LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 07-19-2007, 10:56 PM   #1
pridefc
Member
 
Registered: Nov 2005
Distribution: redhat, debian, ubuntu
Posts: 47

Rep: Reputation: 15
ssh issues from Windows


I'm trying to use public key authentication from Windows XP to Linux.
XP is using ssh secure shell client 3.2.9 and Linux is using openssh 3.6.1
I generated the private/public keys using ssh client on Windows and uploaded the public key to Linux: /home/username/.ssh and did:
ssh-keygen -i -f id_dsa_1024_a.pub >> authorized_keys
The directory/file permissions are correct:

Home Directory =750
.ssh =700
authorized_keys file =644

When I try to connect to Linux, I get "No further authentication methods available".
I did notice that when I was trying to upload the public key, it defaulted to .ssh2 but my Linux uses .ssh so I'm not sure if that has something to do with it.
It seems Linux isn't able to read the private key on the Windows client.

The debug file on Windows client shows the following:

Ssh2AuthPubKeyClient/authc-pubkey.c:983: All keys declined by server, disabling method.

Ssh2AuthClient/sshauthc.c:319: Method 'publickey' disabled.

Any suggestions?

Thanks.
 
Old 07-20-2007, 08:55 AM   #2
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,972
Blog Entries: 4

Rep: Reputation: 4027
Beyond the admonition to very carefully read the SSH configuration files, and to review the Linux logs in /var/log, "not really."

SSH is a bit tricky to set up mainly because the documentation is not very great, but there's a cornucopia of good stuff on the Internet. The client is pretty much telling you what happened: of the various authentication-proposals that it offered to the server, none were accepted. (It might never have actually sent a password, because the first part of the exchange is to determine what credentials the server wishes to see.)

The server's logs will tell you more.

Been there. Done that.
 
Old 07-20-2007, 09:22 AM   #3
doc.nice
Member
 
Registered: Oct 2004
Location: Germany
Distribution: Debian
Posts: 274

Rep: Reputation: 34
well, I use the following working procedure:
use puttyGen on your windows machine to generate a private/public key, copy the contents of the public key field in puttyGen to the clipboard (or a plain textfile)

connect to your linux box and insert the copy of the public key in your auth. keys file
(using cat filename >> ~/.ssh/authorized_keys or by editing ~/.ssh/authorized_keys)

disconnect your connection and try connecting with the private key (using putty for example).

if it does not work, check if your server accepts public/private key auth, see /etc/ssh/sshd_config and its man page for this.

see http://www.vbulletin-germany.com/for...28&postcount=5 for a step by step HOWTO. (This one is in German, but with enough pictures to be really easy to understand.)
 
Old 07-20-2007, 09:33 AM   #4
IBall
Senior Member
 
Registered: Nov 2003
Location: Perth, Western Australia
Distribution: Ubuntu, Debian, Various using VMWare
Posts: 2,088

Rep: Reputation: 62
You don't use ssh-keygen on the server, only the client. You upload the public key to the server, and append it to ~/.ssh/authorized_keys, which must have 600 permissions.

Check /var/log/auth.log if the authentication is rejected - the error messages are generally pretty good.

Tip: By default, ssh-keygen will create file id_dsa and id_dsa.pub. If you just put the id_dsa file in your ~/.ssh/ directory (on the client), you do not need to specify it each time you connect to the server. SSH will check for this file automatically.

I have some information Here about setting up SSH on the client and server.

I hope this helps
--Ian
 
Old 07-20-2007, 09:53 AM   #5
doc.nice
Member
 
Registered: Oct 2004
Location: Germany
Distribution: Debian
Posts: 274

Rep: Reputation: 34
his client is Win, so he for sure did not use ssh-keygen there and "ssh-keygen -i" will use an existing key in a file and convert it for appending to authorized_keys, so that part seemed not so wrong.
If I understood him right, he created a public/private key on the client (by whatever means), copied the public part to the server, and tried to import it into authorized_keys there.

the rights seem bad indeed, 600 should be better than 644.
The part about the default folder when uploading the pub key is not clear to me. What SW did you use?

@IBall: your HOWTO seems really good, but I have one thing to mention:
you should not use the filename id_dsa.pub when uploading the "client" key to the server, because if one has used ssh-keygen on the machine, this file may already be present and contains the "server" public key (matching the "id_dsa" file). Better call it "client_id.pub" or something and add a step deleting the file after appending to authorized keys.

Last edited by doc.nice; 07-20-2007 at 10:00 AM.
 
Old 07-21-2007, 12:41 AM   #6
pridefc
Member
 
Registered: Nov 2005
Distribution: redhat, debian, ubuntu
Posts: 47

Original Poster
Rep: Reputation: 15
I had to chmod to 700 = authorized_keys to get it to work. Not sure why that was.
Yes, the keys were generated on Windows. And ssh-keygen -i was to convert ssh2 format to openssh format since if left as ssh2 format, it won't be compatible.
What I meant by the default folder when uploading was that there's an option to upload from the client on Windows which will upload the public key to the target as long as you're already connected via ssh but the default folder will upload to .ssh2 instead of .ssh.

Thanks
 
Old 07-21-2007, 02:14 PM   #7
doc.nice
Member
 
Registered: Oct 2004
Location: Germany
Distribution: Debian
Posts: 274

Rep: Reputation: 34
ok, fine then, but set the rights to 600 instead of 700, the file should not be executable (bitmask 1)
 
Old 07-22-2007, 11:05 PM   #8
IBall
Senior Member
 
Registered: Nov 2003
Location: Perth, Western Australia
Distribution: Ubuntu, Debian, Various using VMWare
Posts: 2,088

Rep: Reputation: 62
Quote:
Originally Posted by doc.nice
@IBall: your HOWTO seems really good, but I have one thing to mention:
you should not use the filename id_dsa.pub when uploading the "client" key to the server, because if one has used ssh-keygen on the machine, this file may already be present and contains the "server" public key (matching the "id_dsa" file). Better call it "client_id.pub" or something and add a step deleting the file after appending to authorized keys.
Thanks for the feedback. I will look at this when I get time
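
The two things this thread keeps returning to, the key format in authorized_keys and the permissions on the path to it, can be checked with a short script. This is an added example, not code from any post in the thread; the function names and the sample layout are assumptions, and the key material is a constructed placeholder rather than a real key.

```shell
# Added example: key-format and permission checks for an account's ~/.ssh.

# Print "ssh2" (SSH2 block that still needs ssh-keygen -i), "openssh"
# (the one-line form authorized_keys expects) or "unknown" for a key file.
pubkey_format() {
    first=$(grep -v '^[[:space:]]*$' "$1" | head -n 1)
    case "$first" in
        "---- BEGIN SSH2 PUBLIC KEY ----"*) echo ssh2 ;;
        ssh-dss\ *|ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*) echo openssh ;;
        *) echo unknown ;;
    esac
}

# Count SSH2-format blocks that were appended to authorized_keys unconverted.
unconverted_blocks() {
    grep -c -e '^---- BEGIN SSH2 PUBLIC KEY ----' "$1" || true
}

# True when the path is group- or world-writable, the write bits that
# OpenSSH's StrictModes option tests on the file and its parent directories.
loose_perms() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

# Print one line per finding for a home directory; return the finding count.
check_account() {
    home=$1; problems=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if loose_perms "$p"; then echo "WRITABLE BY GROUP/OTHER: $p"; problems=$((problems + 1)); fi
    done
    n=$(unconverted_blocks "$home/.ssh/authorized_keys")
    if [ "$n" -gt 0 ]; then echo "UNCONVERTED SSH2 KEY BLOCKS: $n"; problems=$((problems + 1)); fi
    return "$problems"
}

# Constructed sample layout: an SSH2-format key copied in without conversion
# and an authorized_keys file left group-writable.
make_demo() {
    mkdir -p "$1/.ssh"
    printf '%s\n' '---- BEGIN SSH2 PUBLIC KEY ----' 'Comment: "constructed sample"' \
        'AAAAB3NzaC1kc3MAAACBAPLACEHOLDER' '---- END SSH2 PUBLIC KEY ----' \
        > "$1/.ssh/id_dsa_1024_a.pub"
    cp "$1/.ssh/id_dsa_1024_a.pub" "$1/.ssh/authorized_keys"
    chmod 750 "$1"; chmod 700 "$1/.ssh"; chmod 664 "$1/.ssh/authorized_keys"
}

demo=$(mktemp -d) && make_demo "$demo"
check_account "$demo" || echo "findings: $?"
rm -rf "$demo"
```

On a real server, run check_account against the account's home directory and compare the findings with the sshd messages in the auth log mentioned above.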
 
  


All times are GMT -5.
