Unable to complete the last part of Lab 5.3

fortisvir · July 2016

Hi there,

I am unable to complete the last part of Lab 5.3.

I have editied /etc/ssh/sshd_config and made sure this line is present: PermitRootLogin without-password

I have copied the authorized_keys to /root/.ssh/authorized_keys and checked user and group permissions.

# cat /home/student/.ssh/authorized_keys >> /root/.ssh/authorized_keys

# chown root.root /root/.ssh/authorized_keys

# chmod 640 /root/.ssh/authorized_keys

I receive permission denied when attempting to log into host garply again.

$ ssh garply

I could ssh to garply up until PermitRootLogin is changed to without-password in /etc/ssh/sshd_config.

I can ssh to garply but I receive permission denied.

I can ssh to localhost and connect with a password.

For my lab machine I am using CentOS 7 (Build 1511).

I verified that the authorized_keys copied to /root/.ssh folder and that the permissions and owner is set according to the lab notes.

I verified that the ssh config file in $HOME/.ssh/ contains input from exercise 5.2:

host garply

hostname localhost

user root

host *

ForwardX11 yes

Can you please help me?

lee42x · July 2016

Hello, Let's see if we can get his lab functioning for you. It sounds like the ssh keys are not being used when ssh is run. We use the keys created in step 5.1 in step 5.3.

Can you verify that in step 5.1-2 after copying student's public key to the authorized_keys fle with ssh-copy-id that you were able to "ssh [email protected]" without providing a password? If you have to provide a password there is a problem. Additional information is available from ssh using the "-v or -vv" option.

fortisvir · August 2016

Hi lee42x,

I have reviewed the steps in lab 5.1 again.

The first ssh session does not prompt for a password.

It prompts for a password in substequent connections after the first session is exited.

Below is the output from lab 5.1. I used script to record output to log files.

/* $ ssh-keygen -t rsa -f $HOME/.ssh/id-rsa */

[[email protected] ~]$ ssh-keygen -t rsa -f |[K£[K$HOME//,[K[K.ssh.[K/id-rsa[C[[email protected] [[email protected][[email protected]

Generating public/private rsa key pair.

Created directory '/home/student/.ssh'.

Enter passphrase (empty for no passphrase):

Enter same passphrase again:

Your identification has been saved in /home/student/.ssh/id-rsa.

Your public key has been saved in /home/student/.ssh/id-rsa.pub.

The key fingerprint is:

e3:42:e1:bf:9b:dc:de:b3:29:43:93:16:11:e0:7b:da [email protected]

The key's randomart image is:

+--[ RSA 2048]----+

| .... |

| . . |

| . . . |

| . . .. |

| o S .o |

| . o == |

| . +oE. |

| o +o... |

| =ooo+o |

+-----------------+

/* eval $(ssh-agent) */

[[email protected] ~]$ eval $()s)s)h)-)a)g)e)n)t)

Agent pid 2453

/* ssh-add $HOME/.ssh/id-rsa */

[[email protected] ~]$ ssh-add $HOME/.ssh/id-rsa

Identity added: /home/student/.ssh/id-rsa (/home/student/.ssh/id-rsa)

/* ssh-copy-id [email protected] */

[[email protected] ~]$ ssh-copy-id student"[[email protected]

The authenticity of host 'localhost (::1)' can't be established.

ECDSA key fingerprint is fa:5a:6b:81:76:3a:36:c1:6e:8d:4f:7b:f1:2d:a7:12.

Are you sure you want to continue connecting (yes/no)? yes

/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed

/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys

[email protected]'s password:

Number of key(s) added: 1

Now try logging into the machine, with: "ssh '[email protected]'"

and check to make sure that only the key(s) you wanted were added.

/* ssh [email protected] (first connection - no prompt received for password) */

[[email protected] ~]$ ssh -vv /[Kstudent"[[email protected]

OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013

debug1: Reading configuration data /etc/ssh/ssh_config

debug1: /etc/ssh/ssh_config line 56: Applying options for *

debug2: ssh_connect: needpriv 0

debug1: Connecting to localhost [::1] port 22.

debug1: Connection established.

