Re: RSA Key authentication
On Mon, 31 Dec 12, 12:58:05, Bob Proulx wrote:
> Thore wrote:
> > Another question is: How must I configure it that I only can login
> > with the user password my passphrase for the key and the keys? so
> > triple protection against brute force.
>
> I recommend not to do this. Make sure you have a good non-guessable
> password and then don't use it unless you need it. If you don't use
> it then it can't be sniffed. If it is secure then it can't be
> guessed. In which case it isn't safer to disable it. And having it
> available for that emergency when you need it is very useful.

I understood that Thore wants to have triple authentication: passphrase for the key, the key *and* the user password.

Kind regards,
Andrei
-- 
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic
Re: RSA Key authentication
Andrei POPESCU wrote:
> Bob Proulx wrote:
> > Thore wrote:
> > > Another question is: How must I configure it that I only can
> > > login with the user password my passphrase for the key and the
> > > keys? so triple protection against brute force.
> >
> > I recommend not to do this. Make sure you have a good non-guessable
> > password and then don't use it unless you need it. If you don't use
> > it then it can't be sniffed. If it is secure then it can't be
> > guessed. In which case it isn't safer to disable it. And having it
> > available for that emergency when you need it is very useful.
>
> I understood that Thore wants to have triple authentication:
> passphrase for the key, the key *and* the user password.

Oh! Require *both* the rsa ssh key AND the root password. Thanks for suggesting that clarification. I had read that as disabling the root password.

I do not believe that is easily possible to require both. It isn't one of the standard configurations. It almost certainly seems possible to configure by some method through the PAM (pluggable authentication module) system however. If there is a solution to do this I think in the PAM area would be the place to look. The upstream openssh list would be the best place to discover this type of information.

Bob
RSA Key authentication
Hello,

on my Server I want to configure an RSA SSH Authentication. I know how to generate and set the private and public key, but there are still some problems. Mostly I log in as root, so I had to use the .ssh directory in the /root folder and put my generated public key in the authorized_keys folder. But it didn't work.

I set the auto login username in putty, it didn't work. Are there settings wrong? I found one part in the sshd conf

  RSAAuthentication yes
  PubkeyAuthentication yes
  #AuthorizedKeysFile %h/.ssh/authorized_keys

it was exactly like this, is this right? I mean isn't the directory not available for the program because of the # at the beginning of the line? I tried it out with an enter between it but then sshd meant that there was something wrong.

Another question is: How must I configure it that I only can login with the user password my passphrase for the key and the keys? so triple protection against brute force.

Regards
Thore
Re: RSA Key authentication
Thore wrote:
> on my Server I want to configure an RSA SSH Authentication.

Good. Everyone should.

> I know how to generate and set the private and public key,

Good.

> but there are still some problems. Mostly I log in as root, so I had
> to use the .ssh directory in the /root folder and put my generated
> public key in the authorized_keys folder. But it didn't work.

The typical reason this does not work is because the file permission is incorrect. What is the output of (example from my system):

  # ls -ld / /root /root/.ssh /root/.ssh/authorized_keys | cat
  drwxr-xr-x 25 root root 4096 Dec 3 12:51 /
  drwxr-xr-x 20 root root 4096 Dec 2 15:33 /root
  drwx-- 2 root root 4096 Oct 29 2011 /root/.ssh
  -rw-r- 1 root root 1440 Oct 29 2011 /root/.ssh/authorized_keys

If any of those are group or world writable then sshd will refuse the file. Also look in /var/log/auth.log and /var/log/syslog too.

> I set the auto login username in putty, it didn't work. Are there
> settings wrong? I found one part in the sshd conf
>
>   RSAAuthentication yes
>   PubkeyAuthentication yes
>   #AuthorizedKeysFile %h/.ssh/authorized_keys
>
> it was exactly like this, is this right?

Yes. Those are okay.

> I mean isn't the directory not available for the program because of
> the # at the beginning of the line?

The default is included as documentation. If, and only if, you were going to change it from the default then you could uncomment the line and change the value.

> Another question is: How must I configure it that I only can login
> with the user password my passphrase for the key and the keys? so
> triple protection against brute force.

I recommend not to do this. Make sure you have a good non-guessable password and then don't use it unless you need it. If you don't use it then it can't be sniffed. If it is secure then it can't be guessed. In which case it isn't safer to disable it. And having it available for that emergency when you need it is very useful.

Bob
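Added example (not part of the thread and not sshd's own code): a script for the check described in the message above, run over the home directory, .ssh and authorized_keys. It assumes GNU stat as on Debian, adds an owner check as a further assumption, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag the files sshd reads for public-key login when they
# are group- or world-writable, or owned by an unexpected user.
# Assumes GNU stat (Debian). Function names are hypothetical.

# check_perm PATH UID: print a finding and return 1 if PATH is missing,
# owned by neither UID nor root, or writable by group or others.
check_perm() {
    cp_path=$1 cp_uid=$2 cp_rc=0
    if [ ! -e "$cp_path" ]; then
        echo "MISSING  $cp_path"
        return 1
    fi
    cp_mode=$(stat -c '%a' "$cp_path") || return 1    # octal mode, e.g. 644
    cp_owner=$(stat -c '%u' "$cp_path") || return 1   # numeric owner uid
    if [ "$cp_owner" != "$cp_uid" ] && [ "$cp_owner" != 0 ]; then
        echo "OWNER    $cp_path (uid $cp_owner, expected $cp_uid or 0)"
        cp_rc=1
    fi
    # 020 = group write bit, 002 = other write bit
    if [ $(( 0$cp_mode & 022 )) -ne 0 ]; then
        echo "WRITABLE $cp_path (mode $cp_mode)"
        cp_rc=1
    fi
    return $cp_rc
}

# audit_key_path HOME UID: check HOME, HOME/.ssh and the key file.
# Returns 0 only when all three pass.
audit_key_path() {
    ak_bad=0
    for ak_p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        check_perm "$ak_p" "$2" || ak_bad=1
    done
    return $ak_bad
}

# Usage on the server from the thread: audit_key_path /root 0
```

A non-zero return together with a WRITABLE or OWNER line points at the component to fix with chmod or chown before looking further in /var/log/auth.log.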
Re: RSA Key authentication
On Dec 31, 2012, at 12:58 PM, Bob Proulx wrote:
> Thore wrote:
> > but there are still some problems. Mostly I log in as root, so I
> > had to use the .ssh directory in the /root folder and put my
> > generated public key in the authorized_keys folder. But it didn't
> > work.

ssh is very touchy about root logins. That may be the trouble. I've never used putty, but there may be something in its config that needs to be changed from the default to allow it to try a root login.

I know for sure there are defaults to be changed in sshd_config. There's a PermitRootLogin parameter. Its default has been no everywhere I've seen. But it can be changed to yes, or to allow_root_login_with_key_authentication_only (without-password).

There's also an AllowUsers list of users allowed to log in in sshd_config that may be causing trouble.

> The typical reason this does not work is because the file permission
> is incorrect. What is the output of (example from my system):
>
>   # ls -ld / /root /root/.ssh /root/.ssh/authorized_keys | cat
>   drwxr-xr-x 25 root root 4096 Dec 3 12:51 /
>   drwxr-xr-x 20 root root 4096 Dec 2 15:33 /root
>   drwx-- 2 root root 4096 Oct 29 2011 /root/.ssh
>   -rw-r- 1 root root 1440 Oct 29 2011 /root/.ssh/authorized_keys
>
> If any of those are group or world writable then sshd will refuse
> the file. Also look in /var/log/auth.log and /var/log/syslog too.

That's right, but I'd remove any non-owner permissions from the files (already done for /root/.ssh). Inside the directory, consider owner rw only.

-- 
Glenn English
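Added example (not part of the thread): a script that reports which value a keyword ends up with in an sshd_config file, covering the points raised so far: a commented-out line sets nothing, keywords are case-insensitive, and the first uncommented occurrence is the one used. The sample file is constructed from the lines quoted in the thread, and the function names and default strings passed in are assumptions of this example.

```shell
#!/bin/sh
# Added example: which value does an sshd_config file set for a keyword?
# Function names and the sample file are constructed for illustration.

# effective_value FILE KEYWORD DEFAULT
# Print the value of the first uncommented KEYWORD line in the global
# section (before any Match block), or DEFAULT when there is none.
# Keywords that may be given several times are not merged.
effective_value() {
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # comment or blank: sets nothing
        tolower($1) == "match"   { exit }   # conditional blocks are skipped
        tolower($1) == tolower(key) {       # keywords are case-insensitive
            $1 = ""; sub(/^[ \t]+/, "")
            print; found = 1; exit          # first occurrence wins
        }
        END { if (!found) print def }
    ' "$1"
}

# write_sample FILE: constructed config built around the quoted lines.
write_sample() {
    cat > "$1" <<'EOF'
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
permitrootlogin without-password
PermitRootLogin yes
Match User backup
    PasswordAuthentication no
EOF
}

# report FILE: summarise the directives discussed in the thread.
report() {
    for kw in PubkeyAuthentication PermitRootLogin AllowUsers; do
        printf '%s = %s\n' "$kw" "$(effective_value "$1" "$kw" '(not set)')"
    done
}
```

On a live server, `sshd -T` prints the effective configuration including compiled-in defaults, which this file-only parser cannot know.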
Re: RSA Key authentication
On Mon 31 Dec 2012 at 14:19:31 -0700, Glenn English wrote:
> I know for sure there are defaults to be changed in sshd_config.
> There's a PermitRootLogin parameter. Its default has been no
> everywhere I've seen. But it can be changed to yes, or to
> allow_root_login_with_key_authentication_only (without-password).

No need for concern with PermitRootLogin on Debian. It has a sensible default value.
Re: RSA Key authentication
On Tue, Jan 1, 2013 at 8:19 AM, Glenn English g...@slsware.com wrote:
> On Dec 31, 2012, at 12:58 PM, Bob Proulx wrote:
> > Thore wrote:
> > > but there are still some problems. Mostly I log in as root, so I
> > > had to use the .ssh directory in the /root folder and put my
> > > generated public key in the authorized_keys folder. But it
> > > didn't work.
>
> ssh is very touchy about root logins. That may be the trouble. I've
> never used putty, but there may be something in its config that
> needs to be changed from the default to allow it to try a root
> login.
>
> I know for sure there are defaults to be changed in sshd_config.
> There's a PermitRootLogin parameter. Its default has been no
> everywhere I've seen. But it can be changed to yes, or to
> allow_root_login_with_key_authentication_only (without-password).
>
> There's also an AllowUsers list of users allowed to log in in
> sshd_config that may be causing trouble.
>
> > The typical reason this does not work is because the file
> > permission is incorrect. What is the output of (example from my
> > system):
> >
> >   # ls -ld / /root /root/.ssh /root/.ssh/authorized_keys | cat
> >   drwxr-xr-x 25 root root 4096 Dec 3 12:51 /
> >   drwxr-xr-x 20 root root 4096 Dec 2 15:33 /root
> >   drwx-- 2 root root 4096 Oct 29 2011 /root/.ssh
> >   -rw-r- 1 root root 1440 Oct 29 2011 /root/.ssh/authorized_keys
> >
> > If any of those are group or world writable then sshd will refuse
> > the file. Also look in /var/log/auth.log and /var/log/syslog too.
>
> That's right, but I'd remove any non-owner permissions from the
> files (already done for /root/.ssh). Inside the directory, consider
> owner rw only.
>
> --
> Glenn English

This is correct, the main reason for this not working is if the key files and/or authorized_keys file have wrong (too loose) permissions, i.e. they are world readable.