ssh login with rsa/dsa authentication

Post by Mark » Thu, 20 Mar 2003 07:06:18



Hi,

I've been trying to create an rsa or dsa keypair so I can log in from a
client to my linux server at home without having to type a password
every time. I have read various documents and tried various things, but I
can't seem to get it to work.

Here is what I understand of it. First of all I have to generate the key
pair on the client. I don't know which is better, dsa or rsa, but I have
tried both. So for a dsa keypair I do: ssh-keygen -t dsa
This will create an id_dsa and an id_dsa.pub file. I scp the id_dsa.pub
file to the server machine. On that machine I add the contents of this
file to the authorized_keys file. In fact I have just renamed it the
last time because I didn't want all the old stuff in that file. I
figured it might mess things up.
After that I should be able to log in to the server without a password.
I do have to specify a passphrase, but that should be solvable with
ssh-agent or something. I didn't get to the point where I wanted to try that.
But for some reason I cannot log in this way. I need to specify a
password anyway every time. No matter what I try.

Can anybody tell me what I am doing wrong, or point me to a really good
site, not one that covers only half of it, and another site which
explains things totally differently. I also came across a site which told me
to create the keypair on the server, and distribute the id_rsa file to
the client. But that means you have to send it to all the clients from
which you would want to be able to log in. Which doesn't make much sense
I think.

Another thing which bothers me is that as far as I figured out, the
username of the account on the server should be the same as the username
with which you are logged in on the client. Is this correct or am I
doing something really wrong here also?

Any help would be appreciated.
   Mark


Post by Rancid Mot » Thu, 20 Mar 2003 07:43:42



> Hi,

> I've been trying to create an rsa or dsa keypair so I can log in from a
> client to my linux server at home without having to type a password
> every time. I have read various documents and tried various things, but I
> can't seem to get it to work.

> Here is what I understand of it. First of all I have to generate the key
> pair on the client. I don't know which is better, dsa or rsa, but I have
> tried both. So for a dsa keypair I do: ssh-keygen -t dsa
> This will create an id_dsa and an id_dsa.pub file. I scp the id_dsa.pub
> file to the server machine. On that machine I add the contents of this
> file to the authorized_keys file. In fact I have just renamed it the
> last time because I didn't want all the old stuff in that file. I
> figured it might mess things up.
> After that I should be able to log in to the server without a password.
> I do have to specify a passphrase, but that should be solvable with
> ssh-agent or something. I didn't get to the point where I wanted to try that.
> But for some reason I cannot log in this way. I need to specify a
> password anyway every time. No matter what I try.

> Can anybody tell me what I am doing wrong, or point me to a really good
> site, not one that covers only half of it, and another site which
> explains things totally differently. I also came across a site which told me
> to create the keypair on the server, and distribute the id_rsa file to
> the client. But that means you have to send it to all the clients from
> which you would want to be able to log in. Which doesn't make much sense
> I think.

I think what you have done so far is correct, however I am recalling reading
from somewhere that DSA keys will only work with SSH 2 (someone might like
to confirm this).  anyway, you should only use SSH2 because SSH1 isn't as
secure.  your key generation is correct.  copy the id_dsa.pub over to the
server you want to connect to, and cat it into an authorized_keys2 file in
the .ssh directory of the user you wish to log in as, i.e.

cat /home/someuser/.ssh/id_dsa.pub >> /home/someuser/.ssh/authorized_keys2

in your /etc/ssh/sshd_config, modify the first couple of entries...

Protocol 2
ListenAddress X.X.X.X

where X.X.X.X is the ip address you want the ssh service to listen on.
(important if your machine has multiple NICs or virtual IPs), and the
protocol option forces only secure ssh2 connections.

make sure

RSAAuthentication yes

and that

PasswordAuthentication no

and modify the other options as you see fit, restart sshd via
/etc/init.d/sshd restart, or via other init scripts that you have created

If you are using ssh from the command line to connect to the server then you
will need to force the second protocol via

ssh -2 -p 22 X.X.X.X

-p is the port that ssh is running on

if you are running Secure CRT from a windows box (very handy), then you will
first need to create a public protocol 2 key from Secure CRT.  you then copy
this over to your ssh server and in the home directory run the following

ssh-keygen -X -f secure-crt.pub >>authorized_keys2

which strips the key and adds it to the authorized file.

cheers
moth


> Another thing which bothers me is that as far as I figured out, the
> username of the account on the server should be the same as the username
> with which you are logged in on the client. Is this correct or am I
> doing something really wrong here also?

> Any help would be appreciated.
>    Mark



Post by Jeremy Gra » Thu, 20 Mar 2003 09:09:22



> Here is what I understand of it. First of all I have to generate the
> key pair on the client. I don't know which is better, dsa or rsa, but
> I have tried both. So for a dsa keypair I do: ssh-keygen -t dsa This
> will create an id_dsa and an id_dsa.pub file. I scp the id_dsa.pub
> file to the server machine. On that machine I add the contents of this
> file to the authorized_keys file. In fact I have just renamed it the
> last time because I didn't want all the old stuff in that file. I
> figured it might mess things up.  After that I should be able to log
> in to the server without a password.  I do have to specify a
> passphrase, but that should be solvable with ssh-agent or something.
> I didn't get to the point where I wanted to try that.  But for some
> reason I cannot log in this way. I need to specify a password anyway
> every time. No matter what I try.

There are many authentication methods available for ssh.  For things to
work, the server and the client must be configured so that they both
allow a common method.  Since you want to use key pair authentication,
you need to ensure that method is enabled in both the server and the
client.  The specifics are in the sshd_config and ssh_config manpages,
but look at the PubkeyAuthentication and PasswordAuthentication options.

> Another thing which bothers me is that as far as I figured out, the
> username of the account on the server should be the same as the
> username with which you are logged in on the client. Is this correct
> or am I doing something really wrong here also?

ssh assumes this to be the case, but the username to use on the server
is configurable via the User option.  

--
Jeremy A. Gray

"Remember the Pueblo." -- the Fourth Law of Marvin
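
The two options named in the post above decide what a key-only login attempt can do. The following is an added example, not code from any poster in this thread: it reads an sshd_config the way sshd resolves it (keywords case-insensitive, first occurrence wins) and classifies the outcome. The function names and the sample file are made up for the illustration; the yes/yes defaults are OpenSSH's documented defaults.

```shell
#!/bin/sh
# Added example: report the value sshd would use for one keyword.
# Keywords are case-insensitive and the first occurrence wins; parsing stops
# at the first Match block because settings below it are conditional.
sshd_effective() {   # usage: sshd_effective FILE KEYWORD DEFAULT
    awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" -v def="$3" '
        { sub(/^[ \t]+/, "") }
        /^(#|$)/ { next }
        { split($0, f, /[ \t=]+/); key = tolower(f[1]) }
        key == "match" { exit }
        key == want    { print tolower(f[2]); found = 1; exit }
        END            { if (!found) print def }
    ' "$1"
}

# Classify how a login will go against this config. "key-then-password" is
# the state where a rejected key silently falls back to a password prompt.
pubkey_login_outlook() {   # usage: pubkey_login_outlook FILE
    pk=$(sshd_effective "$1" PubkeyAuthentication yes)
    pw=$(sshd_effective "$1" PasswordAuthentication yes)
    case "$pk/$pw" in
        yes/no)  echo "key-only" ;;
        yes/yes) echo "key-then-password" ;;
        no/yes)  echo "password-only" ;;
        *)       echo "locked-out" ;;
    esac
}

# Constructed sample mirroring the settings quoted in this thread; the
# commented-out line and the later duplicate must both be ignored.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Protocol 2
#PubkeyAuthentication no
RSAAuthentication yes
PasswordAuthentication no
passwordauthentication yes
EOF
pubkey_login_outlook "$sample"
```

On a live server, `sshd -T` prints the configuration sshd actually resolved, including defaults and included files.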


Post by joe dek » Thu, 20 Mar 2003 08:13:31



> Hi,

> After that I should be able to log in to the server without a password.
> I do have to specify a passphrase, but that should be solvable with
> ssh-agent or something. I didn't get to the point where I wanted to try that.
> But for some reason I cannot log in this way. I need to specify a
> password anyway every time. No matter what I try.

> Can anybody tell me what I am doing wrong, or point me to a really good
> site, not one that covers only half of it, and another site which
> explains things totally differently. I also came across a site which told me
> to create the keypair on the server, and distribute the id_rsa file to
> the client. But that means you have to send it to all the clients from
> which you would want to be able to log in. Which doesn't make much sense
> I think.

> Another thing which bothers me is that as far as I figured out, the
> username of the account on the server should be the same as the username
> with which you are logged in on the client. Is this correct or am I
> doing something really wrong here also?

> Any help would be appreciated.
>   Mark

Read man pages.  man ssh. man sshd.

Is your authorized_keys in .ssh directory in home directory?

Make sure permission of .ssh and its contents are correct.

-v switch will give you verbose progress as you log in.

-l switch will let you set user name.

You obviously did not read man pages even though you said
you have read a lot.
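
The permission check suggested in the post above can be scripted. This is an added example, not code from any poster in this thread: it re-creates the ownership and mode test that sshd applies when StrictModes is on (the default) to the home directory, ~/.ssh and authorized_keys. The function names and the demo tree are made up for the illustration.

```shell
#!/bin/sh
# Added example: re-create the ownership/mode test sshd applies with StrictModes.

# Return 0 if the path is owned by UID (or root) and is not writable by group
# or others. Prints the reason on failure.
strict_ok() {   # usage: strict_ok PATH UID
    [ -e "$1" ] || { echo "$1: missing"; return 1; }
    set -- "$1" "$2" $(ls -ldn "$1")   # now $3 = mode string, $5 = owner uid
    case "$5" in "$2"|0) ;; *) echo "$1: owned by uid $5"; return 1 ;; esac
    case "$3" in
        ?????w*|????????w*) echo "$1: group/world writable ($3)"; return 1 ;;
    esac
    return 0
}

# Check the three paths sshd cares about; non-zero if any of them fails.
audit_ssh_dir() {   # usage: audit_ssh_dir HOME_DIR UID
    rc=0
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        strict_ok "$p" "$2" || rc=1
    done
    return $rc
}

# Constructed demo tree (not a real account): a correct layout, then the same
# layout with a group-writable .ssh, which makes sshd ignore authorized_keys
# and fall back to the next authentication method.
demo=$(mktemp -d)
mkdir "$demo/.ssh" && : > "$demo/.ssh/authorized_keys"
chmod 700 "$demo" "$demo/.ssh"; chmod 600 "$demo/.ssh/authorized_keys"
audit_ssh_dir "$demo" "$(id -u)" && echo "ok: sshd would read authorized_keys"
chmod 775 "$demo/.ssh"
audit_ssh_dir "$demo" "$(id -u)" ||
    echo "fix with: chmod go-w ~ ~/.ssh ~/.ssh/authorized_keys"
```

Run against a real account as `audit_ssh_dir "$HOME" "$(id -u)"` on the server side.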


Post by Michael Heimin » Thu, 20 Mar 2003 08:45:00



> Here is what I understand of it. First of all I have to generate the key
> pair on the client. I don't know which is better, dsa or rsa, but I have

dsa is ssh2, rsa ssh1, AFAIK, check the man pages, better use dsa.

> tried both. So for a dsa keypair I do: ssh-keygen -t dsa
> This will create an id_dsa and an id_dsa.pub file. I scp the id_dsa.pub
> file to the server machine. On that machine I add the contents of this
> file to the authorized_keys file. In fact I have just renamed it the

Isn't it?

~/.ssh/authorized_keys2

'ssh -vvvv <remote>' should show where the problem is.

File/dir permissions could be one out of numerous problems.

There's comp.security.ssh for ssh specific questions, but this doesn't
sound very difficult.

Read the FAQ how to go on about debugging your problem, most ssh
problems aren't very difficult to solve, once you know how to
debug them.

http://www.snailbook.com/faq/general-debugging.auto.html

Good luck

--
Michael Heiming

Remove +SIGNS and www. if you expect an answer, sorry for
inconvenience, but I get tons of SPAM


Post by Rancid Mot » Thu, 20 Mar 2003 09:19:25




> > Here is what I understand of it. First of all I have to generate the key
> > pair on the client. I don't know which is better, dsa or rsa, but I have

> dsa is ssh2, rsa ssh1, AFAIK, check the man pages, better use dsa.

> > tried both. So for a dsa keypair I do: ssh-keygen -t dsa
> > This will create an id_dsa and an id_dsa.pub file. I scp the id_dsa.pub
> > file to the server machine. On that machine I add the contents of this
> > file to the authorized_keys file. In fact I have just renamed it the

> Isn't it?

> ~/.ssh/authorized_keys2

yes it is.  refer to my previous post

> 'ssh -vvvv <remote>' should show where the problem is.

> File/dir permissions could be one out of numerous problems.

> There's comp.security.ssh for ssh specific questions, but this doesn't
> sound very difficult.

> Read the FAQ how to go on about debugging your problem, most ssh
> problems aren't very difficult to solve, once you know how to
> debug them.

> http://www.snailbook.com/faq/general-debugging.auto.html

> Good luck

> --
> Michael Heiming

> Remove +SIGNS and www. if you expect an answer, sorry for
> inconvenience, but I get tons of SPAM


Post by Jeremy Gra » Thu, 20 Mar 2003 11:56:12






>>> tried both. So for a dsa keypair I do: ssh-keygen -t dsa
>>> This will create an id_dsa and an id_dsa.pub file. I scp the id_dsa.pub
>>> file to the server machine. On that machine I add the contents of this
>>> file to the authorized_keys file. In fact I have just renamed it the

>> Isn't it?

>> ~/.ssh/authorized_keys2

> yes it is.  refer to my previous post

Recent versions of openssh (at least as of 3.4p1) no longer require
authorized_keys2 (or known_hosts2), but will still read them.  So, all
your pubkeys can be placed in authorized_keys.  

--
Jeremy A. Gray

"Remember the Pueblo." -- the Fourth Law of Marvin


Post by Rancid Mot » Thu, 20 Mar 2003 11:24:08







> >>> tried both. So for a dsa keypair I do: ssh-keygen -t dsa
> >>> This will create an id_dsa and an id_dsa.pub file. I scp the id_dsa.pub
> >>> file to the server machine. On that machine I add the contents of this
> >>> file to the authorized_keys file. In fact I have just renamed it the

> >> Isn't it?

> >> ~/.ssh/authorized_keys2

> > yes it is.  refer to my previous post

> Recent versions of openssh (at least as of 3.4p1) no longer require
> authorized_keys2 (or known_hosts2), but will still read them.  So, all
> your pubkeys can be placed in authorized_keys.

nice to know.  thanks.

cheers
moth

> --
> Jeremy A. Gray

> "Remember the Pueblo." -- the Fourth Law of Marvin


Post by Mark » Thu, 20 Mar 2003 18:08:02





> > Hi,

> > I've been trying to create an rsa or dsa keypair so I can log in from a
> > client to my linux server at home without having to type a password
> > every time. I have read various documents and tried various things, but I
> > can't seem to get it to work.

> > Here is what I understand of it. First of all I have to generate the key
> > pair on the client. I don't know which is better, dsa or rsa, but I have
> > tried both. So for a dsa keypair I do: ssh-keygen -t dsa
> > This will create an id_dsa and an id_dsa.pub file. I scp the id_dsa.pub
> > file to the server machine. On that machine I add the contents of this
> > file to the authorized_keys file. In fact I have just renamed it the
> > last time because I didn't want all the old stuff in that file. I
> > figured it might mess things up.
> > After that I should be able to log in to the server without a password.
> > I do have to specify a passphrase, but that should be solvable with
> > ssh-agent or something. I didn't get to the point where I wanted to try that.
> > But for some reason I cannot log in this way. I need to specify a
> > password anyway every time. No matter what I try.

> > Can anybody tell me what I am doing wrong, or point me to a really good
> > site, not one that covers only half of it, and another site which
> > explains things totally differently. I also came across a site which told me
> > to create the keypair on the server, and distribute the id_rsa file to
> > the client. But that means you have to send it to all the clients from
> > which you would want to be able to log in. Which doesn't make much sense
> > I think.

> I think what you have done so far is correct, however I am recalling reading
> from somewhere that DSA keys will only work with SSH 2 (someone might like
> to confirm this).  anyway, you should only use SSH2 because SSH1 isn't as
> secure.  your key generation is correct.  copy the id_dsa.pub over to the
> server you want to connect to, and cat it into an authorized_keys2 file in
> the .ssh directory of the user you wish to log in as, i.e.

> cat /home/someuser/.ssh/id_dsa.pub >> /home/someuser/.ssh/authorized_keys2

> in your /etc/ssh/sshd_config, modify the first couple of entries...

> Protocol 2
> ListenAddress X.X.X.X

> where X.X.X.X is the ip address you want the ssh service to listen on.
> (important if your machine has multiple NICs or virtual IPs), and the
> protocol option forces only secure ssh2 connections.

> make sure

> RSAAuthentication yes

> and that

> PasswordAuthentication no

> and modify the other options as you see fit, restart sshd via
> /etc/init.d/sshd restart, or via other init scripts that you have created

> If you are using ssh from the command line to connect to the server then you
> will need to force the second protocol via

> ssh -2 -p 22 X.X.X.X

> -p is the port that ssh is running on

> if you are running Secure CRT from a windows box (very handy), then you will
> first need to create a public protocol 2 key from Secure CRT.  you then copy
> this over to your ssh server and in the home directory run the following

> ssh-keygen -X -f secure-crt.pub >>authorized_keys2

> which strips the key and adds it to the authorized file.

> cheers
> moth

> > Another thing which bothers me is that as far as I figured out, the
> > username of the account on the server should be the same as the username
> > with which you are logged in on the client. Is this correct or am I
> > doing something really wrong here also?

> > Any help would be appreciated.
> >    Mark

Thanks, this helped a lot.
I didn't change that much, but I changed the group owner of the ~/.ssh which
was set incorrectly, and I made a ~/.ssh/authorized_keys, and a hardlink to
that file called ~/.ssh/authorized_keys2. I don't know what did the trick,
but it works.
But now I have another problem. I am able to set up the ssh-agent by putting
a script in my .bash_profile. After that I can do a ssh-add, then it prompts
for my passphrase. If I enter it, and I ssh to the server, it works perfectly.
But when I close my shell and log in again, I need to do ssh-add again or it
won't work. This is not really what I'd expect. I don't see much advantage
using it this way.
Again I am probably doing something wrong. I have read the man pages for
ssh-agent and ssh-add, but I cannot find anything about this. I know it is
also possible to have ssh-agent to be the ancestor of an x-session. This way
all applications can use the keys from this agent. This will probably work
until you logout or restart your x-session. So you'd keep on struggling with
the same problems.

Any help would again be appreciated.
  Mark


Post by Jeremy Gra » Fri, 21 Mar 2003 06:16:36



> But now I have another problem. I am able to set up the ssh-agent by putting
> a script in my .bash_profile. After that I can do a ssh-add, then it prompts
> for my passphrase. If I enter it, and I ssh to the server, it works perfectly.
> But when I close my shell and log in again, I need to do ssh-add again or it
> won't work. This is not really what I'd expect. I don't see much advantage
> using it this way.

Google for keychain.  And please trim.  

--
Jeremy A. Gray

"Remember the Pueblo." -- the Fourth Law of Marvin
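
The ssh-add-on-every-login problem discussed above comes from each login shell starting its own agent. The following is an added example, not code from any poster in this thread and not the keychain script itself: it shows the same basic idea of caching the agent's environment in a file and reattaching to a live agent. The cache file name and the function names are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: reuse one ssh-agent across login shells.
AGENT_ENV="${AGENT_ENV:-$HOME/.ssh/agent.env}"   # hypothetical cache file

# Succeeds only if the cached variables point at a live agent: the PID must
# exist and the socket must still be there. A stale file is normal after a
# reboot, so it must never be trusted blindly.
agent_alive() {   # usage: agent_alive ENV_FILE
    [ -r "$1" ] || return 1
    . "$1" >/dev/null
    [ -n "$SSH_AGENT_PID" ] && kill -0 "$SSH_AGENT_PID" 2>/dev/null &&
        [ -S "$SSH_AUTH_SOCK" ]
}

# Attach to the running agent or start a new one. Sets AGENT_STATE to
# "reused" or "started"; call it directly (not in $(...)) so the exported
# variables land in the calling shell.
attach_agent() {   # usage: attach_agent ENV_FILE
    if agent_alive "$1"; then AGENT_STATE=reused; return 0; fi
    command -v ssh-agent >/dev/null || { AGENT_STATE=unavailable; return 1; }
    # umask 077 keeps the cache private: it is sourced as shell code later.
    (umask 077; ssh-agent -s | grep -v '^echo' > "$1")
    . "$1" >/dev/null
    AGENT_STATE=started
}

# In ~/.bash_profile, after defining the functions above:
#   attach_agent "$AGENT_ENV" && [ "$AGENT_STATE" = started ] && ssh-add
# The passphrase is then asked once per agent lifetime, not once per login.
```

The decrypted key stays in the agent's memory until the agent exits, so `ssh-add -t <seconds>` is worth considering to bound how long that is.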