10

A backuppc server is able to sign into remote machines as root and backup them up, but if I sign in as the backuppc user and try to ssh into these machines using the same key, the key is rejected with the following debug output:

OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /var/lib/BackupPC/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to XXX.XXXXXX.com [XX.XXX.XX.XX] port 222.
debug1: Connection established.
debug1: identity file /var/lib/BackupPC/.ssh/identity type -1
debug1: identity file /var/lib/BackupPC/.ssh/identity-cert type -1
debug3: Not a RSA1 key file /var/lib/BackupPC/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /var/lib/BackupPC/.ssh/id_rsa type 1
debug1: identity file /var/lib/BackupPC/.ssh/id_rsa-cert type -1
debug1: identity file /var/lib/BackupPC/.ssh/id_dsa type -1
debug1: identity file /var/lib/BackupPC/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.1
debug1: match: OpenSSH_6.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug3: Wrote 960 bytes for a total of 981
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug3: Wrote 24 bytes for a total of 1005
debug2: dh_gen_key: priv key bits set: 126/256
debug2: bits set: 1007/2048
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: Wrote 272 bytes for a total of 1277
debug3: put_host_port: [XX.XXX.XX.XX]:222
debug3: put_host_port: [XXX.XXXXX.com]:222
debug3: check_host_in_hostfile: host [XXX.XXXXX.com]:222 filename /var/lib/BackupPC/.ssh/known_hosts
debug3: check_host_in_hostfile: host [XXX.XXXXX.com]:222 filename /var/lib/BackupPC/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 69
debug3: check_host_in_hostfile: host [XX.XXX.XXX.XXX]:222 filename /var/lib/BackupPC/.ssh/known_hosts
debug3: check_host_in_hostfile: host [XX.XXX.XXX.XXX]:222 filename /var/lib/BackupPC/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 69
debug1: Host '[XXX.XXXXX.com]:222' is known and matches the RSA host key.
debug1: Found key in /var/lib/BackupPC/.ssh/known_hosts:69
debug2: bits set: 1045/2048
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: Wrote 16 bytes for a total of 1293
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug3: Wrote 48 bytes for a total of 1341
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /var/lib/BackupPC/.ssh/identity ((nil))
debug2: key: /var/lib/BackupPC/.ssh/id_rsa (0x7fdc6b7a4330)
debug2: key: /var/lib/BackupPC/.ssh/id_dsa ((nil))
debug3: Wrote 64 bytes for a total of 1405
Connection closed by XX.XXX.XXX.XXX

I know that it is a good idea to check the permissions of ~/.ssh on the machine I'm logging into but my problem is that I cannot access it. On the machine I'm trying to log into the remote one with here are the permission in the .ssh directory which is set to 600.

drwx------ 2 backuppc backuppc  115 Jul 18 09:50 .
drwxr-x--- 9 backuppc root      125 May 12 19:23 ..
-rw------- 1 backuppc backuppc    0 Jul 17 14:24 authorized_keys
-rw-r--r-- 1 backuppc backuppc  199 May 12 18:30 config
-rw------- 1 backuppc backuppc 1.7K Oct  7  2012 id_rsa
-rw------- 1 backuppc backuppc  413 Oct  7  2012 id_rsa.pub
-rw-r--r-- 1 backuppc backuppc  28K Jul 17 14:18 known_hosts

/etc/hosts.allow and /etc/hosts.deny have not been altered.

The key should never have been changed either since it was created and was not stored in the incorrect format as it's been used for years by this machine without issue. So far I have rebooted the system in the hopes that would help fix it but don't really know what else to do as generating a new key isn't really an option since these machines are far away. Does anyone know what I should do?

Any advice would be very much appreciated. Thanks in advance.

HAL9000
  • 139
  • 1
  • 3
  • 8
  • You say that your key is at ~/.ssh. The Error message is complaining about /var/lib/BackupPC/.ssh/id_rsa. Is your home folder located at /var/lib/BackupPC? – Safado Jul 18 '14 at 14:11
  • Yes it is. This is the way backuppc works. So ~/.ssh is the same as /var/lib/BackupPC/.ssh when signed in as the backuppc user. – HAL9000 Jul 18 '14 at 14:27
  • Ok, just asking. I've never seen an account have their home folder in /var/lib is all. – Safado Jul 18 '14 at 14:37
  • 1
    FWIW, the "unknown key type '-----BEGIN'" message and the ones following it aren't error messages. ssh is just checking to see if the key file is in a particular format, and it's being verbose because you asked it to be verbose. – Kenster Jul 20 '14 at 19:38

3 Answers3

2

Additional information in case anyone finds it useful.

This error can be caused by using a private key generated by a recent version of ssh-keygen with a much older version of the ssh client.

I generated a new keypair on OpenSSH_8.3p1, deployed the public key, and tried to use the private key with a version 5.3p1 client, and got this same error, followed by a prompt for a passphrase on a key that had no passphrase.

I had to generate and deploy a keypair using the old version of ssh in order to successfully log in from the old client.

Ex Umbris
  • 804
  • 7
  • 24
  • 1
    OpenSSH 7.8 up ssh-keygen _defaults_ to 'new' (dashed BEGIN OPENSSH PRIVATE KEY) format which is not readable by versions below 6.5, but you can use `-m pem` to create or convert to 'old' (dashed BEGIN RSA/DSA/EC PRIVATE KEY) format which is; see the man page. – dave_thompson_085 Jul 07 '20 at 02:07
  • WARNING what the man page doesn't tell you is that `-p -m PEM` will OVERWRITE the private key with the old format, so if you still need the new format for any reason, MAKE A BACKUP COPY. – Jeff Oct 24 '21 at 22:39
1

The related answer might be applicable here. Namely, you don't just need to check the permissions on your ~/.ssh directory, but on your home as well. I can't help but notice that you have 750 perms on your home, whereas the default is normally 700. Try changing that, and see if it helps?

Christopher Karel
  • 6,442
  • 1
  • 26
  • 34
0

Sorry guys it turns out that some place else in the backuppc config it was using a different name to log into the remote servers. All I did was use the correct username and I was able to sign in.

:)

HAL9000
  • 139
  • 1
  • 3
  • 8