Mailing List Archive

SSH Public Key Authorization
So I was playing around with SSH tonight. Password authentication works just fine, but when I attempt publickey authentication, I get the following in the sshd log of the destination server:

Found matching RSA key:
debug1: restore_uid: 0/0
debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa
Postponed publickey for rolfm from xxx.xxx.xxx.xxx port 63241 ssh2

Then it tries to log me in with password authentication, which isn't being accepted by the server. I get the "postponed" message even when I hard-code the Net::SSH2 method in the SFTP mover file to auth_publickey, like Gossamer Threads did a couple of months ago before the SFTP mover got patched.

Just wanted to see if Greg or anyone from Gossamer Threads ran into the same issue when they were hacking on the SFTP mover, and if anyone might have an idea of how I might fix this.

-Matt
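Added example, not part of the original thread or of the Bricolage SFTP mover: sshd logs "Postponed publickey" when the client has sent the first, unsigned half of the two-step publickey exchange (RFC 4252 section 7), the key matched an authorized_keys entry, and the server has answered with SSH_MSG_USERAUTH_PK_OK. The "authenticated 0" in the debug2 line is that same state: key accepted, no signature verified yet. "Accepted publickey" only appears once the client's signed request verifies. So a session that is postponed but never accepted is one where the client failed to produce (or the server rejected) the signature and then fell back to another method, which is exactly the pattern in the log above. The script below reads sshd log lines and reports such sessions. The sample log lines are constructed for the example; the user name and port echo the thread, the addresses are documentation-range placeholders.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not the thread's own log). The first four
# mirror the failure mode in the thread: key authorized, signature never
# verified, fallback to password. The last two show a completed publickey login.
SAMPLE_LOG = """\
sshd[1234]: Found matching RSA key: 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff
sshd[1234]: debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa
sshd[1234]: Postponed publickey for rolfm from 192.0.2.10 port 63241 ssh2
sshd[1234]: Failed password for rolfm from 192.0.2.10 port 63241 ssh2
sshd[1235]: Postponed publickey for alice from 192.0.2.11 port 50001 ssh2
sshd[1235]: Accepted publickey for alice from 192.0.2.11 port 50001 ssh2
"""

# These three message shapes are what OpenSSH's sshd emits at the
# corresponding points of userauth; the regexes only capture the fields
# needed to correlate lines from one client connection.
POSTPONED = re.compile(r"Postponed publickey for (\S+) from (\S+) port (\d+)")
ACCEPTED = re.compile(r"Accepted (\S+) for (\S+) from (\S+) port (\d+)")
FAILED = re.compile(r"Failed (\S+) for (?:invalid user )?(\S+) from (\S+) port (\d+)")


def incomplete_pubkey_sessions(log_text):
    """Return {(user, host, port): [what happened next, ...]} for every
    connection where sshd postponed a publickey attempt (key authorized,
    signed request still pending) but never logged 'Accepted publickey'
    for the same user/host/port.  An empty list means the client simply
    gave up; 'failed password' etc. means it fell back to another method."""
    postponed = set()
    accepted = set()
    followups = defaultdict(list)

    for line in log_text.splitlines():
        m = POSTPONED.search(line)
        if m:
            postponed.add(m.groups())
            continue
        m = ACCEPTED.search(line)
        if m:
            method, user, host, port = m.groups()
            if method == "publickey":
                accepted.add((user, host, port))
            else:
                followups[(user, host, port)].append("accepted " + method)
            continue
        m = FAILED.search(line)
        if m:
            method, user, host, port = m.groups()
            # 'Failed publickey' here would mean the server saw a signed
            # request and rejected the signature, a different failure
            # from the client never sending one.
            followups[(user, host, port)].append("failed " + method)

    return {key: followups.get(key, []) for key in sorted(postponed - accepted)}


if __name__ == "__main__":
    for (user, host, port), what in incomplete_pubkey_sessions(SAMPLE_LOG).items():
        nxt = ", ".join(what) if what else "no further attempt"
        print(f"{user}@{host}:{port}: publickey postponed, never accepted; then: {nxt}")
```

Run it against a real `/var/log/auth.log` (or the output of `sshd -d`) by passing the file contents to `incomplete_pubkey_sessions`. A postponed-but-never-accepted entry points at the client side: the key is authorized, so the next thing to check is whether the client library actually signs and sends the second request, which is the libssh2 build question raised later in this thread.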
Re: SSH Public Key Authorization
I did come across one server during testing that wouldn't work with public keys. A bit of googling suggested trying a DSA key or a smaller-sized (1024 bits) RSA key, and the DSA key ended up working. I didn't have access to the server's logs though, so I'm not sure if it's the same issue.

Also, your corresponding private key doesn't have a password on it?


On 2 Jun 2010, at 10:11 PM, Matthew Rolf wrote:

> Found matching RSA key:
> debug1: restore_uid: 0/0
> debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa
> Postponed publickey for rolfm from xxx.xxx.xxx.xxx port 63241 ssh2
>
> Just wanted to see if Greg or anyone from Gossamer Threads ran into the same issue when they were hacking on the SFTP mover, and if anyone might have an idea of how I might fix this.
>
> -Matt

---
Greg Heo
software developer
416.826.7630
Re: SSH Public Key Authorization
On Jun 3, 2010, at 1:09 AM, Greg Heo wrote:

> I did come across one server during testing that wouldn't work with public keys. A bit of googling suggested trying a DSA key or a smaller-sized (1024 bits) RSA key, and the DSA key ended up working. I didn't have access to the server's logs though, so I'm not sure if it's the same issue.

I'm a little concerned that there's something going on between the SSH version on the bricolage box and the version on the web server. I might try to upgrade one or the other. In the meantime, maybe I'll try a DSA key.

> Also, your corresponding private key doesn't have a password on it?

That is correct. And this server (had) password authentication and challenge response authentication disabled.

-Matt

>
>
> On 2 Jun 2010, at 10:11 PM, Matthew Rolf wrote:
>
>> Found matching RSA key:
>> debug1: restore_uid: 0/0
>> debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa
>> Postponed publickey for rolfm from xxx.xxx.xxx.xxx port 63241 ssh2
>>
>> Just wanted to see if Greg or anyone from Gossamer Threads ran into the same issue when they were hacking on the SFTP mover, and if anyone might have an idea of how I might fix this.
>>
>> -Matt
>
> ---
> Greg Heo
> software developer
> 416.826.7630
>
Re: SSH Public Key Authorization
On Jun 3, 2010, at 7:55 AM, Matthew Rolf wrote:

> I'm a little concerned that there's something going on between the SSH version on the bricolage box and the version on the web server. I might try to upgrade one or the other. In the meantime, maybe I'll try a DSA key.

For what it's worth, I tried upgrading ssh and that didn't work. I still think it might be an issue with the install, but I have no idea. The "postponed publickey" is just weird.

-Matt
Re: SSH Public Key Authorization
Sweet, now I'm getting temp files with every letter escaped on the server that things get moved to. This is how they are transmitted, but SFTP mover is supposed to rewrite them back to their original name.

Very odd. I'm wondering if the people at Denison or elsewhere who are using this module could chime in with what SSH/SSHD versions they are using. Both of my machines are on some iteration of 5. I know Denison has been using the SFTP mover in production without issue for a couple of years now, and I'm assuming Gossamer Threads hasn't had an issue either. Or Canada Sports Net.

Thanks,

Matt
Re: SSH Public Key Authorization
On Jun 3, 2010, at 8:53 PM, Matthew Rolf wrote:

> Sweet, now I'm getting temp files with every letter escaped on the server that things get moved to. This is how they are transmitted, but SFTP mover is supposed to rewrite them back to their original name.

I've done some more tests on this with a new install, and it doesn't look like the SFTP mover is finishing up with the files. It will just leave them with every letter escaped on the server.

I'll take a closer look at the SFTP mover tomorrow and try and figure out why it is doing such a thing.

-Matt
Re: SSH Public Key Authorization
On Jun 5, 2010, at 12:41 AM, Matthew Rolf wrote:

> I've done some more tests on this with a new install, and it doesn't look like the SFTP mover is finishing up with the files. It will just leave them with every letter escaped on the server.

I just sent a fix for this to be committed. It was pretty simple. SFTP.pm line 216 needed to be altered like so:

$sftp->rename($tmp_dest_esc, $dest_file);

-Matt
Re: SSH Public Key Authorization
On Jun 3, 2010, at 7:55 AM, Matthew Rolf wrote:

> I'm a little concerned that there's something going on between the SSH version on the bricolage box and the version on the web server. I might try to upgrade one or the other. In the meantime, maybe I'll try a DSA key.

As for this original issue, publickey authentication worked without issue on my latest clean install. The original install was on my Mac, and I now think the problem might have arisen from conflicts between compilation flags and/or library versions on the Mac somewhere among libssh2 and ssh. I'll admit I haven't quite figured out how to reliably compile certain things on Snow Leopard given the way pre-installed libraries and apps are compiled.

In that Bricolage seems to love *everything* to be compiled from source in a happy manner, I continue to be a fan of NetBSD+pkgsrc or something like it that allows you to do so in an efficient manner.

-Matt