LinuxQuestions.org

Ssh (again) and ssh key? (https://www.linuxquestions.org/questions/linux-general-1/ssh-again-and-ssh-key-26498/)

DavidPhillips 08-03-2002 07:24 PM

don't know?

mine will not accept a login without it. If I don't have the key it will ask if I want to download it.

If I say no it will not connect.

The authenticity of host 'mydomain.net (192.168.0.1)' can't be established.
RSA key fingerprint is vg:4a:0b:51:2g:97:75:92:d5:6v:14e:26:23:12:15:74.
Are you sure you want to continue connecting (yes/no)? no
Host key verification failed.

DavidPhillips 08-03-2002 07:31 PM

if I say yes

it will download the key to ~/.ssh/known_hosts

the format is

mydomain.net,192.168.0.1 ssh-rsa FJFLKJALKFUOIAUFU)**FU&*&
)*F)(UIFUA)*&Q)*R&UEW&(*YUF(&F(*YF(&YA(FYA(&^F&(AEFT
&AEYTD&(YT&*EYF(&^&A^^A%T*YA%T*&DYA(*^&Y(&Q^E=
mydomain2.net,192.168.1.1 ssh-rsa JEAF809u09EIUOI4Wr76E987Y
R9872LKJZSHDKLJHSoiupfjsE988U08EU7F8WEU8FU0W70898wu09r
9u8eyd987y87d7ud89798d73789798uoidullkjdfkjkef=

DavidPhillips 08-03-2002 07:33 PM

If the name and IP address of the server do not match a known host it will download a new key.
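The lookup described in the posts above, as an added example that is not part of the thread: it reads a known_hosts file in the plain format shown and reports whether the key a server offers is already recorded, recorded with a different value, or not recorded at all. The function name `check_host_key` and the key strings are constructed for illustration; hashed entries and marker lines are not handled.

```shell
#!/bin/sh
# Added example: classify an offered host key against a known_hosts file in
# the plain "name,ip keytype key" format. Hashed (|1|...) entries and
# @marker lines are not handled.

# check_host_key FILE HOST KEYTYPE KEY
#   match   - HOST is listed with exactly this key (ssh connects silently)
#   changed - HOST is listed for this key type with a different key
#             (ssh warns and refuses by default)
#   unknown - HOST has no entry of this key type (ssh shows the yes/no prompt)
check_host_key() {
    awk -v host="$2" -v ktype="$3" -v key="$4" '
        NF == 0 || $1 ~ /^#/ { next }        # skip blank lines and comments
        {
            n = split($1, names, ",")        # first field: name,ip,...
            for (i = 1; i <= n; i++) {
                if (names[i] != host || $2 != ktype) continue
                if ($3 == key) found = 1; else differs = 1
            }
        }
        END {
            if (found)        print "match"
            else if (differs) print "changed"
            else              print "unknown"
        }' "$1"
}

# Constructed sample file; the key strings are placeholders, not real keys.
KH=$(mktemp); trap 'rm -f "$KH"' EXIT
cat > "$KH" <<'EOF'
mydomain.net,192.168.0.1 ssh-rsa AAAAexampleKEYone=
mydomain2.net,192.168.1.1 ssh-rsa AAAAexampleKEYtwo=
EOF

check_host_key "$KH" mydomain.net ssh-rsa AAAAexampleKEYone=
check_host_key "$KH" 192.168.1.1  ssh-rsa AAAAexampleKEYtwo=
check_host_key "$KH" mydomain.net ssh-rsa AAAAsomeOTHERkey=
check_host_key "$KH" newhost.net  ssh-rsa AAAAexampleKEYone=
```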

DavidPhillips 08-03-2002 07:39 PM

Maybe I should not call it a key, since it is not the same as actually using a key instead of a password.

lopezjo49 08-05-2002 02:58 AM

Maybe this is of some interest

Passwords are used with usernames and are not the same as passphrases, used for private keys. A passphrase can be a gibberish sentence with spaces, therefore much more difficult to attack using brute force.

>The authenticity of host 'myserver.net (192.168.0.1)' can't be established.
>RSA key fingerprint is cd:da:eb:b41:2g:95:79:70:d8:65:14:2r:2g:42:15:77.
>Are you sure you want to continue connecting (yes/no)?

This is the fingerprint and public key of the host, therefore going in the known_hosts file. This is asked to verify HOST authentication, not user. This is to make sure your host is who they say they are, and if you "trust" them you download this key and it will never ask you again.

Once that is established it asks for the user authentication. Here are 2 methods.
1) Username/Password is the lowest form

Username/Password uses the same sign-on as if you telnetted. This means it can be guessed more easily using brute force and you should change your passwords more frequently.

2) Public/Private key authentication, RSA authentication.

Public/Private (key pair) key usage. The Host will encrypt the data with your public key prior to sending the info. This information can only be decrypted using the private key of that key pair. You should have a safe backup copy of your private key and NEVER give it out. On top of that, if it was given out or stolen, the person would have to guess a long "passphrase" which may include spaces or a complete sentence.

Half_Elf 08-05-2002 06:59 AM

Ok, so as I said, if you want to use encryption, you MUST use key authentication, right?

And if you want to use keys, you have to:
1-Create keys with ssh-keygen
2-Put the .pub key in a FILES (and not folder) called authorized_key, in the folder .ssh, in the home of the system you wish to use as "local"
3-Keep id-xx.pub and id-xx (xx is rsa or dsa) in the ~/.ssh/ folder of the remote machine (the one running sshd)

Are all these steps ok? I want to figure out why I can't use these damn keys. Do I need to add a different option to ./configure to enable key authentication???

DavidPhillips 08-05-2002 12:06 PM

http://www.csua.berkeley.edu/ssh-howto.html

this explains it.

Basically not having to type a password is a convenience. It uses an agent to take care of the password.

Using a password is not insecure with ssh.

Unless your password is something like..

apple

lopezjo49 08-05-2002 03:47 PM

Quote: Originally posted by Half_Elf

>Ok, so as I said, if you want to use encryption, you MUST use key authentication, right?
>
>And if you want to use keys, you have to:
>1-Create keys with ssh-keygen
>2-Put the .pub key in a FILES (and not folder) called authorized_key, in the folder .ssh, in the home of the system you wish to use as "local"
>3-Keep id-xx.pub and id-xx (xx is rsa or dsa) in the ~/.ssh/ folder of the remote machine (the one running sshd)
>
>Are all these steps ok? I want to figure out why I can't use these damn keys. Do I need to add a different option to ./configure to enable key authentication???

1) Yes, create the keys with a command like: "ssh-keygen -t rsa -b 2048".

2) Then copy .pub to ~/.ssh/authorized_keys, with chmod 600 on authorized_keys on the HOST machine (the one you want to connect to).
NOTE!!! authorized_keys is plural, because you can have more than one pub key in this file. Why? Because you may ssh from multiple clients using different private keys for each host, therefore putting their public keys in one file.

3) Keep id_xx in ~/.ssh/id_xx, with permissions set to chmod 600 on the client (sshing from).

4) Now in the HOST!! (running sshd) machine's /etc/ssh/sshd_config set "RSAAuthentication yes" and "PasswordAuthentication no" (on the HOST machine).
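A check of the layout from the four steps above, as an added example that is not part of the thread: it audits the authorized_keys file name and mode, the private key mode, and the two sshd_config settings, first on a deliberately broken tree and again after the steps are applied. Function names and the temporary tree are constructed for illustration; the directive names are the ones given in the post (RSAAuthentication is the SSH protocol 1 option; for protocol 2 keys the sshd_config option is PubkeyAuthentication).

```shell
#!/bin/sh
# Added example: audit the files and sshd settings named in the four steps.

# perm_of PATH: octal permission bits, e.g. 600 (GNU stat, then BSD stat)
perm_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# sshd_option FILE NAME: value on the first uncommented NAME line. sshd keeps
# the first value it reads; Match blocks are not interpreted here.
sshd_option() {
    awk -v name="$2" 'tolower($1) == tolower(name) { print $2; exit }' "$1"
}

add() { findings="${findings:+$findings }$1"; }

# audit_host SSH_DIR SSHD_CONFIG: checks for the machine running sshd
audit_host() {
    findings=""
    [ ! -e "$1/authorized_key" ] || add singular-file-name
    if [ ! -f "$1/authorized_keys" ]; then add authorized_keys-not-a-file
    elif [ "$(perm_of "$1/authorized_keys")" != 600 ]; then add authorized_keys-mode
    fi
    [ "$(sshd_option "$2" RSAAuthentication)" = yes ] || add RSAAuthentication
    [ "$(sshd_option "$2" PasswordAuthentication)" = no ] || add PasswordAuthentication
    echo "${findings:-ok}"
}

# audit_client PRIVATE_KEY: checks for the machine you ssh from
audit_client() {
    if [ ! -f "$1" ]; then echo private-key-missing
    elif [ "$(perm_of "$1")" != 600 ]; then echo private-key-mode
    else echo ok
    fi
}

# Constructed tree with placeholder file contents (no real keys).
T=$(mktemp -d); trap 'rm -rf "$T"' EXIT
mkdir "$T/host" "$T/client"
echo 'ssh-rsa AAAAplaceholder user@client' > "$T/host/authorized_key"
printf '%s\n' '#PasswordAuthentication yes' 'RSAAuthentication yes' > "$T/sshd_config"
echo placeholder > "$T/client/id_rsa"; chmod 644 "$T/client/id_rsa"
BEFORE_HOST=$(audit_host "$T/host" "$T/sshd_config")
BEFORE_CLIENT=$(audit_client "$T/client/id_rsa")

# Apply the steps from the post, then audit again.
mv "$T/host/authorized_key" "$T/host/authorized_keys"
chmod 600 "$T/host/authorized_keys" "$T/client/id_rsa"
echo 'PasswordAuthentication no' >> "$T/sshd_config"
echo "before: $BEFORE_HOST / $BEFORE_CLIENT"
echo "after:  $(audit_host "$T/host" "$T/sshd_config") / $(audit_client "$T/client/id_rsa")"
```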

Half_Elf 08-05-2002 09:00 PM

Hum, it's exactly what I already tried.... (hrrmmpppfff) I will forget key authentication, I think.... Anyways my password is more like "Tf43ybn$#bFFF4" :0p

lopezjo49 08-06-2002 02:08 PM

Hopefully, you have backups of the ssh config files you modified, or you may be best off removing ssh and reinstalling it on the client and host if you messed with too many areas. Then following the four steps above should do it. Shouldn't take more than 5 mins.

OH, I just thought of something. Are you restarting sshd on the host after changing its /etc/ssh/sshd_config file to have RSAAuthentication yes? You must restart or reload sshd after configuring the file. To restart ssh, run this from a command line as root: /etc/init.d/sshd restart.

Half_Elf 08-06-2002 04:37 PM

Of course I do... I will try reinstalling and come back with good news (I hope)

lopezjo49 08-07-2002 02:59 AM

ok.. :) just making sure. sometimes the little things escape us in frustration.

good luck

