Client: OS Ubuntu, git-version 2.7.4.
Server: OS Centos , git-version 2.7.4.
I have a private ssh key in my client and public key in server.
I can use shell to enter my server(no password).
But can't push origin master !
sudo ssh -i /path/to/key/ -vT git#xxx.xx.xxx.xxx
OpenSSH_7.2p2 Ubuntu-4ubuntu2.2, OpenSSL 1.0.2g 1 Mar 2016 debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to xxx.xx.xxx.xxx [xxx.xx.xxx.xxx] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /home/whj/.ssh/whjwebsite type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/whj/.ssh/whjwebsite-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1 debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x04000000
debug1: Authenticating to xxx.xx.xxx.xxx:22 as 'git'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256#libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305#openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305#openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:aC1Ydp+6x8IP+TV5jEl7WwqW6sEycbznbfL09qON/OA
debug1: Host 'xxx.xx.xxx.xxx' is known and matches the ECDSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information No Kerberos credentials available
debug1: Unspecified GSS failure. Minor code may provide more information No Kerberos credentials available
debug1: Unspecified GSS failure. Minor code may provide more information debug1: Unspecified GSS failure. Minor code may provide more information No Kerberos credentials available
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/whj/.ssh/whjwebsite
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-debug1: No more authentication methods to try. Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
'whjwebsite 'is my private key.
drwx------ .ssh/
-rw------- whjwebsite
server:sshd_config:
```
RSAAuthentication yes
PubkeyAuthentication yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
UseDNS no
AddressFamily inet
PermitRootLogin yes
SyslogFacility AUTHPRIV
PasswordAuthentication no
ChallengeResponseAuthentication no
client:ssh_config
enter image description here
My 2 cents: on server side, disable GSSAPIAuthentication (i.e. SSO backed by Kerberos) unless you are using Active Directory authentication on Linux (with either Centrify or SSSD) inside a corporate firewall.
If you are indeed in a SSO scenario, but Single Sign-On does not work out of the box for some reason, then use client-side options to bypass Kerberos e.g.
ssh -o GSSAPIAuthentication=no -o GSSAPIKeyExchange=no
Related
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug1: Connecting to ec2-18-216-48-255.us-east-2.compute.amazonaws.com [10.0.15.9] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file Rifter-Test-Server.pem type -1
debug1: key_load_public: No such file or directory
debug1: identity file Rifter-Test-Server.pem-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: match: OpenSSH_7.4 pat OpenSSH* compat 0x04000000
debug1: Authenticating to ec2-18-216-48-255.us-east-2.compute.amazonaws.com:22 as 'ec2-user'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305#openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305#openssh.com MAC: <implicit> compression: none
debug1: kex: curve25519-sha256 need=64 dh_need=64
debug1: kex: curve25519-sha256 need=64 dh_need=64
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:KCe1X9MVFUImH5H9q8EkV2VLJ3bSehsJbSLnlWiMM+o
debug1: Host 'ec2-18-216-48-255.us-east-2.compute.amazonaws.com' is known and matches the ECDSA host key.
debug1: Found key in /home/gitlab-runner/.ssh/known_hosts:29
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available (default cache: KEYRING:persistent:994)
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available (default cache: KEYRING:persistent:994)
debug1: Next authentication method: publickey
debug1: Trying private key: Rifter-Test-Server.pem
debug1: read_passphrase: can't open /dev/tty: No such device or address
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
while my gitlab yaml config's are as follows
deploy:
stage: deploy
before_script:
mkdir -p ~/.ssh
chmod 700 ~/.ssh
echo -e “$SSH_PRIVATE_KEY” > ~/.ssh/id_rsa
ssh-keyscan $EC2_IPADDRESS >> ~/.ssh/known_hosts
chmod 700 ~/.ssh/*
tags:
node
script:
- ssh -Tv -i "~/.ssh/id_rsa" ec2-user#ec2-18-216-48-255.us-east-2.compute.amazonaws.com "ll; whoami"
Tried several options for login from gitlab CI/CD to aws-ec2-linux but unable till yet if anyone can see the SSH logs and help me resolving this issue.
I made git server on digital ocean and work fine but I want to change authorization from password to SSH key.
Now it's working nice for SSH/SFTP with this server and also with my pi. But git don't want to cooperate.
I have:
/home/git/.ssh on permission 700
/home/git/.ssh/authorized_keys on 644
Shell for git: /usr/bin/git-shell
And on local machine set .ssh/config to load private key from encrypted pendrive
isaac#Isaac-Debian:~$ ssh -vT server
OpenSSH_7.4p1 Debian-10+deb9u3, OpenSSL 1.0.2l 25 May 2017
debug1: Reading configuration data /home/isaac/.ssh/config
debug1: /home/isaac/.ssh/config line 1: Applying options for git-server1.iofist.de
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to serwer ******** port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /home/isaac/secret/server1git type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/isaac/secret/server1git-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u3
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4p1 Debian-10+deb9u2
debug1: match: OpenSSH_7.4p1 Debian-10+deb9u2 pat OpenSSH* compat 0x04000000
debug1: Authenticating to server:22 as 'git'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305#openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305#openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:LyaAW9P8EIqkyuf/lEuEIKWTTeu2/3XbOyxx8TmPXa8
debug1: Host 'server1.iofist.de' is known and matches the ECDSA host key.
debug1: Found key in /home/isaac/.ssh/known_hosts:3
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/isaac/secret/server1git
Enter passphrase for key '/home/isaac/secret/server1git':
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).
debug1: Trying private key: /home/isaac/secret/server1git
Enter passphrase for key '/home/isaac/secret/server1git':
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).
At first it still wants you to have public key, so you must create it too. Second make sure you run ssh as a root. It will resolve the conflicts with Permission denied (publickey).
