LinuxQuestions.org

DISCUSSION: Public key authentication with ssh (https://www.linuxquestions.org/questions/linuxanswers-discussion-27/discussion-public-key-authentication-with-ssh-126202/)

riteshsarraf 09-29-2005 01:21 PM

Excellent step-by-step articles. Got it working in the first shot.
Thank You.

anomie 09-29-2005 01:29 PM

omlex, atomicx,

On the client side, what does
Code:

cat /etc/ssh/ssh_config | grep 'IdentityFile'
show you?

On the server side, what does
Code:

cat /etc/ssh/sshd_config | grep 'Authorized'
show you?

These entries must coincide with what you're trying to name the files as. (Note that you may have to adjust these commands based on the file paths/names for your distro.)

Nawar 11-11-2005 10:35 PM

One more step that I take in my work, is that I use multiple keys to get from one system to another.

If I want to do an interactive shell, I use a passphrase with the key.

If I want to automate a task, I generate a key-pair for that specific task.

On the <receiver> system, I modify the "authorized_keys" or "authorized_keys2" file to restrict a key to a specific command.

The format for this follows....

command="/path/to/script.sh" ssh-dss keystring

I then create a new line for each key and script that I want to run remotely.

From there, when I want to execute one of the commands, I use the following.

echo "parameter list" | ssh -i /path/to/identity/file remotesystem

This then connects to the remote system, executes the command determined by the authorized_keys file, and then said script reads its input from the "echo" command's output stream.

The script runs, then exits.

It's simple, effective, and very secure.
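As an added example (not part of Nawar's post), this builds the restricted authorized_keys line described above for a single-purpose key, and shows the shape of the script that key is forced into. The script path, key file and key material are constructed placeholders; the option names are sshd's own.

```shell
# Build one authorized_keys line that pins a key to a single program and strips
# the reach the task does not need (pty, port/agent/X11 forwarding).
make_forced_key_line() {
    script="$1"   # absolute path sshd will run instead of any client-requested command
    pubkey="$2"   # the task key's .pub file: "<type> <base64> [comment]"
    read -r keytype keydata comment < "$pubkey" || :
    printf 'command="%s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s %s%s\n' \
        "$script" "$keytype" "$keydata" "${comment:+ $comment}"
}

# Body of the forced script: parameters arrive on stdin ("echo 'daily full' | ssh -i key host"),
# so validate them before use. Whatever the client asked to run is never executed;
# sshd leaves it in SSH_ORIGINAL_COMMAND, which is worth logging.
task_script() {
    IFS= read -r params || params=""
    [ -n "$SSH_ORIGINAL_COMMAND" ] && printf 'client requested: %s\n' "$SSH_ORIGINAL_COMMAND" >&2
    # accept only letters, digits, "_", ".", "-" and spaces in the parameter list
    squashed=$(printf '%s' "$params" | tr ' ' '_')
    case "$squashed" in
        '' | *[![:alnum:]_.-]*) printf 'rejected parameters: %s\n' "$params" >&2; return 1 ;;
    esac
    printf 'running backup job with: %s\n' "$params"
}

# Constructed demo: a placeholder key (not a real key) and a placeholder script path.
TASK_PUB='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDNOTAREALKEY backup@client'
tmp=$(mktemp -d)
printf '%s\n' "$TASK_PUB" > "$tmp/backup_key.pub"
make_forced_key_line /usr/local/bin/nightly-backup.sh "$tmp/backup_key.pub"
printf 'daily full\n' | task_script
rm -rf "$tmp"
```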

sc24 05-22-2006 11:12 PM

Quote:

Originally Posted by omlex
Please help.

I'm having a problem with puttygen. Every time I tried to log in, my Linux box was still asking me for my password. Here's what I did:

1. Generated a public key from puttygen. I used ssh v2
2. Saved the private and public key in my Win2k desktop.
3. Copied the public key to my $HOME/.ssh/authorized_keys2 directory
4. Added the private key to puttygen for remote connection.

What else did I forget?

In my setup authorized_keys was a file.

Also after you've generated the key pair in puttygen make sure you copy and paste from the OpenSSH Text Area into the authorized_keys file instead of using the "Save Public Key" button.

That worked for me.

tidww01 09-05-2006 03:16 PM

I had a similar problem and it turned out to be a line in the sshd_config file. One that said UsePAM yes. Comment that out and restart the ssh daemon.

sysconfig 09-11-2006 02:38 PM

Another doc for the same
 
You could find the same guide at:

http://forums.linuxwebadmin.info/ind...opic,65.0.html

sysconfig 09-11-2006 02:39 PM

Same guide
 
Duplicate entry so edited:

Sukhwinder Singh 09-18-2006 02:33 AM

DSA key authentication
 
I have solved the problem. I just used:
client:
Use the command: /usr/bin/ssh-keygen -t dsa

Generating public/private rsa key pair.
Enter file in which to save the key (/home/user-id/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user-id/.ssh/id_dsa.
Your public key has been saved in /home/user-id/.ssh/id_dsa.pub.
The key fingerprint is:
XXXblablablaXXXaf:90:8f:dc:65:0d:XXXXXXXXXXXXXX user-id@node-name

Files generated:

$HOME/.ssh/id_dsa - binary
$HOME/.ssh/id_dsa.pub - ssh-dsa ...223564257432 email address - Multiple keys/lines allowed.


Server:
o FTP the file $HOME/.ssh/id_dsa.pub to the server
o cd $HOME/.ssh/
o cat id_dsa.pub >>authorized_keys

MikeAtVillage 05-30-2007 03:51 AM

Directory does not exist ? :-(
 
Hi,

I've successfully set this up on my main server to access all my sub-servers which are all running Slackware Linux.

But, I'm now trying to set up access to my mail server which is running Fedora Core 4 and I'm getting an error message when I try

cat ~/.ssh/id_dsa.pub | ssh user@server "cat - >> ~/.ssh/authorized_keys"

It tells me that the directory does not exist! I've looked on the FC4 server and indeed there is no root/.ssh/ directory.

What do I do?

TIA

Mike

MikeAtVillage 05-30-2007 03:58 AM

Please ignore
 
Silly me. I just created the .ssh directory under root and it all works now.

Harlin 07-09-2007 09:47 AM

One of the finest howto's I've ever seen for any software... if only every one of them were done in this fashion and perfect amount of detail (not too much and not too little). Kudos!

mohdshakir 09-03-2008 11:46 PM

I guess it's better to use ssh-copy-id to transfer the key to the server as described here

charlesdef 04-16-2010 04:19 AM

connection ssh publickey
 
Quote:

Originally Posted by gointomexico (Post 1206039)
I had to do this for a class project. I found this information extremely informative, and helpful, thanks!

I had the same problem trying to get mine to work. I did a chmod on the server: <chmod 600 authorized_keys>
and then it started working. no password required!

hope this helps.

P.S. This was a debian to debian connection following the steps outlined in the guide.

Thanks, I got the same problem with Fedora 11: it was 660, I changed it to 600 and it worked. In fact the file must only be writable by the owner; 644 works too.

HuMan-BiEnG 06-13-2010 06:33 AM

Quote:

Originally Posted by atomicx (Post 1706800)
I'm still not able to connect without a password.

Here is my debug notes when I run -vv

Code:

[trichard@testserv110 trichard]$ ssh -vv trichard@ftpserv111
OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090701f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug2: ssh_connect: needpriv 0
debug1: Connecting to ftpserv111 [192.168.0.111] port 22.
debug1: Connection established.
debug1: identity file /home/trichard/.ssh/identity type -1
debug1: identity file /home/trichard/.ssh/id_rsa type -1
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug2: key_type_from_name: unknown key type '-----END'
debug1: identity file /home/trichard/.ssh/id_dsa type 2
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.6.1p2
debug1: match: OpenSSH_3.6.1p2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.6.1p2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 127/256
debug2: bits set: 1623/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'ftpserv111' is known and matches the RSA host key.
debug1: Found key in /home/trichard/.ssh/known_hosts:1
debug2: bits set: 1592/3191
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /home/trichard/.ssh/identity
debug1: Trying private key: /home/trichard/.ssh/id_rsa
debug1: Offering public key: /home/trichard/.ssh/id_dsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
trichard@ftpserv111's password:

I have checked and "~/.ssh/authorized_keys" exists on the server and contains a line the same as "~/.ssh/id_dsa.pub"

Any one know how to solve this,

Thanks
Troy

,,,,,,,,,,,,,,,,

I think that you have to set the remote host's
ssh protocol to version 2

vi /etc/sshd/sshd_config
change protocol to 2 instead of 1

& retry connecting again,
hope this fixes the problem
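An added example (not from this thread) for reading a "ssh -vv" trace like the one quoted above: it picks out which identity files the client could not read, which key was offered, and whether the server accepted or declined it. The sample log lines are constructed from the trace above; the exit codes are this example's own convention.

```shell
# Reads ssh -vv output on stdin. Exit status: 0 = key accepted,
# 1 = key offered but rejected by the server, 2 = no key was offered.
diagnose_pubkey_auth() {
    awk '
    # "identity file X type -1": the client could not read that file
    /identity file .* type -1/ {
        sub(/.*identity file /, ""); sub(/ type.*/, "")
        missing = missing " " $0
    }
    # the client sent this key and now waits for the server verdict
    /Offering public key:/ {
        sub(/.*Offering public key: /, ""); offered = $1; pending = 1
    }
    /Server accepts key|Authentication succeeded \(publickey\)/ { accepted = 1; pending = 0 }
    # a fresh method list right after an offer means the server declined it
    /Authentications that can continue/ && pending {
        rejected = rejected " " offered; pending = 0
    }
    END {
        if (missing != "")
            print "not readable on the client (fine if unused):" missing
        if (accepted) { print "server accepted the key"; exit 0 }
        if (rejected != "") {
            print "server rejected:" rejected
            print "check authorized_keys contents and permissions on the server, and its auth log"
            exit 1
        }
        print "no public key was offered: check -i / IdentityFile on the client"
        exit 2
    }'
}

# Constructed sample, cut down from the -vv trace quoted above.
SAMPLE_LOG='debug1: identity file /home/trichard/.ssh/id_rsa type -1
debug1: identity file /home/trichard/.ssh/id_dsa type 2
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /home/trichard/.ssh/id_rsa
debug1: Offering public key: /home/trichard/.ssh/id_dsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: keyboard-interactive'

printf '%s\n' "$SAMPLE_LOG" | diagnose_pubkey_auth || echo "exit status $?"
```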

Yoyoda 08-10-2010 04:55 AM

SSH doesn't like it if your home directory has group write access, change to 750.
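As an added example (not from charlesdef's or Yoyoda's posts), this reproduces the ownership and write-bit checks sshd applies under StrictModes (its default) before it will trust authorized_keys, which is why a 660 file or a group-writable home directory quietly falls back to a password prompt. It assumes GNU stat (Linux) and takes the home directory to inspect as its argument.

```shell
# Report every reason sshd would ignore ~/.ssh/authorized_keys. Returns 0 only if
# all three paths exist, are owned by the user (or root), and have no
# group/other write bit set.
check_ssh_perms() {
    home="$1"
    owner=$(stat -c '%U' "$home")
    status=0
    for path in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$path" ]; then
            echo "missing: $path"; status=1; continue
        fi
        mode=$(stat -c '%a' "$path")
        # 022 = group-write | other-write; either bit set is enough for sshd to refuse
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "group/world writable (mode $mode): $path"; status=1
        fi
        o=$(stat -c '%U' "$path")
        if [ "$o" != "$owner" ] && [ "$o" != root ]; then
            echo "owned by $o, not $owner: $path"; status=1
        fi
    done
    return $status
}

# Apply the modes the thread settled on: 750 home, 700 .ssh, 600 authorized_keys
# (644 also passes, since only the write bits matter).
fix_ssh_perms() {
    home="$1"
    chmod 750 "$home" && chmod 700 "$home/.ssh" && chmod 600 "$home/.ssh/authorized_keys"
}

# Constructed demo in a scratch directory standing in for a home directory.
demo=$(mktemp -d)
mkdir "$demo/.ssh"
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDNOTAREALKEY test@host\n' > "$demo/.ssh/authorized_keys"
chmod 770 "$demo"; chmod 660 "$demo/.ssh/authorized_keys"
check_ssh_perms "$demo" || { fix_ssh_perms "$demo"; check_ssh_perms "$demo" && echo "fixed"; }
rm -rf "$demo"
```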
