LinuxQuestions.org
Old 10-28-2005, 11:48 AM   #1
lord_darkhelmet
LQ Newbie
 
Registered: Oct 2005
Posts: 12

Rep: Reputation: 0
ssh public/private keys


sorry if this question has been asked a million times


I'm using FC4 linux and I want to ssh into it from a windows machine using a private key.

Here is what I did:

set up ~/.ssh directory
chmod 600 .ssh

using putty I generated a dsa key set. the dsa.pub key was moved to the linux box in ~/.ssh/authorized_keys

the private key (dsa.ppk) was kept on the windows machine and putty was set to use it with my profile.

when I ssh into the linux box it says the server refused my key and falls back to password authentication

I tried generating new keys on the linux machine using ssh-keygen -t dsa
again the id_dsa.pub was added to ~/.ssh/authorized_keys and the private key was moved to the windows machine as dsa.ppk.

This time when I tried to ssh I get the error that it is unable to use my key (open ssh dsa key) and falls back to password authentication

From what I have been reading, what I wish to do is not that hard and I think I followed it to the letter.

The linux machine is running openssh 4.0p1-3

my sshd_config file is as follows:

Port 22
Protocol 2

LoginGraceTime 30s
PermitRootLogin no
#StrictModes yes
MaxAuthTries 3

#HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

UsePAM yes

X11Forwarding no

AllowUsers myusername
DenyUsers root

#ClientAliveInterval 180
#KeepAlive yes

# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
 
Old 10-28-2005, 12:41 PM   #2
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,778
Blog Entries: 1

Rep: Reputation: 412
Quote:
using putty I generated a dsa key set. the dsa.pub key was moved to the linux box in ~/.ssh/authorized_keys
That is the right way of doing this, however I bet the authorized_keys file wasn't quite right. Each key has to be on a single line, and if it isn't, the key isn't recognized. I know that Putty generates a key file on several lines, so you need to take a text editor to your authorized_keys file and put everything on one line.
 
Old 10-29-2005, 04:30 AM   #3
lord_darkhelmet
LQ Newbie
 
Registered: Oct 2005
Posts: 12

Original Poster
Rep: Reputation: 0
thanks for the info. I still get the error "server refused our key"
in /var/log/messages there is now an error "Authentication refused: bad ownership or modes for file /home/gimpy/.ssh/authorized_keys"

The permissions for ~/.ssh drwx------
~/.ssh/authorized_keys -rw-------

By all accounts this should be working now. Any ideas?

Thanks.
 
Old 10-29-2005, 08:55 AM   #4
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,778
Blog Entries: 1

Rep: Reputation: 412
I think that the .ssh directory and the authorized_keys file have to be readable, but not writable, by someone other than the owners. Try using permissions of 744 on the directory (rwxr--r--) and 644 on the authorized_keys (rw-r--r--).
 
Old 10-29-2005, 01:09 PM   #5
lord_darkhelmet
LQ Newbie
 
Registered: Oct 2005
Posts: 12

Original Poster
Rep: Reputation: 0
Hmmm, I tried the file permissions as you suggested, I still get the "server refused our key" but the bad ownership error is gone from the messages log.

I wonder if there is a problem with the TCP/IP settings or something silly.
 
Old 10-29-2005, 01:56 PM   #6
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,778
Blog Entries: 1

Rep: Reputation: 412
Hm. Two things come to mind. First, check the permissions on the home directory of the user. It should be writable ONLY by the user (rwxr-xr-x). SSH is really picky about this, so it could be causing the trouble.

The second thing is to make sure that there are no extra characters in the authorized keys file. Mine looks something like this:

ssh-dss KEyTexTOnOneLine
ssh-dss AnotherKeyTextOnOneLine

If you have any text in there that is NOT part of the key (Putty throws a lot of crap into the file both before and after the key for some reason), it has to go. In fact it might not be a bad idea to trash the existing authorized_keys file and re-create it from a fresh copy of the dsa.pub key. If a key character got deleted when you were putting your key onto a single line, that would also cause this problem.

I'm assuming from what you've posted so far that even though your key is rejected, you can log in with your username and password. If that is true, then there isn't some odd connectivity problem going on.
 
Old 10-29-2005, 02:35 PM   #7
leandean
Member
 
Registered: Oct 2005
Location: Burley, WA
Distribution: Sabayon
Posts: 276

Rep: Reputation: Disabled
I'm not sure about dsa, but using an rsa key the dir permission is 700, the key file is authorized_keys2 and set to 600. In a text editor your key should look like this: ssh-dsa 'space' fhg;oh...= 'space' name. Check to make sure it is all one line. You can do this by using the 'home' and 'end' keys.

Dean
 
Old 10-29-2005, 03:02 PM   #8
lord_darkhelmet
LQ Newbie
 
Registered: Oct 2005
Posts: 12

Original Poster
Rep: Reputation: 0
First off, thanks for taking the time to give me a hand, it's most appreciated.

ok, I dumped the default install of openssh (4.0) and installed version 4.2p1-fc4.1

I still had the key located in ~/.ssh/authorized_keys and the private key on my windows box

After installing the new version of openssh I figured what the hell and tried signing in. This time I didn't get the "server refused our key" I was greeted with "Authenticating with public key"
"Passphrase for key "


OK, so it works with the new version and a default config file so I tested it with my simplified config file and it works fine too.

Whatever was messed up was corrected by re-installing. Kinda sounds like windows
 
Old 10-29-2005, 03:14 PM   #9
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD
Posts: 3,930
Blog Entries: 5

Rep: Reputation: Disabled
I will second the call for making ~/.ssh with 700 permissions. A directory with 600 does not do much good as it can not be listed or traversed.

Glad it's fixed though.
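
The two things this thread keeps returning to, ownership/modes and the one-key-per-line format, can be audited with a short script. This is an added example, not part of any post above: it assumes GNU stat, models the StrictModes test behind "bad ownership or modes" as "owned by the login user or root, and not group- or world-writable", and its function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU stat, as on Fedora.
# Key types accepted on a line; the base64 blob of an SSH public key starts "AAAA".
KEY_RE='(^| )(ssh-dss|ssh-rsa|ssh-ed25519|ecdsa-sha2-[a-z0-9-]+) AAAA[A-Za-z0-9+/]+=*( |$)'

# check_path PATH UID: fail if PATH is not owned by UID or root,
# or if group/other have write permission (mode & 022).
check_path() {
    cp_mode=$(stat -c '%a' "$1" 2>/dev/null) || { echo "cannot stat $1" >&2; return 1; }
    cp_uid=$(stat -c '%u' "$1")
    if [ "$cp_uid" != "$2" ] && [ "$cp_uid" != 0 ]; then
        echo "bad owner (uid $cp_uid): $1" >&2; return 1
    fi
    if [ $(( 0$cp_mode & 022 )) -ne 0 ]; then
        echo "bad mode $cp_mode (group/world-writable): $1" >&2; return 1
    fi
}

# count_bad_paths HOME UID: echo how many of home, ~/.ssh and
# ~/.ssh/authorized_keys fail check_path.
count_bad_paths() {
    cb_bad=0
    for cb_p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        check_path "$cb_p" "$2" || cb_bad=$((cb_bad + 1))
    done
    echo "$cb_bad"
}

# count_bad_key_lines FILE: echo how many non-blank, non-comment lines are
# not a complete "keytype base64 [comment]" entry on a single line.
count_bad_key_lines() {
    ck_bad=0
    while IFS= read -r ck_line || [ -n "$ck_line" ]; do
        case $ck_line in ''|'#'*) continue ;; esac
        if ! printf '%s\n' "$ck_line" | grep -Eq "$KEY_RE"; then
            echo "not a one-line key: $ck_line" >&2
            ck_bad=$((ck_bad + 1))
        fi
    done < "$1"
    echo "$ck_bad"
}

# On the server, as the login user:
#   count_bad_paths "$HOME" "$(id -u)"
#   count_bad_key_lines "$HOME/.ssh/authorized_keys"
```

Both 700/600 and 744/644 pass the path check, since only ownership and the group/other write bits are tested. A key file saved by PuTTYgen and pasted unchanged fails on every line, and a key wrapped onto two lines fails on the continuation line.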
 
  

