SSH pubkey authentication

Today I found a weird problem on my systems, where one of the systems was not able to use pubkey SSH authentication, although the private key and authorized keys were properly set. Also, all the permissions were correct.

After checking it several times, I was not able to ssh, and this was annoying me:

sid ➜ ~ ssh-copy-id breno@9.85.194.48
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/brenohl/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
breno@9.85.194.48's password:

Number of key(s) added: 1

Now try logging into the machine, with: "ssh 'breno@9.85.194.48'"
and check to make sure that only the key(s) you wanted were added.

sid ➜ ~ ssh-copy-id breno@9.85.194.48
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/brenohl/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
breno@9.85.194.48's password:

I was also having the same issue on GitHub authentication. Looking at the logs, they just show something that does not help a lot.
Client side:

debug2: key: /home/brenohl/.ssh/id_rsa (0x1000d9ff370)
debug2: key: /home/brenohl/.ssh/id_dsa ((nil))
debug2: key: /home/brenohl/.ssh/id_ecdsa ((nil))
debug2: key: /home/brenohl/.ssh/id_ed25519 ((nil))
debug3: send packet: type 5
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/brenohl/.ssh/id_rsa
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug2: input_userauth_pk_ok: fp SHA256:kA9jpmFpb7LbwIplSpr3JishbUwY/A0vH43xrKg98bY
debug3: sign_and_send_pubkey: RSA SHA256:kA9jpmFpb7LbwIplSpr3JishbUwY/A0vH43xrKg98bY
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /home/brenohl/.ssh/id_dsa

Although very verbose, I was not able to find anything useful. Then I tried to debug the server side, which was showing the following log:

Jan 08 09:45:07 debra sshd[14332]: error: RSA_public_decrypt failed: error:0407006A:lib(4):func(112):reason(106)

Looking at this 106 reason, I found something very weird, since my pubkey at the client was wrong. I was not expecting that the pubkey in the client would have any influence in the authentication with the server.

I would expect that the client uses the private key, and the server uses the pubkey, but there is a validation and if your pubkey in the client is wrong, you might face this issue.

The solution was basically removing the wrong pubkey in the client, and then I was able to ssh into the server without any issue.
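A check for the mismatch described above, as an added example that is not part of the original post: it derives the public key from each private key with ssh-keygen -y and compares it with the .pub file stored beside it. The function names check_keypair and check_ssh_dir are made up for this example.

```shell
#!/bin/sh
# Added example (not from the original post): detect a client-side .pub file
# that does not belong to the private key stored next to it.

# check_keypair PRIVATE_KEY_FILE
# Returns 0 if PRIVATE_KEY_FILE.pub matches (or is absent), 1 on mismatch,
# 2 if the private key cannot be loaded.
check_keypair() {
    priv=$1
    pub=$priv.pub
    if [ ! -f "$pub" ]; then
        echo "SKIP      $priv (no .pub file beside it)"
        return 0
    fi
    # ssh-keygen -y derives the public key from the private key itself;
    # it asks for the passphrase if the key is encrypted.
    if ! derived=$(ssh-keygen -y -f "$priv"); then
        echo "ERROR     $priv (could not load private key)" >&2
        return 2
    fi
    # Compare key type and base64 blob only; the trailing comment may differ.
    want=$(printf '%s\n' "$derived" | awk 'NR == 1 { print $1, $2 }')
    have=$(awk 'NR == 1 { print $1, $2 }' "$pub")
    if [ "$want" = "$have" ]; then
        echo "OK        $priv"
        return 0
    fi
    echo "MISMATCH  $pub is not the public half of $priv"
    return 1
}

# check_ssh_dir [DIR]
# Runs check_keypair on every id_* private key in DIR (default: ~/.ssh).
# Returns 1 if any key pair could not be confirmed as matching.
check_ssh_dir() {
    dir=${1:-$HOME/.ssh}
    status=0
    for f in "$dir"/id_*; do
        case $f in *.pub) continue ;; esac
        [ -f "$f" ] || continue
        check_keypair "$f" || status=1
    done
    return $status
}

# Usage, after sourcing this file:  check_ssh_dir "$HOME/.ssh"
```
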

 

 
