sftp cannot authenticate connection
Leonid Massarskiy
except for sftp. When I try to sftp to another host I am getting the following
error message:
~~~~~~~~~~~~~~~~~~~~~~
No RSA host key is known for beta1.nyc.mpaccess.com and you have requested strict checking.
Couldn't read packet: Bad file number
~~~~~~~~~~~~~~~~~~~~~~
Disabling StrictHostKeyChecking and trying sftp again produces the following output:
~~~~~~~~~~~~~~~~~~~~~~
Warning: Permanently added 'hostname,IP' (RSA) to the list of known hosts.
Permission denied (publickey).
Couldn't read packet: Bad file number
~~~~~~~~~~~~~~~~~~~~~~~
Has anybody else seen this?
Thanks,
--Leonid
Josh Willis
The 'Couldn't read packet: Bad file number' message seems to always occur
when sftp (from OpenSSH 2.5.1) is unable to complete a connection for any
reason. For example, I encountered the same error when the host I was
connecting to didn't have the correct path to sftp-server and hence
could not get further than authentication.
To see what is really causing your problem you should try:
sftp -v <host>
and see what output that produces. From the 'Permission denied (publickey)' I
would guess that the host is performing authentication, but that for whatever
reason you are failing to authenticate. Have you tried connecting with password
authentication?
Josh
Leonid Massarskiy
Turning on verbose mode produces the following:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Connecting to <hostname>...
debug: SSH args "ssh -oProtocol=2 -s -oForwardAgent=no -oForwardX11=no -v <hostname> sftp"
OpenSSH_2.5.1p1, SSH protocols 1.5/2.0, OpenSSL 0x00905100
debug: Reading configuration data /etc/ssh_config
debug: Applying options for *
debug: ssh_connect: getuid 1015 geteuid 0 anon 0
debug: Connecting to <hostname> [<IP>] port 22.
debug: Seeded RNG with 35 bytes from programs
debug: Seeded RNG with 3 bytes from system calls
debug: Allocated local port 938.
debug: Connection established.
debug: identity file /u/lmassars/.ssh/identity type 0
debug: Remote protocol version 1.99, remote software version OpenSSH_2.5.1p1
debug: match: OpenSSH_2.5.1p1 pat ^OpenSSH
Enabling compatibility mode for protocol 2.0
debug: Local version string SSH-2.0-OpenSSH_2.5.1p1
debug: send KEXINIT
debug: done
debug: wait KEXINIT
debug: got kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug: got kexinit: ssh-dss,ssh-rsa
debug: got kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc
,rijndael192-cbc,rijndael256-cbc,rijnda...@lysator.liu.se
debug: got kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc
,rijndael192-cbc,rijndael256-cbc,rijnda...@lysator.liu.se
debug: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160,hmac-ri...@openssh.com,hmac-sha1-96,hmac-md5-96
debug: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160,hmac-ri...@openssh.com,hmac-sha1-96,hmac-md5-96
debug: got kexinit: none,zlib
debug: got kexinit: none,zlib
debug: got kexinit:
debug: got kexinit:
debug: first kex follow: 0
debug: reserved: 0
debug: done
debug: kex: server->client 3des-cbc hmac-sha1 none
debug: kex: client->server 3des-cbc hmac-sha1 none
debug: Sending SSH2_MSG_KEX_DH_GEX_REQUEST.
debug: Wait SSH2_MSG_KEX_DH_GEX_GROUP.
debug: Got SSH2_MSG_KEX_DH_GEX_GROUP.
debug: bits set: 510/1024
debug: Sending SSH2_MSG_KEX_DH_GEX_INIT.
debug: Wait SSH2_MSG_KEX_DH_GEX_REPLY.
debug: Got SSH2_MSG_KEXDH_REPLY.
debug: Host '<hostname>' is known and matches the RSA host key.
debug: Found key in /u/lmassars/.ssh/known_hosts2:2
debug: bits set: 520/1024
debug: ssh_rsa_verify: signature correct
debug: Wait SSH2_MSG_NEWKEYS.
debug: GOT SSH2_MSG_NEWKEYS.
debug: send SSH2_MSG_NEWKEYS.
debug: done: send SSH2_MSG_NEWKEYS.
debug: done: KEX2.
debug: send SSH2_MSG_SERVICE_REQUEST
debug: service_accept: ssh-userauth
debug: got SSH2_MSG_SERVICE_ACCEPT
debug: authentications that can continue: publickey
debug: next auth method to try is publickey
debug: no more auth methods to try
Permission denied (publickey).
debug: Calling cleanup 0x26fbc(0x0)
debug: Calling cleanup 0x2c43c(0x0)
debug: writing PRNG seed to file /u/lmassars/.ssh/prng_seed
Couldn't read packet: Bad file number
I don't understand why it denies publickey authentication.
Thanks much,
--Leonid
On 14 Mar 2001, Josh Willis wrote:
> In article <Pine.GSO.4.30.010314...@fs1.nyc.office.mpaccess.com>,
> Leonid Massarskiy <lmas...@mediapartnerships.com> writes:
> >I recently upgraded my Solaris boxes to OpenSSH_2.5.1p1. Everything works fine
> >except for sftp. When I try to sftp to another host I am getting the following
> >error message:
> >~~~~~~~~~~~~~~~~~~~~~~
> >No RSA host key is known for <hostname> and you have requested strict checking.