debug1: identity file /home/student/.ssh/id_rsa type -1

debug1: identity file /home/student/.ssh/id_rsa-cert type -1

debug1: identity file /home/student/.ssh/id_dsa type -1

debug1: identity file /home/student/.ssh/id_dsa-cert type -1

debug1: identity file /home/student/.ssh/id_ecdsa type -1

debug1: identity file /home/student/.ssh/id_ecdsa-cert type -1

debug1: identity file /home/student/.ssh/id_ed25519 type -1

debug1: identity file /home/student/.ssh/id_ed25519-cert type -1

debug1: Enabling compatibility mode for protocol 2.0

debug1: Local version string SSH-2.0-OpenSSH_6.6.1

debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1

debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x04000000

debug2: fd 3 setting O_NONBLOCK

debug1: SSH2_MSG_KEXINIT sent

debug1: SSH2_MSG_KEXINIT received

debug2: kex_parse_kexinit: [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,ssh-rsa,ssh-dss

debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]

debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96

debug2: kex_parse_kexinit: none,zl[email protected],zlib

debug2: kex_parse_kexinit: none,[email protected],zlib

debug2: kex_parse_kexinit:

debug2: kex_parse_kexinit: first_kex_follows 0

debug2: kex_parse_kexinit: reserved 0

debug2: kex_parse_kexinit: [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

debug2: kex_parse_kexinit: ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519

debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]

debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96

debug2: kex_parse_kexinit: none,[email protected]

debug2: kex_parse_kexinit:

debug2: kex_parse_kexinit: first_kex_follows 0

debug2: kex_parse_kexinit: reserved 0

debug2: mac_setup: setup [email protected]

debug1: kex: server->client aes128-ctr [email protected] none

debug2: mac_setup: setup [email protected]

debug1: kex: client->server aes128-ctr [email protected] none

debug1: kex: [email protected] need=16 dh_need=16

debug1: sending SSH2_MSG_KEX_ECDH_INIT

debug1: expecting SSH2_MSG_KEX_ECDH_REPLY

debug1: Server host key: ECDSA fa:5a:6b:81:76:3a:36:c1:6e:8d:4f:7b:f1:2d:a7:12

debug1: Host 'localhost' is known and matches the ECDSA host key.

debug1: Found key in /home/student/.ssh/known_hosts:1

debug1: ssh_ecdsa_verify: signature correct

debug2: kex_derive_keys

debug2: set_newkeys: mode 1

debug1: SSH2_MSG_NEWKEYS sent

debug1: expecting SSH2_MSG_NEWKEYS

debug2: set_newkeys: mode 0

debug1: SSH2_MSG_NEWKEYS received

debug1: Roaming not allowed by server

debug1: SSH2_MSG_SERVICE_REQUEST sent

debug2: service_accept: ssh-userauth

debug1: SSH2_MSG_SERVICE_ACCEPT received

debug2: key: /home/student/.ssh/id-rsa (0x7f8d08e7e8f0),

debug2: key: /home/student/.ssh/id_rsa ((nil)),

debug2: key: /home/student/.ssh/id_dsa ((nil)),

debug2: key: /home/student/.ssh/id_ecdsa ((nil)),

debug2: key: /home/student/.ssh/id_ed25519 ((nil)),

debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password

debug1: Next authentication method: gssapi-keyex

debug1: No valid Key exchange context

debug2: we did not send a packet, disable method

debug1: Next authentication method: gssapi-with-mic

debug1: Unspecified GSS failure. Minor code may provide more information

No Kerberos credentials available

debug1: Unspecified GSS failure. Minor code may provide more information

debug1: Unspecified GSS failure. Minor code may provide more information

No Kerberos credentials available

debug2: we did not send a packet, disable method

debug1: Next authentication method: publickey

debug1: Offering RSA public key: /home/student/.ssh/id-rsa

debug2: we sent a publickey packet, wait for reply

debug1: Server accepts key: pkalg ssh-rsa blen 279

debug2: input_userauth_pk_ok: fp e3:42:e1:bf:9b:dc:de:b3:29:43:93:16:11:e0:7b:da

debug1: Authentication succeeded (publickey).

Authenticated to localhost ([::1]:22).

debug1: channel 0: new [client-session]

debug2: channel 0: send open

debug1: Requesting [email protected]

debug1: Entering interactive session.

debug2: callback start

debug2: fd 3 setting TCP_NODELAY

debug2: client_session2_setup: id 0

debug2: channel 0: request pty-req confirm 1

debug1: Sending environment.

debug1: Sending env LANG = en_GB.UTF-8

debug2: channel 0: request env confirm 0

debug2: channel 0: request shell confirm 1

debug2: callback done

debug2: channel 0: open confirm rwindow 0 rmax 32768

debug2: channel_input_status_confirm: type 99 id 0

debug2: PTY allocation request accepted on channel 0

debug2: channel 0: rcvd adjust 2097152

debug2: channel_input_status_confirm: type 99 id 0

debug2: shell request accepted on channel 0

Last login: Thu Aug 4 12:59:27 2016

/* id */

[[email protected] ~]$ id

uid=1000(student) gid=1000(student) groups=1000(student),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

/* exit */

[[email protected] ~]$ exitdebug1: client_input_channel_req: channel 0 rtype exit-status reply 0

debug1: client_input_channel_req: channel 0 rtype [email protected] reply 0

debug2: channel 0: rcvd eow

debug2: channel 0: close_read

debug2: channel 0: input open -> closed

debug2: channel 0: rcvd eof

debug2: channel 0: output open -> drain

debug2: channel 0: rcvd close

logout

debug2: channel 0: obuf empty

debug2: channel 0: close_write

debug2: channel 0: output drain -> closed

debug2: channel 0: almost dead

debug2: channel 0: gc: notify user

debug2: channel 0: gc: user detached

debug2: channel 0: send close

debug2: channel 0: is dead

debug2: channel 0: garbage collecting

debug1: channel 0: free: client-session, nchannels 1

Connection to localhost closed.

Transferred: sent 2924, received 2648 bytes, in 2.3 seconds

Bytes per second: sent 1252.8, received 1134.6

debug1: Exit status 0

/* ssh [email protected] (subsequent connections - Prompt received for password) */

[[email protected] ~]$ ssh -vv student"[[email protected]

OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013

debug1: Reading configuration data /etc/ssh/ssh_config

debug1: /etc/ssh/ssh_config line 56: Applying options for *

debug2: ssh_connect: needpriv 0

debug1: Connecting to localhost [::1] port 22.

debug1: Connection established.

debug1: identity file /home/student/.ssh/id_rsa type -1

debug1: identity file /home/student/.ssh/id_rsa-cert type -1

debug1: identity file /home/student/.ssh/id_dsa type -1

debug1: identity file /home/student/.ssh/id_dsa-cert type -1

debug1: identity file /home/student/.ssh/id_ecdsa type -1

debug1: identity file /home/student/.ssh/id_ecdsa-cert type -1

debug1: identity file /home/student/.ssh/id_ed25519 type -1

debug1: identity file /home/student/.ssh/id_ed25519-cert type -1

debug1: Enabling compatibility mode for protocol 2.0

debug1: Local version string SSH-2.0-OpenSSH_6.6.1

debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1

debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x04000000

debug2: fd 3 setting O_NONBLOCK

debug1: SSH2_MSG_KEXINIT sent

debug1: SSH2_MSG_KEXINIT received

debug2: kex_parse_kexinit: [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,ssh-rsa,ssh-dss

debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]

debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96

debug2: kex_parse_kexinit: none,[email protected],zlib

debug2: kex_parse_kexinit:

debug2: kex_parse_kexinit: first_kex_follows 0

debug2: kex_parse_kexinit: reserved 0

debug2: kex_parse_kexinit: [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

debug2: kex_parse_kexinit: ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519

debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]

debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96

debug2: kex_parse_kexinit: none,[email protected]

debug2: kex_parse_kexinit:

debug2: kex_parse_kexinit: first_kex_follows 0

debug2: kex_parse_kexinit: reserved 0

debug2: mac_setup: setup [email protected]

debug1: kex: server->client aes128-ctr [email protected] none

debug2: mac_setup: setup [email protected]

debug1: kex: client->server aes128-ctr [email protected] none

debug1: kex: [email protected] need=16 dh_need=16

debug1: sending SSH2_MSG_KEX_ECDH_INIT

debug1: expecting SSH2_MSG_KEX_ECDH_REPLY

debug1: Server host key: ECDSA fa:5a:6b:81:76:3a:36:c1:6e:8d:4f:7b:f1:2d:a7:12

debug1: Host 'localhost' is known and matches the ECDSA host key.

