www.webdeveloper.com

Thread: [RESOLVED] scp/ssh identities: generating and installing key pairs

  1. #1
    Join Date
    Jan 2007
    Location
    Wisconsin
    Posts
    2,120


    Hey folks,

    I'm having a spot of trouble getting a password-less login using SSH key pairs.

    I've generated key pairs for SSH/SCP using ssh-keygen, leaving the passphrase blank. The public key has been placed in .ssh/authorized_keys on the remote server. And, the private key resides in my home directory, chmoded to 600. When I attempt to log in using something like ssh -i <private key filename> <username>@<host>, I am still prompted for a password.

    Not sure where to start troubleshooting this or what some common rookie mistakes might be. Any thoughts? I've never done this before--so a list of the most basic and idiotic mistakes I could be making could/would be a great start.

    Thanks!

  2. #2
    Join Date
    Sep 2008
    Location
    Mexico
    Posts
    786
    Nice tutorial about this here

  3. #3
    Join Date
    Jan 2007
    Location
    Wisconsin
    Posts
    2,120
    Thanks for the link. This is somewhat similar to some of the tutorials I've read on this--but it's the first mention of keyagent. Though, keyagent should only come into play if I need to create a pass-phrase protected private key, correct?

  4. #4
    Join Date
    Sep 2008
    Location
    Mexico
    Posts
    786
    Right. If at some point you added a passphrase you need something to handle that... usually a keychain on a usb chip so that it's portable and removable. Lots of options there for all OS.
    If you are using cPanel on your server there is a tutorial there that should help out also.

  5. #5
    Join Date
    Jan 2007
    Location
    Wisconsin
    Posts
    2,120
    There are two servers I'm trying to get this working on. One, at work, which is running some cygwin copssh thing. The other is a CentOS VPS, which I administer via SSH. I'm trying to get this to work on the VPS first, because I assume that CentOS will have a more standard configuration, and I won't run into issues with copssh and windows fighting each other ...

    Perhaps I should just post the command sequence, and you (or someone) can tell me if you spot a problem:
    Code:
    <localhost>$ ssh-keygen
    Generating public/private rsa key pair.
    Enter file in which to save the key (/Users/<local username>/.ssh/id_rsa): testkey
    Enter passphrase (empty for no passphrase): <left blank>
    Enter same passphrase again: <left blank>
    Your identification has been saved in testkey.
    Your public key has been saved in testkey.pub.
    The key fingerprint is:
    <fingerprint> <local user>@<localhost>
    The key's randomart image is:
     <ascii image>
    <localhost>$ scp testkey.pub <remote user>@<remote host>:testkey.pub 
    <remote user>@<remote host>'s password: 
    testkey.pub                                                                                                    100%  403     0.4KB/s   00:00    
    <localhost>$ ssh <remote user>@<remote host>
    <remote user>@<remote host>'s password: 
    Last login: Tue Oct 20 09:06:17 2009 from <some host>
    <remote host>$ cat testkey.pub >> .ssh/authorized_keys
    <remote host>$ exit
    <localhost>$ chmod 600 testkey
    <localhost>$ ssh -i testkey <remote user>@<remote host>
      <remote user>@<remote host>'s password:
    ... Shouldn't I be seeing my remote shell, rather than a password prompt, at this point?

  6. #6
    Join Date
    Sep 2008
    Location
    Mexico
    Posts
    786
    OK... that set up the keys. Private and public.
    Now connect. Connecting SSH will / should return the fingerprint of the private key and ask for trust. From that point you trust or not (trusting the key will normally create a cache) and then log in. What telnet are you using? PuTTY is a good one for Windows and is straightforward.

  7. #7
    Join Date
    Jan 2007
    Location
    Wisconsin
    Posts
    2,120
    Local system is OS X. I'm attempting to log in using the packaged command-line ssh client. Remote system is CentOS.

    I tried again with verbose output:
    Code:
    OpenSSH_5.1p1, OpenSSL 0.9.7l 28 Sep 2006
    debug1: Reading configuration data /etc/ssh_config
    debug1: Connecting to <remote host> [<remote ip>] port 22.
    debug1: Connection established.
    debug1: identity file testkey type 1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
    debug1: match: OpenSSH_4.3 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_5.1
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-cbc hmac-md5 none
    debug1: kex: client->server aes128-cbc hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Host '<remote host>' is known and matches the RSA host key.
    debug1: Found key in /Users/<local username>/.ssh/known_hosts:2
    debug1: ssh_rsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey,gssapi-with-mic,password
    debug1: Next authentication method: publickey
    debug1: Offering public key: svidgen-testkey
    debug1: Authentications that can continue: publickey,gssapi-with-mic,password
    debug1: Offering public key: svidgen-testkey
    debug1: Authentications that can continue: publickey,gssapi-with-mic,password
    debug1: Next authentication method: password
    So, my local client appears to be offering the key twice--it's being rejected/ignored by the server, if I'm interpreting this correctly. Is there some additional configuration that may be required server-side?

    I've chmodded the server-side .ssh folder to 700 and .ssh/authorized_keys to 600, as recommended by http://sial.org/howto/openssh/publickey-auth/problems/. And, I'm not entirely sure what to try in terms of possible versioning issues--it looks to me like the local ssh client and remote sshd daemon are agreeing on SSH 2.0 protocol. Is that not the protocol that my key pair would be compatible with?

  8. #8
    Join Date
    Jan 2007
    Location
    Wisconsin
    Posts
    2,120
    I overlooked user home directory permission--needs to have group write turned off, apparently ... Hopefully I can do this without breaking apache ...

    ... thanks for helping me dig through this.
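
Added example (not part of the original posts): a small POSIX shell check for the cause identified above. With `StrictModes` enabled (the OpenSSH default), sshd ignores `authorized_keys` when the home directory, `.ssh` or the file itself is group- or world-writable. The function names and the path in the usage comment are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: flag the paths sshd's StrictModes mode check would reject.
# Run on the server, e.g.:  sh check_ssh_perms.sh /home/alice   (placeholder path)

# Return 0 if group or other has write permission on path $1.
is_group_or_other_writable() {
    mode=$(ls -ld "$1" | cut -c1-10)      # e.g. drwxrwxr-x
    case "$mode" in
        ?????w????|????????w?) return 0 ;; # char 6 = group w, char 9 = other w
    esac
    return 1
}

# Check home, .ssh and authorized_keys; return the number of problems found.
check_ssh_perms() {
    home=$1
    problems=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING   $p"
            problems=$((problems + 1))
        elif is_group_or_other_writable "$p"; then
            echo "WRITABLE  $p ($(ls -ld "$p" | cut -c1-10)) -> chmod go-w"
            problems=$((problems + 1))
        else
            echo "ok        $p"
        fi
    done
    return "$problems"
}

# Stand-alone use: pass the account's home directory as the first argument.
if [ "$#" -gt 0 ]; then
    check_ssh_perms "$1"
fi
```

This covers only the mode bits; StrictModes also checks ownership. On the server, sshd records the refusal in its auth log (`/var/log/secure` on CentOS) as "Authentication refused: bad ownership or modes for ...", which is quicker to read than the client's `-v` output.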

  9. #9
    Join Date
    Sep 2008
    Location
    Mexico
    Posts
    786

    puzzling...

    PERMS should be
    • /.ssh 0700
    • privatekey 0600

    you probably don't have access to the perms on the /home directory itself.

    have you tried a new keyset?

    never used the Mac ssh terminal and did some looking for info... looks like you have to have a password? not sure
    here are some instructions from a hosting co. and this is a ssh agent for OSX
    don't know what might be being overlooked.

  10. #10
    Join Date
    Jan 2007
    Location
    Wisconsin
    Posts
    2,120
    Yeah, I got one of the servers working.

    I was trying to get this figured out on my VPS (that one I got working) and a pair of servers at work. The one at the office is still misbehaving--it's windows server, running copssh (a cygwin component). I've got the public key in place. And after having seemingly appropriately set the permissions from within cygwin, I am still seeing errors related to the permissions on the user and .ssh folders.

    I'm wondering if I need to set these permissions using the Windows interface, despite the cygwin shell reporting the correct permissions. And if so, how do I translate 700 and 600 into the Windows security scheme, wherein permissions can be assigned in a seemingly unlimited number of ways?

  11. #11
    Join Date
    Sep 2008
    Location
    Mexico
    Posts
    786
    you should be able to chmod directly from copSSH
    chmod 700 .ssh
    chmod 600 .ssh/privatekey
