
#1 2014-02-11 06:43:13

Gordn Freeman
Member
Registered: 2014-02-08
Posts: 7

OpenSSH on Server, key problem - ssh-agent needed?

Hi Forum!

After some research I'm quite confused, so I think maybe this forum might help me to understand my problem :-)

The Purpose:
I have a Raspberry Pi with archarmv6 running as a server to connect to with ssh. OpenSSH seems to be installed properly already.
I have changed the daemon's config to allow neither PAM, ChallengeResponse nor PasswordAuthentication, and defined a fixed "HostKey /etc/ssh/mykey".
I want my server to use exactly and exclusively that one private key. It is ed25519, locked with a password with several hash iterations. I copied it to /etc/ssh/mykey myself.

The Problem:
sshd.service fails. When viewing the debug information I get:
# /sbin/sshd -d
debug1: sshd version OpenSSH_6.5 OpenSSL 1.0.1f 6 jan 2014
debug1: key_parse_private_pem: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
Could not load host key: /etc/ssh/mykey
Disabling Protocol version 2. Could not load host key
sshd: no hostkeys available -- exiting

So I can think of 2 possibilities:
Obviously the key is not in PEM format; from googling I guess that ed25519 uses some new format, but which? It seems so strange, and so little information is available, that I would not even try to solve it by converting the format.
Does sshd only read plain key formats? If so, do I need to save it in plain? That would also be an undesirable solution.
Or is it necessary to use ssh-agent to unlock it? If so, I have several questions about ssh-agent... the concept of how it works is not totally clear to me, and googling did not help as much as I thought. The man pages also do not explain how it works.

But first the desirable solution: Can I make sshd ask me for the password when starting up and reading the key?

When does the ssh-agent start? Does it ask for the password when starting? Does it then open all keys, unlock them and keep them in RAM in plain, or save the password in plain for unlocking the keys when needed?
Is this agent responsible for writing strange keys, which I want neither to have nor to use, into my /etc/ssh/ (so does it unlock the keys with my password and write them in plain? in a directory?) Where does it take its keys from anyhow, and where and how does it save the keys?

And how does this behaviour come about? It appears that it generates some keys at any time and adds them into /etc/ssh, but I cannot see it running in htop. Also, when I try to ssh-add mykey, it tells me:
Could not open a connection to your authentication agent.

So can anyone help me?^^

Thanks in advance, and sorry for the strange, complicated and poorly written post; I cannot help it :-(

greetz Gordy


#2 2014-02-11 09:00:14

Gordn Freeman
Member
Registered: 2014-02-08
Posts: 7

Re: OpenSSH on Server, key problem - ssh-agent needed?

So an update: It appears that there are a lot of possibilities to start ssh-agent:
For all users (at login?): adding the command to start the ssh-agent to /etc/profile
For $Username at his login: adding the command to start the ssh-agent to /home/$Username/.bash_profile
When starting an X session: in .xinitrc, or in the init script of the login manager
and I guess many more ways. But none of those were applied for me.

The correct command to start the agent is:
eval $(ssh-agent)
When ssh-agent is running it forks into the background after creating a socket to be spoken to, if I understand right. I could also understand it such that any ssh connection somehow speaks to this socket, but that does not make any sense^^ It makes more sense that any application wanting to speak with the ssh-agent then speaks to the socket. That's why we must eval the output of the ssh-agent command, since it will then write SSH_AUTH_SOCK and SSH_AGENT_PID to the environment variables.


So I could not find any evidence that the ssh-agent is necessary to run an OpenSSH server. And I have no clue how these strange keys appear in the /etc/ssh directory, since the ssh-agent, which possibly never ran on my system, could not be responsible for it.

Last edited by Gordn Freeman (2014-02-11 09:04:27)
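What the post above describes can be shown concretely: ssh-agent prints shell statements that `eval` turns into the two exported variables, and afterwards every client (ssh, ssh-add) opens the Unix socket named by SSH_AUTH_SOCK and speaks the agent protocol over it. The following is an added example and not code from the thread or from OpenSSH. The agent output and the identities answer are constructed sample data, the key blob in the answer is a zero placeholder rather than a real key, and the socket path is hypothetical; the message numbers (11 for SSH_AGENTC_REQUEST_IDENTITIES, 12 for SSH_AGENT_IDENTITIES_ANSWER, 5 for SSH_AGENT_FAILURE) and the uint32-length framing are those of the OpenSSH agent protocol.

```python
"""Added example (not from the forum thread): what `eval $(ssh-agent)` exports,
and the first exchange a client has with the agent over SSH_AUTH_SOCK.

Assumptions: SAMPLE_AGENT_OUTPUT and SAMPLE_ANSWER are constructed, not
captured from a real agent, and the socket path in them is hypothetical.
"""
import os
import socket
import struct

# Constructed sample of ssh-agent's stdout. Without `eval`, these statements
# are only printed; with it, the shell exports the two variables.
SAMPLE_AGENT_OUTPUT = (
    "SSH_AUTH_SOCK=/tmp/ssh-XXXXabcd/agent.1234; export SSH_AUTH_SOCK;\n"
    "SSH_AGENT_PID=1235; export SSH_AGENT_PID;\n"
    "echo Agent pid 1235;\n"
)

# Agent protocol message numbers.
SSH_AGENT_FAILURE = 5
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12


def parse_agent_env(output):
    """Extract the VAR=value pairs that `eval` would export into the shell."""
    env = {}
    for line in output.splitlines():
        for stmt in line.split(";"):
            stmt = stmt.strip()
            if "=" in stmt and not stmt.startswith(("export", "echo")):
                name, _, value = stmt.partition("=")
                env[name] = value
    return env


def ssh_string(b):
    return struct.pack(">I", len(b)) + b


def read_string(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def frame(msg_type, payload=b""):
    """Every agent message is: uint32 length, byte type, body."""
    return struct.pack(">IB", 1 + len(payload), msg_type) + payload


def request_identities():
    """The message ssh-add -l sends: no body, just the type byte."""
    return frame(SSH_AGENTC_REQUEST_IDENTITIES)


def parse_identities_answer(data):
    """Decode SSH_AGENT_IDENTITIES_ANSWER: uint32 nkeys, then (blob, comment)
    pairs. Returns [(keytype, comment), ...]."""
    (length,) = struct.unpack_from(">I", data, 0)
    body = data[4:4 + length]
    if body[0] == SSH_AGENT_FAILURE:
        raise RuntimeError("agent refused the request")
    if body[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("unexpected message type %d" % body[0])
    (nkeys,) = struct.unpack_from(">I", body, 1)
    off, keys = 5, []
    for _ in range(nkeys):
        blob, off = read_string(body, off)
        comment, off = read_string(body, off)
        keytype, _ = read_string(blob, 0)   # first field of any public key blob
        keys.append((keytype.decode(), comment.decode()))
    return keys


def build_identities_answer(keys):
    """Constructed agent reply for (keytype, comment) pairs; the 32 zero bytes
    stand in for a public key and are not real key material."""
    body = struct.pack(">BI", SSH_AGENT_IDENTITIES_ANSWER, len(keys))
    for keytype, comment in keys:
        blob = ssh_string(keytype.encode()) + ssh_string(b"\x00" * 32)
        body += ssh_string(blob) + ssh_string(comment.encode())
    return struct.pack(">I", len(body)) + body


SAMPLE_ANSWER = build_identities_answer([("ssh-ed25519", "gordy@pi")])  # constructed


def list_agent_keys(sock_path=None):
    """Ask a live agent for its keys. Returns None when no socket is reachable,
    which is the situation behind ssh-add's "Could not open a connection to
    your authentication agent." message."""
    sock_path = sock_path or os.environ.get("SSH_AUTH_SOCK")
    if not sock_path or not hasattr(socket, "AF_UNIX"):
        return None
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        s.connect(sock_path)
        s.sendall(request_identities())
        header = s.recv(4)
        (length,) = struct.unpack(">I", header)
        body = b""
        while len(body) < length:
            chunk = s.recv(length - len(body))
            if not chunk:
                return None
            body += chunk
        return parse_identities_answer(header + body)
    except OSError:
        return None
    finally:
        s.close()


if __name__ == "__main__":
    print(parse_agent_env(SAMPLE_AGENT_OUTPUT))
    print(parse_identities_answer(SAMPLE_ANSWER))
    print(list_agent_keys())   # None unless SSH_AUTH_SOCK points at a running agent
```

Run it in a shell where `eval $(ssh-agent)` has been executed and the last line lists the loaded keys; run it in a fresh shell and it returns None, for the same reason ssh-add fails there: nothing in the environment names the socket, so the client has nothing to connect to.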


#3 2014-02-11 09:49:13

Gordn Freeman
Member
Registered: 2014-02-08
Posts: 7

Re: OpenSSH on Server, key problem - ssh-agent needed?

Well, it appears that sshd only wants to read plain passwords; that's the reason for the unreadable format.

It appears to me that there is no really cool solution. Maybe mount a little encrypted partition only for starting sshd, or use the ssh-agent, if that works, so I will research more about how the ssh-agent works :-)

greetz Gordy
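The debug output in the first post (key_parse_private_pem fails, type <unknown>, no hostkeys available) is what a loader reports when the file is not PEM at all but the openssh-key-v1 container that ssh-keygen writes for ed25519 keys, and when that container needs a passphrase. The following is an added example, not code from the thread or from OpenSSH: it parses that container header (magic, cipher name, KDF name, KDF options with the bcrypt round count, key count, public key blob) and reports whether the key could be read with an empty passphrase, which is all sshd ever tries. All three key files are constructed in memory; the "ciphertext" is filler bytes, the key bytes are zero placeholders, the PEM body is a placeholder, and the file names are hypothetical.

```python
"""Added example (not from the forum thread): inspect an OpenSSH private key
file the way a loader does and explain why a passphrase-protected ed25519
host key cannot be opened without a passphrase.

Assumptions: all key files below are constructed here; the encrypted private
section is filler, the key bytes are zeros, and file names are hypothetical.
"""
import base64
import struct

MAGIC = b"openssh-key-v1\x00"


def ssh_string(b):
    return struct.pack(">I", len(b)) + b


def read_string(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def read_uint32(buf, off):
    return struct.unpack_from(">I", buf, off)[0], off + 4


def build_openssh_key(cipher, kdf, rounds=0, comment=b"gordy@pi"):
    """Constructed openssh-key-v1 container: magic, cipher, KDF, KDF options,
    key count, public blob, private section (encrypted unless cipher is none)."""
    pub_blob = ssh_string(b"ssh-ed25519") + ssh_string(b"\x00" * 32)
    if kdf == b"bcrypt":
        # KDF options: string salt + uint32 rounds (the -a value given to ssh-keygen)
        kdfoptions = ssh_string(b"\x11" * 16) + struct.pack(">I", rounds)
        private = b"\xaa" * 128                      # filler standing in for ciphertext
    else:
        kdfoptions = b""
        private = struct.pack(">II", 0x12345678, 0x12345678)   # two equal check ints
        private += ssh_string(b"ssh-ed25519") + ssh_string(b"\x00" * 32)
        private += ssh_string(b"\x00" * 64) + ssh_string(comment)
        pad = 1
        while len(private) % 8:                      # "none" still pads to 8-byte blocks
            private += bytes([pad])
            pad += 1
    body = (MAGIC + ssh_string(cipher) + ssh_string(kdf) + ssh_string(kdfoptions)
            + struct.pack(">I", 1) + ssh_string(pub_blob) + ssh_string(private))
    b64 = base64.b64encode(body).decode()
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + "\n".join(lines)
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


# Constructed samples: a passphrase-protected ed25519 key with 100 bcrypt
# rounds, the same key saved without a passphrase, and a placeholder PEM file.
ENCRYPTED_KEY = build_openssh_key(b"aes256-cbc", b"bcrypt", rounds=100)
PLAIN_KEY = build_openssh_key(b"none", b"none")
PEM_KEY = ("-----BEGIN RSA PRIVATE KEY-----\n"
           + base64.b64encode(b"placeholder-body").decode()
           + "\n-----END RSA PRIVATE KEY-----\n")


def inspect_key(text):
    """Return what a loader finds: format, key type, and whether a passphrase
    is needed. A PEM-only reader never gets past the first line of the
    openssh-key-v1 branch, hence "type <unknown>" in the thread."""
    lines = text.splitlines()
    first = lines[0].strip() if lines else ""
    if first == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = base64.b64decode("".join(l for l in lines[1:] if not l.startswith("-----")))
        if not body.startswith(MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        off = len(MAGIC)
        cipher, off = read_string(body, off)
        kdf, off = read_string(body, off)
        kdfopts, off = read_string(body, off)
        _nkeys, off = read_uint32(body, off)
        pub_blob, off = read_string(body, off)
        keytype, _ = read_string(pub_blob, 0)
        info = {"format": "openssh-key-v1", "keytype": keytype.decode(),
                "cipher": cipher.decode(), "kdf": kdf.decode(), "rounds": 0,
                "encrypted": cipher != b"none"}
        if kdf == b"bcrypt":
            _salt, o = read_string(kdfopts, 0)
            info["rounds"], _ = read_uint32(kdfopts, o)
        else:
            # No cipher: read the private section and confirm the check ints agree.
            private, _ = read_string(body, off)
            c1, c2 = struct.unpack_from(">II", private, 0)
            info["checkints_match"] = (c1 == c2)
        return info
    if first.startswith("-----BEGIN ") and first.endswith(" PRIVATE KEY-----"):
        return {"format": "pem",
                "keytype": first[len("-----BEGIN "):-len(" PRIVATE KEY-----")],
                "encrypted": "Proc-Type: 4,ENCRYPTED" in text}
    return {"format": "unknown"}


def sshd_can_load(text):
    """sshd opens host keys with an empty passphrase and never prompts, so a
    key that needs one cannot be loaded. Returns (ok, reason)."""
    info = inspect_key(text)
    if info["format"] == "unknown":
        return False, "not a recognised private key file"
    if info["encrypted"]:
        if info["format"] == "openssh-key-v1":
            return False, "%s key encrypted with %s (%s KDF, %d rounds): passphrase required" % (
                info["keytype"], info["cipher"], info["kdf"], info["rounds"])
        return False, "%s key is passphrase-protected" % info["keytype"]
    return True, "unencrypted %s key in %s format" % (info["keytype"], info["format"])


if __name__ == "__main__":
    for name, text in (("/etc/ssh/mykey", ENCRYPTED_KEY), ("mykey-plain", PLAIN_KEY), ("id_rsa", PEM_KEY)):
        print(name, sshd_can_load(text))
```

The practical consequence is the one the post reaches: the host key has to sit on disk without a passphrase, protected by file permissions (root-owned, mode 0600) and, if desired, by putting /etc/ssh on encrypted storage. `ssh-keygen -p -N '' -f /etc/ssh/mykey` rewrites an existing key without its passphrase after asking for the old one.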

