Discussion:
net::ssh2 problem
Bernie Cosell
2018-12-13 01:39:41 UTC
I don't know if this is a host problem, net_ssh2 problem or what. I have a
perfectly working script that does:

    my $ssh2 = Net::SSH2->new() ;
    $ssh2->connect(HOST) or $ssh2->die_with_error ;
    $ssh2->check_hostkey(tofu => HOSTKEY)
        or $ssh2->die_with_error ;
    $ssh2->auth_publickey(USER, PUBLICKEY, PRIVATEKEY)
        or $ssh2->die_with_error ;
    $ssh2->auth_ok() ;
    print "connected!\n" ;

When the *only* change I make is to change the HOST and the USER to a
different host [one I can SSH into with an SSH client using the same SSH
keys] I get

Username/PublicKey combination invalid (-18
LIBSSH2_ERROR_PUBLICKEY_UNRECOGNIZED
) at D:\Perl\ondreamhost.pl line 26.

And I'm a bit perplexed. Perhaps I just don't understand how ssh keys
work: Does the private key somehow encode the username? In my SSH client
I'm using the same SSH key profile for both hosts. Why would a
username/publickey combination be invalid?

Thanks /bernie\
--
Bernie Cosell Fantasy Farm Fibers
***@fantasyfarm.com Pearisburg, VA
--> Too many people, too few sheep <--
Zebee Johnstone
2018-12-13 03:07:23 UTC
In comp.lang.perl.misc on Wed, 12 Dec 2018 20:39:41 -0500
Post by Bernie Cosell
I don't know if this is a host problem, net_ssh2 problem or what. I have a
my $ssh2 = Net::SSH2->new() ;
$ssh2->connect(HOST) or $ssh2->die_with_error ;
$ssh2->check_hostkey(tofu => HOSTKEY)
or $ssh2->die_with_error ;
$ssh2->auth_publickey(USER, PUBLICKEY, PRIVATEKEY)
or $ssh2->die_with_error ;
$ssh2->auth_ok() ;
print "connected!\n" ;
When the *only* change I make is to change the HOST and the USER to a
different host [one I can SSH into with an SSH client using the same SSH
keys] I get
Username/PublicKey combination invalid (-18
LIBSSH2_ERROR_PUBLICKEY_UNRECOGNIZED
) at D:\Perl\ondreamhost.pl line 26.
And I'm a bit perplexed. Perhaps I just don't understand how ssh keys
work: Does the private key somehow encode the username? In my SSH client
I'm using the same SSH key profile for both hosts. Why would a
username/publickey combination be invalid?
Have you ssh'd in to the new host as the user the script is running
as? So that the script user has the host key in its known_hosts?

Zebee
Rainer Weikusat
2018-12-13 15:25:53 UTC
Post by Bernie Cosell
I don't know if this is a host problem, net_ssh2 problem or what. I have a
my $ssh2 = Net::SSH2->new() ;
$ssh2->connect(HOST) or $ssh2->die_with_error ;
$ssh2->check_hostkey(tofu => HOSTKEY)
or $ssh2->die_with_error ;
$ssh2->auth_publickey(USER, PUBLICKEY, PRIVATEKEY)
or $ssh2->die_with_error ;
$ssh2->auth_ok() ;
print "connected!\n" ;
When the *only* change I make is to change the HOST and the USER to a
different host [one I can SSH into with an SSH client using the same SSH
keys] I get
Username/PublicKey combination invalid (-18
LIBSSH2_ERROR_PUBLICKEY_UNRECOGNIZED
) at D:\Perl\ondreamhost.pl line 26.
And I'm a bit perplexed. Perhaps I just don't understand how ssh keys
work: Does the private key somehow encode the username?
ssh stores the username alongside the public key:

***@doppelsaurus:~$ cd .ssh/
***@doppelsaurus:~/.ssh$ cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDiEdgoAFeXxoUzQMXZ2RTS4eTIWGWL+vNqNPp29S3VqhzUwaM3e8bXOdpOdfYeM/Jk8o6Uyec1Un46XpsF4pHnKatjiSeK+0pbrtmD1kXlQfMhlgYvGp0BMVzNAI9R/MTmWfS7xMUFn6u/3xtyYDqMyaxw9YXUzwy3r32zjpWtOob97b/ioDIeB3LrqXxEZlnMhvkfFzMscRNv0D/gQj/nIxkqhgofliFqam3mDU5/rritPVOW2E0JdFlBHm2QHBNOPP4MFV5fFbnxYX1LUlcLMnUqZpX/YVGKlhangq3ks8/LiRudmczBiy23Ooz0AbhfbLg1VnsTa8guGmmGXwZz ***@doppelsaurus

[this is obviously a throwaway key I created for posting it here]
Eli the Bearded
2018-12-13 20:33:54 UTC
Post by Rainer Weikusat
Post by Bernie Cosell
$ssh2->auth_publickey(USER, PUBLICKEY, PRIVATEKEY)
or $ssh2->die_with_error ;
...
Post by Rainer Weikusat
Post by Bernie Cosell
When the *only* change I make is to change the HOST and the USER to a
different host [one I can SSH into with an SSH client using the same SSH
keys] I get
Username/PublicKey combination invalid (-18
LIBSSH2_ERROR_PUBLICKEY_UNRECOGNIZED
) at D:\Perl\ondreamhost.pl line 26.
Really does sound like the user/key pair isn't right.
Post by Rainer Weikusat
ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAABAQDiEdgoAFeXxoUzQMXZ2RTS4eTIWGWL+vNqNPp29S3VqhzUwaM3e8bXOdpOdfYeM/Jk8o6Uyec1Un46XpsF4pHnKatjiSeK+0pbrtmD1kXlQfMhlgYvGp0BMVzNAI9R/MTmWfS7xMUFn6u/3xtyYDqMyaxw9YXUzwy3r32zjpWtOob97b/ioDIeB3LrqXxEZlnMhvkfFzMscRNv0D/gQj/nIxkqhgofliFqam3mDU5/rritPVOW2E0JdFlBHm2QHBNOPP4MFV5fFbnxYX1LUlcLMnUqZpX/YVGKlhangq3ks8/LiRudmczBiy23Ooz0AbhfbLg1VnsTa8guGmmGXwZz
That third column is meaningless to ssh, it's a comment for humans:

Taken from "man sshd":

AUTHORIZED_KEYS FILE FORMAT
AuthorizedKeysFile specifies the files containing public keys for public
key authentication; if none is specified, the default is
~/.ssh/authorized_keys and ~/.ssh/authorized_keys2. Each line of the
file contains one key (empty lines and lines starting with a `#' are
ignored as comments). Protocol 1 public keys consist of the following
space-separated fields: options, bits, exponent, modulus, comment.
Protocol 2 public key consist of: options, keytype, base64-encoded key,
comment. The options field is optional; its presence is determined by
whether the line starts with a number or not (the options field never
starts with a number). The bits, exponent, modulus, and comment fields
give the RSA key for protocol version 1; the comment field is not used
                                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
for anything (but may be convenient for the user to identify the key).
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
For protocol version 2 the keytype is ``ecdsa-sha2-nistp256'',
``ecdsa-sha2-nistp384'', ``ecdsa-sha2-nistp521'', ``ssh-ed25519'',
``ssh-dss'' or ``ssh-rsa''.

(Note that different versions of sshd list different allowed keytypes
for version 2 keys.)

When you have ten (e.g.) people allowed to log in to a single account,
having the owner of a key in the public key is very handy for knowing
which line to delete to remove access.

(When you have 100 people (eg), you should probably stop trusting the
comments and come up with a better key management system.)

Elijah
------
did the keeper of the keys job for a while
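
The point made in the post above, as an added example (not code from the thread): a key is identified by its keytype and base64 blob only, so the same key can sit in authorized_keys under different comments. The function names and the sample lines are constructed for illustration; the keytype list is the one in the man page excerpt above.

```shell
#!/bin/sh
# Constructed sample: the blobs are placeholders, not real keys.
AK_SAMPLE='# shared deploy account
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleBlobOne alice@laptop
command="echo hi there",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleBlobOne deploy bot
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABExampleBlobTwo bob@desk'

# stdin: authorized_keys lines; stdout: "keytype blob<TAB>comment".
# A leading options field is dropped; blank and '#' lines are skipped.
# Limitation: option values containing escaped quotes (\") are not handled.
ak_identity() {
    awk '
    BEGIN { kt = "^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521))$" }
    /^[ \t]*(#|$)/ { next }
    {
        # Remove quoted option values so their spaces do not split fields.
        if ($1 !~ kt) gsub(/"[^"]*"/, "")
        for (i = 1; i < NF; i++) if ($i ~ kt) break
        if (i >= NF) { print "unparsed line " NR > "/dev/stderr"; next }
        comment = ""
        for (j = i + 2; j <= NF; j++) comment = comment (j > i + 2 ? " " : "") $j
        printf "%s %s\t%s\n", $i, $(i + 1), comment
    }'
}

# Prints every key that appears more than once, with all of its comments.
ak_shared_keys() {
    ak_identity | awk -F '\t' '
        { n[$1]++; who[$1] = who[$1] (n[$1] > 1 ? ", " : "") $2 }
        END { for (k in n) if (n[k] > 1) print k ": " who[k] }'
}

printf '%s\n' "$AK_SAMPLE" | ak_shared_keys
```

To audit a real account, run `ak_shared_keys < ~/.ssh/authorized_keys`.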
Rainer Weikusat
2018-12-13 20:56:28 UTC
Post by Eli the Bearded
Post by Rainer Weikusat
Post by Bernie Cosell
$ssh2->auth_publickey(USER, PUBLICKEY, PRIVATEKEY)
or $ssh2->die_with_error ;
...
Post by Rainer Weikusat
Post by Bernie Cosell
When the *only* change I make is to change the HOST and the USER to a
different host [one I can SSH into with an SSH client using the same SSH
keys] I get
Username/PublicKey combination invalid (-18
LIBSSH2_ERROR_PUBLICKEY_UNRECOGNIZED
) at D:\Perl\ondreamhost.pl line 26.
Really does sound like the user/key pair isn't right.
Post by Rainer Weikusat
ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAABAQDiEdgoAFeXxoUzQMXZ2RTS4eTIWGWL+vNqNPp29S3VqhzUwaM3e8bXOdpOdfYeM/Jk8o6Uyec1Un46XpsF4pHnKatjiSeK+0pbrtmD1kXlQfMhlgYvGp0BMVzNAI9R/MTmWfS7xMUFn6u/3xtyYDqMyaxw9YXUzwy3r32zjpWtOob97b/ioDIeB3LrqXxEZlnMhvkfFzMscRNv0D/gQj/nIxkqhgofliFqam3mDU5/rritPVOW2E0JdFlBHm2QHBNOPP4MFV5fFbnxYX1LUlcLMnUqZpX/YVGKlhangq3ks8/LiRudmczBiy23Ooz0AbhfbLg1VnsTa8guGmmGXwZz
Excerpt from libssh2 NEWS file:

This patch changes error code -18 to LIBSSH2_ERROR_AUTHENTICATION_FAILED
and makes LIBSSH2_ERROR_PUBLICKEY_UNRECOGNIZED an alias for
LIBSSH2_ERROR_AUTHENTICATION_FAILED.
[2010/01/28]

IOW, the error above just means "authentication failed".
Bernie Cosell
2018-12-13 21:04:21 UTC
Eli the Bearded <*@eli.users.panix.com> wrote:

} In comp.lang.perl.misc, Rainer Weikusat <***@talktalk.net> wrote:
} > Bernie Cosell <***@fantasyfarm.com> writes:
} >> $ssh2->auth_publickey(USER, PUBLICKEY, PRIVATEKEY)
} >> or $ssh2->die_with_error ;
} ...
} >> When the *only* change I make is to change the HOST and the USER to a
} >> different host [one I can SSH into with an SSH client using the same SSH
} >> keys] I get
} >>
} >> Username/PublicKey combination invalid (-18
} >> LIBSSH2_ERROR_PUBLICKEY_UNRECOGNIZED
} >> ) at D:\Perl\ondreamhost.pl line 26.
}
} Really does sound like the user/key pair isn't right.

I've checked a bunch more -- I turned on logging in my SSH client and,
indeed, it, too, fails. Now I'm not sure why -- I *thought* [perhaps
incorrectly??] that SSH key pairs were server agnostic. That is, if my
public/private keys work on server A they'll work on server B. Apparently
that is not the case [and at the moment I have no clue why]. So not a Perl
problem, which I might have had a chance of dealing with, but an SSH key
exchange problem about which I have no clue. Off to try to understand it...

/Bernie\
--
Bernie Cosell Fantasy Farm Fibers
***@fantasyfarm.com Pearisburg, VA
--> Too many people, too few sheep <--
Rainer Weikusat
2018-12-13 21:27:53 UTC
Post by Bernie Cosell
} >> $ssh2->auth_publickey(USER, PUBLICKEY, PRIVATEKEY)
} >> or $ssh2->die_with_error ;
} ...
} >> When the *only* change I make is to change the HOST and the USER to a
} >> different host [one I can SSH into with an SSH client using the same SSH
} >> keys] I get
} >>
} >> Username/PublicKey combination invalid (-18
} >> LIBSSH2_ERROR_PUBLICKEY_UNRECOGNIZED
} >> ) at D:\Perl\ondreamhost.pl line 26.
}
} Really does sound like the user/key pair isn't right.
I've checked a bunch more -- I turned on logging in my SSH client and,
indeed, it, too, fails. Now I'm not sure why -- I *thought* [perhaps
incorrectly??] that SSH key pairs were server agnostic. That is, if my
public/private key work on server A they'll work on server B. Apparently
that is not the case
This is definitely not the case. I'm using a single key pair to log into
a dozen different hosts (roughly)
Eli the Bearded
2018-12-13 21:56:48 UTC
Post by Rainer Weikusat
Post by Bernie Cosell
I've checked a bunch more -- I turned on logging in my SSH client and,
indeed, it, too, fails. Now I'm not sure why -- I *thought* [perhaps
incorrectly??] that SSH key pairs were server agnostic. That is, if my
public/private key work on server A they'll work on server B.
This is mostly the case but not all servers support all keytypes. I have
one sshd handy that says:

ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521
ssh-dss ssh-rsa

And another that says

ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521
ssh-ed25519 ssh-dss ssh-rsa

And I can remember when ssh-dsa was a broadly allowed key type. I think
it's also possible for keytypes to be supported on both ends and still
get a rejection if the server thinks a key is too weak. ssh-rsa is
required to be 768 bits minimum typically but it's not too hard to
change that:

https://serverfault.com/questions/201327/setting-minimum-size-of-accepted-rsa-key
Post by Rainer Weikusat
Post by Bernie Cosell
Apparently
that is not the case
This is definitely not the case. I'm using a single key pair to log into
a dozen different hosts (roughly)
Rainer, you appear to both be agreeing and disagreeing with Bernie.

Elijah
------
thought there was a sshd_config entry for that but apparently no
Bernie Cosell
2018-12-14 00:50:05 UTC
Bernie Cosell <***@fantasyfarm.com> wrote:

} Username/PublicKey combination invalid (-18
} LIBSSH2_ERROR_PUBLICKEY_UNRECOGNIZED
} ) at D:\Perl\ondreamhost.pl line 26.
}
} And I'm a bit perplexed.

Problem solved thanks to a friend more familiar with the Unix side than I
am. The problem is that the Unix ssh daemon won't tolerate a writable
authorized_keys file. I just copied mine over from my Win7 system to .ssh
on my server and didn't give it a thought. Changing the file to read-only
fixed the problem.

[and yes, I then copied it to a few other Unix systems that I have access
to and when I set the permissions correctly the same key pair just works]

/Bernie\
--
Bernie Cosell Fantasy Farm Fibers
***@fantasyfarm.com Pearisburg, VA
--> Too many people, too few sheep <--
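
The permission problem described in the post above, as an added example (not code from the thread): with its default `StrictModes yes`, OpenSSH's sshd will not use an authorized_keys file when the file, the ~/.ssh directory or the home directory is writable by other users or owned by someone other than the account or root. `audit_ssh_perms` is a hypothetical helper name, and the demo tree is constructed in a temporary directory.

```shell
#!/bin/sh
# Usage: audit_ssh_perms HOME_DIR [UID]
# Prints one line per problem; returns non-zero if any problem is found.
audit_ssh_perms() {
    home=$1
    owner=${2:-$(id -u)}    # assumption: the account is the caller's own
    problems=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"
            problems=$((problems + 1))
            continue
        fi
        # -prune stops find from descending; -perm -020 and -perm -002
        # match the group-write and other-write bits (POSIX find).
        if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "writable by group/other: $p"
            problems=$((problems + 1))
        fi
        if [ -n "$(find "$p" -prune ! -user "$owner" ! -user 0 -print)" ]; then
            echo "not owned by uid $owner or root: $p"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# Constructed demo: a key file copied over with loose permissions, then fixed.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/.ssh" && chmod 700 "$demo_dir" "$demo_dir/.ssh"
: > "$demo_dir/.ssh/authorized_keys"
chmod 666 "$demo_dir/.ssh/authorized_keys"
audit_ssh_perms "$demo_dir" || echo "sshd would refuse this key file"
chmod 600 "$demo_dir/.ssh/authorized_keys"
audit_ssh_perms "$demo_dir" && echo "permissions ok"
rm -rf "$demo_dir"
```

On a real account, `audit_ssh_perms "$HOME"` run on the server checks the same three paths.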