I've a problem setting up a working public key authentication between my windows machine and the linux box. I was able to get the thing working between the windows machine and a different unix server.
I'm running OpenSSH 3 on my Debian (running 2.4.18 kernel) with an sshd-server. On the windows machine (W2K Professional) I am using SSH Secure Shell -client.
Here is what I have done so far:
I ran ssh-keygen2 -t dsa on the windows machine and generated the keypair. I then added the keyname to the ....\Application Data\SSH\identification -file. The key itself is located in the ....\UserKeys\ -directory where the SSH Secure Shell -client automatically puts it. I then uploaded the id_dsa_2048_d.pub -file to the linux box to the ~/.ssh directory. Then I ran "cat id_dsa_2048_d.pub >> authorized_keys" in the ~/.ssh -directory. The ~/.ssh/authorized_keys -file now contains the exact contents of the *.pub -file.
So that should do it, right? The server configuration has PubkeyAuthentication enabled and a similar setup has worked with a unix server. Although in that case the server was also the "official" ssh server, which used a slightly different system.
Anyways, here are my server configurations and other data. Perhaps you can find out something I've missed.
***** THE sshd_config *****
# Package generated configuration file
# See the sshd(8) manpage for defails
# What ports, IPs and protocols we listen for
Port 22
Port 60022
#Port 65022
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# ...but breaks Pam auth via kbdint, so we have to turn it off
# Use PAM authentication via keyboard-interactive so PAM modules can
# properly interface with the user (off due to PrivSep)
PAMAuthenticationViaKbdInt no
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768
# rhosts authentication should not be used
RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Uncomment to disable s/key passwords
#ChallengeResponseAuthentication no
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no
# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes
X11Forwarding no
X11DisplayOffset 10
PrintMotd no
#PrintLastLog no
KeepAlive yes
#UseLogin no
-rw-r--r-- 1 gameon gameon 1265 Jan 1 14:55 authorized_keys
-rw-r--r-- 1 gameon gameon 834 Dec 29 14:35 known_hosts
******DEBUG FROM THE ssh-command. I've highlighted some noteworthy lines. I can't decipher them anyhow. ************
debug: Connecting to babylon, port 22... (SOCKS not used)
debug: Ssh2/ssh2.c:2297: Entering event loop.
debug: Ssh2Client/sshclient.c:1421: Creating transport protocol.
debug: SshAuthMethodClient/sshauthmethodc.c:85: Added "publickey" to usable methods.
debug: SshAuthMethodClient/sshauthmethodc.c:85: Added "password" to usable methods.
debug: Ssh2Client/sshclient.c:1462: Creating userauth protocol.
debug: client supports 2 auth methods: 'publickey,password'
debug: Ssh2Common/sshcommon.c:530: local ip = 192.168.0.2, local port=1732
debug: Ssh2Common/sshcommon.c:532: remote ip = 192.168.0.1, remote port = 22
debug: SshConnection/sshconn.c:1945: Wrapping...
debug: Remote version: SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3
debug: OpenSSH: Major: 3 Minor: 4 Revision: 0
***debug: Ssh2Transport/trcommon.c:1518: All versions of OpenSSH handle kex guesses incorrectly.***
debug: Ssh2Transport/trcommon.c:1901: lang s to c: `', lang c to s: `'
debug: Ssh2Transport/trcommon.c:1967: c_to_s: cipher 3des-cbc, mac hmac-sha1, compression none
debug: Ssh2Transport/trcommon.c:1970: s_to_c: cipher 3des-cbc, mac hmac-sha1, compression none
debug: Remote host key found from database.
debug: Ssh2Common/sshcommon.c:331: Received SSH_CROSS_STARTUP packet from connection protocol.
debug: Ssh2Common/sshcommon.c:381: Received SSH_CROSS_ALGORITHMS packet from connection protocol.
debug: server offers auth methods 'publickey,password,keyboard-interactive'.
***debug: SshConfig/sshconfig.c:2764: Version not found on first line, assuming configuration to be old style.***
debug: Ssh2AuthPubKeyClient/authc-pubkey.c:1591: adding keyfile "C:/Documents and Settings/Administrator/Application Data/SSH/UserKeys/id_dsa_2048_b" to candidates
debug: Ssh2AuthPubKeyClient/authc-pubkey.c:1591: adding keyfile "C:/Documents and Settings/Administrator/Application Data/SSH/UserKeys/id_dsa_2048_d" to candidates
debug: server offers auth methods 'publickey,password,keyboard-interactive'.
debug: server offers auth methods 'publickey,password,keyboard-interactive'.
***debug: Ssh2AuthClient/sshauthc.c:319: Method 'publickey' disabled.***
debug: server offers auth methods 'publickey,password,keyboard-interactive'.
debug: Ssh2AuthPasswdClient/authc-passwd.c:105: Starting password query...
And then it asks me for the password...
************
The ***b.pub -file is a second key that I use to connect to the unix-server. It works just fine so the problem really can't be on the client side, right?
I hope someone can shed some light into this. Thanks for any help!
Well I finally solved it. How stupid can this thing get, really?
The problem was that the SSH Secure Shell -client generated a public key file which is completely incompatible with the OpenSSH -server as such.
The key I generated with the SSH client contained several lines of comments and other data which were not accepted by the OpenSSH -server. I had to remove ALL those lines, leaving only the actual key remaining in the file. In addition to that, I had to add the string "ssh-dss" to the beginning of the key and then remove all the line breaks that were generated on the Windows side. So in the end I had a file that had one large line with "ssh-dss" at the beginning, a whitespace and then the actual key in one large block. Then I just appended the whole deal to the authorized_keys -file. Worked like a charm on the first try.
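
The manual conversion described in the last post, as an added example that is not part of the original thread: it drops the marker and header lines of an SSH2-format public key, joins the wrapped key data, and reads the algorithm name from the key itself. The function names, the sample comment and the sample key are constructed for illustration; the sample is not a usable key.

```python
import base64
import struct

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"


def ssh2_to_openssh(text, comment=""):
    """Turn an SSH2-format public key file into one authorized_keys line."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing SSH2 BEGIN/END marker lines")
    body, wrapped_header = [], False
    for ln in lines[1:-1]:
        if wrapped_header or ":" in ln:
            # "Subject:", "Comment:" ... headers; a trailing backslash means
            # the header continues on the next line. Base64 never contains ':'.
            wrapped_header = ln.endswith("\\")
        else:
            body.append(ln)
    b64 = "".join(body)  # removes the line breaks inside the key data
    blob = base64.b64decode(b64, validate=True)
    # The decoded blob begins with a length-prefixed algorithm name, so the
    # "ssh-dss" prefix is read from the key instead of being typed by hand.
    if len(blob) < 4:
        raise ValueError("key data too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    if name_len == 0 or 4 + name_len > len(blob):
        raise ValueError("bad algorithm name length")
    key_type = blob[4:4 + name_len].decode("ascii")
    return " ".join(part for part in (key_type, b64, comment) if part)


def constructed_sample():
    """Constructed input: correct layout, meaningless numbers, not a real key."""
    def field(data):
        return struct.pack(">I", len(data)) + data
    blob = field(b"ssh-dss") + b"".join(field(bytes([i]) * 20) for i in range(1, 5))
    b64 = base64.b64encode(blob).decode("ascii")
    chunks = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    header = 'Comment: "constructed sample, \\\r\nnot a real key"'
    return "\r\n".join([BEGIN, header] + chunks + [END]) + "\r\n", b64


if __name__ == "__main__":
    sample, _ = constructed_sample()
    print(ssh2_to_openssh(sample, "sample-comment"))
```

Current OpenSSH can do the same import itself with `ssh-keygen -i -f <keyfile>`, which prints the one-line form ready to append to authorized_keys.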