Total Pageviews

Thursday, 15 October 2009

SSH "postponed publickey" error Debugging process RHEL 5.4

In order to debug SSH, see what is causing the slow key exchange, and therefore the " postponed publickey " error message we will need to do the following.

Start debugging SSH :

1) On the server side

a) Enable port 2222 udp and tcp access for ssh in the server side

b) Execute the command script on the shell, in order to capture
some output

#script /tmp/SSHserver

c) Start sshd listening on port 2222

# /usr/sbin/sshd -d -p 2222

d) Let this command to run on the server side until the client connection
has been finished

2) From the client we will need to :

a) Execute the command script on the shell, in order to capture
some output

#script /tmp/SSHclient

b) Start the connection to the remote server on port 2222 with the
same user that has the public key

ssh -v -v -v user@remoteserver -p 2222

c) Once the connection is established we can close the connection and
exit script.

# Control + c to close the connection .
# enter exit on the client to stop logging with script.
# enter exit on the server to stop logging with script.

3) We will find /tmp/SSHclient in the client and /tmp/SSHserver in the

4) Also we will need to tail -f /var/log/audit/audit.log while we do steps 3
and 4

I finally received the log messages

As we can see, in the logs the user Oracle is continuously accessing the server via SSH, but before the Public Key is accepted it tries with other methods of authentication ( publickey,gssapi-with-mic,password)

1) First tries with gssapi-with-mic then will try "public key", and eventually keyboard-interactive, and password

debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password

2) But gssapi-with-mic fails creating a delay on using public key, therefore we get a message on the logs

debug3: authmethod_lookup gssapi-with-mic
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug3: Trying to reverse map address 192.xx.xx.xx
debug2: we sent a gssapi-with-mic packet, wait for reply
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug2: we did not send a packet, disable method

3) Finally the right method is allowed

debug3: authmethod_lookup publickey
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /opt/oracle/.ssh/id_rsa
debug3: no such identity: /opt/oracle/.ssh/id_rsa
debug1: Offering public key: /opt/oracle/.ssh/id_dsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-dss
debug2: input_userauth_pk_ok: fp
debug3: sign_and_send_pubkey
debug1: read PEM private key done: type DSA
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Entering interactive session.

.................... and the session starts

You could eliminate the messages "postponed public key " by identifying the unwanted auth type(s) being tried before publickey and disable them, either form the client side or the server side.
In this case the unwanted method is GSSAPIAuthentication as Oracle uses a public key to authenticate, therefore we should disable the parameter on the client side.

From /etc/ssh/ssh_config from one of the clients disable

Host *
GSSAPIAuthentication yes


Host *
GSSAPIAuthentication no

By disabling the GSSAPIAuthentication method the public will not be postponed therefore the "postponed public key " will dissapwear.

Jesus Bustos

Super Blog Directory

No comments: