Hello, I'm trying to set up SSH RSA Key Authentication to an IBM i from a
Windows machine using PuTTY. I'd like to specify a password with the key,
but since I've been running into issues I decided to keep it simple and do
without until I get it working. Currently the server refuses the key with
the message "Server refused our key" with everything I have tried.

I started by following the steps here:
http://club.alanseiden.com/learninghall/article/locking-down-ssh-on-the-ibm-i-with-public-keys/

Generated the keys using the steps from here:
https://help.github.com/articles/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent/#generating-a-new-ssh-key

Then converted the private key for use with PuTTY according to here:
https://devops.profitbricks.com/tutorials/use-ssh-keys-with-putty-on-windows/#use-existing-public-and-private-keys

sshd_config location (I've confirmed this is the correct location on my
system) = /QOpenSys/QIBM/UserData/SC1/OpenSSH/etc/sshd_config

As far as I can tell the relevant entries in my sshd_config file are
correct:

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

For testing purposes I've removed restrictions as to which IPs the server
listens on and all entries for DenyUsers, AllowUsers, DenyGroups and
AllowGroups have been commented out. Still no luck.

I then tried to get more meaningful error messages by following this wiki:
http://wiki.midrange.com/index.php/SSH#Diagnosing_Problems but the output
doesn't mean much to me. I'm hoping it means more to someone else. Also,
my sshd file is in a different location than this wiki
(/QOpenSys/QIBM/ProdData/SC1/OpenSSH/sbin/sshd -d). I'm not sure why, but
I chalked it up to the article not being updated.

The output is below which covers this sequence of events:

1. SSH session asks for user, I enter the user
2. SSH session reports "Server refused our key"
3. SSH session asks for password.
4. I provide the user account password (there is no password currently
associated with the SSH keys)
5. Successful login

I substituted usernames/IPs/encrypted text:
debug1: sshd version OpenSSH_6.9, OpenSSL 1.0.2i 22 Sep 2016
debug1: private host key #0: ssh-rsa SHA256:<ENCRYPTED TEXT>
debug1: private host key #1: ssh-dss SHA256:<ENCRYPTED TEXT>
debug1: private host key #2: ecdsa-sha2-nistp256 SHA256:<ENCRYPTED TEXT>
debug1: private host key #3: ssh-ed25519 SHA256:<ENCRYPTED TEXT>
debug1: rexec_argv[0]='/QOpenSys/QIBM/ProdData/SC1/OpenSSH/sbin/sshd'
debug1: rexec_argv[1]='-d'
debug1: sshd QWTCHGJB: rc=0 avail=0 msgid=
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7
debug1: sshd QWTCHGJB: rc=0 avail=0 msgid=
debug1: inetd sockets after dupping: 3, 3
Connection from <CLIENT IP> port 57747 on <SERVER IP> port 22
debug1: Client protocol version 2.0; client software version PuTTY_Release_0.66
debug1: no match: PuTTY_Release_0.66
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.9
debug1: list_hostkey_types: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes256-ctr hmac-sha2-256 none
debug1: kex: server->client aes256-ctr hmac-sha2-256 none
debug1: expecting SSH2_MSG_KEX_DH_GEX_REQUEST
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user <CLIENT USERNAME> service ssh-connection method none
debug1: attempt 0 failures 0
Failed none for <CLIENT USERNAME> from <CLIENT IP> port 57747 ssh2
debug1: userauth-request for user <CLIENT USERNAME> service ssh-connection method publickey
debug1: attempt 1 failures 0
debug1: test whether pkalg/pkblob are acceptable
debug1: temporarily_use_uid: GetPH *current rc=0 avail=0 msgid=
debug1: temporarily_use_uid: GetPH pw_name dl rc=0 avail=0 msgid=
debug1: temporarily_use_uid: SetPH rc=0 avail=0 msgid=
debug1: trying public key file <USER HOME DIR>/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
Authentication refused: Please type 'yes' or 'no'.
debug1: restore_uid: SetPH rc=0 avail=0 msgid=
debug1: restore_uid: ReleasePH prevHandle rc=0 avail=0 msgid=
debug1: restore_uid: ReleasePH profileHandle rc=0 avail=0 msgid=
Failed publickey for <CLIENT USERNAME> from <CLIENT IP> port 57747 ssh2
debug1: userauth-request for user <CLIENT USERNAME> service ssh-connection method keyboard-interactive
debug1: attempt 2 failures 1
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=<CLIENT USERNAME> devs=
debug1: kbdint_alloc: devices ''
Failed keyboard-interactive for <CLIENT USERNAME> from <CLIENT IP> port 57747 ssh2
debug1: userauth-request for user <CLIENT USERNAME> service ssh-connection method password
debug1: attempt 3 failures 2
debug1: auth_password: GetPH pw->pw_name=<CLIENT USERNAME> rc=0 avail=0 msgid=
debug1: auth_password: ReleasePH rc=0 avail=0 msgid=
Accepted password for <CLIENT USERNAME> from <CLIENT IP> port 57747 ssh2
debug1: Entering interactive session for SSH2.
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 256 win 16384 max 16384
debug1: input_session_request
debug1: channel 0: new [server-session]
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_channel_req: channel 0 request pty-req reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req pty-req
debug1: Allocating pty.
debug1: session_pty_req: session 0 alloc /dev/pts/0
debug1: server_input_channel_req: channel 0 request shell reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req shell
Starting session: shell on pts/0 for <CLIENT USERNAME> from <CLIENT IP> port 57747
Any insight would be greatly appreciated. Many thanks in advance!
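
A way to reduce the sshd -d output above to one record per authentication attempt, as an added example that is not part of the original post. It assumes the log format shown there; the user name, key file path and address in the sample are constructed placeholders, and `summarize` is a hypothetical helper name.

```python
import re

# Constructed sample modelled on the sshd -d output in the post, with the mail
# client's hard wraps kept. User, path and address are placeholder values.
SAMPLE = """\
debug1: userauth-request for user exampleusr service ssh-connection
method none
Failed none for exampleusr from 192.0.2.10 port 57747 ssh2
debug1: userauth-request for user exampleusr service ssh-connection
method publickey
debug1: test whether pkalg/pkblob are acceptable
debug1: trying public key file /home/exampleusr/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
Authentication refused: Please type 'yes' or 'no'.
debug1: restore_uid: SetPH rc=0 avail=0 msgid=
Failed publickey for exampleusr from 192.0.2.10 port 57747 ssh2
debug1: userauth-request for user exampleusr service ssh-connection
method password
Accepted password for exampleusr from 192.0.2.10 port
57747 ssh2
"""

# One alternation so events are seen in log order, even across wrapped lines.
EVENT = re.compile(
    r"userauth-request for user \S+ service \S+ method (?P<method>\S+)"
    r"|trying public key file (?P<keyfile>\S+)"
    r"|Authentication refused: (?P<reason>.+?)(?= debug\d: | Failed | Accepted |$)"
    r"|(?P<outcome>Failed|Accepted) (?P<rmethod>\S+) for \S+ from \S+ port \d+"
)

def summarize(log_text):
    """Return one dict per userauth-request: method, key file, reason, result."""
    flat = " ".join(log_text.split())  # undo hard wraps
    attempts, cur = [], None
    for m in EVENT.finditer(flat):
        if m.group("method"):
            cur = dict(method=m.group("method"), keyfile=None, reason=None, result=None)
            attempts.append(cur)
        elif cur is None:
            continue  # event logged before any auth request
        elif m.group("keyfile"):
            cur["keyfile"] = m.group("keyfile")
        elif m.group("reason"):
            cur["reason"] = m.group("reason")
        elif m.group("rmethod") == cur["method"]:
            cur["result"] = m.group("outcome")
    return attempts

if __name__ == "__main__":
    for a in summarize(SAMPLE):
        print(a)
```

The publickey record carries the key file sshd opened and the text it logged after "Authentication refused:", which is the server's stated reason for that attempt.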