LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices

Reply
 
Search this Thread
Old 01-04-2007, 11:25 AM   #1
Xiiph
LQ Newbie
 
Registered: May 2004
Distribution: Ubuntu Server, Xubuntu, Fedora Core, Debian
Posts: 14

Rep: Reputation: 0
Open SSH authentication using public keys


I got a problem with my Open SSH server, I want the authentication to be made using
a public key file and password.

When I generated keys using SSH-KEYGEN and adding a passphrase, the server couldnt read the keys.
I got the error: "Could not open host key" or such.

I now generated keys without a passphrase and the server starts properly, i can also connect using the public key file and user name + password. Although it doesnt matter if i connect using the public key or not, not specifying the public key still allows me access using username and password, I want it to require both. Also I would like to get it working with a passphrase on my keys.

Any ideas?

Running Ubuntu Server, 6.10 "Edgy Eft", thanks in advance!
 
Old 01-04-2007, 11:54 AM   #2
raskin
Senior Member
 
Registered: Sep 2005
Location: Russia
Distribution: NixOS (http://nixos.org)
Posts: 1,893

Rep: Reputation: 68
Usual just-in-case question: you added passphrase to private key only?
 
Old 01-04-2007, 12:35 PM   #3
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD
Posts: 3,930
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
the server couldnt read the keys.
I got the error: "Could not open host key" or such.
Maybe we could revisit that. Can you recreate the problem and post the exact message?

Quote:
Although it doesnt matter if i connect using the public key or not, not specifying the public key still allows me access using username and password, I want it to require both.
I don't think it is possible to require both (well, maybe it is using some custom PAM configuration, but I don't know how). You're referring to two different types of authentication. 1. If you enable password authentication or challengeresponse authentication, users will be able to authenticate using their username and password on the *nix system; 2. If you enable pubkey authentication, users will be able to authenticate using the generated keys.

If you only want pubkey authentication (+ a passphrase), then you will want to disable both authentication forms in point #1. Make sense?
 
Old 01-04-2007, 07:19 PM   #4
stickman
Senior Member
 
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552

Rep: Reputation: 53
Quote:
Originally Posted by Xiiph
When I generated keys using SSH-KEYGEN and adding a passphrase, the server couldnt read the keys.
I got the error: "Could not open host key" or such.
Did you use ssh-keygen to create the host keys or user keys? Or both?
 
Old 01-04-2007, 07:39 PM   #5
Xiiph
LQ Newbie
 
Registered: May 2004
Distribution: Ubuntu Server, Xubuntu, Fedora Core, Debian
Posts: 14

Original Poster
Rep: Reputation: 0
I used ssh-keygen in this way:

ssh-keygen -t dsa -b 1024
Location: /etc/ssh/ssh_host_dsa_key
Enter passphrase:

ssh-keygen -t rsa -b 2048
Location: /etc/ssh/ssh_host_rsa_key
Enter passphrase:

I feel completely confused regarding whats private and public. I read that the first file it creates, the ssh_host_dsa_key, contain both the public and private key, and shouldnt be protected by a passphrase, but with file permissions 0700.

But i guess the ssh_host_dsa_key.pub file is the public key which should be distributed to users?

Thing is if I try to change the password using ssh-keygen, it want a private key, and even if i specify the .pub file, it whine it hasnt strict permissions enough. Also afaik the public key can without worry be world readable since its supposed to be protected by a passphrase?

I guess the error stated in my first post comes due to the host key being protected by a passphrase when creating a pair of keys like stated above in this post? (if i enter a key and not just press enter for an empty?)

Light shedding requested! Thanks
 
Old 01-04-2007, 10:00 PM   #6
stickman
Senior Member
 
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552

Rep: Reputation: 53
Most common distros create the host keys if they don't exist. You could try deleting them and restart your daemon. Otherwise you could use the keys that you generated.

