OVH Community, votre nouvel espace communautaire.

SSH authentification par clef refusée


captainadmin
02/12/2014, 14h33
Bonjour,

Il faut mieux toujours utiliser le .ssh/authorized_keys (sans le 2)
Il est par default dans ta conf ssh, alors ue le 2 doit etre utilisé pour des programmes tiers.
tu devrais uniformiser les config des tes serveurs, et vérifier que le /etc/ssh/sshd_config pointe vers authorized_keys

Bonne journée
http://www.captainadmin.com
Nowwhat
01/12/2014, 17h51
T'as dit:
Citation Envoyé par elekaj34
Oui, la clé a bien été ajoutée dans le fichier .ssh/authorized_keys2.
et avant, t'as dit:
Citation Envoyé par elekaj34
Code:
AuthorizedKeysFile	%h/.ssh/authorized_keys


Bipare que ça n'a pas été mis en évidence dans tes logs.
Chez moi (tm), j'ai bien:
Dec 1 15:33:21 ns311465 sshd[13576]: Connection from 109.214.61.115 port 2436
Dec 1 15:33:21 ns311465 sshd[13576]: debug1: Client protocol version 2.0; client software version PuTTY_Release_0.60
Dec 1 15:33:21 ns311465 sshd[13576]: debug1: no match: PuTTY_Release_0.60
Dec 1 15:33:21 ns311465 sshd[13576]: debug1: Enabling compatibility mode for protocol 2.0
Dec 1 15:33:21 ns311465 sshd[13576]: debug1: Local version string SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2
Dec 1 15:33:21 ns311465 sshd[13576]: debug1: permanently_set_uid: 102/65534 [preauth]
Dec 1 15:33:21 ns311465 sshd[13576]: debug1: list_hostkey_types: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256 [preauth]
Dec 1 15:33:21 ns311465 sshd[13576]: debug1: SSH2_MSG_KEXINIT sent [preauth]
Dec 1 15:33:21 ns311465 sshd[13576]: debug1: SSH2_MSG_KEXINIT received [preauth]
Dec 1 15:33:21 ns311465 sshd[13576]: debug1: kex: client->server aes256-ctr hmac-sha1 none [preauth]
Dec 1 15:33:21 ns311465 sshd[13576]: debug1: kex: server->client aes256-ctr hmac-sha1 none [preauth]
Dec 1 15:33:21 ns311465 sshd[13576]: debug1: SSH2_MSG_KEX_DH_GEX_REQUEST_OLD received [preauth]
Dec 1 15:33:21 ns311465 sshd[13576]: debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent [preauth]
Dec 1 15:33:21 ns311465 sshd[13576]: debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT [preauth]
Dec 1 15:33:22 ns311465 sshd[13576]: debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent [preauth]
Dec 1 15:33:22 ns311465 sshd[13576]: debug1: SSH2_MSG_NEWKEYS sent [preauth]
Dec 1 15:33:22 ns311465 sshd[13576]: debug1: expecting SSH2_MSG_NEWKEYS [preauth]
Dec 1 15:33:22 ns311465 sshd[13576]: debug1: SSH2_MSG_NEWKEYS received [preauth]
Dec 1 15:33:22 ns311465 sshd[13576]: debug1: KEX done [preauth]
Dec 1 15:33:22 ns311465 sshd[13576]: debug1: userauth-request for user root service ssh-connection method none [preauth]
Dec 1 15:33:22 ns311465 sshd[13576]: debug1: attempt 0 failures 0 [preauth]
Dec 1 15:33:22 ns311465 sshd[13576]: debug1: userauth-request for user root service ssh-connection method publickey [preauth]
Dec 1 15:33:22 ns311465 sshd[13576]: debug1: attempt 1 failures 0 [preauth]
Dec 1 15:33:22 ns311465 sshd[13576]: debug1: test whether pkalg/pkblob are acceptable [preauth]
Dec 1 15:33:22 ns311465 sshd[13576]: debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-1023
Dec 1 15:33:22 ns311465 sshd[13576]: debug1: Checking blacklist file /etc/ssh/blacklist.RSA-1023
Dec 1 15:33:22 ns311465 sshd[13576]: debug1: temporarily_use_uid: 0/0 (e=0/0)
Dec 1 15:33:22 ns311465 sshd[13576]: debug1: trying public key file /root/.ssh/authorized_keys
Dec 1 15:33:22 ns311465 sshd[13576]: debug1: Could not open authorized keys '/root/.ssh/authorized_keys': No such file or directory
Dec 1 15:33:22 ns311465 sshd[13576]: debug1: restore_uid: 0/0
Dec 1 15:33:22 ns311465 sshd[13576]: debug1: temporarily_use_uid: 0/0 (e=0/0)
Dec 1 15:33:22 ns311465 sshd[13576]: debug1: trying public key file /root/.ssh/authorized_keys2
Dec 1 15:33:22 ns311465 sshd[13576]: debug1: fd 4 clearing O_NONBLOCK
Dec 1 15:33:22 ns311465 sshd[13576]: debug1: matching key found: file /root/.ssh/authorized_keys2, line 1
