Thread: ssh public key authentication

  1. #1

    ssh public key authentication

    Hi, I have a problem with the ssh public key...
    1- create a public key without passphrase (ssh-keygen)
    2- copy the id_rsa.pub file to the directory .ssh on my home dir in the
    server
    3- cat id_rsa.pub >> authorized_keys

    but when I ssh to the server it still asks for the password
    If I do
    [user@client]:~/.ssh$ ssh -o PreferredAuthentications=publickey server
    Permission denied (publickey,keyboard-interactive).

    The server /etc/ssh/sshd_config file is:

    # $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

    # This is the sshd server system-wide configuration file. See
    # sshd_config(5) for more information.

    # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

    # The strategy used for options in the default sshd_config shipped with
    # OpenSSH is to specify options with their default value where
    # possible, but leave them commented. Uncommented options change a
    # default value.

    #Port 22
    #AddressFamily any
    #ListenAddress 0.0.0.0
    #ListenAddress ::

    # Disable legacy (protocol version 1) support in the server for new
    # installations. In future the default will change to require explicit
    # activation of protocol 1
    Protocol 2

    # HostKey for protocol version 1
    #HostKey /etc/ssh/ssh_host_key
    # HostKeys for protocol version 2
    #HostKey /etc/ssh/ssh_host_rsa_key
    #HostKey /etc/ssh/ssh_host_dsa_key

    # Lifetime and size of ephemeral version 1 server key
    #KeyRegenerationInterval 1h
    #ServerKeyBits 1024

    # Logging
    # obsoletes QuietMode and FascistLogging
    #SyslogFacility AUTH
    #LogLevel INFO

    # Authentication:

    #LoginGraceTime 2m
    PermitRootLogin no
    #StrictModes yes
    MaxAuthTries 3
    #MaxSessions 10

    #RSAAuthentication yes
    PubkeyAuthentication yes
    AuthorizedKeysFile .ssh/authorized_keys

    # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
    #RhostsRSAAuthentication no
    # similar for protocol version 2
    #HostbasedAuthentication no
    # Change to yes if you don't trust ~/.ssh/known_hosts for
    # RhostsRSAAuthentication and HostbasedAuthentication
    #IgnoreUserKnownHosts no
    # Don't read the user's ~/.rhosts and ~/.shosts files
    #IgnoreRhosts yes

    # To disable tunneled clear text passwords, change to no here!
    PasswordAuthentication no
    #PermitEmptyPasswords no

    # Change to no to disable s/key passwords
    #ChallengeResponseAuthentication yes

    # Kerberos options
    #KerberosAuthentication no
    #KerberosOrLocalPasswd yes
    #KerberosTicketCleanup yes
    #KerberosGetAFSToken no

    # GSSAPI options
    #GSSAPIAuthentication no
    #GSSAPICleanupCredentials yes

    # Set this to 'yes' to enable support for the deprecated 'gssapi' authentication
    # mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included
    # in this release. The use of 'gssapi' is deprecated due to the presence of
    # potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.
    #GSSAPIEnableMITMAttack no




    # Set this to 'yes' to enable PAM authentication, account processing,
    # and session processing. If this is enabled, PAM authentication will
    # be allowed through the ChallengeResponseAuthentication and
    # PasswordAuthentication. Depending on your PAM configuration,
    # PAM authentication via ChallengeResponseAuthentication may bypass
    # the setting of "PermitRootLogin without-password".
    # If you just want the PAM account and session checks to run without
    # PAM authentication, then enable this but set PasswordAuthentication
    # and ChallengeResponseAuthentication to 'no'.
    UsePAM yes

    #AllowAgentForwarding yes
    #AllowTcpForwarding yes
    #GatewayPorts no
    X11Forwarding yes
    #X11DisplayOffset 10
    #X11UseLocalhost yes
    #PrintMotd yes
    #PrintLastLog yes
    #TCPKeepAlive yes
    #UseLogin no
    #UsePrivilegeSeparation yes
    #PermitUserEnvironment no
    #Compression delayed
    #ClientAliveInterval 0
    #ClientAliveCountMax 3
    #UseDNS yes
    #PidFile /var/run/sshd.pid
    #MaxStartups 10
    #PermitTunnel no
    #ChrootDirectory none

    # no default banner path
    #Banner none

    # override default of no subsystems
    Subsystem sftp /usr/lib64/ssh/sftp-server

    # This enables accepting locale environment variables LC_* LANG, see sshd_config(5).
    AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
    AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
    AcceptEnv LC_IDENTIFICATION LC_ALL

    # Example of overriding settings on a per-user basis
    #Match User anoncvs
    # X11Forwarding no
    # AllowTcpForwarding no
    # ForceCommand cvs server

    --
    VampirD

    General Failure is the supreme commander of the Microsoft army.
    All operation made by this army ends on him.

  2. #2

    Re: ssh public key authentication

    Add some verbosity to your login (-v, -vv, or -vvv) and post the output
    here. Also make sure that your authorized_keys file, as well as the
    directories containing it, are not accessible to any user except you or to
    any group. Make permissions 600 (rw-------) for files or 700 (rwx------)
    for the .ssh directory and see if that helps. Make sure the key files are
    also locked down on your client side.

    Good luck.





    VampirD wrote:
    > Hi, I have a problem with the ssh public key...
    > 1- create a public key without passphrase (ssh-keygen)
    > 2- copy the id_rsa.pub file to the directory .ssh on my home dir in the
    > server
    > 3- cat id_rsa.pub >> authorized_keys
    >
    > but when I ssh to the server still ask for the password
    > If I do
    > [user@client]:~/.ssh$ ssh -o PreferredAuthentications=publickey server
    > Permission denied (publickey,keyboard-interactive).
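
The permission check recommended in the reply above, written out as an added example (it is not part of the original thread). It assumes `AuthorizedKeysFile .ssh/authorized_keys` as in the posted config; the function names `check_ssh_perms` and `fix_ssh_perms` are hypothetical.

```shell
#!/bin/sh
# Added example: audit the paths sshd inspects before trusting authorized_keys.
# Assumes AuthorizedKeysFile is .ssh/authorized_keys (as in the posted config).

# Group+other permission characters of a path, e.g. "r-xr-x" for mode 755.
go_bits() { ls -ld "$1" | cut -c5-10; }

# Numeric owner uid of a path.
owner_uid() { ls -ldn "$1" | awk '{print $3}'; }

# check_ssh_perms HOME_DIR [UID]
# Prints one finding per line; returns 0 when clean, 1 otherwise.
check_ssh_perms() {
    home=$1
    uid=${2:-$(id -u)}
    rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING $p"; rc=1; continue
        fi
        o=$(owner_uid "$p")
        if [ "$o" != "$uid" ] && [ "$o" != 0 ]; then
            echo "BAD-OWNER $p (uid $o)"; rc=1
        fi
        bits=$(go_bits "$p")
        # StrictModes (default yes) rejects group- or world-writable paths.
        case $bits in
            ?w????|????w?) echo "WRITABLE-BY-OTHERS $p ($bits)"; rc=1 ;;
        esac
        # Stricter advice from the reply: .ssh and the key file fully private.
        if [ "$p" != "$home" ] && [ "$bits" != "------" ]; then
            echo "NOT-PRIVATE $p ($bits)"; rc=1
        fi
    done
    return $rc
}

# fix_ssh_perms HOME_DIR: apply the modes recommended in the reply.
fix_ssh_perms() {
    chmod go-w "$1" &&
    chmod 700 "$1/.ssh" &&
    chmod 600 "$1/.ssh/authorized_keys"
}

# Run against a directory given on the command line, e.g. "$HOME".
if [ -n "${1:-}" ]; then check_ssh_perms "$1"; fi
```

Run it on the server as the account that is trying to log in; a `WRITABLE-BY-OTHERS` or `BAD-OWNER` finding is the kind sshd silently treats as "no usable key" before falling back to other methods.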

  3. #3

    Re: ssh public key authentication

    Thanks ab, I changed the permissions and now it works ^_^

    --
    VampirD

    General Failure is the supreme commander of the Microsoft army.
    All operation made by this army ends on him.

  4. #4

    Re: ssh public key authentication

    Good to hear. Thank you for posting back your results.

    Good luck.





    VampirD wrote:
    > Thanks ab, I changed the permissions and now it works ^_^
    >

