Hi Rich,
I struggle to understand what is local and what is remote and what
files you have where. So here is the minimum of what you need to do/audit:
Local machine .ssh/:
id_ed25519 - r/w by user only (600)
id_ed25519.pub - r/w by user + r by group and others (644)
Remote machine(s) .ssh/:
authorized_keys - containing the public key line from your Local
id_ed25519.pub; must be readable (at least 400)
This is all you need to have to be able to login from Local to Remote
using your signature. Naturally, the remote and local .ssh/ directories
can and will contain other files such as known_hosts, sshd_config. I
assume that you did not modify them.
Machine identification keys in /etc/ssh should be created automatically
when you start sshd at first boot. So you do not need to do anything
here. I assume that you did not modify them.
When you get it all working, you can (some would argue that you should)
disable password authentication without the public key. There are many
guides about how to do that on the remote side, for example:
http://www.linux.org/threads/how-to-force-ssh-login-via-public-key-authentication.4253/
You should also disable the ssh 1 protocol, root login and a bunch of other
things on the remote side for security, but that is a different topic for
another day.
If this does not get you there, try to find some interactive, hands-on
help. I would not mind meeting/helping you to troubleshoot it
somewhere handy in Portland. Let me know if you need it.
I hope it helps, Tomas
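As an added example (not Tomas's or the thread's own code): a Python audit of exactly the checklist above, private key 600, public key 644, authorized_keys readable by its owner and carrying the local public key line. `demo()` builds a constructed local .ssh/ directory and a file standing in for the remote authorized_keys in a temp directory; the key material is a constructed placeholder, not a real key.

```python
import stat
import tempfile
from pathlib import Path

MAX_MODE = {"id_ed25519": 0o600, "id_ed25519.pub": 0o644}  # checklist above: private 600, public 644
SAMPLE_PUB = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyNotReal rshepard@salmo"  # constructed

def key_fields(line):
    """(type, base64) of an OpenSSH public key line; skips leading options and the trailing comment."""
    parts = line.split()
    for i, tok in enumerate(parts[:-1]):
        if tok.startswith(("ssh-", "ecdsa-", "sk-")):
            return parts[i], parts[i + 1]
    return None

def audit_ssh_keys(local_ssh, remote_authorized_keys):
    """Return findings (empty list = minimum met) for the local key pair and the remote authorized_keys."""
    findings, local_ssh, ak = [], Path(local_ssh), Path(remote_authorized_keys)
    for name, limit in MAX_MODE.items():
        p = local_ssh / name
        if not p.exists():
            findings.append(f"{p}: missing")
        elif (mode := stat.S_IMODE(p.stat().st_mode)) & ~limit:  # any bit beyond the allowed set
            findings.append(f"{p}: mode {mode:o} is broader than {limit:o}")
    if not ak.exists():
        return findings + [f"{ak}: missing"]
    mode = stat.S_IMODE(ak.stat().st_mode)
    if not mode & stat.S_IRUSR:
        findings.append(f"{ak}: not readable by owner (mode {mode:o})")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):  # sshd with StrictModes refuses such a file
        findings.append(f"{ak}: writable by group/others (mode {mode:o})")
    pub = local_ssh / "id_ed25519.pub"
    if pub.exists():
        present = {key_fields(l) for l in ak.read_text().splitlines() if l.strip() and not l.startswith("#")}
        if key_fields(pub.read_text()) not in present:
            findings.append(f"{ak}: does not contain the key from {pub}")
    return findings

def demo(fixed=False):
    """Constructed scenario: private key left at 644 and the wrong key in authorized_keys; fixed=True repairs both."""
    local = Path(tempfile.mkdtemp()) / "local_ssh"
    local.mkdir()
    (local / "id_ed25519").write_text("-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed placeholder\n")
    (local / "id_ed25519").chmod(0o600 if fixed else 0o644)
    (local / "id_ed25519.pub").write_text(SAMPLE_PUB + "\n")
    (local / "id_ed25519.pub").chmod(0o644)
    remote = local.parent / "remote_authorized_keys"  # stands in for the remote host's ~/.ssh/authorized_keys
    remote.write_text("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAnotherConstructedKey other@host\n" + (SAMPLE_PUB + "\n" if fixed else ""))
    remote.chmod(0o600)
    return audit_ssh_keys(local, remote)
```

Running `audit_ssh_keys` against a real ~/.ssh and a copy of the remote authorized_keys reports the same findings.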
On Sun, 2016-11-06 at 14:48 -0800, Rich Shepard wrote:
> On the server/workstation and a portable ~/.ssh has 700 perms while the
> authorized_keys, known_hosts, and *.pub key files in that directory have 644
> perms; the others are 600.
>
> I copied (via USB flash drive) the id_ed25519.pub from each host to
> ~/.ssh/authorized_keys on the other host. Recognizing the target host's
> public key appears to be the problem (see the output from portable to
> desktop below) and I don't know how to fix this situation.
>
> Trying to connect to the portable (running Slackware-14.2) from the
> workstation (running Slackware-14.1) fails:
>
> $ ssh -vv typha
> OpenSSH_7.3p1, OpenSSL 1.0.1u 22 Sep 2016
> debug1: Reading configuration data /home/rshepard/.ssh/config
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug2: resolving "typha" port 21498
> debug2: ssh_connect_direct: needpriv 0
> debug1: Connecting to typha [192.168.55.6] port 21498.
> debug1: connect to address 192.168.55.6 port 21498: Connection refused
> ssh: connect to host typha port 21498: Connection refused
>
> Adding an additional 'v' to the command does not increase the output.
>
> From the portable to the workstation I get much more detailed verbosity
> but still no connection:
>
> $ ssh -vv salmo
> OpenSSH_7.2p2, OpenSSL 1.0.2h 3 May 2016
> debug1: Reading configuration data /home/rshepard/.ssh/config
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug2: resolving "salmo" port 21498
> debug2: ssh_connect_direct: needpriv 0
> debug1: Connecting to salmo [127.0.0.1] port 21498.
> debug1: connect to address 127.0.0.1 port 21498: Connection refused
> debug1: Connecting to salmo [192.168.55.1] port 21498.
> debug1: Connection established.
> debug1: key_load_public: No such file or directory
> debug1: identity file /home/rshepard/.ssh/id_dsa type -1
> debug1: key_load_public: No such file or directory
> debug1: identity file /home/rshepard/.ssh/id_dsa-cert type -1
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_7.2
> debug1: Remote protocol version 2.0, remote software version OpenSSH_7.3
> debug1: match: OpenSSH_7.3 pat OpenSSH* compat 0x04000000
> debug2: fd 3 setting O_NONBLOCK
> debug1: Authenticating to salmo:21498 as 'rshepard'
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug2: local client KEXINIT proposal
> debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,ext-info-c
> debug2: host key algorithms: ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa
> debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
> debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
> debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
> debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
> debug2: compression ctos: none,zlib@openssh.com,zlib
> debug2: compression stoc: none,zlib@openssh.com,zlib
> debug2: languages ctos:
> debug2: languages stoc:
> debug2: first_kex_follows 0
> debug2: reserved 0
> debug2: peer server KEXINIT proposal
> debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
> debug2: host key algorithms: ssh-ed25519
> debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
> debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
> debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
> debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
> debug2: compression ctos: none,zlib@openssh.com
> debug2: compression stoc: none,zlib@openssh.com
> debug2: languages ctos:
> debug2: languages stoc:
> debug2: first_kex_follows 0
> debug2: reserved 0
> debug1: kex: algorithm: curve25519-sha256@libssh.org
> debug1: kex: host key algorithm: ssh-ed25519
> debug1: kex: server->client cipher: aes128-ctr MAC: umac-64-etm@openssh.com compression: none
> debug1: kex: client->server cipher: aes128-ctr MAC: umac-64-etm@openssh.com compression: none
> debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
> debug1: Server host key: ssh-ed25519 SHA256:9T1sRfIPmzJvODsTIOexYiBawQAJp6fN9GS1S9zGewg
> debug1: Host '[salmo]:21498' is known and matches the ED25519 host key.
> debug1: Found key in /home/rshepard/.ssh/known_hosts:1
> debug2: set_newkeys: mode 1
> debug1: rekey after 4294967296 blocks
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug2: set_newkeys: mode 0
> debug1: rekey after 4294967296 blocks
> debug1: SSH2_MSG_NEWKEYS received
> debug2: key: /home/rshepard/.ssh/id_dsa ((nil))
> debug1: SSH2_MSG_EXT_INFO received
> debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
> debug2: service_accept: ssh-userauth
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug1: Authentications that can continue: publickey
> debug1: Next authentication method: publickey
> debug1: Trying private key: /home/rshepard/.ssh/id_dsa
> debug2: we did not send a packet, disable method
> debug1: No more authentication methods to try.
> Permission denied (publickey).
>
> The only key type I specified with ssh-keygen (on both hosts) is ed25519;
> no dsa present.
>
> I'm looking forward to learning what I did incorrectly and correcting it
> so I don't make the same error with other hosts.
>
> Rich
> _______________________________________________
> PLUG mailing list
> [email protected]
> http://lists.pdxlinux.org/mailman/listinfo/plug
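As an added example that is not part of the thread: a Python parser for the facts an `ssh -vv` run reports (addresses refused, whether a connection was established, whether the host key matched known_hosts, which identity files the client could load, what the server offered, and the final result), run over a constructed excerpt modelled on Rich's `ssh -vv salmo` output above.

```python
import re

# Constructed excerpt modelled on the `ssh -vv salmo` output quoted above, not the full log.
SAMPLE_DEBUG = """\
debug1: Connecting to salmo [127.0.0.1] port 21498.
debug1: connect to address 127.0.0.1 port 21498: Connection refused
debug1: Connecting to salmo [192.168.55.1] port 21498.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /home/rshepard/.ssh/id_dsa type -1
debug1: identity file /home/rshepard/.ssh/id_dsa-cert type -1
debug1: Host '[salmo]:21498' is known and matches the ED25519 host key.
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/rshepard/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey).
"""

def summarize_ssh_debug(text):
    """Pull the facts that matter for a publickey failure out of ssh -v/-vv client output."""
    s = {"refused": [], "established": False, "host_key_known": False,
         "identities": {}, "server_methods": [], "tried": [], "result": None}
    for line in text.splitlines():
        if m := re.match(r"debug1: connect to address (\S+) port (\d+): (.*)", line):
            s["refused"].append((m.group(1), int(m.group(2)), m.group(3)))
        elif line.startswith("debug1: Connection established"):
            s["established"] = True
        elif "is known and matches" in line:  # host key verified against known_hosts
            s["host_key_known"] = True
        elif m := re.match(r"debug1: identity file (\S+) type (-?\d+)", line):
            s["identities"][m.group(1)] = int(m.group(2)) != -1  # type -1: file could not be loaded
        elif m := re.match(r"debug1: Authentications that can continue: (.*)", line):
            s["server_methods"] = m.group(1).split(",")
        elif m := re.match(r"debug1: Trying private key: (\S+)", line):
            s["tried"].append(m.group(1))
        elif line.startswith(("Permission denied", "ssh: connect to host")):
            s["result"] = line.strip()
    return s

def missing_identities(summary):
    """Identity files the client was configured to offer but could not load (-cert files are normally absent)."""
    return [p for p, loaded in summary["identities"].items() if not loaded and not p.endswith("-cert")]
```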