Dec 1 15:33:22 ns311465 sshd[13576]: Found matching RSA key: 57:dc:dd:00:f4:ee:f2:63:2e:27:13:de:cc:9c:00:5d
Dec 1 15:33:22 ns311465 sshd[13576]: debug1: restore_uid: 0/0
Dec 1 15:33:22 ns311465 sshd[13576]: Postponed publickey for root from 109.214.61.115 port 2436 ssh2 [preauth]
Dec 1 15:33:25 ns311465 sshd[13576]: debug1: userauth-request for user root service ssh-connection method publickey [preauth]
Dec 1 15:33:25 ns311465 sshd[13576]: debug1: attempt 2 failures 0 [preauth]
Dec 1 15:33:25 ns311465 sshd[13576]: debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-1023
Dec 1 15:33:25 ns311465 sshd[13576]: debug1: Checking blacklist file /etc/ssh/blacklist.RSA-1023
Dec 1 15:33:25 ns311465 sshd[13576]: debug1: temporarily_use_uid: 0/0 (e=0/0)
Dec 1 15:33:25 ns311465 sshd[13576]: debug1: trying public key file /root/.ssh/authorized_keys
Dec 1 15:33:25 ns311465 sshd[13576]: debug1: Could not open authorized keys '/root/.ssh/authorized_keys': No such file or directory !!
Dec 1 15:33:25 ns311465 sshd[13576]: debug1: restore_uid: 0/0
Dec 1 15:33:25 ns311465 sshd[13576]: debug1: temporarily_use_uid: 0/0 (e=0/0)
Dec 1 15:33:25 ns311465 sshd[13576]: debug1: trying public key file /root/.ssh/authorized_keys2 !!
Dec 1 15:33:25 ns311465 sshd[13576]: debug1: fd 4 clearing O_NONBLOCK
Dec 1 15:33:25 ns311465 sshd[13576]: debug1: matching key found: file /root/.ssh/authorized_keys2, line 1 !!
Dec 1 15:33:25 ns311465 sshd[13576]: Found matching RSA key: 57:dc:dd:00:f4:ee:f2:63:2e:27:13:de:cc:9c:00:5d !!
Dec 1 15:33:25 ns311465 sshd[13576]: debug1: restore_uid: 0/0
Dec 1 15:33:25 ns311465 sshd[13576]: debug1: ssh_rsa_verify: signature correct
Dec 1 15:33:25 ns311465 sshd[13576]: Accepted publickey for root from 109.214.61.115 port 2436 ssh2
Dec 1 15:33:25 ns311465 sshd[13576]: debug1: monitor_read_log: child log fd closed
Dec 1 15:33:25 ns311465 sshd[13576]: debug1: monitor_child_preauth: root has been authenticated by privileged process
Dec 1 15:33:25 ns311465 sshd[13576]: debug1: Entering interactive session for SSH2.
Dec 1 15:33:25 ns311465 sshd[13576]: debug1: server_init_dispatch_20
Dec 1 15:33:25 ns311465 sshd[13576]: debug1: server_input_channel_open: ctype session rchan 256 win 16384 max 16384
Dec 1 15:33:25 ns311465 sshd[13576]: debug1: input_session_request
Dec 1 15:33:25 ns311465 sshd[13576]: debug1: channel 0: new [server-session]
Dec 1 15:33:25 ns311465 sshd[13576]: debug1: session_new: session 0
Dec 1 15:33:25 ns311465 sshd[13576]: debug1: session_open: channel 0
Dec 1 15:33:25 ns311465 sshd[13576]: debug1: session_open: session 0: link with channel 0
Dec 1 15:33:25 ns311465 sshd[13576]: debug1: server_input_channel_open: confirm session
Dec 1 15:33:25 ns311465 sshd[13576]: debug1: server_input_channel_req: channel 0 request pty-req reply 1
Dec 1 15:33:25 ns311465 sshd[13576]: debug1: session_by_channel: session 0 channel 0
Dec 1 15:33:25 ns311465 sshd[13576]: debug1: session_input_channel_req: session 0 req pty-req
Dec 1 15:33:25 ns311465 sshd[13576]: debug1: Allocating pty.
Dec 1 15:33:25 ns311465 sshd[13576]: debug1: session_pty_req: session 0 alloc /dev/pts/1
Dec 1 15:33:25 ns311465 sshd[13576]: debug1: SELinux support disabled
Dec 1 15:33:25 ns311465 sshd[13576]: debug1: server_input_channel_req: channel 0 request shell reply 1
Dec 1 15:33:25 ns311465 sshd[13576]: debug1: session_by_channel: session 0 channel 0
Dec 1 15:33:25 ns311465 sshd[13576]: debug1: session_input_channel_req: session 0 req shell
Dec 1 15:33:25 ns311465 sshd[13578]: debug1: Setting controlling tty using TIOCSCTTY.
Dec 1 15:33:25 ns311465 sshd[13578]: debug1: permanently_set_uid: 0/0
Note: l’utilisation de authorized_keys2 est consideré comme "vieux".
C'est "authorized_keys" pour des installation serveur ssh plus moderne.
Dans mon log, on retrouve bien le moment où sshd fouille dans "authorized_keys" car c'est l'endroit par défaut, avant qu'il tente le "authorized_keys2", comme j'ai paramétré mon
/etc/ssh/sshd_config
elekaj34
01/12/2014, 17h13
Merci

