Linux - GeneralThis Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
i want to access server via SSH without need to enter password, so i thought i will generate public key and share it with server from which i will be accessing, but it do not works. Says: "# ssh -l root localhost -p 7000
Permission denied (publickey)."
why i am connecting localhost? because i set port forwarding from localhost to destination LAN/firewalled by executing command ssh -fN -R 7000:localhost:22 username@PublicServerIPhere on the server i want to connect. It should work, password access worked, but not public key, returns "Permission denied (publickey)."
Error appears even after i logged in server i want to connect and executed ssh-keygen and then ssh-copy-id IPOfTheServerFromWhichINeedPasswordLesAccess
it worked and when i re-run, it says: "All keys were skipped because they already exist on the remote system."
So key should be coppied.
Where is the problem please? This is sshd_config of the server i am trying to connect (one that refuse ssh pub. key connection and allows password connection):
Quote:
cat /etc/ssh/sshd_config|grep -v "#"|grep " "
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 1024
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin without-password
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PasswordAuthentication no
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM no
source server (from which i am connecting) is CentOS(redhat), destination server which refusing pub.key access is Debian.
The configuration PermitRootLogin without-password means that you can connect root if you have keys set up, password authenticatin is blocked. You also need a public - private key pair for the root account and then place the public key on the remote server in the root account.
As smallpond points out, allowing root login is a hazard, even if using keys mitigates that some. Which problem are you trying to solve?
On the client system, as root, you'll need to create a key pair for root to use.
Then you'll need to connect to the remote machine as a regular user and use "sudo" or "su" to add the public key to the file /root/.ssh/authorized_keys. For example,
Code:
sudoedit /root/.ssh/authorized_keys
That's because you need two key pairs. One to create the tunnel, the other to connect to root. It seems you have the first key pair, if you can log in already as a normal user using the key.
Thank you for help. Indeed it seems that i have to share the key both ways in this case, not only from server to the client but vice versa too (clients key to the server).
Probably the most-common mistake is to fail to set the permissions of the .ssh directory (in the target user's home directory) to 700 = rwx------. If this is not the case, the contents of the directory (and therefore, your keys) will be ignored.
You do not have to restart sshd after making any such change.
When you attempt a password-free login, sshd looks for .ssh/authorized_keys in the target user's home, and checks that directory's permissions-mask.
You must also ensure that the connecting client is running a "ssh-agent" daemon, which actually supplies your key to the remote when you attempt to connect.
Last edited by sundialsvcs; 11-11-2016 at 08:16 AM.
then after such change no one is prompted for password and only keys in server's authorized_keys file are allowed.
That is what i wanted. Thx
Great. By the way you can use more than one key and give each one a special purpose so they cannot be used for general login. See the "AUTHORIZED_KEYS FILE FORMAT" section in the manual page for "sshd". The part you would look for there is command="command"
If you don't mind telling, why are you using remote root access? There is often a better way.
Great. By the way you can use more than one key and give each one a special purpose so they cannot be used for general login. See the "AUTHORIZED_KEYS FILE FORMAT" section in the manual page for "sshd". The part you would look for there is command="command"
If you don't mind telling, why are you using remote root access? There is often a better way.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
