Linux - Software
I have a problem with my OpenSSH server: I want the authentication to be made using a public key file and a password.
When I generated keys using ssh-keygen and added a passphrase, the server couldn't read the keys.
I got the error: "Could not open host key" or such.
I have now generated keys without a passphrase and the server starts properly; I can also connect using the public key file and user name + password. Although it doesn't matter if I connect using the public key or not: not specifying the public key still allows me access using username and password, and I want it to require both. Also I would like to get it working with a passphrase on my keys.
Any ideas?
Running Ubuntu Server 6.10 "Edgy Eft", thanks in advance!
Quote:
the server couldn't read the keys.
I got the error: "Could not open host key" or such.
Maybe we could revisit that. Can you recreate the problem and post the exact message?
Quote:
Although it doesn't matter if I connect using the public key or not, not specifying the public key still allows me access using username and password, I want it to require both.
I don't think it is possible to require both (well, maybe it is using some custom PAM configuration, but I don't know how). You're referring to two different types of authentication: 1. If you enable password authentication or challenge-response authentication, users will be able to authenticate using their username and password on the *nix system; 2. If you enable pubkey authentication, users will be able to authenticate using the generated keys.
If you only want pubkey authentication (+ a passphrase), then you will want to disable both authentication forms in point #1. Make sense?
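The reply above separates the two login paths by sshd_config directive. As an added example (not from the thread and not OpenSSH's own code), the POSIX shell script below reads an sshd_config text and reports whether a bare username and password is still enough to log in, applying the two rules from sshd_config(5) that usually trip people up: the first non-comment occurrence of a keyword wins, and PasswordAuthentication, ChallengeResponseAuthentication and PubkeyAuthentication all default to yes when absent, so a commented-out "#PasswordAuthentication no" changes nothing. It also understands AuthenticationMethods, the directive OpenSSH 6.2 and later use to require a key and a password in the same session, which is what the original poster asked for; that keyword did not exist in the OpenSSH shipped with Ubuntu 6.10, where sshd would refuse to start on it. The three configuration texts are constructed for the example, and Match blocks are not modelled.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSH. Given the text of an
# sshd_config, work out which login paths sshd will accept, following
# sshd_config(5): the FIRST non-comment occurrence of a keyword wins, and
# PasswordAuthentication, ChallengeResponseAuthentication and
# PubkeyAuthentication all default to "yes" when the keyword is absent.
# Caveat: Match blocks are not modelled; a directive inside one is read as global.

# effective_value CONFIG_TEXT KEYWORD DEFAULT
# Print the lower-cased value of KEYWORD's first effective occurrence, or DEFAULT.
effective_value() {
    _want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    _found=$(printf '%s\n' "$1" | while read -r _k _v; do
        case "$_k" in ''|'#'*) continue ;; esac            # blank or comment line
        if [ "$(printf '%s' "$_k" | tr 'A-Z' 'a-z')" = "$_want" ]; then
            printf '%s' "$_v" | tr 'A-Z' 'a-z'
            break
        fi
    done)
    if [ -n "$_found" ]; then printf '%s\n' "$_found"; else printf '%s\n' "$3"; fi
}

# password_alone_sufficient CONFIG_TEXT
# Return 0 when a client that knows only username+password can log in.
# AuthenticationMethods (OpenSSH 6.2 and later) is honoured: when it is set the
# client must complete one of the listed chains in full, so a chain of
# "publickey,password" rejects a bare password. Older sshd (Ubuntu 6.10 ships
# 4.3) does not know the keyword and will not start with it present.
password_alone_sufficient() {
    _pw=$(effective_value "$1" PasswordAuthentication yes)
    _cr=$(effective_value "$1" ChallengeResponseAuthentication yes)
    [ "$_pw" = yes ] || [ "$_cr" = yes ] || return 1
    _chains=$(effective_value "$1" AuthenticationMethods "")
    if [ -z "$_chains" ]; then return 0; fi                # no chains: password alone works
    for _chain in $_chains; do
        case "$_chain" in password|keyboard-interactive) return 0 ;; esac
    done
    return 1
}

# pubkey_login_possible CONFIG_TEXT : return 0 when public-key login is enabled.
pubkey_login_possible() {
    [ "$(effective_value "$1" PubkeyAuthentication yes)" = yes ]
}

# Constructed sample: the original poster's situation. The commented-out line
# does nothing, so the default (password accepted) applies.
WEAK_CONFIG='
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
PubkeyAuthentication yes
#PasswordAuthentication no
'

# Constructed sample: key-only login, the fix the reply suggests.
KEY_ONLY_CONFIG='
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
'

# Constructed sample: key AND password in one session, OpenSSH 6.2 or later only.
KEY_AND_PASSWORD_CONFIG='
PubkeyAuthentication yes
PasswordAuthentication yes
AuthenticationMethods publickey,password
'

verdict() { if password_alone_sufficient "$1"; then echo accepted; else echo rejected; fi; }
echo "weak:             password alone $(verdict "$WEAK_CONFIG")"
echo "key only:         password alone $(verdict "$KEY_ONLY_CONFIG")"
echo "key and password: password alone $(verdict "$KEY_AND_PASSWORD_CONFIG")"
```

To run it against a live file, pass `"$(cat /etc/ssh/sshd_config)"` to `password_alone_sufficient`. On any server newer than the one in this thread, `sshd -T` prints the fully resolved configuration (defaults and Match blocks applied) and is the more reliable thing to inspect.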
ssh-keygen -t dsa -b 1024
Location: /etc/ssh/ssh_host_dsa_key
Enter passphrase:
ssh-keygen -t rsa -b 2048
Location: /etc/ssh/ssh_host_rsa_key
Enter passphrase:
I feel completely confused regarding what's private and public. I read that the first file it creates, the ssh_host_dsa_key, contains both the public and private key, and shouldn't be protected by a passphrase, but with file permissions 0700.
But I guess the ssh_host_dsa_key.pub file is the public key which should be distributed to users?
Thing is, if I try to change the password using ssh-keygen, it wants a private key, and even if I specify the .pub file, it whines that it hasn't strict enough permissions. Also AFAIK the public key can without worry be world readable since it's supposed to be protected by a passphrase?
I guess the error stated in my first post comes due to the host key being protected by a passphrase when creating a pair of keys like stated above in this post? (if I enter a key and not just press enter for an empty one?)
Most common distros create the host keys if they don't exist. You could try deleting them and restart your daemon. Otherwise you could use the keys that you generated.
Drop all four of those files in /etc/ssh on your server. The private keys should be 600, and the pub keys should be 644. Make sure that the file names match what is in your sshd_config file. Restart your sshd daemon.
On your client, run the ssh-keygen to create an RSA key. Copy the pub key to ~/.ssh/authorized_keys on your server. Test your ssh connection.
So basically, I create all host keys without a passphrase, and then I create the authentication keys with a passphrase, copy those to the authorized_keys file and use them on the client to authenticate?
But what use do the host keys, private and public, have then?
The host keys are necessary for the clients to identify the server.
For users to authenticate using public/private keys, you need to generate a different set of keys for each user. ssh-keygen creates both a private and a public key. It asks you for the name of the private key, and automatically creates a public key with the same name and .pub appended to it.
The user's private key is their authentication token, which they use in place of a password. The user supplies their passphrase to "unlock" the private key so that they can send it as authentication. In this way the actual passphrase isn't sent over the wire, only the private key is. In order for the private key to be accepted for authentication, the public portion needs to be in the user's ~/.ssh/authorized_keys file on the machine that they're logging in to. Each user has their own authorized_keys file that tells the ssh daemon (server) running on that machine which private keys should be allowed to login as that user. Ideally a user should generate a different private key for each machine they will be logging in from. That allows them to revoke only that public key out of authorized_keys if a machine or private key is compromised.
Assume you have a machine, "host1", that you want to be able to ssh from to login to another machine, "host2". Here are the steps to enable public/private key authentication.
If you want to connect to host2 from host3, host4, etc, then repeat the steps above, only substituting host[34] in place of host1. Also, you don't have to create the .ssh directory and change the permissions on host2 for each public key after the original.
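The two replies above cover the server side of both key sets: the host keys that sshd must load unattended at start-up (so they cannot carry a passphrase, which is what the "Could not open host key" error was pointing at, and which the reply wants at 600 with their .pub siblings at 644), and the per-user ~/.ssh/authorized_keys file. Note that in public-key authentication the client never sends the private key, only a signature made with it; the passphrase just decrypts the key on the client. As an added example (not from the thread and not OpenSSH's own code), here is a POSIX shell script that checks a host key file the way sshd needs it and installs a public-key line into a home directory with the 0700/0600 modes that sshd's StrictModes (on by default) requires, refusing a private key pasted by mistake. The scratch directory, file names and key blobs are constructed for the demo; on a real client, ssh-copy-id does the authorized_keys half of this for you.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSH. Two server-side checks:
#  1. host_key_usable FILE        - sshd must load the host key without a prompt:
#     the file exists, is not passphrase-protected, has no group/other bits
#     (the 600 the reply asks for) and has its FILE.pub sibling next to it.
#  2. install_authorized_key HOME LINE - put a user's *public* key line into
#     HOME/.ssh/authorized_keys with dir 0700 and file 0600 (StrictModes rejects
#     group/world-writable ones), appending once and refusing private keys.
# Needs only POSIX sh, stat, grep and mktemp; no ssh binaries are run.

# mode_of PATH : permission bits as octal text, e.g. 700 (GNU stat, then BSD stat).
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# no_group_other_bits PATH : true when group and other have no permissions at all.
no_group_other_bits() { [ $(( 0$(mode_of "$1") & 077 )) -eq 0 ]; }

# host_key_usable FILE : the reason for a failure goes to stderr.
host_key_usable() {
    _f=$1
    [ -f "$_f" ] || { echo "$_f: missing" >&2; return 1; }
    # Passphrase-protected PEM keys carry this header and sshd cannot prompt for
    # it. (Newer openssh-key-v1 files hide the cipher inside base64; check those
    # with: ssh-keygen -y -P '' -f FILE)
    if grep -q '^Proc-Type: 4,ENCRYPTED' "$_f"; then
        echo "$_f: passphrase-protected, sshd cannot load it" >&2; return 1
    fi
    no_group_other_bits "$_f" || { echo "$_f: mode $(mode_of "$_f"), want 600" >&2; return 1; }
    [ -f "$_f.pub" ] || { echo "$_f.pub: missing" >&2; return 1; }
    return 0
}

# is_public_key_line LINE : "<type> <base64 blob> [comment]", never a private key.
is_public_key_line() {
    case "$1" in *"PRIVATE KEY"*) return 1 ;; esac
    set -- $1
    [ $# -ge 2 ] || return 1
    case "$1" in
        ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;
    esac
    case "$2" in *[!A-Za-z0-9+/=]*) return 1 ;; esac      # blob must be base64
}

# install_authorized_key HOME_DIR LINE
install_authorized_key() {
    _home=$1; _line=$2
    is_public_key_line "$_line" || { echo "refusing: not a public key line" >&2; return 1; }
    _dir="$_home/.ssh"; _ak="$_dir/authorized_keys"
    mkdir -p "$_dir" && chmod 0700 "$_dir" || return 1
    [ -f "$_ak" ] || : > "$_ak"
    chmod 0600 "$_ak" || return 1
    set -- $_line
    # Match on type + blob so the same key with a different comment is not added twice.
    grep -q -F -- "$1 $2" "$_ak" || printf '%s\n' "$_line" >> "$_ak"
}

# Demo on a scratch directory; the key material below is constructed, not real.
DEMO=$(mktemp -d)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: DES-EDE3-CBC,0123456789ABCDEF' 'notarealkey' \
    '-----END RSA PRIVATE KEY-----' > "$DEMO/ssh_host_rsa_key"
chmod 0600 "$DEMO/ssh_host_rsa_key"
: > "$DEMO/ssh_host_rsa_key.pub"; chmod 0644 "$DEMO/ssh_host_rsa_key.pub"
host_key_usable "$DEMO/ssh_host_rsa_key" || echo "host key rejected, as expected for a passphrase-protected key"
install_authorized_key "$DEMO" 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7constructedblob0123456789== alice@host1'
install_authorized_key "$DEMO" 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7constructedblob0123456789== alice@host1'
echo "$(grep -c '' "$DEMO/.ssh/authorized_keys") key(s) installed; modes $(mode_of "$DEMO/.ssh") / $(mode_of "$DEMO/.ssh/authorized_keys")"
rm -rf "$DEMO"
```

Run `host_key_usable` over every HostKey path named in sshd_config after regenerating keys, and `install_authorized_key` once per client key for each user; re-running either is harmless.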