Linux to Linux key authentication problem
Now I need to configure another Debian machine (let's call it debian2) to access debian1, using key authentication. I followed the instructions here
Code:
1. Open PuttyGen
Any idea what I could be doing wrong? Thanks
In the documentation on OpenSSH (and the man pages) are lists of requirements and things SSH will check. Among them are the permission and ownership of the home folder, the .ssh folder, and the files within the .ssh folder. As a first cut, I would check and compare those permissions. If a file or folder is group or world writable, it is not considered secure and ssh will not trust it without some special (and not recommended) settings or work-arounds.
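An added example, not from the thread, that scripts the comparison suggested above: a POSIX sh function mirroring the StrictModes checks sshd applies to the home directory, ~/.ssh and ~/.ssh/authorized_keys (correct owner, no group or world write bit). It assumes GNU stat (the -c option) and that the expected owner is the login user unless one is given.

```shell
#!/bin/sh
# Added example: reproduce sshd's StrictModes sanity checks on a user's
# SSH files so the failure can be found before reading the server log.
# Assumes GNU coreutils stat (-c). Usage: check_ssh_perms /home/alice alice
# Returns 0 when every check passes, 1 otherwise (each problem is printed).
check_ssh_perms() {
    home="$1"
    owner="${2:-$(id -un)}"   # expected owner; defaults to the current user
    rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING  $p"; rc=1; continue
        fi
        o=$(stat -c '%U' "$p")    # owning user, e.g. alice
        sym=$(stat -c '%A' "$p")  # symbolic mode, e.g. drwxr-xr-x
        if [ "$o" != "$owner" ]; then
            echo "OWNER    $p is owned by $o, expected $owner"; rc=1
        fi
        # position 6 of the symbolic mode is the group write bit,
        # position 9 the world write bit; either one makes sshd distrust the path
        case "$sym" in
            ?????w*|????????w*)
                echo "WRITABLE $p ($sym) is group/world writable"; rc=1 ;;
        esac
    done
    return $rc
}
```

Run it on the server as the user who cannot log in, or as root with the user's home and name as arguments; any line it prints is a reason sshd will refuse the key.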
In addition to the permission settings mentioned already, you might make sure that you are NOT using DSA. Not only is it no longer considered secure, the new versions of OpenSSH server ignore it. You can use 2048-bit RSA, if and only if you need backwards compatibility with specific old things, otherwise use ed25519 if you can. Ed25519 is currently considered the strong option.
Then there is the key format. PuTTY uses a weird one. So if you generate the key pair on Debian with the regular "ssh-keygen" and without PuTTY it should be fine. On Debian2:
Code:
ssh-keygen -f ~/.ssh/debian1_ed25519 -t ed25519 -C "your note or comment"
Code:
ssh-keygen -f ~/.ssh/debian1_rsa -t rsa -b 2048 -C "your note or comment"
Thanks, I'll give it a go.
Best to view the logs on the server as well.
Code:
tail -f /var/log/auth.log
You probably want to configure sshd so that, if you do not have a key, it will not prompt you for a password. So that, if you do not have a key, you have no opportunity to get in otherwise.
I agree with sundialsvcs. See PasswordAuthentication and ChallengeResponseAuthentication settings in "man sshd_config". You could even use a match block to only do it sometimes and not others. For instance, on my raspberry pi, I allow local LAN to use a password but if SSH sources are from the Internet then the only method allowed is public key. Here's how I accomplish that in my /etc/ssh/sshd_config.
Code:
Match Address 192.168.10.0/24