debug1: Found key in /home/student/.ssh/known_hosts:1

debug1: ssh_ecdsa_verify: signature correct

debug2: kex_derive_keys

debug2: set_newkeys: mode 1

debug1: SSH2_MSG_NEWKEYS sent

debug1: expecting SSH2_MSG_NEWKEYS

debug2: set_newkeys: mode 0

debug1: SSH2_MSG_NEWKEYS received

debug1: Roaming not allowed by server

debug1: SSH2_MSG_SERVICE_REQUEST sent

debug2: service_accept: ssh-userauth

debug1: SSH2_MSG_SERVICE_ACCEPT received

debug2: key: /home/student/.ssh/id_rsa ((nil)),

debug2: key: /home/student/.ssh/id_dsa ((nil)),

debug2: key: /home/student/.ssh/id_ecdsa ((nil)),

debug2: key: /home/student/.ssh/id_ed25519 ((nil)),

debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password

debug1: Next authentication method: gssapi-keyex

debug1: No valid Key exchange context

debug2: we did not send a packet, disable method

debug1: Next authentication method: gssapi-with-mic

debug1: Unspecified GSS failure. Minor code may provide more information

No Kerberos credentials available

debug1: Unspecified GSS failure. Minor code may provide more information

debug1: Unspecified GSS failure. Minor code may provide more information

No Kerberos credentials available

debug2: we did not send a packet, disable method

debug1: Next authentication method: publickey

debug1: Trying private key: /home/student/.ssh/id_rsa

debug1: Trying private key: /home/student/.ssh/id_dsa

debug1: Trying private key: /home/student/.ssh/id_ecdsa

debug1: Trying private key: /home/student/.ssh/id_ed25519

debug2: we did not send a packet, disable method

debug1: Next authentication method: password

[email protected]'s password:

debug2: we sent a password packet, wait for reply

debug1: Authentication succeeded (password).

Authenticated to localhost ([::1]:22).

debug1: channel 0: new [client-session]

debug2: channel 0: send open

debug1: Requesting [email protected]

debug1: Entering interactive session.

debug2: callback start

debug2: fd 3 setting TCP_NODELAY

debug2: client_session2_setup: id 0

debug2: channel 0: request pty-req confirm 1

debug1: Sending environment.

debug1: Sending env LANG = en_GB.UTF-8

debug2: channel 0: request env confirm 0

debug2: channel 0: request shell confirm 1

debug2: callback done

debug2: channel 0: open confirm rwindow 0 rmax 32768

debug2: channel_input_status_confirm: type 99 id 0

debug2: PTY allocation request accepted on channel 0

debug2: channel 0: rcvd adjust 2097152

debug2: channel_input_status_confirm: type 99 id 0

debug2: shell request accepted on channel 0

Last login: Thu Aug 4 13:03:25 2016 from localhost

lee42x · August 2016

I was able to duplicate the issue.

Please examine the last 20 (or so) lines of the /var/log/secure file, I believe the answer should be there.

$ sudo grep ssh /var/log/secure | tail -n20

Look for "Authentication Refused", it should indicate the permissions are incorrect on the $HOME/.ssh directory.

Check & change the permissions on the .ssh directory

$ chmod 700 $HOME/.ssh

And it should function.

Thanks, keep us posted.

fortisvir · August 2016

Hi lee42x,

I changed the permissions but It still appears to be prompting for a password after the system is rebooted.

I have been able to resolve the issue by removing the custom file location parameter from ssh-keygen. The prompt for a password after the sshd service is restarted or when the system is rebooted no longer appears.

$ ssh-keygen -t rsa (instead of $ ssh-keygen -t rsa -f $HOME/.ssh/id-rsa)

$ eval $(ssh-agent)

$ ssh-add $HOME/.ssh/id-rsa

$ ssh-copy-id [email protected]

$ ssh [email protected]

$ id

$ exit

The permissions on $HOME/.ssh are 700

The permissions on files contained in $HOME/.ssh are:

authorised_keys 600

id_rsa 600

id_rsa.pub 644

known_hosts 644

Thank you for your help.

fortisvir · August 2016

Exercise 5.2 asks you to change the default username and create a host alias using the config file in $HOME/.ssh.

On CentOS 7 the config file does not exist and has to be created. - sudo vi $HOME/.ssh/config

When you ssh garply it will request a user password and authentication will fail becasue the root user (set in the config file) does not have a .ssh directory configured with authorisation_keys present. Removing user root from the config file allows ssh garply to connect.

host garply

hostname localhost

host *

ForwardX11 yes

fortisvir · August 2016

In exercise 5.3 user root can be added back to $HOME/.ssh/config

host garply

hostname localhost

user root

host *

ForwardX11 yes

Copying only the authorized_keys file from /home/student/.ssh/ to /root/.ssh/ is not enough . The public key file ($HOME/.ssh/id_rsa.pub) is required to be copied to /root/.ssh/ in order for the ssh connection to work.

Unable to complete the last part of Lab 5.3

Comments