[Bug 236931] Re: openssh-server does not find dsa keys authorized_keys file

PJO paul at onolan.net
Thu Sep 25 01:22:53 BST 2008 

I thought I had the same problem, with

Server: Ubuntu server 8.04.1

and either/both of

Client1: Ubuntu-eee 8.04.1 (slimmed down version of Ubuntu for Asus EEE PC; ssh client only installed)
Client2: Ubuntu server 8.04.1

file and directory permissions are correct (& setting StrictModes to
'no' didn't help --I tried it just in case)

I tried to follow instructions here:
https://help.ubuntu.com/8.04/serverguide/C/openssh-server.html which are
not entirely consistent with what I've since read elsewhere (e.g., here
http://www.debian-administration.org/articles/152) when trying to
understand why this wasn't working as expected.

Why authorized_keys2?

ssh-copy-id -i uses "authorized_keys" regardless of whether RSA or DSA
is selected, not authorized_keys2. (hello?)

(I learned about ssh-copy-id here http://principialabs.com/beginning-
ssh-on-ubuntu where it's specifically referred to with Ubuntu)

I tried copying authorized_keys to authorized_keys2, which didn't make
any difference.

The private key files have wrapped lines (@ 64 characters). Both ID_RSA
and ID_DSA..Does it matter?

Just tried RSA; this didn't work for me.

ssh -v paul at wiki yields (wiki is the server)

OpenSSH 4.7p1 Debian-8ubuntu1.2, OpenSSL 0.9.8g 19 Oct 2007
Reading configuration data /home/paul/.ssh/config
Applying options for wiki
Reading configuration data for /etc/ssh/ssh_config
Applying options for *
Connecting to 192.168.1.83 [192.168.1.83] port 22.
Connection established
identify file /home/paul/.ssh/identity type -1
identify file /home/paul/.ssh/id_rsa type -1
identify file /home/paul/.ssh/id_dsa type -1
Remote protocol version 2.0, remote software version OpenSSH_4.7p1 Debian-8ubuntu1.2
match: OpenSSH_4.7p1 Debian-8ubuntu1.2 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
Local version string SSH-20-OpenSSH_4.7p1 Debian-8ubuntu1.2
SSH2_MSG_KEXINIT sent
expecting SSH2_MSG_NEWKEYS
SSH2_MSG_NEWKEYS received
SSH2_MSG_SERVICE_REQUEST sent
SSH2_MSG_SERVICE_REQUEST received
Authentications that can continue: publickey,password
Next authentication method: publickey
Trying private key: /home/paul/.ssh/identity
Offering public key: /home/paul/id_rsa
Authentications that can continue: publickey,password
Trying private key: /home/paul/.ssh/id_dsa
Next authentication method: password
paul at 192.168.1.83's password:

I'm about to try a desktop version of 8.04.1 (keys are generated on
Ubuntu server version only so far) but thought I'd post this in the
meantime. If it's not a bug then it may be that the installation docs
need some revision (for dummies / victims of Murphy' law).

OK. Just tried with Ubuntu desktop running on an old laptop (LPC); I
installed the OpenSSH server software, generated keys, copied the public
key to the EEE pc (to ~/.ssh -- same account name). I renamed the
existing authorized_keys in case there was anything wrong with it and
then renamed the public key file (first DSA; then repeated this for RSA)
and set permissions to 600 (advice in OpenSSH FAQ).

I made no changes to the sshd_config or ssh_config files.

captured debug follows

paul at eeepc:~/.ssh$ ssh -v paul at lpc
OpenSSH_4.7p1 Debian-8ubuntu1.2, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /home/paul/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to lpc [192.168.1.64] port 22.
debug1: Connection established.
debug1: identity file /home/paul/.ssh/identity type -1
debug1: identity file /home/paul/.ssh/id_rsa type 1
debug1: identity file /home/paul/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version
OpenSSH_4.7p1 Debian-8ubuntu1.2
debug1: match: OpenSSH_4.7p1 Debian-8ubuntu1.2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1.2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'lpc' is known and matches the RSA host key.
debug1: Found key in /home/paul/.ssh/known_hosts:3
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /home/paul/.ssh/identity
debug1: Offering public key: /home/paul/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/paul/.ssh/id_dsa
debug1: Next authentication method: password
paul at lpc's password: 

<pause>

Re-reads https://help.ubuntu.com/8.04/serverguide/C/openssh-server.html

> the host
> between hosts
> remote host

So, it's all perfectly clear which is which here? (small lightbulb
illuminates; why are private keys being tried?)

I assumed that the remote machine with the public key would be the one
initiating communication, which is not entirely illogical:

Reasoning:

1 server 
many clients

1 private key
shareable public key

client-server communication is called client-server not server-client
communication.

Naive expectation: client with public key initiates communication (I'm
looking at this so I can rsync over ssh; the remote device is the client
from a storage perspective)

Reality: client with private key initiates communication with servers:

1 client
many servers

At a minimum, the doc (https://help.ubuntu.com/8.04/serverguide/C
/openssh-server.html) should read

You should now be able to SSH to the remote host without being prompted for a password. 
                                                        =====

The word remote is missing and the word "to" could usefully be
emphasised. A diagram for added clarity would be even better.

My guess as to why one key failed and one worked for Max is that he
changed ends, so to speak, but I may be wrong.

I subsequently found this
http://ubuntuforums.org/showthread.php?t=238672 which I find clearer
than the original write-up.

I think you can close this one. However, I hope the docs can be expanded
a little (in time for 8.10 would be good) to keep others from falling
into the same trap.

-- 
openssh-server does not find dsa keys authorized_keys file
https://bugs.launchpad.net/bugs/236931
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openssh in ubuntu.

More information about the Ubuntu-server-bugs mailing list