CVS & SSH & Public/private keys
Hello,
I am trying to get my public/private key auth working, but it only works for user root (local and remote).
Trying to connect to remote user 'admin' from local user 'admin':
$ ssh domain.com
Code:
OpenSSH_3.9p1, OpenSSL 0.9.7a Feb 19 2003
I have read many howtos but I can't get it to work.
My local system is FC3:
$ ssh -V
OpenSSH_3.9p1, OpenSSL 0.9.7a Feb 19 2003
and my remote is RH8:
$ ssh -V
OpenSSH_3.5p1, SSH protocols 1.5/2.0, OpenSSL 0x0090701f
EDIT
On 05-09-08 I upgraded openssh on my remote to version
[root@remote root]$ ssh -V
OpenSSH_4.2p1, OpenSSL 0.9.7a Feb 19 2003
END EDIT
Thanks for any input,
Or does anyone know how to connect to a remote CVS server (ext) without a password?
Thanks
For the SSH bit, the best how-to I've read is here.
From your post, it looks like at least one of the keys in the authorized_keys files has extra text that is goofing things up:
Quote:
ssh-dss FIRSTKEY ssh-dss SECONDKEY
As for the CVS server, there are likely to be instructions on the site as to how to log in anonymously.
Hello,
I have done this howto many times but without any results.
(local user) admin
(remote user) admin
Code:
debug1: Next authentication method: publickey
And when I do the same howto with the 'root' user everything works fine.
Code:
debug1: Next authentication method: publickey
EDIT: For info, here is the file ownership for the admin and root users.
::: LOCAL :::
/home/admin/
drwxr-xr-x 2 admin admin 4096 Sep 3 12:14 .ssh
/home/admin/.ssh/
-rw------- 1 admin admin 668 Sep 3 12:13 id_dsa
-rw-r--r-- 1 admin admin 618 Sep 3 12:13 id_dsa.pub
-rw-r--r-- 1 admin admin 464 Sep 3 12:21 known_hosts
/root/
drwxr-xr-x 2 root root 4096 Jul 21 21:19 .ssh
/root/.ssh/
-rw------- 1 root root 668 Jul 21 00:33 id_dsa
-rw-r--r-- 1 root root 617 Jul 21 00:33 id_dsa.pub
-rw-r--r-- 1 root root 470 Jul 21 00:33 known_hosts
::: REMOTE :::
/home/admin/
drwx------ 2 admin admin 4096 Sep 3 12:15 .ssh
/home/admin/.ssh
-rwx------ 1 admin admin 618 Sep 3 12:14 authorized_keys
-rw-r--r-- 1 admin admin 242 Sep 3 12:15 known_hosts
/root
drwx------ 2 root root 4096 Sep 1 13:46 .ssh
/root/.ssh/
-rwx------ 1 root root 618 Jul 21 21:18 authorized_keys
-rw-r--r-- 1 root root 242 Jul 21 00:31 known_hosts
Note that root's authorized_keys file has one byte more than id_dsa.pub.
END EDIT
Thanks in advance,
Well, the config file should be in /etc/ssh and is called sshd_config. You should look and see if there is an AllowUsers directive (which may prevent admin from logging on). You also should have a look at the system logs. SSH usually leaves a lot in /var/logs/messages and it may give us a clue. By any chance can admin log in with a username and password instead of a key? If you can, that suggests a key problem, not an ssh config problem. Of course there is also regenerating a key pair for admin and seeing if something strange happened when the public key was installed on the remote system.
Hello,
Yes, admin can log in with a password.
/var/log/messages
Sep 7 08:51:23 domain sshd(pam_unix)[19248]: session opened for user root by (uid=0)
Sep 7 08:52:00 domain sshd(pam_unix)[19309]: session opened for user admin by (uid=502)
Note: root logs in using a key pair and admin logs in with a password.
I looked in /etc/ssh/sshd_config and I don't have an AllowUsers directive.
I generated the keys for admin many times and nothing ever went wrong.
Thanks
Is it possible that OpenSSH v3_5 and 3_9 are incompatible?
Just in case...
[root@remote root]# cat /etc/passwd | grep admin
admin:x:502:502::/home/admin:/bin/bash
/// EDIT
Could you try to use public/private keys on my server if I create a test account? With this we could know whether the problem comes from my server or from my local machine.
/// END EDIT
Thanks
Ok,
I have upgraded my remote but it still doesn't work.
[root@remote root]$ ssh -V
OpenSSH_4.2p1, OpenSSL 0.9.7a Feb 19 2003
Well, at least you now have a more secure system!
I'm about out of ideas, but I do have one more. The /home/admin/.ssh directory should have 755 permissions. The files in the directory can be 644, but I think the directory itself should be 755.
Hi,
I have read somewhere (lost source) that the private key must be 600, because if the perms are something else the server could maybe reject the key. Can you send me your public key by email or the forum so I could see if my problem comes from my server or local?
Thanks
Well on my system the ~/.ssh directory is 755 and the files in that directory are 644. If you really are using 600, that may very well be the problem since that restricts reading to the user only and the ssh daemon isn't going to be able to read the files. I'm using OpenSSH 3.9, so the idea that the permissions must be 600 isn't correct.
Click on the email link below to contact me and I'll send you a public key I know works.
I have found the problem !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
This looks like it is not documented anywhere, but when I change my admin home directory permissions (on remote) (/home/admin) from 770 to 700 the keys start to work!! It doesn't work with 770 and 760, but it works with 750 and any other permission where only the owner can write.
Thanks for your help Hangdog,
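Added example, not part of the thread: the behaviour found above matches sshd's StrictModes option (on by default), which refuses key authentication when the home directory, ~/.ssh or authorized_keys is writable by group or others. The sketch below checks only those write bits; the function names `loose_path` and `check_strictmodes` and the throwaway demo directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): flags the group/other write bits that
# sshd's StrictModes check refuses on the home directory, ~/.ssh and
# authorized_keys. Ownership checks are left out to keep the sketch short.

# Print the path if group or others may write to it (mode & 022 != 0).
loose_path() {
    find "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null
}

# check_strictmodes HOME [AUTHORIZED_KEYS_FILE]  (hypothetical helper name)
# Returns 0 when every path passes, 1 when any path would be refused.
check_strictmodes() {
    home_dir=$1
    key_file=${2:-$home_dir/.ssh/authorized_keys}
    rc=0
    for p in "$home_dir" "$(dirname "$key_file")" "$key_file"; do
        if [ ! -e "$p" ]; then
            echo "MISSING $p"; rc=1
        elif [ -n "$(loose_path "$p")" ]; then
            echo "BAD     $p is group/other writable"; rc=1
        else
            echo "ok      $p"
        fi
    done
    return "$rc"
}

# Constructed demo: a throwaway home directory, first 770 as in the thread,
# then 750.
demo=$(mktemp -d)
mkdir "$demo/.ssh"
: > "$demo/.ssh/authorized_keys"
chmod 700 "$demo/.ssh"
chmod 600 "$demo/.ssh/authorized_keys"
chmod 770 "$demo"
check_strictmodes "$demo" || echo "=> 770: fails the check"
chmod 750 "$demo"
check_strictmodes "$demo" && echo "=> 750: passes the check"
rm -rf "$demo"
```

On the server side sshd records this refusal in its own log as "Authentication refused: bad ownership or modes for directory ...", while the client's debug output only shows the publickey method being tried.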
Well, congratulations on figuring that one out. I've never heard of that sort of a restriction on the home directory, but I suppose it is possible. On my server the home directories are 755 (which must be the default because I don't think I've ever messed with them) so that does fit into what you've found.
Now that you've got it working, I would take some additional security steps and not allow root access via SSH. If you get into your /etc/ssh/sshd_config file there is a directive you can change to turn off root access. I'd also turn off username and password access, particularly with a login name as obvious as admin. Restricting access to those with keys is a good thing since the dictionary attacks that will happen to your ssh server do cover a LOT of common usernames. And you can descend further into paranoia by using the AllowUsers directive, which restricts access to only those users listed on the AllowUsers line. But in the case of SSH, paranoia is a good thing because they are out to get you.
To prevent (block) ssh attacks I use a little script that runs and blocks users that failed many times (5) to log in with a password, and blocks their IPs on port 22. I always have a few IPs blocked every day.
The script: http://www.pettingers.org/code/sshblack.html