As a footnote to this, I generated the key pair on the client, forwarded
the public key to the server and included in the Authorized_keys file.
However, when I ran: ssh -T serveruid@somehost, the password prompt still
appeared indicating Public-key authentication failure.
Turned out there were 2 issues on the ssh server:
1. sshd_config file had the RSA parameters commented out: these were
2. CCSID incorrect on Authorized_keys file created via: cat
/home/userID/.ssh/id_rsa.pub >> /home/userID/.ssh/authorized_keys. CCSID was
37 but should have been 819 (like the key and known_hosts files). CCSID
set to 819.
After applying these amendments, ssh -T serveruid@somehost ran fine with no
Thanks again for your comments,
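An added example, not part of the original thread: a Python check for the second issue described above, an authorized_keys file whose bytes are EBCDIC (CCSID 37) rather than CCSID 819. The function names and the sample entry are constructed for illustration; it assumes the file's bytes are read without conversion and uses Python's cp037 codec for CCSID 37.

```python
import base64
import struct
import sys

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256")

def blob_matches(key_type, b64):
    """True if the base64 blob begins with a length-prefixed copy of key_type."""
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:
        return False
    if len(blob) < 4:
        return False
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n] == key_type.encode("ascii")

def has_key_line(text):
    """True if any line holds '<key type> <matching base64 blob>'."""
    for line in text.splitlines():
        fields = line.split()
        # Options may precede the key type, so scan every adjacent pair.
        for kind, b64 in zip(fields, fields[1:]):
            if kind in KEY_TYPES and blob_matches(kind, b64):
                return True
    return False

def classify_authorized_keys(raw):
    """Classify raw file bytes as 'ascii', 'ebcdic-37' or 'unknown'."""
    try:
        if has_key_line(raw.decode("ascii")):
            return "ascii"
    except UnicodeDecodeError:
        pass  # EBCDIC letters and digits are all >= 0x80
    if has_key_line(raw.decode("cp037")):
        return "ebcdic-37"
    return "unknown"

def sample_line():
    """Constructed sample entry; the blob is filler, not a usable key."""
    blob = struct.pack(">I", 7) + b"ssh-rsa" + bytes(range(32))
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " constructed@example\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(classify_authorized_keys(fh.read()))
    else:
        print(classify_authorized_keys(sample_line().encode("cp037")))
```

A result of "ebcdic-37" means the key text is intact but stored in an encoding sshd will not parse as a key line, which matches the password-prompt fallback described in the thread.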
On 16 June 2014 22:31, Keith McCully <keithmccully@xxxxxxxxx> wrote:
Absolutely right! I was generating the key pair on the server under the
belief that was the location of the private key but, based on your comments
above, I can now see that was a misconception. So instead I'll generate the
keys on the client and then ship the .pub file.
On 16 June 2014 20:31, Scott Klement <midrange-l@xxxxxxxxxxxxxxxx> wrote:
I think you might be copying the keys backward. The keys should be
generated on the _client_ box. The .pub file should be copied to the
server and installed in the authorized_keys file there.
It sounds like you are doing the opposite (putting the public key on the
client, and adding it to the client's authorized_keys file) which is
Since the client is where you're running the commands, you're already
authenticated (signed-on) before you run SSH there. You don't need to
authenticate to the client... so that's why you must install the public
key into the "authorized keys" file on the server.
On 6/16/2014 2:13 PM, Keith McCully wrote:
This is part of a proof of concept exercise aimed at transferring a file
the IBM i to a Windows server via SSH (SFTP). However, as a first stage,
want to run some SSH tests between 2 IBM i LPARS residing in the same
enclosure so as to avoid firewall issues for now.
So far I’ve done the following:
1. Created 2 user profiles: one on the client and the other on the
server – both 6 characters in length.
2. Created /home/UserProfile/.ssh folders on both client and server
using profile name in each case
3. Amended permissions on UserProfile and .ssh folders to exclude
4. Set home directories to /home/UserProfile for client and server
5. Within Qshell, generate an RSA key pair using: ssh-keygen -t
6. Copy the public key, id_rsa.pub, from server to client .ssh
7. On the client, add the public key to the authorized_keys file in
directory using: cat /home/userprofile/.ssh/id_rsa.pub >>
Next I attempt to authenticate the public key which is where it fails …
Within Qshell on the client and logged on as the ClientUser
ssh -T ServerUser@serverHost
I get the first-time enquiry message regarding the authenticity of the
but when I respond ‘yes’, I get prompted for the password indicating that
the key authentication has failed.
If I key the password, the known_hosts file gets created and I can log on
via SSH ok but I want to use certificates instead of passwords.
Also, I get the following SFTP log (part displayed below) :
sftp -vvv sshxxx@xxxxxxxxxxxxx
Connecting to xx.xx.xxx.xxx
debug1: Connecting to xxx.xxx.xxx.xxx [xxx.xxx.xxx.xxx] port 22.
debug1: Connection established.
debug1: identity file /home/sshxxx/.ssh/id_rsa type 1
debug2: key: /home/sshxxx/.ssh/id_rsa
debug2: key: /home/sshxxx/.ssh/id_dsa
debug1: Authentications that can continue:
debug3: start over, passed a different list
debug3: remaining preferred:
debug1: Next authentication method:
debug1: Offering public key:
debug2: we sent a publickey packet, wait for
Connection closed by