Hello together,

I am trying to secure my ssh service. So I decided to use certificates and switch to rsa-authentification.
I generated a key-pair with
$ ssh-keygen -t rsa and password.
I put the file via "cat id_rsa.pub >>~/user/.ssh/authorisezed_keys" in the file
and enabled the rsa authentification in /etc/ssh/sshd_config.
There I also disabled PAM and disabled Hostbased authentification. The deamon runs only protocol 2.
I also made a chmod 0700 on the .ssh directory and the certificate...

Now when I try to connect the certificate is offered by the client, but the sshd just switches to the next option: password authentification.
It even doesn' t ask for a password.
I enabled debuging and started the client with -vvv, but nothing useful information.
I checked the the keypair and it matches...

I use Fedora Core 2.

Thank you for your help.

Best Regards,

Sven

First off, they arent certificates , they're keys.
Based on your post, it seems you put the key on your localhost. This will only work if you want to ssh into localhost without password authentication (Try it! ssh localhost)
What you really want to do is copy that public key over to ~/.ssh/authorized_keys on the server you want to log into.
To do this
cat ~/.ssh/id_dsa.pub | ssh user@server "cat - >> ~/.ssh/authorized_keys"

I found this from a linux questions answer!
http://www.linuxquestions.org/questi...ticle&artid=79
Remember the handy search feature!

Thank you for your answer and the hint, but I did the same things.
Of course I added my public key to the authorized_keys file on the server...

Then I try to connect from a second machine like this:

$ ssh -vv -i .ssh/id_rsa bigloisel

and get
...
debug1: Host 'bigloisel' is known and matches the RSA host key.
debug1: Found key in /home/swo/.ssh/known_hosts:2
debug2: bits set: 525/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/swo/.ssh/id_rsa (0x8a81898)
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/swo/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
swo@bigloisel's password:

The server just ignores my key, even it matches the pub-key...

Regards,

Sven

hmmm maybe post ur sshd_config
Also, are you running a firewall on either end?
I'm not familiar with the debugging statements for ssh, but it said that it did not SEND a packet, so maybe its a problem client side.

Thank you for your reply!

Well, but the client says "offering public key"...
I also tried it on different machines and even with Putty on Windows.
The server is behind a NAT-Router/Firewall and has either SELinux nor a firewall enabled.

Here is my sshd_config:

# $OpenBSD: sshd_config,v 1.59 2002/09/25 11:17:16 markus Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

Port 22
Protocol 2
ListenAddress 192.168.0.101
#ListenAddress ::

# HostKey for protocol version 1
HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 3600
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

LoginGraceTime 5m
PermitRootLogin no
StrictModes yes
MaxStartups 5
AllowUsers swo

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

# rhosts authentication should not be used
RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
IgnoreUserKnownHosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no

# Change to no to disable s/key passwords
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

#AFSTokenPassing no

# Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no

# Set this to 'yes' to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
PAMAuthenticationViaKbdInt no

#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
UsePrivilegeSeparation yes
#PermitUserEnvironment no
Compression yes

#MaxStartups 10
# no default banner path
#Banner /some/path
#VerifyReverseMapping no

# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server

Regards,

Sven