LinuxQuestions.org
Old 06-04-2008, 02:06 AM   #1
ZAMO
Member
 
Registered: Mar 2007
Distribution: Redhat &CentOS
Posts: 598

Rep: Reputation: 30
To login to a server using pub key


Hi all,

I used

ssh -l user@server

to login to the server, using password as authentication.
Similarly, how can I login to the same, using the public key as authentication? My pub-key is already added to the .ssh/authorized_keys of the home directory of the server.

Thanks
 
Old 06-04-2008, 02:19 AM   #2
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122
Is it also in your local machine's /home/user_name/.ssh/id_rsa.pub? If so, you should be able to just

ssh server

Last edited by billymayday; 06-04-2008 at 05:48 AM. Reason: typo
 
Old 06-04-2008, 02:24 AM   #3
ZAMO
Member
 
Registered: Mar 2007
Distribution: Redhat &CentOS
Posts: 598

Original Poster
Rep: Reputation: 30
Billymayday,

Thank you for the quick reply. It's prompting for password, not for passphrase.

ssh server
localuser@servers's password:


Any idea...
 
Old 06-04-2008, 05:02 AM   #4
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 678
Read through the sshd_config man page. Whether the server uses password authentication or public key authentication or tries pubkey before password is determined in the server's configuration.

You could try logging in with "ssh -v user@server" and see if public key authentication was tried.

Here are the non-default, non-blank lines from my desktop's /etc/ssh/sshd_config file. You may not want to totally disable password authentication until you get pubkey authentication working:
Code:
ssh hpmedia
Last login: Tue Jun  3 06:37:21 2008 from hpamd64.jesnet
jschiwal@hpmedia:~> sudo sed '/^$/d;/^#/d' /etc/ssh/sshd_config
root's password:
Protocol 2
PermitRootLogin no
RSAAuthentication no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no

UsePAM yes
X11Forwarding yes
PrintMotd no
AllowUsers jschiwal testuser
Subsystem       sftp    /usr/lib64/ssh/sftp-server
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
There is an explanation in the comments about using PAM for controlling the session but not for authentication.
Code:
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
Since password authentication works on the server, you could use (if you have it):
ssh-copy-id [-i [identity_file]] [user@]machine
to add your local public key to the remote machine.

If you are the only user who logs into the remote machine via ssh, then using "AllowUsers <yourusername>" will help prevent abuse as well by disabling logins by any other username.

Last edited by jschiwal; 06-04-2008 at 05:05 AM.
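
An added example, not part of jschiwal's post: a shell audit of the authentication settings shown above. It resolves the value sshd actually uses for a keyword (keywords are case-insensitive and the first value read wins) and flags a config that leaves neither pubkey nor password login enabled. The function names and the sample config are constructed for illustration; it assumes whitespace-separated `Keyword value` lines and stops at the first `Match` block.

```sh
#!/bin/sh
# Added example (not from the thread): which auth settings does sshd_config yield?

# effective_sshd KEYWORD FILE -> prints the first value set for KEYWORD, if any.
effective_sshd() {
  awk -v want="$(printf %s "$1" | tr '[:upper:]' '[:lower:]')" '
    /^[ \t]*(#|$)/         { next }           # skip comments and blank lines
    tolower($1) == "match" { exit }           # conditional blocks are not global
    tolower($1) == want    { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
  ' "$2"
}

# audit_sshd FILE -> prints findings and returns how many there were.
audit_sshd() {
  f=$1; n=0
  pub=$(effective_sshd PubkeyAuthentication "$f");  pub=${pub:-yes}  # default: yes
  pw=$(effective_sshd PasswordAuthentication "$f"); pw=${pw:-yes}    # default: yes
  root=$(effective_sshd PermitRootLogin "$f")
  allow=$(effective_sshd AllowUsers "$f")
  echo "pubkey=$pub password=$pw"
  if [ "$pub" != yes ] && [ "$pw" != yes ]; then
    echo "LOCKOUT: neither pubkey nor password login is enabled"; n=$((n+1))
  fi
  [ "$pub" = yes ] || { echo "WARN: authorized_keys is never consulted"; n=$((n+1)); }
  [ "$root" = no ] || { echo "WARN: PermitRootLogin is not 'no'"; n=$((n+1)); }
  [ -n "$allow" ]  || { echo "WARN: no AllowUsers list"; n=$((n+1)); }
  return $n
}

# Constructed sample: PubkeyAuthentication is set twice, the first line wins.
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
Protocol 2
PubkeyAuthentication no
PasswordAuthentication no
pubkeyauthentication yes
EOF
audit_sshd "$cfg" || echo "findings: $?"
rm -f "$cfg"
```

Run it against a copy of the server's file before setting `PasswordAuthentication no`, so a working pubkey login is confirmed first.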
 
Old 06-04-2008, 05:10 AM   #5
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122
Correct me if I'm wrong, but doesn't the ssh client get the public key from /home/user_name/.ssh/id_rsa.pub? I wouldn't think just having the key on the server would suffice.

Last edited by billymayday; 06-04-2008 at 05:48 AM. Reason: typo
 
Old 06-04-2008, 05:33 AM   #6
ZAMO
Member
 
Registered: Mar 2007
Distribution: Redhat &CentOS
Posts: 598

Original Poster
Rep: Reputation: 30
Guru,


Here is the output of my real environment...

Code:
ssh -v myuser@X.X.X.X
OpenSSH_3.9p1, OpenSSL 0.9.7a Feb 19 2003
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to X.X.X.X [X.X.X.X] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type 1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.9p1
debug1: match: OpenSSH_3.9p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.9p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'X.X.X.X' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: An invalid name was supplied
Unknown code krb5 243

debug1: An invalid name was supplied
Unknown code krb5 243

debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: Offering public key: /root/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Next authentication method: password
myuser@X.X.X.X's password:

My user is there. I am unable to solve this issue for a couple of days (hope you know). What do I need to change in the ssh_config file...

Any idea..

Thanks for your help..
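
An added example, not part of the original posts: a shell filter that reduces `ssh -v` output like the log above to the state of each identity file and whether the client fell back to a password prompt. The sample lines are abridged from the debug output in this thread; the function names are made up for illustration.

```sh
#!/bin/sh
# Added example: condense the public-key phase of `ssh -v` output (read on stdin).
summarize_pubkey_debug() {
  awk '
    /^debug1: identity file / {
      # "type -1": no public key could be read from this path
      if (!($4 in state)) order[++n] = $4
      state[$4] = ($6 == "-1") ? "not-loaded" : "loaded"
    }
    /^debug1: Offering public key: / {
      if (!($5 in state)) order[++n] = $5     # e.g. a key held by an agent
      state[$5] = "offered"; pending = $5
    }
    /^debug1: Server accepts key/ {
      if (pending != "") { state[pending] = "accepted"; pending = "" }
    }
    /^debug1: Authentications that can continue:/ {
      # This line straight after an offer means the server turned the key down
      if (pending != "") { state[pending] = "rejected-by-server"; pending = "" }
    }
    /^debug1: Next authentication method: password/ { fellback = 1 }
    END {
      for (i = 1; i <= n; i++) print order[i], state[order[i]]
      print "password-fallback", (fellback ? "yes" : "no")
    }'
}

# Abridged from the debug output posted in this thread.
sample_log() {
  cat <<'EOF'
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type 1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: Offering public key: /root/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Next authentication method: password
EOF
}

sample_log | summarize_pubkey_debug
```

The paths in the summary also show which local account's key directory the client searched, here /root/.ssh.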
 
Old 06-04-2008, 05:45 AM   #7
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122
Last try - it's not a config issue - you don't have the target user's key in /root/.ssh
 
Old 06-04-2008, 06:00 AM   #8
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 678
Quote:
Originally Posted by billymayday
Correct me if I'm wrong, but doesn't the ssh client get the public key from /home/user_name/.ssh/id_rsa.pub? I wouldn't think just having the key on the server would suffice.

Not exactly. The private key is used during authentication on the client to prove to the server that it owns the public key. Only your own local private key can decrypt a challenge by the server encoded with your public key which the server gets from authorized_keys.
 
Old 06-04-2008, 06:03 AM   #9
ZAMO
Member
 
Registered: Mar 2007
Distribution: Redhat &CentOS
Posts: 598

Original Poster
Rep: Reputation: 30
Billymayday,

From my local machine (am a non-root user), trying to connect to a remote server as a non-root user (say myuser). Now tell me... in which location is the key missing? This is in no way related to the root user on both ends..

Thanks..
 
Old 06-04-2008, 06:44 AM   #10
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122
Sorry jschiwal, not thinking at the moment.

Zamo, the key pair for a typical ssh-keygen setup is id_rsa (private key, stays on client) and id_rsa.pub (public key, put in server authorized_keys).

I don't quite see why ssh is looking in /root/.ssh for the private key (check /etc/ssh/ssh_config on the client machine for IdentityFile locations).

If the private key is in /home/myuser/.ssh/id_rsa, try using

ssh -i /home/myuser/.ssh/id_rsa myuser@X.X.X.X

If not, make sure the correct private key is there.

Edit - it could be id_dsa, or if you are using protocol 1, identity
 
Old 06-04-2008, 08:00 AM   #11
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 678
It looks like you are running the client as root. Running as root is not a good idea. Also, when you login to ssh, ssh username@server, you are logging in as the "username" user on the server. The private key for the local effective uid is used locally, not the user in "username". So if your username on the client is jsmith and on the server is johns; on the local client the private key /home/jsmith/.ssh/id_rsa is used. On the server, the /home/johns/.ssh/authorized_keys file is used and the entry for johns@<client_host> is looked up. On the server, username@host means the local user name connecting from the remote host.

Using root may complicate things. The host keys in /etc/ssh/ and the root user's key in /root/.ssh/ exist for root@hostname. If these keys are different, that may cause problems. I've never used hostkey authentication however, so I'm not sure.

Since you are logging into a regular account, I don't see any reason you would run as root. Please use real usernames in your posting because it is too hard keeping straight what you are doing. We can't tell for sure which user you are logging into and which user's public key you sent. You should add your local user's public key to the target client user's authorized keys file.

Another thing to check is the permissions used for /home/<username>, /home/<username>/.ssh/ and /home/<username>/.ssh/id_rsa.
SSH will refuse to allow a login if the private keys are world readable.

If you are responsible for the server, you might want to lock down ssh. Some things to do:
Don't allow root logins. ( Unless you need to connect in a cron job for automatic remote administration. )
Disable protocol 1.
Consider changing the port number used if ssh is exposed to the internet.
Use "AllowUsers" to control who can login. This is a server control.
Restrict where you can login from (if you have a fixed IP address). For example, a from= entry in your authorized keys with a list of hosts or networks that you connect from. This is a way for a client to add some more security which might guard against a lost key.

Last edited by jschiwal; 06-04-2008 at 08:14 AM.
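
An added example, not part of jschiwal's post: the permission checks mentioned above as two shell functions, one for the server-side paths that sshd's `StrictModes` option (on by default) inspects and one for the client's private key. The function names and the demo directory are constructed for illustration; modes are read from `ls -ld`, and file ownership is not checked.

```sh
#!/bin/sh
# Added example (not from the thread): permission checks for pubkey login.

# Mode string such as "drwxr-xr-x" for one path.
mode_of() { ls -ld "$1" | cut -c1-10; }

# Server side: with StrictModes, sshd ignores authorized_keys when the home
# directory, ~/.ssh or the file itself is writable by group or others.
check_server_side() {
  rc=0
  for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
    [ -e "$p" ] || { echo "MISSING $p"; rc=1; continue; }
    case $(mode_of "$p") in
      ?????w????|????????w?) echo "BAD group/world-writable: $p"; rc=1 ;;
    esac
  done
  return $rc
}

# Client side: ssh ignores a private key that group or others can access.
check_client_key() {
  [ -e "$1" ] || { echo "MISSING $1"; return 1; }
  case $(mode_of "$1") in
    ????------) return 0 ;;
    *) echo "BAD private key accessible by group/others: $1"; return 1 ;;
  esac
}

# Constructed demo tree standing in for /home/<username>.
demo_home=$(mktemp -d)
mkdir "$demo_home/.ssh"
: > "$demo_home/.ssh/authorized_keys"
: > "$demo_home/.ssh/id_rsa"
chmod 755 "$demo_home"
chmod 700 "$demo_home/.ssh"
chmod 600 "$demo_home/.ssh/authorized_keys"
chmod 644 "$demo_home/.ssh/id_rsa"            # deliberately too open
check_server_side "$demo_home" && echo "server side OK"
check_client_key "$demo_home/.ssh/id_rsa" || echo "fix with: chmod 600 <key>"
rm -rf "$demo_home"
```

Run `check_server_side` against the target account's home directory on the server and `check_client_key` against the private key on the client.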
 
Old 06-05-2008, 08:28 AM   #12
ZAMO
Member
 
Registered: Mar 2007
Distribution: Redhat &CentOS
Posts: 598

Original Poster
Rep: Reputation: 30
Thank you both for your continued support.
SORRY, for the delayed update....

I started things from scratch. I have created a new id_rsa and added it to the server, using
cat id_rsa >> .ssh/authorized_keys. Now I am able to login without a pass-phrase too.


Moving forward, I need to tunnel to another server, through my remote server.
I am trying with

ssh -L 9000:user@targetserver:22 remoteuser@remoteserver


It's again prompting for a password. Am I missing something...?

When I try with
ssh remoteuser@remoteserver
I am able to login.....
 
  


All times are GMT -5.