LinuxAnswers Discussion This forum is to discuss articles posted to LinuxAnswers .
09-29-2005, 02:21 PM
#16
LQ Newbie
Registered: Jan 2002
Location: Nepal
Distribution: Debian, RedHat
Posts: 9
Rep:
Excellent step-by-step articles. Got it working in the first shot.
Thank You.
09-29-2005, 02:29 PM
#17
Senior Member
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Debian, FreeBSD
Posts: 3,559
Rep:
omlex, atomicx,
On the client side, what does
Code:
cat /etc/ssh/ssh_config | grep 'IdentityFile'
show you?
On the server side, what does
Code:
cat /etc/ssh/sshd_config | grep 'Authorized'
show you?
These entries must coincide with what you're trying to name the files as. (Note that you may have to adjust these commands based on the file paths/names for your distro.)
Last edited by anomie; 09-29-2005 at 02:30 PM .
11-11-2005, 11:35 PM
#18
Member
Registered: Nov 2005
Location: Midwest America
Distribution: SuSE, RedHat
Posts: 39
Rep:
One more step that I take in my work is that I use multiple keys to get from one system to another.
If I want to do an interactive shell, I use a passphrase with the key.
If I want to automate a task, I generate a key-pair for that specific task.
On the <receiver> system, I modify the "authorized_keys" or "authorized_keys2" file to restrict a key to a specific command.
The format for this follows....
command="/path/to/script.sh" ssh-dss keystring
I then create a new line for each key and script that I want to run remotely.
From there, when I want to execute one of the commands, I use the following.
echo "parameter list" | ssh -i /path/to/identity/file remotesystem
This then connects to the remote system, executes the command determined by the authorized_keys file, and then said script reads its input from the "echo" command output stream.
The script runs, then exits.
It's simple, effective, and very secure.
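The forced-command setup described in the post above, sketched as an added example (not part of the original post): a handler that treats the piped parameter line as untrusted input and accepts only a fixed format. The job names and the "<job> <YYYY-MM-DD>" format are hypothetical; the extra key options in the comment are standard OpenSSH authorized_keys options.

```shell
#!/bin/sh
# Added example: handler for a key pinned with command="..." in authorized_keys.
# Job names and the "<job> <YYYY-MM-DD>" parameter format are hypothetical.
#
# authorized_keys line on the receiver (key string elided as in the post; the
# extra options also disable a terminal and all forwarding for this key):
#   command="/path/to/script.sh",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-dss keystring

# validate_params LINE: accept exactly "<job> <YYYY-MM-DD>" with a known job.
# On success the globals $job and $day hold the two fields.
validate_params() {
    job=${1%% *}    # text before the first space
    day=${1#* }     # text after the first space
    case "$job" in
        backup|rotate-logs) ;;
        *) return 1 ;;
    esac
    case "$day" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

handle_request() {
    # With command= set, sshd runs this script whatever the client asked for;
    # the client's request is only exposed in SSH_ORIGINAL_COMMAND.
    # Note it, never run it.
    if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
        echo "ignoring client-supplied command" >&2
    fi
    # One line of parameters arrives on stdin (echo "..." | ssh -i key host).
    line=
    IFS= read -r line || [ -n "$line" ] || { echo "no parameters" >&2; return 2; }
    validate_params "$line" || { echo "rejected parameters" >&2; return 3; }
    echo "running job '$job' for $day"   # dispatch to the real task here
}

# sshd sets SSH_CONNECTION for every session, so only act when started by it.
if [ -n "${SSH_CONNECTION:-}" ]; then
    handle_request
    exit $?
fi
```

Because the key can only ever start this one script, the parameter check is the whole remaining input surface for that key.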
05-23-2006, 12:12 AM
#19
LQ Newbie
Registered: May 2006
Distribution: AIX, Redhat
Posts: 1
Rep:
Quote:
Originally Posted by omlex
pls. help.
I'm having a problem with puttygen. Every time I tried to log in, my Linux box is still asking me for my password. Here's what I did:
1. Generated a public key from puttygen. I used ssh v2
2. Saved the private and public key in my Win2k desktop.
3. Copied the public key to my $HOME/.ssh/authorized_keys2 directory
4. Added the private key to puttygen for remote connection.
What else did I forget?
In my setup authorized_keys was a file.
Also after you've generated the key pair in puttygen make sure you copy and paste from the OpenSSH Text Area into the authorized_keys file instead of using the "Save Public Key" button.
That worked for me.
09-05-2006, 04:16 PM
#20
LQ Newbie
Registered: Dec 2005
Posts: 18
Rep:
I had a similar problem and it turned out to be a line in the sshd_config file. One that said UsePAM yes. Comment that out and restart the ssh daemon.
09-11-2006, 03:38 PM
#21
Member
Registered: Sep 2006
Location: (.)
Posts: 44
Rep:
Another docs for the same
09-11-2006, 03:39 PM
#22
Member
Registered: Sep 2006
Location: (.)
Posts: 44
Rep:
Same guide
Duplicate entry so edited:
09-18-2006, 03:33 AM
#23
LQ Newbie
Registered: Sep 2006
Posts: 4
Rep:
DSA key authentication
I have solved the problem. I just used
client:
Use the command: /usr/bin/ssh-keygen -t dsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user-id/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user-id/.ssh/id_dsa.
Your public key has been saved in /home/user-id/.ssh/id_dsa.pub.
The key fingerprint is:
XXXblablablaXXXaf:90:8f:dc:65:0d:XXXXXXXXXXXXXX user-id@node-name
Files generated:
$HOME/.ssh/id_dsa - binary
$HOME/.ssh/id_dsa.pub - ssh-dsa ...223564257432 email address - Multiple keys/lines allowed.
Server:
o FTP the file $HOME/.ssh/id_dsa.pub to the server
o cd $HOME/.ssh/
o cat id_dsa.pub >>authorized_keys
05-30-2007, 04:51 AM
#24
Member
Registered: May 2005
Location: Mid Wales (UK)
Distribution: Slackware 8.0, Suse 10.0/1/2, CentOS (SMEServer7)
Posts: 38
Rep:
Directory does not exist ? :-(
Hi,
I've successfully set this up on my main server to access all my sub-servers which are all running Slackware Linux.
But, I'm now trying to set up access to my mail server which is running Fedora Core 4 and I'm getting an error message when I try
cat ~/.ssh/id_dsa.pub | ssh user@server "cat - >> ~/.ssh/authorized_keys"
It tells me that the directory does not exist ! I've looked on the FC4 server and indeed there is no root/.ssh/ directory.
What do I do ?
TIA
Mike
05-30-2007, 04:58 AM
#25
Member
Registered: May 2005
Location: Mid Wales (UK)
Distribution: Slackware 8.0, Suse 10.0/1/2, CentOS (SMEServer7)
Posts: 38
Rep:
Please ignore
Silly me. I just created the .ssh directory under root and it all works now.
07-09-2007, 10:47 AM
#26
Member
Registered: Dec 2004
Location: Atlanta, GA U.S.
Distribution: I play with them all :-)
Posts: 316
Rep:
One of the finest howto's I've ever seen for any software... if only every one of them were done in this fashion and perfect amount of detail (not too much and not too little). Kudos!
09-04-2008, 12:46 AM
#27
Member
Registered: Jan 2006
Distribution: gentoo, slackware
Posts: 36
Rep:
I guess it's better to use ssh-copy-id to transfer the key to the server as described
here
Last edited by mohdshakir; 07-06-2010 at 04:49 AM .
Reason: updating link
04-16-2010, 05:19 AM
#28
LQ Newbie
Registered: Apr 2010
Posts: 1
Rep:
connection ssh publickey
Quote:
Originally Posted by
gointomexico
I had to do this for a class project. I found this information extremely informative, and helpful, thanks!
I had the same problem trying to get mine to work. I did a chmod on the server: <chmod 600 authorized_keys>
and then it started working. no password required!
hope this helps.
P.S. This was a debian to debian connection following the steps outlined in the guide.
Thanks, I got the same problem with Fedora 11: it was 660, I changed it to 600 and it worked. In fact the file must only be written by the owner; 644 works too.
06-13-2010, 07:33 AM
#29
Member
Registered: Jun 2010
Posts: 69
Rep:
Quote:
Originally Posted by
atomicx
I'm still not able to connect without a password.
Here is my debug notes when I run -vv
Code:
[trichard@testserv110 trichard]$ ssh -vv trichard@ftpserv111
OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090701f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug2: ssh_connect: needpriv 0
debug1: Connecting to ftpserv111 [192.168.0.111] port 22.
debug1: Connection established.
debug1: identity file /home/trichard/.ssh/identity type -1
debug1: identity file /home/trichard/.ssh/id_rsa type -1
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug2: key_type_from_name: unknown key type '-----END'
debug1: identity file /home/trichard/.ssh/id_dsa type 2
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.6.1p2
debug1: match: OpenSSH_3.6.1p2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.6.1p2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 127/256
debug2: bits set: 1623/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'ftpserv111' is known and matches the RSA host key.
debug1: Found key in /home/trichard/.ssh/known_hosts:1
debug2: bits set: 1592/3191
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /home/trichard/.ssh/identity
debug1: Trying private key: /home/trichard/.ssh/id_rsa
debug1: Offering public key: /home/trichard/.ssh/id_dsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
trichard@ftpserv111's password:
I have checked and the "~/.ssh/authorized_keys" exists on the server and contains a line the same as "~/.ssh/id_dsa.pub"
Anyone know how to solve this?
Thanks
Troy
,,,,,,,,,,,,,,,,
I think that you have to set the remote host's
ssh protocol to version 2
vi /etc/sshd/sshd_config
change protocol to 2 instead of 1
and retry the connection.
Hope this fixes the problem.
08-10-2010, 05:55 AM
#30
LQ Newbie
Registered: Aug 2010
Posts: 1
Rep:
SSH doesn't like it if your home directory has group write access, change to 750.
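The permission reports in this thread (660 on authorized_keys failing, 600 and 644 working, a group-writable home directory being refused) all follow from the check sshd applies when StrictModes is enabled: none of the home directory, ~/.ssh or authorized_keys may be writable by group or others. The script below is an added example, not posted by anyone in the thread, that runs the same mode test over those three paths; the script name in the usage comment is hypothetical.

```shell
#!/bin/sh
# Added example: mirror the mode test sshd applies when StrictModes is on.
# sshd also requires these paths to be owned by the user or root
# (ownership is not checked here).

# mode_of PATH: octal permission bits (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# writable_by_others MODE: succeed if the group or world write bit is set.
writable_by_others() {
    [ $(( 0$1 & 022 )) -ne 0 ]
}

# check_ssh_perms HOME: report each path; return 1 if any would be refused.
check_ssh_perms() {
    bad=0
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING   $p"; bad=1; continue
        fi
        m=$(mode_of "$p")
        if writable_by_others "$m"; then
            echo "BAD  $m  $p (group/world writable)"; bad=1
        else
            echo "ok   $m  $p"
        fi
    done
    return "$bad"
}

# Usage: sh check_ssh_perms.sh /home/user
if [ "$#" -gt 0 ]; then
    check_ssh_perms "$1"
fi
```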