Hello,

yesterday we got a problem with publickey authentication. Keys are
distributed to the server as it should be, file access rights are set,
the key is found, see the log excerpt, but it is Postponed, and
Password authentication will be tried.

Aug 14 17:01:28 myhost sshd[13679]: debug1: matching key found:
file /home/foobar/.ssh/authorized_keys, line 1
Aug 14 17:01:28 myhost sshd[13679]: Found matching DSA key: <...>
Aug 14 17:01:28 myhost sshd[13679]: debug1: restore_uid: 0/0
Aug 14 17:01:28 myhost sshd[13679]: debug2: userauth_pubkey:
authenticated 0 pkalg ssh-dss
Aug 14 17:01:28 myhost sshd[13679]: Postponed publickey for foobar from
<....> port 11421 ssh2
Aug 14 17:01:32 myhost sshd[13679]: debug1: userauth-request for user
foobar service ssh-connection method password

I have tried with other key pairs, e.g. a version 2 RSA key, and it
works.

Does anybody have a clue, what might go wrong here? I'm guessing that
"debug2: userauth_pubkey: authenticated 0 pkalg ssh-ds" tells me, that
the key did not work, but that particular key has been identified to
have the right fingerprint, before ("Found matching DSA key"). I had
success in the LAN with an RSA key, and over WAN with DSA keys
failures. What could be the reason?

The client is some 4.x Ubuntu, the server some 3.x SuSE.

Bernd Strieder

X-No-Archive: Yes

Try disabling password authentication and enable only publickey
authentication.
What version of SSH are you using?
If that doesn't work and you should (either way) very much consider
upgrading your client and server.

X-No-Archive: Yes

Try disabling password authentication and enable only publickey
authentication.
What version of SSH are you using?
If that doesn't work and you should (either way) very much consider
upgrading your client and server.

Hello,

purpmint008@gmail.com wrote:

> X-No-Archive: Yes
>
> Try disabling password authentication and enable only publickey
> authentication.

That would be possible only as a temporary workaround, I have to keep
password authentication possible for some users not wanting to mess
around with key files. That should not prevent others from using
publickey.

> What version of SSH are you using?

It is nominally openssh 3.7.1 on the server, possibly with patches and
bugfixes from SuSE, and possibly openssh 4.4 on the client, some recent
Ubuntu.

> If that doesn't work and you should (either way) very much consider
> upgrading your client and server.

That means, that supposedly there are changes in key handling in
different versions of openssh, changes that might cause it to fail. Can
anybody confirm such things? The key formats should not have changed,
the algorithms are the same during all the time, so there must have
been causes to change something. IMO it would be scary, if this has
happened without any clear message about reasons of the failure.

Short of reading the sources myself, which I do not really have the time
for, is there any documentation about reasons to Postpone a publickey
authentication. Google did not turn up anything reasonable in that
direction, any keywords turning up some information would be
sufficient.

Upgrading the server is currently not an option.

Bernd Strieder

Hello,

Bernd Strieder wrote:

> Aug 14 17:01:28 myhost sshd[13679]: Postponed publickey for foobar
> from <....> port 11421 ssh2

According to the sources this means that the server verified that the
client has the matching public key only, but did not send a test
message signed by the private key, to really check the public key
against. Openssh seems to just record this, for added trust, or
whatever, but no authentication is happening.

So it seems like the client not trying to do real publickey
authentication. Could anybody confirm?

Since the client with problems is a foreign machine, I have to see to
get their logs. I have not been able to reproduce on the local
machines. Hopefully this is just some bad default configuration.

Bernd Strieder

X-No-Archive: Yes

>>What version of SSH are you using?
>It is nominally openssh 3.7.1 on the server, possibly with patches and
>bugfixes from SuSE, and possibly openssh 4.4 on the client, some recent
>Ubuntu.

WOW
You should really take the time and inconvenience to upgrade,
authorize, and teach
users into publickey authentication. Password authentication is like
asking to be brute forced
It will pay off! In terms of security, compatibility, etc.
OpenSSH is in version 4.6 (compatible with almost all OSs as well)
right now.
Ubuntu will be coming out with 7.10 soon.

That's all pretty much anyone can tell you right now. If your not
running the latest software then there is no point in asking for
(no offense).

Again, seriously consider revamping your server (backup, reformat,
install, install properly, teach, regulate, update, etc.).

X-No-Archive: Yes

>>What version of SSH are you using?
>It is nominally openssh 3.7.1 on the server, possibly with patches and
>bugfixes from SuSE, and possibly openssh 4.4 on the client, some recent
>Ubuntu.

WOW
You should really take the time and inconvenience to upgrade,
authorize, and teach
users into publickey authentication. Password authentication is like
asking to be brute forced
It will pay off! In terms of security, compatibility, etc.
OpenSSH is in version 4.6 (compatible with almost all OSs as well)
right now.
Ubuntu will be coming out with 7.10 soon.

That's all pretty much anyone can tell you right now. If your not
running the latest software then there is no point in asking for
(no offense).

Again, seriously consider revamping your server (backup, reformat,
install, install properly, teach, regulate, update, etc.).

X-No-Archive: Yes

> > What version of SSH are you using?

What I meant was: what version of the PROTOCOL are your running
(client and server)?
Version 2 is much more secure and compatible (these days).
Also, you can turn off Protocol version 1 to ensure that its
vulnerabilities aren't exploited.
Sorry for going off-topic.