Re: Re: Authentication with SSH using public keys

2008-11-04 Thread af300wsm



 Following onto the e-mail I made before, apparently that little permissions
 difference for the directory, .ssh, was the problem. Changing it to 644 has,
 apparently, fixed the problem.

Cool :) . I learnt this from my first SSH public-key authentication
configuration ;)

Ashish
--

Of course I meant to say that changing the perms to 755 fixed it, not 644.  
I'm still reviewing the docs but I think that this directory could be made  
700, is that correct? Or, at the least, 750?

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: Re: Authentication with SSH using public keys

2008-11-04 Thread Yuri Pankov
On Tue, Nov 04, 2008 at 12:39:36PM -0800, [EMAIL PROTECTED] wrote:


  Following onto the e-mail I made before, apparently that little permissions
  difference for the directory, .ssh, was the problem. Changing it to 644 has,
  apparently, fixed the problem.

 Cool :) . I learnt this from my first SSH public-key authentication
 configuration ;)

 Ashish
 --

 Of course I meant to say that changing the perms to 755 fixed it, not
 644. I'm still reviewing the docs but I think that this directory could
 be made 700, is that correct? Or, at the least, 750?

From ssh(1):
 ~/.ssh/
 This directory is the default location for all user-specific
 configuration and authentication information.  There is no general
 requirement to keep the entire contents of this directory secret,
 but the recommended permissions are read/write/execute for the
 user, and not accessible by others.

So 700 is not only possible, but also recommended. :-)


Yuri


Re: Re: Authentication with SSH using public keys

2008-11-04 Thread Jeremy Chadwick
On Tue, Nov 04, 2008 at 12:39:36PM -0800, [EMAIL PROTECTED] wrote:


  Following onto the e-mail I made before, apparently that little permissions
  difference for the directory, .ssh, was the problem. Changing it to 644 has,
  apparently, fixed the problem.

 Cool :) . I learnt this from my first SSH public-key authentication
 configuration ;)

 Ashish
 --

 Of course I meant to say that changing the perms to 755 fixed it, not
 644. I'm still reviewing the docs but I think that this directory could
 be made 700, is that correct? Or, at the least, 750?

The ~/.ssh directory should be 700.  Remember, sshd runs as root, which
means the permissions shouldn't really matter (sans the execute bit,
which as I said is needed for directories).

You don't want 750 unless you ***really*** intend for members of the
same group to have read access to your ~/.ssh/ directory.  Based on the
OP's description of the setup, he does not need this.

-- 
| Jeremy Chadwick                    jdc at parodius.com |
| Parodius Networking           http://www.parodius.com/ |
| UNIX Systems Administrator      Mountain View, CA, USA |
| Making life hard for others since 1977.  PGP: 4BD6C0CB |



Re: Authentication with SSH using public keys

2008-11-03 Thread Andrew Falanga
On Fri, Oct 31, 2008 at 6:46 PM, आशीष शुक्ल Ashish Shukla
[EMAIL PROTECTED] wrote:
 In [EMAIL PROTECTED], Andrew Falanga wrote:

 Hi,

 My father recently setup a new 7.0-Release system for some web
 development.  I use ssh to login remotely.  I've normally not had any
 trouble configuring authentication through public key encryption using
 ssh-keygen and such.  I have for myself a id_rsa.pub and an id_rsa key pair
 that I use for this purpose.

 Normally, I just copy, via scp, the file id_rsa.pub to my
 ~/.ssh/authorized_keys file on the remote host and the next time I attempt a
 login all is well.  That is, I don't have to enter my password.  However, on
 my Dad's new machine, this isn't the case.  I still have to enter the
 password.

 Now, I've looked through his /etc/ssh/sshd_config file and nothing in
 there looks odd, or different, from other remote hosts I do this on.  So,
 I'm embedding a copy/paste of an ssh login session on my father's host using
 -v -v to ssh:

 [/usr/home/andy/MCH]
 - ssh -v -v malumgat

 [...]

 debug1: Authentications that can continue: publickey,keyboard-interactive
 debug1: Next authentication method: publickey
 debug1: Trying private key: /home/andy/.ssh/identity
 debug1: Offering public key: /home/andy/.ssh/id_rsa
 debug2: we sent a publickey packet, wait for reply
 debug1: Authentications that can continue: publickey,keyboard-interactive

 It seems OpenSSH (on your dad's box) hasn't recognized your private key, so
 how about checking permissions of ~/.ssh/authorized_keys and ~/.ssh on his
 box. Or how about enabling verbose logging on his box, using 'LogLevel'
 parameter in sshd_config.

 HTH
 Ashish Shukla

The permissions on the machine where it works:
[www:/home/afalanga]
- ls -la .ssh/
total 6
drwxr-xr-x  2 afalanga  staff  512 Sep 28 03:33 .
drwxr-xr-x  3 afalanga  staff  512 Oct 29 08:31 ..
-rw-r--r--  1 afalanga  staff  393 Sep 28 03:33 authorized_keys

The permissions on the machine where it doesn't work:
[EMAIL PROTECTED] ~]$ ls -la .ssh/
total 6
drwxrwxr-x  2 andy  wheel  512 Oct 10 04:30 .
drwxr-xr-x  4 andy  wheel  512 Oct 31 06:30 ..
-rw-r--r--  1 andy  wheel  393 Oct 28 10:01 authorized_keys

I see a difference in that the directory on the machine where it
doesn't work is writable to the group, but on the machine where it
does work the directory isn't writable.  Other than that, the
permissions don't look different, do they?

Andy
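
The difference spotted in this message, as an added example that is not part of the original thread: with sshd's StrictModes option (on by default), `authorized_keys` is not used when it, `~/.ssh` or the home directory is writable by other users. The script checks those three paths for group/world write bits and for a directory missing the owner's execute bit; the function names and the sample tree are constructed for illustration, and ownership is assumed to be correct.

```shell
#!/bin/sh
# Added example (not from the thread): report the mode problems discussed above.
# Only mode bits are checked; ownership is assumed to be correct.

# has_mode PATH MODE: true if every bit in MODE is set on PATH (POSIX find).
has_mode() {
    [ -n "$(find "$1" -prune -perm "-$2" -print 2>/dev/null)" ]
}

# audit_ssh_perms HOME: print one line per problem, return the problem count.
audit_ssh_perms() {
    problems=0
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        # Group- or world-writable: the difference between the two hosts.
        if has_mode "$p" 020 || has_mode "$p" 002; then
            echo "WRITABLE-BY-OTHERS $(ls -ld "$p")"
            problems=$((problems + 1))
        fi
        # A directory without the owner's execute bit cannot be entered (644).
        if [ -d "$p" ] && ! has_mode "$p" 100; then
            echo "NO-EXECUTE-BIT $(ls -ld "$p")"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# make_sample_home: constructed tree with the modes from the failing host.
make_sample_home() {
    h=$(mktemp -d) || return 1
    mkdir "$h/.ssh" && : > "$h/.ssh/authorized_keys"
    chmod 755 "$h"; chmod 775 "$h/.ssh"; chmod 644 "$h/.ssh/authorized_keys"
    echo "$h"
}

h=$(make_sample_home)
audit_ssh_perms "$h" || echo "problems found: $?"
chmod 700 "$h/.ssh"        # the mode ssh(1) recommends
audit_ssh_perms "$h" && echo "clean"
rm -rf "$h"
```

To check a real account, call `audit_ssh_perms "$HOME"` on the server as the user who cannot log in.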

Re: Authentication with SSH using public keys

2008-11-03 Thread Andrew Falanga


 debug1: Authentications that can continue: publickey,keyboard-interactive
 debug1: Next authentication method: publickey
 debug1: Trying private key: /home/andy/.ssh/identity
 debug1: Offering public key: /home/andy/.ssh/id_rsa
 debug2: we sent a publickey packet, wait for reply
 debug1: Authentications that can continue: publickey,keyboard-interactive

 It seems OpenSSH (on your dad's box) hasn't recognized your private key, so
 how about checking permissions of ~/.ssh/authorized_keys and ~/.ssh on his
 box. Or how about enabling verbose logging on his box, using 'LogLevel'
 parameter in sshd_config.

 HTH
 Ashish Shukla


Following onto the e-mail I made before, apparently that little permissions 
difference for the directory, .ssh, was the problem.  Changing it to 644 has, 
apparently, fixed the problem.

Andy


Re: Authentication with SSH using public keys

2008-11-03 Thread Jeremy Chadwick
On Mon, Nov 03, 2008 at 07:29:46PM -0700, Andrew Falanga wrote:
 
 
  debug1: Authentications that can continue: publickey,keyboard-interactive
  debug1: Next authentication method: publickey
  debug1: Trying private key: /home/andy/.ssh/identity
  debug1: Offering public key: /home/andy/.ssh/id_rsa
  debug2: we sent a publickey packet, wait for reply
  debug1: Authentications that can continue: publickey,keyboard-interactive
 
  It seems OpenSSH (on your dad's box) hasn't recognized your private key, so
  how about checking permissions of ~/.ssh/authorized_keys and ~/.ssh on his
  box. Or how about enabling verbose logging on his box, using 'LogLevel'
  parameter in sshd_config.
 
  HTH
  Ashish Shukla
 
 
 Following onto the e-mail I made before, apparently that little permissions 
 difference for the directory, .ssh, was the problem.  Changing it to 644 has, 
 apparently, fixed the problem.

Which doesn't make sense for two reasons:

1) Directories must have the execute bit set (644 lacks that),
2) ~/.ssh should be 700 for security reasons.

-- 
| Jeremy Chadwick                    jdc at parodius.com |
| Parodius Networking           http://www.parodius.com/ |
| UNIX Systems Administrator      Mountain View, CA, USA |
| Making life hard for others since 1977.  PGP: 4BD6C0CB |



Re: Authentication with SSH using public keys

2008-11-03 Thread Ashish Shukla आशीष शुक्ल
Andrew Falanga writes:

 
 debug1: Authentications that can continue: publickey,keyboard-interactive
 debug1: Next authentication method: publickey
 debug1: Trying private key: /home/andy/.ssh/identity
 debug1: Offering public key: /home/andy/.ssh/id_rsa
 debug2: we sent a publickey packet, wait for reply
 debug1: Authentications that can continue: publickey,keyboard-interactive
 
 It seems OpenSSH (on your dad's box) hasn't recognized your private key, so
 how about checking permissions of ~/.ssh/authorized_keys and ~/.ssh on his
 box. Or how about enabling verbose logging on his box, using 'LogLevel'
 parameter in sshd_config.
 
 HTH
 Ashish Shukla


 Following onto the e-mail I made before, apparently that little permissions 
 difference for the directory, .ssh, was the problem.  Changing it to 644 has, 
 apparently, fixed the problem.

Cool :) . I learnt this from my first SSH public-key authentication
configuration ;)

Ashish
-- 
()  ascii ribbon campaign - against HTML e-mail
/\  www.asciiribbon.org   - against proprietary attachments
·-- ·-  ·--- ·- ···- ·- ·--·-· --· -- ·- ·· ·-·· ·-·-·- -·-· --- --
% dig +short cname cdac.in @::1
ms.gov.in




Authentication with SSH using public keys

2008-10-31 Thread Andrew Falanga
Hi,

My father recently setup a new 7.0-Release system for some web development.  I 
use ssh to login remotely.  I've normally not had any trouble configuring 
authentication through public key encryption using ssh-keygen and such.  I 
have for myself a id_rsa.pub and an id_rsa key pair that I use for this 
purpose.

Normally, I just copy, via scp, the file id_rsa.pub to my 
~/.ssh/authorized_keys file on the remote host and the next time I attempt a 
login all is well.  That is, I don't have to enter my password.  However, on 
my Dad's new machine, this isn't the case.  I still have to enter the 
password.

Now, I've looked through his /etc/ssh/sshd_config file and nothing in there 
looks odd, or different, from other remote hosts I do this on.  So, I'm 
embedding a copy/paste of an ssh login session on my father's host 
using -v -v to ssh:

[/usr/home/andy/MCH]
- ssh -v -v malumgat
OpenSSH_4.5p1 FreeBSD-20061110, OpenSSL 0.9.7e-p1 25 Oct 2004
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to malumgat [24.59.91.121] port 22.
debug1: Connection established.
debug1: identity file /home/andy/.ssh/identity type -1
debug2: key_type_from_name: unknown key type '-BEGIN'
debug2: key_type_from_name: unknown key type '-END'
debug1: identity file /home/andy/.ssh/id_rsa type 1
debug1: identity file /home/andy/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.5p1 FreeBSD-20061110
debug1: match: OpenSSH_4.5p1 FreeBSD-20061110 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.5p1 FreeBSD-20061110
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-dss,ssh-rsa
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED],aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED],aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[EMAIL PROTECTED],zlib
debug2: kex_parse_kexinit: none,[EMAIL PROTECTED],zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED],aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED],aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[EMAIL PROTECTED]
debug2: kex_parse_kexinit: none,[EMAIL PROTECTED]
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server-client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client-server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 132/256
debug2: bits set: 526/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'malumgat' is known and matches the DSA host key.
debug1: Found key in /home/andy/.ssh/known_hosts:9
debug2: bits set: 494/1024
debug1: ssh_dss_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/andy/.ssh/identity (0x0)
debug2: key: /home/andy/.ssh/id_rsa (0x5308a0)
debug2: key: /home/andy/.ssh/id_dsa (0x0)
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /home/andy/.ssh/identity
debug1: 

Re: Authentication with SSH using public keys

2008-10-31 Thread आशीष शुक्ल Ashish Shukla

In [EMAIL PROTECTED], Andrew Falanga wrote:

Hi,

My father recently setup a new 7.0-Release system for some web development.  I 
use ssh to login remotely.  I've normally not had any trouble configuring 
authentication through public key encryption using ssh-keygen and such.  I 
have for myself a id_rsa.pub and an id_rsa key pair that I use for this 
purpose.


Normally, I just copy, via scp, the file id_rsa.pub to my 
~/.ssh/authorized_keys file on the remote host and the next time I attempt a 
login all is well.  That is, I don't have to enter my password.  However, on 
my Dad's new machine, this isn't the case.  I still have to enter the 
password.


Now, I've looked through his /etc/ssh/sshd_config file and nothing in there 
looks odd, or different, from other remote hosts I do this on.  So, I'm 
embedding a copy/paste of an ssh login session on my father's host 
using -v -v to ssh:


[/usr/home/andy/MCH]
- ssh -v -v malumgat


[...]


debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /home/andy/.ssh/identity
debug1: Offering public key: /home/andy/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,keyboard-interactive


It seems OpenSSH (on your dad's box) hasn't recognized your private key, so how 
about checking permissions of ~/.ssh/authorized_keys and ~/.ssh on his box. Or 
how about enabling verbose logging on his box, using 'LogLevel' parameter in 
sshd_config.


HTH
Ashish Shukla
--
·-- ·-  ·--- ·- ···- ·- ·--·-· --· -- ·- ·· ·-·· ·-·-·- -·-· --- --
()  ascii ribbon campaign - against HTML e-mail
/\  www.asciiribbon.org   - against proprietary attachments

