LinuxQuestions.org
Old 08-29-2007, 09:05 PM   #1
MykeV
LQ Newbie
 
Registered: Jan 2006
Location: North Carolina, Raleigh
Distribution: Ubuntu 6.10, Suse 10.2
Posts: 12

Rep: Reputation: 0
Private/Public key vs. Password authentication w/ SSH


Hey all, I run IPCop as my firewall/router on my network. I use SSH to access it from remote locations from time to time. I want to disable password authentication in the sshd_config file and go with private/public key authentication. However, on the Windows laptop I use to access all my computers remotely, I have OpenSSH installed and already use a private key (id_rsa) for another Linux server (serverB) I SSH into. I added the private key file from the IPCop server (ssh_host_rsa_key) into the same directory as the id_rsa key on my laptop. So I have 2 private keys for SSH authentication that reside in the same directory for 2 different SSH boxes. When I try to SSH from my laptop into the IPCop server (bubblicious) the private/public key authentication fails.

Code:
C:\Documents and Settings\MykeV>ssh -p 222 -v root@bubblicious
OpenSSH_3.8.1p1, OpenSSL 0.9.7d 17 Mar 2004
debug1: Connecting to bubblicious [192.168.168.1] port 222.
debug1: Connection established.
debug1: identity file /home/MykeV/.ssh/identity type -1
debug1: identity file /home/MykeV/.ssh/id_rsa type 1
debug1: identity file /home/MykeV/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.5
debug1: match: OpenSSH_4.5 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'bubblicious' is known and matches the RSA host key.
debug1: Found key in /home/MykeV/.ssh/known_hosts:3
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /home/MykeV/.ssh/identity
debug1: Offering public key: /home/MykeV/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Trying private key: /home/MykeV/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password
root@bubblicious's password:
Do I need to have the private key file for IPCop renamed to id_rsa? I ask that 'cause if I do then I would effectively be overwriting the id_rsa private key for serverB. Is there a line in the sshd_config file or ssh_config file I can change to allow me to use a specific private key? I don't think it's permissible to use the private/public key files from serverB on the IPCop system 'cause the key files are specific to that system. I hope I am making sense. Anyway, your comments would be appreciated.

One more thing, connecting from my laptop to serverB using the associated private(id_rsa)/public key files works fine.
 
Old 08-30-2007, 06:05 AM   #2
MykeV
LQ Newbie
 
Registered: Jan 2006
Location: North Carolina, Raleigh
Distribution: Ubuntu 6.10, Suse 10.2
Posts: 12

Original Poster
Rep: Reputation: 0
I know someone out here has an answer. Help me please.
 
Old 09-01-2007, 10:30 PM   #3
ntubski
Senior Member
 
Registered: Nov 2005
Distribution: Debian, Arch
Posts: 3,780

Rep: Reputation: 2081
From ssh man pages:
Code:
man ssh...

    -i identity_file
          Selects a file from which the  identity  (private  key)
          for  RSA or DSA authentication is read.  The default is
          ~/.ssh/identity   for   protocol   version    1,    and
          ~/.ssh/id_rsa and ~/.ssh/id_dsa for protocol version 2.
          Identity files may also  be  specified  on  a  per-host
          basis  in  the  configuration  file.  It is possible to
          have multiple -i options (and multiple identities spec-
          ified in configuration files).

man ssh_config...

     IdentityFile
          Specifies  a  file  from  which  the  user's RSA or DSA
          authentication  identity  is  read.   The  default   is
          ~/.ssh/identity    for    protocol   version   1,   and
          ~/.ssh/id_rsa and ~/.ssh/id_dsa for protocol version 2.
          Additionally, any identities represented by the authen-
          tication agent will be used  for  authentication.   The
          file name may use the tilde syntax to refer to a user's
          home directory.  It is possible to have multiple  iden-
          tity  files specified in configuration files; all these
          identities will be tried in sequence.
 
Old 11-25-2007, 02:37 AM   #4
devout
LQ Newbie
 
Registered: Nov 2007
Distribution: ubuntu
Posts: 2

Rep: Reputation: 0
I have tried adding ~/.ssh/NameOfPrivateKeyFile to the /etc/ssh/ssh_config file and have changed the name of id_rsa to NameOfPrivateKeyFile as mentioned above.

When I try ssh into my server I get the message
"/etc/ssh/ssh_config: line 52: Bad configuration option: ~/.ssh/NameOfPrivateKeyFile
/etc/ssh/ssh_config: terminating, 1 bad configuration options"

Have I missed something?

Also how do I go about changing the ~/.ssh/id_rsa.pub?
I mean I can change it, but where do I set it in a config file?

Any help appreciated.
 
Old 11-25-2007, 03:36 AM   #5
devout
LQ Newbie
 
Registered: Nov 2007
Distribution: ubuntu
Posts: 2

Rep: Reputation: 0
silly me...
Needed the IdentityFile in front of it.
I've changed the name of my id_rsa.pub and it seems to work.
Any ideas how ssh knows where to look for the public key, now that I've changed its name?
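
The per-host `IdentityFile` setup from the man page excerpt in post #3, and the missing-keyword error from posts #4 and #5, as an added example that is not part of the original thread. The alias, address and port come from the first post; the key name `id_rsa_ipcop` and the three function names are assumptions, and `identity_for` matches exact aliases only, not ssh's wildcard patterns.

```shell
#!/bin/sh
# Added example. id_rsa_ipcop and all function names are assumptions.

# write_host_stanza CONFIG ALIAS HOSTNAME PORT KEYFILE
# Every line is "Keyword value"; a bare path with no keyword is what
# triggers "Bad configuration option".
write_host_stanza() {
    {
        printf 'Host %s\n' "$2"
        printf '    HostName %s\n' "$3"
        printf '    Port %s\n' "$4"
        printf '    IdentityFile %s\n' "$5"
        # Offer only this key; drop the line if the client rejects the keyword.
        printf '    IdentitiesOnly yes\n'
    } >> "$1"
    chmod 600 "$1"
}

# lint_config CONFIG: print the numbers of lines that begin with a path
# instead of a keyword (the mistake from post #4).
lint_config() {
    awk 'NF && $1 ~ "^[~/.]" { print NR }' "$1"
}

# identity_for CONFIG ALIAS: print the IdentityFile values inside the
# Host block that lists ALIAS literally.
identity_for() {
    awk -v want="$2" '
        tolower($1) == "host" {
            hit = 0
            for (i = 2; i <= NF; i++) if ($i == want) hit = 1
            next
        }
        hit && tolower($1) == "identityfile" { print $2 }
    ' "$1"
}

# Demo on a scratch file (constructed input, not a real ~/.ssh/config).
demo=$(mktemp)
write_host_stanza "$demo" bubblicious 192.168.168.1 222 '~/.ssh/id_rsa_ipcop'
write_host_stanza "$demo" serverB serverB 22 '~/.ssh/id_rsa'
echo "bubblicious -> $(identity_for "$demo" bubblicious)"
rm -f "$demo"
```

With a stanza like this in the per-user `~/.ssh/config`, `ssh bubblicious` picks the right key and port without `-i` or `-p`, and the key for serverB is left untouched.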
 
Old 11-25-2007, 11:49 AM   #6
ntubski
Senior Member
 
Registered: Nov 2005
Distribution: Debian, Arch
Posts: 3,780

Rep: Reputation: 2081
The public key has to be on the host, the machine that you are ssh'ing to. All the public keys go in the .ssh/authorized_keys file on the host. So after copying the public key to the host, you would do on the host
Code:
cat id_rsa.pub >>~/.ssh/authorized_keys
which would add the public key to the public key file.
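
A more careful form of the `cat >>` step above, as an added example that is not part of the original thread: it refuses a private key file (only the `.pub` half belongs on the server), sets the permissions sshd expects, and does not append the same key twice. The helper name `install_pubkey` and the sample key are constructed for illustration.

```shell
#!/bin/sh
# Added example. install_pubkey is an assumed helper name, not an OpenSSH tool.

# install_pubkey PUBFILE [SSH_DIR]
# Returns 0 when the key is present afterwards, 2 for a private key,
# 3 when the file holds no public key line.
install_pubkey() {
    pub=$1
    dir=${2:-$HOME/.ssh}
    auth=$dir/authorized_keys

    # The private half stays on the client; only the .pub file is installed.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "refusing: $pub looks like a private key" >&2
        return 2
    fi
    # A public key line starts with its key type.
    key=$(grep -E '^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-[a-z0-9-]+) ' "$pub" | head -n 1)
    if [ -z "$key" ]; then
        echo "refusing: no public key line in $pub" >&2
        return 3
    fi

    # sshd's StrictModes check (on by default) skips the file when it or
    # the directory is writable by other users.
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$auth" && chmod 600 "$auth"

    # Append once; a plain "cat >>" duplicates the line on every run.
    grep -qxF -e "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
}

# Demo in a scratch directory with a constructed (non-functional) key.
scratch=$(mktemp -d)
printf 'ssh-rsa AAAAB3NzaC1yc2ECONSTRUCTED MykeV@laptop\n' > "$scratch/id_rsa.pub"
install_pubkey "$scratch/id_rsa.pub" "$scratch/.ssh"
install_pubkey "$scratch/id_rsa.pub" "$scratch/.ssh"
echo "lines in authorized_keys: $(wc -l < "$scratch/.ssh/authorized_keys")"
rm -rf "$scratch"
```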
 
  

