[opensuse] ssh key generation
Hi all,

I've done the following procedure to get a passwordless login on a remote server:

as root:

    $ ssh-keygen
    Enter file in which to save the key (/home/your_user/.ssh/id_rsa): <Enter>
    Enter passphrase (empty for no passphrase): <Enter>
    Enter same passphrase again: <Enter>
    Your identification has been saved in /root/.ssh/id_rsa.
    Your public key has been saved in /root/.ssh/id_rsa.pub.
    The key fingerprint is:
    (-:) co:ec:aa:a1:de:34:5c:95:24:1d:25:4a:84:aq:65:ca root@server
    The key's randomart image is:
    +--[ RSA 2048]----+
    | .*******        |
    | ..B-.-.         |
    | kjak            |
    | . ..+<-,        |
    | . #+#^´         |
    | .               |
    |                 |
    |                 |
    |                 |
    +-----------------+

Then I upload the key as root:

    $ ssh-copy-id user@myserver.org
    Password:

message:

    Now try logging into the machine, with "ssh 'user@ssh.yourserver.org'", and check in:
      ~/.ssh/authorized_keys
    to make sure we haven't added extra keys that you weren't expecting.

Now, when I login, the password is asked *again*.

Where does the id_rsa get used? It is in /root/.ssh/ together with id_rsa.pub when generated by ssh-keygen. I am root when performing the login on the remote server at the moment. Later, I will use a dedicated user.

Any suggestions welcome.

:-) Dreiel

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
LLLActive@GMX.Net wrote:
Any suggestions welcome.
You also have to turn off passwords. I have the following in /etc/ssh/ssh_config:

    # To disable tunneled clear text passwords, change to no here!
    PasswordAuthentication no
    #PermitEmptyPasswords no

    # Change to no to disable s/key passwords
    ChallengeResponseAuthentication no
LLLActive@GMX.Net wrote:
Any suggestions welcome.
You also have to turn off passwords. I have the following in /etc/ssh/ssh_config:

    # To disable tunneled clear text passwords, change to no here!
    PasswordAuthentication no
    #PermitEmptyPasswords no

    # Change to no to disable s/key passwords
    ChallengeResponseAuthentication no
Thanks James!

OK, it was the latter, ChallengeResponseAuthentication. It was commented out. Default seems to be 'yes'. Now it seems to get through, but now I have to get the keys put in the right places. I get the message: 'Permission denied (publickey).' It is reading the public key, but where is it comparing?

I am on the client as root, and the keys are under /root/.ssh/. On the server id_rsa.pub was copied to /home/sshuser/.ssh/authorized_keys. I login as the user 'sshuser' onto the server. (I disabled root login for ssh). I get 'Permission denied (publickey)'

I am looking at: http://en.opensuse.org/SDB:Configure_openSSH#Public_Key_Authentication (one of many). I even tried 'AuthorizedKeysFile %h/.ssh/authorized_keys' in /etc/ssh/sshd_config, to no avail.

:-) Dreiel
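James's directive list and Dreiel's finding that a commented-out ChallengeResponseAuthentication still means "yes" both come down to how sshd reads its config: the first uncommented occurrence of a directive wins, a line starting with '#' sets nothing, and a directive that is never set takes the compiled-in default (which is "yes" for both PasswordAuthentication and ChallengeResponseAuthentication). The function below is an added example, not code from the thread; the sample config it inspects is constructed here.

```shell
#!/bin/sh
# Added example (not from the thread): print the value sshd would actually
# use for a directive, given the text of an sshd_config.
# Rules implemented: a '#' line is a comment and sets nothing; the first
# active occurrence of a directive wins; directive names are case-insensitive;
# anything after the first "Match" line is conditional and is ignored here;
# if nothing sets the directive, the supplied default applies.

# Constructed sample, modelled on a stock sshd_config in which the two
# interesting directives only appear as commented-out reminders of the default.
SAMPLE_CONFIG='# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

PubkeyAuthentication yes

Match User backup
    PasswordAuthentication no
'

# effective_option DIRECTIVE CONFIG_TEXT DEFAULT -> prints the effective value
effective_option() {
    printf '%s\n' "$2" | awk -v want="$1" -v def="$3" '
        BEGIN { want = tolower(want) }
        /^[[:space:]]*#/ { next }                        # comment: inert
        /^[[:space:]]*[Mm]atch[[:space:]]/ { exit }      # conditional part: stop
        !found && NF >= 2 && tolower($1) == want { print $2; found = 1 }
        END { if (!found) print def }'
}

# password_logins_possible CONFIG_TEXT -> exit 0 if sshd would still accept a
# password or challenge-response login, 1 if only other methods remain.
# sshd defaults both directives to "yes", so "absent" means "still possible".
password_logins_possible() {
    pw=$(effective_option PasswordAuthentication "$1" yes)
    cr=$(effective_option ChallengeResponseAuthentication "$1" yes)
    [ "$pw" = yes ] || [ "$cr" = yes ]
}

# Demonstration on the constructed sample: both directives are commented out,
# so both fall back to "yes" and password logins remain possible.
printf 'PasswordAuthentication: %s\n' \
    "$(effective_option PasswordAuthentication "$SAMPLE_CONFIG" yes)"
printf 'ChallengeResponseAuthentication: %s\n' \
    "$(effective_option ChallengeResponseAuthentication "$SAMPLE_CONFIG" yes)"
if password_logins_possible "$SAMPLE_CONFIG"; then
    echo 'password logins: still possible'
else
    echo 'password logins: disabled'
fi
```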
On 03/07/2012 10:39 PM, LLLActive@GMX.Net pecked at the keyboard and wrote:
Hi all,
I've done the following procedure to get a passwordless login on a remote server:
as root:
    $ ssh-keygen
    Enter file in which to save the key (/home/your_user/.ssh/id_rsa): <Enter>
    Enter passphrase (empty for no passphrase): <Enter>
    Enter same passphrase again: <Enter>
    Your identification has been saved in /root/.ssh/id_rsa.
    Your public key has been saved in /root/.ssh/id_rsa.pub.
    The key fingerprint is:
    (-:) co:ec:aa:a1:de:34:5c:95:24:1d:25:4a:84:aq:65:ca root@server
    The key's randomart image is:
    +--[ RSA 2048]----+
    | .*******        |
    | ..B-.-.         |
    | kjak            |
    | . ..+<-,        |
    | . #+#^´         |
    | .               |
    |                 |
    |                 |
    |                 |
    +-----------------+

Then I upload the key as root:

    $ ssh-copy-id user@myserver.org
    Password:

message:

    Now try logging into the machine, with "ssh 'user@ssh.yourserver.org'", and check in:
      ~/.ssh/authorized_keys
    to make sure we haven't added extra keys that you weren't expecting.
Now, when I login, the password is asked *again*.
Where does the id_rsa get used? It is in /root/.ssh/ together with id_rsa.pub when generated by ssh-keygen. I am root when performing the login on the remote server at the moment. Later, I will use a dedicated user.
Any suggestions welcome.
:-) Dreiel
This was passed on from David Rankin and worked well for me:

Local Box (client):

(1) create the keys you need with 'ssh-keygen -t dsa'. (just hit return for empty passwords)
    That will create id_dsa and id_dsa.pub in ~/.ssh by default. Give the id_dsa.pub key a usable name used when you copy it over to the remote box:
    (i.e. cp id_dsa.pub id_dsa.pub.$HOSTNAME)

(2) rsync your key with the usable name to the remote box:

    rsync -uav ~/.ssh/id_dsa.pub.$HOSTNAME remote.host.tld:~/.ssh

Remote Box:

(3) ssh into the remote box and append the new usable key to ~/.ssh/authorized_keys i.e.:

    cat ~/.ssh/id_dsa.pub.$HOSTNAME >> ~/.ssh/authorized_keys

** you could just do this step from the Local Box with:

    ssh remote.host 'cat ~/.ssh/id_dsa.pub.$HOSTNAME >> ~/.ssh/authorized_keys'

Don't forget to use the '>>' instead of a '>' much cussing...

HTH
--
Ken Schneider
SuSe since Version 5.2, June 1998
On Thu, 08 Mar 2012 04:39:00 +0100
"LLLActive@GMX.Net"
Hi all,
I've done the following procedure to get a passwordless login on a remote server:
as root:
    $ ssh-keygen
    Enter file in which to save the key (/home/your_user/.ssh/id_rsa): <Enter>
    Enter passphrase (empty for no passphrase): <Enter>
    Enter same passphrase again: <Enter>
    Your identification has been saved in /root/.ssh/id_rsa.
    Your public key has been saved in /root/.ssh/id_rsa.pub.
    The key fingerprint is:
    (-:) co:ec:aa:a1:de:34:5c:95:24:1d:25:4a:84:aq:65:ca root@server
    The key's randomart image is:
    +--[ RSA 2048]----+
    | .*******        |
    | ..B-.-.         |
    | kjak            |
    | . ..+<-,        |
    | . #+#^´         |
    | .               |
    |                 |
    |                 |
    |                 |
    +-----------------+

Then I upload the key as root:

    $ ssh-copy-id user@myserver.org
    Password:

message:

    Now try logging into the machine, with "ssh 'user@ssh.yourserver.org'", and check in:
      ~/.ssh/authorized_keys
    to make sure we haven't added extra keys that you weren't expecting.
Now, when I login, the password is asked *again*.
Where does the id_rsa get used? It is in /root/.ssh/ together with id_rsa.pub when generated by ssh-keygen. I am root when performing the login on the remote server at the moment. Later, I will use a dedicated user.
Any suggestions welcome.
:-) Dreiel
I'm doing this all the time now and the way it's typically set up your procedure should 'just work' with one small change. Don't become root on your local system before generating the public / private key pair. It isn't necessary and is likely the source of your problem. IOW:

as user:

    ssh-keygen                    [enter, enter, enter]
    ssh-copy-id user@domain.tld   [password when prompted]

[This appends the public key in ~/'user'/.ssh/authorized_keys on the remote system]

now, to log in:

    ssh user@domain.tld

That's it. If this doesn't work, the remote host configuration is most likely not 'default,' in which case you already know where to look. But be careful turning off password authentication if physical access to the machine is costly or unpleasant. Better to use 'fail2ban' or something similar to fend off the script kiddies.

hth & regards,
Carl
On Thu, 08 Mar 2012 04:39:00 +0100 "LLLActive@GMX.Net" wrote:

Hi all,
I've done the following procedure to get a passwordless login on a remote server:
as root:
    $ ssh-keygen
    Enter file in which to save the key (/home/your_user/.ssh/id_rsa): <Enter>
    Enter passphrase (empty for no passphrase): <Enter>
    Enter same passphrase again: <Enter>
    Your identification has been saved in /root/.ssh/id_rsa.
    Your public key has been saved in /root/.ssh/id_rsa.pub.
    The key fingerprint is:
    (-:) co:ec:aa:a1:de:34:5c:95:24:1d:25:4a:84:aq:65:ca root@server
    The key's randomart image is:
    +--[ RSA 2048]----+
    | .*******        |
    | ..B-.-.         |
    | kjak            |
    | . ..+<-,        |
    | . #+#^´         |
    | .               |
    |                 |
    |                 |
    |                 |
    +-----------------+

Then I upload the key as root:

    $ ssh-copy-id user@myserver.org
    Password:

message:

    Now try logging into the machine, with "ssh 'user@ssh.yourserver.org'", and check in:
      ~/.ssh/authorized_keys
    to make sure we haven't added extra keys that you weren't expecting.
Now, when I login, the password is asked *again*.
Where does the id_rsa get used? It is in /root/.ssh/ together with id_rsa.pub when generated by ssh-keygen. I am root when performing the login on the remote server at the moment. Later, I will use a dedicated user.
Any suggestions welcome.
:-) Dreiel
I'm doing this all the time now and the way it's typically set up your procedure should 'just work' with one small change. Don't become root on your local system before generating the public / private key pair. It isn't necessary and is likely the source of your problem. IOW:
as user:

    ssh-keygen                    [enter, enter, enter]
    ssh-copy-id user@domain.tld   [password when prompted]

[This appends the public key in ~/'user'/.ssh/authorized_keys on the remote system]

now, to log in:

    ssh user@domain.tld
That's it. If this doesn't work, the remote host configuration is most likely not 'default,' in which case you already know where to look. But be careful turning off password authentication if physical access to the machine is costly or unpleasant. Better to use 'fail2ban' or something similar to fend off the script kiddies.
hth & regards,
Carl

Hi Carl,

I'm sure I tried all you said before, but I deleted all the keys everywhere and reverted to the default in the /etc/ssh/ssh_config file. Now it works on one local server.

Indeed, the access to the server was impossible when I changed the "PasswordAuthentication no" and the "ChallengeResponseAuthentication no". Only access to the server console allowed access again. Your warning "be careful turning off password authentication if physical access to the machine is costly or unpleasant", is well advised!!!

I can not physically get to another server where I have the same problem with the 'PasswordAuthentication no". Is there another method to get to it? It is a virtual server at an ISP :( Is there a way to override these settings when logging in with ssh?

I'll look into fail2ban (like denyhosts ?).

:-) Dreiel
LLLActive@GMX.Net wrote:
On Thu, 08 Mar 2012 04:39:00 +0100 "LLLActive@GMX.Net" wrote:

Hi all,
I've done the following procedure to get a passwordless login on a remote server:
as root:
    $ ssh-keygen
    Enter file in which to save the key (/home/your_user/.ssh/id_rsa): <Enter>
    Enter passphrase (empty for no passphrase): <Enter>
    Enter same passphrase again: <Enter>
    Your identification has been saved in /root/.ssh/id_rsa.
    Your public key has been saved in /root/.ssh/id_rsa.pub.
    The key fingerprint is:
    (-:) co:ec:aa:a1:de:34:5c:95:24:1d:25:4a:84:aq:65:ca root@server
    The key's randomart image is:
    +--[ RSA 2048]----+
    | .*******        |
    | ..B-.-.         |
    | kjak            |
    | . ..+<-,        |
    | . #+#^´         |
    | .               |
    |                 |
    |                 |
    |                 |
    +-----------------+

Then I upload the key as root:

    $ ssh-copy-id user@myserver.org
    Password:

message:

    Now try logging into the machine, with "ssh 'user@ssh.yourserver.org'", and check in:
      ~/.ssh/authorized_keys
    to make sure we haven't added extra keys that you weren't expecting.
Now, when I login, the password is asked *again*.
Where does the id_rsa get used? It is in /root/.ssh/ together with id_rsa.pub when generated by ssh-keygen. I am root when performing the login on the remote server at the moment. Later, I will use a dedicated user.
Any suggestions welcome.
:-) Dreiel
I'm doing this all the time now and the way it's typically set up your procedure should 'just work' with one small change. Don't become root on your local system before generating the public / private key pair. It isn't necessary and is likely the source of your problem. IOW:
as user:

    ssh-keygen                    [enter, enter, enter]
    ssh-copy-id user@domain.tld   [password when prompted]

[This appends the public key in ~/'user'/.ssh/authorized_keys on the remote system]

now, to log in:

    ssh user@domain.tld
That's it. If this doesn't work, the remote host configuration is most likely not 'default,' in which case you already know where to look. But be careful turning off password authentication if physical access to the machine is costly or unpleasant. Better to use 'fail2ban' or something similar to fend off the script kiddies.
hth & regards,
Carl

Hi Carl,

I'm sure I tried all you said before, but I deleted all the keys everywhere and reverted to the default in the /etc/ssh/ssh_config file. Now it works on one local server.
Indeed, the access to the server was impossible when I changed the "PasswordAuthentication no" and the "ChallengeResponseAuthentication no". Only access to the server console allowed access again. Your warning "be careful turning off password authentication if physical access to the machine is costly or unpleasant", is well advised!!!
I can not physically get to another server where I have the same problem with the 'PasswordAuthentication no". Is there another method to get to it? It is a virtual server at an ISP :( Is there a way to override these settings when logging in with ssh?
You create the keys on the system you use to access the remote host and then copy the public key to the host you wish to connect to. You can do that via ssh (scp) so you don't need physical access. I don't know why you're seeing that warning about physical access without passwords, as you normally don't use ssh on the same box.

So, what you should be doing is:

1) Generate the keys.
2) Copy the public key to the server.
3) Once that's working, then worry about disabling the password.

This process has to be done as the user you intend on connecting as, not root.
LLLActive@GMX.Net wrote:
On Thu, 08 Mar 2012 04:39:00 +0100 "LLLActive@GMX.Net" wrote:

Hi all,
I've done the following procedure to get a passwordless login on a remote server:
as root:
    $ ssh-keygen
    Enter file in which to save the key (/home/your_user/.ssh/id_rsa): <Enter>
    Enter passphrase (empty for no passphrase): <Enter>
    Enter same passphrase again: <Enter>
    Your identification has been saved in /root/.ssh/id_rsa.
    Your public key has been saved in /root/.ssh/id_rsa.pub.
    The key fingerprint is:
    (-:) co:ec:aa:a1:de:34:5c:95:24:1d:25:4a:84:aq:65:ca root@server
    The key's randomart image is:
    +--[ RSA 2048]----+
    | .*******        |
    | ..B-.-.         |
    | kjak            |
    | . ..+<-,        |
    | . #+#^´         |
    | .               |
    |                 |
    |                 |
    |                 |
    +-----------------+

Then I upload the key as root:

    $ ssh-copy-id user@myserver.org
    Password:

message:

    Now try logging into the machine, with "ssh 'user@ssh.yourserver.org'", and check in:
      ~/.ssh/authorized_keys
    to make sure we haven't added extra keys that you weren't expecting.
Now, when I login, the password is asked *again*.
Where does the id_rsa get used? It is in /root/.ssh/ together with id_rsa.pub when generated by ssh-keygen. I am root when performing the login on the remote server at the moment. Later, I will use a dedicated user.
Any suggestions welcome.
:-) Dreiel
I'm doing this all the time now and the way it's typically set up your procedure should 'just work' with one small change. Don't become root on your local system before generating the public / private key pair. It isn't necessary and is likely the source of your problem. IOW:
as user:

    ssh-keygen                    [enter, enter, enter]
    ssh-copy-id user@domain.tld   [password when prompted]

[This appends the public key in ~/'user'/.ssh/authorized_keys on the remote system]

now, to log in:

    ssh user@domain.tld
That's it. If this doesn't work, the remote host configuration is most likely not 'default,' in which case you already know where to look. But be careful turning off password authentication if physical access to the machine is costly or unpleasant. Better to use 'fail2ban' or something similar to fend off the script kiddies.
hth & regards,
Carl

Hi Carl,

I'm sure I tried all you said before, but I deleted all the keys everywhere and reverted to the default in the /etc/ssh/ssh_config file. Now it works on one local server.
Indeed, the access to the server was impossible when I changed the "PasswordAuthentication no" and the "ChallengeResponseAuthentication no". Only access to the server console allowed access again. Your warning "be careful turning off password authentication if physical access to the machine is costly or unpleasant", is well advised!!!
I can not physically get to another server where I have the same problem with the 'PasswordAuthentication no". Is there another method to get to it? It is a virtual server at an ISP :( Is there a way to override these settings when logging in with ssh?
You create the keys on the system you use to access the remote host and then copy the public key to the host you wish to connect to. You can do that via ssh (scp) so you don't need physical access.

"Permission denied (publickey)"

I don't know why you're seeing that warning about physical access without passwords, as you normally don't use ssh on the same box.

? It is a Virtual Server at a service provider, not the local machine. I have 2 Servers, one on the local network and another at the ISP as a Virtual Server. I connect to the local server and the Virtual Server (openSUSE) with a desktop (MacBook), and can also connect to the Virtual Server at the ISP from the local server (openSUSE).

    |-|------------normal-----------|=|--------->| DSL |---------|ISP-VS|
    MacBook                    Local Server      ^                Virtual Server
     |                                           |
     |------------alternative---------------------|

So, what you should be doing is:

1) Generate the keys.
2) Copy the public key to the server.

Well, this does not work because it does not do "PasswordAuthentication no" and "ChallengeResponseAuthentication no". Now it brings the error: "Permission denied (publickey)". With ssh-copy-id also needs a password, but because of the settings before, it is not Authenticated/Challenged. All users receive "Permission denied (publickey)"
:-(
3) Once that's working, then worry about disabling the password.
This process has to be done as the user you intend on connecting as, not root.
On 03/08/2012 05:18 PM, LLLActive@GMX.Net wrote:
1) Generate the keys.
2) Copy the public key to the server.

Well, this does not work because it does not do "PasswordAuthentication no" and "ChallengeResponseAuthentication no". Now it brings the error: "Permission denied (publickey)". With ssh-copy-id also needs a password, but because of the settings before, it is not Authenticated/Challenged. All users receive "Permission denied (publickey)"

My ISP offers a web application to walk thru the filesystem. There, you can change the sshd_config, and restart SSHD. Probably yours also has ...

Have a nice day,
Berny
On 03/08/2012 02:19 PM, LLLActive@GMX.Net wrote:
Is there another method to get to it? It is a virtual server at an ISP :(
Maybe - some ISPs provide serial console access.

Have a nice day,
Berny
On Thu, 08 Mar 2012 14:19:44 +0100
"LLLActive@GMX.Net"
I can not physically get to another server where I have the same problem with the 'PasswordAuthentication no". Is there another method to get to it? It is a virtual server at an ISP :( Is there a way to override these settings when logging in with ssh?
I can think of four approaches to this problem:

a. If you're certain 'ssh-copy-id user@IP-or-domain.tld' worked, you may have a way into the box, but the login attempt must originate from an account using the correct public / private key pair. This account cannot be root on the local system because that is what caused your original password request problem. Try this: Create a new user on your local system and temporarily copy root's ~/.ssh/* into ~/newuser/.ssh/ (make sure to select the original 'root' that was used to create the correct public / private key pair and don't forget to chown -R newuser:users ~/newuser/.ssh) Then try passwordless login from the new local user's account via 'ssh user@domain.tld'. If this gets you in, repair sshd_config on the remote system and restart sshd

b. If you have X installed and VNC access to a desktop on the remote VPS you can sign into the desktop there, open a terminal, 'su -' to root privileges, use vi to repair /etc/ssh/sshd_config, run 'rcsshd restart' and then you ought to be close to where you first started.

c. As has already been mentioned, many VPS providers supply a control panel with some form of 'emergency' access to the VPS's filesystem for just these kinds of circumstances.

d. If you can IM or voice chat (Skype or telephone) a support person at the VPS provider they have root access to the host system and can repair sshd_config for you and restart sshd. They might need your root password for the VPS, which is why I recommend IM or voice so you're not sending this through e-mail.

hth, good luck & regards,
Carl
participants (5)
- Bernhard Voelker
- Carl Hartung
- James Knott
- Ken Schneider - openSUSE
- LLLActive@GMX.Net