C'est vraiment le truc ton con et agaçant :/
Ceci dit, sur tous mes autres serveurs, c'est authorized_keys2 et aucun souci ! Ça vient d'où ce changement ?
captainadmin
01/12/2014, 16h42
bonjour,

fait un cp de .ssh/authorized_keys2 en .ssh/authorized_keys

Bonne journée
http://www.captainadmin.com
elekaj34
01/12/2014, 15h34
Re,

Oui, la clé a bien été ajoutée dans le fichier .ssh/authorized_keys2.
Comme client, je suis aussi sur Debian (ou Ubuntu) et la signature du serveur est bien présente dans .ssh/known_hosts.

Actuellement, la seule méthode (opérationnelle) de login est le password, si je la désactive, j'ai bien peur de rendre mon serveur "hors de contrôle" :/ (du coup, je vais pas tenter le diable) !
De plus, là, il ne s'agit pas de se loguer en root (mais j'ai le même problème avec rooot)
InboX
01/12/2014, 14h12
salut,

PermitRootLogin without-password
la cle est bien dans le fichier ?
authorized_keys
Dans putty as tu ajouter le fichier cle aussi ?

Cordialement,
elekaj34
01/12/2014, 13h56
Bonjour,

Sur l'un de mes serveurs, sous Debian, impossible de me logguer avec une clef

Dans /etc/ssh/sshd_config (seul les commentaires ont été supprimé pour une meilleur lisibilté) :
Code:
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 768
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile	%h/.ssh/authorized_keys
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
Et quand je me loggue avec ssh -vvv elekaj34@srv.domaine.fr :
OpenSSH_6.0p1 Debian-4+deb7u2, OpenSSL 1.0.1e 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to srv.domaine.fr [1.2.3.4] port 22.
debug1: Connection established.
debug3: Incorrect RSA1 identifier
debug3: Could not load "/home/elekaj34/.ssh/id_rsa" as a RSA1 public key
debug1: identity file /home/elekaj34/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /home/elekaj34/.ssh/id_rsa-cert type -1
debug1: identity file /home/elekaj34/.ssh/id_dsa type -1
debug1: identity file /home/elekaj34/.ssh/id_dsa-cert type -1
debug1: identity file /home/elekaj34/.ssh/id_ecdsa type -1
debug1: identity file /home/elekaj34/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5p1 Debian-6+squeeze2
debug1: match: OpenSSH_5.5p1 Debian-6+squeeze2 pat OpenSSH_5*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "srv.domain.fr" from file "/home/elekaj34/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /home/elekaj34/.ssh/known_hosts:42
debug3: load_hostkeys: loaded 1 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-rsa-cert-v01@openssh.com,ssh-rsa...00@openssh.com,ssh-rsa
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-rsa...00@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 133/256
debug2: bits set: 497/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA 90:27:89:51:f1:ad:03:d8:a1:54:3f:90:2f:1f:88:6e
debug3: load_hostkeys: loading entries for host "srv.domaine.fr" from file "/home/elekaj34/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /home/elekaj34/.ssh/known_hosts:42
debug3: load_hostkeys: loaded 1 keys
debug3: load_hostkeys: loading entries for host "1.2.3.4" from file "/home/elekaj34/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /home/elekaj34/.ssh/known_hosts:40
debug3: load_hostkeys: loaded 1 keys
debug1: Host 'srv.domaine.fr' is known and matches the RSA host key.
debug1: Found key in /home/elekaj34/.ssh/known_hosts:42
debug2: bits set: 519/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/elekaj34/.ssh/id_rsa (0x7fe4caa0fe50)
debug2: key: /home/elekaj34/.ssh/id_dsa ((nil))
debug2: key: /home/elekaj34/.ssh/id_ecdsa ((nil))
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/elekaj34/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/elekaj34/.ssh/id_dsa
debug3: no such identity: /home/elekaj34/.ssh/id_dsa
debug1: Trying private key: /home/elekaj34/.ssh/id_ecdsa
debug3: no such identity: /home/elekaj34/.ssh/id_ecdsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
puis me demande le mot de passe de l'utilisateur !

Pour info, tant sur le client que sur le serveur, les répertoires .ssh/ sont bien en droit 700 (et les fichiers en 600 sauf id_rsa.pub en 644)
J'ai désactivé le firewall (dès fois que), cela ne résous pas le problème.

Une idée ?

Merci pour votre aide