I broke SSH Key authentication :(


#1

I’ve been authenticating to the Dreamhost shell with a public key for months now, and it is really convenient not to enter your password every time you get kicked off your flaky connection.

Unfortunately, while moving some folders around (which shouldn’t have had any effect on this, but who knows), I broke something. Since that time, I have been unable to authenticate with my key and forced to use my password.

Putty says “Server refused our key”.

The usual suspects (which I found on Google) are ruled out:

  • ~/.ssh and ~/.ssh/authorized_keys are both 700 and owned by my user (I’ve also tried setting them to 755 just in case);
  • I have generated a new key several times (PuttyGen) and variously pasted the OpenSSH public key directly into authorized_keys, uploaded the normal public key file and then used ssh-keygen -i -f on the server,
  • replaced authorized_keys with an entirely new file,
  • even generated a keypair on the server and then downloaded the private key.

None of these have worked, and I am stumped…


#2

Try getting rid of Known Hosts. Sometimes I do that if the server has changed keys.

Keys actually require more than just authorized_keys. Locally, you need id_rsa, and remotely, you need authorized_keys. A better way to troubleshoot is to use the -v flag for a verbose output to what’s going on. Then read the output very carefully.

-Scott


#3

Wait, that refers to using the ssh binary on a Unix machine, right? I’m using Putty in Windows, so I don’t have an .ssh folder locally. I can only suppose Putty takes care of all the local stuff on its own, since it worked before.

Thanks, I’ll try emptying the remote known_hosts file.


#4

Nope, didn’t work.

I have now tried to use one of the shell accounts to ssh into the other, since I don’t have any working Unix system at home. So I generated a private key, moved it to my other user’s id_rsa file, moved the public key to my own authorized_keys file, then su’d to the other user and tried to ssh back to the first user.

The output using -v is this:

debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /home/USER/.ssh/identity
debug1: Trying private key: /home/USER/.ssh/id_rsa
Enter passphrase for key '/home/USER/.ssh/id_rsa':
debug1: Trying private key: /home/USER/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
Password:

Edit: Note that it does check the passphrase properly, so the last three lines of output only occur when the correct passphrase is entered.


#5

Hmm. Whenever I’ve had problems like this it has almost always been me screwing up the line endings on my public key between Windows and Linux.

Did you:

  1. Copy the public key directly from the puttygen window into authorized_keys on the dreamhost machine? Either in vi or your remote file editor (I use the one in WinSCP). Oh, I always strip out the comment but I think you can leave it in. (update: I’ve successfully tested both with and without comment)
  2. Save the private key on your local machine using “Save private key”?
  3. Use a 1024 bit ssh-2 RSA key? I think other types will work, but that happens to be the one I just tested out now.



#6

Thanks. I’ve tried copying the string out of the Puttygen window into authorized_keys in vi, and uploading the public key and then using ssh-keygen on it for conversion.

With and without comments - and I used to have a 4096 bit key on one computer, and a 1024 on the other (RSA2 both); both worked. I think I’ll try the official support next.


#7

Hmm. Let us know what the problem was.

BTW, I should mention for completeness that my authorized_keys file is 600, not 700.

You might also try generating the keys over on the server and importing them into putty like this guy suggests:
http://www.andremolnar.com/how_to_set_up_ssh_keys_with_putty_and_not_get_server_refused_our_key

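
Added example (not part of any post in this thread): a shell function for the server side that checks the points raised above, namely write permissions on ~/.ssh and authorized_keys, Windows line endings, a PuTTYgen public key file that was never converted, and key lines that were wrapped when pasted. It goes beyond the thread in one respect by also checking the home directory, which sshd's StrictModes setting covers too. The function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Source it on the server, then run:
#   audit_ssh_dir            (checks ~/.ssh and its parent directory)
# Prints one line per finding; the return status is the number of findings.

# True if group or others may write to the path.
loosely_writable() {
    case "$(ls -ldL "$1" | cut -c1-10)" in
        ?????w*|????????w*) return 0 ;;
    esac
    return 1
}

audit_ssh_dir() {
    dir=${1:-$HOME/.ssh}
    file=$dir/authorized_keys
    n=0
    # sshd's StrictModes (on by default) checks the home directory as well.
    for p in "$(dirname "$dir")" "$dir" "$file"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"; n=$((n + 1))
        elif loosely_writable "$p"; then
            echo "writable by group/others: $p"; n=$((n + 1))
        fi
    done
    [ -f "$file" ] || return "$n"

    # Carriage returns from a Windows editor or a non-binary upload.
    if grep -q "$(printf '\r')" "$file"; then
        echo "CR line endings: $file"; n=$((n + 1))
    fi
    if grep -q '^---- BEGIN SSH2 PUBLIC KEY' "$file"; then
        # PuTTYgen "Save public key" format; needs ssh-keygen -i -f first.
        echo "unconverted SSH2 public key file: $file"; n=$((n + 1))
    else
        # Every entry must be ONE line containing "<key-type> AAAA...".
        types='ssh-(rsa|dss|ed25519)|ecdsa-sha2-[a-z0-9-]+'
        bad=$(grep -Evc "^[[:space:]]*(#|\$)|($types) AAAA" "$file" || :)
        if [ "$bad" -gt 0 ]; then
            echo "$bad line(s) are not a complete key (wrapped paste?)"
            n=$((n + 1))
        fi
    fi
    return "$n"
}
```

A return status of 0 means none of these causes applies, and the next place to look is the output of the client's verbose mode.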