# SSH Public Key Problems



## svoltmer (Oct 25, 2006)

Hi,
I am using Terminal to generate a public SSH2 key for a Unix machine running Apache. The Unix machine is with my web hosting company Aplus.net. I have requested SSH access to the server for configuring some Perl scripts for website statistics.

My problem is that after using "ssh-keygen -d -C <username>@<website.com>" to generate the keys and copying and pasting the key into the Aplus.net SSH control panel, I am still unable to log in using Terminal and "ssh <username>@<website.com>".

I get the error: "Permission Denied (publickey)"


----------



## lurk (Oct 25, 2006)

Are your permissions right on your .ssh directory?


----------



## svoltmer (Oct 25, 2006)

lurk,
call me stupid, but I can't actually see a directory named ".ssh", but I can "cd" to "/Users/steve/.ssh" and there I am. What's up?


----------



## bluedevils (Oct 25, 2006)

The . in front of the ssh represents a hidden object.  I believe you want your private key in there and your public key at Aplus.net.


----------



## svoltmer (Oct 25, 2006)

this is the listing of ".ssh".

authorized_keys                         
id_dsa                      
id_dsa.pub
known_hosts

The ssh-keygen -d created the id_dsa and the id_dsa.pub keys and I have copied the id_dsa.pub key from pico to the Aplus.net SSH control panel. With no luck.


----------



## lurk (Oct 25, 2006)

try 'ssh -vvv me@the.place.im.going' and see if that helps.  It will print out lots of debug info that may help identify the error.


----------



## svoltmer (Oct 25, 2006)

OpenSSH_4.2p1, OpenSSL 0.9.7i 14 Oct 2005
debug1: Reading configuration data /etc/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to crosst.org [66.226.88.136] port 22.
debug1: Connection established.
debug1: identity file /Users/steve/.ssh/identity type -1
debug1: identity file /Users/steve/.ssh/id_rsa type -1
debug3: Not a RSA1 key file /Users/steve/.ssh/id_dsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'Proc-Type:'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'DEK-Info:'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /Users/steve/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.2p1 FreeBSD-20050903
debug1: match: OpenSSH_4.2p1 FreeBSD-20050903 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.2
debug2: fd 3 setting O_NONBLOCK
debug1: Miscellaneous failure
No credentials cache found

debug1: Miscellaneous failure
No credentials cache found

debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 139/256
debug2: bits set: 541/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /Users/steve/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug3: check_host_in_hostfile: filename /Users/steve/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug1: Host 'crosst.org' is known and matches the DSA host key.
debug1: Found key in /Users/steve/.ssh/known_hosts:1
debug2: bits set: 505/1024
debug1: ssh_dss_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /Users/steve/.ssh/identity (0x0)
debug2: key: /Users/steve/.ssh/id_rsa (0x0)
debug2: key: /Users/steve/.ssh/id_dsa (0x300ce0)
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /Users/steve/.ssh/identity
debug3: no such identity: /Users/steve/.ssh/identity
debug1: Trying private key: /Users/steve/.ssh/id_rsa
debug3: no such identity: /Users/steve/.ssh/id_rsa
debug1: Offering public key: /Users/steve/.ssh/id_dsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey).


----------
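Added example, not part of the original posts: a small Python triage of `ssh -vvv` client output like the log above, reporting which identity files the client loaded and how the server answered each key offer. The sample log is a constructed excerpt, and `triage` is a hypothetical helper name.

```python
import re

# Constructed excerpt in the style of the `ssh -vvv` output posted above.
SAMPLE_LOG = """\
debug1: identity file /Users/steve/.ssh/identity type -1
debug1: identity file /Users/steve/.ssh/id_rsa type -1
debug3: key_read: missing whitespace
debug1: identity file /Users/steve/.ssh/id_dsa type 2
debug1: Authentications that can continue: publickey
debug1: Trying private key: /Users/steve/.ssh/identity
debug3: no such identity: /Users/steve/.ssh/identity
debug1: Offering public key: /Users/steve/.ssh/id_dsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).
"""

def triage(log):
    """Summarise local identities and the server's answer to each key offer."""
    result = {"loaded": [], "missing": [], "rejected": [], "accepted": [], "methods": []}
    pending = None  # key that was offered and is awaiting the server's reply
    for line in log.splitlines():
        m = re.match(r"debug1: identity file (\S+) type (-?\d+)", line)
        if m:
            # type -1 means the client found no usable key at that path
            result["missing" if m.group(2) == "-1" else "loaded"].append(m.group(1))
            continue
        m = re.match(r"debug1: Offering public key: (\S+)", line)
        if m:
            pending = m.group(1)
            continue
        m = re.match(r"debug1: Authentications that can continue: (\S+)", line)
        if m:
            # the server lists the methods it still allows; after an offer,
            # this reply means the offered key was not accepted
            result["methods"] = m.group(1).split(",")
            if pending:
                result["rejected"].append(pending)
                pending = None
            continue
        if line.startswith("debug1: Server accepts key") and pending:
            result["accepted"].append(pending)
            pending = None
    return result
```

On the excerpt this reports `id_dsa` as both loaded and rejected, with `publickey` as the only method the server allows: the client read a DSA key locally and the server declined it.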



## svoltmer (Nov 1, 2006)

Any Help with the server log that I posted?


----------



## lurk (Nov 1, 2006)

Which key do you expect to have work?  It looks like your id_dsa key is not the private key but might be a public key instead.  It needs to be a private key to work.


----------



## svoltmer (Nov 1, 2006)

I am pasting the id_dsa.pub key from vi in Terminal into a control panel from my web hosting company (Aplus.net).

I have noticed that the Aplus.net server is checking the private key on my machine but doesn't like the format "-----BEGIN PRIVATE KEY-----" bla bla bla. So I have tried taking everything out except the actual ssh key in the private file. This seems to get me a little further, but near the end of the log there is some other conflict and I am ultimately denied.

Also, I have noticed that the public key is shorter in the web control panel than the key that I copy from vi in Terminal.

Thanks for your help


----------



## lurk (Nov 1, 2006)

How are you generating these keys? I know that the textual key format between ssh implementations, like openssh and putty for example, is different.


----------



## svoltmer (Nov 1, 2006)

I am using OSX Terminal from prompt; ssh-keygen


----------



## bbolin (Nov 1, 2006)

Look at your debugging output.  "debug3: key_read: missing whitespace"

Don't believe you can copy and paste ssh keys.  They don't format correctly.  Try to scp or ftp the key.


----------



## svoltmer (Nov 2, 2006)

Where would I FTP to? I only have access to my website's directory on the server. That is one reason I am trying to get SSH access, it's impossible to set up or configure any scripts easily without ssh to the server.


----------



## bbolin (Nov 2, 2006)

pwd will tell you where your home directory is.  ftp might not be an option if the server is not configured for you to place things in your home directory.  If you do have ssh access to the system, which I assume you do because you're trying to install ssh keys in your .ssh directory, then use scp.  It will prompt you for your password when you login.

To copy files using scp the syntax is as follows -

scp foo username@foobar.com:/home/username

When you are done copying your keys to the website hosting system write or append them to your authorized_keys file.

cp foo authorized_keys
cat foo >> authorized_keys


----------



## svoltmer (Nov 2, 2006)

I tried scp to the home directory on the remote server with no luck.
The only way Aplus.net has it set up is via a web browser control panel. They want you to paste the public key in a field.

Any other suggestions? I appreciate your help!!


----------



## bbolin (Nov 2, 2006)

can you ssh into the server ?


----------



## lurk (Nov 2, 2006)

Open the file in a real text editor ;-)  I just like the opportunity to dig at vi.  But seriously, when you cut and paste from the terminal all sorts of funky stuff can happen with line ending and word wrap.  Open it in Text Edit.app and try the cut and paste from there.


----------



## svoltmer (Nov 2, 2006)

bbolin,
No, I can't ssh into the server, that is the problem.


----------



## svoltmer (Nov 2, 2006)

I copied the id_dsa.pub key in Text Editor into the web control ssh field for my hosting company and tried to ssh into the server again and was denied again with this debug log:


----------



## bbolin (Nov 2, 2006)

I'm a little confused.  Have you ever ssh into the server ?

Do you have any kind of shell access ?

If you have then ssh is running.  Your authorized_keys file is corrupting your attempts.  Remove your authorized_keys file and try to ssh into the server again.  If that is successful then scp the file with your public keys to the server and then copy it to your authorized_keys file.


----------



## svoltmer (Nov 2, 2006)

bbolin,

I have been granted shell access and was told that I needed to generate my keys and paste the public key into the web host's browser interface then I would be able to ssh into the server.

I have never been successful in logging in using ssh because something is happening with my public key or my private key.

I removed my authorized_keys file and was still denied:


----------



## bbolin (Nov 2, 2006)

You do NOT need ANY keys to login via ssh

The keys allow you to login without a password.  You need to get ssh working interactively b4 trying any keys.

Where is this directory ? your server or the hosting company ? 

/Users/steve/.ssh/id_dsa

What was the command you used to generate your keys ?


----------



## svoltmer (Nov 2, 2006)

that directory is on my local machine.

I used "ssh-keygen -t dsa" to generate the keys

Should I contact my hosting co? I could never log in just by "ssh username@domain.org"


----------



## bbolin (Nov 2, 2006)

The local syntax you used should be good to create the keys on your side.

Verify ssh is running on port 22 with a port scanner like nmap on your webhost servers.

And yes talk to the hosting company to find out any details.


----------



## svoltmer (Nov 6, 2006)

Just thought I would let everyone know that the login problem is solved!! Hallelujah!! 
My web host failed to mention that the SSH2 key needed to be rsa not dsa. Works great now. Thanks for all your help guys!


----------
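Added example, not part of the original posts: a Python check to run on a public-key entry before pasting it into a web form, covering the two failure modes raised in this thread (an entry wrapped or shortened by copy and paste, and a key of a type the host does not take). The `required_type` parameter, the function names and the filler-byte sample keys are assumptions made for illustration.

```python
import base64
import struct

def _fields(blob):
    """Split an SSH wire-format blob into its length-prefixed fields."""
    out, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("dangling length prefix")
        (n,) = struct.unpack(">I", blob[pos:pos + 4])
        if pos + 4 + n > len(blob):
            raise ValueError("field runs past end of blob")
        out.append(blob[pos + 4:pos + 4 + n])
        pos += 4 + n
    return out

def check_pubkey_paste(text, required_type=None):
    """Return a list of problems with text pasted as one public-key entry."""
    problems = []
    lines = [l for l in text.strip().splitlines() if l.strip()]
    if len(lines) != 1:
        problems.append("entry spans %d lines, expected 1" % len(lines))
    parts = lines[0].split() if lines else []
    if len(parts) < 2:
        return problems + ["expected '<type> <base64> [comment]'"]
    key_type, b64 = parts[0], parts[1]
    try:
        # every field must end exactly inside the blob, so a shortened
        # paste fails here even when the remaining base64 is still valid
        fields = _fields(base64.b64decode(b64, validate=True))
        inner = fields[0].decode("ascii")
    except (ValueError, IndexError, UnicodeDecodeError):
        return problems + ["key blob is truncated or corrupted"]
    if inner != key_type:
        problems.append("blob is %s but prefix says %s" % (inner, key_type))
    # required_type is a hypothetical parameter: the type the host says it takes
    if required_type and key_type != required_type:
        problems.append("key is %s, host requires %s" % (key_type, required_type))
    return problems

def constructed_entry(key_type, n_ints, comment="user@example.com"):
    """Build a well-formed entry from filler bytes (constructed, not a usable key)."""
    blob = b"".join(struct.pack(">I", len(f)) + f
                    for f in [key_type.encode()] + [b"\x01" * 20] * n_ints)
    return "%s %s %s" % (key_type, base64.b64encode(blob).decode(), comment)
```

For a real key, pass the contents of the `.pub` file as `text`; an `id_dsa.pub` entry checked with `required_type="ssh-rsa"` is reported as the wrong type.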



## lurk (Nov 6, 2006)

Glad to hear it works!


----------



## rubaix (Mar 19, 2009)

Svoltmer,   You said you solved the problem with RSA, that's great.

But will you please put exactly how you entered the ssh-keygen parameters and also anything you did locally.


Did you have to rename the file(s) in .ssh locally ??

Thanks dude.


----------

