HOWTO: SSH & Public Keys

[dmccarney]

Nevermind. I figured it out by RTFM. Putty has a side program that will do this. Anyone who is interested should check out Public Keys With Putty. Also, the PUTTY docs hint to a possible weakness in the DSA key for use with the SSH-2 protocol and recommends using RSA for SSH-2 instead so I modified your how-to to do that. Its all the same steps except for a different argument when you generate the key-pairs and of course point all of the other steps to the correct RSA keys.

The changed line in the howto at the start is

Code:

ssh-keygen -t dsa

changed to:

Code:

ssh-keygen -t rsa

Make sure you change all the subsequent lines to point to the RSA files and not a DSA file.

Thanks again for a great tutorial.

[KmL]

OOPS Missed the comment that's the bad thing with copy and paste. As far as changing it in the sshd_config file I don't have one on my system. At least not in /etc/ssh/ which is where it should be according to the documentaion at OpenSSH.

Also I don't see the anything about the "UsePAM no" option in the manual.

Code:

man ssh_config

Hi, first post,

I recently tried to set public_keys with this how to, and it's work. But the file to edit is indeed sshd_config file in /etc/ssh/.

At the begin of the howto, you wrote that the ssh-keygen has to be done in the host, correct me if I'm wrong, but is'nt in the client?

great howto, before this, I didn't understand public-keys for ssh.

sonoma

[arjay1]

Beernut - thanks for a great tutorial. Really helped me.

However, I now have the same problem that others have had - I did the last bit of the posts re editing the sshd_config file (including usepam no) but I still have to log in when I ssh to the remote computer.

I thought this wouldn't happen any more?

TIA

[Jaymoid]

[noob post]I followed the guide exactly, but it only worked when I renamed the authorized_keys2 file to be authorized_keys on the remote server. Guessing this reverts to version 1 of the protocol.[/noob]

Also something quite handy is that if you enter a blank passphrase then you don't have to enter a passphrase when ssh-ing over to your remote server. Obviously this is not as secure, but its quite fun. Also handy for automating/crontabbing scp of files.

[ggnore]

[noob post]I followed the guide exactly, but it only worked when I renamed the authorized_keys2 file to be authorized_keys on the remote server. Guessing this reverts to version 1 of the protocol.[/noob]

Also something quite handy is that if you enter a blank passphrase then you don't have to enter a passphrase when ssh-ing over to your remote server. Obviously this is not as secure, but its quite fun. Also handy for automating/crontabbing scp of files.

It can be secured : i use this method to backup some files on another computer by using crontab.
I created a user who cant log on at all (login disabled)
When i use scp to copy all my files on the other computer, i just use this account. rsa and dsa keys are only available for this user. It's powerfull and may be secured, if you cant.

[Jaymoid]

It can be secured : i use this method to backup some files on another computer by using crontab.
I created a user who cant log on at all (login disabled)
When i use scp to copy all my files on the other computer, i just use this account. rsa and dsa keys are only available for this user. It's powerfull and may be secured, if you cant.

Splendid idea! Thanks for that.

[RandomGeek]

Many thanks for the how to. I was getting very confused - particularly at why the file needed to be called authorized_keys2 (duh, two protocols)

As others have mentioned, I'm still able to login using regular passwords which I really want to turn off. The option "UsePAM no" causes a config error for me, it won't start the service when I add that option to ssh_config.

Are you sure it's not sshd_config? What's the difference between the two?

What I want is an ssh config that only allows me to login with one private key. Are the config files locked down as much as possible now?

Also, could somebody explain how to restart the service from the command line? I thought it was "/etc/init.d/ssh restart" but this gives me peculiar message and I can't see sshd which is what I'd expect. Sorry if this is a dumb question

[grugnog]

OK, having played around with this for quite a while I finally figured out the problem I was having.
If you always get asked for a password (even when the keys are found, match and correct passphrase entered) then try this! None of the above advice works for me...
This is for Ubuntu Breezy trying to SSH into Debian Etch, both fresh installs.

On Debian, as root, edit /etc/ssh/sshd_config and edit the line

StrictModes yes

to read

StrictModes no

Then, on Ubuntu, as a regular user run:

ssh-keygen -t rsa
ssh-copy-id -i ~/.ssh/id_rsa.pub you@debian

any then

ssh you@debian

to check it worked.

Simple really, but to find that StrictModes option took a lot of trial and error

[msr7x57]

For those of you who are thinking that ".ssh/authothized_keys" is ssh1 and ".ssh/authothized_key2" is ssh2, my "man ssh" tells me that when using ssh-keygen under ssh1, you get keys called "$HOME/.ssh/identity" and a public key in "$HOME/.ssh/identity.pub".

In ssh2, you get "$HOME/.ssh/id_dsa or $HOME/.ssh/id_rsa" and the equivalent *.pub files.

HTH

[Felipe_U]

Also, could somebody explain how to restart the service from the command line? I thought it was "/etc/init.d/ssh restart" but this gives me peculiar message and I can't see sshd which is what I'd expect. Sorry if this is a dumb question

I restart the ssh service with this command: sudo /etc/init.d/./ssh restart

Greetings,
Felipe