On Sun, 2004-05-02 at 17:12, Ken Foskey wrote:
> On Sun, 2004-05-02 at 17:07, Howard Lowndes wrote:
>
> > Mmmm. SSH2 on Deb doesn't mention the authorized_keys file in the man
> > pages, just the authorization file and the key files that are listed
> > therein. I already had done the above anyway as it is the way things
> > work on RedHat, but to no avail on Deb.
>
> Ping. Lightbulb.
>
> It is disabled by default on Debian because of the security concerns.
>
> Guessing but look for something like this in your /etc/ssh/sshd_config
> file.
>
> RSAAuthentication yes
> PubkeyAuthentication yes
> #AuthorizedKeysFile %h/.ssh/authorized_keys
This is getting weirder.
I put these lines into /etc/ssh2/sshd2_config and it objected to the
PubkeyAuthentication parameter, not once but twice. The parameter was
in there already but was commented out. When I remove _all_ reference
to PubkeyAuthentication it still complains about it, but this time only
once.
Here is my current /etc/ssh2/sshd2_config:
# sshd2_config
# SSH 2.0 Server Configuration File
*:
Port 22
ListenAddress 0.0.0.0
Ciphers AnyStd
# Ciphers AnyCipher
# Ciphers AnyStdCipher
# Ciphers 3des
IdentityFile identification
AuthorizationFile authorization
HostKeyFile hostkey
PublicHostKeyFile hostkey.pub
RandomSeedFile random_seed
ForwardAgent yes
ForwardX11 yes
# DEPRECATED PasswordAuthentication yes
PasswordGuesses 3
# MaxConnections 50
# 0 == number of connections not limited
MaxConnections 0
# PermitRootLogin nopwd
PermitRootLogin yes
# DEPRECATED
RSAAuthentication yes
# AuthorizedKeysFile %h/.ssh/authorized_keys
# AllowedAuthentications publickey,password,hostbased
AllowedAuthentications publickey,password
# RequiredAuthentications publickey,password
ForcePTTYAllocation no
VerboseMode no
PrintMotd yes
CheckMail yes
UserConfigDirectory "%D/.ssh2"
# UserConfigDirectory "/etc/ssh2/auth/%U"
SyslogFacility AUTH
# SyslogFacility LOCAL7
Ssh1Compatibility yes
Sshd1Path /usr/sbin/sshd1
# AllowHosts localhost, foobar.com, friendly.org
# DenyHosts evil.org, aol.com
# AllowSHosts trusted.host.org
# DenySHosts not.quite.trusted.org
# NoDelay yes
# KeepAlive yes
RequireReverseMapping yes
UserKnownHosts yes
# subsystem definitions
subsystem-sftp sftp-server
...and this is the dialogue that I get when I start sshd2 in debug mode:
# sshd2 -v
WARNING: Development-time debugging not compiled in.
WARNING: To enable, configure with --enable-debug and recompile.
WARNING: PubkeyAuthentication configuration keyword is deprecated. Use AllowedAuthentications.
WARNING: Defining AllowedAuthentications. Parameter PubkeyAuthentication (already defined) will be ignored.
WARNING: Development-time debugging not compiled in.
WARNING: To enable, configure with --enable-debug and recompile.
debug: Reading private host key from /etc/ssh2/hostkey
debug: Key comment: 1024-bit dsa, [EMAIL PROTECTED], Sun Apr 04 2004 13:33:50 +1000
debug: SshUnixConfig/sshunixconfig.c:270/ssh_server_load_host_key:
Reading public host key from: /etc/ssh2/hostkey.pub
debug: Becoming server.
debug: Creating listener
debug: Listener created
sshd2[1281]: Listener created on port 22.
sshd2[1281]: Daemon is running.
debug: Running event loop
...at this point I now try to log in and on the client I get:
# ssh -v bu
OpenSSH_3.5p1, SSH protocols 1.5/2.0, OpenSSL 0x0090701f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to bu [192.168.255.19] port 22.
debug1: Connection established.
debug1: identity file /root/.ssh/identity type 0
debug1: identity file /root/.ssh/id_rsa type 1
debug1: identity file /root/.ssh/id_dsa type 2
debug1: Remote protocol version 1.99, remote software version 2.0.13 (non-commercial)
debug1: match: 2.0.13 (non-commercial) pat 2.0.13*,2.0.14*,2.0.15*,2.0.16*,2.0.17*,2.0.18*,2.0.19*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.5p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client 3des-cbc hmac-md5 none
debug1: kex: client->server 3des-cbc hmac-md5 none
debug1: dh_gen_key: priv key bits set: 193/384
debug1: bits set: 517/1024
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug1: Host 'bu' is known and matches the DSA host key.
debug1: Found key in /root/.ssh/known_hosts:224
debug1: bits set: 497/1024
debug1: ssh_dss_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: buggy server: service_accept w/o service
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password
debug1: next auth method to try is publickey
debug1: try pubkey: /root/.ssh/id_rsa
debug1: authentications that can continue: publickey,password
debug1: try pubkey: /root/.ssh/id_dsa
debug1: authentications that can continue: publickey,password
debug1: next auth method to try is password
[EMAIL PROTECTED]'s password:
...and on the server I get this continuation:
sshd2[1281]: connection from "192.168.255.17"
debug: Sshd2/sshd2.c:653/new_connection_callback: Wrapping stream with ssh_server_wrap...
debug: ssh_server_wrap: creating transport protocol
debug: ssh_server_wrap: creating userauth protocol
debug: Sshd2/sshd2.c:663/new_connection_callback: done.
debug: new_connection_callback returning
debug: Remote version: SSH-2.0-OpenSSH_3.5p1
debug: ssh_sigchld_real_callback
debug: ssh_sigchld_real_callback
All of the perms look OK. At the client end:
# ll .ssh/
total 216
-rw-r--r-- 1 root root 1119 May 1 12:21 authorized_keys
-rw------- 1 root root 668 Mar 25 2001 id_dsa
-rw-r--r-- 1 root root 590 Mar 25 2001 id_dsa.pub
-rw------- 1 root root 515 Mar 29 2001 identity
-rw-r--r-- 1 root root 319 Mar 25 2001 identity.pub
-rw------- 1 root root 883 May 1 12:18 id_rsa
-rw-r--r-- 1 root root 210 May 1 12:18 id_rsa.pub
-rw-r--r-- 1 root root 69970 May 1 12:33 known_hosts
-rw-r--r-- 1 root root 108448 Dec 12 10:19 known_hosts2
...and at the server end:
# ll .ssh2/
total 24
-rw------- 1 root root 47 May 2 11:51 authorization
drwx------ 2 root root 4096 Apr 22 14:46 hostkeys
-rw------- 1 root root 590 May 2 11:36 id_dsa.pub
-rw------- 1 root root 319 May 2 11:37 id_rsa1.pub
-rw------- 1 root root 210 May 2 11:37 id_rsa2.pub
-rw------- 1 root root 512 May 3 12:33 random_seed
> --
> Thanks
> KenF
> OpenOffice.org developer
--
Howard.
LANNet Computing Associates - Your Linux people <http://www.lannetlinux.com>
------------------------------------------
Flatter government, not fatter government - Get rid of the Australian states.
------------------------------------------
To mess up a Linux box, you need to work at it;
to mess up your Windows box, you just need to work on it.
- Scott Granneman, SecurityFocus
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
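The thread above hinges on sshd2's authorization file and the key files it names. This added checker is not from the thread or from the SSH2 package; it assumes the ssh.com conventions that `Key <file>` lines in ~/.ssh2/authorization name public key files in the same directory and that sshd2 reads those files in SECSH format (the `---- BEGIN SSH2 PUBLIC KEY ----` block, which OpenSSH's `ssh-keygen -e` writes), not OpenSSH's single-line `ssh-dss AAAA...` form. The sample authorization file and keys are constructed.

```python
import re

# SECSH (ssh.com) public key file framing; OpenSSH's ssh-keygen -e emits this.
SECSH_BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
SECSH_END = "---- END SSH2 PUBLIC KEY ----"
# OpenSSH's single-line public key form (type, base64 blob, optional comment).
OPENSSH_LINE = re.compile(r"^(ssh-rsa|ssh-dss) [A-Za-z0-9+/=]+")


def listed_keys(authorization_text):
    """Return the file names given on `Key` lines (assumed sshd2 syntax)."""
    names = []
    for line in authorization_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "key" and len(parts) == 2:
            names.append(parts[1].strip())
    return names


def key_format(key_text):
    """Classify a public key file as 'secsh', 'openssh' or 'unknown'."""
    lines = [l.strip() for l in key_text.splitlines() if l.strip()]
    if len(lines) >= 3 and lines[0] == SECSH_BEGIN and lines[-1] == SECSH_END:
        return "secsh"
    if len(lines) == 1 and OPENSSH_LINE.match(lines[0]):
        return "openssh"
    return "unknown"


def check_authorization(authorization_text, key_files):
    """key_files maps file name -> contents. Returns a list of findings."""
    findings = []
    names = listed_keys(authorization_text)
    if not names:
        findings.append("authorization file lists no Key lines")
    for name in names:
        text = key_files.get(name)
        if text is None:
            findings.append(f"{name}: listed but not present")
        elif key_format(text) == "openssh":
            findings.append(f"{name}: OpenSSH single-line format; convert with ssh-keygen -e")
        elif key_format(text) == "unknown":
            findings.append(f"{name}: not a recognised public key format")
    return findings


# Constructed sample input: one OpenSSH-format key, one SECSH key, one missing file.
SAMPLE_AUTHORIZATION = "# constructed\nKey id_dsa.pub\nKey id_rsa2.pub\nKey missing.pub\n"
SAMPLE_KEYS = {
    "id_dsa.pub": "ssh-dss AAAAB3NzaC1kc3MAAACBAN0t root@client\n",
    "id_rsa2.pub": f"{SECSH_BEGIN}\nComment: \"constructed\"\nAAAAB3NzaC1yc2EAAAABIwAAAIEA\n{SECSH_END}\n",
}
```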