A solaris server is attempting to connect to the mainframe sftp/coz and is failing during the key exchange (I think). Once it fails he is prompted to enter the userid password and he can connect. On the mainframe side I see: Failed publickey for ftp001
I had the user on the solaris issue a debug command when trying to connect and below is the output:
sftp -vvv -oPort=2222 -oIdentityFile=./id_rsa ftp001@plexdev
Connecting to plexdev...
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to plexdev [156.36.137.9] port 2222.
debug1: Connection established.
debug3: Not a RSA1 key file ./id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file ./id_rsa type 1
debug1: loaded 1 keys
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.0
debug1: match: OpenSSH_5.0 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 129/256
debug2: bits set: 513/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /home/pdarmor/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1868
debug3: check_host_in_hostfile: filename /home/pdarmor/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1868
debug1: Host 'plexdev' is known and matches the RSA host key.
debug1: Found key in /home/pdarmor/.ssh/known_hosts:1868
debug2: bits set: 525/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: ./id_rsa (0x2b8a68fb05f0)
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: ./id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
ftp001@plexdev's password:
Here is the log from the mainframe side:
debug1: fd 4 clearing O_NONBLOCK
debug1: Forked child 67175243.
debug3: send_rexec_state: entering fd = 8 config len 308,
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 4 out 4 newsock 4 pipe 7 sock 8
debug1: inetd sockets after dupping: 3, 3
debug1: cipher_init: none from source OpenSSL
debug1: cipher_init: none from source OpenSSL
Connection from 10.42.225.133 port 47534
debug1: zsshSmfSetConnSmfStatus: SMF status is 0
debug1: zsshSmfTestRecord: SMF is collecting type 119, subtype 98 records
debug3: zsshSmfSetCommonData: SMF type 119 subtype 98
debug1: Client protocol version 2.0; client software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.0
debug2: fd 3 setting O_NONBLOCK
debug2: Network child is on pid 16842850
debug3: Current IBM Release level: 23
debug3: MLS: seclabel of AS: uid:0 pid:67175243
debug3: MLS: peer socket: rc:0 t:0 seclabel: terminal:0A2AE185 poe_profile:
Port of Entry information retained for uid:0 pid:67175243.
debug3: MLS: seclabel of AS: uid:0 pid:67175243
debug3: MLS: peer socket: rc:0 t:0 seclabel: terminal:0A2AE185 poe_profile:
debug3: MLS: /var/empty: rc:0 t:1 seclabel: terminal: poe_profile:
debug3: preauth child monitor started
debug3: mm_request_receive entering
debug3: monitor_read: checking request 0
debug3: mm_answer_moduli: got parameters: 1024 1024 8192
debug3: mm_request_send entering: type 1
debug2: monitor_read: 0 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 4
debug3: mm_answer_sign
debug3: mm_answer_sign: signature 2C9132E0(271)
debug3: mm_request_send entering: type 5
debug2: monitor_read: 4 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 6
debug3: mm_answer_pwnamallow
debug3: get_pwnamallow: input user name ftp001, user database name FTP001
debug3: Trying to reverse map address 10.42.225.133.
debug2: parse_server_config: config reprocess config len 308
debug2: parse_server_config: config reprocess config len 70
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
debug3: mm_request_send entering: type 7
debug2: monitor_read: 6 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 3
debug3: mm_answer_authserv: service=ssh-connection, style=
debug2: monitor_read: 3 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 10
debug3: mm_answer_authpassword: sending result 0
debug3: mm_request_send entering: type 11
debug3: auth_log: authenticated 0, valid 1, failures 0, max 6, half 3, method none
Failed none for ftp001 from 10.42.225.133 port 47534 ssh2
debug3: mm_request_receive entering
debug3: monitor_read: checking request 20
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 2C91C2A0
debug1: temporarily_use_uid: 1001/1000000 (e=0/1)
debug1: trying public key file /u/ftp001/./PLEXDEV/etc/coz/FTP001.authorized_keys
debug1: restore_uid: 0/1
debug1: temporarily_use_uid: 1001/1000000 (e=0/1)
debug1: trying public key file /u/ftp001/./PLEXDEV/etc/coz/FTP001.authorized_keys
debug1: restore_uid: 0/1
debug3: auth_log: authenticated 0, valid 1, failures 0, max 6, half 3, method publickey
Failed publickey for ftp001 from 10.42.225.133 port 47534 ssh2
debug3: mm_answer_keyallowed: key 2C91C2A0 is disallowed
debug3: mm_request_send entering: type 21
debug3: mm_request_receive entering
debug1: do_cleanup
Can anyone help determine what may be wrong?
Authentication Failed publickey for ftp001
Re: Authentication Failed publickey for ftp001
It seems to be looking in /u/ftp001/./PLEXDEV/etc/coz/FTP001.authorized_keys
for the authorized_keys file.
I assume that you really want it to look in /PLEXDEV/etc/coz/FTP001.authorized_keys, right?
what do you have in /etc/ssh/sshd_config for AuthorizedKeysFile ?
It should be:
AuthorizedKeysFile /PLEXDEV/etc/coz/%u.authorized_keys
It appears to me that you left off the leading /, which would make it relative to the user's home directory
for the authorized_keys file.
I assume that you really want it to look in /PLEXDEV/etc/coz/FTP001.authorized_keys, right?
what do you have in /etc/ssh/sshd_config for AuthorizedKeysFile ?
It should be:
AuthorizedKeysFile /PLEXDEV/etc/coz/%u.authorized_keys
It appears to me that you left off the leading /, which would make it relative to the user's home directory
Re: Authentication Failed publickey for ftp001
This is what I have coded in the sshd_config file: AuthorizedKeysFile ./PLEXDEV/etc/coz/%u.authorized_keys
So, I should remove the '.' from in front of ./PLEXDEV?
So, I should remove the '.' from in front of ./PLEXDEV?
Re: Authentication Failed publickey for ftp001
Yes, remove the leading ".".
If the file path starts with a /, it will be absolute. Otherwise, it will be relative to the user's current working directory.
If the file path starts with a /, it will be absolute. Otherwise, it will be relative to the user's current working directory.