| Linode Forum https://forum.linode.com/ |
|
| SSH key problems https://forum.linode.com/viewtopic.php?f=19&t=3294 |
Page 1 of 1 |
| Author: | A32 [ Mon May 26, 2008 9:17 pm ] |
| Post subject: | SSH key problems |
Hi. I'm hoping someone might be able to shed some light on my situation. Earlier today I decided it would be a good idea to change the keys I log into SSH with. It turns out it wasn't a great idea after all. I used ssh-keygen and generated these keys:

ssh_host_rsa_key
ssh_host_dsa_key

Then just to make things interesting I forgot the password(s) I entered. I got 2 tries and then DenyHosts cut me off for good. Now, after fiddling around I can now login to my node through LISH but not through my SSH client. When I try, it just disconnects me. Here's what I have tried so far:

Delete everything in /etc/hosts.deny
Quote:
echo > /etc/hosts.deny

Check IPtables to see if I'm listed in there.
Quote:
iptables -L -n

Quote:
Nothing's in there (at all).

Hmm.. Let's delete all the keys and start over.
Quote:
rm /etc/ssh/ssh_host*

Now generate some new keys (remember them this time)! Then save them to /etc/ssh/
Quote:
ssh-keygen -t rsa
<snip>
ssh-keygen -t dsa
<snip>

Try using my SSH client to login.. Nope! Disconnected right away. Let's take a look at my auth.log
Quote:
May 26 18:56:19 FUS sshd[1612]: error: Could not load host key: /etc/ssh/ssh_host_key
May 26 18:56:19 FUS sshd[1612]: error: Could not load host key: /etc/ssh/ssh_host_rsa_key
May 26 18:56:19 FUS sshd[1612]: error: Could not load host key: /etc/ssh/ssh_host_dsa_key

I'm so lost I don't know where to go from here. Can anybody help? Am I missing a step somewhere? Thanks
|
| Author: | rweir [ Mon May 26, 2008 9:42 pm ] |
| Post subject: | Re: SSH key problems |
A32 wrote:
Hi. I'm hoping someone might be able to shed some light on my situation. Earlier today I decided it would be a good idea to change the keys I log into SSH with. It turns out it wasn't a great idea after all. I used ssh-keygen and generated these keys: ssh_host_rsa_key ssh_host_dsa_key

Well, the second round of Debian ssh updates automatically regenerated the host keys, so you didn't need to delete it at all. The simplest way to get them back, assuming you haven't otherwise altered the sshd configuration, is to 'sudo dpkg --force-depends -P openssh-server ; sudo apt-get install openssh-server' - from lish. Obviously won't be able to login over ssh while doing that, etc, etc.

A32 wrote:
Now, after fiddling around I can now login to my node through LISH but not through my SSH client. When I try, it just disconnects me.

denyhosts doesn't use iptables (by default). If you have a static IP that you want to prevent being blocked by denyhosts, pop it in /var/lib/denyhosts/allowed-hosts. I suspect the above plus this will let you login again.
|
| Author: | sweh [ Mon May 26, 2008 10:05 pm ] |
| Post subject: | |
Your ssh-keygen commands won't have created files of the right names (it would have created id_rsa and id_dsa) and you haven't created the ssh1 key either. Try:
Code:
ssh-keygen -t rsa1 -f ssh_host_key -C '' -N ''

The -C and -N options ensure no passwords or comments. There should NOT be a password on the host key, otherwise sshd can't load them at boot time. Now restart sshd on the server. This won't solve the denyhosts option, but should get sshd running properly!
|
| Author: | A32 [ Mon May 26, 2008 11:03 pm ] |
| Post subject: | |
Thanks for all your help. I'm now able to login to my node through my SSH client. However, I think I'm missing some knowledge at a very basic level. I use Putty from Windows. I used puttygen to generate a new public and private key. I added the public key to the home/.ssh/authorized_keys2 file. I changed the private key file in Putty to the one I just generated with puttygen. Now after all your guys' suggestions and changing these things above, everything is back to normal (with a different password). My (stupid) question is: How do the puttygen generated files and the ssh-keygen files relate to each other? Is the puttygen key only for authentication and the ssh-keygen key for encrypting data communications between client/server? Thanks again |
|
| Author: | sweh [ Tue May 27, 2008 12:41 pm ] |
| Post subject: | |
ssh-keygen is used to generate public/private key pairs. There's no fundamental difference between a host key and a user key. I use ssh-keygen for all of my keys. "puttygen" is merely the putty specific version of ssh-keygen. Now SSH does two things for you: 1) encrypt traffic, 2) provide key based authentication. When you stick a public key into $HOME/.ssh/authorized_keys (authorized_keys2 is deprecated; don't use it any more) you are telling ssh that you'll allow key based authentication, rather than password authentication. But whether you use keys or passwords, ssh can still provide "on the wire" encryption.
|
| Author: | A32 [ Tue May 27, 2008 6:20 pm ] |
| Post subject: | |
Okay. I think I get it now. So I can use ssh-keygen to generate a public and private key, add the public key to authorized_keys, download that private key to my computer, tell putty to use that private key. -OR- use puttygen to generate public and private keys, add the public key to authorized_keys, tell putty to use the private key puttygen generated. Right? -------------- I've done both and I think this was the catalyst to the problems I had. I used ssh-keygen with a password. As you say you can't do that because then the key can't be opened. But generating the key through puttygen doesn't seem to have that "caveat". Again thanks for all the help! |
|
| Author: | mwalling [ Tue May 27, 2008 6:54 pm ] |
| Post subject: | |
one question that has been bugging me about this thread: why were you messing with the host keys? in theory, once they're generated on the first startup, they shouldn't be touched. If you were doing this in response to the Debian openssh package maintainer's newfound knowledge of cryptography, I was under the impression that the replacement package handled that for you.
|
| Author: | sweh [ Tue May 27, 2008 8:59 pm ] |
| Post subject: | |
What I said was the _HOST_ keys can't have a password. These are the /etc/ssh/ssh_host*key files. You should(!) never need to change these, but because you did I told you how to generate new ones. User keys can have a password. |
|
| Author: | jacko [ Tue Jun 17, 2008 11:46 pm ] |
| Post subject: | |
HOST keys are public keys. Things open to the public can't have passwords or that makes them sort of useless. |
|
| Author: | sweh [ Wed Jun 18, 2008 10:42 am ] |
| Post subject: | |
jacko wrote:
HOST keys are public keys.

Not quite. Like everything using this technology, there's a private key and a public key and these two are related mathematically. So you'll see /etc/ssh_host_key and /etc/ssh_host_key.pub. The "pub" version is the public key, the other one is the private key. Unlike normal user private keys, however, this private key should NOT have a password on it, otherwise the ssh daemon process can not load it up at boot time, and ssh will fail to run.
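As an added example for this thread (not code from any of the posts, and not OpenSSH's own code), here is a Python pre-flight check for the point sweh makes twice above, once when giving the ssh-keygen -N '' command and again in this last reply: a host private key has to exist and must not be passphrase-protected, or sshd cannot load it at boot and logs the "Could not load host key" lines A32 pasted. The check assumes the host key file names used in the thread; it also recognises the "-----BEGIN OPENSSH PRIVATE KEY-----" container that OpenSSH introduced years after this 2008 thread, when ssh-keygen still wrote PEM files. The sample keys are constructed with dummy payloads (they are not usable keys), and the sample log lines are the three A32 posted.

```python
"""Pre-flight check for sshd host keys. Added example for this thread, not
code from any of the posts or from OpenSSH: a host private key must exist and
must not be passphrase-protected, or sshd cannot load it at boot (sweh's
point), and sshd then logs "Could not load host key" as in A32's auth.log."""
import base64
import re
import struct

# "-----BEGIN OPENSSH PRIVATE KEY-----" files (a format newer than this thread)
# open their base64 payload with this magic, then two SSH wire strings: cipher
# name and KDF name, both "none" when no passphrase is set. Older "-----BEGIN RSA
# PRIVATE KEY-----" files announce a passphrase with "Proc-Type: 4,ENCRYPTED".
OPENSSH_MAGIC = b"openssh-key-v1\x00"
# Host key file names from the thread (ssh_host_key is the SSH1 key).
HOST_KEY_FILES = ("ssh_host_key", "ssh_host_rsa_key", "ssh_host_dsa_key")
# Matches the auth.log lines A32 posted.
LOAD_ERROR_RE = re.compile(r"sshd\[\d+\]: error: Could not load host key: (\S+)")

def _read_ssh_string(buf, off):
    """Read one SSH wire string: uint32 big-endian length, then that many bytes."""
    if off + 4 > len(buf):
        raise ValueError("truncated openssh-key-v1 header")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated openssh-key-v1 header")
    return buf[off + 4:end], end

def key_is_encrypted(pem_text):
    """True if the private key needs a passphrase, False if not; ValueError
    for anything that is not a recognisable private key."""
    lines = [ln.strip() for ln in pem_text.splitlines() if ln.strip()]
    if (len(lines) < 2 or not lines[0].startswith("-----BEGIN ")
            or not lines[-1].startswith("-----END ")):
        raise ValueError("not a PEM-style private key")
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = base64.b64decode("".join(lines[1:-1]))
        if not body.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _read_ssh_string(body, len(OPENSSH_MAGIC))
        kdf, _ = _read_ssh_string(body, off)
        return cipher != b"none" or kdf != b"none"
    # Legacy PEM: encryption is announced by header lines before the base64 body.
    return any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines[1:-1])

def check_host_keys(files):
    """files maps each host key file name to its text, or None if absent.
    Returns {name: "ok" | "missing" | "encrypted" | "invalid"}; anything but
    "ok" is a key sshd will report as "Could not load host key"."""
    report = {}
    for name in HOST_KEY_FILES:
        text = files.get(name)
        if text is None:
            report[name] = "missing"
            continue
        try:
            report[name] = "encrypted" if key_is_encrypted(text) else "ok"
        except ValueError:
            report[name] = "invalid"
    return report

def keys_sshd_failed_to_load(log_lines):
    """Paths named in sshd's "Could not load host key" errors, in log order."""
    found = []
    for line in log_lines:
        m = LOAD_ERROR_RE.search(line)
        if m:
            found.append(m.group(1))
    return found

# ---- constructed sample inputs: dummy payloads, not usable keys ---------------
def fake_openssh_key(cipher, kdf):
    """openssh-key-v1 container with the real header layout and an empty body."""
    def s(b):  # SSH wire string
        return struct.pack(">I", len(b)) + b
    body = OPENSSH_MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 0)
    b64 = base64.b64encode(body).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"

# What ssh-keygen wrote in 2008 when given a passphrase (payload dummied).
LEGACY_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\n"
                    "Proc-Type: 4,ENCRYPTED\n"
                    "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n"
                    "AAAA\n"
                    "-----END RSA PRIVATE KEY-----\n")
LEGACY_PLAIN = "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n"
# The three auth.log lines A32 posted (FUS is his hostname).
AUTH_LOG = [
    "May 26 18:56:19 FUS sshd[1612]: error: Could not load host key: /etc/ssh/ssh_host_key",
    "May 26 18:56:19 FUS sshd[1612]: error: Could not load host key: /etc/ssh/ssh_host_rsa_key",
    "May 26 18:56:19 FUS sshd[1612]: error: Could not load host key: /etc/ssh/ssh_host_dsa_key",
]

if __name__ == "__main__":
    # A32's /etc/ssh after his first attempt: RSA key with passphrase, SSH1 key missing.
    etc_ssh = {"ssh_host_rsa_key": LEGACY_ENCRYPTED, "ssh_host_key": None,
               "ssh_host_dsa_key": fake_openssh_key(b"none", b"none")}
    for name, state in sorted(check_host_keys(etc_ssh).items()):
        print(f"{name}: {state}")
    print("sshd failed to load:", keys_sshd_failed_to_load(AUTH_LOG))
```

To run it against a real box, read each /etc/ssh/ssh_host_*_key (as root) into the dict that check_host_keys takes, and feed lines from /var/log/auth.log to keys_sshd_failed_to_load. A key reported as "encrypted" is exactly the situation in this thread: regenerate it with ssh-keygen -N '' as sweh shows and restart sshd. The check only inspects the file header, so it tells you whether sshd will be able to open the key without a passphrase, not whether the key material itself is sound.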
|
|