Linux - Security (LinuxQuestions.org)
Using PuTTYgen I created a private and a public key.
I copied the public key into ~/ssh/authorized_keys on a Debian machine (let's call it debian1).
I configured PuTTY to use private.ppk and now I can access debian1 from Windows, using key authentication.
I also disabled password authentication in etc/ssh/sshd_config on debian1.
Everything is working perfectly and as expected.
Now I need to configure another Debian machine (let's call it debian2) to access debian1, using key authentication.
I followed the instructions here
Code:
1. Open PuttyGen
2. Click Load
3. Load your private key
4. Go to Conversions->Export OpenSSH and export your private key
5. Copy your private key to ~/.ssh/id_dsa (or id_rsa).
6. Create the RFC 4716 version of the public key using ssh-keygen
ssh-keygen -e -f ~/.ssh/id_dsa > ~/.ssh/id_dsa_com.pub
7. Convert the RFC 4716 version of the public key to the OpenSSH format:
ssh-keygen -i -f ~/.ssh/id_dsa_com.pub > ~/.ssh/id_dsa.pub
But when connecting from debian2 to debian1, I still get a password prompt.
Any idea what I could be doing wrong?
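The seven quoted steps can be collapsed, and the result checked, without going back to Windows. The script below is an added example and not part of the thread: it assumes `puttygen` from Debian's putty-tools package is installed on debian2, that `private.ppk` is the key PuTTY already uses, and that the key blobs in its usage comments are constructed placeholders rather than real keys. `puttygen -O private-openssh` writes the OpenSSH private key directly, and `ssh-keygen -y` prints the matching public key, which replaces the two RFC 4716 conversions; `key_authorized` then confirms the blob really is present on the server side, since PuTTY and OpenSSH comments differ and authorized_keys lines may carry options in front of the key type.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes puttygen from putty-tools on
# debian2; any key material in the comments below is a constructed placeholder.

# Convert a PuTTY .ppk straight to an OpenSSH private key and derive the
# public half from it. This replaces steps 1-7 of the quoted instructions:
# ssh-keygen -y prints the public key that belongs to a private key, so no
# RFC 4716 round trip is needed.
convert_ppk() {
    ppk=$1
    out=$2
    puttygen "$ppk" -O private-openssh -o "$out"
    chmod 600 "$out"
    ssh-keygen -y -f "$out" > "$out.pub"
    # Print the fingerprint so it can be compared with
    # "ssh-keygen -lf ~/.ssh/authorized_keys" on debian1.
    ssh-keygen -lf "$out.pub"
}

# Check whether the public key in file $1 is present in the authorized_keys
# file $2. Only the base64 blob (second field of the .pub file) is compared:
# comments differ between PuTTY and OpenSSH, and authorized_keys lines may
# carry options such as from="..." or no-pty before the key type, so the blob
# is looked for in any whitespace-delimited field of a non-comment line.
# Returns 0 if found, 1 if not, 2 if $1 does not look like a public key.
key_authorized() {
    blob=$(awk 'NF >= 2 { print $2; exit }' "$1")
    [ -n "$blob" ] || return 2
    awk -v b="$blob" '
        /^[ \t]*#/ { next }                 # skip comment lines
        { for (i = 1; i <= NF; i++) if ($i == b) { found = 1; exit } }
        END { exit found ? 0 : 1 }' "$2"
}

# Usage on debian2:   sh convert_and_check.sh private.ppk ~/.ssh/id_rsa
# then append ~/.ssh/id_rsa.pub to debian1:~/.ssh/authorized_keys and verify
# with:              key_authorized ~/.ssh/id_rsa.pub /copy/of/authorized_keys
if [ "$#" -eq 2 ]; then
    convert_ppk "$1" "$2"
fi
```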
In the documentation on OpenSSH (and the man pages) are lists of requirements and things SSH will check. Among them are the permission and ownership of the home folder, the .ssh folder, and the files within the .ssh folder. As a first cut, I would check and compare those permissions. If a file or folder is group or world writable, it is not considered secure and ssh will not trust it without some special (and not recommended) settings or work-arounds.
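The checks described in that reply can be scripted rather than eyeballed. The following is an added example, not code from the thread: it audits the ownership and mode rules sshd enforces under StrictModes (the default) before it will read ~/.ssh/authorized_keys, plus the client-side rule that a private key must not be readable by group or others. It assumes GNU coreutils (`stat -c`) and a POSIX sh whose arithmetic treats a leading zero as octal, which is true of dash and bash.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU stat and a POSIX sh whose
# $(( )) arithmetic reads 0755-style constants as octal (dash, bash).
# Usage: check_ssh_perms <home-dir> <expected-owner>; exit 0 means sane.

check_ssh_perms() {
    home=$1
    user=$2
    rc=0

    # Home, ~/.ssh and authorized_keys must exist, be owned by the user, and
    # must not be group- or world-writable (mode & 022 == 0), or sshd will
    # silently refuse to use the key file and fall back to other methods.
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING  $p"
            rc=1
            continue
        fi
        owner=$(stat -c '%U' "$p")
        mode=$(stat -c '%a' "$p")
        if [ "$owner" != "$user" ]; then
            echo "OWNER    $p is owned by $owner, expected $user"
            rc=1
        fi
        if [ $((0$mode & 022)) -ne 0 ]; then
            echo "WRITABLE $p has mode $mode (group/other writable)"
            rc=1
        fi
    done

    # On the client side, private keys (id_rsa, id_ed25519, ...) must not be
    # readable by anyone else, or ssh rejects them with
    # "UNPROTECTED PRIVATE KEY FILE" and again falls back to a password prompt.
    for k in "$home"/.ssh/id_*; do
        [ -f "$k" ] || continue
        case $k in *.pub) continue ;; esac
        mode=$(stat -c '%a' "$k")
        if [ $((0$mode & 077)) -ne 0 ]; then
            echo "KEYPERM  $k has mode $mode, want 600"
            rc=1
        fi
    done

    if [ "$rc" -eq 0 ]; then
        echo "OK       $home passes the StrictModes checks"
    fi
    return "$rc"
}

# Run directly on debian1 (server) or debian2 (client):
#   sh check_ssh_perms.sh /home/alice alice
if [ "$#" -ge 1 ]; then
    check_ssh_perms "$1" "${2:-$(id -un)}"
fi
```

If this reports a problem the fix is the usual `chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys ~/.ssh/id_*` and, where the owner is wrong, `chown -R user: ~/.ssh`; after that, `ssh -v debian1` shows on the client which key was offered and whether the server accepted it.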
In addition to the permission settings mentioned already, you might make sure that you are NOT using DSA. Not only is it no longer considered secure, the new versions of OpenSSH server ignore it. You can use 2048-bit RSA, if and only if you need backwards compatibility with specific old things, otherwise use ed25519 if you can. Ed25519 is currently considered the strong option.
Then there is the key format. PuTTY uses a weird one. So if you generate the key pair on Debian with the regular "ssh-keygen" and without PuTTY it should be fine.
You probably want to configure sshd so that, if you do not have a key, it will not prompt you for a password. So that, if you do not have a key, you have no opportunity to get in otherwise.
I agree with sundialsvcs. See PasswordAuthentication and ChallengeResponseAuthentication settings in "man sshd_config". You could even use a match block to only do it sometimes and not others. For instance, on my raspberry pi, I allow local LAN to use a password but if SSH sources are from the Internet then the only method allowed is public key. Here's how I accomplish that in my /etc/ssh/sshd_config.
Code:
Match Address 192.168.10.0/24
PasswordAuthentication yes
Match All
PasswordAuthentication no
ChallengeResponseAuthentication no
192.168.10.0/24 is my LAN and All other sources include the Internet. See "man sshd_config" to learn more. It's wonderfully powerful. Also, I don't recommend exposing your SSH port to the Internet (I'm an experienced sysadmin who is capable of securing and monitoring my home services). Additionally, I implement further layers of security around my SSH service such as port knocking and fail2ban.
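Two things worth knowing before copying that fragment: a `Match` block extends to the next `Match` line or to the end of the file, so every global directive has to sit above the first one, and the policy sshd will actually apply to a given client can be read back with `sshd -T -C` (as root, since it loads the host keys). The fragment below is an added example rather than the poster's file; the addresses are placeholders for your own LAN and for an outside host (203.0.113.0/24 is a documentation range).

```conf
# Global section: everything above the first Match applies to every client.
# Key-only by default; the LAN exception is granted further down.
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no

# Match blocks must come last: each one runs to the next Match or to EOF,
# so a global directive placed after this point would silently become part
# of the block.
Match Address 192.168.10.0/24
    PasswordAuthentication yes

# A "Match All" block like the one in the post resets the defaults for every
# other client; with the global section above it is redundant but harmless.

# Verify before reloading sshd (run as root):
#   sshd -t                                                 # syntax check
#   sshd -T -C addr=192.168.10.5,user=pi,host=pi.lan | grep -i passwordauthentication   # expect yes
#   sshd -T -C addr=203.0.113.7,user=pi,host=pi.lan  | grep -i passwordauthentication   # expect no
```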