SSH keys Permission denied (publickey,gssapi-keyex,gssapi-with-mic)

Discussion in 'General Discussion' started by darrencperry, Oct 3, 2012.

  1. darrencperry

    I've been troubleshooting this since yesterday afternoon.

    I have a CentOS server running WHM and I had SSH access working with a key. SSH Password Authorization Tweak is Disabled.

    My SSH key had a passphrase and I was working on a backup solution for which I wanted to try using a key with no passphrase. WHM doesn't allow null password keys, it seems, so I created one locally on my Mac with ssh-keygen, uploaded the public key and this didn't work.

    I ended up removing the working ssh key from the server, not a big problem I thought as I can just make a new one.

    Now I can't get any keys working for ssh access. Here are the steps I've been taking for the last few hours:

    1) Manage root’s SSH Keys > Generate a new key
    2) I have copied and pasted the text from the private key into a key on my computer
    2 a) I have also used scp (by enabling ssh password authorization temporarily) to retrieve the private key
    3) Manage Authorization > Enable
    4) Attempt login > ssh -i <id_dsa/id_rsa> root@<server>
    type key password

    Code:
    Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

    5) chmod 600 <id_dsa/id_rsa>

    Code:
    Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

    OK. Next.

    On Mac
    1) ssh-keygen -t id_dsa
    1 a) I have also tried ssh-keygen -t id_rsa, the difference is not significant I know.
    1 b) I've done this with a password and without a password, neither works
    2) copy id_dsa.pub/id_rsa.pub to remote server through Manage root’s SSH Keys > Import Key
    2 a) I've also used scp (by enabling ssh password authorization temporarily) to copy the key to the server
    3) Manage Authorization > Enable
    4) Attempt login > ssh -i <id_dsa/id_rsa> root@<server>
    type key password

    Code:
    Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

    5) chmod 600 <id_dsa/id_rsa>

    Code:
    Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

    OK. Permissions.

    on server in /root/.ssh

    Code:
    -rw-------.  1 root root  422 Oct  3 10:57 authorized_keys
    -rw-------.  1 root root  422 Oct  3 10:57 authorized_keys2
    -rw-r--r--.  1 root root  422 Oct  3 10:57 id_rsa.pub

    and from /root

    Code:
    drwx------.  2 root root     4096 Oct  3 10:57 .ssh/

    on mac in ~/

    Code:
    drwx------   3 darrencperry  staff    102  3 Oct 00:54 .ssh

    and in ~/.ssh

    Code:
    -rw-r--r--   1 darrencperry  staff  418  3 Oct 00:54 known_hosts

    my private key permissions

    Code:
    -rw-------   1 darrencperry  staff   1675  3 Oct 10:56 id_rsa

    Firewall:

    I've made sure port 22 is open on my server and am using port 22 for SSH.


    read out from ssh -vvv -i <id_dsa/id_rsa> root@<server>

    (I've hidden addresses and IPs)

    Code:
    OpenSSH_5.9p1, OpenSSL 0.9.8r 8 Feb 2011
    debug1: Reading configuration data /etc/ssh_config
    debug1: /etc/ssh_config line 20: Applying options for *
    debug2: ssh_connect: needpriv 0
    debug1: Connecting to myserver.co.uk [my.ip.address] port 22.
    debug1: Connection established.
    debug3: Incorrect RSA1 identifier
    debug3: Could not load "id_rsa" as a RSA1 public key
    debug1: identity file id_rsa type 1
    debug1: identity file id_rsa-cert type -1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
    debug1: match: OpenSSH_5.3 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_5.9
    debug2: fd 3 setting O_NONBLOCK
    debug3: load_hostkeys: loading entries for host "myserver.co.uk" from file "/Users/darrencperry/.ssh/known_hosts"
    debug3: load_hostkeys: found key type RSA in file /Users/darrencperry/.ssh/known_hosts:1
    debug3: load_hostkeys: loaded 1 keys
    debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa,ssh-dss-cert-v01@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-dss
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
    debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
    debug2: kex_parse_kexinit: 
    debug2: kex_parse_kexinit: 
    debug2: kex_parse_kexinit: first_kex_follows 0 
    debug2: kex_parse_kexinit: reserved 0 
    debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: none,zlib@openssh.com
    debug2: kex_parse_kexinit: none,zlib@openssh.com
    debug2: kex_parse_kexinit: 
    debug2: kex_parse_kexinit: 
    debug2: kex_parse_kexinit: first_kex_follows 0 
    debug2: kex_parse_kexinit: reserved 0 
    debug2: mac_setup: found hmac-md5
    debug1: kex: server->client aes128-ctr hmac-md5 none
    debug2: mac_setup: found hmac-md5
    debug1: kex: client->server aes128-ctr hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug2: dh_gen_key: priv key bits set: 128/256
    debug2: bits set: 493/1024
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Server host key: RSA hi:dd:en:so:me:of:th:is:42:b2:0b:10:10:25:4f:3f
    debug3: load_hostkeys: loading entries for host "myserver.co.uk" from file "/Users/darrencperry/.ssh/known_hosts"
    debug3: load_hostkeys: found key type RSA in file /Users/darrencperry/.ssh/known_hosts:1
    debug3: load_hostkeys: loaded 1 keys
    debug3: load_hostkeys: loading entries for host "my.ip.address" from file "/Users/darrencperry/.ssh/known_hosts"
    debug3: load_hostkeys: found key type RSA in file /Users/darrencperry/.ssh/known_hosts:1
    debug3: load_hostkeys: loaded 1 keys
    debug1: Host 'myserver.co.uk' is known and matches the RSA host key.
    debug1: Found key in /Users/darrencperry/.ssh/known_hosts:1
    debug2: bits set: 507/1024
    debug1: ssh_rsa_verify: signature correct
    debug2: kex_derive_keys
    debug2: set_newkeys: mode 1
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug2: set_newkeys: mode 0
    debug1: SSH2_MSG_NEWKEYS received
    debug1: Roaming not allowed by server
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug2: service_accept: ssh-userauth
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug2: key: id_rsa (0x7fe2f241d220)
    debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
    debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic
    debug3: preferred publickey,keyboard-interactive,password
    debug3: authmethod_lookup publickey
    debug3: remaining preferred: keyboard-interactive,password
    debug3: authmethod_is_enabled publickey
    debug1: Next authentication method: publickey
    debug1: Offering RSA public key: id_rsa
    debug3: send_pubkey_test
    debug2: we sent a publickey packet, wait for reply
    debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
    debug2: we did not send a packet, disable method
    debug1: No more authentication methods to try.
    Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
    

    I've also run:

    tail -f /var/log/secure

    on the server and all that's logged when I attempt and fail to login with the SSH key is this:

    Code:
    Oct  3 11:31:52 host-my-server-ip sshd[13261]: Connection closed by <my.ip>

    I've also tried to ssh in from another machine using the same methods...

    Any help would be GREATLY appreciated!!

    Thanks!
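
The permission and key checks walked through in the post above, as a script (an added example, not part of the thread or of cPanel's tooling): it reports paths that are group- or world-writable or wrongly owned, which sshd's StrictModes rejects, and tests whether a given public key is actually listed in authorized_keys. The function names, the throwaway directory and the key blobs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): two server-side checks for a rejected key.

# True if PATH is group- or world-writable, which sshd's StrictModes refuses.
loose_perms() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]
}

# Print one line per problem for HOME, HOME/.ssh and HOME/.ssh/authorized_keys.
# $2 is the numeric uid of the account being logged in to (0 for root).
strict_modes_report() {
    home=$1; expect_uid=$2
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || { echo "missing: $p"; continue; }
        owner=$(ls -ldn "$p" | awk '{print $3}')
        [ "$owner" = "$expect_uid" ] || [ "$owner" = 0 ] || echo "bad owner $owner: $p"
        if loose_perms "$p"; then echo "group/world-writable: $p"; fi
    done
}

# True if the key in PUBFILE ("type base64 [comment]") is listed in AUTHKEYS.
# authorized_keys lines may start with an options field, so look for type and
# blob as adjacent fields anywhere on the line; '#' comment lines are skipped.
key_is_authorized() {
    pubfile=$1; authkeys=$2
    read -r ktype kblob rest < "$pubfile" || true
    awk -v t="$ktype" -v b="$kblob" '
        /^[ \t]*#/ { next }
        { for (i = 1; i < NF; i++) if ($i == t && $(i+1) == b) { found = 1; exit } }
        END { exit !found }' "$authkeys"
}

# Constructed demo: a throwaway directory stands in for /root; key blobs are fake.
demo() {
    d=$(mktemp -d) && mkdir "$d/.ssh" && chmod 700 "$d" "$d/.ssh"
    echo 'ssh-rsa AAAAB3CONSTRUCTEDKEY1 me@mac' > "$d/id_rsa.pub"
    echo 'ssh-rsa AAAAB3CONSTRUCTEDKEY2 old@mac' > "$d/.ssh/authorized_keys"
    chmod 600 "$d/.ssh/authorized_keys"
    key_is_authorized "$d/id_rsa.pub" "$d/.ssh/authorized_keys" ||
        echo "offered key is not in authorized_keys"
    strict_modes_report "$d" "$(id -u)"
    rm -rf "$d"
}
demo
```

On a real server, save the output of `ssh-keygen -y -f <private key>` to a file and pass that as PUBFILE, so the comparison uses the key the client actually offers. The script does not look at sshd_config settings or SELinux contexts.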
     
  2. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Hello,

    I'm not seeing anything obvious that's causing this to occur. Could you try opening up a ticket for us to test adding a public key to the machine ourselves to test it? You'll need to provide WHM root access for us to try adding the key to the machine.

    Thanks!
     