#1 2011-11-25 17:11:07

nesk
Member
Registered: 2011-03-31
Posts: 181

[Solved, useless thread - delete pls]sshd

When using rsa key without passphrase - generated by

# keygen-ssh

location of the key is put in /etc/ssh/sshd.conf. sshd is running fine.

But when I'm overriding this key with a newly generated one with a passphrase (file permissions are set correctly)

sudo /usr/sbin/sshd -d
Password: 
debug1: sshd version OpenSSH_5.9p1
debug1: key_parse_private_pem: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
Could not load host key: /etc/ssh/lapsonykey
Disabling protocol version 2. Could not load host key
sshd: no hostkeys available -- exiting.

Isn't sshd supposed to ask for a passphrase after reading the key?

Last edited by nesk (2011-11-27 08:20:05)


#2 2011-11-25 18:38:16

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,424

Re: [Solved, useless thread - delete pls]sshd

Use IdentityFile (or the -i switch) to ensure that the correct key is passed to the host.


Arch + dwm   •   Mercurial repos  •   Surfraw

Registered Linux User #482438


#3 2011-11-26 15:09:30

nesk
Member
Registered: 2011-03-31
Posts: 181

Re: [Solved, useless thread - delete pls]sshd

Hm, can't find anything definitive about IdentityFile, and -i (running from inetd) seems totally unrelated.
Anyway, it works with unpassphrased server keys.

Next question: how to set up keys whitelist for ssh logins?
What I have tried:

man sshd wrote:

~/.ssh/authorized_keys
             Lists the public keys (DSA/ECDSA/RSA) that can be used for
             logging in as this user.  The format of this file is described
             above.  The content of the file is not highly sensitive, but the
             recommended permissions are read/write for the user, and not
             accessible by others.

So, I created /home/nesk/.ssh/authorized_keys, copied the public key generated for this user there, messed it up (replaced a few letters), restarted sshd, but can still log in via ssh as this user. According to the manual, I shouldn't be able to? Please advise how to configure it.


#4 2011-11-26 18:20:28

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,424

Re: [Solved, useless thread - delete pls]sshd

nesk wrote:

Hm, can't find anything definitive about IdentityFile

It's in man ssh_config.


nesk wrote:

Next question: how to set up keys whitelist for ssh logins?
What I have tried:

man sshd wrote:

~/.ssh/authorized_keys
             Lists the public keys (DSA/ECDSA/RSA) that can be used for
             logging in as this user.  The format of this file is described
             above.  The content of the file is not highly sensitive, but the
             recommended permissions are read/write for the user, and not
             accessible by others.

So, I created /home/nesk/.ssh/authorized_keys, copied the public key generated for this user there, messed it up (replaced a few letters), restarted sshd, but can still log in via ssh as this user. According to the manual, I shouldn't be able to? Please advise how to configure it.

Don't copy the public key to authorized_keys: cat it or use ssh-copy-id. See this post: http://kimmo.suominen.com/docs/ssh/


#5 2011-11-26 19:18:51

nesk
Member
Registered: 2011-03-31
Posts: 181

Re: [Solved, useless thread - delete pls]sshd

Goal is to make a whitelist on the server side.


#6 2011-11-26 20:52:09

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,424

Re: [Solved, useless thread - delete pls]sshd

nesk wrote:

Goal is to make a whitelist on the server side.

That's what authorized_keys is for...

I think you want to spend a little time reading up on how SSH works.


#7 2011-11-26 20:57:39

.:B:.
Forum Fellow
Registered: 2006-11-26
Posts: 5,819

Re: [Solved, useless thread - delete pls]sshd

You whitelist them in authorized_keys, then you make the use of a key mandatory in sshd_config. Piece of cake.

To be on the safe side, set your SSH client to prefer keys over passwords (or the SSH server, I don't remember) and test whether you get in before you make keys mandatory. You don't want to lock yourself out.


Got Leenucks? :: Arch: Power in simplicity :: Get Counted! Registered Linux User #392717 :: Blog thingy


#8 2011-11-26 21:10:38

R00KIE
Forum Fellow
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 4,734

Re: [Solved, useless thread - delete pls]sshd

.:B:. wrote:

You whitelist them in authorized_keys, then you make the use of a key mandatory in sshd_config. Piece of cake.

To be on the safe side, set your SSH client to prefer keys over passwords (or the SSH server, I don't remember) and test whether you get in before you make keys mandatory. You don't want to lock yourself out.

On the server side I usually don't change much (apart from not allowing root logins and forcing protocol version 2). On the client side I tell it to use only publickey, keyboard-interactive and password and try publickey first. The advantage of limiting the types of authentication to use is connection establishment speed, as ssh will not try things you know will not work with the servers you usually use.

My ~/.ssh/config (on the client):

Protocol 2
PreferredAuthentications publickey,keyboard-interactive,password

This is all in the man pages anyway.


R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K
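An added example (not code from this thread or from OpenSSH) that audits the two things the replies above turn on: whether the key-only options in sshd_config are actually active rather than still commented out, and whether each authorized_keys entry carries an intact key blob. The sshd_config fragment and the ssh-rsa blob are constructed; the blob holds only the key-type field and is not a usable key.

```python
import base64
import struct

# Constructed sample: the two relevant options are still commented out, which
# leaves password logins enabled no matter what authorized_keys contains.
SSHD_CONFIG = "#PubkeyAuthentication yes\n#PasswordAuthentication no\nPermitRootLogin no\n"

def effective_options(config_text):
    """Directives sshd will honour: comments are skipped and, as in OpenSSH,
    the first occurrence of a keyword wins."""
    opts = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            opts.setdefault(key.lower(), value.strip())
    return opts

def key_only_login_enforced(config_text):
    """True only if active lines turn password auth off (OpenSSH defaults both to yes)."""
    o = effective_options(config_text)
    return (o.get("pubkeyauthentication", "yes") == "yes"
            and o.get("passwordauthentication", "yes") == "no")

def key_line_problem(line):
    """None if an authorized_keys line carries an intact key blob, else the reason.
    The blob's first wire field is the key type, so hand-edited letters show up
    as either a base64 error or a type mismatch."""
    fields = line.split()
    while fields and not fields[0].startswith(("ssh-", "ecdsa-")):
        fields.pop(0)  # skip leading options such as no-pty (unquoted form only)
    if len(fields) < 2:
        return "no key type/blob found"
    keytype, b64 = fields[0], fields[1]
    try:
        blob = base64.b64decode(b64, validate=True)
        (n,) = struct.unpack(">I", blob[:4])
        embedded = blob[4:4 + n].decode()
    except (ValueError, struct.error, UnicodeDecodeError):
        return "key blob is not valid base64/SSH wire format"
    return None if embedded == keytype else f"blob says {embedded!r}, line says {keytype!r}"

def check_authorized_keys(text):
    """List of 'line N: reason' for every unusable entry (empty list means all OK)."""
    return [f"line {i}: {p}" for i, l in enumerate(text.splitlines(), 1)
            if l.strip() and not l.startswith("#") and (p := key_line_problem(l))]

# Synthetic ssh-rsa blob (type field only) and a copy with letters altered by hand.
GOOD_BLOB = base64.b64encode(b"\x00\x00\x00\x07ssh-rsa\x00\x00\x00\x01\x03").decode()
AUTHORIZED_KEYS = (f"ssh-rsa {GOOD_BLOB} nesk@laptop\n"
                   f"ssh-rsa {GOOD_BLOB.replace('c2E', 'c3E')} edited-by-hand\n")
```

Run the config check before restarting sshd and keep an open session until a key login has been verified, so a typo cannot lock you out.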


#9 2011-11-27 08:14:54

nesk
Member
Registered: 2011-03-31
Posts: 181

Re: [Solved, useless thread - delete pls]sshd

Thanks for the input everyone, turns out I just didn't uncomment the needed options after changing them in sshd.conf lol.

Last edited by nesk (2011-11-27 08:15:17)