I am setting up ssh with public key access, I think I have correctly configured sshd_config and generate id_rsa.pub and authorized_keys.
ssh-kengen -t rsa
cd .ssh
cat id_rsa.pub >> authorized_keys
I also set the permission for these files
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
When I try sudo ssh localhost, it works and no password is asked, but logged in as root.
But when I try ssh localhost, It is still asking for password.
logs generated during this are :-
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/cwei/.ssh/identity type -1
debug1: identity file /home/cwei/.ssh/identity-cert type -1
debug1: identity file /home/cwei/.ssh/id_rsa type 1
debug1: identity file /home/cwei/.ssh/id_rsa-cert type -1
debug1: identity file /home/cwei/.ssh/id_dsa type -1
debug1: identity file /home/cwei/.ssh/id_dsa-cert type -1
debug1: identity file /home/cwei/.ssh/id_ecdsa type -1
debug1: identity file /home/cwei/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'localhost' is known and matches the RSA host key.
debug1: Found key in /home/cwei/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-
with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_604' not found
debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_604' not found
debug1: Unspecified GSS failure. Minor code may provide more information
debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_604' not found
debug1: Next authentication method: publickey
debug1: Trying private key: /home/cwei/.ssh/identity
debug1: Offering public key: /home/cwei/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /home/cwei/.ssh/id_dsa
debug1: Trying private key: /home/cwei/.ssh/id_ecdsa
debug1: Next authentication method: password
cwei#localhost's password:
Ssh public key access is user based. The configuration may be done for the root user. It needs to be done for the local user by configuring local users local .ssh directory.
I have two servers identified as server-1 - 192.168.3.128 and server-2 - 192.168.3.130. I am setting up capifony for automatic deployment from server-1 to server-2 and this is what I have done so far:
In both servers I have created a user deploy without password since that's the user I will use for deployment.
In server-1 I setup a SSH keys by running the command: ssh-keygen and I leave without pass-phrase and default directories.
I have copied the content of /home/deploy/.ssh/id_rsa.pub at server-1 into server-2 at /home/deploy/.ssh/authorized_keys.
From server-1 I try to reach server-2 by running ssh deploy#192.168.3.130 and it's asking for a password (below is the output)
$ ssh deploy#192.168.3.130
The authenticity of host '192.168.3.130 (192.168.3.130)' can't be established.
RSA key fingerprint is 3c:81:da:7a:78:0f:b0:2f:44:3b:62:fb:c9:6f:33:86.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.3.130' (RSA) to the list of known hosts.
deploy#192.168.3.130's password:
This is the -v output of the command above:
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 192.168.3.130 [192.168.3.130] port 22.
debug1: Connection established.
debug1: identity file /home/deploy/.ssh/identity type -1
debug1: identity file /home/deploy/.ssh/identity-cert type -1
debug1: identity file /home/deploy/.ssh/id_rsa type 1
debug1: identity file /home/deploy/.ssh/id_rsa-cert type -1
debug1: identity file /home/deploy/.ssh/id_dsa type -1
debug1: identity file /home/deploy/.ssh/id_dsa-cert type -1
debug1: identity file /home/deploy/.ssh/id_ecdsa type -1
debug1: identity file /home/deploy/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '192.168.3.130' is known and matches the RSA host key.
debug1: Found key in /home/deploy/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
Cannot determine realm for numeric host address
debug1: Unspecified GSS failure. Minor code may provide more information
Cannot determine realm for numeric host address
debug1: Unspecified GSS failure. Minor code may provide more information
debug1: Unspecified GSS failure. Minor code may provide more information
Cannot determine realm for numeric host address
debug1: Next authentication method: publickey
debug1: Trying private key: /home/deploy/.ssh/identity
debug1: Offering public key: /home/deploy/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /home/deploy/.ssh/id_dsa
debug1: Trying private key: /home/deploy/.ssh/id_ecdsa
debug1: Next authentication method: password
deploy#192.168.3.130's password:
Why? What I am doing wrong?
In addition to running the client in verbose mode, start a new server instance in debug mode on another port:
server-2 as root:
# /usr/sbin/sshd -p 9999 -d
Then connect in verbose mode to that server on the same port:
server-1 as deploy
$ ssh -vvv -p 9999 server-2
9/10 it has to do with permissions.
I'm trying to start a vertica cluster on 3 ec2 instances(node1, node2, node3) which requires root login via ssh between the instances.
On node1, the main node...as a root user, I generated keys using ssh-keygen
On node2 and node3, I edited the /etc/ssh/sshd_config file with this:
RSAAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no`
then added the id_rsa.pub key to node2 and node3 in both /root/.ssh/authorized_keys and /home/ec2-user/.ssh/authorized_keys
then did a
service sshd restart
I try to login like ssh root#node2 from node1...but I keep get this error:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
EDIT:
also changed permitrootlogin to this:
PermitRootLogin without-password
did a -v on ssh and here is what I see
[root#ip-10-205-119-236 .ssh]# ssh -v root#10.205.117.61
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 10.205.117.61 [10.205.117.61] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/identity-cert type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug1: kex: client->server aes128-ctr hmac-sha1 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<2048<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '10.205.117.61' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_0' not found
debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_0' not found
debug1: Unspecified GSS failure. Minor code may provide more information
debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_0' not found
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_rsa
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
I see its trying to use id_dsa...but I don't have that file...i have a file called node1 which is what I named my file...
SSH requires quite precise access rights on these files because if it would be different, it is security issue. You need your ~/.ssh to have accessible only by you and your authorized_keys can't be writeable by other:
chmod 700 ~/.ssh
chmod 644 ~/.ssh/authorized_keys
should fix it.