Also the permissions on the .ssh directory must be 700. I apologize if this has already been mentioned, but have you tried to telnet to port 22 on the target box? That would answer any questions about connectivity.
Cathy -- Cathy L. Smith IT Engineer Pacific Northwest National Laboratory Operated by Battelle for the U.S. Department of Energy Phone: 509.375.2687 Fax: 509.375.4399 Email: [email protected] -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Damon Bull Sent: Wednesday, November 02, 2016 9:00 AM To: Portland Linux/Unix Group <[email protected]> Subject: Re: [PLUG] Re-doing ssh key phrase and key type Rich, Maybe check your target users home directory permissions. It's a poorly documented that in addition to the restrictive permission on the ~/.ssh directory and the authorized_keys file, your home directory on the target system must also be restricted. It must not have more than read and execute permissions for group and everyone for ssh to work without password prompt. In other words, your target user home directory permissions must be no more permissive than rwxr-xr-x. Hope this helps. db. On Wednesday, November 2, 2016 8:35 AM, Louis Kowolowski <[email protected]> wrote: > On Oct 26, 2016, at 5:51 PM, Rich Shepard <[email protected]> wrote: > >> On Tue, 25 Oct 2016, Rich Shepard wrote: >> >> Having new installations of Slackware-14.2 on three hosts now (two >> more to go after I get these three fully functional), I want to >> change my ssh private and public keys using a new passphrase and type. > > Keeping the same thread going, I've read the ssh, sshd, ssh_config, >sshd_config, ssh-keygen, and ssh-agen man pages and searched the web >for usage examples and still have a few unanswered questions. > > On the desktop I generated a new ed25519 key pair. Wanting to set up >communications between this host and the ThinkPad I tried > > scp ~/.ssh/id_ed25519.pub typha:.ssh > > (and a couple of different references to the remote host) but the > connection was refused. > > I copied the public key to a USB thumb drive and manually installed >it in > typha: ~/.ssh. > > Then, logged into typha, I tried to scp ~/ from the desktop. Openssh >told me it didn't recognize the remote machine and asked it I wanted to >continue. > I responded, "yes," and the public key was added to the ThinkPad's >authorized_hosts file, but the connection was refused. Is the next step >to specify verbotisty levels, e.g., 'ssh -vv <remote_host>'? > Yes. If this doesn't show you the problem, you may have to start sshd with debugging. Of note, when you do this, sshd will terminate after the first connection. Be careful. > On a related issue, as authorized_hosts holds public keys from remote >hosts, and I'm essentially starting from a clean slate with the >portables and the desktop, can I remove that old file from the >desktop's ~/.ssh/ and start over again when I use ssh/scp from a portable to >the desktop? > Are you mixing up authorized_keys and known_hosts? Authorized_keys contains your ssh pub keys Known_hosts is a list of previously connected-to hosts and their fingerprints The latter is only meaningful in the sense that you don't get prompted if you save the information into known hosts. > On another related OpenSSH issue: ssh-agent. I've not before used it >but it looks useful. If I understand the man page, I run it on hosts >that will remotely connect to the desktop (the portables) so when they >boot they'll have the public key available to all shells and I'll not >need to enter my pass phrase each time I want to establish a secure >connection. Is this correct? Should I also run it on the desktop? > Not exactly. Typically, when you login, you run ssh-add <key> (either manually or automagically) and it will prompt for passphrase of key and add it to your ssh agent. If you use the ssh agent, when you connect to a host via ssh (assuming you aren't passing options to disable the agent) it will look for keys in the agent and auth with them. You don't need to provide a password in this case because you've already done so when you added the key to the agent. You can forward the agent information to the remote host and continue this daisy-chain process. This will work for any keys in the agent. This allows you to use ssh keys but not copy the private key to a remote system. I run it on my desktop and laptop, because I use both to connect to remote hosts. I don't run it on remote hosts that I don't physically login to. I also don't copy the ssh private key to any host I don't trust. Sent from my iPhone _______________________________________________ PLUG mailing list [email protected] http://lists.pdxlinux.org/mailman/listinfo/plug _______________________________________________ PLUG mailing list [email protected] http://lists.pdxlinux.org/mailman/listinfo/plug _______________________________________________ PLUG mailing list [email protected] http://lists.pdxlinux.org/mailman/listinfo/plug
