    Failing SSH Certs

    IT Discussion (tags: ssh, linux)
    13 Posts, 3 Posters, 2.9k Views
    • scottalanmiller

      We just implemented several new CentOS 7 boxes on CloudatCost and one of them is our new Jump server. It works great except for one little thing: SSH keys are failing. I've tried everything that I can think of, but it still makes me put in a password every time. Argh.

      Anyone have any ideas?

      • A Former User

        What do the logs say? /var/log/auth.log

        • scottalanmiller

          Here is the setup from the Jump Server side:

          -bash-4.2$ cd ~
          -bash-4.2$ pwd
          /home/scott
          -bash-4.2$ ll
          total 4
          -rw-rw-r--. 1 scott scott 69 Feb 27 13:54 cclist
          -bash-4.2$ cd .ssh
          -bash-4.2$ ll
          total 12
          -rw-------. 1 scott scott 1679 Feb 27 14:53 id_rsa
          -rw-r--r--. 1 scott scott  399 Feb 27 14:53 id_rsa.pub
          -rw-r--r--. 1 scott scott  569 Mar  3 15:43 known_hosts
          
          • scottalanmiller

            And one of the clients:

            -bash-4.2$ pwd
            /home/scott/.ssh
            -bash-4.2$ ll
            total 4
            -rwx------. 1 scott scott 399 Feb 27 16:21 authorized_keys
            
            • scottalanmiller

              This is what /var/log/secure produces when it fails:

              Mar  3 17:28:10 cc-lnx-dev1 sshd[11656]: Connection closed by 168.235.144.189 [preauth]
              Mar  3 17:29:52 cc-lnx-dev1 sshd[11662]: reverse mapping checking getaddrinfo for c1115753-27900.cloudatcost.com    [168.235.144.189] failed - POSSIBLE BREAK-IN ATTEMPT!
              
              • A Former User @scottalanmiller

                @scottalanmiller said:

                This is what /var/log/secure produces when it fails:

                Mar  3 17:28:10 cc-lnx-dev1 sshd[11656]: Connection closed by 168.235.144.189 [preauth]
                Mar  3 17:29:52 cc-lnx-dev1 sshd[11662]: reverse mapping checking getaddrinfo for c1115753-27900.cloudatcost.com    [168.235.144.189] failed - POSSIBLE BREAK-IN ATTEMPT!
                

                Wow. That doesn't tell much. You might try SSH in verbose mode (ssh -v).

                • scottalanmiller

                  Here is the output.

                  -bash-4.2$ ssh -v cc-lnx-dev1
                  OpenSSH_6.4, OpenSSL 1.0.1e-fips 11 Feb 2013
                  debug1: Reading configuration data /etc/ssh/ssh_config
                  debug1: /etc/ssh/ssh_config line 51: Applying options for *
                  debug1: Connecting to cc-lnx-dev1 [168.235.145.186] port 22.
                  debug1: Connection established.
                  debug1: identity file /home/scott/.ssh/id_rsa type 1
                  debug1: identity file /home/scott/.ssh/id_rsa-cert type -1
                  debug1: identity file /home/scott/.ssh/id_dsa type -1
                  debug1: identity file /home/scott/.ssh/id_dsa-cert type -1
                  debug1: identity file /home/scott/.ssh/id_ecdsa type -1
                  debug1: identity file /home/scott/.ssh/id_ecdsa-cert type -1
                  debug1: Enabling compatibility mode for protocol 2.0
                  debug1: Local version string SSH-2.0-OpenSSH_6.4
                  debug1: Remote protocol version 2.0, remote software version OpenSSH_6.4
                  debug1: match: OpenSSH_6.4 pat OpenSSH*
                  debug1: SSH2_MSG_KEXINIT sent
                  debug1: SSH2_MSG_KEXINIT received
                  debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.com none
                  debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com none
                  debug1: sending SSH2_MSG_KEX_ECDH_INIT
                  debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
                  debug1: Server host key: ECDSA 7a:56:bb:86:38:e6:e0:f7:ef:2b:7a:d3:68:f2:ad:48
                  debug1: Host 'cc-lnx-dev1' is known and matches the ECDSA host key.
                  debug1: Found key in /home/scott/.ssh/known_hosts:2
                  debug1: ssh_ecdsa_verify: signature correct
                  debug1: SSH2_MSG_NEWKEYS sent
                  debug1: expecting SSH2_MSG_NEWKEYS
                  debug1: SSH2_MSG_NEWKEYS received
                  debug1: Roaming not allowed by server
                  debug1: SSH2_MSG_SERVICE_REQUEST sent
                  debug1: SSH2_MSG_SERVICE_ACCEPT received
                  debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
                  debug1: Next authentication method: gssapi-keyex
                  debug1: No valid Key exchange context
                  debug1: Next authentication method: gssapi-with-mic
                  debug1: Unspecified GSS failure.  Minor code may provide more information
                  No Kerberos credentials available
                  
                  debug1: Unspecified GSS failure.  Minor code may provide more information
                  No Kerberos credentials available
                  
                  debug1: Unspecified GSS failure.  Minor code may provide more information
                  
                  
                  debug1: Unspecified GSS failure.  Minor code may provide more information
                  No Kerberos credentials available
                  
                  debug1: Next authentication method: publickey
                  debug1: Offering RSA public key: /home/scott/.ssh/id_rsa
                  debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
                  debug1: Trying private key: /home/scott/.ssh/id_dsa
                  debug1: Trying private key: /home/scott/.ssh/id_ecdsa
                  debug1: Next authentication method: password
                  
                  • A Former User @scottalanmiller

                    @scottalanmiller Turn off GSSAPIAuthentication (GSSAPIAuthentication no) in the SSH config (/etc/ssh/sshd_config), as that's for Kerberos.

                    Also try restorecon -R ~/.ssh to make sure SELinux has the proper security context set up for the keys.

                    • scottalanmiller @A Former User

                      @thecreativeone91 said:

                      @scottalanmiller Turn off GSSAPIAuthentication (GSSAPIAuthentication no) in the SSH config (/etc/ssh/sshd_config), as that's for Kerberos.

                      Also try restorecon -R ~/.ssh to make sure SELinux has the proper security context set up for the keys.

                      Awesome, that did it!

                      • scottalanmiller

                        For reference, it was only the SELinux portion that was needed...

                        restorecon -R ~/.ssh
                        
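As an added example (not from the thread or its posters), a small POSIX shell script that checks the two sshd-side conditions behind the symptom shown above, where the client offers id_rsa, the server never accepts it, and authentication falls through to password: the StrictModes permission check on ~/.ssh and authorized_keys, and the SELinux type on the files in ~/.ssh, which is what restorecon -R ~/.ssh repairs. The five-column `ls -Z` layout it parses and the sample listing are assumptions constructed for the example.

```shell
# Added example, not from the thread: the two sshd-side checks that make a
# present, readable key fall through to password on a CentOS 7 server:
#   1. StrictModes rejects ~/.ssh or authorized_keys if group/other-writable;
#   2. a ~/.ssh whose files carry any SELinux type other than ssh_home_t can be
#      denied to sshd_t, which is exactly what `restorecon -R ~/.ssh` relabels.
# mode_is_safe MODE: 0 if an ls-style mode string such as "-rw-r--r--."
# has neither the group-write (char 6) nor the other-write (char 9) bit.
mode_is_safe() {
    case "$1" in
        ?????w*|????????w*) return 1 ;;
    esac
    return 0
}

# check_ssh_dir DIR: run mode_is_safe over DIR and DIR/authorized_keys,
# print each offender, return 1 if any path would fail StrictModes.
check_ssh_dir() {
    rc=0
    for p in "$1" "$1/authorized_keys"; do
        [ -e "$p" ] || continue
        mode=$(ls -ld "$p" | awk '{print $1}')
        if ! mode_is_safe "$mode"; then
            echo "unsafe mode $mode on $p"
            rc=1
        fi
    done
    return $rc
}

# find_mislabelled: read `ls -Z` output in the five-column layout CentOS 7
# coreutils prints (mode user group context name; an assumption here) and
# print every name whose SELinux type is not ssh_home_t.
find_mislabelled() {
    awk '{ split($4, c, ":"); if (c[3] != "ssh_home_t") print $5 }'
}
# Constructed `ls -Z ~/.ssh` listing: authorized_keys was copied in by hand
# under a directory the system never labelled, so it still carries default_t.
SAMPLE_LS_Z='-rw-------. scott scott unconfined_u:object_r:ssh_home_t:s0 id_rsa
-rw-r--r--. scott scott unconfined_u:object_r:ssh_home_t:s0 id_rsa.pub
-rwx------. scott scott system_u:object_r:default_t:s0 authorized_keys'

# demo: throwaway .ssh with a group-writable authorized_keys, then the SELinux
# scan of the constructed listing; returns non-zero on a permission finding.
demo() {
    d=$(mktemp -d) && mkdir "$d/.ssh" && chmod 700 "$d/.ssh"
    : > "$d/.ssh/authorized_keys" && chmod 660 "$d/.ssh/authorized_keys"
    check_ssh_dir "$d/.ssh"; perm_rc=$?
    printf '%s\n' "$SAMPLE_LS_Z" | find_mislabelled
    rm -rf "$d"; return $perm_rc
}
```

On a real host, replace the constructed listing with `ls -Z ~/.ssh | find_mislabelled` and run `check_ssh_dir ~/.ssh`; a hit from either explains the fallback to password without any error in /var/log/secure.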
                        • thanksajdotcom

                          Unrelated question, but how do you indent all your code lines four spaces: manually, or do you do it automatically?

                          • scottalanmiller @thanksajdotcom

                            @thanksajdotcom said:

                            Unrelated question, but how do you indent all your code lines four spaces: manually, or do you do it automatically?

                            If it is one line, like that one there, I just hit the space bar four times. When it is a large code block, I copy into Notepad++, Ctrl-A, Tab, and copy into here.

                            • thanksajdotcom @scottalanmiller

                              @scottalanmiller said:

                              @thanksajdotcom said:

                              Unrelated question, but how do you indent all your code lines four spaces: manually, or do you do it automatically?

                              If it is one line, like that one there, I just hit the space bar four times. When it is a large code block, I copy into Notepad++, Ctrl-A, Tab, and copy into here.
                              ...
                              I figured you must
