"Eric J. Schwertfeger" <[EMAIL PROTECTED]> writes:
> Now for the hard part: educating myself enough to write up a quick
> howto-type document. I promise I will write up everything I learn and
> allow it to be disseminated far and wide. I do html, but not man or info
> (yet).
Good. One detail: you never write info by hand, you write texinfo. But
HTML or even plain text should be a good start.
> Two points, both almost certainly educational:
>
> How does one set up ~/.lsh/known_hosts? I generated NEW_KEY, NEW_KEY.pub,
> ~/.lsh/identity and ~/.lsh/identity.pub.
>
> As root, I'm running
>
> ./lshd -p 4711 -h NEW_KEY --debug --trace -v
>
> As expected, I received
>
> Received unauthenticated key for host localhost
>
> when I tried to connect. Simple enough question, I assume that
> ~/.lsh/known_hosts has something to do with this. What do I put there?
> All I do know is that copying the data from captured_keys to known_hosts
> doesn't cut it. And is there a global place to place trusted host keys?
Copying keys from captured_keys to known_hosts should work. There's no
global file for trusted host keys. In the longer run, you would
probably create one master key pair for your site, distribute it to
your users, and then use it for signing each of your host keys. But the
support for spki certificates does not exist yet.
> It looks like copying NEW_KEY to /etc/lsh_host_key should make it so
> that I don't have to have -h NEW_KEY on the command line every time,
> correct?
Correct. /etc/lsh_host_key is the default for that option.
> Second, when I added --sloppy-host-authentication to the lsh command line,
> I got (from lshd, lsh just said "Unhandled exception of type 0x4001:
> Public key userauth failed.")
>
> DEBUG: received SSH_MSG_USERAUTH_REQUEST *****
> handle_connection: Received packet of type 50
> (SSH_MSG_USERAUTH_REQUEST) Unknown publickey algorithm
> server_publickey.c:100: do_authenticate: Raising exception Unsupported
> public key algorithm. (type 16385), using handler installed by
> server_userauth.c:453: do_userauth
Hmm. There seem to be two problems here: First of all, neither lsh
nor lshd should die if public key user auth fails. You don't say if
the server survived or not. Secondly, the unknown algorithm message
seems strange; both sides should support the same two algorithms: spki
and ssh-dss. But the latter problem should not be fatal.
> When generating the identity files, I just used
>
> ./lsh_keygen -l 8 | ./lsh_writekey
>
> and it created ~/.lsh for me. I then did
>
> cat ~/.lsh/identity.pub | ./sexp_conv -i transport -o canonical | md5
> touch ~/.lsh/authorized_keys_md5/26440d245a2d73a6f48916f0d39baafa
>
> What did I miss? I'm assuming that this is something I did
> wrong, since Balazs had it working (which is where I found the
> two lines above).
Current versions use sha1 rather than md5. The right command is
something like

touch ~/.lsh/authorized_keys_sha1/`sexp_conv < some_pubkey --hash sha1 --raw-hash --once`

Or use the script src/lsh-authorize.
> And how would one go about having multiple incoming identities? Say if I
> generate a key for each workstation I'd be logging in from?
You usually don't want to copy the private keys between machines. So
you generate one keypair for each machine you want to log in from.
Then copy each of the public keys to the machine you want to log in to
and authorize them as above.
/Niels
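The authorization scheme discussed in the thread (a marker file named by the hash of the canonical public key, so an md5-named file is simply never looked up by a sha1-based server) can be reproduced outside lsh. The script below is an added illustration, not lsh's own sexp_conv or lsh-authorize; it assumes the SPKI transport encoding is the canonical s-expression base64-encoded inside braces, and uses a small constructed s-expression in place of a real (public-key ...) blob.

```python
import base64
import hashlib
import os
import re

# Constructed stand-in for an lsh public key in canonical s-expression form.
# A real key is a larger "(public-key (dsa ...))" expression, same mechanism.
SAMPLE_CANONICAL = b"(3:foo3:bar)"


def canonical_to_transport(canonical: bytes) -> str:
    """Transport encoding (assumed): base64 of the canonical form in braces."""
    return "{" + base64.b64encode(canonical).decode("ascii") + "}"


def transport_to_canonical(transport: str) -> bytes:
    """Inverse of the above; whitespace inside the braces is ignored."""
    m = re.fullmatch(r"\s*\{([A-Za-z0-9+/=\s]*)\}\s*", transport)
    if not m:
        raise ValueError("not a transport-encoded s-expression")
    return base64.b64decode(re.sub(r"\s+", "", m.group(1)))


def key_digest(canonical: bytes, algo: str) -> str:
    """Hex digest of the canonical key; this is the marker file's name."""
    return hashlib.new(algo, canonical).hexdigest()


def authorized_key_path(transport: str, algo: str = "sha1", home: str = "~") -> str:
    """Where a <algo>-based server looks: ~/.lsh/authorized_keys_<algo>/<digest>."""
    canonical = transport_to_canonical(transport)
    return os.path.join(home, ".lsh", f"authorized_keys_{algo}",
                        key_digest(canonical, algo))


def authorize(transport: str, algo: str = "sha1", home: str = "~") -> str:
    """The 'touch' from the thread: create the empty marker file, return its path."""
    path = os.path.expanduser(authorized_key_path(transport, algo, home))
    os.makedirs(os.path.dirname(path), mode=0o700, exist_ok=True)
    open(path, "a").close()
    return path


if __name__ == "__main__":
    t = canonical_to_transport(SAMPLE_CANONICAL)
    print("transport form:", t)
    # Same key, two different file names: a server hashing with sha1 never
    # sees the md5-named marker, which is the mismatch in the thread.
    print("md5  marker:", authorized_key_path(t, "md5"))
    print("sha1 marker:", authorized_key_path(t, "sha1"))
```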