Private/Public key vs. Password authentication w/ SSH
Hey all, I run IPCop as my firewall/router on my network. I use SSH to access it from remote locations from time to time. I want to disable password authentication in the sshd_config file and go with private/public key authentication. However, on the Windows laptop I use to access all my computers remotely, I have OpenSSH installed and already use a private key (id_rsa) for another Linux server (serverB) I SSH into. I added the private key file from the IPCop server (ssh_host_rsa_key) into the same directory as the id_rsa key on my laptop. So I have 2 private keys for SSH authentication that reside in the same directory for 2 different SSH boxes. When I try to SSH from my laptop into the IPCop server (bubblicious) the private/public key authentication fails.
Code:
C:\Documents and Settings\MykeV>ssh -p 222 -v root@bubblicious
OpenSSH_3.8.1p1, OpenSSL 0.9.7d 17 Mar 2004
debug1: Connecting to bubblicious [192.168.168.1] port 222.
debug1: Connection established.
debug1: identity file /home/MykeV/.ssh/identity type -1
debug1: identity file /home/MykeV/.ssh/id_rsa type 1
debug1: identity file /home/MykeV/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.5
debug1: match: OpenSSH_4.5 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'bubblicious' is known and matches the RSA host key.
debug1: Found key in /home/MykeV/.ssh/known_hosts:3
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /home/MykeV/.ssh/identity
debug1: Offering public key: /home/MykeV/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Trying private key: /home/MykeV/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password
root@bubblicious's password:
Do I need to have the private key file for IPCop renamed to id_rsa? I ask that 'cause if I do then I would effectively be overwriting the id_rsa private key for serverB. Is there a line in the sshd_config file or ssh_config file I can change to allow me to use a specific private key? I don't think it's permissible to use the private/public key files from serverB on the IPCop system 'cause the key files are specific to that system. I hope I am making sense. Anyway, your comments would be appreciated.
One more thing, connecting from my laptop to serverB using the associated private(id_rsa)/public key files works fine.
man ssh...
-i identity_file
Selects a file from which the identity (private key) for RSA or DSA authentication is read. The default is ~/.ssh/identity for protocol version 1, and ~/.ssh/id_rsa and ~/.ssh/id_dsa for protocol version 2. Identity files may also be specified on a per-host basis in the configuration file. It is possible to have multiple -i options (and multiple identities specified in configuration files).
man ssh_config...
IdentityFile
Specifies a file from which the user's RSA or DSA authentication identity is read. The default is ~/.ssh/identity for protocol version 1, and ~/.ssh/id_rsa and ~/.ssh/id_dsa for protocol version 2. Additionally, any identities represented by the authentication agent will be used for authentication. The file name may use the tilde syntax to refer to a user's home directory. It is possible to have multiple identity files specified in configuration files; all these identities will be tried in sequence.
I have tried adding ~/.ssh/NameOfPrivateKeyFile to the /etc/ssh/ssh_config file and have changed the name of id_rsa to NameOfPrivateKeyFile as mentioned above.
When I try to ssh into my server I get the message
"/etc/ssh/ssh_config: line 52: Bad configuration option: ~/.ssh/NameOfPrivateKeyFile
/etc/ssh/ssh_config: terminating, 1 bad configuration options"
Have I missed something?
Also, how do I go about changing the ~/.ssh/id_rsa.pub?
I mean I can change it, but where do I set it in a config file?
silly me...
Needed the IdentityFile in front of it.
I've changed the name of my ids_rsa.pub and it seems to work.
Any ideas how ssh knows where to look for the public key, now that I've changed its name?
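The per-host IdentityFile setup the posts above arrive at, as an added example that is not part of the original thread: one Host block per server in the client configuration, so each connection offers its own private key. The key file name id_rsa_ipcop and the use of a per-user ~/.ssh/config instead of /etc/ssh/ssh_config are assumptions; the host names and port 222 come from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Key file names are hypothetical.

# add_host_identity CONFIG HOST KEYFILE [PORT]
# Appends a Host block with its own IdentityFile unless HOST already has one.
add_host_identity() {
    cfg=$1; host=$2; key=$3; port=${4:-22}
    mkdir -p "$(dirname "$cfg")"
    touch "$cfg" && chmod 600 "$cfg"
    if awk -v h="$host" 'tolower($1) == "host" && $2 == h { f = 1 }
                         END { exit !f }' "$cfg"; then
        return 0
    fi
    printf 'Host %s\n    Port %s\n    IdentityFile %s\n' \
        "$host" "$port" "$key" >>"$cfg"
}

# identities_for CONFIG HOST
# Prints the IdentityFile entries that apply to HOST, in file order.
# Simplified matching: exact name or "*", first pattern on the Host line only.
identities_for() {
    awk -v h="$2" '
        BEGIN { on = 1 }    # options before the first Host line apply to all
        tolower($1) == "host" { on = ($2 == h || $2 == "*"); next }
        on && tolower($1) == "identityfile" { print $2 }
    ' "$1"
}

# Demo in a scratch directory (constructed values)
demo_dir=$(mktemp -d)
add_host_identity "$demo_dir/config" bubblicious '~/.ssh/id_rsa_ipcop' 222
add_host_identity "$demo_dir/config" serverB '~/.ssh/id_rsa'
cat "$demo_dir/config"
echo "bubblicious offers: $(identities_for "$demo_dir/config" bubblicious)"
rm -rf "$demo_dir"
```

The same selection can be made for a single connection with the -i option quoted from the man page, which takes the private key path on the command line.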
The public key has to be on the host, the machine that you are ssh'ing to. All the public keys go in the .ssh/authorized_keys file on the host. So after copying the public key to the host, you would do on the host
Code:
cat id_rsa.pub >>~/.ssh/authorized_keys
which would add the public key to the public key file.
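A more defensive form of the append step above, as an added example that is not part of the original answer: it refuses a private key file (such as the ssh_host_rsa_key mentioned in the first post), skips keys that are already listed, and sets the permissions sshd's StrictModes check expects. The function name install_pubkey and its optional home-directory argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Run on the host you ssh *to*.

# install_pubkey PUBKEY_FILE [HOME_DIR]
# Returns 0 when the key is present in authorized_keys afterwards,
# 1 when PUBKEY_FILE does not look like an OpenSSH public key.
install_pubkey() {
    pub=$1; home=${2:-$HOME}
    # PEM-encoded private keys start with a "-----BEGIN ..." line.
    if grep -q -- '-----BEGIN' "$pub"; then
        echo "refusing: $pub looks like a private key" >&2
        return 1
    fi
    # A public key line is "<type> <base64> [comment]".
    if ! grep -Eq '^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/=]+( |$)' "$pub"; then
        echo "refusing: $pub is not an OpenSSH public key line" >&2
        return 1
    fi
    # sshd (StrictModes) ignores authorized_keys if others can write here.
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    auth="$home/.ssh/authorized_keys"
    touch "$auth" && chmod 600 "$auth"
    # Append each key line only if that exact line is not already present.
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        grep -Fxq -- "$line" "$auth" || printf '%s\n' "$line" >>"$auth"
    done <"$pub"
    return 0
}

# Usage: sh install_pubkey.sh id_rsa.pub
if [ $# -gt 0 ]; then
    install_pubkey "$@"
fi
```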