MIDRANGE dot COM Mailing List Archive



Home » MIDRANGE-L » June 2014

Re: SSH: unsuccessful public key authentication



fixed

Hi Keith,

I think you might be copying the keys backward. The keys should be generated on the _client_ box. the .pub file should be copied to the server and installed in the authorized_keys file there.

It sounds like you are doing the opposite (putting the public key on the client, and adding it to the client's authorized_keys file) which is backward.

Since the client is where you're running the commands, you're already authenticated (signed-on) before you run SSH there. You don't need to authenticate to the client... so that's why you must install the public key into the "authorized keys" file on the server.

-SK


On 6/16/2014 2:13 PM, Keith McCully wrote:
This is part of a proof of concept exercise aimed transferring a file from
the IBM i to a windows server via SSH (SFTP). However, as a first stage, I
want to run some SSH tests between 2 IBM i LPARS residing in the same
enclosure so as to avoid firewall issues for now.



So far I’ve done the following:



1. Created 2 user profiles: one on the client and the other on the
server – both 6 characters in length.
2. Created /home/UserProfile/.ssh folders on both client and server
using profile name in each case
3. Amended permissions on UserProfile and .ssh folders to exclude public
access
4. Set home directories to /home/UserProfile for client and server user
profiles
5. Within Qshell, generate an RSA key pair using: : ssh-keygen -t rsa -N
""
6. Copy the public key, id_rsa.pub, from server to client .ssh directory
7. On the client, add the public key to the authorized_keys file in .ssh
directory using: using: cat /home/userprofile/.ssh/id_rsa.pub >>
/home/userprofile/.ssh/authorized_keys



Next I attempt to authenticate the public key which is where it fails …



Within Qshell on the client and logged on as the ClientUser



ssh –T ServerUser@serverHost



I get the first-time enquiry message regarding the authenticity of the host
but when I respond ‘yes’, I get prompted for the password indicating that
the key authentication has failed.

If I key the password, the known_hosts file gets created and I can log on
via SSH ok but I want to use certificates instead of passwords.



Also, I get the following SFTP log (part displayed below) :



sftp -vvv sshxxx@xxxxxxxxxxxxx

Connecting to xx.xx.xxx.xxx

---------------



debug1: Connecting to xxx.xxx.xxx.xxx ^xxx.xxx.xxx.xxx] port 22.

debug1: Connection established.

debug1: identity file /home/sshxxx/.ssh/id_rsa type 1





----------





debug1: SSH2_MSG_SERVICE_ACCEPT
received

debug2: key: /home/sshxxx/.ssh/id_rsa
(200381f0)

debug2: key: /home/sshxxx/.ssh/id_dsa
(0)

debug1: Authentications that can continue:
publickey,password,keyboard-interactive

debug3: start over, passed a different list
publickey,password,keyboard-interactive

debug3: preferred
publickey,keyboard-interactive,password

debug3: authmethod_lookup
publickey

debug3: remaining preferred:
keyboard-interactive,password

debug3: authmethod_is_enabled
publickey

debug1: Next authentication method:
publickey

debug1: Offering public key:
/home/sshxxx/.ssh/id_rsa

debug3:
send_pubkey_test

debug2: we sent a publickey packet, wait for
reply

Connection closed by
xx.xxx.xxx.xxx

Connection closed







Any thoughts?






Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2014 by MIDRANGE dot COM and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available here. If you have questions about this, please contact