From: dan lanza <d.lanza38@xxxxxxxxx>
To: midrange-l@xxxxxxxxxxxx
Date: 10/05/2016 09:16 AM
Subject: SSH RSA Key Authentication to IBM - Server refuses key
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>
Hello, I'm trying to set up SSH RSA Key Authentication to an IBM i from a
Windows machine using Putty. I'd like to specify a password with the key,
but since I've been running into issues I decided to keep it simple and do
without until I get it working. Currently the server refuses the key with
the message "Server refused our key" with everything I have tried.

I started by following the steps here:
http://club.alanseiden.com/learninghall/article/locking-down-ssh-on-the-ibm-i-with-public-keys/

Generated the keys using the steps from here:
https://help.github.com/articles/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent/#generating-a-new-ssh-key

Then converted the private key for use with PUTTY according to here:
https://devops.profitbricks.com/tutorials/use-ssh-keys-with-putty-on-windows/#use-existing-public-and-private-keys

sshd_config location (I've confirmed this is the correct location on my
system) = /QOpenSys/QIBM/UserData/SC1/OpenSSH/etc/sshd_config

As far as I can tell the relevant entries in my sshd_config file are
correct:
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

For testing purposes I've removed restrictions as to which IPs the server
listens on and all entries for DenyUsers, AllowUsers, DenyGroups and
AllowGroups have been commented out. Still no luck.

I then tried to get more meaningful error messages by following this wiki:
http://wiki.midrange.com/index.php/SSH#Diagnosing_Problems but the output
doesn't mean much to me. I'm hoping it means more to someone else. Also,
my sshd file is in a different location than this wiki
(/QOpenSys/QIBM/ProdData/SC1/OpenSSH/sbin/sshd -d). I'm not sure why, but
I chalked it up to the article not being updated.

The output is below which covers this sequence of events:
1. SSH session asks for user, I enter the user
2. SSH session reports "Server refused our key"
3. SSH session asks for password.
4. I provide the user account password (there is no password currently
associated with the SSH keys)
5. Successful login

I substituted usernames/IPs/encrypted text:
debug1: sshd version OpenSSH_6.9, OpenSSL 1.0.2i 22 Sep 2016
debug1: private host key #0: ssh-rsa SHA256:<ENCRYPTED TEXT>
debug1: private host key #1: ssh-dss SHA256:<ENCRYPTED TEXT>
debug1: private host key #2: ecdsa-sha2-nistp256 SHA256:<ENCRYPTED TEXT>
debug1: private host key #3: ssh-ed25519 SHA256:<ENCRYPTED TEXT>
debug1: rexec_argv[0]='/QOpenSys/QIBM/ProdData/SC1/OpenSSH/sbin/sshd'
debug1: rexec_argv[1]='-d'
debug1: sshd QWTCHGJB: rc=0 avail=0 msgid=
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7
debug1: sshd QWTCHGJB: rc=0 avail=0 msgid=
debug1: inetd sockets after dupping: 3, 3
Connection from <CLIENT IP> port 57747 on <SERVER IP> port 22
debug1: Client protocol version 2.0; client software version PuTTY_Release_0.66
debug1: no match: PuTTY_Release_0.66
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.9
debug1: list_hostkey_types: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes256-ctr hmac-sha2-256 none
debug1: kex: server->client aes256-ctr hmac-sha2-256 none
debug1: expecting SSH2_MSG_KEX_DH_GEX_REQUEST
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user <CLIENT USERNAME> service ssh-connection method none
debug1: attempt 0 failures 0
Failed none for <CLIENT USERNAME> from <CLIENT IP> port 57747 ssh2
debug1: userauth-request for user <CLIENT USERNAME> service ssh-connection method publickey
debug1: attempt 1 failures 0
debug1: test whether pkalg/pkblob are acceptable
debug1: temporarily_use_uid: GetPH *current rc=0 avail=0 msgid=
debug1: temporarily_use_uid: GetPH pw_name dl rc=0 avail=0 msgid=
debug1: temporarily_use_uid: SetPH rc=0 avail=0 msgid=
debug1: trying public key file <USER HOME DIR>/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
Authentication refused: Please type 'yes' or 'no'.
debug1: restore_uid: SetPH rc=0 avail=0 msgid=
debug1: restore_uid: ReleasePH prevHandle rc=0 avail=0 msgid=
debug1: restore_uid: ReleasePH profileHandle rc=0 avail=0 msgid=
Failed publickey for <CLIENT USERNAME> from <CLIENT IP> port 57747 ssh2
debug1: userauth-request for user <CLIENT USERNAME> service ssh-connection method keyboard-interactive
debug1: attempt 2 failures 1
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=<CLIENT USERNAME> devs=
debug1: kbdint_alloc: devices ''
Failed keyboard-interactive for <CLIENT USERNAME> from <CLIENT IP> port 57747 ssh2
debug1: userauth-request for user <CLIENT USERNAME> service ssh-connection method password
debug1: attempt 3 failures 2
debug1: auth_password: GetPH pw->pw_name=<CLIENT USERNAME> rc=0 avail=0 msgid=
debug1: auth_password: ReleasePH rc=0 avail=0 msgid=
Accepted password for <CLIENT USERNAME> from <CLIENT IP> port 57747 ssh2
debug1: Entering interactive session for SSH2.
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 256 win 16384 max 16384
debug1: input_session_request
debug1: channel 0: new [server-session]
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_channel_req: channel 0 request pty-req reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req pty-req
debug1: Allocating pty.
debug1: session_pty_req: session 0 alloc /dev/pts/0
debug1: server_input_channel_req: channel 0 request shell reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req shell
Starting session: shell on pts/0 for <CLIENT USERNAME> from <CLIENT IP> port 57747

Any insight would be greatly appreciated. Many thanks in advance!
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.
Please contact support@xxxxxxxxxxxx for any subscription related questions.
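
Added example, not part of the original post: in OpenSSH, the "Authentication refused: ..." line logged right after "trying public key file" is written when the StrictModes ownership and permission test on authorized_keys, or on a parent directory up to the user's home, fails. The sketch below repeats that test from a shell so the failing path is named; the function name and its arguments are hypothetical.

```shell
#!/bin/sh
# Added example: repeat sshd's StrictModes test for one user's key file.
# sshd wants the home directory, ~/.ssh and authorized_keys to be owned by
# the user (or uid 0) and not writable by group or others (mode & 022 == 0).

# check_strict_modes HOME_DIR OWNER
#   HOME_DIR  the user's home directory as sshd sees it
#   OWNER     login name or numeric uid expected to own the files
# Prints one line per problem; returns 0 only when all three paths pass.
check_strict_modes() {
    home=$1
    owner=$2
    problems=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING   $p"
            problems=$((problems + 1))
            continue
        fi
        # -prune makes find test only the path itself, never its children.
        if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "WRITABLE  $p (group or other write bit set)"
            problems=$((problems + 1))
        fi
        if [ -z "$(find "$p" -prune \( -user "$owner" -o -user 0 \) -print)" ]; then
            echo "OWNER     $p (not owned by $owner or uid 0)"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# Usage (placeholder values): check_strict_modes /home/USERNAME USERNAME
```

A WRITABLE line is cleared by removing the group and other write bits from the path it names, for example `chmod go-w` on the home directory or `chmod 700` on `.ssh`.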