
>> also, this phrase, ...
>>
>> debug1: Unspecified GSS failure. Minor code may provide more information
>> No credentials cache found
>>
>>
> I wouldn't worry about GSS failure. You haven't set it up.
> From URL:
> http://www.ssh.com/support/documentation/online/ssh/adminguide/53/userauth-gssapi.html
> it explains the idea behind GSS. I tend to think of GSS as Kerberos.
>
>
>> where do i find the minor code it's referring to?
>>
>> any ssh gurus out there to provide a clue?
>>
>>
> Not sure.
>
> When it says, "Agent admitted failure to sign using the key.",
> is it referring to ssh-agent?
>
> There is a program, ssh-add, which talks to ssh-agent.
> I haven't used ssh-add or ssh-agent in a long time.
>
> Before I take us down this path which might be a wild goose chase,
> I better ask are you using these?
>
> Whenever I have publickey authentication problems,
> it usually is file and directory permissions.
> You indicated you checked ~/.ssh and ~/.ssh/authorized_keys
>
> As a test, could you make certain your $HOME directories,
> on both the local and remote machine, are not writable by anyone,
> but owner?
>
> Could you make sure ~/.ssh on both machines is only read/write
> by owner?
>
> Could you make sure the files in ~/.ssh, such as authorized_keys,
> config, id_rsa, known_hosts, are only read/write by owner?
>
> For me, anything in ~/.ssh should only be read/write by owner.
> Call me paranoid but only owner should have access to these files.
>
> The one kicker, I'm asking you to do, is make sure both
> $HOME directories are, at most, readable, by others, and not writable.
>
> If you want someone to put files in your $HOME directory area,
> can you set up $HOME/droparea and give them read/write access
> to $HOME/droparea?
>
the plot thickens, i switched to the dsa (from rsa key) and my sessions
now work fine.
But!!! when i put the same command line in a cron job, i am back to
passwd prompting!!!
i guess my only choice is a deep dive into ssh protocols?
tia, jackc...
--
Jack Craig
Software Engineer
831.461.7100 x120
www.extraview.com