LinuxQuestions.org


lord_darkhelmet 10-28-2005 11:48 AM

ssh public/private keys
 
sorry if this question has been asked a million times


I'm using FC4 linux and I want to ssh into it from a windows machine using a private key.

Here is what I did:

set up ~/.ssh directory
chmod 600 .ssh

using putty I generated a dsa key set. the dsa.pub key was moved to the linux box in ~/.ssh/authorized_keys

the private key (dsa.ppk) was kept on the windows machine and putty was set to use it with my profile.

when I ssh into the linux box it says the server refused my key and falls back to password authentication

I tried generating new keys on the linux machine using ssh-keygen -t dsa
again the id_dsa.pub was added to ~/.ssh/authorized_keys and the private key was moved to the windows machine as dsa.ppk.

This time when I tried to ssh I get the error that it is unable to use my key (open ssh dsa key) and falls back to password authentication

From what I have been reading, what I wish to do is not that hard and I think I followed it to the letter.

The linux machine is running openssh 4.0p1-3

my sshd_config file is as follows:

Port 22
Protocol 2

LoginGraceTime 30s
PermitRootLogin no
#StrictModes yes
MaxAuthTries 3

#HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

UsePAM yes

X11Forwarding no

AllowUsers myusername
DenyUsers root

#ClientAliveInterval 180
#KeepAlive yes

# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server

Hangdog42 10-28-2005 12:41 PM

Quote:

using putty I generated a dsa key set. the dsa.pub key was moved to the linux box in ~/.ssh/authorized_keys

That is the right way of doing this, however I bet the authorized_keys file wasn't quite right. Each key has to be on a single line, and if it isn't, the key isn't recognized. I know that Putty generates a key file on several lines, so you need to take a text editor to your authorized_keys file and put everything on one line.

lord_darkhelmet 10-29-2005 04:30 AM

thanks for the info. I still get the error "server refused our key"
in /var/log/messages there is now an error "Authentication refused: bad ownership or modes for file /home/gimpy/.ssh/authorized_keys"

The permissions for ~/.ssh drwx------
~/.ssh/authorized_keys -rw-------

By all accounts this should be working now. Any ideas?

Thanks.

Hangdog42 10-29-2005 08:55 AM

I think that the .ssh directory and the authorized_keys files have to be readable, but not writable, by someone other than the owners. Try using permissions of 744 on the directory (rwxr--r--) and 644 on the authorized_keys (rw-r--r--).

lord_darkhelmet 10-29-2005 01:09 PM

Hmmm, I tried the file permissions as you suggested, I still get the "server refused our key" but the bad ownership error is gone from the messages log.

I wonder if there is a problem with the TCP/IP settings or something silly.

Hangdog42 10-29-2005 01:56 PM

Hm. Two things come to mind. First, check the permissions on the home directory of the user. It should be writable ONLY by the user (rwxr-xr-x). SSH is really picky about this, so it could be causing the trouble.

The second thing is to make sure that there are no extra characters in the authorized keys file. Mine looks something like this:

ssh-dss KEyTexTOnOneLine
ssh-dss AnotherKeyTextOnOneLine

If you have any text in there that is NOT part of the key (Putty throws a lot of crap into the file both before and after the key for some reason), it has to go. In fact it might not be a bad idea to trash the existing authorized_keys file and re-create it from a fresh copy of the dsa.pub key. If a key character got deleted when you were putting your key onto a single line, that would also cause this problem.

I'm assuming from what you've posted so far that even though your key is rejected, you can log in with your username and password. If that is true, then there isn't some odd connectivity problem going on.
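The one-line requirement discussed in the posts above, as an added example that is not part of the original thread: it converts the multi-line RFC 4716 layout that PuTTYgen saves into a single `authorized_keys` line and checks an entry for a damaged key or a type name that disagrees with the key data. The sample key is a constructed, unusable blob, only the algorithm name inside the blob is inspected, and entries with leading options are assumed absent.

```python
import base64
import struct

def key_type(blob):
    """Return the algorithm name stored at the start of an SSH key blob."""
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if n == 0 or 4 + n > len(blob):
        raise ValueError("corrupt length field in key blob")
    return blob[4:4 + n].decode("ascii")

def rfc4716_to_openssh(text):
    """Turn a multi-line RFC 4716 public key into one authorized_keys line."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if (len(lines) < 3 or not lines[0].startswith("---- BEGIN SSH2 PUBLIC KEY")
            or not lines[-1].startswith("---- END SSH2 PUBLIC KEY")):
        raise ValueError("not an RFC 4716 public key file")
    comment, body = "", []
    for line in lines[1:-1]:
        tag, sep, value = line.partition(":")
        if sep:                       # header line such as Comment: "..."
            if tag.lower() == "comment":
                comment = value.strip().strip('"')
        else:                         # base64 data never contains ':'
            body.append(line)
    blob = base64.b64decode("".join(body), validate=True)
    fields = [key_type(blob), base64.b64encode(blob).decode("ascii"), comment]
    return " ".join(f for f in fields if f)

def check_entry(line):
    """Return None if an authorized_keys line is well formed, else a reason."""
    fields = line.split()
    if len(fields) < 2:
        return "expected '<type> <base64> [comment]' on one line"
    try:
        embedded = key_type(base64.b64decode(fields[1], validate=True))
    except ValueError as exc:         # bad base64, bad length, bad name
        return "key data damaged: %s" % exc
    if embedded != fields[0]:
        return "declared type %r but key data says %r" % (fields[0], embedded)
    return None

# Constructed sample: a fake ssh-dss blob (not a usable key) in PuTTYgen layout.
_blob = struct.pack(">I", 7) + b"ssh-dss" + bytes(range(90))
SAMPLE_B64 = base64.b64encode(_blob).decode("ascii")
SAMPLE_PUTTY = "\n".join(
    ['---- BEGIN SSH2 PUBLIC KEY ----', 'Comment: "dsa-key-20051028"']
    + [SAMPLE_B64[i:i + 64] for i in range(0, len(SAMPLE_B64), 64)]
    + ['---- END SSH2 PUBLIC KEY ----'])
```

On the server, `ssh-keygen -i -f dsa.pub` performs the same conversion with OpenSSH's own tooling.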

leandean 10-29-2005 02:35 PM

I'm not sure about dsa, but using an rsa key the dir permission is 700, the key file is authorized_keys2 and set to 600. In a text editor your key should look like this: ssh-dsa 'space' fhg;oh...= 'space' name. Check to make sure it is all one line. You can do this by using the 'home' and 'end' keys.

Dean

lord_darkhelmet 10-29-2005 03:02 PM

First off, thanks for taking the time to give me a hand, it's most appreciated.

ok, I dumped the default install of openssh (4.0) and installed version 4.2p1-fc4.1

I still had the key located in ~/.ssh/authorized_keys and the private key on my windows box

After installing the new version of openssh I figured what the hell and tried signing in. This time I didn't get the "server refused our key" I was greeted with "Authenticating with public key"
"Passphrase for key "


OK, so it works with the new version and a default config file so I tested it with my simplified config file and it works fine too.

Whatever was messed up was corrected by re-installing. Kinda sounds like windows :(

anomie 10-29-2005 03:14 PM

I will second the call for making ~/.ssh with 700 permissions. A directory with 600 does not do much good as it can not be listed or traversed.

Glad it's fixed though.
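The permission checks discussed in this thread, as an added example that is not part of the original posts: with `StrictModes` enabled (the default), sshd logs "bad ownership or modes" when the home directory, `~/.ssh` or `authorized_keys` is owned by someone other than the user or root, or is writable by group or others. The function name and the extra owner-execute check on directories are this example's own.

```python
import os
import stat

def audit_ssh_paths(home, uid):
    """List ownership/mode problems on home, ~/.ssh and authorized_keys."""
    ssh_dir = os.path.join(home, ".ssh")
    problems = []
    for path in (home, ssh_dir, os.path.join(ssh_dir, "authorized_keys")):
        try:
            st = os.stat(path)
        except OSError as exc:
            problems.append("%s: cannot stat (%s)" % (path, exc.strerror))
            continue
        mode = stat.S_IMODE(st.st_mode)
        # StrictModes rule: owned by the user or root, no group/other write.
        if st.st_uid not in (uid, 0):
            problems.append("%s: owned by uid %d" % (path, st.st_uid))
        if mode & 0o022:
            problems.append("%s: mode %04o is group/world writable" % (path, mode))
        # Not a StrictModes rule: a directory without owner search (x)
        # permission cannot be traversed, so the key file is unreachable.
        if stat.S_ISDIR(st.st_mode) and not mode & 0o100:
            problems.append("%s: mode %04o lacks owner execute" % (path, mode))
    return problems

if __name__ == "__main__":
    # Audit the invoking user's own account.
    for problem in audit_ssh_paths(os.path.expanduser("~"), os.getuid()):
        print(problem)
```

Both the 700/600 and the 744/644 layouts mentioned in the thread pass the write-bit test; a group-writable home directory or a `~/.ssh` set to 600 does not.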

