LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices



Reply
 
Search this Thread
Old 08-29-2007, 10:05 PM   #1
MykeV
LQ Newbie
 
Registered: Jan 2006
Location: North Carolina, Raleigh
Distribution: Ubuntu 6.10, Suse 10.2
Posts: 12

Rep: Reputation: 0
Private/Public key vs. Password authentication w/ SSH


Hey all, I run IPCop as my firewall/router on my network. I use SSH to access it from remote locations from time to time. I want to disable password authentication in the sshd_config file and go with private/public key authentication. However, on the windows laptop i use to access all my computers remotely, i have OpenSSH installed and already use a private key (id_rsa) for another linux server (serverB) i SSH into. I added the private key file from the IPCop server (ssh_host_rsa_key) into the same directory as the id_rsa key on my laptop. So i have 2 private keys for SSH authentication that reside in the same directory for 2 different SSH boxes. When i try to SSH from my laptop into the IPCop server (bubblicious) the private/public key authentication fails.

Code:
C:\Documents and Settings\MykeV>ssh -p 222 -v root@bubblicious
OpenSSH_3.8.1p1, OpenSSL 0.9.7d 17 Mar 2004
debug1: Connecting to bubblicious [192.168.168.1] port 222.
debug1: Connection established.
debug1: identity file /home/MykeV/.ssh/identity type -1
debug1: identity file /home/MykeV/.ssh/id_rsa type 1
debug1: identity file /home/MykeV/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.5
debug1: match: OpenSSH_4.5 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'bubblicious' is known and matches the RSA host key.
debug1: Found key in /home/MykeV/.ssh/known_hosts:3
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /home/MykeV/.ssh/identity
debug1: Offering public key: /home/MykeV/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Trying private key: /home/MykeV/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password
root@bubblicious's password:
Do i need to have the private key file for IPCop renamed to id_rsa? I ask that 'cause if i do then i would effectively be overwriting the id_rsa private key for serverB. Is there a line in the sshd_config file or ssh_config file i can change to allow me to use a specific private key? I don't think it's permissible to use the private/public key files from serverB on the IPCop system 'cause the key files are specific to that system. I hope i am making sense. Anyway, your comments would be appreciated.

One more thing, connecting from my laptop to serverB using the associated private(id_rsa)/public key files works fine.
 
Old 08-30-2007, 07:05 AM   #2
MykeV
LQ Newbie
 
Registered: Jan 2006
Location: North Carolina, Raleigh
Distribution: Ubuntu 6.10, Suse 10.2
Posts: 12

Original Poster
Rep: Reputation: 0
I know someone out here has an answer. Help me please.
 
Old 09-01-2007, 11:30 PM   #3
ntubski
Senior Member
 
Registered: Nov 2005
Distribution: Debian
Posts: 2,541

Rep: Reputation: 878Reputation: 878Reputation: 878Reputation: 878Reputation: 878Reputation: 878Reputation: 878
From ssh man pages:
Code:
man ssh...

    -i identity_file
          Selects a file from which the  identity  (private  key)
          for  RSA or DSA authentication is read.  The default is
          ~/.ssh/identity   for   protocol   version    1,    and
          ~/.ssh/id_rsa and ~/.ssh/id_dsa for protocol version 2.
          Identity files may also  be  specified  on  a  per-host
          basis  in  the  configuration  file.  It is possible to
          have multiple -i options (and multiple identities spec-
          ified in configuration files).

man ssh_config...

     IdentityFile
          Specifies  a  file  from  which  the  user's RSA or DSA
          authentication  identity  is  read.   The  default   is
          ~/.ssh/identity    for    protocol   version   1,   and
          ~/.ssh/id_rsa and ~/.ssh/id_dsa for protocol version 2.
          Additionally, any identities represented by the authen-
          tication agent will be used  for  authentication.   The
          file name may use the tilde syntax to refer to a user's
          home directory.  It is possible to have multiple  iden-
          tity  files specified in configuration files; all these
          identities will be tried in sequence.
 
Old 11-25-2007, 03:37 AM   #4
devout
LQ Newbie
 
Registered: Nov 2007
Distribution: ubuntu
Posts: 2

Rep: Reputation: 0
I have tryed adding ~/.ssh/NameOfPrivateKeyFile to the /etc/ssh/ssh_config file and have changed the name of id_rsa to NameOfPrivateKeyFile as mentioned above.

When I try ssh into my server I get the message
"/etc/ssh/ssh_config: line 52: Bad configureation option: ~/.ssh/NameOfPrivateKeyFile
/etc/ssh/ssh_config: terminating, 1 bad configuration options"

Have I missed something?

Also how do I go about changing the ~/.ssh/id_rsa.pub
I mean I can change it, but where do I set it in a config file?

Any help appreciated.
 
Old 11-25-2007, 04:36 AM   #5
devout
LQ Newbie
 
Registered: Nov 2007
Distribution: ubuntu
Posts: 2

Rep: Reputation: 0
silly me...
Needed the IdentityFile in front of it.
I've changed the name of my ids_rsa.pub and it seems to work.
Any ideas how ssh knows where to look for the public key, now that I've changed it's name?
 
Old 11-25-2007, 12:49 PM   #6
ntubski
Senior Member
 
Registered: Nov 2005
Distribution: Debian
Posts: 2,541

Rep: Reputation: 878Reputation: 878Reputation: 878Reputation: 878Reputation: 878Reputation: 878Reputation: 878
The public key has to be on the host, the machine that you are ssh'ing to. All the public keys go in the .ssh/authorized_keys file on the host. So after copying the public key to the host, you would do on the host
Code:
cat id_rsa.pub >>~/.ssh/authorized_keys
which would add the public key to public key file.
 
  


Reply

Tags
keys, private, public, ssh, sshdconfig


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
need help with SSH private/public key taduser Linux - Security 2 04-02-2007 08:07 PM
SSH - trouble authenticating private/public key Micro420 Linux - Networking 5 01-23-2007 02:08 PM
SSH public / private key authentication problems thronh Linux - Security 7 06-14-2006 12:21 PM
SSH public/private key authentication with GnuPG keys? thinksincode Linux - Security 1 02-25-2005 03:33 PM
public/private key authentication with PuTTY NetAX Linux - Security 5 10-27-2004 07:00 PM


All times are GMT -5. The time now is 08:07 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration