Hello

I have setup ssh but it's not working...looking for some advise.

Here is what I have done

On the first Red Hat box

Step 1 su to test_user

Step 2 run ssh-keygen -t rsa

Step 3 Enter defaults file location/path

Step 4 Enter the pass phrase - testing

The keys generated now

2b:ba:5b:af:ec:06:4b:bb:10:8e:27:e6:b3:6f:75:0f test@test.com

Step 5 run chmod 755 ~/.ssh

Step 6 Run the same steps above on the Remote Linux box

Step 7 copied the first linux box keys to the /tmp folder on the second linux box and then copied and renamed it to the ~/.ssh/authorized_key file.

Step 8 tried to use scp, but I still get prompted for a password from the second linux box ..

I dont know where I have gone wrong, tried several times and same issue.

If any one has any ideas that would be great, I'm also not sure if I should be configuring the ssh_config file for any settings?


rgds

D

the directory permissions are wrong, they are usually 700, with the files inside, 600. by having 755 it means that anyone can access that directory, making it massively insecure, and therefore ssh sees this and refuses to use it.

See here and here

Remember:

ssh is very fussy about file permissions.

You can see what is (not) happening when you ssh -vvv user@host

You are generating a key with a passphrase. I prefer not to use one, then I don't get asked for it. If you get the file permissions on your private keys right, you shouldn't need a passphrase.

Hmm... here's some clue:
If you want to set-up a password-less authentication, you should leave the pass-phrase empty, otherwise you will be prompted for the pass-phrase at every login.
Nope. Leave the permission of the .ssh directory untouched. They should be 700, otherwise some SSH server may refuse connections.
You need this if you want to set-up a two-way password-less connection (maybe not useful). In any case, better to set-up a one-way connection FROM your local machine TO the remote server and test it in the first instance.
What key did you copied in authorized_key file? The private or the public one? On your local machine, where you have generated the key pair, you should have ended up with two files: id_rsa (the private key) and id_rsa.pub (the public key). Never (and I mean never) share or copy the private key to another machine: it is like your fingerprints (it is yours, it should stay in your local .ssh directory with no r/w permissions for other users and no-one should have access to it in one way or another). This means you have just to copy (append) the content of the public key into the authorized_keys file on the remote machine.

If something still goes wrong (and you're still prompted for password) use the -v option of ssh and check the dialog between the local and the remote machine. It should give you some useful information on what's going on.

A passphrase protects the private key on the client side and has nothing to do with the server you are trying to connect to. It prevents a lost client's key from being used to attack the server.

You can use:
eval $(ssh-agent)
ssh-add

Then you don't need to enter the pass phrase more than once in that session. You can set it up so your system asks for the pass phrase when you log in as well.

You also need to check the permissions of your HOME directory. It can't allow others read access. Sometimes a "users" group access is allowed so regular users can share directories easily using samba. It also has the effect that other uses can read files in your HOME directory which I wouldn't recommend.

Also read the comments in the /etc/ssh/sshd_config file (on the ssh server side). Just above the "UsePAM Yes" line. It explains two options to disable if you want to use public key authentication.

I would also recommend disabling root logins, and using the "AllowUsers <your_username>" option in sshd_config.
That will only allow logins from yourself and reject all attempts to log in as a system user. (e.g. http, postfix)

Thanks very much all for your comments,

I will run through and see how I go....and yes its very fussy to setup, but I guess it has a ssh has security conscience

Cheers

Dee