| Linode Forum https://forum.linode.com/ |
|
| SSH keys don't do anything https://forum.linode.com/viewtopic.php?f=19&t=8216 |
| Author: | Torva [ Fri Dec 23, 2011 5:32 am ] |
| Post subject: | SSH keys don't do anything |
I tried to enable SSH access to avoid having to supply a password each login, by uploading my public key generated by OpenSSH on my local FreeBSD box (it defaults to SSH2). I tried it for use with Lish by copy/pasting the key into the on-line dashboard, and with SSH by putting the key into the file /root/.ssh/authorized_keys as well as the ordinary user /jeff/.ssh/authorized_keys. I have the same key file on my local machine. But I'm still asked for a password when I attempt to log in with Lish via SSH, SSH directly, or using Rsync.
If you place the public keys (file permissions = 644) in that directory, is it just supposed to log you in without prompting for a password? Do I need to reboot the server first? Can't figure out what I'm doing wrong.
The key was generated with a passphrase. If all was working properly, would the passphrase have to be supplied even if the password was not? I'm trying to get this working so that I can run rsync via a local CRON script automatically. If using a script, should I not use a passphrase?
The docs on Linode, and others they point to, don't really explain very well how this is all supposed to work. |
|
| Author: | retrograde inversion [ Fri Dec 23, 2011 5:54 am ] |
| Post subject: | |
Pass the -v option to your ssh command line and examine the debug output. Is ssh picking up on your key? If it is, is it then accepting the key? Also make sure your .ssh/authorized_keys file is correct: keytype followed by key, no stray newlines in the key, ... |
|
| Author: | Azathoth [ Fri Dec 23, 2011 6:25 am ] |
| Post subject: | |
Permissions should be 600 not 644. Also, I suppose you did check sshd_config to see if PubkeyAuthentication is set to yes?
Using a passphrase for the key is highly recommended, so you might wish to add the key to ssh-agent on your local computer.
Things to man and google for more info: sshd_config, ssh_config, ssh-agent |
|
| Author: | NeonNero [ Fri Dec 23, 2011 8:14 am ] |
| Post subject: | |
I don't know if this will work for you, but the file name for the authorized keys on my servers is ~/.ssh/authorized_keys2 (where "~" is the user's home directory). Note the number 2 at the end of the file name. I'm also using OpenSSH. |
|
| Author: | db3l [ Fri Dec 23, 2011 7:51 pm ] |
| Post subject: | |
Note that authorized_keys2 (and known_hosts2) were deprecated with the release of OpenSSH 3.0 (back in late 2001). Originally they were introduced to differentiate keys for SSHv2 versus v1.x, but I'd be pretty surprised if any distribution currently in use at Linode needs them. (Actually I'm even mildly surprised OpenSSH is still reading them at this point.)
-- David |
|
| Author: | Torva [ Sat Dec 24, 2011 12:48 am ] |
| Post subject: | |
Thanks for all the advice! I just had to reboot my local FreeBSD box. All is well... |
|
| Author: | Torva [ Sat Dec 24, 2011 3:59 am ] |
| Post subject: | Rsync with or without an SSH private key pass phrase |
An added note: I tried to set up my local box to use rsync via CRON with my private key that has a pass phrase. It's not worth the hassle unless you think someone may steal your computer. You have to use a script to get SSH to use the SSH agent every time you boot up your local box, and you have to supply the pass phrase at boot up as well. See this method: http://meinit.nl/using-rsync-from-cron- ... passphrase
I punted and regenerated a private key without a pass phrase - actually you can keep the current key and remove the pass phrase with: 'ssh-keygen -p', enter the old passphrase, and then hit CR each time for the new one.
Also Filezilla (I'm using version 3.5.2) isn't yet able to work with private keys that have a pass phrase.
The benefit of using keys for SSH is that you can then disable access to the server using a password and not have to worry anymore about brute force attacks. Just edit /etc/ssh/sshd_config and add "PasswordAuthentication no". |
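Added example, not part of any post in this thread: sshd_config uses the first value it reads for each keyword, and lines after a Match line are conditional, so a "PasswordAuthentication no" appended to the end of the file may not take effect. The sketch below resolves the global value of the two keywords mentioned in the thread; the function name and both sample configs are constructed, Include files are not followed, and the defaults are upstream OpenSSH's.

```python
# Upstream OpenSSH defaults when a keyword is absent (assumption: not patched by the distro).
DEFAULTS = {"pubkeyauthentication": "yes", "passwordauthentication": "yes"}

def effective_settings(config_text):
    """Return (global values, notes) for the keywords in DEFAULTS."""
    values, notes = {}, []
    in_match = False
    for number, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # "Keyword value" and "Keyword=value" are both accepted; keywords ignore case.
        parts = line.replace("=", " ", 1).split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip().strip('"').lower() if len(parts) > 1 else ""
        if keyword == "match":
            in_match = True  # everything below is conditional until the next Match
            continue
        if keyword not in DEFAULTS:
            continue
        if in_match:
            notes.append("line %d: %s %s is inside a Match block, not global"
                         % (number, parts[0], value))
        elif keyword in values:
            notes.append("line %d: %s %s ignored, already set to %s"
                         % (number, parts[0], value, values[keyword]))
        else:
            values[keyword] = value  # first occurrence wins
    return dict(DEFAULTS, **values), notes

# Constructed sample: the new line appended below an existing setting and a Match block.
APPENDED = """\
PubkeyAuthentication yes
PasswordAuthentication yes
Match User backup
    X11Forwarding no
PasswordAuthentication no
"""

# Constructed sample: the existing global line edited instead.
EDITED = """\
PubkeyAuthentication yes
PasswordAuthentication no
Match User backup
    X11Forwarding no
"""

if __name__ == "__main__":
    for name, text in (("appended", APPENDED), ("edited", EDITED)):
        print(name, effective_settings(text))
```

On a real server, `sshd -T` prints the effective configuration after a change; sshd must reload its configuration before the change applies.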
|
| Author: | Torva [ Sun Dec 25, 2011 12:30 pm ] |
| Post subject: | |
Another note: I use PCBSD and Ubuntu with KDE on different machines and set up the key files on both. I use KDE's file manager, Dolphin, which supports SFTP. Now I don't need Filezilla anymore. I can use my file manager transparently and even launch a text editor or other program by double clicking any file, do my editing, and save it as usual. |
|
| Author: | hybinet [ Sun Dec 25, 2011 4:56 pm ] |
| Post subject: | Re: SSH keys don't do anything |
Hmm, it's really odd that you had to reboot your LOCAL box. By the way, if anyone else is wondering...
Torva wrote: putting the key into the file /root/.ssh/authorized_keys as well as the ordinary user /jeff/.ssh/authorized_keys. I have the same key file on my local machine.
The file on the server should be named authorized_keys, and it should contain your public key (one line). The file on your local machine should be named id_rsa, and it should contain your private key (many lines). Having the same key in both places doesn't do anything, because public key cryptography requires a pair of keys. Public on the server, private on your local machine.
Azathoth wrote: Permissions should be 600 not 644.
The authorized_keys file can be either 644 or 600. After all, it only contains your public key, and public keys are safe to disclose to others. The id_rsa file on your local machine should be 600, because it contains your private key. SSH will refuse to use a private key with any other permission. |
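Added example, not part of any post in this thread: a check of authorized_keys content for the problems raised above (key type followed by key data, a key broken by a stray newline, private key material pasted on the server). It assumes plain public keys whose data is a sequence of length-prefixed fields; the function names are hypothetical and the sample key is a constructed all-zero blob.

```python
import base64
import struct

def ssh_string(data):
    """Length-prefixed field as used inside SSH public key blobs."""
    return struct.pack(">I", len(data)) + data

def check_key_line(line):
    """Return None if the line is a plausible authorized_keys entry, else a reason."""
    text = line.strip()
    if not text or text.startswith("#"):
        return None  # sshd ignores blank lines and comments
    if "PRIVATE KEY" in text:
        return "private key material; only the one-line public key belongs here"
    fields = text.split()
    # Options may come first, so find the first field that looks like a key type.
    idx = next((i for i, f in enumerate(fields)
                if f.startswith(("ssh-", "ecdsa-", "sk-"))), None)
    if idx is None:
        return "no key type field (continuation of a wrapped key?)"
    if idx + 1 >= len(fields):
        return "key type without key data"
    try:
        blob = base64.b64decode(fields[idx + 1], validate=True)
        pos, parts = 0, []
        while pos < len(blob):  # walk the length-prefixed fields to the end
            (n,) = struct.unpack(">I", blob[pos:pos + 4])
            parts.append(blob[pos + 4:pos + 4 + n])
            pos += 4 + n
        if pos != len(blob) or not parts:
            return "key data truncated (stray newline in the key?)"
        inner = parts[0].decode("ascii")
    except (ValueError, struct.error):
        return "key data is not intact (stray newline in the key?)"
    if inner != fields[idx]:
        return "key type %s does not match type inside key data (%s)" % (fields[idx], inner)
    return None

def audit(text):
    """Return [(line number, reason)] for every suspicious line."""
    checked = ((n, check_key_line(l)) for n, l in enumerate(text.splitlines(), 1))
    return [(n, reason) for n, reason in checked if reason]

# Constructed sample: an all-zero ed25519 blob, not a real key.
GOOD = "ssh-ed25519 " + base64.b64encode(
    ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))).decode() + " jeff@local"
WRAPPED = GOOD[:40] + "\n" + GOOD[40:]  # the same key broken by a stray newline
SAMPLE = "\n".join([GOOD, WRAPPED, "-----BEGIN RSA PRIVATE KEY-----"])

if __name__ == "__main__":
    for number, reason in audit(SAMPLE):
        print("line %d: %s" % (number, reason))
```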
|
| Author: | Torva [ Mon Dec 26, 2011 7:13 am ] |
| Post subject: | |
I also wouldn't have thought rebooting my local machine would be required, and in fact it may have been coincidence. I actually have no idea why the next day it just started working. Correct me if I'm wrong but don't you also need the public key to be in /authorized_keys on your local machine as well as the server? |
|
| Author: | hoopycat [ Mon Dec 26, 2011 8:27 am ] |
| Post subject: | |
Torva wrote: Correct me if I'm wrong but don't you also need the public key to be in /authorized_keys on your local machine as well as the server?
Only if you want to be able to use that public key when connecting to your local machine. |
|
| All times are UTC-04:00 |
|