Shravan Mishra
2010-08-20 23:41:19 UTC
Hi Guys,
I'm using Sun's hardware token sca6000 to act as keystore and I'm trying to
use openssh with x509 such that client authentication fetches the
certificates/keys from the hardware token.
System Info:
OpenSSH_5.3p1, OpenSSL 0.9.8l-fips 5 Nov 2009
2.6.29.6-0.6.smp.gcc4.1.x86_64 #1 SMP
I have applied Roumen Petrov's x509 patch - openssh-5.3p1+x509-6.2.2.diff
and Alon's pkcs11 patch openssh-5.2pkcs11-0.26.tar.bz2 (also openssh-5.3).
I'm following http://www.roumenpetrov.info/openssh/x509-6.2.2/README.x509v3 to
configure my client and server.
On the server:
===========
cat ~/.ssh/authorized_keys
=====
x509v3-sign-rsa subject= /C=US/O=Trustwave/OU=dev/CN=root
====
/usr/sbin/sshd -ddd
========
debug2: load_server_config: filename /usr/local/etc/sshd_config
debug2: load_server_config: done config len = 301
debug2: parse_server_config: config /usr/local/etc/sshd_config len 301
debug3: /usr/local/etc/sshd_config:21 setting Protocol 2
debug3: /usr/local/etc/sshd_config:46 setting RSAAuthentication yes
debug3: /usr/local/etc/sshd_config:47 setting PubkeyAuthentication yes
debug3: /usr/local/etc/sshd_config:113 setting Subsystem sftp
/usr/libexec/openssh/sftp-server
debug3: /usr/local/etc/sshd_config:122 setting AllowedCertPurpose sslclient
debug3: /usr/local/etc/sshd_config:127 setting X509KeyAlgorithm
x509v3-sign-rsa,rsa-sha1
debug2: hash dir '/usr/local/etc/ca/crt' added to x509 store
debug2: file '/usr/local/etc/ca/ca-bundle.crt' added to x509 store
debug2: hash dir '/usr/local/etc/ca/crl' added to x509 revocation store
debug1: ssh_set_validator: ignore responder url
debug1: sshd version OpenSSH_5.3p1
debug3: Not a RSA1 key file /usr/local/etc/ssh_host_rsa_key.
debug1: read PEM private key begin
debug1: read X.509 certificate begin
debug3: x509key_load_cert: PEM_read_X509 fail
error:0906D06C:lib(9):func(109):reason(108)
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug3: Not a RSA1 key file /usr/local/etc/ssh_host_dsa_key.
debug1: read PEM private key begin
debug1: read X.509 certificate begin
debug3: x509key_load_cert: PEM_read_X509 fail
error:0906D06C:lib(9):func(109):reason(108)
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-ddd'
debug2: fd 4 setting O_NONBLOCK
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug2: fd 5 setting O_NONBLOCK
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug3: fd 6 is not O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 9 config len 301
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 6 out 6 newsock 6 pipe -1 sock 9
debug1: inetd sockets after dupping: 3, 3
Connection from 172.30.0.144 port 47460
debug1: Client protocol version 2.0; client software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug2: fd 3 setting O_NONBLOCK
debug2: Network child is on pid 31066
debug3: preauth child monitor started
debug3: mm_request_receive entering
debug3: privsep user:group 74:74
debug1: permanently_set_uid: 74/74
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug3: Wrote 784 bytes for a total of 805
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
rijndael-***@lysator.liu.se
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
rijndael-***@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-***@openssh.com
,hmac-ripemd160,hmac-***@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-***@openssh.com
,hmac-ripemd160,hmac-***@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,***@openssh.com
debug2: kex_parse_kexinit: none,***@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
rijndael-***@lysator.liu.se
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
rijndael-***@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-***@openssh.com
,hmac-ripemd160,hmac-***@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-***@openssh.com
,hmac-ripemd160,hmac-***@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,***@openssh.com,zlib
debug2: kex_parse_kexinit: none,***@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug3: mm_request_send entering: type 0
debug3: monitor_read: checking request 0
debug3: mm_answer_moduli: got parameters: 1024 1024 8192
debug3: mm_request_send entering: type 1
debug2: monitor_read: 0 used once, disabling now
debug3: mm_request_receive entering
debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI
debug3: mm_request_receive_expect entering: type 1
debug3: mm_request_receive entering
debug3: mm_choose_dh: remaining 0
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug3: Wrote 280 bytes for a total of 1085
debug2: dh_gen_key: priv key bits set: 131/256
debug2: bits set: 1044/2048
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug2: bits set: 1034/2048
debug3: mm_key_sign entering
debug3: mm_request_send entering: type 4
debug3: monitor_read: checking request 4
debug3: mm_answer_sign
debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN
debug3: mm_request_receive_expect entering: type 5
debug3: mm_request_receive entering
debug3: mm_answer_sign: signature 0x6a0450(271)
debug3: mm_request_send entering: type 5
debug2: monitor_read: 4 used once, disabling now
debug3: mm_request_receive entering
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: Wrote 848 bytes for a total of 1933
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug3: Wrote 48 bytes for a total of 1981
debug1: userauth-request for user root service ssh-connection method none
debug1: attempt 0 failures 0
debug3: mm_getpwnamallow entering
debug3: mm_request_send entering: type 6
debug3: monitor_read: checking request 6
debug3: mm_answer_pwnamallow
debug3: Trying to reverse map address 172.30.0.144.
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
debug3: mm_request_receive_expect entering: type 7
debug3: mm_request_receive entering
debug2: parse_server_config: config reprocess config len 301
debug3: auth_shadow_acctexpired: today 14841 sp_expire -1 days left -14842
debug3: account expiration disabled
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
debug3: mm_request_send entering: type 7
debug2: monitor_read: 6 used once, disabling now
debug3: mm_request_receive entering
debug2: input_userauth_request: setting up authctxt for root
debug3: mm_inform_authserv entering
debug3: mm_request_send entering: type 3
debug3: monitor_read: checking request 3
debug3: mm_answer_authserv: service=ssh-connection, style=
debug2: monitor_read: 3 used once, disabling now
debug3: mm_request_receive entering
debug2: input_userauth_request: try method none
debug3: mm_auth_password entering
debug3: mm_request_send entering: type 10
debug3: monitor_read: checking request 10
debug3: mm_answer_authpassword: sending result 0
debug3: mm_request_send entering: type 11
Failed none for root from 172.30.0.144 port 47460 ssh2
debug3: mm_request_receive entering
debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
debug3: mm_request_receive_expect entering: type 11
debug3: mm_request_receive entering
debug3: mm_auth_password: user not authenticated
debug3: Wrote 80 bytes for a total of 2061
debug1: userauth-request for user root service ssh-connection method
publickey
debug1: attempt 1 failures 0
debug2: input_userauth_request: try method publickey
debug3: key_from_blob(..., 279)
debug3: x509key_from_blob: We have 279 bytes available in BIO
debug3: x509key_from_blob: read X509 from BIO fail
error:0D0680A8:lib(13):func(104):reason(168)
debug3: key_from_blob(..., ...) ktype=ssh-rsa
debug1: test whether pkalg/pkblob are acceptable
debug3: mm_key_allowed entering
debug3: mm_request_send entering: type 20
debug3: monitor_read: checking request 20
debug3: mm_answer_keyallowed entering
debug3: key_from_blob(..., 279)
debug3: x509key_from_blob: We have 279 bytes available in BIO
debug3: x509key_from_blob: read X509 from BIO fail
error:0D0680A8:lib(13):func(104):reason(168)
debug3: key_from_blob(..., ...) ktype=ssh-rsa
debug3: mm_answer_keyallowed: key_from_blob: 0x69f7e0
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug1: trying public key file /root/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
debug3: secure_filename: checking '/root/.ssh'
debug3: secure_filename: checking '/root'
debug3: secure_filename: terminating check at '/root'
debug3: key_read: type mismatch
debug2: user_key_allowed: check options: 'x509v3-sign-rsa subject=
/C=US/O=Trustwave/OU=dev/CN=root
'
debug2: key_type_from_name: unknown key type 'subject='
debug3: key_read: missing keytype
debug2: user_key_allowed: advance: 'subject=
/C=US/O=Trustwave/OU=dev/CN=root
'
debug1: restore_uid: 0/0
debug2: key not found
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug1: trying public key file /root/.ssh/authorized_keys2
debug1: restore_uid: 0/0
Failed publickey for root from 172.30.0.144 port 47460 ssh2
debug3: mm_answer_keyallowed: key 0x69f7e0 is not allowed
debug3: mm_request_send entering: type 21
debug3: mm_request_receive entering
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
debug3: mm_request_receive_expect entering: type 21
debug3: mm_request_receive entering
debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa
debug3: Wrote 80 bytes for a total of 2141
debug1: userauth-request for user root service ssh-connection method
publickey
debug1: attempt 2 failures 1
debug2: input_userauth_request: try method publickey
debug3: key_from_blob(..., 279)
debug3: x509key_from_blob: We have 279 bytes available in BIO
debug3: x509key_from_blob: read X509 from BIO fail
error:0D0680A8:lib(13):func(104):reason(168)
debug3: key_from_blob(..., ...) ktype=ssh-rsa
debug1: test whether pkalg/pkblob are acceptable
debug3: mm_key_allowed entering
debug3: mm_request_send entering: type 20
debug3: monitor_read: checking request 20
debug3: mm_answer_keyallowed entering
debug3: key_from_blob(..., 279)
debug3: x509key_from_blob: We have 279 bytes available in BIO
debug3: x509key_from_blob: read X509 from BIO fail
error:0D0680A8:lib(13):func(104):reason(168)
debug3: key_from_blob(..., ...) ktype=ssh-rsa
debug3: mm_answer_keyallowed: key_from_blob: 0x69f680
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug1: trying public key file /root/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
debug3: secure_filename: checking '/root/.ssh'
debug3: secure_filename: checking '/root'
debug3: secure_filename: terminating check at '/root'
debug3: key_read: type mismatch
debug2: user_key_allowed: check options: 'x509v3-sign-rsa subject=
/C=US/O=Trustwave/OU=dev/CN=root
'
debug2: key_type_from_name: unknown key type 'subject='
debug3: key_read: missing keytype
debug2: user_key_allowed: advance: 'subject=
/C=US/O=Trustwave/OU=dev/CN=root
'
debug1: restore_uid: 0/0
debug2: key not found
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug1: trying public key file /root/.ssh/authorized_keys2
debug1: restore_uid: 0/0
Failed publickey for root from 172.30.0.144 port 47460 ssh2
debug3: mm_answer_keyallowed: key 0x69f680 is not allowed
debug3: mm_request_send entering: type 21
debug3: mm_request_receive entering
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
debug3: mm_request_receive_expect entering: type 21
debug3: mm_request_receive entering
debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa
debug3: Wrote 80 bytes for a total of 2221
debug1: userauth-request for user root service ssh-connection method
keyboard-interactive
debug1: attempt 3 failures 2
debug2: input_userauth_request: try method keyboard-interactive
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=root devs=
debug1: kbdint_alloc: devices ''
debug2: auth2_challenge_start: devices
debug3: Wrote 80 bytes for a total of 2301
======
On the client:
==========
ssh -vv -# /usr/lib64/opencryptoki/PKCS11_API.so:1:0:1 ***@172.30.0.104
OpenSSH_5.3p1, OpenSSL 0.9.8l-fips 5 Nov 2009
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: PKCS#11: Adding PKCS#11 provider
'/usr/lib64/opencryptoki/PKCS11_API.so'
debug2: PKCS#11: Adding provider
'/usr/lib64/opencryptoki/PKCS11_API.so'-'/usr/lib64/opencryptoki/PKCS11_API.so'
debug2: PKCS#11: Provider '/usr/lib64/opencryptoki/PKCS11_API.so' added
rv=0-'CKR_OK'
debug2: ssh_connect: needpriv 0
debug1: Connecting to 172.30.0.104 [172.30.0.104] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug2: PKCS#11: Creating a new session
debug2: PKCS#11: Get certificate attributes failed:
179:'CKR_SESSION_HANDLE_INVALID'
debug2: PKCS#11: Calling pin_prompt hook for 'trustwave-ks'
Please enter PIN for token 'trustwave-ks':
debug2: PKCS#11: pin_prompt hook return rv=0
debug2: PKCS#11: Calling pin_prompt hook for 'trustwave-ks'
Please enter PIN for token 'trustwave-ks':
debug2: PKCS#11: pin_prompt hook return rv=0
debug2: PKCS#11: Using cached session
debug2: PKCS#11: Using cached session
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug2: fd 6 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
rijndael-***@lysator.liu.se
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
rijndael-***@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-***@openssh.com
,hmac-ripemd160,hmac-***@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-***@openssh.com
,hmac-ripemd160,hmac-***@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,***@openssh.com,zlib
debug2: kex_parse_kexinit: none,***@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
rijndael-***@lysator.liu.se
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
rijndael-***@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-***@openssh.com
,hmac-ripemd160,hmac-***@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-***@openssh.com
,hmac-ripemd160,hmac-***@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,***@openssh.com
debug2: kex_parse_kexinit: none,***@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 995/2048
debug2: bits set: 1034/2048
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '172.30.0.104' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug2: bits set: 1044/2048
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /C=CA/ST=ON/L=Cambridge/O=Trustwave/CN=c709.e-lab.itactics.com on trustwave-ks (0x6813a0)
debug2: key: /C=US/O=Trustwave/OU=dev/CN=root on trustwave-ks (0x67f220)
debug2: key: /root/.ssh/identity ((nil))
debug2: key: /root/.ssh/id_rsa ((nil))
debug2: key: /root/.ssh/id_dsa ((nil))
debug1: Authentications that can continue:
publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /C=CA/ST=ON/L=Cambridge/O=Trustwave/CN=
c709.e-lab.itactics.com on trustwave-ks
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue:
publickey,password,keyboard-interactive
debug1: Offering public key: /C=US/O=Trustwave/OU=dev/CN=root on
trustwave-ks
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue:
publickey,password,keyboard-interactive
debug1: Trying private key: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: Authentications that can continue:
publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
***@172.30.0.104's password:
==========
I don't understand the reason for key mismatch if the same keys are being
sent by the client as they are in the authorized_keys file on the server.
Any help will be appreciated.
Thanks
Shravan
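
Added example, not part of the original post and not code from OpenSSH or either patch: a small triage script that rejoins the mail-wrapped `sshd -ddd` lines and, for each publickey attempt, reports the algorithm the client offered next to the key type found in authorized_keys. `SAMPLE_LOG` is an excerpt copied from the server log above; the function and field names are this example's own.

```python
import re

# Excerpt of the server-side "sshd -ddd" output quoted in the post,
# kept with the same mail-client line wrapping.
SAMPLE_LOG = """\
debug1: userauth-request for user root service ssh-connection method
publickey
debug1: attempt 1 failures 0
debug3: x509key_from_blob: read X509 from BIO fail
error:0D0680A8:lib(13):func(104):reason(168)
debug3: key_from_blob(..., ...) ktype=ssh-rsa
debug1: trying public key file /root/.ssh/authorized_keys
debug3: key_read: type mismatch
debug2: user_key_allowed: check options: 'x509v3-sign-rsa subject=
/C=US/O=Trustwave/OU=dev/CN=root
'
debug2: key not found
Failed publickey for root from 172.30.0.144 port 47460 ssh2
debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa
debug1: userauth-request for user root service ssh-connection method
keyboard-interactive
"""

REQ = re.compile(r"userauth-request for user (\S+) service \S+ method (\S+)")
ENTRY = re.compile(r"user_key_allowed: check options: '(\S+)")
RESULT = re.compile(r"userauth_pubkey: authenticated (\d) pkalg (\S+)")


def unwrap(log_text):
    """Rejoin continuation lines: anything not starting with debugN: is
    appended to the previous line (how the mail client wrapped the log)."""
    out = []
    for raw in log_text.splitlines():
        if re.match(r"debug[1-3]: ", raw) or not out:
            out.append(raw.rstrip())
        else:
            out[-1] += " " + raw.strip()
    return out


def pubkey_attempts(log_text):
    """Return one record per 'method publickey' userauth request."""
    attempts, cur = [], None
    for line in unwrap(log_text):
        m = REQ.search(line)
        if m:
            cur = None
            if m.group(2) == "publickey":
                cur = {"user": m.group(1), "offered": None, "entry_types": [],
                       "x509_parse_failed": False, "type_mismatch": False,
                       "authenticated": None}
                attempts.append(cur)
            continue
        if cur is None:
            continue
        if "x509key_from_blob: read X509 from BIO fail" in line:
            cur["x509_parse_failed"] = True
        elif "key_read: type mismatch" in line:
            cur["type_mismatch"] = True
        elif (m := ENTRY.search(line)):
            # First token of the authorized_keys line as sshd read it.
            cur["entry_types"].append(m.group(1))
        elif (m := RESULT.search(line)):
            cur["authenticated"] = m.group(1) == "1"
            cur["offered"] = m.group(2)
    return attempts


def findings(attempt):
    """Summarise what the log lines themselves say about one attempt."""
    notes = []
    if attempt["x509_parse_failed"]:
        notes.append("sshd could not read an X.509 certificate from the key blob")
    x509_entries = [t for t in attempt["entry_types"] if t.startswith("x509v3-")]
    offered = attempt["offered"]
    if x509_entries and offered and not offered.startswith("x509v3-"):
        notes.append(f"client offered '{offered}' but the authorized_keys "
                     f"entry is '{x509_entries[0]}'")
    if attempt["type_mismatch"]:
        notes.append("key_read reported a type mismatch for the authorized_keys line")
    return notes


if __name__ == "__main__":
    for n, attempt in enumerate(pubkey_attempts(SAMPLE_LOG), 1):
        print(f"publickey attempt {n} for {attempt['user']}: "
              f"authenticated={attempt['authenticated']}")
        for note in findings(attempt):
            print("  -", note)
```
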
Please enter PIN for token 'trustwave-ks':
debug2: PKCS#11: pin_prompt hook return rv=0
debug2: PKCS#11: Calling pin_prompt hook for 'trustwave-ks'
Please enter PIN for token 'trustwave-ks':
debug2: PKCS#11: pin_prompt hook return rv=0
debug2: PKCS#11: Using cached session
debug2: PKCS#11: Using cached session
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug2: fd 6 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
rijndael-***@lysator.liu.se
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
rijndael-***@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-***@openssh.com
,hmac-ripemd160,hmac-***@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-***@openssh.com
,hmac-ripemd160,hmac-***@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,***@openssh.com,zlib
debug2: kex_parse_kexinit: none,***@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
rijndael-***@lysator.liu.se
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
rijndael-***@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-***@openssh.com
,hmac-ripemd160,hmac-***@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-***@openssh.com
,hmac-ripemd160,hmac-***@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,***@openssh.com
debug2: kex_parse_kexinit: none,***@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 995/2048
debug2: bits set: 1034/2048
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '172.30.0.104' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug2: bits set: 1044/2048
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /C=CA/ST=ON/L=Cambridge/O=Trustwave/CN=c709.e-lab.itactics.com on trustwave-ks (0x6813a0)
debug2: key: /C=US/O=Trustwave/OU=dev/CN=root on trustwave-ks (0x67f220)
debug2: key: /root/.ssh/identity ((nil))
debug2: key: /root/.ssh/id_rsa ((nil))
debug2: key: /root/.ssh/id_dsa ((nil))
debug1: Authentications that can continue:
publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /C=CA/ST=ON/L=Cambridge/O=Trustwave/CN=c709.e-lab.itactics.com on trustwave-ks
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue:
publickey,password,keyboard-interactive
debug1: Offering public key: /C=US/O=Trustwave/OU=dev/CN=root on
trustwave-ks
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue:
publickey,password,keyboard-interactive
debug1: Trying private key: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: Authentications that can continue:
publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
***@172.30.0.104's password:
==========
I don't understand the reason for the key mismatch if the same keys are being
sent by the client as they are in the authorized_keys file on the server.
Any help will be appreciated.
Thanks
Shravan
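
Added example (not part of the original post and not OpenSSH code): a small Python triage helper for `sshd -ddd` output like the above. For each publickey attempt it reports the key type sshd decoded from the client's blob next to the key type named in the `authorized_keys` entry. The function name and the embedded sample, copied from the second attempt in the server log, are this example's own.

```python
import re

# Constructed sample: lines copied from the sshd -ddd output in the post
# (second publickey attempt), trimmed to the ones that carry key-type facts.
SAMPLE_LOG = """\
debug2: input_userauth_request: try method publickey
debug3: x509key_from_blob: read X509 from BIO fail
debug3: key_from_blob(..., ...) ktype=ssh-rsa
debug1: trying public key file /root/.ssh/authorized_keys
debug3: key_read: type mismatch
debug2: user_key_allowed: check options: 'x509v3-sign-rsa subject=
/C=US/O=Trustwave/OU=dev/CN=root
'
debug2: key_type_from_name: unknown key type 'subject='
debug2: key not found
debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa
"""

BLOB_TYPE = re.compile(r"key_from_blob\(\.\.\., \.\.\.\) ktype=(\S+)")
ENTRY_TYPE = re.compile(r"user_key_allowed: check options: '(\S+)")
RESULT = re.compile(r"userauth_pubkey: authenticated (\d) pkalg (\S+)")

def summarize_pubkey_attempts(log_text):
    """Return one dict per publickey attempt found in sshd debug output."""
    attempts, cur = [], None
    for line in log_text.splitlines():
        if "try method publickey" in line:
            # A new attempt starts; facts are filled in as lines arrive.
            cur = {"blob_type": None, "x509_parse_failed": False,
                   "entry_types": [], "type_mismatch": False}
        elif cur is None:
            continue
        elif "read X509 from BIO fail" in line:
            cur["x509_parse_failed"] = True   # sshd could not parse the blob as X.509
        elif "key_read: type mismatch" in line:
            cur["type_mismatch"] = True
        elif m := BLOB_TYPE.search(line):
            cur["blob_type"] = m.group(1)     # type sshd decoded from the client blob
        elif m := ENTRY_TYPE.search(line):
            if m.group(1) not in cur["entry_types"]:
                cur["entry_types"].append(m.group(1))  # type named in authorized_keys
        elif m := RESULT.search(line):
            cur.update(authenticated=m.group(1) == "1", pkalg=m.group(2))
            attempts.append(cur)
            cur = None
    return attempts

if __name__ == "__main__":
    for number, attempt in enumerate(summarize_pubkey_attempts(SAMPLE_LOG), 1):
        print(number, attempt)
```

On the sample it yields one attempt whose decoded blob type is `ssh-rsa` while the `authorized_keys` entry names `x509v3-sign-rsa`, the same pair of values the server log shows around `key_read: type mismatch`.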