LinuxQuestions.org
Old 07-24-2002, 08:48 PM   #1
Half_Elf
Guru
 
Registered: Sep 2001
Location: Montreal, Canada
Distribution: Slackware; Debian; Gentoo...
Posts: 2,163

Rep: Reputation: 45
Ssh (again) and ssh key?


I'm maybe totally wrong but I thought ssh needed a "decryption key" in order to connect to an ssh server... But I recently discovered I can log in to my sshd without any key. Worse, it never asks me for a passphrase, except if I delete id_rsa.pub (this is supposed to be the decryption key, isn't it?). But if I delete the id_rsa key too, I can still log in without any problem (it always asks me for my real login password, of course!).

Can you tell me if this is an SSH problem (maybe I forgot to enable something else in the install?) or if I'm just a total newbie who doesn't understand how SSH works?
 
Old 07-24-2002, 11:42 PM   #2
turnip
Member
 
Registered: Jul 2002
Posts: 143

Rep: Reputation: 15
The pub file is your public key; id_dsa or rsa is the private half. You need to have the contents of id_dsa.pub in a file called authorized_keys in ~/.ssh.

Make sure these lines are in your sshd_config:

DSAAuthentication yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys

From that point, when you try to log in it will first ask for the password for the key, then the local user's pass.

Adding the key to the ssh-agent will do what you are describing: no password prompt, that is.

Try ssh-add -l to see if your key is managed by the agent.
 
Old 07-25-2002, 05:11 PM   #3
Half_Elf
Guru
 
Registered: Sep 2001
Location: Montreal, Canada
Distribution: Slackware; Debian; Gentoo...
Posts: 2,163

Original Poster
Rep: Reputation: 45
I don't want to manage my key with the agent, I want to use this key!

I have no key in my home, but still, I can log in to sshd (sshd is on another computer). DSA, RSA, PubKey Authentication are at "yes", AuthorizedKeysFile looks ok... I also turned Known_Hosts off.

Why does sshd still accept people without a key? Is there another option I forgot?
 
Old 07-31-2002, 01:49 PM   #4
turnip
Member
 
Registered: Jul 2002
Posts: 143

Rep: Reputation: 15
Turn password auth off and then you will need to log in with a key.
You will also need those files in your home dir.

ssh first tries key'd auth and if no key is there it defaults to password. Make the password for the account different than the key so you can test it.
 
Old 07-31-2002, 07:25 PM   #5
Half_Elf
Guru
 
Registered: Sep 2001
Location: Montreal, Canada
Distribution: Slackware; Debian; Gentoo...
Posts: 2,163

Original Poster
Rep: Reputation: 45
It doesn't work, ARRRG, I think I will start hitting my head on the wall. If I turn off password authentication, I can't log in at all. It asks me for my passphrase, but if I enter the right password, ssh (in verbose mode) tells me that:
Read PEM private key Done: type RSA
authentification that can continue : publickey, keyboard-interactive
try pubkey: /root/.ssh/id_rsa
authentification that can continue : publickey, keyboard-interactive
next auth method to try is: keyborad-interactive

Then it tells me Authentification Failed... but I'm SURE my key is good, I just generated a new one... If I type the wrong passphrase I have 2 more chances until I get this error msg...
 
Old 07-31-2002, 08:35 PM   #6
turnip
Member
 
Registered: Jul 2002
Posts: 143

Rep: Reputation: 15
Do you have id_dsa.pub or rsa.pub in your home directory?

The keys with the .pub extension are the public keys; they are the ones that go into authorized_keys.

Last edited by turnip; 07-31-2002 at 08:36 PM.
 
Old 07-31-2002, 10:47 PM   #7
DavidPhillips
Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,154

Rep: Reputation: 56
If you comment out all of the config file except the logging, it should operate with defaults.

The default is to negotiate a public key, then with a secure connection prompt for login.
 
Old 08-01-2002, 01:59 AM   #8
lopezjo49
Member
 
Registered: Jun 2002
Location: NJ
Distribution: Mainly Kubuntu 8.10
Posts: 44

Rep: Reputation: 15
'ssh-keygen -t rsa' creates identity/identity.pub and the identity.pub should be changed to authorized_keys on the host machine in ~/.ssh/authorized_keys with permissions set to 600.

Make sure it's not trying ssh2 (dsa) when you ssh to the host; run ssh with the -v option to see the step-by-step process.

If you are using SSH2, 'ssh-keygen -t dsa' creates id_dsa/id_dsa.pub and the id_dsa.pub should be changed to authorized_keys2 on the host machine in ~/.ssh/authorized_keys2 with permissions set to 600.

These pages may be of some interest:
http://www.puddingonline.com/~dave/p...s-HOWTO-4.html
http://www.mandrakeuser.org/docs/secure/sssh2.html

Good luck
 
Old 08-01-2002, 04:37 PM   #9
turnip
Member
 
Registered: Jul 2002
Posts: 143

Rep: Reputation: 15
Are you trying to login to a nix box using windows ssh software?
If not, post your sshd_config file here.
 
Old 08-02-2002, 11:38 AM   #10
Half_Elf
Guru
 
Registered: Sep 2001
Location: Montreal, Canada
Distribution: Slackware; Debian; Gentoo...
Posts: 2,163

Original Poster
Rep: Reputation: 45
As you can see, my AuthorizedKeysFile path is (now) ~/.ssh/ but I also tried with ~/.ssh/authorized_key , ~/.ssh/id_rsa , %h/.ssh/... etc etc...
Nothing worked.

Habitually when I try to connect, I give the ssh client options directly (ssh -v -l root -i ~/ssh/id_rsa.pub) but I always get this nonsense error msg (saying my key is incorrect?) I posted before. I think the only thing I have not tried yet is rm -rf /*ssh* and reinstalling.


# $OpenBSD: sshd_config,v 1.56 2002/06/20 23:37:12 markus Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 3600
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 600
#PermitRootLogin yes
#StrictModes yes

DSAAuthentication yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile ~/.ssh

# rhosts authentication should not be used
#RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
IgnoreUserKnownHosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

#AFSTokenPassing no

# Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no

# Set this to 'yes' to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt yes

#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#Compression yes

#MaxStartups 10
# no default banner path
#Banner /some/path
#VerifyReverseMapping no

# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server

Last edited by Half_Elf; 08-02-2002 at 11:44 AM.
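
An added example, not part of any post in this thread and not OpenSSH's own code: a shell check for the two questions the thread keeps returning to, whether sshd will still accept a login without a key and whether AuthorizedKeysFile names a file. The function names, the temporary sample configs and the directory heuristic are assumptions made for illustration; the fallback values are the OpenSSH defaults for each keyword.

```shell
#!/bin/sh
# Added example (not from the thread): check an sshd_config for key-only login.

# Effective value of keyword $2 in file $1, falling back to default $3.
# sshd uses the first occurrence of a keyword; keywords are case-insensitive.
sshd_opt() {
    awk -v k="$2" -v d="$3" '
        $1 ~ /^#/ { next }
        tolower($1) == tolower(k) { print $2; found = 1; exit }
        END { if (!found) print d }' "$1"
}

# Print one FAIL line per setting that still allows a login without a key,
# or that keeps sshd from finding the key. Returns non-zero on any finding.
audit_key_only() {
    cfg=$1; rc=0
    [ "$(sshd_opt "$cfg" PubkeyAuthentication yes)" = yes ] ||
        { echo "FAIL PubkeyAuthentication: keys are never tried"; rc=1; }
    [ "$(sshd_opt "$cfg" PasswordAuthentication yes)" = no ] ||
        { echo "FAIL PasswordAuthentication: password login still accepted"; rc=1; }
    [ "$(sshd_opt "$cfg" ChallengeResponseAuthentication yes)" = no ] ||
        { echo "FAIL ChallengeResponseAuthentication: keyboard-interactive still offered"; rc=1; }
    akf=$(sshd_opt "$cfg" AuthorizedKeysFile .ssh/authorized_keys)
    case $akf in   # heuristic: the value must name a file, not the .ssh directory
        */|*.ssh) echo "FAIL AuthorizedKeysFile: '$akf' is a directory, not a key file"; rc=1 ;;
    esac
    return $rc
}

# StrictModes refuses key files and directories writable by group or others.
# Prints the offending paths among the arguments.
loose_perms() {
    for p in "$@"; do
        find "$p" -prune \( -perm -020 -o -perm -002 \) -print
    done
}

# Constructed inputs: the uncommented auth lines from post #10, and a fixed variant.
demo=$(mktemp -d)
printf '%s\n' '#StrictModes yes' 'PubkeyAuthentication yes' \
    'AuthorizedKeysFile ~/.ssh' 'PasswordAuthentication yes' > "$demo/thread.conf"
printf '%s\n' 'PubkeyAuthentication yes' 'AuthorizedKeysFile %h/.ssh/authorized_keys' \
    'PasswordAuthentication no' 'ChallengeResponseAuthentication no' > "$demo/fixed.conf"

audit_key_only "$demo/thread.conf" || echo "thread.conf: not key-only"
audit_key_only "$demo/fixed.conf" && echo "fixed.conf: key-only"
```

On a running server, `sshd -T` prints the effective configuration (on OpenSSH versions that support it), which avoids guessing at defaults.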
 
Old 08-02-2002, 06:02 PM   #11
lopezjo49
Member
 
Registered: Jun 2002
Location: NJ
Distribution: Mainly Kubuntu 8.10
Posts: 44

Rep: Reputation: 15
"As you can see, my AuthorizedKeysFile path is (now) ~/.ssh/ but I also tried with ~/.ssh/authorized_key , ~/.ssh/id_rsa , %h/.ssh/... etc etc...
Nothing worked"
--The public key should be ~/.ssh/authorized_keys not key
 
Old 08-02-2002, 06:10 PM   #12
lopezjo49
Member
 
Registered: Jun 2002
Location: NJ
Distribution: Mainly Kubuntu 8.10
Posts: 44

Rep: Reputation: 15
I'm using openssh-server-3.1p1-6 and the only uncommented lines in my sshd_config are:

SyslogFacility AUTHPRIV # for logging
RSAAuthentication yes
PasswordAuthentication no

If you leave PasswordAuthentication commented out it will still ask you for a password if you fail to enter the correct passphrase. To avoid this, uncomment it and set it to no.
 
Old 08-02-2002, 07:16 PM   #13
Half_Elf
Guru
 
Registered: Sep 2001
Location: Montreal, Canada
Distribution: Slackware; Debian; Gentoo...
Posts: 2,163

Original Poster
Rep: Reputation: 45
lopezjo49: I know but I don't want to use the (unsafe) password authentication to log in! And all uncommented lines have been uncommented by me.
 
Old 08-02-2002, 07:49 PM   #14
DavidPhillips
Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,154

Rep: Reputation: 56
The password isn't unsafe; once the client has the public key the fingerprint of the server is checked against the public key, and the login is secure.

Allowing the key without a password is more of a risk that someone will get the key from the client.

No one can get your password because the login is encrypted.
 
Old 08-03-2002, 04:35 PM   #15
Half_Elf
Guru
 
Registered: Sep 2001
Location: Montreal, Canada
Distribution: Slackware; Debian; Gentoo...
Posts: 2,163

Original Poster
Rep: Reputation: 45
David: are you sure? I can log in (using pass authentication) to sshd no matter if I have the pub key or not (I have no pub key on the local computer, but the remote, running sshd, has one). How does ssh do encryption/decryption without a local pub key?
 
  


All times are GMT -5.