|
|
07-19-2007, 10:56 PM
|
#1
|
Member
Registered: Nov 2005
Distribution: redhat, debian, ubuntu
Posts: 47
|
ssh issues from Windows
I'm trying to use a public key authentication from a Windows XP to Linux.
XP is using ssh secure shell client 3.2.9 and Linux is using openssh 3.6.1
I generated the private/public keys using ssh client on Windows and uploaded the public key to Linux: /home/username/.ssh and did:
ssh-keygen -i -f id_dsa_1024_a.pub >> authorized_keys
The directory/file permissions are correct:
Home Directory =750
.ssh =700
authorized_keys file =644
When I try to connect to Linux, I get "No further authentication methods available".
I did notice that when I was trying to upload the public key, it defaulted to .ssh2 but my Linux uses .ssh so I'm not sure if that has something to do with it.
It seems Linux isn't able to read the private key on the Windows client.
The debug file on Windows client shows the following:
Ssh2AuthPubKeyClient/authc-pubkey.c:983: All keys declined by server, disabling method.
Ssh2AuthClient/sshauthc.c:319: Method 'publickey' disabled.
Any suggestions?
Thanks.
|
|
|
07-20-2007, 08:55 AM
|
#2
|
LQ Guru
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,972
|
Beyond the admonition to very carefully read the SSH configuration files, and to review the Linux logs in /var/log, "not really."
SSH is a bit tricky to set up mainly because the documentation is not very great, but there's a cornucopia of good stuff on the Internet. The client is pretty much telling you what happened: of the various authentication-proposals that it offered to the server, none were accepted. (It might never have actually sent a password, because the first part of the exchange is to determine what credentials the server wishes to see.)
The server's logs will tell you more.
Been there. Done that.
|
|
|
07-20-2007, 09:22 AM
|
#3
|
Member
Registered: Oct 2004
Location: Germany
Distribution: Debian
Posts: 274
|
well, I use the following working procedure:
use puttyGen on your windows machine to generate a private/public key, copy the contents of the public key field in puttyGen to the clipboard (or a plain textfile)
connect to your linux box and insert the copy of the public key in your auth. keys file
(using cat filename >> ~/.ssh/authorized_keys or by editing ~/.ssh/authorized_keys)
disconnect your connection and try connecting with the private key (using putty for example).
if it does not work, check if your server accepts public/private key auth, see /etc/ssh/sshd_config and its man page for this.
see http://www.vbulletin-germany.com/for...28&postcount=5 for a step by step HOWTO. (This one is in German, but with enough pictures to be really easy to understand.)
|
|
|
07-20-2007, 09:33 AM
|
#4
|
Senior Member
Registered: Nov 2003
Location: Perth, Western Australia
Distribution: Ubuntu, Debian, Various using VMWare
Posts: 2,088
|
You don't use ssh-keygen on the server, only the client. You upload the public key to the server, and append it to ~/.ssh/authorized_keys, which must have 600 permissions.
Check /var/log/auth.log if the authentication is rejected - the error messages are generally pretty good.
Tip: By default, ssh-keygen will create file id_dsa and id_dsa.pub. If you just put the id_dsa file in your ~/.ssh/ directory (on the client), you do not need to specify it each time you connect to the server. SSH will check for this file automatically.
I have some information Here about setting up SSH on the client and server.
I hope this helps
--Ian
|
|
|
07-20-2007, 09:53 AM
|
#5
|
Member
Registered: Oct 2004
Location: Germany
Distribution: Debian
Posts: 274
|
his client is Win, so he for sure did not use ssh-keygen there and "ssh-keygen -i" will use an existing key in a file and convert it for appending to authorized_keys, so that part seemed not so wrong.
If I understood him right, he created a public/private key on the client (by whatever means), copied the public part to the server, and tried to import it into authorized_keys there.
the rights seem bad indeed, 600 should be better than 644.
The part about the default folder when uploading the pub key is not clear to me. What SW did you use?
@IBall: your HOWTO seems really good, but I have one thing to mention:
you should not use the filename id_dsa.pub when uploading the "client" key to the server, because if one has used ssh-keygen on the machine, this file may already be present and contains the "server" public key (matching the "id_dsa" file). Better call it "client_id.pub" or something and add a step deleting the file after appending to authorized keys.
Last edited by doc.nice; 07-20-2007 at 10:00 AM.
|
|
|
07-21-2007, 12:41 AM
|
#6
|
Member
Registered: Nov 2005
Distribution: redhat, debian, ubuntu
Posts: 47
Original Poster
|
I had to chmod to 700 = authorized_keys to get it to work. Not sure why that was.
Yes, the keys were generated on Windows. And ssh-keygen -i was to convert ssh2 format to openssh format since if left as ssh2 format, it won't be compatible.
What I meant by the default folder when uploading was that there's an option to upload from the client on Windows which will upload the public key to the target as long as you're already connected via ssh but the default folder will upload to .ssh2 instead of .ssh.
Thanks
|
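The conversion that `ssh-keygen -i` performs in this thread, from the SSH2 (RFC 4716 style) public key file written by the Windows client to the one-line form that `authorized_keys` expects, as an added Python example that is not part of any post. The key blob is constructed dummy data, not a usable key, and the function names are assumptions of this example.

```python
import base64
import struct
import textwrap

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"


def rfc4716_to_openssh(text):
    """Convert one SSH2 (RFC 4716) public key into an authorized_keys line."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing SSH2 PUBLIC KEY markers")
    inner, headers, body, i = lines[1:-1], {}, [], 0
    while i < len(inner):
        line = inner[i]
        i += 1
        if ":" in line and not body:          # header lines precede the base64 body
            while line.endswith("\\") and i < len(inner):
                line = line[:-1] + inner[i]   # trailing backslash continues a header
                i += 1
            tag, value = line.split(":", 1)
            headers[tag.lower()] = value.strip()
        elif line:
            body.append(line)
    blob = base64.b64decode("".join(body), validate=True)
    # The blob starts with a length-prefixed key type such as "ssh-dss".
    n = struct.unpack(">I", blob[:4])[0] if len(blob) >= 4 else 0
    if n == 0 or 4 + n > len(blob):
        raise ValueError("malformed key blob")
    key_type = blob[4:4 + n].decode("ascii")
    comment = headers.get("comment", "").strip('"')
    parts = (key_type, base64.b64encode(blob).decode(), comment)
    return " ".join(p for p in parts if p)


def sample_blob():
    """Constructed ssh-dss shaped blob with dummy p, q, g, y (not a usable key)."""
    fields = [b"ssh-dss", b"\x01" * 16, b"\x02" * 8, b"\x03" * 16, b"\x04" * 16]
    return b"".join(struct.pack(">I", len(f)) + f for f in fields)


def sample_ssh2_text():
    """Constructed SSH2 file: wrapped base64 plus a continued Comment header."""
    b64 = "\n".join(textwrap.wrap(base64.b64encode(sample_blob()).decode(), 70))
    return f'{BEGIN}\nComment: "constructed sample \\\nkey"\n{b64}\n{END}\n'


if __name__ == "__main__":
    print(rfc4716_to_openssh(sample_ssh2_text()))
```

An unconverted SSH2 file appended to `authorized_keys` contains marker and header lines rather than one `type base64 comment` line per key, which is why the conversion step is needed before appending.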
|
|
07-21-2007, 02:14 PM
|
#7
|
Member
Registered: Oct 2004
Location: Germany
Distribution: Debian
Posts: 274
|
ok, fine then, but set the rights to 600 instead of 700, the file should not be executable (bitmask 1)
|
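An audit of the modes discussed in this thread (home 750, .ssh 700, authorized_keys 644, 600 or 700), as an added Python example that is not part of any post. The "reject" findings are modelled on sshd's StrictModes check (owner must be the user or root, no group or world write bit); the "warn" and "note" findings are hardening hints of this example, and all names and the throwaway directory tree are constructed.

```python
import os
import stat
import tempfile


def audit(home, uid=None):
    """Return {path: [findings]} for home, ~/.ssh and ~/.ssh/authorized_keys."""
    uid = os.getuid() if uid is None else uid
    ssh_dir = os.path.join(home, ".ssh")
    key_file = os.path.join(ssh_dir, "authorized_keys")
    report = {}
    for path in (home, ssh_dir, key_file):
        st = os.stat(path)
        mode = stat.S_IMODE(st.st_mode)
        findings = []
        if st.st_uid not in (uid, 0):
            findings.append("reject: owner is neither the user nor root")
        if mode & 0o022:
            findings.append("reject: writable by group or others")
        if path == key_file:
            if mode & 0o111:
                findings.append("warn: execute bit set on a data file")
            if mode & 0o044:
                findings.append("note: readable by group or others; 600 is tighter")
        report[path] = findings
    return report


def rejected(report):
    """True if any path has a finding that a StrictModes-style check refuses."""
    return any(f.startswith("reject") for fs in report.values() for f in fs)


def check_modes(home_mode, ssh_mode, key_mode):
    """Build a throwaway tree with the given modes and audit it (constructed input)."""
    with tempfile.TemporaryDirectory() as home:
        ssh_dir = os.path.join(home, ".ssh")
        os.mkdir(ssh_dir)
        key_file = os.path.join(ssh_dir, "authorized_keys")
        with open(key_file, "w") as fh:
            fh.write("ssh-dss AAAA...constructed-placeholder\n")
        os.chmod(key_file, key_mode)
        os.chmod(ssh_dir, ssh_mode)
        os.chmod(home, home_mode)
        report = audit(home)
        return rejected(report), report[key_file]


if __name__ == "__main__":
    for key_mode in (0o644, 0o600, 0o700, 0o664):
        print(oct(key_mode), check_modes(0o750, 0o700, key_mode))
```

On a real account, call `audit(os.path.expanduser("~"))` as the user in question and compare the result with the sshd messages in the server's authentication log.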
|
|
07-22-2007, 11:05 PM
|
#8
|
Senior Member
Registered: Nov 2003
Location: Perth, Western Australia
Distribution: Ubuntu, Debian, Various using VMWare
Posts: 2,088
|
Quote:
Originally Posted by doc.nice
@IBall: your HOWTO seems really good, but I have one thing to mention:
you should not use the filename id_dsa.pub when uploading the "client" key to the server, because if one has used ssh-keygen on the machine, this file may already be present and contains the "server" public key (matching the "id_dsa" file). Better call it "client_id.pub" or something and add a step deleting the file after appending to authorized keys.
|
Thanks for the feedback. I will look at this when I get time
|
|
|
All times are GMT -5. The time now is 04:57 AM.
|
|
|