> I'd think this would be widely known if it were true; which suggests > that I'm just doing something wrong.
its just a sshd config thing. no biggie. > This is my preferred theory, as > if I'm doing something wrong I can just change to doing the right > thing -- once I discover what it is. > > So, the problem: On my solaris box (SunOS fsfs 5.11 snv_44 i86pc i386 > i86pc) I've got sshd running (it's set up by default in the install, > so I don't think I had much chance to mung that). yep .. I agree > In my user account, > I've created a .ssh directory and created an authorized_keys file > containing the public key I normally use for remote access. I copied > this file from a debian linux box, where it was working. I cannot, > however, get public-key access into this system; I always have to > provide my password. by "into this system" you must mean the Solaris Express server and not the Debian linux server. > I also can't figure out where sshd is logging anything; that might > tell me something useful about what's going on I suppose. again, by default it doesn't do a lot of logging. > I've > enabled debugging on the client side (and I've tried two clients; ssh > from debian sarge, and putty on my windows box; I use both regularly > and they work in all other cases, and they work to Solaris except that > they ignore the public-key authentication and make me provide the > password every time). I guess you setup putty to provide a key. No problem. I do the same thing although I am running Sol10u2 on an old pentium box at the moment. My desktop is whereever I am on whatever is in front of me and I always use public key stuff too. > I've asked about this before, and gotten no input. Even if all you > can tell me is that you do run ssh sessions with public key > authentication between putty on windows or openssh on debian, please > tell me that. Knowing it works for everybody else is useful > information. you know what? Let's document it and post it. Here is my sshd_config on my server : bash-3.1$ cat /etc/ssh/sshd_config # # Copyright 2004 Sun Microsystems, Inc. All rights reserved. # Use is subject to license terms. # # ident "@(#)sshd_config 1.8 04/05/10 SMI" # # Configuration file for sshd(1m) # Protocol versions supported # # The sshd shipped in this release of Solaris has support for major versions # 1 and 2. It is recommended due to security weaknesses in the v1 protocol # that sites run only v2 if possible. Support for v1 is provided to help sites # with existing ssh v1 clients/servers to transition. # Support for v1 may not be available in a future release of Solaris. # # To enable support for v1 an RSA1 key must be created with ssh-keygen(1). # RSA and DSA keys for protocol v2 are created by /etc/init.d/sshd if they # do not already exist, RSA1 keys for protocol v1 are not automatically created. # Uncomment ONLY ONE of the following Protocol statements. # Only v2 (recommended) Protocol 2 # Both v1 and v2 (not recommended) #Protocol 2,1 # Only v1 (not recommended) #Protocol 1 # Listen port (the IANA registered port number for ssh is 22) Port 22 # The default listen address is all interfaces, this may need to be changed # if you wish to restrict the interfaces sshd listens on for a multi homed host. # Multiple ListenAddress entries are allowed. # IPv4 only #ListenAddress 0.0.0.0 # IPv4 & IPv6 ListenAddress :: # Port forwarding AllowTcpForwarding no # If port forwarding is enabled, specify if the server can bind to INADDR_ANY. # This allows the local port forwarding to work when connections are received # from any remote host. GatewayPorts no # X11 tunneling options X11Forwarding yes X11DisplayOffset 10 # X11UseLocalhost yes # The maximum number of concurrent unauthenticated connections to sshd. # start:rate:full see sshd(1) for more information. # The default is 10 unauthenticated clients. #MaxStartups 10:30:60 # Banner to be printed before authentication starts. Banner /etc/ssh/ssh_banner # Should sshd print the /etc/motd file and check for mail. # On Solaris it is assumed that the login shell will do these # (eg /etc/profile). PrintMotd no # KeepAlive specifies whether keep alive messages are sent to the client. # See sshd(1) for detailed description of what this means. # Note that the client may also be sending keep alive messages to the server. KeepAlive yes # Syslog facility and level SyslogFacility auth LogLevel info # # Authentication configuration # # Host private key files # Must be on a local disk and readable only by the root user (root:sys 600). HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_dsa_key # Default Encryption algorithms and Message Authentication codes #Ciphers aes128-ctr,aes128-cbc,arcfour,3des-cbc,blowfish-cbc #MACS hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96 # Length of the server key # Default 768, Minimum 512 ServerKeyBits 768 # sshd regenerates the key every KeyRegenerationInterval seconds. # The key is never stored anywhere except the memory of sshd. # The default is 1 hour (3600 seconds). KeyRegenerationInterval 300 # Ensure secure permissions on users .ssh directory. StrictModes yes # Length of time in seconds before a client that hasn't completed # authentication is disconnected. # Default is 600 seconds. 0 means no time limit. LoginGraceTime 30 # Maximum number of retries for authentication # Default is 6. Default (if unset) for MaxAuthTriesLog is MaxAuthTries / 2 MaxAuthTries 6 MaxAuthTriesLog 3 # Are logins to accounts with empty passwords allowed. # If PermitEmptyPasswords is no, pass PAM_DISALLOW_NULL_AUTHTOK # to pam_authenticate(3PAM). PermitEmptyPasswords no # To disable tunneled clear text passwords, # change PasswordAuthentication to no. PasswordAuthentication no # Use PAM via keyboard interactive method for authentication. # Depending on the setup of pam.conf(4) this may allow tunneled clear text # passwords even when PasswordAuthentication is set to no. This is dependent # on what the individual modules request and is out of the control of sshd # or the protocol. # PAMAuthenticationViaKBDInt yes PAMAuthenticationViaKBDInt no # Are root logins permitted using sshd. # Note that sshd uses pam_authenticate(3PAM) so the root (or any other) user # maybe denied access by a PAM module regardless of this setting. # Valid options are yes, without-password, no. PermitRootLogin no # sftp subsystem Subsystem sftp /usr/lib/ssh/sftp-server # SSH protocol v1 specific options # # The following options only apply to the v1 protocol and provide # some form of backwards compatibility with the very weak security # of /usr/bin/rsh. Their use is not recommended and the functionality # will be removed when support for v1 protocol is removed. # Should sshd use .rhosts and .shosts for password less authentication. IgnoreRhosts yes RhostsAuthentication no # Rhosts RSA Authentication # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts. # If the user on the client side is not root then this won't work on # Solaris since /usr/bin/ssh is not installed setuid. RhostsRSAAuthentication no # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication. #IgnoreUserKnownHosts yes # Is pure RSA authentication allowed. # Default is yes RSAAuthentication yes # # from CSW OpenSSH PubkeyAuthentication yes ClientAliveInterval 100 bash-3.1$ have a look at that and see what you have and then let's see if I can help you. Dennis _______________________________________________ opensolaris-help mailing list [email protected]