Richard Silverman
>>>>> "Leonid" == Leonid Massarskiy <lmas...@mediapartnerships.com> writes:
Leonid> I don't understand why it denies publickey authentication.
Have you generated keys and put the public key you want to use on the
server? From the debug trace, it looks like the client can't even find
any local keys to try.
--
Richard Silverman
sl...@shore.net
Leonid Massarskiy
between version upgrades, it shouldn't matter though, should it?
Thank you,
--Leonid
Leonid Massarskiy
I think I solved my sftp problem, you were absolutely right, I didn't have SSH2 keys
generated. ssh and scp worked because I was still using SSH1 compatibility mode as
half of my hosts still use SSH1. As soon as I generated dsa key pair sftp started
working.
I couldn't force sftp use SSH1 authentication with '-o Protocol=1' argument.
Does sftp support SSH1?
Thanks a lot for your help,
--Leonid
Josh Willis
Which protocol of ssh do you use when connecting with 'ssh <host>'?
Namely, do you select through either command line option or ssh_config
file to use protocol version one?
On Wed, 14 Mar 2001, Leonid Massarskiy wrote:
> Password authentication seems to be working fine, RSA still does not.
> Turning on verbose mode produces the following:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Connecting to <hostname>...
> debug: SSH args "ssh -oProtocol=2 -s -oForwardAgent=no -oForwardX11=no -v <hostname> sftp"
> OpenSSH_2.5.1p1, SSH protocols 1.5/2.0, OpenSSL 0x00905100
sftp is clearly proceeding through protocol 2, however...
...
> debug: identity file /u/lmassars/.ssh/identity type 0
this is the default identity file for protocol version 1. If you were
using protocol version 2 it would be .ssh/id_dsa and would be of type 3
(if you generated the key with ssh-keygen -t dsa)
> debug: Remote protocol version 1.99, remote software version OpenSSH_2.5.1p1
> debug: match: OpenSSH_2.5.1p1 pat ^OpenSSH
> Enabling compatibility mode for protocol 2.0
> debug: Local version string SSH-2.0-OpenSSH_2.5.1p1
...
> debug: authentications that can continue: publickey
> debug: next auth method to try is publickey
> debug: no more auth methods to try
> Permission denied (publickey).
Again, as Richard has pointed out, sftp (or rather ssh, at this point) has
not found any keys to try. Have you put the public key in the correct
format in .ssh/authorized_keys2 ?
I cannot reproduce the behavior your log shows unless I do the following:
(1) Place 'IdentityFile ~/.ssh/identity' in ~/.ssh/config
(2) I do *not* add the corresponding public key to ~/.ssh/authorized_keys2
(3) I *do* add 'Protocol 1,2' to ~/.ssh/config
Then ssh will work correctly, because it will try protocol 1 first and
hence find the expected format of key; it then prompts for the passphrase.
However, sftp is still trying protocol 2; this is becuase sftp invokes ssh
with the command line argument '-oProtocol=2' as the debug trace shows.
Hence when it looks in ~/.ssh/authorized_keys2 it does not find a valid
key. You can either:
(1) Invoke sftp with protocol 1 by typing:
sftp -1 <host>
(2) Switch over to protocol 2 entirely. Generate new public keys for
protocol 2 using 'ssh-keygen -t dsa' and by default ssh-keygen will prompt
to save this in ~/.ssh/id_dsa. Then add id_dsa.pub to authorized_keys2
on the server machines. Examine /etc/ssh/ssh_config and ~/.ssh/config to
see if you are trying protocol 2 first, through a line of the form
'Protocol 2,1'. Change if you are not.
Hope this helps,
Josh
Leonid Massarskiy
On Wed, 14 Mar 2001, Josh Willis wrote:
>
> Which protocol of ssh do you use when connecting with 'ssh <host>'?
> Namely, do you select through either command line option or ssh_config
> file to use protocol version one?
I was indeed using SSH1 when connecting with ssh and scp.
>
> On Wed, 14 Mar 2001, Leonid Massarskiy wrote:
>
> > Password authentication seems to be working fine, RSA still does not.
> > Turning on verbose mode produces the following:
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > Connecting to <hostname>...
> > debug: SSH args "ssh -oProtocol=2 -s -oForwardAgent=no -oForwardX11=no -v <hostname> sftp"
> > OpenSSH_2.5.1p1, SSH protocols 1.5/2.0, OpenSSL 0x00905100
>
> sftp is clearly proceeding through protocol 2, however...
I was using '-o Protocol=1' argument with sftp but it was still trying SSH2 authentication.
I am in a process of doing it, but half of my hosts are still using SSH1.
Moreover, TTSSH which my NT clients use doesn't support SSH2.
> protocol 2 using 'ssh-keygen -t dsa' and by default ssh-keygen will prompt
> to save this in ~/.ssh/id_dsa. Then add id_dsa.pub to authorized_keys2
> on the server machines. Examine /etc/ssh/ssh_config and ~/.ssh/config to
> see if you are trying protocol 2 first, through a line of the form
> 'Protocol 2,1'. Change if you are not.
>
> Hope this helps,
It definitely did help :-) Thanks a lot!
--Leonid
>
> Josh
>