[lug] ssh and pubkey

j davis davis_compz at hotmail.com
Mon Aug 12 22:29:11 MDT 2002


excuse me id_isa is supposed to be id_dsa.pub

thanks
jd


>From: Warren Sanders <sanders at montanalinux.org>
>Reply-To: lug at lug.boulder.co.us
>To: lug at lug.boulder.co.us
>Subject: Re: [lug] ssh and pubkey
>Date: Mon, 12 Aug 2002 20:48:17 -0600
>
>Forgot to add the edits to /etc/ssh/sshd_config to include these lines as 
>step 2.:
>HostKey /etc/ssh/ssh_host_key
>HostKey /etc/ssh/ssh_host_rsa_key
>HostKey /etc/ssh/ssh_host_dsa_key
>RSAAuthentication yes
>AuthorizedKeysFile      .ssh/authorized_keys # (not sure this was needed but opened this up also)
>
>My /etc/ssh/sshd_config at bottom...
>
>j davis wrote:
>
>>ok, i did all of that...when i tail -f /var/log/secure on the sshd server
>>while i am trying to login using pubkey it says that
>>pubkey auth and keyboard interactive has failed for root. i copied roots
>>id_isa.pub and id_rsa.pub to /root/.ssh/authorized_keys on the sshd 
>>server...
>
>Only need the id_rsa.pub to be copied to server as authorized_keys.  Not 
>sure what id_isa.pub is
>
>>
>>here is my sshd config, sorry,...
>>
>>Port 22
>>Protocol 2
>>#ListenAddress 0.0.0.0
>>#ListenAddress ::
>>
>># HostKey for protocol version 1
>>#HostKey /etc/ssh/ssh_host_key
>>#HostKeys for protocol version 2
>>HostKey /etc/ssh/ssh_host_rsa_key
>>HostKey /etc/ssh/ssh_host_dsa_key
>>
>># Lifetime and size of ephemeral version 1 server key
>>#KeyRegenerationInterval 3600
>>#ServerKeyBits 768
>>
>># Logging
>>#obsoletes QuietMode and FascistLogging
>>#SyslogFacility AUTH
>>SyslogFacility AUTHPRIV
>>#LogLevel INFO
>>
>># Authentication:
>>
>>#LoginGraceTime 600
>>#PermitRootLogin yes
>>PermitRootLogin without-password
>>#StrictModes yes
>>
>>RSAAuthentication yes
>>PubkeyAuthentication yes
>>AuthorizedKeysFile        .ssh/authorized_keys
>>
>># rhosts authentication should not be used
>>#RhostsAuthentication no
>># Don't read the user's ~/.rhosts and ~/.shosts files
>>#IgnoreRhosts yes
>># For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
>>#RhostsRSAAuthentication no
>># similar for protocol version 2
>># HostbasedAuthentication yes
>># Change to yes if you don't trust ~/.ssh/known_hosts for
>>#RhostsRSAAuthentication and HostbasedAuthentication
>>#IgnoreUserKnownHosts no
>>
>># To disable tunneled clear text passwords, change to no here!
>>PasswordAuthentication no
>>#PermitEmptyPasswords yes
>>
>># Change to no to disable s/key passwords
>>ChallengeResponseAuthentication yes
>>
>># Kerberos options
>># KerberosAuthentication automatically enabled if keyfile exists
>>#KerberosAuthentication no
>>#KerberosOrLocalPasswd no
>>#KerberosTicketCleanup no
>>
>># AFSTokenPassing automatically enabled if k_hasafs() is true
>>#AFSTokenPassing yes
>>
>># Kerberos TGT Passing only works with the AFS kaserver
>>#KerberosTgtPassing no
>>
>># Set this to 'yes' to enable PAM keyboard-interactive authentication
>># Warning: enabling this may bypass the setting of 'PasswordAuthentication'
>>#PAMAuthenticationViaKbdInt yes
>>
>>#X11Forwarding no
>>X11Forwarding yes
>>#X11DisplayOffset 10
>>#X11UseLocalhost yes
>>PrintMotd yes
>>#PrintLastLog yes
>>#KeepAlive yes
>>#UseLogin no
>>
>>#MaxStartups 10
>># no default banner path
>>#Banner /some/path
>>#VerifyReverseMapping no
>># override default of no subsystems
>>Subsystem        sftp        /usr/libexec/openssh/sftp-server
>>
>>
>>
>>thanks,
>>jd
>>
>>
>>
>>
>>
>>
>>
>>>From: Warren Sanders <sanders at montanalinux.org>
>>>Reply-To: lug at lug.boulder.co.us
>>>To: lug at lug.boulder.co.us
>>>Subject: Re: [lug] ssh and pubkey
>>>Date: Mon, 12 Aug 2002 19:14:19 -0600
>>>
>>>I did just this task today.  If I can remember the exact steps...
>>>First off I think you may already know the first steps, but for the sake 
>>>of others and documentation...
>>>
>>>   1. ssh-keygen -t rsa
>>>   2. ssh-agent bash (or whatever shell)
>>>   3. ssh-add
>>>   4. scp $user/.ssh/id_rsa.pub $user@other-box:$user/.ssh/authorized_keys
>>>
>>>In my case I did localdomain root accounts on both sides.  I can access 
>>>both sides without authentication.  My purpose for doing this was to run 
>>>rsync over ssh transport as a cron job.
>>>
>>>
>>>j davis wrote:
>>>
>>>>Hello,
>>>>I tried setting up ssh to not use a passwd so i could have my
>>>>scripts log in using id_dsa....so i got kinda confused here...
>>>>
>>>>You must now put the public key on the remote machine
>>>>
>>>>    * Copy the public key to the server: use scp, ftp, email, paste it 
>>>>with a mouse, anything.
>>>>    * Connect to the server with ssh and password authentication.
>>>>    * put the key in the ``correct'' place. This depends on your 
>>>>implementation and version.
>>>>
>>>>OpenSSH (SSH-1)
>>>>
>>>>    copy the key into  /.ssh/authorized_keys
>>>>OpenSSH (SSH-2)
>>>>
>>>>    copy the key into  /.ssh/authorized_keys2
>>>>Sun SSH Solaris 9 (SSH-2)
>>>>
>>>>    copy the key into  /.ssh/authorized_keys
>>>>Commercial SSH (SSH-1)
>>>>
>>>>    copy the key into  /.ssh/authorized_keys
>>>>Commercial SSH (SSH-2)
>>>>
>>>>copy the key to the file  /.ssh2/mykey.pub and create a file called  
>>>>/.ssh2/authorization that contains a line Key mykey.pub
>>>>
>>>>um...does /.ssh mean create .ssh/authorized_keys in / or what...
>>>>im using rh7.3 up2dated sshd.
>>>>
>
>#Port 22
>Protocol 2,1
>#ListenAddress 0.0.0.0
>#ListenAddress ::
>
># HostKey for protocol version 1
>HostKey /etc/ssh/ssh_host_key
># HostKeys for protocol version 2
>HostKey /etc/ssh/ssh_host_rsa_key
>HostKey /etc/ssh/ssh_host_dsa_key
>
># Lifetime and size of ephemeral version 1 server key
>#KeyRegenerationInterval 3600
>#ServerKeyBits 768
>
># Logging
>#obsoletes QuietMode and FascistLogging
>#SyslogFacility AUTH
>#LogLevel INFO
>
># Authentication:
>
>#LoginGraceTime 600
>#PermitRootLogin yes
>#StrictModes yes
>
>RSAAuthentication yes
>#PubkeyAuthentication yes
>AuthorizedKeysFile      .ssh/authorized_keys
>
># rhosts authentication should not be used
>#RhostsAuthentication no
># Don't read the user's ~/.rhosts and ~/.shosts files
>#IgnoreRhosts yes
># For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
>#RhostsRSAAuthentication no
># similar for protocol version 2
>#HostbasedAuthentication no
># Change to yes if you don't trust ~/.ssh/known_hosts for
># RhostsRSAAuthentication and HostbasedAuthentication
>#IgnoreUserKnownHosts no
>
># To disable tunneled clear text passwords, change to no here!
>#PasswordAuthentication yes
>#PermitEmptyPasswords no
>
># Change to no to disable s/key passwords
>#ChallengeResponseAuthentication yes
>
># Kerberos options
>#KerberosAuthentication no
>#KerberosOrLocalPasswd yes
>#KerberosTicketCleanup yes
>
>#AFSTokenPassing no
>
># Kerberos TGT Passing only works with the AFS kaserver
>#KerberosTgtPassing no
>
># Set this to 'yes' to enable PAM keyboard-interactive authentication
># Warning: enabling this may bypass the setting of 'PasswordAuthentication'
>#PAMAuthenticationViaKbdInt yes
>
>X11Forwarding yes
>#X11DisplayOffset 10
>#X11UseLocalhost yes
>#PrintMotd yes
>#PrintLastLog yes
>#KeepAlive yes
>#UseLogin no
>UsePrivilegeSeparation yes
>Compression no
>
>#MaxStartups 10
># no default banner path
>#Banner /some/path
>#VerifyReverseMapping no
>
># override default of no subsystems
>Subsystem       sftp    /usr/lib/ssh/sftp-server
>
>BTW my sshd server is a Mandrake 7.1 with latest ssh and my client is RH 
>7.3 also latest ssh.
>
>--
>Warren Sanders
>http://MontanaLinux.org
>
>
>


thanks,
jd

jd at taproot.bz
http://www.taproot.bz
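
Added example, not part of the original messages: both sshd_config files quoted in this thread mix commented-out and live directives, so this script prints the values sshd would actually read for the pubkey-related keywords and flags group- or world-writable key paths, which StrictModes rejects. The function names are hypothetical, and it assumes a relative AuthorizedKeysFile (as in the thread), falling back to .ssh/authorized_keys when the keyword is unset.

```shell
#!/bin/sh
# Added example (not from the thread): show which sshd_config lines are live
# and whether StrictModes would reject the key file. Paths are arguments.

# effective_opt FILE KEYWORD: print the first uncommented value of KEYWORD.
# sshd uses the first value it reads; keywords are case-insensitive.
effective_opt() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        tolower($1) == want {
            $1 = ""; sub(/^[ \t]+/, ""); print; exit
        }' "$1"
}

# loose_perms PATH...: print each PATH that is group- or world-writable,
# which makes sshd skip authorized_keys while StrictModes is on.
loose_perms() {
    for p in "$@"; do
        find "$p" -prune \( -perm -020 -o -perm -002 \) -print
    done
}

# pubkey_report CONFIG HOME_DIR: summary of what matters for key login.
pubkey_report() {
    cfg=$1 home=$2
    for kw in Protocol PubkeyAuthentication RSAAuthentication \
              PermitRootLogin PasswordAuthentication StrictModes; do
        val=$(effective_opt "$cfg" "$kw")
        printf '%-24s %s\n' "$kw" "${val:-(not set, built-in default applies)}"
    done
    akf=$(effective_opt "$cfg" AuthorizedKeysFile)
    akf=${akf:-.ssh/authorized_keys}   # assumed default, relative to home
    printf '%-24s %s\n' AuthorizedKeysFile "$home/$akf"
    bad=$(loose_perms "$home" "$home/.ssh" "$home/$akf" 2>/dev/null)
    [ -z "$bad" ] || printf 'writable by group/other: %s\n' $bad
    # Key types present (entries without leading options): ssh-rsa, ssh-dss.
    awk '$1 ~ /^ssh-/ { n[$1]++ } END { for (t in n) print n[t], t }' \
        "$home/$akf" 2>/dev/null
}

if [ $# -eq 2 ]; then pubkey_report "$1" "$2"; fi
```

Run it on the server as `sh script.sh /etc/ssh/sshd_config /root` (script name is a placeholder) and compare the output with what /var/log/secure reports.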
