Ok, I have some good news on the ssh front as I managed to finally ssh from my local machine to a remote machine on the network.
The user "sshovas" on the remote machine needs to be set up with a password in order to authenticate certain stages in the ssh setup and rename the public and private keys as shown below:
$ ssh-keygen -t rsa -f ~/.ssh/id_rsa -C "OpenVASLocalSecurityChecksKey"
$ openssl pkcs8 -topk8 -v2 des3 -in ~/.ssh/id_rsa -out id_rsa.p8
Set up user "sshovas"
# adduser --disabled-password sshovas
Name: OpenVAS Local Security Checks
# su - sshovas
$ mkdir .ssh
$ cp /some/path/id_rsa.pub .ssh/authorized_keys
$ chmod 500 .ssh
$ chmod 400 .ssh/authorized_keys
I had to make changes to this as the user "sshovas" requires a password for authentication as shown later (may impact on the sladinstaller though?)
On the remote machine add this:
root@remote:~$ sudo visudo
# User privilege specification
root ALL=(ALL) ALL
sshovas ALL=(ALL) ALL
Enable the "sshovas" account and create a password in System/Administration/Users and Groups and add other privileges.
During previous ssh attempts, I got the error:
ssh: connect to host 192.168.100.200 port 22: Connection refused
Check if openssh-server is installed and if not install it:
root@remote:~$ apt-get install openssh-server
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
rssh molly-guard openssh-blacklist openssh-blacklist-extra
The following NEW packages will be installed:
openssh-server
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
........................................
Creating SSH2 RSA key; this may take some time ...
Creating SSH2 DSA key; this may take some time ...
ssh start/running, process 14458
Check that it is running:
root@remote:/home/user# ps -eaf|grep sshd
root 14458 1 0 14:15 ? 00:00:00 /usr/sbin/sshd -D
root 14612 9274 0 14:16 pts/0 00:00:00 grep --color=auto sshd
root@remote:/home/user# netstat -nav|grep :22
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp6 0 0 :::22 :::* LISTEN
Before debugging the ssh server on the remote machine, first check that the permissions on the directories and files are as follows:
On local machine:
user@local:~$ sudo chmod 700 /home/user/.ssh/
drw-r--r-- 1 user user 411 2012-02-24 12:54 /home/user/.ssh/
user@local:~$ sudo chmod 600 /home/user/.ssh/id_rsa
-rw-r--r-- 1 user user 411 2012-02-24 12:54 /home/user/.ssh/id_rsa
user@local:~$ sudo chmod 644 /home/user/.ssh/id_rsa.pub
-rw-r--r-- 1 user user 411 2012-02-24 12:54 /home/user/.ssh/id_rsa.pub
user@local:~$ sudo chmod 644 /home/user/.ssh/known_hosts
-rw-r--r-- 1 user user 411 2012-02-24 12:54 /home/user/.ssh/known_hosts
On remote machine:
sshovas@remote:~$ sudo chmod 644 /home/sshovas/.ssh/authorized_keys
-rw-r--r-- 1 sshovas sshovas 411 2012-02-24 12:54 /home/sshovas/.ssh/authorized_keys
sshovas@remote:~$ sudo chmod 700 /home/sshovas/.ssh/
drwx------ 2 sshovas sshovas 4096 2012-02-24 12:54 /home/sshovas/.ssh/
Debug the ssh server:
sshovas@remote:~$ ssh -vvv localhost uptime
OpenSSH_5.5p1 Debian-4ubuntu6, OpenSSL 0.9.8o 01 Jun 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to localhost [::1] port 22.
debug1: Connection established.
debug1: identity file /home/sshovas/.ssh/id_rsa type -1
debug1: identity file /home/sshovas/.ssh/id_rsa-cert type -1
debug1: identity file /home/sshovas/.ssh/id_dsa type -1
debug1: identity file /home/sshovas/.ssh/id_dsa-cert type -1
...............................................................
The authenticity of host 'localhost (::1)' can't be established.
RSA key fingerprint is XX:XX:XX:XX.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
............................................................
debug1: Next authentication method: publickey
debug1: Trying private key: /home/sshovas/.ssh/id_rsa
debug3: no such identity: /home/sshovas/.ssh/id_rsa
debug1: Trying private key: /home/sshovas/.ssh/id_dsa
debug3: no such identity: /home/sshovas/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
..................................
debug3: channel 0: close_fds r -1 w -1 e 6
Transferred: sent 1496, received 2056 bytes, in 1.2 seconds
Bytes per second: sent 1278.3, received 1756.7
debug1: Exit status 0
No private key is stored on the remote machine, only on the local machine that you ssh from.
Running sshd in debug mode on the destination server/remote machine:
sshovas@remote:~$ sudo /usr/sbin/sshd -p1234 -d
[sudo] password for sshovas:
debug1: sshd version OpenSSH_5.5p1 Debian-4ubuntu6
debug1: read PEM private key done: type RSA
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-p1234'
debug1: rexec_argv[2]='-d'
Set /proc/self/oom_adj from 0 to -17
debug1: Bind to port 1234 on 0.0.0.0.
Server listening on 0.0.0.0 port 1234.
debug1: Bind to port 1234 on ::.
Server listening on :: port 1234.
On the local machine, then attempt to connect to that specific port, no debugging options required:
user@local:~$ ssh -p1234 sshovas@192.168.100.200 uptime
Here, if it is a successful connection, you will get prompted in a window to enter the private key password.
Environment:
LANG=en_IE.UTF-8
USER=sshovas
LOGNAME=sshovas
HOME=/home/sshovas
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
MAIL=/var/mail/sshovas
SHELL=/bin/bash
SSH_CLIENT=192.168.20.150 59361 1234
SSH_CONNECTION=192.168.100.150 59361 192.168.20.200 1234
http_proxy=http:///
ftp_proxy=ftp:///
https_proxy=https:///
XDG_SESSION_COOKIE=
15:38:51 up 2 days, 23:46, 2 users, load average: 0.22, 0.16, 0.22
On the remote machine a successful ssh connection appears as:
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: temporarily_use_uid: 1002/1002 (e=0/0)
debug1: trying public key file /home/sshovas/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
debug1: matching key found: file /home/sshovas/.ssh/authorized_keys, line 1
Found matching RSA key: X:X:X:X:X:X:X:X
debug1: restore_uid: 0/0
Postponed publickey for sshovas from 192.168.100.150 port 59504 ssh2
This is successful; however, sladinstaller still gives the same error message on the local machine:
user@local:~$ sudo /usr/bin/sladinstaller
Installation was not successfull. Could not login via SSH. If you don't have a public key installed be sure to set the following options in the sshd_config file:
PermitRootLogin yes
PasswordAuthentication yes
The permissions were set as follows
http://www.noah.org/wiki/SSH_public_keys
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_rsa
chmod 644 ~/.ssh/id_rsa.pub
chmod 644 ~/.ssh/authorized_keys
chmod 644 ~/.ssh/known_hosts
Changed the sshd_config file:
---------------------------------------------
sshovas@local:~$ sudo nano /etc/ssh/sshd_config
#AuthorizedKeysFile /home/sshovas/.ssh/authorized_keys
PermitRootLogin no
PasswordAuthentication no
-----------------------------------------------
Not sure how to resolve the SLAD installer issue after all this, any ideas?
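
As an added example (not part of the original post), this shell script checks a ~/.ssh directory against the modes listed in the post: at most 700/600/644, and at least the 500/400 used in the first setup steps. The function names are hypothetical and GNU stat is assumed, as on the Ubuntu hosts shown above.

```shell
#!/bin/sh
# Added example (not from the original post): audit the ~/.ssh modes the post sets.
# Assumes GNU stat, as found on the Ubuntu hosts in the post.

# check_mode FILE MAX MIN: FILE may carry no permission bit outside octal MAX
# and must carry every bit in octal MIN. Missing files are skipped.
check_mode() {
    f=$1; max=$2; min=$3
    [ -e "$f" ] || return 0
    m=$(stat -c '%a' "$f")
    if [ $(( 0$m & ~0$max & 0777 )) -ne 0 ]; then
        printf 'TOO OPEN   %s is %s, allow at most %s\n' "$f" "$m" "$max"
        return 1
    fi
    if [ $(( 0$m & 0$min )) -ne $(( 0$min )) ]; then
        printf 'UNUSABLE   %s is %s, owner needs at least %s\n' "$f" "$m" "$min"
        return 1
    fi
    return 0
}

# audit_ssh_dir DIR: apply the limits listed in the post to DIR (a ~/.ssh directory).
# Upper limits are the chmod 700/600/644 values from the post; lower limits are
# the chmod 500/400 values from its first setup steps.
# Prints one line per finding; the return status is the number of findings.
audit_ssh_dir() {
    d=$1; bad=0
    check_mode "$d"                 700 500 || bad=$((bad + 1))
    check_mode "$d/id_rsa"          600 400 || bad=$((bad + 1))
    check_mode "$d/id_rsa.pub"      644 400 || bad=$((bad + 1))
    check_mode "$d/authorized_keys" 644 400 || bad=$((bad + 1))
    check_mode "$d/known_hosts"     644 400 || bad=$((bad + 1))
    return "$bad"
}

# Run against a directory given on the command line, e.g.: sh audit.sh ~/.ssh
if [ "$#" -gt 0 ]; then
    audit_ssh_dir "$1"
fi
```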