CVS & SSH & Public/private keys
 

Hello,

I am trying to get my public/ private keys auth working but it only work for user root(local and remote)


Trying to connect to remote user 'admin' from local user 'admin'
$ ssh domain.com

I haved read many howto but i cant get it to work.

My local system is FC3
$ ssh -V
OpenSSH_3.9p1, OpenSSL 0.9.7a Feb 19 2003

and my remote is RH8
$ ssh -V
OpenSSH_3.5p1, SSH protocols 1.5/2.0, OpenSSL 0x0090701f

EDIT On 05-09-08 i have upgraded openssh on my remote to version
[root@remote root]$ ssh -V
OpenSSH_4.2p1, OpenSSL 0.9.7a Feb 19 2003
END EDIT

Thanks for any input,

Or does anyone know how to connect to a remote cvs server (ext) without password ?


Thanks

For the SSH bit, the best how-to I've read is here .

From your post, it looks like at least one of the keys in the authorized_keys files has extra text that is goofing things up:

For the authorized_keys file you need to make sure that the ENTIRE key is on a single line and there there isn't a bunch of extra text. On my box the file looks something like this:

ssh-dss FIRSTKEY
ssh-dss SECONDKEY


As for the CVS server, there are likely to be instructions on the site as to how to log in anonymously.

Hello,


I have done this howto many times but without any results.
(local user) admin (remote user) admin

And when i do the same howto with 'root' user evrything work fine

This look like a configuration problem. Do you know where in config files the pub/private login could be restricted to 'root'

EDIT :
For info, here is the file ownship for admin and root users.

::::LOCAL :::
/home/admin/
drwxr-xr-x 2 admin admin 4096 Sep 3 12:14 .ssh
/home/admin/.ssh/
-rw------- 1 admin admin 668 Sep 3 12:13 id_dsa
-rw-r--r-- 1 admin admin 618 Sep 3 12:13 id_dsa.pub
-rw-r--r-- 1 admin admin 464 Sep 3 12:21 known_hosts

/root/
drwxr-xr-x 2 root root 4096 Jul 21 21:19 .ssh
/root/.ssh/
rw------- 1 root root 668 Jul 21 00:33 id_dsa
-rw-r--r-- 1 root root 617 Jul 21 00:33 id_dsa.pub
-rw-r--r-- 1 root root 470 Jul 21 00:33 known_hosts

::: REMOTE :::
/home/admin/
drwx------ 2 admin admin 4096 Sep 3 12:15 .ssh
/home/admin/.ssh
-rwx------ 1 admin admin 618 Sep 3 12:14 authorized_keys
-rw-r--r-- 1 admin admin 242 Sep 3 12:15 known_hosts

/root
drwx------ 2 root root 4096 Sep 1 13:46 .ssh
/root/.ssh/
-rwx------ 1 root root 618 Jul 21 21:18 authorized_keys
-rw-r--r-- 1 root root 242 Jul 21 00:31 known_hosts

Note that root's autorized_keys file have one byte more that id_dsa.pub.
END EDIT



Thanks in advance,

Well, the config file should be in /etc/ssh and is called sshd_config. You should look and see if there is an AllowUsers directive (which may prevent admin from logging on). You also should have a look at the system logs. SSH usually leaves a lot in /var/logs/messages and it may give us a clue. By any chance can admin log in with a username and password instead of a key? If you can, that suggests a key problem, not an ssh config problem. Of course there is also regenerating a key pair for admin an see if something strange happened when the public key was installed on the remote system.

Hello,

Yes admin can login with password,


/var/log/messages
Sep 7 08:51:23 domain sshd(pam_unix)[19248]: session opened for user root by (uid=0)
Sep 7 08:52:00 domain sshd(pam_unix)[19309]: session opened for user admin by (uid=502)
Note : root login using key pair and admin login with password

I look in the /etc/ssh/sshd_config and i dont have an AllowUsers directive.


I generated many times the keys for admin and i never get anything that go wrong.



Thanks

OK, that and the lack of AllowUsers rules out the brutally obvious problems. I guess I'm back to thinking that there may be a problem with the format of the /home/admin/.ssh/authorized_keys file. As I said before, the key has to be on a single line. It might be worth a double check on this.

I did that so many times :confused: with all kind of method (cp, ftp , manual copy/paste) the only think i didint try is to copy the key manualy :p

Is it possible that Openssh v3_5 and 3_9 are incompatibles ?

Just in case ....
[root@remote root]# cat /etc/passwd | grep admin
admin:x:502:502::/home/admin:/bin/bash


/// EDIT
Could you try to use public/private keys on my server if i create a test account ? With this we could know if the problem come from my server or local.
/// END EDIT


Thanks

Sorry, I should have caught this earlier.....I suppose its possible that you have some version incompatibility, but more to the point, you really should upgrade the 3.5 box. There were a lot of serious security bugs in OpenSSH not too long ago and I would defintely upgrade all my systems before doing anything else. I can tell you from my own logs that every single day somebody tries to crack my ssh server and I wouldn't want to be using anything other than the latest version. There are known ssh exploits out there and you need to upgrade.

Ok,
I have upgraded my remote but it still dosent work

[root@remote root]$ ssh -V
OpenSSH_4.2p1, OpenSSL 0.9.7a Feb 19 2003

Well, at least you now have a more secure system!

I'm about out of ideas, but I do have one more. The /home/admin/.ssh directory should have 755 permissions. The files in the directory can be 644, but I think the directory itself should be 755.

Hi,
I have read somwhere(lost source) that the private key must be 600 because if perms are something else the server could maybe reject the key.

Can you send me your public key by email or the forum so i could see if my problem come from my server or local ?


Thanks

Well on my system the ~/.ssh directory is 755 and the files in that directory are 644. If you really are using 600, that may very well be the problem since that restricts reading to the user only and the ssh daemon isn't going to be able to read the files. I'm using OpenSSH 3.9, so the idea that the permissions must be 600 isn't correct.

Click on the email link below to contact me and I'll send you a public key I know works.

I have found the problem !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

This look like it not documented anywhere but when i change my admin home directory permisions(on remote) (/home/admin) from 770 to 700 the keys start to work !!

It dosent work with 770 and 760 but it work with 750 and any other permision that only owner can write

Thanks for your help Hangdog,

Well, congratulations on figuring that one out. I've never heard of that sort of a restriction on the home directory, but I suppose it is possible. On my server the home directories are 755 (which must be the default because I don't think I've ever messed with them) so that does fit into what you've found.

Now that you've got it working, I would take some additional security steps and not allow root access via SSH. If you get into your /etc/ssh/sshd_config file there is a directive you can change to turn off root access. I'd also turn off username and password access, particularly with a login name as obvious as admin. Restricting access to those with keys is a good thing since the dictionary attacks that will happen to your ssh server do cover a LOT of common usernames. And you can descend further into paranoia by using the AllowUsers directive, which restricts access to only those users listed on the AllowUsers line. But in the case of SSH, paranoia is a good thing because they are out to get you.

To prevent(block) ssh attacks i use a little script that run and block users that failed many times(5) to login with password and block theirs ips on the port 22. I alaway have a few ips blocked evrydays.


The script :
http://www.pettingers.org/code/sshblack.html