LinuxQuestions.org


Xiiph 01-04-2007 11:25 AM

Open SSH authentication using public keys
 
I got a problem with my Open SSH server: I want the authentication to be made using a public key file and password.

When I generated keys using SSH-KEYGEN and added a passphrase, the server couldn't read the keys.
I got the error: "Could not open host key" or such.

I now generated keys without a passphrase and the server starts properly; I can also connect using the public key file and user name + password. Although it doesn't matter if I connect using the public key or not, not specifying the public key still allows me access using username and password, I want it to require both. Also I would like to get it working with a passphrase on my keys.

Any ideas?

Running Ubuntu Server, 6.10 "Edgy Eft", thanks in advance!

raskin 01-04-2007 11:54 AM

Usual just-in-case question: you added the passphrase to the private key only?

anomie 01-04-2007 12:35 PM

Quote:

the server couldn't read the keys.
I got the error: "Could not open host key" or such.
Maybe we could revisit that. Can you recreate the problem and post the exact message?

Quote:

Although it doesn't matter if I connect using the public key or not, not specifying the public key still allows me access using username and password, I want it to require both.
I don't think it is possible to require both (well, maybe it is using some custom PAM configuration, but I don't know how). You're referring to two different types of authentication. 1. If you enable password authentication or challenge-response authentication, users will be able to authenticate using their username and password on the *nix system; 2. If you enable pubkey authentication, users will be able to authenticate using the generated keys.

If you only want pubkey authentication (+ a passphrase), then you will want to disable both authentication forms in point #1. Make sense?
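To make the two authentication forms in the reply above concrete, here is an added example (written for this page, not from the thread or from OpenSSH): a small POSIX shell audit that reads an sshd_config and reports whether password and challenge-response logins are still accepted, i.e. whether a password alone still logs a user in. The two sample configs it checks are constructed for the example; the commented-out `#PasswordAuthentication no` line in the first one is the usual trap, because sshd then falls back to its default of yes.

```shell
#!/bin/sh
# Added example: audit the three sshd_config directives that decide whether a
# password alone can still log a user in. Assumptions: OpenSSH defaults
# (PubkeyAuthentication yes, PasswordAuthentication yes,
# ChallengeResponseAuthentication yes) and "first occurrence wins", which is
# how sshd reads its config. Directives inside a Match block are ignored here.

# effective_value FILE DIRECTIVE DEFAULT -> prints the value sshd would use
effective_value() {
    ev_value=$(awk -v want="$2" '
        tolower($1) == "match" { exit }                  # conditional section: stop
        tolower($1) == tolower(want) { print tolower($2); exit }
    ' "$1")
    if [ -n "$ev_value" ]; then printf '%s\n' "$ev_value"; else printf '%s\n' "$3"; fi
}

# audit_sshd_config FILE -> 0 if only public-key auth is accepted, else 1
audit_sshd_config() {
    ac_status=0
    ac_pubkey=$(effective_value "$1" PubkeyAuthentication yes)
    ac_password=$(effective_value "$1" PasswordAuthentication yes)
    ac_challenge=$(effective_value "$1" ChallengeResponseAuthentication yes)
    [ "$ac_pubkey" = yes ] || { echo "FAIL: PubkeyAuthentication is $ac_pubkey"; ac_status=1; }
    [ "$ac_password" = no ] || { echo "FAIL: PasswordAuthentication is $ac_password (a password alone still logs in)"; ac_status=1; }
    [ "$ac_challenge" = no ] || { echo "FAIL: ChallengeResponseAuthentication is $ac_challenge (keyboard-interactive password prompts still work)"; ac_status=1; }
    return $ac_status
}

# Two constructed sample configs (not real server files) for the demo below.
write_sample_configs() {
    wsc_dir=$(mktemp -d)
    cat > "$wsc_dir/weak.conf" <<'EOF'
# constructed: keys work, but the password line is still commented out
Port 22
Protocol 2
PubkeyAuthentication yes
#PasswordAuthentication no
ChallengeResponseAuthentication yes
EOF
    cat > "$wsc_dir/hardened.conf" <<'EOF'
# constructed: only public-key authentication is accepted
Port 22
Protocol 2
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
EOF
    printf '%s\n' "$wsc_dir"
}

# Demo on the constructed samples; on a real server: audit_sshd_config /etc/ssh/sshd_config
sample_dir=$(write_sample_configs)
for cfg in weak hardened; do
    echo "== $cfg.conf"
    if audit_sshd_config "$sample_dir/$cfg.conf"; then
        echo "OK: only public-key authentication is accepted"
    fi
done
```

After changing the directives, restart sshd and confirm from a second terminal that `ssh -o PubkeyAuthentication=no user@server` is refused before closing the session you are already in.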

stickman 01-04-2007 07:19 PM

Quote:

Originally Posted by Xiiph
When I generated keys using SSH-KEYGEN and added a passphrase, the server couldn't read the keys.
I got the error: "Could not open host key" or such.

Did you use ssh-keygen to create the host keys or user keys? Or both?

Xiiph 01-04-2007 07:39 PM

I used ssh-keygen in this way:

ssh-keygen -t dsa -b 1024
Location: /etc/ssh/ssh_host_dsa_key
Enter passphrase:

ssh-keygen -t rsa -b 2048
Location: /etc/ssh/ssh_host_rsa_key
Enter passphrase:

I feel completely confused regarding what's private and public. I read that the first file it creates, the ssh_host_dsa_key, contains both the public and private key, and shouldn't be protected by a passphrase, but with file permissions 0700.

But I guess the ssh_host_dsa_key.pub file is the public key which should be distributed to users?

Thing is, if I try to change the password using ssh-keygen, it wants a private key, and even if I specify the .pub file, it whines that it hasn't got strict enough permissions. Also, afaik the public key can be world readable without worry since it's supposed to be protected by a passphrase?

I guess the error stated in my first post is due to the host key being protected by a passphrase when creating a pair of keys as stated above in this post? (if I enter a key and don't just press enter for an empty one?)

Light shedding requested! Thanks :D

stickman 01-04-2007 10:00 PM

Most common distros create the host keys if they don't exist. You could try deleting them and restart your daemon. Otherwise you could use the keys that you generated.

Drop all four of those files in /etc/ssh on your server. The private keys should be 600, and the pub keys should be 644. Make sure that the file names match what is in your sshd_config file. Restart your sshd daemon.

On your client, run the ssh-keygen to create an RSA key. Copy the pub key to ~/.ssh/authorized_keys on your server. Test your ssh connection.
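As an added illustration of the permission advice above and of the original "could not open host key" symptom (this is example code written for this page, not from the thread or from OpenSSH), the following POSIX shell checks a directory of host keys for the two things sshd trips over: wrong modes, and a passphrase on a private host key, which sshd cannot unlock at start-up. The sample directory it builds contains constructed placeholder files only. The passphrase detection looks for the `Proc-Type: 4,ENCRYPTED` header that PEM-format private keys carry, which is what ssh-keygen wrote at the time; for any key format, `ssh-keygen -y -P '' -f /etc/ssh/ssh_host_rsa_key` is the authoritative check, since it fails when the key needs a passphrase.

```shell
#!/bin/sh
# Added example: check sshd host keys the way the thread describes them:
# private halves mode 600, public halves mode 644, and no passphrase on the
# private halves. Assumption: the directory holds OpenSSH files named
# ssh_host_<type>_key and ssh_host_<type>_key.pub.

# mode_string PATH -> the 10-character mode field from ls, e.g. -rw-------
mode_string() { ls -ld "$1" | cut -c1-10; }

# check_host_keys DIR -> prints one PROBLEM line per finding; exits 0 only if none
check_host_keys() {
    chk_problems=0
    for chk_priv in "$1"/ssh_host_*_key; do
        [ -f "$chk_priv" ] || continue                   # pattern matched nothing
        chk_name=$(basename "$chk_priv")
        if [ "$(mode_string "$chk_priv")" != "-rw-------" ]; then
            echo "PROBLEM $chk_name: private key is $(mode_string "$chk_priv"), should be 600"
            chk_problems=$((chk_problems + 1))
        fi
        # PEM-format private keys record a passphrase with this header line
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$chk_priv"; then
            echo "PROBLEM $chk_name: private key is passphrase-protected, sshd cannot load it at start-up"
            chk_problems=$((chk_problems + 1))
        fi
        if [ ! -f "$chk_priv.pub" ]; then
            echo "PROBLEM $chk_name.pub: public half is missing"
            chk_problems=$((chk_problems + 1))
        elif [ "$(mode_string "$chk_priv.pub")" != "-rw-r--r--" ]; then
            echo "PROBLEM $chk_name.pub: public key is $(mode_string "$chk_priv.pub"), should be 644"
            chk_problems=$((chk_problems + 1))
        fi
    done
    [ "$chk_problems" -eq 0 ]
}

# count_host_key_problems DIR -> number of PROBLEM lines (always exits 0)
count_host_key_problems() {
    check_host_keys "$1" | awk '/^PROBLEM/ { n++ } END { print n + 0 }'
}

# fix_host_key_modes DIR -> apply 600 / 644 (a passphrase cannot be fixed this way:
# regenerate that key with an empty passphrase instead)
fix_host_key_modes() {
    for fix_priv in "$1"/ssh_host_*_key; do
        [ -f "$fix_priv" ] || continue
        chmod 600 "$fix_priv"
        if [ -f "$fix_priv.pub" ]; then chmod 644 "$fix_priv.pub"; fi
    done
}

# make_sample_ssh_dir DIR -> constructed placeholder files (no real key material)
# reproducing the thread's mistakes: a passphrase on the RSA key, sloppy modes on the DSA pair
make_sample_ssh_dir() {
    mkdir -p "$1"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: DES-EDE3-CBC,(constructed)' '(constructed placeholder)' \
        '-----END RSA PRIVATE KEY-----' > "$1/ssh_host_rsa_key"
    printf '%s\n' 'ssh-rsa AAAA(constructed) root@host' > "$1/ssh_host_rsa_key.pub"
    printf '%s\n' '-----BEGIN DSA PRIVATE KEY-----' '(constructed placeholder, no passphrase)' \
        '-----END DSA PRIVATE KEY-----' > "$1/ssh_host_dsa_key"
    printf '%s\n' 'ssh-dss AAAA(constructed) root@host' > "$1/ssh_host_dsa_key.pub"
    chmod 600 "$1/ssh_host_rsa_key"; chmod 644 "$1/ssh_host_rsa_key.pub"
    chmod 644 "$1/ssh_host_dsa_key"       # world-readable private key
    chmod 600 "$1/ssh_host_dsa_key.pub"   # public key not readable by others
}

# Demo; on a real server: check_host_keys /etc/ssh
demo_dir=$(mktemp -d)/etc-ssh
make_sample_ssh_dir "$demo_dir"
check_host_keys "$demo_dir" || echo "-- fixing modes --"
fix_host_key_modes "$demo_dir"
check_host_keys "$demo_dir" || echo "-- remaining problem needs the key regenerated without a passphrase --"
```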

Xiiph 01-04-2007 10:07 PM

Quote:

Originally Posted by stickman
Most common distros create the host keys if they don't exist. You could try deleting them and restart your daemon. Otherwise you could use the keys that you generated.

Drop all four of those files in /etc/ssh on your server. The private keys should be 600, and the pub keys should be 644. Make sure that the file names match what is in your sshd_config file. Restart your sshd daemon.

On your client, run the ssh-keygen to create an RSA key. Copy the pub key to ~/.ssh/authorized_keys on your server. Test your ssh connection.

So basically, I create all host keys without a passphrase, and then I create the authentication keys, with a passphrase, copying those to the authorized_keys file and using it on the client to authenticate?

But what use do the host keys private and public have then? :confused:

chort 01-04-2007 11:44 PM

The host keys are necessary for the clients to identify the server.

For users to authenticate using public/private keys, you need to generate a different set of keys for each user. ssh-keygen creates both a private and a public key. It asks you for the name of the private key, and automatically creates a public key with the same name and .pub appended to it.

The user's private key is their authentication token, which they use in place of a password. The user supplies their passphrase to "unlock" the private key so that they can send it as authentication. In this way the actual passphrase isn't sent over the wire, only the private key is. In order for the private key to be accepted for authentication, the public portion needs to be in the user's ~/.ssh/authorized_keys file on the machine that they're logging in to. Each user has their own authorized_keys file that tells the ssh daemon (server) running on that machine which private keys should be allowed to login as that user. Ideally a user should generate a different private key for each machine they will be logging in from. That allows them to revoke only that public key out of authorized_keys if a machine or private key is compromised.

Assume you have a machine, "host1", that you want to be able to ssh from, to log in to another machine, "host2". Here are the steps to enable public/private key authentication.
Code:

host1 ~# ssh-keygen -t rsa
host1 ~# scp .ssh/id_rsa.pub user@host2:host1_id_rsa.pub
host1 ~# ssh user@host2
host2 ~$ mkdir .ssh
host2 ~$ chmod 700 .ssh
host2 ~$ cd .ssh
host2 .ssh$ mv ../host1_id_rsa.pub ./
host2 .ssh$ cat host1_id_rsa.pub >> authorized_keys
host2 .ssh$ chmod 600 authorized_keys

If you want to connect to host2 from host3, host4, etc, then repeat the steps above, only substituting host[34] in place of host1. Also, you don't have to create the .ssh directory and change the permissions on host2 for each public key after the original.
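The host2 side of the steps above, as an added example written for this page (not chort's code and not part of OpenSSH): a POSIX shell function that installs a public key into a user's authorized_keys with the directory and file modes sshd's StrictModes check accepts, skips a key that is already present, and refuses a file that is a private key, which is the mix-up this thread kept circling. The key files and home directory it operates on are constructed placeholders, so it runs without any real keys.

```shell
#!/bin/sh
# Added example: the receiving (host2) end of public-key setup.
# install_authorized_key HOME_DIR PUBKEY_FILE
#   Appends the first line of PUBKEY_FILE to HOME_DIR/.ssh/authorized_keys,
#   creating .ssh (700) and authorized_keys (600) as needed.
#   Returns 1 without touching anything if the file is not an OpenSSH public key
#   (for example the private key handed over by mistake).
install_authorized_key() {
    iak_key=$(head -n 1 "$2")
    case "$iak_key" in
        "ssh-rsa "*|"ssh-dss "*|"ssh-ed25519 "*|ecdsa-sha2-*) ;;   # "<type> <base64> [comment]"
        *) echo "refusing $2: not an OpenSSH public key (a private key starts with -----BEGIN)" >&2; return 1 ;;
    esac
    iak_dir="$1/.ssh"
    iak_file="$iak_dir/authorized_keys"
    mkdir -p "$iak_dir"
    chmod 700 "$iak_dir"
    touch "$iak_file"
    chmod 600 "$iak_file"
    # Match on type + key material only, so the same key with a new comment is not added twice
    iak_id=$(printf '%s\n' "$iak_key" | awk '{ print $1, $2 }')
    if awk -v id="$iak_id" '($1 " " $2) == id { found = 1 } END { exit !found }' "$iak_file"; then
        echo "$iak_file already contains this key"
        return 0
    fi
    printf '%s\n' "$iak_key" >> "$iak_file"
    echo "added key to $iak_file"
}

# count_authorized_keys HOME_DIR -> number of key lines in authorized_keys
count_authorized_keys() {
    awk 'NF >= 2 && $1 !~ /^#/ { n++ } END { print n + 0 }' "$1/.ssh/authorized_keys"
}

# mode_string PATH -> the 10-character mode field from ls, e.g. drwx------
mode_string() { ls -ld "$1" | cut -c1-10; }

# make_sample_keys DIR -> constructed placeholder files (no real key material):
# host1_id_rsa.pub is what should be copied over, host1_id_rsa is the mix-up
make_sample_keys() {
    mkdir -p "$1"
    printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQConstructedNotARealKey0000= user@host1' > "$1/host1_id_rsa.pub"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' '(constructed placeholder)' '-----END RSA PRIVATE KEY-----' > "$1/host1_id_rsa"
}

# Demo in a scratch home directory; on host2 the first argument would be "$HOME"
demo_dir=$(mktemp -d)
make_sample_keys "$demo_dir"
install_authorized_key "$demo_dir/home" "$demo_dir/host1_id_rsa.pub"
install_authorized_key "$demo_dir/home" "$demo_dir/host1_id_rsa.pub"   # second run is a no-op
install_authorized_key "$demo_dir/home" "$demo_dir/host1_id_rsa" || echo "private key rejected, as intended"
echo "keys installed: $(count_authorized_keys "$demo_dir/home")"
```

Matching on the key type and material rather than the whole line means re-running the script after a user regenerates the comment on the same key does not leave duplicate entries, and the refusal branch is what turns the `host1_id_rsa` versus `host1_id_rsa.pub` slip into an error message instead of a private key sitting in a file that is meant to be distributed.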

Xiiph 01-05-2007 08:58 AM

Thanks a lot! I got it working finally, and that also helped me clear out some question marks about how it all worked. :D

Thanks for all fast replies :)

