Ssh key doesn't match

black_fender · February 18, 2016, 6:42am

I'm loged on server A as user infa8. I want to login via ssh key on server B as user ussdsc.

destination server (B) is a redHat 6.2.
Permissions for ussdsc@B for home, ssh and authorized_keys:

[ussdsc@ussdpos:/home]$ ls -ltr | grep ussdsc
drwxr-xr-x. 29 ussdsc    mobifon     4096 Feb 18 11:43 ussdsc
[ussdsc@ussdpos:/home]$ getfacl ussdsc
# file: ussdsc
# owner: ussdsc
# group: mobifon
user::rwx
group::r-x
other::r-x

[ussdsc@B:/home]$ cd ussdsc
[ussdsc@B:~]$ ls -altr | grep ssh
-rw-------.  1 ussdsc grup      86 Feb  2 10:41 .lesshst
drwxr-xr-x.  2 ussdsc grup  4096 Feb 18 11:43 .ssh
[ussdsc@B:~]$
[ussdsc@B:~]$ getfacl .ssh
# file: .ssh
# owner: ussdsc
# group: grup
user::rwx
group::r-x
other::r-x

[ussdsc@B:~]$ cd .ssh
[ussdsc@B:~/.ssh]$ ls -altr auth*
-rw-r--r--. 1 ussdsc grup 395 Feb 18 11:43 authorized_keys
[ussdsc@B:~/.ssh]$ getfacl authorized_keys
# file: authorized_keys
# owner: ussdsc
# group: grup
user::rw-
group::r--
other::r--

ssh -vvv logs:

bash-4.3$ ssh -vvv ussdsc@ussdpos
OpenSSH_5.5p1+sftpfilecontrol-v1.3-hpn13v7, OpenSSL 0.9.8k 25 Mar 2009
HP-UX Secure Shell-A.05.50.015, HP-UX Secure Shell version
debug1: Reading configuration data /infa8/home/.ssh/config
debug1: Reading configuration data /opt/ssh/etc/ssh_config
debug3: RNG is ready, skipping seeding
debug2: ssh_connect: needpriv 0
debug1: Connecting to ussdpos [10.134.1.38] port 22.
debug1: Connection established.
debug1: identity file /infa8/home/.ssh/identity type -1
debug1: identity file /infa8/home/.ssh/identity-cert type -1
debug3: Not a RSA1 key file /infa8/home/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /infa8/home/.ssh/id_rsa type 1
debug1: identity file /infa8/home/.ssh/id_rsa-cert type -1
debug3: Not a RSA1 key file /infa8/home/.ssh/id_dsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /infa8/home/.ssh/id_dsa type 2
debug1: identity file /infa8/home/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Remote is NON-HPN aware
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.5p1+sftpfilecontrol-v1.3-hpn13v7
debug2: fd 3 setting O_NONBLOCK
debug3: RNG is ready, skipping seeding
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: AUTH STATE IS 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: REQUESTED ENC.NAME is 'aes128-ctr'
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: REQUESTED ENC.NAME is 'aes128-ctr'
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 112/256
debug2: bits set: 492/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: host ussdpos filename /infa8/home/.ssh/known_hosts
debug3: check_host_in_hostfile: host ussdpos filename /infa8/home/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 118
debug3: check_host_in_hostfile: host 10.134.1.38 filename /infa8/home/.ssh/known_hosts
debug3: check_host_in_hostfile: host 10.134.1.38 filename /infa8/home/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 117
debug1: Host 'ussdpos' is known and matches the RSA host key.
debug1: Found key in /infa8/home/.ssh/known_hosts:118
debug2: bits set: 536/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /infa8/home/.ssh/identity (0)
debug2: key: /infa8/home/.ssh/id_rsa (4003e6a0)
debug2: key: /infa8/home/.ssh/id_dsa (4003e6d0)
debug3: input_userauth_banner
The  access  to  this  system  is  restricted  and  is  granted  based  only
on individual  and  authorized  user  ID  and  password.  Any  access  to  the
system  using  an  ID  and  a  password  which  have  not  been  alocated  to
you  under  a  contract  or  by  law,  or  any  other  unauthorized  access on
this  system,  forcing  or  avoiding  access  restrictions  is  considered  a
crime  and  shall  be  prosecuted  according  to  the  Romanian  criminal law.

Continuing  the  access  procedure  is  considered  as  an  understanding  of
the  above  warning  and  of  the  consequences  of  not  respecting  it.

debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug1: Miscellaneous failure
No credentials cache found

debug1: Miscellaneous failure
No credentials cache found

debug1:


debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /infa8/home/.ssh/identity
debug3: no such identity: /infa8/home/.ssh/identity
debug1: Offering public key: /infa8/home/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Offering public key: /infa8/home/.ssh/id_dsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
ussdsc@B's password:

and logs from /var/log/secure (ssh log level: DEBUG):

Feb 18 11:35:36 B sshd[12391]: debug1: Forked child 12593.
Feb 18 11:35:36 B sshd[12593]: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
Feb 18 11:35:36 B sshd[12593]: debug1: inetd sockets after dupping: 3, 3
Feb 18 11:35:36 B sshd[12593]: Connection from <ip>  port 55604
Feb 18 11:35:36 B sshd[12593]: debug1: Client protocol version 2.0; client software version OpenSSH_5.5p1+sftpfilecontrol-v1.3-hpn13v7
Feb 18 11:35:36 B sshd[12593]: debug1: match: OpenSSH_5.5p1+sftpfilecontrol-v1.3-hpn13v7 pat OpenSSH*
Feb 18 11:35:36 B sshd[12593]: debug1: Enabling compatibility mode for protocol 2.0
Feb 18 11:35:36 B sshd[12593]: debug1: Local version string SSH-2.0-OpenSSH_5.3
Feb 18 11:35:36 B sshd[12595]: debug1: permanently_set_uid: 74/74
Feb 18 11:35:36 B sshd[12595]: debug1: list_hostkey_types: ssh-rsa,ssh-dss
Feb 18 11:35:36 B sshd[12595]: debug1: SSH2_MSG_KEXINIT sent
Feb 18 11:35:36 B sshd[12595]: debug1: SSH2_MSG_KEXINIT received
Feb 18 11:35:36 B sshd[12595]: debug1: kex: client->server aes128-ctr hmac-md5 none
Feb 18 11:35:36 B sshd[12595]: debug1: kex: server->client aes128-ctr hmac-md5 none
Feb 18 11:35:36 B sshd[12595]: debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
Feb 18 11:35:36 B sshd[12595]: debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
Feb 18 11:35:36 B sshd[12595]: debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
Feb 18 11:35:36 B sshd[12595]: debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
Feb 18 11:35:36 ussdpos sshd[12595]: debug1: SSH2_MSG_NEWKEYS sent
Feb 18 11:35:36 B sshd[12595]: debug1: expecting SSH2_MSG_NEWKEYS
Feb 18 11:35:36 B sshd[12595]: debug1: SSH2_MSG_NEWKEYS received
Feb 18 11:35:36 B sshd[12595]: debug1: KEX done
Feb 18 11:35:36 B sshd[12595]: debug1: userauth-request for user ussdsc service ssh-connection method none
Feb 18 11:35:36 B sshd[12595]: debug1: attempt 0 failures 0
Feb 18 11:35:36 B sshd[12593]: debug1: PAM: initializing for "ussdsc"
Feb 18 11:35:36 B sshd[12593]: debug1: PAM: setting PAM_RHOST to "serpens.connex.ro"
Feb 18 11:35:36 B sshd[12593]: debug1: PAM: setting PAM_TTY to "ssh"
Feb 18 11:35:36 B sshd[12595]: debug1: userauth_send_banner: sent
Feb 18 11:35:36 B sshd[12595]: debug1: userauth-request for user ussdsc service ssh-connection method publickey
Feb 18 11:35:36 B sshd[12595]: debug1: attempt 1 failures 0
Feb 18 11:35:36 B sshd[12595]: debug1: test whether pkalg/pkblob are acceptable
Feb 18 11:35:36 B sshd[12593]: debug1: temporarily_use_uid: 501/501 (e=0/0)
Feb 18 11:35:36 B sshd[12593]: debug1: trying public key file /home/ussdsc/.ssh/authorized_keys
Feb 18 11:35:36 B sshd[12593]: debug1: restore_uid: 0/0
Feb 18 11:35:36 B sshd[12593]: debug1: temporarily_use_uid: 501/501 (e=0/0)
Feb 18 11:35:36 B sshd[12593]: debug1: trying public key file /home/ussdsc/.ssh/authorized_keys
Feb 18 11:35:36 B sshd[12593]: debug1: restore_uid: 0/0
Feb 18 11:35:36 B sshd[12593]: Failed publickey for ussdsc from 10.230.169.55 port 55604 ssh2
Feb 18 11:35:36 B sshd[12595]: debug1: userauth-request for user ussdsc service ssh-connection method publickey
Feb 18 11:35:36 B sshd[12595]: debug1: attempt 2 failures 1
Feb 18 11:35:36 B sshd[12595]: debug1: test whether pkalg/pkblob are acceptable
Feb 18 11:35:36 B sshd[12593]: debug1: temporarily_use_uid: 501/501 (e=0/0)
Feb 18 11:35:36 B sshd[12593]: debug1: trying public key file /home/ussdsc/.ssh/authorized_keys
Feb 18 11:35:36 B sshd[12593]: debug1: restore_uid: 0/0
Feb 18 11:35:36 B sshd[12593]: debug1: temporarily_use_uid: 501/501 (e=0/0)
Feb 18 11:35:36 B sshd[12593]: debug1: trying public key file /home/ussdsc/.ssh/authorized_keys
Feb 18 11:35:36 B sshd[12593]: debug1: restore_uid: 0/0
Feb 18 11:35:36 B sshd[12593]: Failed publickey for ussdsc from <ip>  port 55604 ssh2
Feb 18 11:35:41 B sshd[12595]: debug1: userauth-request for user ussdsc service ssh-connection method password
Feb 18 11:35:41 B sshd[12595]: debug1: attempt 3 failures 2
Feb 18 11:35:41 B sshd[12593]: Failed none for ussdsc from 10.230.169.55 port 55604 ssh2
Feb 18 11:35:41 B sshd[12595]: Connection closed by <ip>
Feb 18 11:35:41 B sshd[12595]: debug1: do_cleanup
Feb 18 11:35:41 B sshd[12593]: debug1: do_cleanup
Feb 18 11:35:41 B sshd[12593]: debug1: PAM: cleanup

For comparison purposes, I will show the corresponding logs (ssh -vvv & /var/log/secure) for anothe SUCCESSFUL login with ssh key FROM the same user/server: infa8@A towards the same server, but as a different user: opc_op@B

ssh -vvv

bash-4.3$ ssh -vvv opc_op@B
OpenSSH_5.5p1+sftpfilecontrol-v1.3-hpn13v7, OpenSSL 0.9.8k 25 Mar 2009
HP-UX Secure Shell-A.05.50.015, HP-UX Secure Shell version
debug1: Reading configuration data /infa8/home/.ssh/config
debug1: Reading configuration data /opt/ssh/etc/ssh_config
debug3: RNG is ready, skipping seeding
debug2: ssh_connect: needpriv 0
debug1: Connecting to ussdpos [<ip>] port 22.
debug1: Connection established.
debug1: identity file /infa8/home/.ssh/identity type -1
debug1: identity file /infa8/home/.ssh/identity-cert type -1
debug3: Not a RSA1 key file /infa8/home/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /infa8/home/.ssh/id_rsa type 1
debug1: identity file /infa8/home/.ssh/id_rsa-cert type -1
debug3: Not a RSA1 key file /infa8/home/.ssh/id_dsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /infa8/home/.ssh/id_dsa type 2
debug1: identity file /infa8/home/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Remote is NON-HPN aware
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.5p1+sftpfilecontrol-v1.3-hpn13v7
debug2: fd 3 setting O_NONBLOCK
debug3: RNG is ready, skipping seeding
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: AUTH STATE IS 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: REQUESTED ENC.NAME is 'aes128-ctr'
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: REQUESTED ENC.NAME is 'aes128-ctr'
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 130/256
debug2: bits set: 522/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: host ussdpos filename /infa8/home/.ssh/known_hosts
debug3: check_host_in_hostfile: host ussdpos filename /infa8/home/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 118
debug3: check_host_in_hostfile: host <ip> filename /infa8/home/.ssh/known_hosts
debug3: check_host_in_hostfile: host <ip> filename /infa8/home/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 117
debug1: Host 'ussdpos' is known and matches the RSA host key.
debug1: Found key in /infa8/home/.ssh/known_hosts:118
debug2: bits set: 518/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /infa8/home/.ssh/identity (0)
debug2: key: /infa8/home/.ssh/id_rsa (4003e6a0)
debug2: key: /infa8/home/.ssh/id_dsa (4003e6d0)
debug3: input_userauth_banner
<message>

debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug1: Miscellaneous failure
No credentials cache found

debug1: Miscellaneous failure
No credentials cache found

debug1:


debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /infa8/home/.ssh/identity
debug3: no such identity: /infa8/home/.ssh/identity
debug1: Offering public key: /infa8/home/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug2: input_userauth_pk_ok: fp <fingerprint>
debug3: sign_and_send_pubkey
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).

and /var/log/messages:

Feb 18 11:36:33 B sshd[12391]: debug1: Forked child 12753.
Feb 18 11:36:33 B sshd[12753]: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
Feb 18 11:36:34 B sshd[12753]: debug1: inetd sockets after dupping: 3, 3
Feb 18 11:36:34 B sshd[12753]: Connection from <ip> port 61384
Feb 18 11:36:34 B sshd[12753]: debug1: Client protocol version 2.0; client software version OpenSSH_5.5p1+sftpfilecontrol-v1.3-hpn13v7
Feb 18 11:36:34 B sshd[12753]: debug1: match: OpenSSH_5.5p1+sftpfilecontrol-v1.3-hpn13v7 pat OpenSSH*
Feb 18 11:36:34 B sshd[12753]: debug1: Enabling compatibility mode for protocol 2.0
Feb 18 11:36:34 B sshd[12753]: debug1: Local version string SSH-2.0-OpenSSH_5.3
Feb 18 11:36:34 B sshd[12758]: debug1: permanently_set_uid: 74/74
Feb 18 11:36:34 B sshd[12758]: debug1: list_hostkey_types: ssh-rsa,ssh-dss
Feb 18 11:36:34 B sshd[12758]: debug1: SSH2_MSG_KEXINIT sent
Feb 18 11:36:34 B sshd[12758]: debug1: SSH2_MSG_KEXINIT received
Feb 18 11:36:34 B sshd[12758]: debug1: kex: client->server aes128-ctr hmac-md5 none
Feb 18 11:36:34 B sshd[12758]: debug1: kex: server->client aes128-ctr hmac-md5 none
Feb 18 11:36:34 B sshd[12758]: debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
Feb 18 11:36:34 B sshd[12758]: debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
Feb 18 11:36:34 B sshd[12758]: debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
Feb 18 11:36:34 B sshd[12758]: debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
Feb 18 11:36:34 B sshd[12758]: debug1: SSH2_MSG_NEWKEYS sent
Feb 18 11:36:34 B sshd[12758]: debug1: expecting SSH2_MSG_NEWKEYS
Feb 18 11:36:34 B sshd[12758]: debug1: SSH2_MSG_NEWKEYS received
Feb 18 11:36:34 B sshd[12758]: debug1: KEX done
Feb 18 11:36:34 B sshd[12758]: debug1: userauth-request for user opc_op service ssh-connection method none
Feb 18 11:36:34 B sshd[12758]: debug1: attempt 0 failures 0
Feb 18 11:36:34 B sshd[12753]: debug1: PAM: initializing for "opc_op"
Feb 18 11:36:34 B sshd[12753]: debug1: PAM: setting PAM_RHOST to "serpens.connex.ro"
Feb 18 11:36:34 B sshd[12753]: debug1: PAM: setting PAM_TTY to "ssh"
Feb 18 11:36:34 B sshd[12758]: debug1: userauth_send_banner: sent
Feb 18 11:36:34 B sshd[12758]: debug1: userauth-request for user opc_op service ssh-connection method publickey
Feb 18 11:36:34 B sshd[12758]: debug1: attempt 1 failures 0
Feb 18 11:36:34 B sshd[12758]: debug1: test whether pkalg/pkblob are acceptable
Feb 18 11:36:34 B sshd[12753]: debug1: temporarily_use_uid: 777/177 (e=0/0)
Feb 18 11:36:34 B sshd[12753]: debug1: trying public key file /home/opc_op/.ssh/authorized_keys
Feb 18 11:36:34 B sshd[12753]: debug1: fd 7 clearing O_NONBLOCK
Feb 18 11:36:34 B sshd[12753]: debug1: matching key found: file /home/opc_op/.ssh/authorized_keys, line 1
Feb 18 11:36:34 B sshd[12753]: Found matching RSA key: <key>
Feb 18 11:36:34 B sshd[12753]: debug1: restore_uid: 0/0
Feb 18 11:36:34 B sshd[12758]: Postponed publickey for opc_op from 10.230.169.55 port 61384 ssh2
Feb 18 11:36:34 B sshd[12758]: debug1: userauth-request for user opc_op service ssh-connection method publickey
Feb 18 11:36:34 B sshd[12758]: debug1: attempt 2 failures 0
Feb 18 11:36:34 B sshd[12753]: debug1: temporarily_use_uid: 777/177 (e=0/0)
Feb 18 11:36:34 B sshd[12753]: debug1: trying public key file /home/opc_op/.ssh/authorized_keys
Feb 18 11:36:34 B sshd[12753]: debug1: fd 7 clearing O_NONBLOCK
Feb 18 11:36:34 B sshd[12753]: debug1: matching key found: file /home/opc_op/.ssh/authorized_keys, line 1
Feb 18 11:36:34 B sshd[12753]: Found matching RSA key: <key>
Feb 18 11:36:34 B sshd[12753]: debug1: restore_uid: 0/0
Feb 18 11:36:34 B sshd[12753]: debug1: ssh_rsa_verify: signature correct
Feb 18 11:36:34 B sshd[12753]: debug1: do_pam_account: called
Feb 18 11:36:34 B sshd[12753]: Accepted publickey for opc_op from 10.230.169.55 port 61384 ssh2
Feb 18 11:36:34 B sshd[12753]: debug1: monitor_child_preauth: opc_op has been authenticated by privileged process
Feb 18 11:36:34 B sshd[12753]: debug1: temporarily_use_uid: 777/177 (e=0/0)
Feb 18 11:36:34 B sshd[12753]: debug1: ssh_gssapi_storecreds: Not a GSSAPI mechanism
Feb 18 11:36:34 B sshd[12753]: debug1: restore_uid: 0/0
Feb 18 11:36:34 B sshd[12753]: debug1: SELinux support enabled
Feb 18 11:36:34 B sshd[12753]: debug1: PAM: establishing credentials
Feb 18 11:36:34 B sshd[12753]: pam_unix(sshd:session): session opened for user opc_op by (uid=0)
Feb 18 11:36:34 B sshd[12753]: User child is on pid 12784
Feb 18 11:36:34 B sshd[12784]: debug1: PAM: establishing credentials
Feb 18 11:36:34 B sshd[12784]: debug1: permanently_set_uid: 777/177
Feb 18 11:36:34 B sshd[12784]: debug1: Entering interactive session for SSH2.
Feb 18 11:36:34 B sshd[12784]: debug1: server_init_dispatch_20
Feb 18 11:36:34 B sshd[12784]: debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 16384
Feb 18 11:36:34 B sshd[12784]: debug1: input_session_request
Feb 18 11:36:34 B sshd[12784]: debug1: channel 0: new [server-session]
Feb 18 11:36:34 B sshd[12784]: debug1: session_new: session 0
Feb 18 11:36:34 B sshd[12784]: debug1: session_open: channel 0
Feb 18 11:36:34 B sshd[12784]: debug1: session_open: session 0: link with channel 0
Feb 18 11:36:34 B sshd[12784]: debug1: server_input_channel_open: confirm session
Feb 18 11:36:34 B sshd[12784]: debug1: server_input_global_request: rtype no-more-sessions@openssh.com want_reply 0
Feb 18 11:36:34 B sshd[12784]: debug1: server_input_channel_req: channel 0 request pty-req reply 1
Feb 18 11:36:34 B sshd[12784]: debug1: session_by_channel: session 0 channel 0
Feb 18 11:36:34 B sshd[12784]: debug1: session_input_channel_req: session 0 req pty-req
Feb 18 11:36:34 B sshd[12784]: debug1: Allocating pty.
Feb 18 11:36:34 B sshd[12753]: debug1: session_new: session 0
Feb 18 11:36:34 B sshd[12784]: debug1: session_pty_req: session 0 alloc /dev/pts/2
Feb 18 11:36:34 B sshd[12784]: debug1: Ignoring unsupported tty mode opcode 11 (0xb)
Feb 18 11:36:34 B sshd[12784]: debug1: Ignoring unsupported tty mode opcode 16 (0x10)
Feb 18 11:36:34 B sshd[12784]: debug1: server_input_channel_req: channel 0 request shell reply 1
Feb 18 11:36:34 B sshd[12784]: debug1: session_by_channel: session 0 channel 0
Feb 18 11:36:34 B sshd[12784]: debug1: session_input_channel_req: session 0 req shell
Feb 18 11:36:34 B sshd[12785]: debug1: Setting controlling tty using TIOCSCTTY.

home, .ssh and authorized_keys have identical permissions for both users. authorized_keys have the same content:

[ussdsc@ussdpos:~/.ssh]$ ls -ltr /home/opc_op/.ssh/authorized_keys
-rw-r--r--. 1 opc_op opc_grup395 Feb 18 10:20 /home/opc_op/.ssh/authorized_keys
[ussdsc@B:~/.ssh]$
[ussdsc@B:~/.ssh]$ ls -ltr /home/ussdsc/.ssh/authorized_keys
-rw-r--r--. 1 ussdsc grup 395 Feb 18 11:43 /home/ussdsc/.ssh/authorized_keys
[ussdsc@B:~/.ssh]$
[ussdsc@B:~/.ssh]$ diff /home/opc_op/.ssh/authorized_keys /home/ussdsc/.ssh/authorized_keys

any idea why I cannot connect with ssh key as ussdsc@B ?
It seems that the key simply doesn;t match with ussdc's authorized_keys but the same key matches to opc_op's authorized_keys (which has the same content/permissions etc..)

jim_mcnamara · February 18, 2016, 7:13am

Your public key (the external account connecting to the ussdsc user) has to exist in the remote authorized_keys file. Can you find it there? Since obviously you can login over there and look at things in that remote directory.

black_fender · February 18, 2016, 7:23am

hi Jim,

yes, the public key infa8@A /infa8/home/.ssh/id_rsa.pub exists in both /home/opc_op/.ssh/authorized_keys and /home/ussdsc/.ssh/authorized_keys as I pointed earlier I can login as user opc_op@B but not as ussdsc@B (starting from the same point infa8@A)

As a side note: I do have direct root access on both servers, I just to solve this issue for the users.

disedorgue · February 18, 2016, 8:28am

Hi,
your policies of ".ssh" directory of user ussdsc in server B is rwxr-xr-x.
Can you change these with rwx------ and retry ?

Regards.

black_fender · February 18, 2016, 8:30am

hi disedorgue,

yes, tried that too with the same result.

disedorgue · February 18, 2016, 8:47am

Ok,
Why group of /home/ussdsc is "mobifon" and group of ".ssh" and "authorized_keys" is "grup" and not "mobifon" ?

black_fender · February 18, 2016, 8:56am

I edited mobifon to 'grup' but missed some instances
there are the same user:group ownerships for homedir, .ssh and auth_keys file.

black_fender · June 13, 2016, 5:44am

I deactivated SELINUX and everything worked fine.

gexacor · July 6, 2016, 5:14am

Did you tried a new generated SSH keys? Maybe it have wrong format?