LinuxQuestions.org
Old 08-24-2005, 04:08 AM   #1
cruiser252
LQ Newbie
 
Registered: Aug 2005
Posts: 3

Rep: Reputation: 0
sshd RSA authentication problems


Hello together,

I am trying to secure my ssh service. So I decided to use certificates and switch to RSA authentication.
I generated a key-pair with
$ ssh-keygen -t rsa and password.
I put the file via "cat id_rsa.pub >>~/user/.ssh/authorisezed_keys" in the file
and enabled the RSA authentication in /etc/ssh/sshd_config.
There I also disabled PAM and disabled Hostbased authentication. The daemon runs only protocol 2.
I also made a chmod 0700 on the .ssh directory and the certificate...

Now when I try to connect, the certificate is offered by the client, but the sshd just switches to the next option: password authentication.
It doesn't even ask for a password.
I enabled debugging and started the client with -vvv, but got no useful information.
I checked the keypair and it matches...

I use Fedora Core 2.

Thank you for your help.

Best Regards,

Sven
 
Old 08-24-2005, 05:15 AM   #2
|2ainman
Member
 
Registered: Mar 2004
Distribution: Slackware current, DSL 0.9.2
Posts: 133

Rep: Reputation: 15
First off, they aren't certificates, they're keys.
Based on your post, it seems you put the key on your localhost. This will only work if you want to ssh into localhost without password authentication (Try it! ssh localhost)
What you really want to do is copy that public key over to ~/.ssh/authorized_keys on the server you want to log into.
To do this
cat ~/.ssh/id_dsa.pub | ssh user@server "cat - >> ~/.ssh/authorized_keys"

I found this from a linux questions answer!
http://www.linuxquestions.org/questi...ticle&artid=79
Remember the handy search feature!
 
Old 08-24-2005, 03:34 PM   #3
cruiser252
LQ Newbie
 
Registered: Aug 2005
Posts: 3

Original Poster
Rep: Reputation: 0
Thank you for your answer and the hint, but I did the same things.
Of course I added my public key to the authorized_keys file on the server...

Then I try to connect from a second machine like this:

$ ssh -vv -i .ssh/id_rsa bigloisel

and get
...
debug1: Host 'bigloisel' is known and matches the RSA host key.
debug1: Found key in /home/swo/.ssh/known_hosts:2
debug2: bits set: 525/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/swo/.ssh/id_rsa (0x8a81898)
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/swo/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
swo@bigloisel's password:

The server just ignores my key, even though it matches the pub-key...

Regards,

Sven
 
Old 08-24-2005, 10:33 PM   #4
|2ainman
Member
 
Registered: Mar 2004
Distribution: Slackware current, DSL 0.9.2
Posts: 133

Rep: Reputation: 15
Hmmm, maybe post your sshd_config.
Also, are you running a firewall on either end?
I'm not familiar with the debugging statements for ssh, but it said that it did not SEND a packet, so maybe it's a problem client side.
 
Old 08-25-2005, 02:28 AM   #5
cruiser252
LQ Newbie
 
Registered: Aug 2005
Posts: 3

Original Poster
Rep: Reputation: 0
Thank you for your reply!

Well, but the client says "offering public key"...
I also tried it on different machines and even with Putty on Windows.
The server is behind a NAT-Router/Firewall and has neither SELinux nor a firewall enabled.

Here is my sshd_config:

# $OpenBSD: sshd_config,v 1.59 2002/09/25 11:17:16 markus Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

Port 22
Protocol 2
ListenAddress 192.168.0.101
#ListenAddress ::

# HostKey for protocol version 1
HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 3600
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

LoginGraceTime 5m
PermitRootLogin no
StrictModes yes
MaxStartups 5
AllowUsers swo

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

# rhosts authentication should not be used
RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
IgnoreUserKnownHosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no

# Change to no to disable s/key passwords
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

#AFSTokenPassing no

# Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no

# Set this to 'yes' to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
PAMAuthenticationViaKbdInt no

#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
UsePrivilegeSeparation yes
#PermitUserEnvironment no
Compression yes

#MaxStartups 10
# no default banner path
#Banner /some/path
#VerifyReverseMapping no

# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server

Regards,

Sven
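
Added example, not part of the thread and not written by any poster: with `StrictModes yes` and `AuthorizedKeysFile .ssh/authorized_keys` as in the posted config, sshd skips a key file that is missing under that exact name or that sits under a group- or world-writable path, and the client only sees the offer rejected. The function name `check_pubkey_files` and its output labels are made up for this sketch; it assumes the default one-level layout (home, key directory, key file) and is run on the server as the account owner or root.

```shell
#!/bin/sh
# Added example (not from the thread). Checks what sshd requires under
# "StrictModes yes" for the file named by AuthorizedKeysFile.
# Args: home directory, login name or uid, AuthorizedKeysFile value
# (relative to home; default is the value in the posted sshd_config).

check_pubkey_files() {
    home=$1 user=$2 rel=${3:-.ssh/authorized_keys}
    keyfile=$home/$rel
    rc=0

    # A missing or misspelled file is never opened by sshd: the offered
    # key is not found and the server moves on to the next method.
    if [ ! -f "$keyfile" ]; then
        echo "MISSING  $keyfile"
        return 2
    fi

    # StrictModes: home directory, key directory and key file must be
    # owned by the user (or uid 0) and not writable by group or others.
    for p in "$home" "$(dirname "$keyfile")" "$keyfile"; do
        if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \))" ]; then
            echo "WRITABLE $p (group or other can write; chmod go-w)"
            rc=1
        fi
        if [ -n "$(find "$p" -prune ! -user "$user" ! -user 0)" ]; then
            echo "OWNER    $p (not owned by $user or root)"
            rc=1
        fi
    done

    # The file must contain at least one public key line, optionally
    # preceded by options: "ssh-rsa AAAA... comment".
    if ! grep -Eq '(^|[[:space:]])ssh-(rsa|dss)[[:space:]]+AAAA' "$keyfile"; then
        echo "NOKEY    $keyfile (no ssh-rsa/ssh-dss public key line)"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK       $keyfile"
    return "$rc"
}
```

The server-side reason for a rejected key goes to the syslog facility set in sshd_config (here `AUTHPRIV`), which is where a message such as "Authentication refused: bad ownership or modes" appears; the client's `-v` output does not carry it.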
 
  


All times are GMT -5. The time now is 02:16 PM.
