Re: authentication problem

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 04/15/2010 11:49 AM, Rick Sewill wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 04/15/2010 11:51 AM, jack craig wrote:
>    
>> Hi Folks,
>>
>> I have an authentication issue with ssh that i'd like to ask for clues
>> on solving?
>>
>> i have created a local host key, id_rsa.pub.
>>
>> i have copied that to the remote host, .ssh/authorized_keys,
>> and checked the perms for both ~/.ssh&  .ssh/authorized_keys.
>>
>> yet i get the below, ...
>>
>>
>> ssh -v -l jackc sby1.extraview.com
>> OpenSSH_5.2p1, OpenSSL 0.9.8k-fips 25 Mar 2009
>>      
> ...
>    
>> publickey,gssapi-with-mic,password<---- !!!!!
>>      
> ...
>    
>> No credentials cache found
>>
>>      
> ...
>    
>> No credentials cache found
>>
>>      
> ...
>    
>> debug1: Next authentication method: publickey
>> debug1: Offering public key: /home/jackc/.ssh/id_rsa
>> debug1: Server accepts key: pkalg ssh-rsa blen 277
>> Agent admitted failure to sign using the key.
>> debug1: Next authentication method: password
>> jackc@xxxxxxxxxxxxxxxxxx's password:
>>
>> my naive reading of the above looks like it fulfilled
>> one authentication method, but then goes on to ask for another,
>> in this case, a password.
>>
>> my wag is that there is an /etc/pam.d config that is wrong,
>> but this isn't my strong suite and i don't want to guess/mess around.
>>
>> also, this phrase, ...
>>
>> debug1: Unspecified GSS failure.  Minor code may provide more information
>> No credentials cache found
>>
>>      
> I wouldn't worry about GSS failure.  You haven't set it up.
> - From URL:
> http://www.ssh.com/support/documentation/online/ssh/adminguide/53/userauth-gssapi.html
> it explains the idea behind GSS.  I tend to think of GSS as Kerberos.
>
>    
>> where do i find the minor code its referring to?
>>
>> any ssh guru's out there to provide  a clue?
>>
>>      
> Not sure.
>
> When it says, "Agent admitted failure to sign using the key.",
> is it referring to ssh-agent?
>
> There is a program, ssh-add, which talks to ssh-agent.
> I haven't used ssh-add or ssh-agent in a long time.
>
> Before I take us down this path which might be a wild good chase,
> I better ask are you using these?
>
> Whenever I have publickey authentication problems,
> it usually is file and directory permissions.
> You indicated you checked ~/.ssh and ~/.ssh/authorized_keys
>    
both the client & server have the 700 for .ssh and 600 for all .ssh/*

note also that i have the same access to different hosts in our domain.
my client is fc11, but the remote hosts are centos 4 & 5.

> As a test, could you make certain your $HOME directories,
> on both the local and remote machine, are not writable by anyone,
> but owner?
>
> Could you make sure ~/.ssh on both machines is only read/write
> by owner?
>
> Could you make sure the files in ~/.ssh, such as authorized_keys,
> config, id_rsa, known_hosts, are only read/write by owner?
>
> For me, anything in ~/.ssh should only be read/write by owner.
> Call me paranoid but only owner should have access to these files.
>
> The one kicker, I'm asking you to do, is make sure both
> $HOME directories are, at most, readable, by others, and not writable.
>
> If you want someone to put files in your $HOME directory area,
> can you set up $HOME/droparea and give them read/write access
> to $HOME/droparea?
>    

in this case i am just building a backup system for my client host to 
back up to he server.
i have accts on both so i got jackc@client writing to jackc@server

Thx for you time, suggestions beyond perms?

> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAkvHX68ACgkQyc8Kn0p/AZSq7gCfemQ7xhl7GwPnlC1Hcrj+XlI0
> dREAn16BFmZbHBeQ8ZvcX2Hp+iCVoBy3
> =l5hs
> -----END PGP SIGNATURE-----
>    


-- 
Jack Craig
Software Engineer
831.461.7100 x120
www.extraview.com

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora Magazine]     [Fedora News]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [SSH]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux