We're setting up with a hosting company, and I suspect they are a small local company (our design company are engaging them to host the site they are writing for us) so while it's nice to support our local economy I think (to be diplomatic about it) they maybe can't afford the calibre of sysadmins they ideally should have.

We're asking for SSH access to our area in the server (we currently seem to be on a shared hosting plan - don't even go there - but we may be moving to a dedicated server) and have this via password authentication, but as I'm wanting to do some automated uploads I wanted to set up public key authentication. After much um-ing and ah-ing with their tech support it turns out that there's "only password authentication allowed, and they don't have any timescales on enabling it". Now, as far as I was aware this should be quite a simple modification to the ssh daemon's config file, so it shouldn't be difficult? Are there any technical reasons why this couldn't be enabled? Not sure what server, exactly, they're using (they don't want people poking around too much), but it's Kernel version 2.6.32-279.19.1.el6.x86_64 and it looks like they're using OpenSSH_5.3.

Thanks - MH

Good choice.


Even more if you look at a stock /etc/ssh/sshd_config or read 'man sshd_config' you'll find PubkeyAuthentication=yes is the default. (Unfortunately so is PasswordAuthentication so you'll be asked for the pass if pubkey auth fails.)


Given the situation I'd suggest you just generate keys, configure pubkey auth and see if it works without using "support".

You probably want to use dedicated hosting, from them or from someone else. If you're simply wanting to exchange information, consider a Dropbox or Google Docs. And if what you ultimately want is a web-site, look at places like "weebly.com."

Way ahead of you - already tried it and found it isn't working (as you said, I was sure it was configured, by default). Unfortunately I have no admin rights on the server and in the T&Cs are "if you attempt to look outside your home directory, your account will be suspended" so I can't even try to check the SSH server config. I queried this with them, via our design company (that's my only communication method, at the moment) and was told it wasn't enabled - hence my question regarding whether there is a technical reason why it wouldn't/couldn't be enabled.
I'm somewhat dubious as to the hosting company's technical abilities, and this (unless there's some issue of which I am unaware) compounds this suspicion. They also mentioned, in their SSH T&C that it's more secure to not have it enabled and to use their web interface - well, technically one less point of entry _is_ more secure, if you're not using it, but their servers should, surely, be properly hardened against brute force attacks, and the like, so it shouldn't, really, be an issue?

I'm not directly involved with the project, I'm just responsible for getting records from our DB into the DB on the server, so I only have a limited say on who and which service we use. It needs to run from a script that's called from a data changing event, on the web server (again, not ideal from my point of view) so I'm currently working on using Cygwin to SCP the data over, then remotely run a script on the SSH connection to import the data into the database. I'm figuring that's the best way to get the data over, as the data is being updated on a Windows web server, so I have to get creative to get the data imported - unless there's a better way for Windows to interact with a remote Linux server, on which I only have user-level credentials. It's not insurmountable as I am testing using "expect" to get over the password input, but this is obviously far from ideal.

No way you are. You just forgot to mention it in your OP.


Can't think of any.


That's an understatement.


Pubkey auth is a security best practice. Any SSH tutorial worth something should point that out. So let's classify their stance as what it is: sheer unadulterated male bovine excrement.


From what you posted your provider doesn't exactly have the "we're taking care of business" kind of vibe. Pubkey auth never should be an issue.


That should be a separate thread, preferably in a forum like Newbie, Server or Linux General.

Sorry, thought I had, hehe - typing in a bit of a hurry



Glad there wasn't anything obvious I was missing


I suspect my server at home is more secure than theirs.....
Personally, if I was adminning their server and was concerned about SSH access I'd disable password authentication, enable public key authentication and say "if you want SSH access in, send us your public and and we'll install it, if you don't know how to do that then you shouldn't be using SSH" (a bit BOFH, but it maintains security).


as you can probably see, I'm 100% with you on this.

Yes, sorry, was going to do that later, just thought I would pop it in, in case there was a quick alternative - but yes, I'm a bad boy for encouraging thread-diversion =8)