ok people,
server is 9.3 SUSE OpenSSH
XP box is WinSCP. I made a public & private key with PuTTY, copy-pasted the public key to a text file, renamed it public.pub, put it in /home/xxxx/.ssh
did:
touch authorized_keys
chmod 600 authorized_keys
cat public.pub >>authorized_keys
rm public.pub
loaded private key (private.ppk) in Pageant on the XP box
but cannot login why????
----------------------------------------------------------------
here is my ssh file:
.............................
# $OpenBSD: ssh_config,v 1.19 2003/08/13 08:46:31 markus Exp $

# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for various options

Host *
#   ForwardAgent no
#   ForwardX11 no

# If you do not trust your remote host (or its administrator), you
# should not forward X11 connections to your local X11-display for
# security reasons: Someone stealing the authentication data on the
# remote side (the "spoofed" X-server by the remote sshd) can read your
# keystrokes as you type, just like any other X11 client could do.
# Set this to "no" here for global effect or in your own ~/.ssh/config
# file if you want to have the remote X11 authentication data to
# expire after two minutes after remote login.
ForwardX11Trusted yes
#   RhostsRSAAuthentication no
#   DSAAuthentication yes
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   Port 22
#   Protocol 2
#   Cipher 3des
#   Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
#   EscapeChar ~
#   GSSAPIAuthentication no
#   GSSAPIDelegateCredentials no
# Set this to 'yes' to enable support for the deprecated 'gssapi' authentication
# mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included
# in this release. The use of 'gssapi' is deprecated due to the presence of
# potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.
#   GSSAPIEnableMITMAttack no
# This enables sending locale environment variables LC_* LANG, see ssh_config(5).
SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
SendEnv LC_IDENTIFICATION LC_ALL
............................
............................
sshd file
.............................
# $OpenBSD: sshd_config,v 1.69 2004/05/23 23:59:53 dtucker Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#Protocol 2,1 ; this is the original line, interpreted as the following:
Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6

# the following line was added in response to vosberg: piet
#DSAAuthentication yes
RSAAuthentication yes
#PubkeyAuthentication yes
AuthorizedKeysFile ~/.ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# Set this to 'yes' to enable support for the deprecated 'gssapi' authentication
# mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included
# in this release. The use of 'gssapi' is deprecated due to the presence of
# potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.
#GSSAPIEnableMITMAttack no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
#UsePAM yes

#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes
#ClientAliveInterval 0
ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem sftp /usr/lib/ssh/sftp-server

# This enables accepting locale environment variables LC_* LANG, see sshd_config(5).
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
......................................................................
regards, piet
piet wrote:
ok people,
server is 9.3 SUSE OpenSSH
XP box is WinSCP. I made a public & private key with PuTTY, copy-pasted the public key to a text file, renamed it public.pub, put it in /home/xxxx/.ssh
did: touch authorized_keys; chmod 600 authorized_keys; cat public.pub >>authorized_keys; rm public.pub
loaded private key (private.ppk) in Pageant on the XP box
but cannot login why????
[snipped]
# This enables accepting locale environment variables LC_* LANG, see sshd_config(5).
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
......................................................................
[snipped]
I had to comment out the lines above in order to make it work for me. The reason is, I guess, related to your ssh version.
Cheers,
Miguel Albuquerque
Network Administrator
CODaLIS SA
Chemin de Trèfle-Blanc 18, 1228 Plan-Les-Ouates / CH
TEL : +41 22 827 30 80 FAX : +41 22 827 30 33 http://www.codalis.ch
DISCLAIMER - This message is intended for the use of the named person only. The information contained in this E-mail is confidential and any disclosure, copying, distribution or taking any action in reliance on the contents of this information is strictly prohibited. This message does not represent a formal commitment by Codalis SA. Codalis SA is neither liable for the proper and complete transmission of the information contained in this communication nor for any delay in its receipt.
Hi,
Miguel ALBUQUERQUE wrote:
piet wrote on 14.12.2005 17:04:19:
ok people,
server is 9.3 SUSE OpenSSH
XP box is WinSCP. I made a public & private key with PuTTY, copy-pasted the public key to a text file, renamed it public.pub, put it in /home/xxxx/.ssh
You did export it as an OpenSSH key, right?
did: touch authorized_keys; chmod 600 authorized_keys; cat public.pub >>authorized_keys; rm public.pub
loaded private key (private.ppk) in Pageant on the XP box
but cannot login why????
I guess, because you didn't ;-) .
Give it a try the other way:
use ssh-keygen on the Linux box.
ssh-keygen -b 4096 -t rsa -C my_linux_box_key -f my_linux_box_key
Give a proper passphrase.
cat my_linux_box_key.pub >> authorized_keys
Copy the my_linux_box_key to your Windows box, and open the key with puttygen. Save it afterwards in ppk format and use this key to connect to the Linux box.
Test the connection.
Delete the private key on the Linux box.
Have fun.
Dirk
TRIA IT-consulting GmbH, Joseph-Wild-Straße 20, 81829 München, Germany
Tel: +49 (89) 92907-0 Fax: +49 (89) 92907-100 http://www.tria.de
Register court München HRB 113466, VAT ID DE 180017238, Tax no. 802/40600
Managing director: Richard Hofbauer, commercial management: Rosa Igl
--------------------------------------------------------
Message from: Dirk.Schreiner@tria.de
Message to: miguel.albuquerque@codalis.ch, prooroa@wanadoo.nl, suse-security@suse.com
# Attachments: 0
Dirk Schreiner wrote:
Hi,
Miguel ALBUQUERQUE wrote:
piet
wrote on 14.12.2005 17:04:19: ok people,
server is 9.3 SUSE OpenSSH
XP box is WinSCP. I made a public & private key with PuTTY, copy-pasted the public key to a text file, renamed it public.pub, put it in /home/xxxx/.ssh
PuTTYgen on my XP box stated I should copy & paste the key for OpenSSH: so that's what I did.
You did export it as an OpenSSH key, right?
did: touch authorized_keys; chmod 600 authorized_keys; cat public.pub >>authorized_keys; rm public.pub
loaded private key (private.ppk) in Pageant on the XP box
but cannot login why????
I guess, because you didn't ;-) .
Give it a try the other way:
use ssh-keygen on the Linux box.
ssh-keygen -b 4096 -t rsa -C my_linux_box_key -f my_linux_box_key
Give a proper passphrase.
cat my_linux_box_key.pub >> authorized_keys
Copy the my_linux_box_key to your Windows box, and open the key with puttygen. Save it afterwards in ppk format and use this key to connect to the Linux box.
Test the connection.
connection failed.... so I guess there is something else wrong.. but what??
Delete the private key on the Linux box.
Have fun.
Dirk
Hi, piet schrieb:
Dirk Schreiner wrote:
Hi,
Miguel ALBUQUERQUE wrote:
piet
wrote on 14.12.2005 17:04:19: ok people,
server is 9.3 SUSE OpenSSH
XP box is WinSCP. I made a public & private key with PuTTY, copy-pasted the public key to a
PuTTYgen on my XP box stated I should copy & paste the key for OpenSSH: so that's what I did.
Hmm, line endings? (Btw. I had problems doing so with older PuTTY versions. So I stopped doing it that way.)
text file: renamed it public.pub
[...]
Test the connection.
connection failed.... so I guess there is something else wrong.. but what??
Hmm, maybe sshd is configured for ssh2 only and PuTTY tries to connect using ssh v1. (Just guessing.)
If this doesn't help please post the output of PuTTY _and_ syslog | grep sshd.
Dirk
Dirk Schreiner wrote:
Hi,
piet schrieb:
Dirk Schreiner wrote:
Hi,
Miguel ALBUQUERQUE wrote:
piet
wrote on 14.12.2005 17:04:19: ok people,
server is 9.3 SUSE OpenSSH
XP box is WinSCP. I made a public & private key with PuTTY, copy-pasted the public key to a
PuTTYgen on my XP box stated I should copy & paste the key for OpenSSH: so that's what I did.
Hmm, line endings? (Btw. I had problems doing so with older PuTTY versions. So I stopped doing it that way.)
text file: renamed it public.pub
[...]
Test the connection.
connection failed.... so I guess there is something else wrong.. but what??
Hmm, maybe sshd is configured for ssh2 only and PuTTY tries to connect using ssh v1. (Just guessing.)
If this doesn't help please post the output of PuTTY _and_ syslog | grep sshd.
Dirk
ok, to copy and paste all the info is too complicated now, but the WinSCP log states a fingerprint at the host (I assume my SUSE 9.3 server) has 1024, but as I followed your mail you advised 4096. So why is the fingerprint 1024??? instead of 4096,
regards, piet
Dirk Schreiner said:
Miguel ALBUQUERQUE wrote:
piet
wrote on 14.12.2005 17:04:19: I made a public & private key with PuTTY, copy-paste the public to a text file: renamed it public.pub put it in /home/xxxx/.ssh
You did export it as an OpenSSH key, right? [...] Give it a try the other way:
use ssh-keygen on the Linux box.
ssh-keygen -b 4096 -t rsa -C my_linux_box_key -f my_linux_box_key
Give a proper passphrase.
cat my_linux_box_key.pub >> authorized_keys
Copy the my_linux_box_key to your Windows box, and open the key with puttygen. Save it afterwards in ppk format and use this key to connect to the Linux box.
It's better to convert the public key from PuTTY into OpenSSH format.
This can be done by hand or with ssh-keygen:
ssh-keygen -i -f public.pub > ~/.ssh/public_openssh.pub
cat public_openssh.pub >>authorized_keys
And don't forget to remove the previous entries for this key from
authorized_keys.
What is the output if you try to connect with PuTTY to your SUSE server?
Try: plink.exe -v -i <user>@<host>
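Converting a puttygen public key to the one-line OpenSSH form, as an added example that is not part of Michel's post or anything else in this thread: it does what `ssh-keygen -i -f` does above, in portable sh + awk, and also covers the two pitfalls raised elsewhere in the thread, CR line endings from a Windows editor (Dirk's "line endings?") and duplicate entries (Michel's reminder to remove the old ones). The function names `rfc4716_to_openssh` and `append_authorized_key` are chosen here, and the key in `demo` is a constructed filler blob in puttygen's "Save public key" layout, not a usable key; only the parsing is exercised.

```sh
#!/bin/sh
# Added example (not from the thread). The "---- BEGIN SSH2 PUBLIC KEY ----"
# file puttygen saves is RFC 4716 format: header lines ("Comment: ..."),
# possibly continued with a trailing backslash, followed by the base64 key
# blob split over several lines. authorized_keys wants one line:
#   <keytype> <base64 blob> [comment]

# rfc4716_to_openssh FILE -> prints the OpenSSH one-line form on stdout.
rfc4716_to_openssh() {
    awk '
        { sub(/\r$/, "") }                              # tolerate CRLF files
        /^---- BEGIN SSH2 PUBLIC KEY ----$/ { inkey = 1; next }
        /^---- END SSH2 PUBLIC KEY ----$/   { inkey = 0; next }
        !inkey { next }
        cont || /^[A-Za-z][A-Za-z0-9-]*: / {            # header (+ continuation)
            line = $0
            if (!cont) {
                name = substr(line, 1, index(line, ":") - 1)
                line = substr(line, index(line, ":") + 2)
            }
            cont = (substr(line, length(line)) == "\\")
            if (cont) line = substr(line, 1, length(line) - 1)
            hdr[name] = hdr[name] line
            next
        }
        { body = body $0 }                              # base64 payload
        END {
            # The blob starts with a length-prefixed key type string, so the
            # first base64 characters identify it without decoding.
            if      (substr(body, 1, 15) == "AAAAB3NzaC1yc2E")      type = "ssh-rsa"
            else if (substr(body, 1, 15) == "AAAAB3NzaC1kc3M")      type = "ssh-dss"
            else if (substr(body, 1, 20) == "AAAAC3NzaC1lZDI1NTE5") type = "ssh-ed25519"
            else { print "unrecognised key blob" > "/dev/stderr"; exit 1 }
            comment = hdr["Comment"]
            gsub(/^"|"$/, "", comment)                  # puttygen quotes it
            printf "%s %s%s\n", type, body, (comment == "" ? "" : " " comment)
        }
    ' "$1"
}

# append_authorized_key KEYLINE [FILE] -> appends KEYLINE to FILE (default
# ~/.ssh/authorized_keys) unless the same blob is already there, and sets
# the modes sshd's StrictModes expects (directory 700, file 600).
append_authorized_key() {
    keyline=$1
    akf=${2:-$HOME/.ssh/authorized_keys}
    blob=$(printf '%s\n' "$keyline" | awk '{ print $2 }')
    mkdir -p "$(dirname "$akf")"
    chmod 700 "$(dirname "$akf")"
    touch "$akf"
    chmod 600 "$akf"
    if grep -qF -- "$blob" "$akf"; then
        echo "key already present in $akf" >&2
        return 0
    fi
    printf '%s\n' "$keyline" >> "$akf"
}

# demo: constructed sample input (filler blob, not a real key) in a temp dir.
demo() {
    t=$(mktemp -d)
    cat > "$t/public.pub" <<'EOF'
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-20051214"
AAAAB3NzaC1yc2EAAAABIwAAAIEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rb
TrTtw7JNmnTtwiQ+2aGQ9vf7oCp3pE7Uh0y0Ku9ju1gQ0Yxp4bUnH7rXsCvMw4qH6G1N
Qw==
---- END SSH2 PUBLIC KEY ----
EOF
    line=$(rfc4716_to_openssh "$t/public.pub")
    echo "$line"
    append_authorized_key "$line" "$t/authorized_keys"
    append_authorized_key "$line" "$t/authorized_keys"   # second call is a no-op
    cat "$t/authorized_keys"
    rm -rf "$t"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh convert.sh demo` to see the round trip, or source it and call `rfc4716_to_openssh public.pub` on a real puttygen export; if the output differs from `ssh-keygen -i -f public.pub` on the same file, something in the file is off (CR characters, a wrapped header, a pasted fragment) and that is exactly what sshd would reject.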
Michel Messerschmidt wrote:
Dirk Schreiner said:
Miguel ALBUQUERQUE wrote:
piet
wrote on 14.12.2005 17:04:19: I made a public & private key with PuTTY, copy-pasted the public key to a text file, renamed it public.pub, put it in /home/xxxx/.ssh
You did export it as an OpenSSH key, right? [...] Give it a try the other way:
use ssh-keygen on the Linux box.
ssh-keygen -b 4096 -t rsa -C my_linux_box_key -f my_linux_box_key
Give a proper passphrase.
cat my_linux_box_key.pub >> authorized_keys
Copy the my_linux_box_key to your Windows box, and open the key with puttygen. Save it afterwards in ppk format and use this key to connect to the Linux box.
It's better to convert the public key from PuTTY into OpenSSH format. This can be done by hand or with ssh-keygen:
ssh-keygen -i -f public.pub > ~/.ssh/public_openssh.pub
cat public_openssh.pub >>authorized_keys
And don't forget to remove the previous entries for this key from authorized_keys.
What is the output if you try to connect with PuTTY to your SUSE server? Try: plink.exe -v -i <user>@<host>
good morning to all,
one thing that strikes me is that the files generated on XP are executable; should this be changed? I frolicked with that without result.
to avoid being trapped in some 4096/1024 bug, I am trying (without success) a regular RSA 1024 key, as that's the default with PuTTY or WinSCP.
If I turn PAM password on in sshd_config I can log on, so I guess (?) there is no firewall problem.
Maybe it is an idea to let ssh-keygen make the PuTTY key too... is that possible?
piet
...................................................................
here is the plink output:
plink -v -i my_SuSE_priv_key.ppk piet@192.168.0.3
Server version: SSH-2.0-OpenSSH_3.9p1
We claim version: SSH-2.0-PuTTY_Release_0.58
Using SSH protocol version 2
Doing Diffie-Hellman group exchange
Doing Diffie-Hellman key exchange
Host key fingerprint is:
ssh-rsa 1024 f8:e3:73:18:44:78:f8:48:0c:5c:89:c3:8a:01:f1:64
Initialised AES-256 client->server encryption
Initialised HMAC-SHA1 client->server MAC algorithm
Initialised AES-256 server->client encryption
Initialised HMAC-SHA1 server->client MAC algorithm
Using username "piet".
Reading private key file "my_SuSE_priv_key.ppk"
Offered public key
Server refused our key
Server refused public key
Keyboard-interactive authentication refused
No supported authentication methods left to try!
No supported authentications offered. Disconnecting
Server closed network connection
Good Morning @all. piet schrieb:
Michel Messerschmidt wrote:
Dirk Schreiner said:
Miguel ALBUQUERQUE wrote:
piet
wrote on 14.12.2005 17:04:19: I made a public & private key with PuTTY, copy-pasted the public key to a text file, renamed it public.pub, put it in /home/xxxx/.ssh
You did export it as an OpenSSH key, right? [...] Give it a try the other way:
use ssh-keygen on the Linux box.
ssh-keygen -b 4096 -t rsa -C my_linux_box_key -f my_linux_box_key
Give a proper passphrase.
cat my_linux_box_key.pub >> authorized_keys
Copy the my_linux_box_key to your Windows box, and open the key with puttygen. Save it afterwards in ppk format and use this key to connect to the Linux box.
It's better to convert the public key from PuTTY into OpenSSH format. This can be done by hand or with ssh-keygen:
ssh-keygen -i -f public.pub > ~/.ssh/public_openssh.pub
cat public_openssh.pub >>authorized_keys
I guess it doesn't matter whether you convert PuTTY-->ssh or vice versa. PuTTY-->ssh didn't work with older PuTTY versions, but this should be fixed today.
Important is --> it works for you.
And don't forget to remove the previous entries for this key from authorized_keys.
What is the output if you try to connect with PuTTY to your SUSE server? Try: plink.exe -v -i <user>@<host>
good morning to all,
one thing that strikes me is that the files generated on XP are executable; should this be changed? I frolicked with that without result.
to avoid being trapped in some 4096/1024 bug, I am trying (without success) a regular RSA 1024 key, as that's the default with PuTTY or WinSCP.
This is no bug, but the level of security. Nowadays 1024-bit PPK keys are no longer considered secure. (This is not from me, but from B. Schneier.) Use a minimum of 2048 bits, or if you want to be secure in the future, think of using 4096 bits.
Btw. this is your personal key. SuSE generates the host key with a size of 1024 bits. You can change this by substituting every 1024 by 2048 in /etc/init.d/sshd, removing every HostKey in /etc/ssh/ and restarting sshd. (Do this locally, until you really know what you do ;-) )
Another thing: puttygen often bluescreens generating keys with 4096 bits ;-) (At least on my system.)
If I turn PAM password on in sshd_config I can log on, so I guess (?) there is no firewall problem.
Maybe it is an idea to let ssh-keygen make the PuTTY key too... is that possible?
piet
...................................................................
here is the plink output:
plink -v -i my_SuSE_priv_key.ppk piet@192.168.0.3
Server version: SSH-2.0-OpenSSH_3.9p1
We claim version: SSH-2.0-PuTTY_Release_0.58
Using SSH protocol version 2
Doing Diffie-Hellman group exchange
Doing Diffie-Hellman key exchange
Host key fingerprint is:
ssh-rsa 1024 f8:e3:73:18:44:78:f8:48:0c:5c:89:c3:8a:01:f1:64
Initialised AES-256 client->server encryption
Initialised HMAC-SHA1 client->server MAC algorithm
Initialised AES-256 server->client encryption
Initialised HMAC-SHA1 server->client MAC algorithm
Using username "piet".
Reading private key file "my_SuSE_priv_key.ppk"
Offered public key
Server refused our key
Server refused public key
Keyboard-interactive authentication refused
No supported authentication methods left to try!
No supported authentications offered. Disconnecting
Server closed network connection
As you can see, the server is refusing the key. So please try a login, and afterwards mail the output of:
grep "sshd" /var/log/* | tail -n 100
And just to be sure, do this beforehand:
su - {user}
chmod -R 600 .ssh
exit
Dirk
Hello,
On Thursday, 15 December 2005 11:42, Dirk Schreiner wrote:
And just to be sure, do this beforehand:
su - {user}
chmod -R 600 .ssh
This is too strict - directories with mode 600 (without x) can't be entered anymore.
Better use chmod -R go-rwx .ssh to remove all permissions for group and others.
Regards,
Christian Boltz
--
Do you have another suggestion for how I could speed up the system? Throw it out of the window. Acceleration of 9.82 m/s² [> Jan Voehringer and Holger Krull in suse-linux]
Christian Boltz wrote:
Hello,
On Thursday, 15 December 2005 11:42, Dirk Schreiner wrote:
And just to be sure, do this beforehand:
su - {user}
chmod -R 600 .ssh
This is too strict - directories with mode 600 (without x) can't be entered anymore.
Better use chmod -R go-rwx .ssh to remove all permissions for group and others.
Regards,
Christian Boltz
there now is server contact, keys are accepted, but the session is terminated by: server refuses to do a shell command. anyone's guess is better than mine,
regards, piet
piet
wrote on 14.12.2005 17:04:19: ok people,
server is 9.3 suse open ssh
XP box is WinSCP. I made a public & private key with PuTTY, copy-pasted the public key to a text file, renamed it public.pub, put it in /home/xxxx/.ssh
did: touch authorized_keys; chmod 600 authorized_keys; cat public.pub >>authorized_keys; rm public.pub
loaded private key (private.ppk) in Pageant on the XP box
but cannot login why????
[snipped]
# This enables accepting locale environment variables LC_* LANG, see sshd_config(5).
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
......................................................................
[snipped]
I had to comment out the lines above in order to make it work for me. The reason is, I guess, related to your ssh version.
Cheers,
Miguel Albuquerque
Network Administrator
CODaLIS SA
[...]
I put a # in front of all of them (in sshd, as I assumed) but it did not help...
Piet, I think you have an error in your sshd_config file:
# the following line was added in response to vosberg: piet
#DSAAuthentication yes
RSAAuthentication yes
#PubkeyAuthentication yes
AuthorizedKeysFile ~/.ssh/authorized_keys
As this is read by the sshd daemon, ~ maps to the home directory of the daemon user :)
Either remove this line (and use the default setting "AuthorizedKeysFile .ssh/authorized_keys") or change it to "AuthorizedKeysFile %h/.ssh/authorized_keys".
Also remember that "PubkeyAuthentication" must be set to yes (should be no problem, because it's the default). "RSAAuthentication" is for protocol version 1 only and may be disabled.
See `man sshd_config` for further details.
HTH,
Michel
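A check for the two things the thread ended up on, written here as an added example and not part of Michel's, Christian's or anyone else's post: the `AuthorizedKeysFile ~/.ssh/authorized_keys` line that sshd does not expand per user (the fix is the relative default or `%h/`), and the permission state sshd's StrictModes rejects silently, including the `chmod -R 600 .ssh` state that leaves the directory unsearchable. The function names, the use of `ls -ld` for portability between GNU and BSD `stat`, and the constructed sshd_config fragment in the usage branch are choices made here, not from the thread.

```sh
#!/bin/sh
# Added example (not from the thread). sshd parses AuthorizedKeysFile itself:
# it does not run a shell, so "~" is not the logging-in user's home; the
# built-in default ".ssh/authorized_keys" is relative to that home and "%h"
# expands to it. With StrictModes (the default) sshd also ignores the key
# file when the home directory, ~/.ssh or authorized_keys is group/world
# writable or not owned by the user, and logs only "Authentication refused:
# bad ownership or modes" on the server side.

# effective_authorized_keys_file CONFIG -> prints the value sshd will use
# (first occurrence wins, keyword is case-insensitive, commented lines are
# skipped); returns 1 if it begins with "~", which sshd never expands.
effective_authorized_keys_file() {
    val=$(awk 'tolower($1) == "authorizedkeysfile" { print $2; exit }' "$1")
    [ -n "$val" ] || val=".ssh/authorized_keys"      # sshd's built-in default
    printf '%s\n' "$val"
    case $val in
        "~"*) return 1 ;;
        *)    return 0 ;;
    esac
}

# fix_authorized_keys_file CONFIG -> CONFIG on stdout with a leading "~/" in
# AuthorizedKeysFile rewritten to "%h/", the per-user home token sshd knows.
fix_authorized_keys_file() {
    awk 'tolower($1) == "authorizedkeysfile" && substr($2, 1, 2) == "~/" {
             $2 = "%h" substr($2, 2)
         }
         { print }' "$1"
}

# strict_modes_check HOME [USER] -> lists what StrictModes would reject for
# USER (default: the caller) and returns 1 if anything was listed.
strict_modes_check() {
    home=$1
    user=${2:-$(id -un)}
    rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing or unreachable: $p"; rc=1; continue
        fi
        info=$(ls -ld "$p" 2>/dev/null)
        mode=$(printf '%s' "$info" | cut -c1-10)        # e.g. drwx------
        owner=$(printf '%s' "$info" | awk '{ print $3 }')
        ox=$(printf '%s' "$mode" | cut -c4)             # owner x (search) bit
        gw=$(printf '%s' "$mode" | cut -c6)             # group w bit
        ow=$(printf '%s' "$mode" | cut -c9)             # other w bit
        if [ "$owner" != "$user" ] && [ "$owner" != root ]; then
            echo "not owned by $user or root: $p ($owner)"; rc=1
        fi
        if [ "$gw" != "-" ] || [ "$ow" != "-" ]; then
            echo "group/world writable, StrictModes rejects it: $p $mode"; rc=1
        fi
        if [ -d "$p" ] && [ "$ox" != "x" ] && [ "$ox" != "s" ]; then
            echo "directory not searchable by owner (chmod -R 600?): $p $mode"; rc=1
        fi
    done
    return $rc
}

# Usage: sh sshd_check.sh check  (reads the live sshd_config and $HOME)
if [ "${1:-}" = "check" ]; then
    cfg=/etc/ssh/sshd_config
    if ! akf=$(effective_authorized_keys_file "$cfg"); then
        echo "$cfg: AuthorizedKeysFile $akf starts with ~, sshd will not expand it"
        echo "corrected line would be: $(fix_authorized_keys_file "$cfg" | grep -i '^authorizedkeysfile')"
    fi
    strict_modes_check "$HOME" && echo "$HOME: modes and ownership are StrictModes-clean"
fi
```

The ownership and mode tests mirror what sshd's `secure_filename()` walks on every public-key attempt; the permission fix that satisfies both them and Christian's point is `chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys` (or `chmod -R go-rwx ~/.ssh`, which leaves the owner's x bit on the directory alone).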
participants (5): Christian Boltz, Dirk Schreiner, Michel Messerschmidt, Miguel ALBUQUERQUE, piet