09-29-2003, 12:58 AM
|
#1
|
LQ Newbie
Registered: Aug 2003
Posts: 7
|
ssh RSA key
For the last few nights I've been attempting to get RSA authentication for the user root up and running. My goal is to be able to log in as a regular user using a password but require RSA authentication (which I want to save on a floppy and use PuTTY to log in) for root access. I'm running the OpenSSH_3.6.1p2 server off a Mandrake 9.1 machine on my network. I thought it would be a simple task to accomplish; was I ever wrong...
My 'ssh -v -l root -i id_rsa 192.168.0.104' output looks like this:
OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090701f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: Connecting to rhost [192.168.0.104] port 22.
debug1: Connection established.
debug1: identity file id_rsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.6.1p2
debug1: match: OpenSSH_3.6.1p2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.6.1p2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '192.168.0.104' is known and matches the RSA host key.
debug1: Found key in /home/*user*/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: id_rsa
Enter passphrase for key 'id_rsa':
Enter passphrase for key 'id_rsa':
Enter passphrase for key 'id_rsa':
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password
Notice the three attempted authentications?
Then it asks for a password (which is disabled for root).
I've heard there was a problem with MD5, the authentication used for passphrases on an ssh-key. So I installed libsasl2-plug-crammd5-2.1.12-1mdk, but to my dismay it did not fix my problem.
ANY HELP/LINKS/EXPERIENCE will be greatly appreciated... GREATLY
|
|
|
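Added example (not part of the thread and not code from OpenSSH): a small Python triage of a client-side `ssh -v` transcript like the one in post #1. It separates a key that failed on the client (passphrase prompts followed by the client moving to the next method, with no server reply in between) from a key the server answered; the function name `triage`, the verdict labels and the sample transcript are constructed for illustration.

```python
import re

# Constructed sample: authentication tail of a client-side `ssh -v` run,
# shaped like the transcript in post #1 (not output copied from a real host).
SAMPLE = """\
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: id_rsa
Enter passphrase for key 'id_rsa':
Enter passphrase for key 'id_rsa':
Enter passphrase for key 'id_rsa':
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password
"""

TRY = re.compile(r"debug1: Trying private key: (\S+)")
PROMPT = re.compile(r"Enter passphrase for key '([^']+)'")
SERVER_REPLY = re.compile(r"debug1: Authentications that can continue: (\S+)")
NEXT = re.compile(r"debug1: Next authentication method: (\S+)")

def triage(transcript):
    """Classify each private key the client tried (hypothetical helper)."""
    # not-decrypted / not-loaded: the client moved on with no server reply,
    # so the key never left the client (with / without passphrase prompts).
    # server-rejected: the server answered the attempt with a method list.
    keys, methods, current = {}, [], None

    def close(server_replied):
        nonlocal current
        if current is None:
            return
        k = keys[current]
        k["verdict"] = ("server-rejected" if server_replied
                        else "not-decrypted" if k["prompts"] else "not-loaded")
        current = None

    for line in map(str.strip, transcript.splitlines()):
        if m := TRY.match(line):
            close(False)                      # previous key got no reply
            current = m.group(1)
            keys[current] = {"prompts": 0, "verdict": "incomplete"}
        elif (m := PROMPT.match(line)) and m.group(1) in keys:
            keys[m.group(1)]["prompts"] += 1
        elif SERVER_REPLY.match(line):
            close(True)
        elif m := NEXT.match(line):
            close(False)
            methods.append(m.group(1))
    return {"keys": keys, "methods": methods}
```

A `not-decrypted` verdict points at the passphrase or the private key file on the client; a `server-rejected` verdict points at the account's `authorized_keys` on the server.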
09-29-2003, 03:33 AM
|
#2
|
Moderator
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417
|
Well, it'd appear that you've created an RSA key with a passphrase in it. If you don't want one, you'll need to recreate the RSA key and just press Enter when prompted, instead of typing in a passphrase.
|
|
|
09-29-2003, 06:41 AM
|
#3
|
Moderator
Registered: May 2001
Posts: 29,415
|
...besides that, you sneaked in this little phrase: "for root access", and I tell you, you must NOT do that. "Best practices" advice is to create and use a regular user account to log in to the system and then use sudo to su to root.
|
|
|
09-29-2003, 10:51 PM
|
#4
|
LQ Newbie
Registered: Aug 2003
Posts: 7
Original Poster
|
Thank you for your replies.
Thank you for noticing the passphrase thing, but yes, that was my initial intention; I'd much rather set it up to be valid ONLY with a passphrase. My concern is more as to how I can add support to the openssh library (OpenSSH_3.6.1p2) to support passphrase authentication through my PuTTY client (on a floppy).
Unspawn: thank you for the security advisory. Any clues on how to set RSA authentication for a regular user?
Appreciate any help...
|
|
|
All times are GMT -5.