
Thread: another SSH/public key problem

  1. #1

    Default another SSH/public key problem

    Greetings

    I have SSH configured and working on an OpenSuse 11.1 system - now I'm trying to set up public key authentication. I've followed the instructions in http://en.opensuse.org/Public_Key_Authentication, but I must've hosed up something, b/c I'm still being prompted for a password.

    Below is my sshd_config from the server:

    # obsoletes QuietMode and FascistLogging
    #SyslogFacility AUTH
    #LogLevel INFO

    # Authentication:

    #LoginGraceTime 2m
    #PermitRootLogin yes
    #StrictModes yes
    #MaxAuthTries 6
    #MaxSessions 10

    #RSAAuthentication yes
    PubkeyAuthentication yes
    AuthorizedKeysFile ~/.ssh/authorized_keys

    # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
    #RhostsRSAAuthentication no
    # similar for protocol version 2
    #HostbasedAuthentication no
    # Change to yes if you don't trust ~/.ssh/known_hosts for
    # RhostsRSAAuthentication and HostbasedAuthentication
    #IgnoreUserKnownHosts no
    # Don't read the user's ~/.rhosts and ~/.shosts files
    #IgnoreRhosts yes

    # To disable tunneled clear text passwords, change to no here!
    PasswordAuthentication no
    #PermitEmptyPasswords no

    This is the ssh_config file from the client:

    # 1. command line options
    # 2. user-specific file
    # 3. system-wide file
    # Any configuration value is only changed the first time it is set.
    # Thus, host-specific definitions should be at the beginning of the
    # configuration file, and defaults at the end.

    # Site-wide defaults for various options

    # Host *
    # ForwardAgent no
    # ForwardX11 no
    # RhostsAuthentication no
    # RhostsRSAAuthentication yes
    # RSAAuthentication yes
    # PasswordAuthentication yes
    # FallBackToRsh no
    # UseRsh no
    # BatchMode no
    # CheckHostIP yes
    # StrictHostKeyChecking yes
    # IdentityFile ~/.ssh/identity
    # IdentityFile ~/.ssh/id_dsa
    IdentityFile ~/.ssh/id_rsa
    # Port 22
    Protocol 2
    # Protocol 2,1
    # Cipher blowfish
    # EscapeChar ~

    Can anybody look at this and tell me what must be obvious that I'm not seeing?

  2. #2
    Join Date: Jun 2008 | Location: Frisco, TX | Posts: 1,235


    dsteven1 wrote:
    > Greetings
    >
    > I have SSH configured and working on an OpenSuse 11.1 system - now I'm
    > trying to set up public key authentication. I've followed the
    > instructions in
    > http://en.opensuse.org/Public_Key_Authentication, but I
    > must've hosed up something, b/c I'm still being prompted for a
    > password.
    >

    Is it possible that your private key has a passphrase? In order
    to do passwordless logins, the idea is to allow your private key
    to answer the public key challenge, but that requires you to have
    allowed use of your key, which, if you assigned a passphrase to it,
    you'll be prompted for it. Nothing goes across the wire, the
    passphrase is just used to allow use of your private key to
    answer the challenge.

    Another way to avoid having to constantly type in your
    passphrase is to use something that loads them up at one time.. e.g.
    ssh-agent. If you're on a Windows box using PuTTY, you'd use
    pageant (PuTTY agent).

    Just a guess...
    Chris

  3. #3


    Chris

    Thanks for the reply.

    There is no passphrase on the key.

    I'll have to look into ssh-agent.

    Dan

  4. #4
    Join Date: Aug 2008 | Location: Temporarily, planet Earth | Posts: 104


    SSHD is picky about file protections on the authorized_keys file. It or the containing directories cannot be group writable.

  5. #5
    Vahis NNTP User


    dsteven1 wrote:
    > Greetings
    >
    > I have SSH configured and working on an OpenSuse 11.1 system - now I'm
    > trying to set up public key authentication. I've followed the
    > instructions in
    > http://en.opensuse.org/Public_Key_Authentication, but I
    > must've hosed up something, b/c I'm still being prompted for a
    > password.


    This is my normal way to do it:
    First have sshd running on the remote machine so that the normal log in
    is possible. Then locally:

    ssh-keygen -t rsa -b 2048 -f ~/.ssh/id_rsa

    And then:

    cat ~/.ssh/id_rsa.pub | ssh <user>@<remote machine> 'cat - >> ~/.ssh/authorized_keys'

    >
    > Can anybody look at this and tell me what must be obvious that I'm not
    > seeing?
    >
    >


    The above has always worked, so I wouldn't know...

    Vahis
    --
    "Sunrise 7:54am (EEST), sunset 6:18pm (EEST) at Espoo, Finland (10:23
    hours daylight)"
    http://waxborg.servepics.com
    Linux 2.6.25.20-0.5-default #1 SMP 2009-08-14 01:48:11 +0200 x86_64
    6:13am up 20 days 12:53, 13 users, load average: 0.00, 0.04, 0.03

  6. #6



    Even better... use ssh-copy-id which specifically makes sure to not
    overwrite the destination file and also makes sure that permissions are
    set correctly throughout.

    For troubleshooting use 'ssh -v' or '-vv' or '-vvv' and post the output here.

    Good luck.





    Vahis wrote:
    > dsteven1 wrote:
    >> Greetings
    >>
    >> I have SSH configured and working on an OpenSuse 11.1 system - now I'm
    >> trying to set up public key authentication. I've followed the
    >> instructions in
    >> http://en.opensuse.org/Public_Key_Authentication, but I
    >> must've hosed up something, b/c I'm still being prompted for a
    >> password.

    >
    > This is my normal way to do it:
    > First have sshd running on the remote machine so that the normal log in
    > is possible. Then locally:
    >
    > ssh-keygen -t rsa -b 2048 -f ~/.ssh/id_rsa
    >
    > And then:
    >
    > cat ~/.ssh/id_rsa.pub | ssh <user>@<remote machine> 'cat - >> ~/.ssh/authorized_keys'
    >
    >> Can anybody look at this and tell me what must be obvious that I'm not
    >> seeing?
    >>
    >>

    >
    > The above has always worked, so I wouldn't know...
    >
    > Vahis


  7. #7
    Vahis NNTP User


    Vahis wrote:
    > dsteven1 wrote:
    >> Greetings
    >>
    >> I have SSH configured and working on an OpenSuse 11.1 system - now I'm
    >> trying to set up public key authentication. I've followed the
    >> instructions in
    >> http://en.opensuse.org/Public_Key_Authentication, but I
    >> must've hosed up something, b/c I'm still being prompted for a
    >> password.

    >
    > This is my normal way to do it:
    > First have sshd running on the remote machine so that the normal log in
    > is possible. Then locally:
    >
    > ssh-keygen -t rsa -b 2048 -f ~/.ssh/id_rsa


    I forgot to mention:
    As the key is generated a passphrase will be prompted, twice, I think.
    Leave that empty (=just Enter) if you want passwordless authentication
    with the key.
    >
    > And then:
    >
    > cat ~/.ssh/id_rsa.pub | ssh <user>@<remote machine> 'cat - >> ~/.ssh/authorized_keys'


    This will append the key to the end of the file '~/.ssh/authorized_keys'
    on the remote machine.

    >> Can anybody look at this and tell me what must be obvious that I'm not
    >> seeing?
    >>
    >>

    >
    > The above has always worked, so I wouldn't know...
    >

    Vahis
    --
    "Sunrise 7:54am (EEST), sunset 6:18pm (EEST) at Espoo, Finland (10:23
    hours daylight)"
    http://waxborg.servepics.com
    Linux 2.6.25.20-0.5-default #1 SMP 2009-08-14 01:48:11 +0200 x86_64
    11:15am up 20 days 17:55, 13 users, load average: 0.06, 0.08, 0.04

  8. #8


    Botkeeper
    what SHOULD the permissions be for the directory/files? I believe my ~/.ssh folder permissions are 700; the files, I'll have to check again when I get in front of the system. I would think they should be pretty restrictive (maybe 400?)

    ab@novell.com
    where does ssh-copy-id run - on the client box or the server?

    Vahis
    I initially tried the "cat ~/.ssh..." command, but I think I might have already hosed up the file/folder permissions on the server; that said, I was able to use that command successfully when setting up public/private keys between two openSuse systems; this time, I'm going between a Windows 2003 Server box running Cygwin to an openSuse 11.1 system (as if that should make any difference).

  9. #9



    700 and 400 are probably fine. Be sure nobody other than your user can
    get into the directory OR read the file (if the directory could be accessed).

    ssh-copy-id is run from the client to put the public key on the server.

    Good luck.





    dsteven1 wrote:
    > Botkeeper
    > what SHOULD the permissions be for the directory/files? I believe my
    > ~/.ssh folder permissions are 700; the files, I'll have to check again
    > when I get in front of the system. I would think they should be pretty
    > restrictive (maybe 400?)
    >
    > ab@novell.com
    > where does ssh-copy-id run - on the client box or the server?
    >
    > Vahis
    > I initially tried the "cat ~/.ssh..." command, but I think I might have
    > already hosed up the file/folder permissions on the server; that said, I
    > was able to use that command successfully when setting up public/private
    > keys between two openSuse systems; this time, I'm going between a
    > Windows 2003 Server box running Cygwin to an openSuse 11.1 system (as if
    > that should make any difference).
    >
    >


  10. #10


    I've verified the permissions on the directory and the files, still no luck. The stripped-down version of CYGWIN that I'm trying to use doesn't have a ssh-copy-id command in it, so I think I'm going to load up a couple of VMs and keep experimenting.

    Is it possible to unload/reload SSH on my existing openSuse PC, just so I can get things back to a pristine condition? (I know, shame on me for not having a backup in the first place).
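
The permission requirements raised in posts #4 and #9 can be checked mechanically on the server. The script below is an added example, not part of any post in this thread: it applies the same rule sshd's StrictModes applies (home directory, ~/.ssh and authorized_keys must be owned by the user or root and must not be group- or world-writable), and it also flags an AuthorizedKeysFile value that begins with "~", which sshd does not expand (it takes an absolute path, %h/%u tokens, or a path relative to the home directory). The function names and the audit.sh file name are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): the ownership and write-permission
# checks sshd applies with StrictModes before it trusts authorized_keys.

# check_path PATH UID: print one line per problem found on PATH.
check_path() {
    target=$1; want_uid=$2
    if [ ! -e "$target" ]; then echo "missing: $target"; return 0; fi
    set -- $(ls -ldn "$target")     # $1 = mode string, $3 = numeric owner
    mode=$1; owner=$3
    case "$mode" in ?????w*)    echo "group-writable: $target ($mode)";; esac
    case "$mode" in ????????w*) echo "world-writable: $target ($mode)";; esac
    # sshd accepts files owned by the login user or by root
    if [ "$owner" != "$want_uid" ] && [ "$owner" != 0 ]; then
        echo "wrong owner (uid $owner): $target"
    fi
}

# audit_ssh_perms HOME [UID]: check the home directory, ~/.ssh and the key file.
audit_ssh_perms() {
    home=$1; uid=${2:-$(id -u)}
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        check_path "$p" "$uid"
    done
}

# check_keys_setting SSHD_CONFIG: flag an AuthorizedKeysFile value starting with "~".
check_keys_setting() {
    awk 'tolower($1) == "authorizedkeysfile" && $2 ~ /^~/ {
             print "tilde not expanded by sshd: " $2 }' "$1"
}

# Run on the server as the login user: sh audit.sh "$HOME" [/etc/ssh/sshd_config]
if [ $# -gt 0 ]; then
    audit_ssh_perms "$1"
    if [ $# -gt 1 ]; then check_keys_setting "$2"; fi
fi
```

No output means all three paths pass; any line printed names a path or setting that will make sshd skip the key file and fall through to the next authentication method.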
