LinuxQuestions.org
Old 02-06-2004, 08:03 AM   #1
linuxnube
Member
 
Registered: Oct 2003
Location: US
Distribution: Fedora C1 & C2
Posts: 81

Rep: Reputation: 15
ssh connection with key


I can connect to my system via ssh remotely but I need to make it more secure. Currently, the key pairs I have created are not required. I would like to rectify that security hole.


I have tried to correct this by adding the following lines in my /etc/ssh/sshd_config file:

Protocol 2
PAMAuthenticationViaKbdInt no
PubkeyAuthentication yes
PasswordAuthentication no
AllowUsers testssh

I added my public key to /home/testssh/.ssh/authorized_keys and chmod the file with 400.

I see the public key in the authorized_keys file ends in =. Should it have my user name afterwards?

However, my ssh client window (PuTTY - private key is in Pageant) ends as soon as I type in the user name. I cannot locate any log file, so I stopped sshd and restarted it in debug mode which produced the following.

Can you tell me why the authentication is failing?
Is there a log file for sshd?

Thanks in advance!


[root@gateway .ssh]# /usr/sbin/sshd -d
debug1: sshd version OpenSSH_3.6.1p2
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
socket: Address family not supported by protocol
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: Server will not fork when running in debugging mode.
Connection from <real remote ip> port 4176
debug1: Client protocol version 2.0; client software version PuTTY-Release-0.53b
debug1: no match: PuTTY-Release-0.53b
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.6.1p2
debug1: permanently_set_uid: 74/74
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes256-cbc hmac-sha1 zlib
debug1: kex: server->client aes256-cbc hmac-sha1 zlib
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST_OLD received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: Enabling compression at level 6.
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user testssh service ssh-connection method none
debug1: attempt 0 failures 0
Failed none for testssh from <real remote ip> port 4176 ssh2
debug1: Starting up PAM with username "teshssh"
debug1: PAM setting rhost to "systranfederal.donet.com"
debug1: userauth-request for user testssh service ssh-connection method publickey
debug1: attempt 1 failures 1
debug1: test whether pkalg/pkblob are acceptable
debug1: temporarily_use_uid: 500/500 (e=0/0)
debug1: trying public key file /home/testssh/.ssh/authorized_keys
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 500/500 (e=0/0)
debug1: trying public key file /home/testssh/.ssh/authorized_keys2
debug1: restore_uid: 0/0
Failed publickey for testssh from <real remote ip> port 4176 ssh2
debug1: userauth-request for user testssh service ssh-connection method keyboard-interactive
debug1: attempt 2 failures 2
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=testssh devs=
debug1: kbdint_alloc: devices ''
Failed keyboard-interactive for testssh from <real remote ip> port 4176 ssh2
debug1: userauth-request for user testssh service ssh-connection method password
debug1: attempt 3 failures 3
debug1: PAM password authentication accepted for testssh
Accepted password for testssh from <real remote ip> port 4176 ssh2
debug1: monitor_child_preauth: testssh has been authenticated by privileged process
Accepted password for testssh from <real remote ip> port 4176 ssh2
debug1: PAM establishing creds
debug1: permanently_set_uid: 500/500
debug1: Entering interactive session for SSH2.
debug1: fd 7 setting O_NONBLOCK
debug1: fd 8 setting O_NONBLOCK
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 256 win 16384 max 16384
debug1: input_session_request
debug1: channel 0: new [server-session]
debug1: session_new: init
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_channel_req: channel 0 request pty-req reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req pty-req
debug1: lastlog_openseek: Couldn't open /var/log/lastlog: Permission denied
debug1: Allocating pty.
debug1: session_new: init
debug1: session_new: session 0
debug1: session_pty_req: session 0 alloc /dev/pts/4
debug1: server_input_channel_req: channel 0 request shell reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req shell
debug1: PAM setting tty to "/dev/pts/4"
debug1: PAM establishing creds
debug1: Setting controlling tty using TIOCSCTTY.
debug1: channel 0: rfd 10 isatty
debug1: fd 10 setting O_NONBLOCK
debug1: Received SIGCHLD.
debug1: session_by_pid: pid 5641
debug1: session_exit_message: session 0 channel 0 pid 5641
debug1: channel 0: request exit-status
debug1: session_exit_message: release channel 0
debug1: channel 0: write failed
debug1: channel 0: close_write
debug1: channel 0: output open -> closed
debug1: session_close: session 0 pid 5641
debug1: channel 0: read<=0 rfd 10 len -1
debug1: channel 0: read failed
debug1: channel 0: close_read
debug1: channel 0: input open -> drain
debug1: channel 0: ibuf empty
debug1: channel 0: send eof
debug1: channel 0: input drain -> closed
debug1: channel 0: send close
debug1: session_by_tty: session 0 tty /dev/pts/4
debug1: session_pty_cleanup: session 0 release /dev/pts/4
debug1: channel 0: rcvd close
debug1: channel 0: is dead
debug1: channel 0: garbage collecting
debug1: channel_free: channel 0: server-session, nchannels 1
Connection closed by <real remote ip>
debug1: krb5_cleanup_proc called
Closing connection to <real remote ip>
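
The debug output above read as a timeline: an added example, not part of the original post, that pulls out each authentication method sshd logged with its result and flags a login accepted by anything other than publickey. The sample lines are a constructed excerpt of that log with a documentation IP address in place of the remote address; the function names are illustrative.

```python
import re

# Constructed excerpt: the userauth lines from the debug output above,
# with the remote address replaced by a documentation IP (192.0.2.10).
SAMPLE = """\
debug1: userauth-request for user testssh service ssh-connection method none
Failed none for testssh from 192.0.2.10 port 4176 ssh2
debug1: userauth-request for user testssh service ssh-connection method publickey
debug1: trying public key file /home/testssh/.ssh/authorized_keys
debug1: trying public key file /home/testssh/.ssh/authorized_keys2
Failed publickey for testssh from 192.0.2.10 port 4176 ssh2
debug1: userauth-request for user testssh service ssh-connection method keyboard-interactive
Failed keyboard-interactive for testssh from 192.0.2.10 port 4176 ssh2
debug1: userauth-request for user testssh service ssh-connection method password
debug1: PAM password authentication accepted for testssh
Accepted password for testssh from 192.0.2.10 port 4176 ssh2
Accepted password for testssh from 192.0.2.10 port 4176 ssh2
"""

RESULT = re.compile(r"^(Failed|Accepted) (\S+) for (?:invalid user )?(\S+) from (\S+) port (\d+)")
KEYFILE = re.compile(r"trying public key file (\S+)")

def auth_timeline(log_text):
    """Return ordered (method, outcome, user) tuples and the key files sshd tried."""
    attempts, key_files = [], []
    for line in log_text.splitlines():
        m = RESULT.match(line.strip())
        if m:
            entry = (m.group(2), m.group(1).lower(), m.group(3))
            if not attempts or attempts[-1] != entry:  # "Accepted" is logged twice
                attempts.append(entry)
            continue
        k = KEYFILE.search(line)
        if k and k.group(1) not in key_files:
            key_files.append(k.group(1))
    return attempts, key_files

def findings(attempts, allowed=("publickey",)):
    """Report failures of an intended method and logins accepted by any other."""
    out = []
    for method, outcome, user in attempts:
        if outcome == "accepted" and method not in allowed:
            out.append(f"{user}: login accepted via '{method}', outside the intended policy")
        elif outcome == "failed" and method in allowed:
            out.append(f"{user}: '{method}' was offered and rejected")
    return out

if __name__ == "__main__":
    print("\n".join(findings(auth_timeline(SAMPLE)[0])))
```

On this excerpt it reports that publickey was rejected and that the session was then accepted with a password.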
 
Old 02-07-2004, 08:37 AM   #2
linuxnube
Member
 
Registered: Oct 2003
Location: US
Distribution: Fedora C1 & C2
Posts: 81

Original Poster
Rep: Reputation: 15
Suggestions on where I can go for help on this?
 
Old 02-09-2004, 02:55 PM   #3
linuxnube
Member
 
Registered: Oct 2003
Location: US
Distribution: Fedora C1 & C2
Posts: 81

Original Poster
Rep: Reputation: 15
I was able to resolve this by creating a new pair of keys. Since I do not know what the problem was, I'll assume I had an invalid key.
 
Old 02-25-2005, 02:48 PM   #4
edafe
Member
 
Registered: Feb 2005
Posts: 44

Rep: Reputation: 15
Step-by-step instructions on how to use public key authentication with SSH:

http://www.edafe.org/slackware/index...authentication

Regards,
Edafe
 
  