Drop all four of those files in /etc/ssh on your server. The private keys should be 600, and the pub keys should be 644. Make sure that the file names match what is in your sshd_config file. Restart your sshd daemon.

On your client, run the ssh-keygen to create an RSA key. Copy the pub key to ~/.ssh/authorized_keys on your server. Test your ssh connection.
 
Old 01-04-2007, 10:07 PM   #7
Xiiph
LQ Newbie
 
Registered: May 2004
Distribution: Ubuntu Server, Xubuntu, Fedora Core, Debian
Posts: 14

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by stickman
Most common distros create the host keys if they don't exist. You could try deleting them and restart your daemon. Otherwise you could use the keys that you generated.

Drop all four of those files in /etc/ssh on your server. The private keys should be 600, and the pub keys should be 644. Make sure that the file names match what is in your sshd_config file. Restart your sshd daemon.

On your client, run the ssh-keygen to create an RSA key. Copy the pub key to ~/.ssh/authorized_keys on your server. Test your ssh connection.
So basically, I create all host keys without a passphrase, and then I create the authentication keys, with a passphrase, copying those to the authorized_keys file and using it on the client to authenticate?

But what use do the host keys private and public have then?
 
Old 01-04-2007, 11:44 PM   #8
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
The host keys are necessary for the clients to identify the server.

For users to authenticate using public/private keys, you need to generate a different set of keys for each user. ssh-keygen creates both a private and a public key. It asks you for the name of the private key, and automatically creates a public key with the same name and .pub appended to it.

The user's private key is their authentication token, which they use in place of a password. The user supplies their passphrase to "unlock" the private key so that they can send it as authentication. In this way the actual passphrase isn't sent over the wire, only the private key is. In order for the private key to be accepted for authentication, the public portion needs to be in the user's ~/.ssh/authorized_keys file on the machine that they're logging in to. Each user has their own authorized_keys file that tells the ssh daemon (server) running on that machine which private keys should be allowed to login as that user. Ideally a user should generate a different private key for each machine they will be logging in from. That allows them to revoke only that public key out of authorized_keys if a machine or private key is compromised.

Assume you have a machine, "host1", that you want to be able to ssh from to login to another machine, "host2". Here are the steps to enable public/private key authentication.
Code:
host1 ~# ssh-keygen -t rsa
host1 ~# scp .ssh/id_rsa.pub user@host2:host1_id_rsa.pub
host1 ~# ssh user@host2
host2 ~$ mkdir .ssh
host2 ~$ chmod 700 .ssh
host2 ~$ cd .ssh
host2 .ssh$ mv ../host1_id_rsa.pub ./
host2 .ssh$ cat host1_id_rsa >> authorized_keys
host2 .ssh$ chmod 600 authorized_keys
If you want to connect to host2 from host3, host4, etc, then repeat the steps above, only substituting host[34] in place of host1. Also, you don't have to create the .ssh directory and change the permissions on host2 for each public key after the original.
 
Old 01-05-2007, 08:58 AM   #9
Xiiph
LQ Newbie
 
Registered: May 2004
Distribution: Ubuntu Server, Xubuntu, Fedora Core, Debian
Posts: 14

Original Poster
Rep: Reputation: 0
Thumbs up

Thanks alot! I got it working finally, and that also helped me clear out some question marks about how it all worked.

Thanks for all fast replies
 
  


Reply

Tags
authentication, key, keys, openssh, passphrase, public, ssh


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
SSH allow public keys only GATTACA Linux - Security 4 11-18-2006 02:34 PM
SSH public keys not working - RH 7.3 menator Linux - Newbie 7 11-03-2005 03:55 AM
ssh public/private keys lord_darkhelmet Linux - Newbie 8 10-29-2005 03:14 PM
SSH public/private key authentication with GnuPG keys? thinksincode Linux - Security 1 02-25-2005 02:33 PM
Help with SSH and public/private keys stodge Linux - Security 5 05-14-2003 01:22 PM


All times are GMT -5. The time now is 11:42 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration