Bug 870911

Summary: Public Key authentication fails on ssh
Product: Red Hat Enterprise Linux 6
Reporter: Mitesh Shah <Mr.Miteshah>
Component: openssh
Assignee: Petr Lautrbach <plautrba>
Status: CLOSED WORKSFORME
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified
Priority: unspecified
Version: 6.3
Target Milestone: rc
Hardware: i386
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2012-10-29 11:05:13 UTC
Type: Bug

Description Mitesh Shah 2012-10-29 07:29:53 UTC
Description of problem: I just set up a RHEL 6.3 server with openssh-server and copied my public key to the RHEL server using ssh-copy-id. Whenever I try to log in to RHEL, the server asks me for a password (it doesn't accept my SSH keys), while I configured the same thing as a test on CentOS 6.3 and it works just fine.


Version-Release number of selected component (if applicable): OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010


How reproducible:
RHEL Server IP 192.168.0.120
[Mitesh@localhost:] ssh -v root@192.168.0.120
OpenSSH_5.3p1 Debian-3ubuntu7, OpenSSL 0.9.8k 25 Mar 2009
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 192.168.0.120 [192.168.0.120] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /root/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
The authenticity of host '192.168.0.120 (192.168.0.120)' can't be established.
RSA key fingerprint is 6e:c0:bc:9f:1a:df:b5:35:82:5a:37:79:fe:fa:64:d4.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.120' (RSA) to the list of known hosts.
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: An invalid name was supplied
Cannot determine realm for numeric host address

debug1: An invalid name was supplied
Cannot determine realm for numeric host address

debug1: An invalid name was supplied


debug1: Next authentication method: publickey
debug1: Offering public key: /root/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Next authentication method: password
root@192.168.0.120's password: 

Expected results:
RHEL accepts my RSA key and I am able to log in.


Comment 2 Petr Lautrbach 2012-10-29 09:05:16 UTC
Thank you for taking the time to enter a bug report with us. We appreciate the feedback and look to use reports such as this to guide our efforts at improving our products. That being said, this bug tracking system is not a mechanism for requesting support, and we are not able to guarantee the timeliness or suitability of a resolution.

If this issue is critical or in any way time sensitive, please raise a ticket through your regular Red Hat support channels to make certain it receives the proper attention and prioritization to assure a timely resolution.

For information on how to contact the Red Hat production support team, please visit: https://www.redhat.com/support/process/production/#howto

Comment 3 Mitesh Shah 2012-10-29 10:45:34 UTC
@Petr

I just want to report the bug so that in the next release other users don't face the same problem that occurred in the current release :)

I checked the available guides on Google but they didn't work for me, so I hope that in the next release end users don't face this problem again.

Comment 4 Petr Lautrbach 2012-10-29 11:05:13 UTC
I use this feature every day. It is most probably not a bug, but a misconfigured system. You should check /var/log/secure on the server, the ~/.ssh directory permissions and SELinux context, the content of ~/.ssh/authorized_keys, ...


$ ssh-copy-id localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is b7:d0:2f:39:b3:e6:6c:80:a2:c9:a6:92:18:86:ce:0b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
plautrba@localhost's password:
Now try logging into the machine, with "ssh 'localhost'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

$ ls -ldZ .ssh
drwx------. plautrba plautrba unconfined_u:object_r:ssh_home_t:s0 .ss
$ ls -lZ .ssh/authorized_keys
-rw-------. plautrba plautrba unconfined_u:object_r:ssh_home_t:s0 .ssh/authorized_keys
$ ssh localhost
Host key fingerprint is b7:d0:2f:39:b3:e6:6c:80:a2:c9:a6:92:18:86:ce:0b
Last login: Mon Oct 29 11:58:44 2012 from localhost.localdomain
$
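
The checks suggested in Comment 4, as an added example that is not part of the original bug report or of OpenSSH: it tests the ownership and mode conditions that sshd enforces under StrictModes on the home directory, ~/.ssh and authorized_keys. The function names are hypothetical, GNU coreutils `stat` is assumed, and the demo tree is constructed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, GNU stat is assumed.

# Report $1 if it is missing, group/other-writable, or not owned by uid $2 or root.
check_path() {
    local path=$1 want_uid=$2 mode uid rc=0
    [ -e "$path" ] || { echo "MISSING  $path"; return 1; }
    mode=$(stat -c '%a' "$path")
    uid=$(stat -c '%u' "$path")
    if [ $(( 0$mode & 022 )) -ne 0 ]; then      # any group/other write bit set
        echo "WRITABLE $path (mode $mode), fix: chmod go-w"
        rc=1
    fi
    if [ "$uid" != "$want_uid" ] && [ "$uid" != 0 ]; then
        echo "OWNER    $path (uid $uid, expected $want_uid or 0)"
        rc=1
    fi
    return $rc
}

# Audit the three paths for the account whose home is $1 and uid is $2.
audit_ssh_home() {
    local home=$1 uid=$2 rc=0
    check_path "$home" "$uid" || rc=1
    check_path "$home/.ssh" "$uid" || rc=1
    check_path "$home/.ssh/authorized_keys" "$uid" || rc=1
    return $rc
}

# On SELinux hosts, list files under ~/.ssh whose label differs from policy
# (ssh_home_t in the listing above). -n means nothing is changed.
selinux_report() {
    command -v restorecon >/dev/null 2>&1 || return 0
    restorecon -Rnv "$1/.ssh"
}

# Constructed demo: a throwaway home whose .ssh directory is group-writable.
demo() {
    local d rc
    d=$(mktemp -d)
    mkdir "$d/.ssh" && : > "$d/.ssh/authorized_keys"
    chmod 700 "$d"; chmod 775 "$d/.ssh"; chmod 600 "$d/.ssh/authorized_keys"
    audit_ssh_home "$d" "$(id -u)"; rc=$?
    rm -rf "$d"
    return $rc
}
demo || echo "sshd with StrictModes would refuse to use this authorized_keys"
```

When one of these conditions fails on a real server, sshd records it in /var/log/secure as "Authentication refused: bad ownership or modes for ...", which is why that log is the first item in the checklist.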

Comment 5 Mitesh Shah 2012-10-29 13:40:30 UTC
The problem is solved, but I wonder what the issue was. I ran the following commands and after that my problem was solved:


[root@RHEL ~]# ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
f4:46:f0:c8:32:32:9a:1b:db:f8:ed:1a:b8:8f:f6:00 root@RHEL
The key's randomart image is:
+--[ RSA 2048]----+
|        .        |
|       . +       |
|    o o + o      |
|   o o + o       |
|E +     S o      |
| . B     .       |
|  * o            |
|  .= o           |
| .oo=oo          |
+-----------------+
[root@RHEL ~]# ssh-copy-id localhost
The authenticity of host 'localhost (::1)' can't be established.
RSA key fingerprint is 58:99:8e:f1:75:3a:25:99:fb:f7:60:6c:98:21:73:11.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
root@localhost's password: 
Now try logging into the machine, with "ssh 'localhost'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

[root@RHEL ~]# ssh localhost
Last login: Mon Oct 29 16:21:51 2012 from 192.168.0.90
[root@RHEL ~]# logout




Now I am able to log in without a password from another system. Can anyone explain what the issue is?