I have a DNSSEC zone and want to publish SSH keys in it, using SSHFP.
So, on the host which holds the keys, I run:
ssh-keygen -r localhost
which gives me these results:
localhost IN SSHFP 1 1 223458a4e3f4cae23a2365a127a9fc5dbfc4df0b
localhost IN SSHFP 1 2 cf04e11c129c465e90afc3fc68b0a9c6f256e7c3dc2f0ef0d61557f5848cc2bb
Then I placed it in my DNSSEC zone (with the correct hostname, obviously), re-signed the zone and checked with a dig query. Everything is fine.
And then an ssh connection says something is wrong:
stephane@luciole:~$ ssh -v -o VerifyHostKeyDNS=yes host
OpenSSH_6.6.1, OpenSSL 1.0.1i 6 Aug 2014
debug1: Reading configuration data /home/stephane/.ssh/config
debug1: /home/stephane/.ssh/config line 1: Applying options for host
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to host [2001:16d8:d0:205::5]
debug1: Connection established.
debug1: identity file /home/stephane/.ssh/id_rsa type 1
debug1: identity file /home/stephane/.ssh/id_rsa-cert type -1
debug1: identity file /home/stephane/.ssh/id_dsa type -1
debug1: identity file /home/stephane/.ssh/id_dsa-cert type -1
debug1: identity file /home/stephane/.ssh/id_ecdsa type -1
debug1: identity file /home/stephane/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/stephane/.ssh/id_ed25519 type -1
debug1: identity file /home/stephane/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Debian-7
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6
debug1: match: OpenSSH_6.6 pat OpenSSH_6.5*,OpenSSH_6.6* compat 0x14000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.com none
debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 4d:57:c1:77:2d:cf:6b:46:d4:83:24:3c:b7:d4:0d:67
debug1: found 4 insecure fingerprints in DNS
debug1: mismatching host key fingerprint found in DNS
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
4d:57:c1:77:2d:cf:6b:46:d4:83:24:3c:b7:d4:0d:67.
Please contact your system administrator.
Update the SSHFP RR in DNS with the new host key to get rid of this message.
debug1: checking without port identifier
The authenticity of host '[host] ([2001:16d8:d0:205::5])' can't be established.
ECDSA key fingerprint is 4d:57:c1:77:2d:cf:6b:46:d4:83:24:3c:b7:d4:0d:67.
No matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no)?
So why am I getting this?
I am now working in a safe environment, a local network with direct access to the server. There's no MITM possible.
When creating the DNS SSHFP records, I didn't notice I had only four SSHFP RRs whereas I have three SSH keys (two SSHFP per key).
So I went back and generated the SSHFP records one by one in the ssh directory, and compared them with what I had in DNS. It appeared I didn't have the ECDSA key.
So I specifically generated the SSHFP with this key, registered it in the zone, and signed it. After that, when I tried an ssh connection with VerifyHostKeyDNS and verbose output, ssh said it had found the correct SSH fingerprints!
cd /etc/ssh
ls
ssh_config
ssh_dsa_key
ssh_dsa_key.pub
...
ssh-keygen -r host -f ssh_host_ecdsa_key
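As an added example (not code from the question or the answer above): a Python reimplementation of what ssh-keygen -r computes, the two SSHFP records (SHA-1 and SHA-256 of the raw key blob), plus a check of a presented host key against a set of published records that reports separately the situation the asker hit, where records exist in the zone but none of them is for the algorithm the server actually offered. The key material below is constructed from arbitrary bytes and is not a real key; the owner name host.example. is an assumption.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479) and fingerprint types
SSHFP_ALGO = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def parse_pubkey_line(line):
    """Parse an OpenSSH public key line ('<type> <base64 blob> [comment]').
    The blob's own leading type string must agree with the declared type."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, blob = parts[0], base64.b64decode(parts[1])
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode():
        raise ValueError("declared key type does not match blob")
    if key_type not in SSHFP_ALGO:
        raise ValueError(f"no SSHFP algorithm number for {key_type}")
    return key_type, blob


def sshfp_records(owner, pubkey_line):
    """The two SSHFP RRs (SHA-1 then SHA-256) that ssh-keygen -r prints:
    the fingerprint is the hash of the raw key blob, not of the base64 text."""
    key_type, blob = parse_pubkey_line(pubkey_line)
    algo = SSHFP_ALGO[key_type]
    return [f"{owner} IN SSHFP {algo} {fptype} {h(blob).hexdigest()}"
            for fptype, h in sorted(SSHFP_HASH.items())]


def parse_sshfp_rr(rr):
    """'host IN SSHFP 4 2 <hex>' -> (4, 2, '<hex>')"""
    fields = rr.split()
    i = fields.index("SSHFP")
    return int(fields[i + 1]), int(fields[i + 2]), fields[i + 3].lower()


def verify_host_key(pubkey_line, published_rrs):
    """What the client does under VerifyHostKeyDNS, with the reason spelled
    out: 'match', 'mismatch' (RRs for this algorithm exist but none equals
    the presented key) or 'no-record' (no RR for this algorithm at all,
    the asker's case: RRs had been published for the other host keys only)."""
    key_type, blob = parse_pubkey_line(pubkey_line)
    algo = SSHFP_ALGO[key_type]
    candidates = [r for r in map(parse_sshfp_rr, published_rrs) if r[0] == algo]
    if not candidates:
        return "no-record"
    for _, fptype, fp in candidates:
        if fptype in SSHFP_HASH and SSHFP_HASH[fptype](blob).hexdigest() == fp:
            return "match"
    return "mismatch"


def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def make_pubkey_line(key_type, *fields):
    """Assemble a public key line from wire-format fields. Used here only to
    build constructed, non-functional keys so the example runs offline."""
    blob = _ssh_string(key_type.encode()) + b"".join(map(_ssh_string, fields))
    return f"{key_type} {base64.b64encode(blob).decode()} constructed"


# Constructed keys: arbitrary bytes in the key fields, not real keys
RSA_KEY = make_pubkey_line("ssh-rsa", b"\x01\x00\x01", b"\x00" + bytes(range(1, 65)))
DSA_KEY = make_pubkey_line("ssh-dss", b"\x07", b"\x05", b"\x03", b"\x02")
ECDSA_KEY = make_pubkey_line("ecdsa-sha2-nistp256", b"nistp256", b"\x04" + bytes(range(64)))

if __name__ == "__main__":
    # The zone as the asker first published it: four RRs, RSA and DSA only
    zone = sshfp_records("host.example.", RSA_KEY) + sshfp_records("host.example.", DSA_KEY)
    print("\n".join(zone))
    print("RSA key:", verify_host_key(RSA_KEY, zone))      # match
    print("ECDSA key:", verify_host_key(ECDSA_KEY, zone))  # no-record
    zone += sshfp_records("host.example.", ECDSA_KEY)       # the fix from the answer
    print("ECDSA key after fix:", verify_host_key(ECDSA_KEY, zone))  # match
```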
Related
I am trying to ssh to the remote client using a public key but I keep getting the permission denied (publickey) error and can't solve it. I have tried all the other solutions online, but it still won't work. I have replaced some information with * and ip_add. How do I resolve this issue?
PS C:\WINDOWS\system32> ssh -v -i C:/Users/*/.ssh/id_rsa administrator@ip_add
OpenSSH_for_Windows_7.6p1, LibreSSL 2.6.4
debug1: Connecting to ip_add [ip_add] port 22.
debug1: Connection established.
debug1: identity file C:/Users/*/.ssh/id_rsa type 0
debug1: key_load_public: No such file or directory
debug1: identity file C:/Users/*/.ssh/id_rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_7.6
debug1: Remote protocol version 2.0, remote software version OpenSSH_for_Windows_8.1
debug1: match: OpenSSH_for_Windows_8.1 pat OpenSSH* compat 0x04000000
debug1: Authenticating to ip_add:22 as 'administrator'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:qjxnj9GZZ6kvey+qvHsEoJYnLTz4N82DtnmFMjRlrq8
debug1: Host '192.168.1.135' is known and matches the ECDSA host key.
debug1: Found key in C:\\Users\\*/.ssh/known_hosts:2
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: pubkey_prepare: ssh_get_authentication_socket: No such file or directory
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:+ymSxB9gd+AJe9wYj0WgW70Qk+x4fWxEQhk1JCQyKWE C:/Users/*/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
administrator@ip_add: Permission denied (publickey).
A file or directory with a name that starts with '.' in Unix/Linux is hidden, but in Windows it is not. .ssh is a regular file or directory name. It may be hidden, but then you have to set the hidden attribute, for instance with the command attrib +h .ssh.
Also, there is no need to specify -i identityfilename as it defaults to C:\users\<user>\.ssh\known_hosts.
The log you show also confirms the host "ip_add" is found in that file. I would say the keys don't match. The easiest way to solve it is to remove the line with the host name or IP address "ip_add" (with Notepad or any text editor) and just repeat ssh -v administrator@ip_add.
Provided the host with that name or address exists, this will prompt you:
The authenticity of host 'ip_add (192.168.1.135)' can't be established.
ECDSA key fingerprint is SHA256:JxuqbzMam5Mgpa52B+xUsSd/3F6kb+yghZKnDX6ipQU.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
and when you respond with yes the host will be added to the known_hosts file again, this time with a correct fingerprint. And the connection should be established.
This is a late answer, but I had the same issue.
Windows can't see hidden things.
First thing (but it has nothing to do with the problem): avoid PowerShell (it is too powerful); use a simple CMD or, best, use Git Bash (https://gitforwindows.org/).
Second, your syntax is almost OK, but you placed the keys in a hidden folder,
C:\Users\yourname\.ssh\id_rsa, and you should place them in a folder that is not hidden, like C:\Users\yourname\ssh\id_rsa, and then you can access them like this:
C:\WINDOWS\system32> cd C:\Users\yourname\
C:\Users\yourname/> ssh <user>@<ssh_server> -p 22 -i ~/ssl/id_rsa
How do you know?
debug1: No more authentication methods to try.
means definitively that you do not have the same keys on your host and on the remote, or there is a key here and no key there (or a combination of these); it has checked them all and says that "there are NO MORE keys to try".
You must place the same keys in both places in a way the system can read them. Pay attention to these 2 lines:
debug1: identity file C:/Users/*/.ssh/id_rsa type 0
debug1: key_load_public: No such file or directory
It was not able to read the key in the local hidden folder. So, by moving it to a non-hidden folder, it will work.
I recently encountered a similar problem on Windows 10 and found the root cause (sort of) and the solution.
My tool chain involved was:
Visual Studio 2019 with git using ssh protocol and a key pair
Sourcetree also using git
A private bitbucket server.
My scenario was this: I installed Visual Studio 2019 with git using ssh protocol with my key pairs and was using it successfully, and then I installed Sourcetree (to get hunk commits instead of whole file commits) and Sourcetree worked but Visual Studio no longer could use git sync/commits.
The key to solving the problem was adding this environment variable: GIT_SSH_COMMAND=ssh -vvv
After restarting Visual Studio I could then get verbose information about the ssh failure using git.
The important debug output was this:
debug1: send_pubkey_test: no mutual signature algorithm
This is when I realized that something was incompatible between my key pair and bitbucket server ssh algorithm. I did not diagnose the exact problem (which I believe is due to obsolete RSA keys) but instead I simply created a new key pair using:
ssh-keygen -t ed25519
then uploaded it to the Bitbucket server, and "Bob's your uncle".
12 hours to find, 2 minutes to fix.
I got this same error and searched around for quite a while, changed the permission on my private key, created a new non-admin user to connect with, tried a few other things. Followed these links (among others):
https://geekrewind.com/how-to-set-up-ssh-key-login-with-windows-11/
https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_keymanagement
For me, the issue was I had created my keypair using puttygen and OpenSSH on Windows didn't like the format of my PUBLIC key (I had already exported the private key to .pem format).
In my authorized_keys file, the original format was:
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "xxxx"
xxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxx
---- END SSH2 PUBLIC KEY ----
changed it to:
ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
all on one line, no line breaks, no comment, and everything worked fine.
I know this is an old thread, but hopefully this helps someone.
"Nothing has changed since Friday." But see below. This morning(!), Bitbucket.org rejects my ssh attempt with:
Connection blocked because server only allows public key authentication.
Please contact your network administrator.
I followed another suggestion here and tried ssh -Tv git@bitbucket.org (this being the user id shown by git remote -v) and in the output saw this oddity:
Edit: Here is the complete output:
$ ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-F8PhcLGt2yVB/agent.11836; export SSH_AUTH_SOCK;
SSH_AGENT_PID=11837; export SSH_AGENT_PID;
echo Agent pid 11837;
$ ssh -Tv git@bitbucket.org
OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n 7 Dec 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to bitbucket.org [18.205.93.0] port 22.
debug1: Connection established.
debug1: identity file /home/mike/.ssh/id_rsa type 0
debug1: key_load_public: No such file or directory
debug1: identity file /home/mike/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/mike/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/mike/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/mike/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/mike/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/mike/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/mike/.ssh/id_ed25519-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
debug1: Remote protocol version 2.0, remote software version conker_31073e5a11 app-191
debug1: no match: conker_31073e5a11 app-191
debug1: Authenticating to bitbucket.org:22 as 'git'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-rsa SHA256:6tASx4IX+FSngemFsQuAIyt0aQ/+fMAyzXBRWRajoBM
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
SHA256:6tASx4IX+FSngemFsQuAIyt0aQ/+fMAyzXBRWRajoBM.
Please contact your system administrator.
Add correct host key in /home/mike/.ssh/known_hosts to get rid of this message.
Offending RSA key in /home/mike/.ssh/known_hosts:2
remove with:
ssh-keygen -f "/home/mike/.ssh/known_hosts" -R "bitbucket.org"
RSA host key for bitbucket.org has changed and you have requested strict checking.
Host key verification failed.
However: the .ssh directory does exist, its permissions are -r--------, the id_rsa (and id_rsa.pub) files both exist, and their permissions likewise are correct. ssh-agent was restarted.
ls -ld /home/mike/.ssh/id_rsa
-r-------- 1 mike mike 1679 Oct 24 10:41 /home/mike/.ssh/id_rsa
(notice the date ... many months ago ... correct)
cat /home/mike/.ssh/id_rsa
(the correct private key is displayed ...) (ditto public-key)
Again: "nothing has changed since Friday." I think I've thought of everything! So, what the heck could still be wrong? And why did this suddenly start happening, both to me and to colleagues, today? (Nothing in /etc/ssh has changed in many months. Likewise the certificates in ~/.ssh, which as previously noted does have correct permissions.)
Another Edit: Here's what happens when I remove the known_hosts entry:
$ ssh-keygen -f "/home/mike/.ssh/known_hosts" -R "bitbucket.org"
# Host bitbucket.org found: line 2
/home/mike/.ssh/known_hosts updated.
Original contents retained as /home/mike/.ssh/known_hosts.old
$ ssh -Tv git@bitbucket.org
OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n 7 Dec 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to bitbucket.org [18.205.93.1] port 22.
debug1: Connection established.
debug1: identity file /home/mike/.ssh/id_rsa type 0
debug1: key_load_public: No such file or directory
debug1: identity file /home/mike/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/mike/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/mike/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/mike/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/mike/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/mike/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/mike/.ssh/id_ed25519-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
debug1: Remote protocol version 2.0, remote software version conker_31073e5a11 app-155
debug1: no match: conker_31073e5a11 app-155
debug1: Authenticating to bitbucket.org:22 as 'git'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-rsa SHA256:6tASx4IX+FSngemFsQuAIyt0aQ/+fMAyzXBRWRajoBM
The authenticity of host 'bitbucket.org (18.205.93.1)' can't be established.
RSA key fingerprint is SHA256:6tASx4IX+FSngemFsQuAIyt0aQ/+fMAyzXBRWRajoBM.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'bitbucket.org' (RSA) to the list of known hosts.
Warning: the RSA host key for 'bitbucket.org' differs from the key for the IP address '18.205.93.1'
Offending key for IP in /home/mike/.ssh/known_hosts:3
Are you sure you want to continue connecting (yes/no)? yes
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_SERVICE_ACCEPT received
Received disconnect from 18.205.93.1 port 22:2: Connection blocked because server only allows public key authentication. Please contact your network administrator.
Disconnected from 18.205.93.1 port 22
What I immediately zero in on is a message that I have not previously encountered when working with ssh:
Warning: the RSA host key for 'bitbucket.org' differs from the key for the IP address '18.205.93.1'
... this must be significant ...
I think that this situation has been explained, therefore [SOLVED], based on information which I found by pursuing this page here on SO:
Connection blocked because server only allows public key authentication
... where a cryptic comment by "ALuViAn" led me to this page:
https://superuser.com/questions/1466177/connection-blocked-because-server-only-allows-public-key-authentication-putty-f
... whose "Answer #1" does appear to relate directly to this issue.
That Answer referred to these two external pages:
https://community.atlassian.com/t5/Bitbucket-questions/Cannot-use-public-key-with-bitbucket-cloud/qaq-p/934114
and:
https://www.reddit.com/r/aws/comments/a4xzrs/key_based_auth_broken_for_all_instances_even_new/
The conclusion appears to be that "there's a man in the middle" (within the company's network security infrastructure). Overly-enthusiastic network defense software. This also seems to be confirmed by the fact that (a) offices in other cities don't experience the problem, and (b) I don't experience it either if I turn on the VPN Client, thus sending all the traffic through a VPN tunnel that emerges "somewhere else."
Hope this helps someone ...
My goal is to copy files programmatically from a remote server to a local computer. Both are running Windows, with Cygwin (server) and Cygwin 64 (computer).
Before I created RSA or DSA keys, I could copy files by entering a password.
But after creating these files, I get a "connection closed by remote host. lost connection" error.
I set the following rights: chmod 600 .ssh/id_rsa (on the local computer) and chmod 600 .ssh/authorized_keys2. What is the problem? Who can answer me?
$ ssh login@hiddenhost
Connection to hiddenhost closed by remote host.
Connection to hiddenhost closed.
PC003370+procserver@ATMPROCSERVER ~
$ ssh -v login@hiddenhost
OpenSSH_7.2p2, OpenSSL 1.0.2g 1 Mar 2016
debug1: Reading configuration data /etc/ssh_config
debug1: Connecting to hiddenhost [hiddenhost] port 22.
debug1: Connection established.
debug1: identity file /home/procserver/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/procserver/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/procserver/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/procserver/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/procserver/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/procserver/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/procserver/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/procserver/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.1
debug1: match: OpenSSH_7.1 pat OpenSSH* compat 0x04000000
debug1: Authenticating to hiddenhost:22 as 'login'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:TS6tXfpxXyW/KeIWFnvxCsmEhHy88NyoBA3DdOHzjFw
debug1: Host 'hiddenhost' is known and matches the ECDSA host key.
debug1: Found key in /home/procserver/.ssh/known_hosts:1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/procserver/.ssh/id_rsa
debug1: Authentication succeeded (publickey).
Authenticated to hiddenhost ([hiddenhost]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: channel 0: free: client-session, nchannels 1
Connection to hiddenhost closed by remote host.
Connection to hiddenhost closed.
Transferred: sent 1944, received 1312 bytes, in 0.0 seconds
Bytes per second: sent 647995.5, received 437330.3
debug1: Exit status -1
PC003370+procserver@ATMPROCSERVER ~
$
HURRAY!!!!
We found a solution.
The whole reason was the ownership of the /var/empty/ folder. We tried to start the server in debugging mode... and then found this article:
"
If you are debugging a SSH connection, you may need to run sshd by hand (instead of as a service) and enable debugging output. Doing so allows you to track exactly why a connection is failing to establish. However, if you try to run sshd by hand, you may get the following message.
% cygrunsrv.exe --stop sshd
% /usr/sbin/sshd.exe -D
Could not load host key: /etc/ssh_host_ecdsa_key
/var/empty must be owned by root and not group or world-writable.
To fix this, make the user starting the sshd service the owner of /var/empty.
% ls -ld /var/empty
drwxr-xr-x+ 1 cyg_server root 0 May 7 2010 empty
% chown /var/empty
Now, start sshd again.
% /usr/sbin/sshd.exe -D
When you are done debugging and are ready to run sshd again as a service, change the owner of /var/empty to cyg_server.
% chown cyg_server /var/empty
% cygrunsrv.exe --start sshd
Note: you must have administrator privileges to run
"
I had the same problem. The root cause is that the directory /var/empty does not have the correct owner, so I did this:
chown $uid.$gid /var/empty
The problem is fixed.
Here's what fixed the issue for me.
Run sshd in debug mode using the command below:
/usr/sbin/sshd.exe -D -dd
This gave me the warnings below:
$ /usr/sbin/sshd.exe -D -dd
debug2: load_server_config: filename /etc/sshd_config
debug2: load_server_config: done config len = 285
debug2: parse_server_config: config /etc/sshd_config len 285
debug1: sshd version OpenSSH_7.5, OpenSSL 1.0.2k 26 Jan 2017
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0770 for '/etc/ssh_host_rsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
key_load_private: bad permissions
Could not load host key: /etc/ssh_host_rsa_key
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0770 for '/etc/ssh_host_dsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
key_load_private: bad permissions
Could not load host key: /etc/ssh_host_dsa_key
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0770 for '/etc/ssh_host_ecdsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
key_load_private: bad permissions
Could not load host key: /etc/ssh_host_ecdsa_key
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0770 for '/etc/ssh_host_ed25519_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
key_load_private: bad permissions
Could not load host key: /etc/ssh_host_ed25519_key
sshd: no hostkeys available -- exiting.
So I changed the permissions of the above files to 600
$ chmod 0600 /etc/ssh_host*
Then I ran the debug command again.
SHA256:4yqAb/GiMfMJPmIXfKz+Zw4fWOCVN7E6vUDHEtokdHk
/var/empty must be owned by root and not group or world-writable.
Then change the permission of this folder to 600.
$ chmod 600 /var/empty
This fixed the issue.
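Added example, not part of any answer in this thread: a Python audit of the two conditions sshd enforced in the debug output above (host private keys with no group/other permission bits, and a privilege-separation directory with the expected owner and no group/world write bit), run against a constructed temporary layout that reproduces both faults and then the fix. The owner is compared by uid; the uid to expect for /var/empty on a real system is root's (0), or the sshd service account on Cygwin, and the demo substitutes the current user's uid because it cannot chown.

```python
import os
import shutil
import stat
import tempfile


def check_private_key(path):
    """Return None if sshd would accept this private key file, else the reason.
    sshd ignores a key when any group/other permission bit is set (the
    'Permissions 0770 ... are too open' warning in the debug output)."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return f"missing: {path}"
    if not stat.S_ISREG(st.st_mode):
        return f"not a regular file: {path}"
    if st.st_mode & 0o077:
        return (f"permissions {stat.S_IMODE(st.st_mode):04o} for '{path}' "
                "are too open")
    return None


def check_privsep_dir(path, expected_uid=0):
    """The privilege-separation directory (/var/empty) must be owned by the
    expected uid (root, or the sshd service account on Cygwin) and must not
    be group- or world-writable."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return f"missing: {path}"
    if not stat.S_ISDIR(st.st_mode):
        return f"not a directory: {path}"
    if st.st_uid != expected_uid:
        return f"{path} is owned by uid {st.st_uid}, expected {expected_uid}"
    if st.st_mode & 0o022:
        return (f"{path} is group- or world-writable "
                f"({stat.S_IMODE(st.st_mode):04o})")
    return None


def audit_sshd_files(key_dir, privsep_dir, privsep_uid=0):
    """Collect every problem sshd would report at startup, in a stable order."""
    problems = []
    for name in sorted(os.listdir(key_dir)):
        if name.startswith("ssh_host_") and name.endswith("_key"):
            problem = check_private_key(os.path.join(key_dir, name))
            if problem:
                problems.append(problem)
    problem = check_privsep_dir(privsep_dir, privsep_uid)
    if problem:
        problems.append(problem)
    return problems


def run_demo():
    """Reproduce the two faults from the thread in a constructed temp layout
    (a 0770 host key and a world-writable privsep directory), audit, apply
    the same kind of chmod fix as the answer, and audit again.
    Returns (problems_before, problems_after)."""
    root = tempfile.mkdtemp()
    try:
        key_dir = os.path.join(root, "etc")
        privsep = os.path.join(root, "empty")
        os.mkdir(key_dir)
        os.mkdir(privsep)
        os.chmod(privsep, 0o777)  # world-writable, as sshd complained
        for name, mode in (("ssh_host_rsa_key", 0o770),
                           ("ssh_host_ed25519_key", 0o600)):
            path = os.path.join(key_dir, name)
            open(path, "w").close()
            os.chmod(path, mode)
        me = os.getuid()  # the temp layout is owned by the current user
        before = audit_sshd_files(key_dir, privsep, me)
        os.chmod(os.path.join(key_dir, "ssh_host_rsa_key"), 0o600)
        os.chmod(privsep, 0o755)
        after = audit_sshd_files(key_dir, privsep, me)
    finally:
        shutil.rmtree(root)
    return before, after


if __name__ == "__main__":
    before, after = run_demo()
    print("before:", *before, sep="\n  ")
    print("after:", after)
```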
I am trying to set up password-less login into my localhost for a distributed computing tutorial. (I've set it up successfully for multiple remote hosts.) I went through the normal steps of generating an RSA key and appending the public key to authorized_keys, but I am still prompted for a password. I've also enabled RSAAuthentication and PubKeyAuthentication in /etc/ssh_config. Following other suggestions I've seen, I tried:
chmod go-w ~/
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
But the problem persists.
Here is the output from ssh -v localhost:
(tutorial)bnels21-2:tutorial bnels21$ ssh -v localhost
OpenSSH_5.9p1, OpenSSL 0.9.8r 8 Feb 2011
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: Connecting to localhost [::1] port 22.
debug1: Connection established.
debug1: identity file /Users/bnels21/.ssh/id_rsa type 1
debug1: identity file /Users/bnels21/.ssh/id_rsa-cert type -1
debug1: identity file /Users/bnels21/.ssh/id_dsa type -1
debug1: identity file /Users/bnels21/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9
debug1: match: OpenSSH_5.9 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.9
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA 1c:31:0e:56:93:45:dc:f0:77:6c:bd:90:27:3b:c6:43
debug1: Host 'localhost' is known and matches the RSA host key.
debug1: Found key in /Users/bnels21/.ssh/known_hosts:11
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/bnels21/.ssh/id_rsa
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Offering RSA public key: id_rsa3
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Trying private key: /Users/bnels21/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
Password:
Any suggestions? I'm running OSX 10.8.
Since you seem to have multiple keys, I would assign the specific key to a specific connection in ~/.ssh/config.
Example:
Host local
HostName 127.0.0.1
Port 22
User your_username
IdentityFile ~/.ssh/your_key-id_rsa
Then just try ssh local.
I had the same problem. I checked the system passwd and group files, and discovered that my user and group were not present. To build these files (my user was a domain user) I needed to run two commands in the Cygwin shell:
mkpasswd -l -d > /etc/passwd
mkgroup -l -d > /etc/group
After that, ssh works fine!
Elvys Borges
It looks like you are using protocol version 2.0 when connecting to localhost, so try moving authorized_keys to authorized_keys2.
Source: this post explains the difference between the two keys files.
I was at my wits' end... I was under the mistaken impression ssh-copy-id was a Linux-only utility. Finally I just swallowed my pride and typed the command in the macOS Terminal and it worked!
ssh-copy-id me@sshd-server
I don't know what magic ssh-copy-id does, but it just worked. I was able to log in without a password successfully with the simple command:
ssh me@sshd-server
I had zero luck with cat id_rsa.pub >> ~/.ssh/authorized_hosts. Every time I tried ssh'ing to the server it just kept asking me for the passphrase. This is with the correct 600 permission on authorized_hosts and 700 on ~/.ssh.
So, I'm going through this tutorial (Running Hadoop on windows using cygwin...) to set up Hadoop on my WINDOWS (please don't ask why I would use Linux). So I got to the point that I need to SSH to my localhost and test the SSH using Cygwin, but it closes the connection and says:
Connection closed by 127.0.0.1
I've googled a lot but couldn't find any proper answer for my problem.
P.S.: I'm running cygwin on Windows 7 professional x64
Any idea?
BTW, Here is a sample run:
$ ssh -v localhost
OpenSSH_6.0p1, OpenSSL 1.0.1c 10 May 2012
debug1: Reading configuration data /etc/ssh_config
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/Soroush/.ssh/id_rsa type 1
debug1: identity file /home/Soroush/.ssh/id_rsa-cert type -1
debug1: identity file /home/Soroush/.ssh/id_dsa type -1
debug1: identity file /home/Soroush/.ssh/id_dsa-cert type -1
debug1: identity file /home/Soroush/.ssh/id_ecdsa type -1
debug1: identity file /home/Soroush/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.0
debug1: match: OpenSSH_6.0 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.0
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 19:2d:f6:84:4d:e5:0d:d4:5e:e6:e5:a4:6a:3c:ea:8b
debug1: Host 'localhost' is known and matches the ECDSA host key.
debug1: Found key in /home/Soroush/.ssh/known_hosts:1
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/Soroush/.ssh/id_rsa
Connection closed by 127.0.0.1
When you installed Cygwin and ran ssh-host-config, you might have created the user cyg_server. So when you are connecting to ssh, you need to use the user cyg_server@localhost.
When you run ssh with that user, it will ask you for the password that you provided when you ran ssh-host-config.
$ ssh cyg_server@localhost
cyg_server@localhost's password:
Last login: Mon Dec 31 01:14:44 2012 from ::1
cyg_server@polorumpus ~
$
I hope it will be useful.
It looks like the key isn't being accepted. Check that /home/Soroush/.ssh/id_rsa.pub has been added to /home/Soroush/.ssh/authorized_keys
I would also check that
RSAAuthentication yes is set in /etc/ssh/sshd_config
I had to do these to fix the problem:
chown <USERNAME> /var/log/sshd.log
chown -R <USERNAME> /var/empty
chown <USERNAME> /etc/ssh*
chmod 755 /var/empty
chmod 644 /var/log/sshd.log
Note that <USERNAME> is my desired user name, not cyg_server.
I found this post relating to my issue, but it turned out that my cyg_server account did not have administrator privilege.
I had the same problem, and it was generated by Putty authentication agent (Pageant): it was running with a private key. For some reason, it tried to use it to connect to localhost. If I closed Pageant (or removed the key), I could ssh to localhost.
But as I wanted to have Pageant running (to be a client of other ssh servers), I managed to modify the local sshd service, so that it 'ignored' in some way Pageant, to accept connections:
Modify /etc/ssh/sshd_config:
PubkeyAuthentication no
Now it works.
I had to use the 64-bit version of Cygwin to get this to work.