Re: SSH with Public Key Authentication (Was: Re: Attention: Giorgos Keramidas (Was: CVS Import Permissions))
On 2006-02-02 10:30, david bryce [EMAIL PROTECTED] wrote:
> On Tue, 31 Jan 2006 11:41:35 +0200, Giorgos Keramidas [EMAIL PROTECTED] said:
>>> We are currently using a pserver installation, with developers using windows machines. We need a way to achieve the same effect with a user on a windows machine doing an import. Do you have any idea how this can be done? Thank you!
>>
>> I'm not sure. I know that the setting of CVSUMASK on the server machine works if you use SSH tunneling though. If it's not too much trouble, you can set up SSH-based authentication instead of :pserver: and make sure the .bashrc or .cshrc of the developers on the server machine sets CVSUMASK correctly. SSH-tunneled CVS is what the FreeBSD project uses in the official CVS repository, so I guess this setup works as expected :)
>
> Giorgos,
>
> Thanks again for taking the time to reply. I have tried using SSH in the past, and got stuck setting up the public key login (that's why we're using pserver).
>
> I spent a few hours yesterday trying to get SSH going again. I can login with SSH from the windows machine using Putty, but only when I use password authentication. In order to use cvs with ssh (using the plink program in Putty), we must use public key authentication.

Unfortunately, I can't help with the Windows side. I'm only using UNIX machines as clients, so Putty is something new to me :-(

Perhaps someone else on freebsd-questions can help with Putty?

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: SSH with Public Key Authentication (Was: Re: Attention: Giorgos Keramidas (Was: CVS Import Permissions))
On Thu, 2 Feb 2006 01:48:37 +0200 Giorgos Keramidas [EMAIL PROTECTED] wrote:
>> I spent a few hours yesterday trying to get SSH going again. I can login with SSH from the windows machine using Putty, but only when I use password authentication. In order to use cvs with ssh (using the plink program in Putty), we must use public key authentication.
>
> Unfortunately, I can't help with the Windows side. I'm only using UNIX machines as clients, so Putty is something new to me :-(

erhm..

    cd /usr/ports/security/putty;make install

:-)

--
grtjs, albi
gpg-key: lynx -dump http://scii.nl/~albi/gpg.asc | gpg --import

Re: SSH with Public Key Authentication (Was: Re: Attention: Giorgos Keramidas (Was: CVS Import Permissions))
Try one or more of the following things:
- Use puttygen to import your private key, and then export as .ppk
- Load your key.ppk into pageant, and let it manage your private key(s)
- Log in using your private key from the server (ie. login to the server with your password, and then from the shell ssh [EMAIL PROTECTED]).

Please inform me of your results.

On 2/2/06, david bryce [EMAIL PROTECTED] wrote:
> On Tue, 31 Jan 2006 11:41:35 +0200, Giorgos Keramidas [EMAIL PROTECTED] said:
>>> Giorgos,
>>>
>>> Thanks very much for replying! I wasn't aware of this environment variable (even though I spent quite a while on this problem). Using CVSUMASK certainly works when working on the server machine!
>>>
>>> We are currently using a pserver installation, with developers using windows machines. We need a way to achieve the same effect with a user on a windows machine doing an import. Do you have any idea how this can be done? Thank you!
>>
>> I'm not sure. I know that the setting of CVSUMASK on the server machine works if you use SSH tunneling though. If it's not too much trouble, you can set up SSH-based authentication instead of :pserver: and make sure the .bashrc or .cshrc of the developers on the server machine sets CVSUMASK correctly. SSH-tunneled CVS is what the FreeBSD project uses in the official CVS repository, so I guess this setup works as expected :)
>
> Giorgos,
>
> Thanks again for taking the time to reply. I have tried using SSH in the past, and got stuck setting up the public key login (that's why we're using pserver).
>
> I spent a few hours yesterday trying to get SSH going again. I can login with SSH from the windows machine using Putty, but only when I use password authentication. In order to use cvs with ssh (using the plink program in Putty), we must use public key authentication.
>
> We are getting a 'Key Refused' error when trying to use public key authentication.
>
> I have tried doing several things including editing the /etc/ssh/sshd_config file:
>
>     PubkeyAuthentication yes
>     AuthorizedKeysFile .ssh/authorized_keys
>
> We also had to make these changes in order to get password based ssh to work:
>
>     UsePAM no
>     PermitRootLogin yes
>
> We also tried putting the public key into various files:
>
>     .ssh/authorized_keys
>     .ssh/authorized_keys2
>     .ssh2/authorized_keys
>     .ssh2/authorized_keys2
>
> (and made sure they are not group/world writable. The keys are SSH2 DSA 1024 bits)
>
> I tried looking in the /var/log/auth.log file, and what I'm seeing is:
>
>     Feb 2 10:19:26 mail1 sshd2[15343]: connection from xxx.xx.xxx.x
>     Feb 2 10:19:26 mail1 sshd2[15344]: WARNING: DNS lookup failed for xxx.xx.xxx.\
>     x.
>     Feb 2 10:19:29 mail1 sshd2[15344]: Local disconnected: Connection closed.
>     Feb 2 10:19:29 mail1 sshd2[15344]: connection lost: 'Connection closed.'
>
> (I set LogLevel DEBUG3 in sshd_config. I don't think the DNS error is relevant, because password based ssh is working. But I could be wrong. What do you think?)
>
> Do you have any idea where I can look to find out why the key is being refused? Are there any other logfiles other than auth.log that could give a clue to what's going wrong?
>
> Thanks!
>
> Regards,
> DB
> --
> david bryce [EMAIL PROTECTED]
> --
> http://www.fastmail.fm - A fast, anti-spam email service.

Re: SSH with Public Key Authentication (Was: Re: Attention: Giorgos Keramidas (Was: CVS Import Permissions))
On Thu, 2 Feb 2006 01:48:37 +0200, Giorgos Keramidas
>> Giorgos,
>>
>> Thanks again for taking the time to reply. I have tried using SSH in the past, and got stuck setting up the public key login (that's why we're using pserver).
>>
>> I spent a few hours yesterday trying to get SSH going again. I can login with SSH from the windows machine using Putty, but only when I use password authentication. In order to use cvs with ssh (using the plink program in Putty), we must use public key authentication.
>
> Unfortunately, I can't help with the Windows side. I'm only using UNIX machines as clients, so Putty is something new to me :-(
>
> Perhaps someone else on freebsd-questions can help with Putty?

Thanks, Giorgos!

What about on the freebsd server side? Are there any logfiles I can look at on the server?

Thanks!

Regards,
DB
--
david bryce [EMAIL PROTECTED]
--
http://www.fastmail.fm - mmm... Fastmail...

Re: SSH with Public Key Authentication (Was: Re: Attention: Giorgos Keramidas (Was: CVS Import Permissions))
On Thu, 2 Feb 2006 01:04:19 +0100, Daniel A. [EMAIL PROTECTED] said:
>> Thanks again for taking the time to reply. I have tried using SSH in the past, and got stuck setting up the public key login (that's why we're using pserver).
>>
>> I spent a few hours yesterday trying to get SSH going again. I can login with SSH from the windows machine using Putty, but only when I use password authentication. In order to use cvs with ssh (using the plink program in Putty), we must use public key authentication.
>>
>> We are getting a 'Key Refused' error when trying to use public key authentication.
>>
>> I have tried doing several things including editing the /etc/ssh/sshd_config file:
>
> Try one or more of the following things:
> - Use puttygen to import your private key, and then export as .ppk
> - Load your key.ppk into pageant, and let it manage your private key(s)
> - Log in using your private key from the server (ie. login to the server with your password, and then from the shell ssh [EMAIL PROTECTED]).
>
> Please inform me of your results.

Daniel,

Thank you for taking the time to reply. We are currently using pageant to manage the private key. However, the keys we are using are generated with puttygen (not from the server). The public key was then copied to the authorized_keys file on the server. Would you recommend generating the keys on the server? Do you have an idea where are some instructions about how to generate the keys on the server?

Thanks!

Regards,
DB
--
david bryce [EMAIL PROTECTED]
--
http://www.fastmail.fm - The way an email service should be

Re: SSH with Public Key Authentication (Was: Re: Attention: Giorgos Keramidas (Was: CVS Import Permissions))
On 2006-02-02 11:27, david bryce [EMAIL PROTECTED] wrote:
> On Thu, 2 Feb 2006 01:48:37 +0200, Giorgos Keramidas
>>> I have tried using SSH in the past, and got stuck setting up the public key login (that's why we're using pserver).
>>>
>>> I spent a few hours yesterday trying to get SSH going again. I can login with SSH from the windows machine using Putty, but only when I use password authentication. In order to use cvs with ssh (using the plink program in Putty), we must use public key authentication.
>>
>> Unfortunately, I can't help with the Windows side. I'm only using UNIX machines as clients, so Putty is something new to me :-(
>>
>> Perhaps someone else on freebsd-questions can help with Putty?
>
> What about on the freebsd server side? Are there any logfiles I can look at on the server? Thanks!

/var/log/auth.log and /var/log/messages are the ones I'd look at. But I didn't notice anything interesting in the auth.log snippet you posted.

Re: SSH with Public Key Authentication (Was: Re: Attention: Giorgos Keramidas (Was: CVS Import Permissions))
On Feb 1, 2006, at 4:33 PM, david bryce wrote:
> On Thu, 2 Feb 2006 01:04:19 +0100, Daniel A. [EMAIL PROTECTED] said:
>>> Thanks again for taking the time to reply. I have tried using SSH in the past, and got stuck setting up the public key login (that's why we're using pserver).
>>>
>>> I spent a few hours yesterday trying to get SSH going again. I can login with SSH from the windows machine using Putty, but only when I use password authentication. In order to use cvs with ssh (using the plink program in Putty), we must use public key authentication.
>>>
>>> We are getting a 'Key Refused' error when trying to use public key authentication.
>>>
>>> I have tried doing several things including editing the /etc/ssh/sshd_config file:
>>
>> Try one or more of the following things:
>> - Use puttygen to import your private key, and then export as .ppk
>> - Load your key.ppk into pageant, and let it manage your private key(s)
>> - Log in using your private key from the server (ie. login to the server with your password, and then from the shell ssh [EMAIL PROTECTED]).
>>
>> Please inform me of your results.
>
> Daniel,
>
> Thank you for taking the time to reply. We are currently using pageant to manage the private key. However, the keys we are using are generated with puttygen (not from the server). The public key was then copied to the authorized_keys file on the server. Would you recommend generating the keys on the server? Do you have an idea where are some instructions about how to generate the keys on the server?
>
> Thanks!
>
> Regards,
> DB
> --
> david bryce [EMAIL PROTECTED]
> --
> http://www.fastmail.fm - The way an email service should be

Can you login using any key in the authorized_keys file? Also, what's the umask for authorized keys (ls -l .ssh/authorized_keys)?

-Garrett

Re: SSH with Public Key Authentication (Was: Re: Attention: Giorgos Keramidas (Was: CVS Import Permissions))
On Thu, Feb 02, 2006 at 11:27:54AM +1100, david bryce wrote:
> What about on the freebsd server side? Are there any logfiles I can look at on the server? Thanks!

I often find it more useful to temporarily run a second sshd on an alternate port, with stderr directed to the console and sshd in no-detach and debug mode. Try the following:

    $ sshd -d -d -d -e -D -p 222

Then watch the output as you try to connect on that port

    $ ssh myhost -p 222

If you'd like, you can redirect the output to a file, too, but I find that screen(1)'s scrollback usually is enough for me.

--
o--{ Will Maier }--o
| jabber:[EMAIL PROTECTED] | email:[EMAIL PROTECTED] |
| [EMAIL PROTECTED] | [EMAIL PROTECTED] |
*--[ BSD Unix: Live Free or Die ]--*

Re: SSH with Public Key Authentication (Was: Re: Attention: Giorgos Keramidas (Was: CVS Import Permissions))
On 2006-02-02 00:57, albi [EMAIL PROTECTED] wrote:
> On Thu, 2 Feb 2006 01:48:37 +0200 Giorgos Keramidas [EMAIL PROTECTED] wrote:
>>> I spent a few hours yesterday trying to get SSH going again. I can login with SSH from the windows machine using Putty, but only when I use password authentication. In order to use cvs with ssh (using the plink program in Putty), we must use public key authentication.
>>
>> Unfortunately, I can't help with the Windows side. I'm only using UNIX machines as clients, so Putty is something new to me :-(
>
> erhm.. cd /usr/ports/security/putty;make install :-)

Heh! Well, fancy that...

That's one of the side-effects of having an SSH client in the base-system, I guess. Thanks to DES, I never needed Putty on FreeBSD so far :)

Re: SSH with Public Key Authentication (Was: Re: Attention: Giorgos Keramidas (Was: CVS Import Permissions))
david bryce wrote:
> On Thu, 2 Feb 2006 01:04:19 +0100, Daniel A. [EMAIL PROTECTED] said:
>>> Thanks again for taking the time to reply. I have tried using SSH in the past, and got stuck setting up the public key login (that's why we're using pserver).
>>>
>>> I spent a few hours yesterday trying to get SSH going again. I can login with SSH from the windows machine using Putty, but only when I use password authentication. In order to use cvs with ssh (using the plink program in Putty), we must use public key authentication.
>>>
>>> We are getting a 'Key Refused' error when trying to use public key authentication.
>>>
>>> I have tried doing several things including editing the /etc/ssh/sshd_config file:
>>
>> Try one or more of the following things:
>> - Use puttygen to import your private key, and then export as .ppk
>> - Load your key.ppk into pageant, and let it manage your private key(s)
>> - Log in using your private key from the server (ie. login to the server with your password, and then from the shell ssh [EMAIL PROTECTED]).
>>
>> Please inform me of your results.
>
> Daniel,
>
> Thank you for taking the time to reply. We are currently using pageant to manage the private key. However, the keys we are using are generated with puttygen (not from the server). The public key was then copied to the authorized_keys file on the server. Would you recommend generating the keys on the server? Do you have an idea where are some instructions about how to generate the keys on the server?
>
> Thanks!
>
> Regards,
> DB

Out of curiosity did you use save public key or copy and paste out of the public key for pasting in openssh authorized_keys file box? If I remember correctly, the save public key does not produce an openssh compatible public key. Doing the copy and paste routine should work.

HTH,
Micah

Re: SSH with Public Key Authentication (Was: Re: Attention: Giorgos Keramidas (Was: CVS Import Permissions))
On Feb 1, 2006, at 4:54 PM, Giorgos Keramidas wrote:
> On 2006-02-02 00:57, albi [EMAIL PROTECTED] wrote:
>> On Thu, 2 Feb 2006 01:48:37 +0200 Giorgos Keramidas [EMAIL PROTECTED] wrote:
>>>> I spent a few hours yesterday trying to get SSH going again. I can login with SSH from the windows machine using Putty, but only when I use password authentication. In order to use cvs with ssh (using the plink program in Putty), we must use public key authentication.
>>>
>>> Unfortunately, I can't help with the Windows side. I'm only using UNIX machines as clients, so Putty is something new to me :-(
>>
>> erhm.. cd /usr/ports/security/putty;make install :-)
>
> Heh! Well, fancy that...
>
> That's one of the side-effects of having an SSH client in the base-system, I guess. Thanks to DES, I never needed Putty on FreeBSD so far :)

Putty's just a nice lightweight GUI ssh client for Windows that was ported to Unix sometime in the past 2 years.

-Garrett

Re: SSH with Public Key Authentication (Was: Re: Attention: Giorgos Keramidas (Was: CVS Import Permissions))
On Thu, 2 Feb 2006 02:38:29 +0200, Giorgos Keramidas [EMAIL PROTECTED] said:
> On 2006-02-02 11:27, david bryce [EMAIL PROTECTED] wrote:
>> On Thu, 2 Feb 2006 01:48:37 +0200, Giorgos Keramidas
>>>> I have tried using SSH in the past, and got stuck setting up the public key login (that's why we're using pserver).
>>>>
>>>> I spent a few hours yesterday trying to get SSH going again. I can login with SSH from the windows machine using Putty, but only when I use password authentication. In order to use cvs with ssh (using the plink program in Putty), we must use public key authentication.
>>>
>>> Unfortunately, I can't help with the Windows side. I'm only using UNIX machines as clients, so Putty is something new to me :-(
>>>
>>> Perhaps someone else on freebsd-questions can help with Putty?
>>
>> What about on the freebsd server side? Are there any logfiles I can look at on the server? Thanks!
>
> /var/log/auth.log and /var/log/messages are the ones I'd look at. But I didn't notice anything interesting in the auth.log snippet you posted.

Thanks, Giorgos!

/var/log/messages didn't have anything in it either. You'd think there'd be a way to force sshd to write to the log why it rejected a private key.

Thank you!

Regards.
DB
--
david bryce [EMAIL PROTECTED]
--
http://www.fastmail.fm - Access all of your messages and folders wherever you are

Re: SSH with Public Key Authentication (Was: Re: Attention: Giorgos Keramidas (Was: CVS Import Permissions))
On Wed, 01 Feb 2006 16:59:53 -0800, Micah [EMAIL PROTECTED] said:
> david bryce wrote:
>> We are currently using pageant to manage the private key. However, the keys we are using are generated with puttygen (not from the server). The public key was then copied to the authorized_keys file on the server. Would you recommend generating the keys on the server? Do you have an idea where are some instructions about how to generate the keys on the server?
>>
>> Thanks!
>>
>> Regards,
>> DB
>
> Out of curiosity did you use save public key or copy and paste out of the public key for pasting in openssh authorized_keys file box? If I remember correctly, the save public key does not produce an openssh compatible public key. Doing the copy and paste routine should work.
>
> HTH,
> Micah

Thanks, Micah!

I did use copy and paste out of the public key memo box.

Regards,
DB
--
david bryce [EMAIL PROTECTED]
--
http://www.fastmail.fm - Send your email first class

Re: SSH with Public Key Authentication (Was: Re: Attention: Giorgos Keramidas (Was: CVS Import Permissions))
On Wed, 01 Feb 2006 16:59:53 -0800, Micah [EMAIL PROTECTED] said:
> david bryce wrote:
>> On Thu, 2 Feb 2006 01:04:19 +0100, Daniel A. [EMAIL PROTECTED] said:
>>>> Thanks again for taking the time to reply. I have tried using SSH in the past, and got stuck setting up the public key login (that's why we're using pserver).
>
> Out of curiosity did you use save public key or copy and paste out of the public key for pasting in openssh authorized_keys file box? If I remember correctly, the save public key does not produce an openssh compatible public key. Doing the copy and paste routine should work.
>
> HTH,
> Micah

Hi All,

I must apologize to all, as there seems to be a sshd2 installation on this machine which was muddying the water. Please see the thread titled Attention: Garrett Cooper (Was: SSH with Public Key Authentication).

Regards,
DB
--
david bryce [EMAIL PROTECTED]
--
http://www.fastmail.fm - Faster than the air-speed velocity of an unladen european swallow

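The auth.log lines posted earlier in the thread are tagged `sshd2`, not `sshd`, which is the visible sign of the second daemon mentioned above. As an added example (not code from any poster), this parses those lines, reports which SSH daemon names logged, and checks whether any line records an authentication decision; the expected name `sshd`, the keyword list and the function names are assumptions.

```python
import re
from collections import Counter

# Lines from the auth.log excerpt posted earlier in this thread (addresses
# were already masked by the poster; the wrapped DNS line is rejoined).
POSTED_LOG = """\
Feb 2 10:19:26 mail1 sshd2[15343]: connection from xxx.xx.xxx.x
Feb 2 10:19:26 mail1 sshd2[15344]: WARNING: DNS lookup failed for xxx.xx.xxx.x.
Feb 2 10:19:29 mail1 sshd2[15344]: Local disconnected: Connection closed.
Feb 2 10:19:29 mail1 sshd2[15344]: connection lost: 'Connection closed.'
"""

# BSD syslog layout: "Mon DD HH:MM:SS host tag[pid]: message"
SYSLOG = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
    r"(?P<tag>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?:\s(?P<msg>.*)$"
)

# Heuristic (assumed) words that suggest a line records an auth decision.
AUTH_WORDS = ("accepted", "refused", "publickey", "password", "auth")


def parse(log_text):
    """Yield one dict per syslog line; lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = SYSLOG.match(line)
        if m:
            yield m.groupdict()


def review(log_text, expected_daemon="sshd"):
    """Report which sshd-like tags logged and which lines mention authentication."""
    records = list(parse(log_text))
    tags = Counter(r["tag"] for r in records if r["tag"].startswith("sshd"))
    unexpected = sorted(t for t in tags if t != expected_daemon)
    auth_lines = [r["msg"] for r in records
                  if any(w in r["msg"].lower() for w in AUTH_WORDS)]
    return {"daemons": dict(tags), "unexpected": unexpected, "auth_lines": auth_lines}


if __name__ == "__main__":
    print(review(POSTED_LOG))
```

An unexpected tag means the daemon answering the connection is not the one whose configuration file was being edited, and an empty `auth_lines` matches the observation that the excerpt held nothing about why the key was refused.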
Re: SSH with Public Key Authentication (Was: Re: Attention: Giorgos Keramidas (Was: CVS Import Permissions))
david bryce wrote:
> On Thu, 2 Feb 2006 02:38:29 +0200, Giorgos Keramidas [EMAIL PROTECTED] said:
>> On 2006-02-02 11:27, david bryce [EMAIL PROTECTED] wrote:
>>> On Thu, 2 Feb 2006 01:48:37 +0200, Giorgos Keramidas
>>>>> I have tried using SSH in the past, and got stuck setting up the public key login (that's why we're using pserver).
>>>>>
>>>>> I spent a few hours yesterday trying to get SSH going again. I can login with SSH from the windows machine using Putty, but only when I use password authentication. In order to use cvs with ssh (using the plink program in Putty), we must use public key authentication.
>>>>
>>>> Unfortunately, I can't help with the Windows side. I'm only using UNIX machines as clients, so Putty is something new to me :-(
>>>>
>>>> Perhaps someone else on freebsd-questions can help with Putty?
>>>
>>> What about on the freebsd server side? Are there any logfiles I can look at on the server? Thanks!
>>
>> /var/log/auth.log and /var/log/messages are the ones I'd look at. But I didn't notice anything interesting in the auth.log snippet you posted.
>
> Thanks, Giorgos! /var/log/messages didn't have anything in it either. You'd think there'd be a way to force sshd to write to the log why it rejected a private key. Thank you!

You do know that putty generates keys using the preferred SSH2-compatible format of SSH Corp (http://www.ssh.com/) whereas the FreeBSD box you're trying to log into uses the slightly different format from the OpenSSH project (http://www.openssh.org/)?

If you generate your keys within putty, then copy the public key onto your FreeBSD box you can convert the format like so:

    # ssh-keygen -i -f putty.pubkey > openssh.pubkey

If you examine the two files, you'll see that the differences are that the OpenSSH one doesn't have the 'BEGIN' and 'END' lines, and all of the data is on one single long line. There's also a '-e' option for exporting OpenSSH keys to the SSH2-compatible format.

Oh, and to get more logging info out of sshd, run it with 3 '-d' flags on a separate port number:

    sshd -d -d -d -p <port>

That will cause ssh not to daemonize, so it will quit when you end your ssh session. You don't want to run sshd with max debug turned on all the time, as it will potentially leak sensitive information.

Cheers,
Matthew

--
Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate Kent, CT11 9PW
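The difference between the two public key layouts described in the message above, as an added example that is not code from the thread, PuTTY or OpenSSH: it converts an SSH2-format file to a single authorized_keys line and checks that a line's type field matches the type stored inside its base64 blob. The sample key is a constructed blob of filler numbers, and all function names are hypothetical.

```python
import base64
import binascii
import struct

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"


def _string(data):  # SSH wire 'string': 4-byte big-endian length, then bytes
    return struct.pack(">I", len(data)) + data


def _mpint(n):  # SSH wire 'mpint', positive n (zero byte added if top bit set)
    return _string(n.to_bytes(n.bit_length() // 8 + 1, "big"))


def constructed_dsa_blob():
    """Constructed sample: an ssh-dss shaped blob of filler numbers, not a usable key."""
    p = int.from_bytes(bytes(range(1, 129)), "big")
    q = int.from_bytes(bytes(range(1, 21)), "big")
    return _string(b"ssh-dss") + _mpint(p) + _mpint(q) + _mpint(2) + _mpint(p - 1)


def to_ssh2_format(blob, comment):
    """Render a blob as a multi-line SSH2 public key file (RFC 4716 layout)."""
    b64 = base64.b64encode(blob).decode("ascii")
    body = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return "\n".join([BEGIN, f'Comment: "{comment}"', *body, END]) + "\n"


def key_type_of(b64):
    """Return the algorithm name stored in the first field of the decoded blob."""
    try:
        blob = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError("key body is not valid base64") from exc
    n = struct.unpack(">I", blob[:4])[0] if len(blob) >= 4 else 0
    if n == 0 or 4 + n > len(blob):
        raise ValueError("key blob is truncated")
    return blob[4:4 + n].decode("ascii")


def ssh2_to_openssh(text):
    """Convert an SSH2-format public key file to one authorized_keys line."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an SSH2-format public key file")
    comment, body, i = "", [], 1
    while i < len(lines) - 1:
        line = lines[i]
        i += 1
        if ":" in line:  # header line; base64 never contains ':'
            while line.endswith("\\") and i < len(lines) - 1:
                line = line[:-1] + lines[i]  # backslash continues the header
                i += 1
            tag, _, value = line.partition(":")
            if tag.strip().lower() == "comment":
                comment = value.strip().strip('"')
        elif line:
            body.append(line)
    b64 = "".join(body)
    return " ".join(filter(None, [key_type_of(b64), b64, comment]))


def authorized_keys_problem(line):
    """Why a line (without options) would not parse as an OpenSSH key, or None."""
    fields = line.split()
    if line.startswith("----") or len(fields) < 2:
        return "not a one-line '<type> <base64> [comment]' entry"
    try:
        embedded = key_type_of(fields[1])
    except ValueError as exc:
        return str(exc)
    return None if embedded == fields[0] else f"type {fields[0]!r} != blob type {embedded!r}"
```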