Failing SSH Certs
-
And one of the clients:
-bash-4.2$ pwd /home/scott/.ssh -bash-4.2$ ll total 4 -rwx------. 1 scott scott 399 Feb 27 16:21 authorized_keys
-
This is what /var/log/secure produces when it fails:
Mar 3 17:28:10 cc-lnx-dev1 sshd[11656]: Connection closed by 168.235.144.189 [preauth] Mar 3 17:29:52 cc-lnx-dev1 sshd[11662]: reverse mapping checking getaddrinfo for c1115753-27900.cloudatcost.com [168.235.144.189] failed - POSSIBLE BREAK-IN ATTEMPT!
-
@scottalanmiller said:
This is what /var/log/secure produces when it fails:
Mar 3 17:28:10 cc-lnx-dev1 sshd[11656]: Connection closed by 168.235.144.189 [preauth] Mar 3 17:29:52 cc-lnx-dev1 sshd[11662]: reverse mapping checking getaddrinfo for c1115753-27900.cloudatcost.com [168.235.144.189] failed - POSSIBLE BREAK-IN ATTEMPT!
Wow. That doesn't tell much. You might try SSH in Verbose mode (ssh -v)
-
Here is the output.
-bash-4.2$ ssh -v cc-lnx-dev1 OpenSSH_6.4, OpenSSL 1.0.1e-fips 11 Feb 2013 debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 51: Applying options for * debug1: Connecting to cc-lnx-dev1 [168.235.145.186] port 22. debug1: Connection established. debug1: identity file /home/scott/.ssh/id_rsa type 1 debug1: identity file /home/scott/.ssh/id_rsa-cert type -1 debug1: identity file /home/scott/.ssh/id_dsa type -1 debug1: identity file /home/scott/.ssh/id_dsa-cert type -1 debug1: identity file /home/scott/.ssh/id_ecdsa type -1 debug1: identity file /home/scott/.ssh/id_ecdsa-cert type -1 debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_6.4 debug1: Remote protocol version 2.0, remote software version OpenSSH_6.4 debug1: match: OpenSSH_6.4 pat OpenSSH* debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: server->client aes128-ctr [email protected] none debug1: kex: client->server aes128-ctr [email protected] none debug1: sending SSH2_MSG_KEX_ECDH_INIT debug1: expecting SSH2_MSG_KEX_ECDH_REPLY debug1: Server host key: ECDSA 7a:56:bb:86:38:e6:e0:f7:ef:2b:7a:d3:68:f2:ad:48 debug1: Host 'cc-lnx-dev1' is known and matches the ECDSA host key. debug1: Found key in /home/scott/.ssh/known_hosts:2 debug1: ssh_ecdsa_verify: signature correct debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug1: SSH2_MSG_NEWKEYS received debug1: Roaming not allowed by server debug1: SSH2_MSG_SERVICE_REQUEST sent debug1: SSH2_MSG_SERVICE_ACCEPT received debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password debug1: Next authentication method: gssapi-keyex debug1: No valid Key exchange context debug1: Next authentication method: gssapi-with-mic debug1: Unspecified GSS failure. Minor code may provide more information No Kerberos credentials available debug1: Unspecified GSS failure. Minor code may provide more information No Kerberos credentials available debug1: Unspecified GSS failure. Minor code may provide more information debug1: Unspecified GSS failure. Minor code may provide more information No Kerberos credentials available debug1: Next authentication method: publickey debug1: Offering RSA public key: /home/scott/.ssh/id_rsa debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password debug1: Trying private key: /home/scott/.ssh/id_dsa debug1: Trying private key: /home/scott/.ssh/id_ecdsa debug1: Next authentication method: password
-
@scottalanmiller Turn off GSSAPIAuthentication ( GSSAPIAuthentication no) in the SSH Config (/etc/ssh/sshd_config) as that's for Kerberos.
Also try restorecon -R ~/.ssh to make sure the SELinux is setup for proper security context for the keys.
-
@thecreativeone91 said:
@scottalanmiller Turn off GSSAPIAuthentication ( GSSAPIAuthentication no) in the SSH Config (/etc/ssh/sshd_config) as that's for Kerberos.
Also try restorecon -R ~/.ssh to make sure the SELinux is setup for proper security context for the keys.
Awesome, that did it!
-
For reference, it was only the SELinux portion that was needed...
restorecon -R ~/.ssh
-
Unrelated question but how do you indent all your code lines four spaces manually or how do you do it automatically?
-
@thanksajdotcom said:
Unrelated question but how do you indent all your code lines four spaces manually or how do you do it automatically?
If it is one line, like that one there, I just hit the space bar four times. When it is a large code block, I copy into Notepad++, Ctrl-A, Tab, and copy into here.
-
@scottalanmiller said:
@thanksajdotcom said:
Unrelated question but how do you indent all your code lines four spaces manually or how do you do it automatically?
If it is one line, like that one there, I just hit the space bar four times. When it is a large code block, I copy into Notepad++, Ctrl-A, Tab, and copy into here.
...
I figured you must