[lug] ssh and pubkey

Warren Sanders sanders at montanalinux.org
Mon Aug 12 20:48:17 MDT 2002


Forgot to add the edits to /etc/ssh/sshd_config to include these lines as step 2:
HostKey /etc/ssh/ssh_host_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
RSAAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys # (not sure this was needed but opened this up also)

My /etc/ssh/sshd_config at bottom...

j davis wrote:

> ok, i did all of that...when i tail -f /var/log/secure on the sshd server
> while i am trying to login using pubkey it says that
> pubkey auth and keyboard interactive has failed for root. i copied root's
> id_isa.pub and id_rsa.pub to /root/.ssh/authorized_keys on the sshd
> server...

Only need the id_rsa.pub to be copied to server as authorized_keys.  Not
sure what id_isa.pub is.

>
> here is my sshd config, sorry,...
>
> Port 22
> Protocol 2
> #ListenAddress 0.0.0.0
> #ListenAddress ::
>
> # HostKey for protocol version 1
> #HostKey /etc/ssh/ssh_host_key
> #HostKeys for protocol version 2
> HostKey /etc/ssh/ssh_host_rsa_key
> HostKey /etc/ssh/ssh_host_dsa_key
>
> # Lifetime and size of ephemeral version 1 server key
> #KeyRegenerationInterval 3600
> #ServerKeyBits 768
>
> # Logging
> #obsoletes QuietMode and FascistLogging
> #SyslogFacility AUTH
> SyslogFacility AUTHPRIV
> #LogLevel INFO
>
> # Authentication:
>
> #LoginGraceTime 600
> #PermitRootLogin yes
> PermitRootLogin without-password
> #StrictModes yes
>
> RSAAuthentication yes
> PubkeyAuthentication yes
> AuthorizedKeysFile        .ssh/authorized_keys
>
> # rhosts authentication should not be used
> #RhostsAuthentication no
> # Don't read the user's ~/.rhosts and ~/.shosts files
> #IgnoreRhosts yes
> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
> #RhostsRSAAuthentication no
> # similar for protocol version 2
> # HostbasedAuthentication yes
> # Change to yes if you don't trust ~/.ssh/known_hosts for
> #RhostsRSAAuthentication and HostbasedAuthentication
> #IgnoreUserKnownHosts no
>
> # To disable tunneled clear text passwords, change to no here!
> PasswordAuthentication no
> #PermitEmptyPasswords yes
>
> # Change to no to disable s/key passwords
> ChallengeResponseAuthentication yes
>
> # Kerberos options
> # KerberosAuthentication automatically enabled if keyfile exists
> #KerberosAuthentication no
> #KerberosOrLocalPasswd no
> #KerberosTicketCleanup no
>
> # AFSTokenPassing automatically enabled if k_hasafs() is true
> #AFSTokenPassing yes
>
> # Kerberos TGT Passing only works with the AFS kaserver
> #KerberosTgtPassing no
>
> # Set this to 'yes' to enable PAM keyboard-interactive authentication
> # Warning: enabling this may bypass the setting of 'PasswordAuthentication'
> #PAMAuthenticationViaKbdInt yes
>
> #X11Forwarding no
> X11Forwarding yes
> #X11DisplayOffset 10
> #X11UseLocalhost yes
> PrintMotd yes
> #PrintLastLog yes
> #KeepAlive yes
> #UseLogin no
>
> #MaxStartups 10
> # no default banner path
> #Banner /some/path
> #VerifyReverseMapping no
> # override default of no subsystems
> Subsystem        sftp        /usr/libexec/openssh/sftp-server
>
>
>
> thanks,
> jd
>
>> From: Warren Sanders <sanders at montanalinux.org>
>> Reply-To: lug at lug.boulder.co.us
>> To: lug at lug.boulder.co.us
>> Subject: Re: [lug] ssh and pubkey
>> Date: Mon, 12 Aug 2002 19:14:19 -0600
>>
>> I did just this task today.  If I can remember the exact steps...
>> First off I think you may already know the first steps, but for the 
>> sake of others and documentation...
>>
>>   1. ssh-keygen -t rsa
>>   2. ssh-agent bash (or whatever shell)
>>   3. ssh-add
>>   4. scp $user/.ssh/id_rsa.pub $user@other-box:$user/.ssh/authorized_keys
>>
>> In my case I did localdomain root accounts on both sides.  I can 
>> access both sides without authentication.  My purpose for doing this 
>> was to run rsync over ssh transport as a cron job.
>>
>>
>> j davis wrote:
>>
>>> Hello,
>>> I tried setting up ssh to not use a passwd so i could have my
>>> scripts log in using id_dsa....so i got kinda confused here...
>>>
>>> You must now put the public key on the remote machine
>>>
>>>    * Copy the public key to the server: use scp, ftp, email, paste 
>>> it with a mouse, anything.
>>>    * Connect to the server with ssh and password authentication.
>>>    * put the key in the ``correct'' place. This depends on your 
>>> implementation and version.
>>>
>>> OpenSSH (SSH-1)
>>>
>>>    copy the key into  /.ssh/authorized_keys
>>> OpenSSH (SSH-2)
>>>
>>>    copy the key into  /.ssh/authorized_keys2
>>> Sun SSH Solaris 9 (SSH-2)
>>>
>>>    copy the key into  /.ssh/authorized_keys
>>> Commercial SSH (SSH-1)
>>>
>>>    copy the key into  /.ssh/authorized_keys
>>> Commercial SSH (SSH-2)
>>>
>>> copy the key to the file  /.ssh2/mykey.pub and create a file called  
>>> /.ssh2/authorization that contains a line Key mykey.pub
>>>
>>> um...does /.ssh mean create .ssh/authorized_keys in / or what...
>>> im using rh7.3 up2dated sshd.
>>>

#Port 22
Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 3600
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 600
#PermitRootLogin yes
#StrictModes yes

RSAAuthentication yes
#PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys

# rhosts authentication should not be used
#RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

#AFSTokenPassing no

# Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no

# Set this to 'yes' to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt yes

X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
UsePrivilegeSeparation yes
Compression no

#MaxStartups 10
# no default banner path
#Banner /some/path
#VerifyReverseMapping no

# override default of no subsystems
Subsystem       sftp    /usr/lib/ssh/sftp-server

BTW my sshd server is a Mandrake 7.1 with latest ssh and my client is
RH 7.3 also latest ssh.

-- 
Warren Sanders
http://MontanaLinux.org
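
An added example (not part of the original messages): a small Python audit of the sshd_config settings compared in this thread. It applies sshd's rule that the first value read for a keyword wins; the defaults table, the finding names and the two trimmed sample configs are assumptions constructed from the configs quoted above.

```python
# Added example: audit the sshd_config settings discussed in this thread.
# Assumption: defaults mirror the commented-out lines in the configs above.
DEFAULTS = {
    "protocol": "2,1",  # assumed default for this OpenSSH era
    "permitrootlogin": "yes",
    "strictmodes": "yes",
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
}

# Constructed samples: the uncommented auth lines from the two posted configs.
JD_CONFIG = """Protocol 2
PermitRootLogin without-password
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
"""
WARREN_CONFIG = """Protocol 2,1
RSAAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys
"""

def effective_settings(text):
    """Return keyword -> value; sshd keeps the first value read per keyword."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are ignored
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        seen.setdefault(parts[0].lower(), value)  # keywords are case-insensitive
    return {**DEFAULTS, **seen}

def audit(text):
    """Return a list of finding names (hypothetical labels) for one config."""
    cfg, out = effective_settings(text), []
    if "1" in [p.strip() for p in cfg["protocol"].split(",")]:
        out.append("protocol-1-enabled")
    if cfg["pubkeyauthentication"] != "yes":
        out.append("pubkey-disabled")
    if (cfg["passwordauthentication"] == "no"
            and cfg["challengeresponseauthentication"] == "yes"):
        out.append("kbd-interactive-still-offered")
    if cfg["permitrootlogin"] == "yes" and cfg["passwordauthentication"] == "yes":
        out.append("root-password-login-allowed")
    if cfg["strictmodes"] != "yes":
        out.append("strictmodes-off")
    return out
```

Run `audit()` on the full text of a real /etc/ssh/sshd_config to get the same findings for a live server.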
