[RESOLVED] scp/ssh identities: generating and installing key pairs

This site is best viewed in a modern browser with JavaScript enabled.

[RESOLVED] scp/ssh identities: generating and installing key pairs

svidgen

Hey folks,

I'm having a spot of trouble getting a password-less login using SSH key pairs.

I've generated key pairs for SSH/SCP using ssh-keygen, leaving the passphrase blank. The public key has been placed in .ssh/authorized_keys on the remote server. And, the private key resides in my home directory, chmoded to 600. When I attempt to log in using something like ssh -i <private key filename> <username>@<host>, I am still prompted for a password.

Not sure where to start troubleshooting this or what some common rookie mistakes might be. Any thoughts? I've never done this before--so a list of the most basic and idiotic mistakes I could be making could/would be a great start.

Thanks!

opifex

Nice tutorial about this here

svidgen

Thanks for the link. This is somewhat similar to some of the tutorials I've read on this--but the first mention of keyagent. Though, keyagent should only come into play if I need to create a pass-phrase protected private key, correct?

opifex

Right. If at some point you added a passphrase you need something to handle that... usually a keychain on a usb chip so that it's portable and removable. Lots of options there for all OS.
If you are using cPanel on your server there is a tutorial there that should help out also.

svidgen

There are two servers I'm trying to get this working on. One, at work, which is running some cygwin copssh thing. The other is a CentOS VPS, which I administer via SSH. I'm trying to get this to work on the VPS first, because I assume that CentOS will have a more standard configuration, and I won't run into issues with copssh and windows fighting each other ...

Perhaps I should just post the command sequence, and you (or someone) can tell me if you spot a problem:

<localhost>$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/<local username>/.ssh/id_rsa): testkey
Enter passphrase (empty for no passphrase): <left blank>
Enter same passphrase again: <left blank>
Your identification has been saved in testkey.
Your public key has been saved in testkey.pub.
The key fingerprint is:
<fingerprint> <local user>@<localhost>
The key's randomart image is:
 <ascii image>
<localhost>$ scp testkey.pub <remote user>@<remote host>:testkey.pub 
<remote user>@<remote host>'s password: 
testkey.pub                                                                                                    100%  403     0.4KB/s   00:00    

<localhost>$ ssh <remote user>@<remote host>
<remote user>@<remote host>'s password: 
Last login: Tue Oct 20 09:06:17 2009 from <some host>
<remote host>$ cat testkey.pub >> .ssh/authorized_keys
<remote host>$ exit
<localhost>$ chmod 600 teskey
<localhost>$ ssh -i testkey <remote user>@<remote host>
  <remote user>@<remote host>'s password:

... Shouldn't I be seeing my remote shell, rather than a password prompt, at this point?

opifex

OK... that set up the keys. Private and public.
Now connect. Connecting SSH will / should return the fingerprint of the private key and ask for trust. From that point you trust or not and (trusting the key will normally create a cache) and then log in. What telnet are you using? PuTTY is a good one for Windows and is straight forward.

svidgen

Local system is OS X. I'm attempting to log in using the packaged command-line ssh client. Remote system is CentOS.

I tried again with verbose output:

OpenSSH_5.1p1, OpenSSL 0.9.7l 28 Sep 2006
debug1: Reading configuration data /etc/ssh_config
debug1: Connecting to <remote host> [<remote ip>] port 22.
debug1: Connection established.
debug1: identity file testkey type 1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '<remote host>' is known and matches the RSA host key.
debug1: Found key in /Users/<local username>/.ssh/known_hosts:2
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: publickey
debug1: Offering public key: svidgen-testkey
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Offering public key: svidgen-testkey
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: password

So, my local client appears to be offering the key twice--it's being rejected/ignored by the server, if I'm interpreting this correctly. Is there some additional configuration that may be required server-side?

I've chmodded the server-side .ssh folder to 700 and .ssh/authorized_keys to 600, as recommended by http://sial.org/howto/openssh/publickey-auth/problems/. And, I'm not entirely sure what to try in terms of possible versioning issues--it looks to me like the local ssh client and remote sshd daemon are agreeing on SSH 2.0 protocol. Is that not the protocol that my key pair would be compatible with?

svidgen

I overlooked user home directory permission--needs to have group write turned off, apparently ... Hopefully I can do this without breaking apache ...

... thanks for helping me dig through this.

opifex

PERMS should be

/.ssh 0700
privatekey 0600

you probably don't have access to the perms on the /home directory itself.

have you tried a new keyset?

never used the Mac ssh terminal and did some looking for info... looks like you have to have a password? not sure
here are some instructions from a hosting co. and this is a ssh agent for OSX
don't know what might be being overlooked.

svidgen

Yeah, I got one of the servers working.

I was trying to get this figured out on my VPS (that one I got working) and a pair of servers at work. The one at the office is still misbehaving--it's windows server, running copssh (a cygwin component). I've got the public key in place. And after having seemingly appropriately set the permissions from within cygwin, I am still seeing errors related to the permissions on the user and .ssh folders.

I'm wondering if I need to set this permissions using the Windows interface, despite the cygwin shell reporting the correct permissions. And if so, how do I translate 700 and 600 into the Windows security scheme, wherein permissions can be assigned in a seemingly unlimited number of ways?

opifex

you should be bable to chmod directly from copSSH
chmod 700 .ssh
chmod 600 .ssh/privatekey