-   Linux - General (
-   -   Ssh (again) and ssh key? (

Half_Elf 07-24-2002 08:48 PM

Ssh (again) and ssh key?
I'm maybe totaly wrong but I tought ssh was needing a "decryption key" in order to connect to a ssh server... But I recently discovered I can login into my sshd without any key. Worst, It never asks me for a phasepasswd, except if I delete (this is suppose to be the decryption key, isn't it?). But if I delete the id_rsa key too, I can still login without any problem (it always asks me for my real login password, of course!).

Can you tell me if this is a SSH problem (maybe I forgot to enable something else in the install?) or i'm just a total newbie who don't understand how SSH works? :confused:

turnip 07-24-2002 11:42 PM

the pub file is your public key, id_dsa or rsa is the private half. You need to have the contents of in a file called authorized_keys in ~/.ssh

Make sure these lines are in your sshd_config

DSAAuthentication yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys

From that point when you try to login it will first ask for the password for the key, then the local users pass..

adding the key to the ssh-agent will do what you are describing. No password prompt that is.

try ssh-add -l to see if your key is managed by the agent

Half_Elf 07-25-2002 05:11 PM

I don't want to mange my key with the agent, I want to use this key!

I have no key in my home, but still, I can login into sshd (sshd is on another computer). DSA, RSA, PubKey Authentication are at "yes", AutorizedKeyFile looks ok... I also turn Know_Hosts off.

Why sshd still accept people without key? Is there are another option I forgot?

turnip 07-31-2002 01:49 PM

turn password auth off and then you will need to login with a key.
you will also need those files in your home dir.

ssh first trys key'd auth and if no key is there it defaults to password. make the password for the account different than the key so you can test it.

Half_Elf 07-31-2002 07:25 PM

It doesn't works, ARRRG, I think I will start hiting my head on the wall. If I turn off password authentification, I can't log in at all. It asks me for my passphase but If I enter the right password, ssh (in verbose mode) tells me that:
Read PEM private key Done: type RSA
authentification that can continue : publickey, keyboard-interactive
try pubkey: /root/.ssh/id_rsa
authentification that can continue : publickey, keyboard-interactive
next auth method to try is: keyborad-interactive

then it tells me Authentification Failed.... but I'm SURE my key is good, I just generated a new one... If I type the wrong passphase I have 2 more chance until I get this error msg...

turnip 07-31-2002 08:35 PM

do you have or in your home directory?

the keys with the .pub extention are the public keys, they are the ones that go into authorized_keys.

DavidPhillips 07-31-2002 10:47 PM

If you comment out all of the config file except the logging, it should operate with defaults.

The default is to negotiate a public key, then with a secure connection prompt for login.

lopezjo49 08-01-2002 01:59 AM

'ssh-keygen -t rsa' creates identity/ and the should be changed to authorized_keys on the host machine in ~/.ssh/authorized_keys with permissions set to 600.

Make sure it's not trying ssh2 (dsa) when you ssh to the host, run ssh with the -v option to see the step by step proccess.

If you are using SSH2, 'ssh-keygen -t dsa' creates id_dsa/ and the should be changed to authorized_keys2 on the host machine in ~/.ssh/authorized_keys2 with permissions set to 600.

This page may be of some interest

Good luck

turnip 08-01-2002 04:37 PM

Are you trying to login to a nix box using windows ssh software?
If not, post your sshd_config file here.

Half_Elf 08-02-2002 11:38 AM

As you can see, my AuthorizedKeysFile path is (now) ~/.ssh/ but I also tried with ~/.ssh/authorized_key , ~/.ssh/id_rsa , %h/.ssh/... etc etc...
Nothing worked

Habitually when I try to connect, I give shh client option directly (ssh -v -l root -i ~/ssh/ but I always get this non-sense error msg (saying my key is incorrect?) I posted before. I think the only thing I have not tried yet, is rm -rf /*ssh* and reinstalling.

# $OpenBSD: sshd_config,v 1.56 2002/06/20 23:37:12 markus Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

#Port 22
#Protocol 2,1
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 3600
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 600
#PermitRootLogin yes
#StrictModes yes

DSAAuthentication yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile ~/.ssh

# rhosts authentication should not be used
#RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
IgnoreUserKnownHosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

#AFSTokenPassing no

# Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no

# Set this to 'yes' to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt yes

#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#Compression yes

#MaxStartups 10
# no default banner path
#Banner /some/path
#VerifyReverseMapping no

# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server

lopezjo49 08-02-2002 06:02 PM

"As you can see, my AuthorizedKeysFile path is (now) ~/.ssh/ but I also tried with ~/.ssh/authorized_key , ~/.ssh/id_rsa , %h/.ssh/... etc etc...
Nothing worked"
--The public key should be ~/.ssh/authorized_keys not key

lopezjo49 08-02-2002 06:10 PM

I'm using openssh-server-3.1p1-6 and the only uncommented lines in my sshd_config

SyslogFacility AUTHPRIV # for logging
RSAAuthentication yes
PasswordAuthentication no

if you leave PasswordAuthentication commented out it will still ask you for a password if you fail to enter the correct passphrase. To avoid this uncomment it and set it to no.

Half_Elf 08-02-2002 07:16 PM

lopezjo49: I know but I don't want to use the (unsafe) password authentication to login! And all uncommented line have been uncommented by me. :(

DavidPhillips 08-02-2002 07:49 PM

the password isn't unsafe, once the client has the public key the fingerprint of the server is checked against the public key, and the login is secure.

allowing the key without a password is more of a risk that someoe will get the key from the client.

no one can get your password because the login is encrypted.

Half_Elf 08-03-2002 04:35 PM

David: are you sure? I can log in (using pass authentication) sshd no matter if I have the pub key or no (I have no pub key in the local computer, but the remote, running sshd have one). How ssh do encryption/decryption without local pub key?

All times are GMT -5. The time now is 02:13 PM.