ssh key generation


ssh key generation

LLLActive@GMX.Net
Hi all,

I've done the following procedure to get a passwordless login on a
remote server:

as root:

$ ssh-keygen
Enter file in which to save the key (/home/your_user/.ssh/id_rsa): <Enter>
Enter passphrase (empty for no passphrase): <Enter>
Enter same passphrase again: <Enter>
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is: (-:)
co:ec:aa:a1:de:34:5c:95:24:1d:25:4a:84:aq:65:ca root@server
The key's randomart image is:
+--[ RSA 2048]----+
|    .*******      |
|   ..B-.-.        |
|    kjak        |
|   . ..+<-,         |
|    . #+#^´        |
|       .         |
|                 |
|                 |
|                 |
+-----------------+


        Then I upload the key

as root:
$ ssh-copy-id [hidden email]
Password:

message:
Now try logging into the machine, with "ssh '[hidden email]'",
and check in:
~/.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.

Now, when I login, the password is asked *again*.

Where does the id_rsa get used? It is in /root/.ssh/ together with
id_rsa.pub when generated by ssh-keygen. I am root when performing the
login on the remote server at the moment. Later, I will use a dedicated
user.

Any suggestions welcome.

:-)
Dreiel


--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]


Re: ssh key generation

James Knott
[hidden email] wrote:
> Any suggestions welcome.

You also have to turn off passwords.  I have the following in
/etc/ssh/ssh_config:

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
ChallengeResponseAuthentication no




Re: ssh key generation

Ken Schneider - openSUSE
In reply to this post by LLLActive@GMX.Net
On 03/07/2012 10:39 PM, [hidden email] pecked at the keyboard and wrote:

<trimmed>

This was passed on from David Rankin and worked well for me:

Local Box (client):

(1) create the keys you need with 'ssh-keygen -t dsa'. (just hit return
for empty passwords) That will create id_dsa and id_dsa.pub in ~/.ssh by
default. Give the id_dsa.pub key a usable name used when you copy it
over to the remote box: (i.e. cp id_dsa.pub id_dsa.pub.$HOSTNAME)

(2) rsync your key with the usable name to the remote box:

rsync -uav ~/.ssh/id_dsa.pub.$HOSTNAME remote.host.tld:~/.ssh


Remote Box:

(3) ssh into the remote box and append the new usable key to
~/.ssh/authorized_keys i.e.:

cat ~/.ssh/id_dsa.pub.$HOSTNAME >> ~/.ssh/authorized_keys

** you could just do this step from the Local Box with:

ssh remote.host "cat ~/.ssh/id_dsa.pub.$HOSTNAME >> ~/.ssh/authorized_keys"

Don't forget to use '>>' instead of '>'... much cussing otherwise...

HTH

--
Ken Schneider
SuSe since Version 5.2, June 1998

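The ssh-copy-id notice in the first post tells you to look in ~/.ssh/authorized_keys for keys you were not expecting, and Ken's step appends to that same file with '>>'. Reading the file by eye is not really a check: the base64 blob is opaque, and an extra or mangled line is easy to miss. The following is an added example written for this page, not code from the thread or from OpenSSH: it parses each entry, decodes the key blob (SSH wire format, a sequence of length-prefixed strings), prints the same SHA256 fingerprint that ssh-keygen -lf would, and compares it against the fingerprints you know you installed. The sample file is constructed inside the code from tiny or all-zero material and is not real key material; the allow-list is whatever set of fingerprints you pass in.

```python
"""Audit an OpenSSH authorized_keys file: decode each key blob, report type,
size and SHA256 fingerprint, check the declared type against the type embedded
in the blob, and flag entries not on an allow-list. Added example for this
thread, not code posted in it; sample entries are constructed from tiny or
all-zero material so it runs offline and are NOT real keys."""
import base64
import hashlib
import struct

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def _ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': big-endian uint32 length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """SSH wire 'mpint': minimal big-endian two's complement, length-prefixed."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw  # keep a positive number positive
    return _ssh_string(raw)


def _read_string(blob: bytes, pos: int):
    """Read one wire string at pos; return (payload, next_pos)."""
    if pos + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[pos:pos + 4])
    if pos + 4 + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[pos + 4:pos + 4 + length], pos + 4 + length


def fingerprint(blob: bytes) -> str:
    """Same form as ssh-keygen -lf: SHA256 of the blob, base64 without padding."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def key_bits(key_type: str, blob: bytes, pos: int) -> int:
    """Key size in bits, read from the blob body after the type string."""
    if key_type == "ssh-rsa":  # e, then n
        _, pos = _read_string(blob, pos)
        n, _ = _read_string(blob, pos)
        return int.from_bytes(n, "big").bit_length()
    if key_type == "ssh-ed25519":  # 32-byte public point
        point, _ = _read_string(blob, pos)
        return len(point) * 8
    if key_type.startswith("ecdsa-sha2-nistp"):
        return int(key_type[len("ecdsa-sha2-nistp"):])
    return 0  # ssh-dss: size not needed, the type alone is flagged below


def parse_entry(line: str) -> dict:
    """Parse '[options] type base64 [comment]'. Options are taken as every token
    before the first known key type (enough unless an option contains spaces)."""
    tokens = line.split()
    idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
    if idx is None or idx + 1 >= len(tokens):
        raise ValueError("no key type / key data found")
    declared = tokens[idx]
    blob = base64.b64decode(tokens[idx + 1], validate=True)
    embedded, pos = _read_string(blob, 0)
    if embedded != declared.encode():
        raise ValueError(f"declared {declared} but blob embeds {embedded!r}")
    return {"options": " ".join(tokens[:idx]), "type": declared,
            "bits": key_bits(declared, blob, pos), "fingerprint": fingerprint(blob),
            "comment": " ".join(tokens[idx + 2:])}


def audit(text: str, allowed_fingerprints: set) -> list:
    """One result per entry: 'unexpected' = not on the allow-list, 'deprecated' =
    ssh-dss (refused by default since OpenSSH 7.0), or 'error' for unparsable lines."""
    results = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            entry = parse_entry(line)
        except (ValueError, struct.error) as exc:
            results.append({"line": lineno, "error": str(exc)})
            continue
        entry.update(line=lineno, unexpected=entry["fingerprint"] not in allowed_fingerprints,
                     deprecated=entry["type"] == "ssh-dss")
        results.append(entry)
    return results


# Constructed sample material (NOT real keys): an odd 2048-bit number standing in
# for an RSA modulus and an all-zero Ed25519 point.
RSA_BLOB = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint((1 << 2047) + 12345)
ED25519_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(32))
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample for sshuser",
    "ssh-rsa " + base64.b64encode(RSA_BLOB).decode() + " root@server",
    'from="192.0.2.10",no-pty ssh-ed25519 ' + base64.b64encode(ED25519_BLOB).decode() + " backup@nas",
    # claims ssh-rsa but carries the Ed25519 blob: a mangled or tampered entry
    "ssh-rsa " + base64.b64encode(ED25519_BLOB).decode() + " mangled@copy",
])

if __name__ == "__main__":
    for r in audit(SAMPLE_AUTHORIZED_KEYS, {fingerprint(RSA_BLOB)}):
        print(r)
```

Compare the output against `ssh-keygen -lf ~/.ssh/id_rsa.pub` on the client; the fingerprints must match exactly, and anything else in the file is a key you did not put there. Note also that Ken's 'ssh-keygen -t dsa' produces ssh-dss keys, which OpenSSH has refused by default since 7.0, so the audit flags that type as deprecated.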


Re: ssh key generation

LLLActive@GMX.Net
In reply to this post by James Knott
> [hidden email] wrote:
>> Any suggestions welcome.
>
> You also have to turn off passwords.  I have the following in
> /etc/ssh/ssh_config:
>
> # To disable tunneled clear text passwords, change to no here!
> PasswordAuthentication no
> #PermitEmptyPasswords no
>
> # Change to no to disable s/key passwords
> ChallengeResponseAuthentication no
>
>
Thanks James!

OK, it was the latter, ChallengeResponseAuthentication. It was commented
out. Default seems to be 'yes'.

Now it seems to get through, but now I have to get the keys put in the
right places.

I get the message: 'Permission denied (publickey).' It is reading the
public key, but where is it comparing?

I am on the client as root, and the keys are under /root/.ssh/.

On the server id_rsa.pub was copied to /home/sshuser/.ssh/authorized_keys.

I login as the user 'sshuser' onto the server. (I disabled root login
for ssh). I get 'Permission denied (publickey)'

I am looking at:
http://en.opensuse.org/SDB:Configure_openSSH#Public_Key_Authentication 
(one of many). I even tried
'AuthorizedKeysFile %h/.ssh/authorized_keys'  in /etc/ssh/sshd_config,
to no avail.

:-)
Dreiel






Re: ssh key generation

Carl Hartung-2
In reply to this post by LLLActive@GMX.Net
On Thu, 08 Mar 2012 04:39:00 +0100
"[hidden email]" <[hidden email]> wrote:

<trimmed>

I'm doing this all the time now and the way it's typically set up your
procedure should 'just work' with one small change. Don't become root
on your local system before generating the public / private key pair.
It isn't necessary and is likely the source of your problem. IOW:

as user:
ssh-keygen [enter, enter, enter]

ssh-copy-id [hidden email] [password when prompted]
[This appends the public key in ~/'user'/.ssh/authorized_keys on the
remote system]

now, to log in:
ssh [hidden email]

That's it. If this doesn't work, the remote host configuration is most
likely not 'default,' in which case you already know where to look. But
be careful turning off password authentication if physical access to
the machine is costly or unpleasant. Better to use 'fail2ban' or
something similar to fend off the script kiddies.

hth & regards,

Carl


Re: ssh key generation

LLLActive@GMX.Net
> On Thu, 08 Mar 2012 04:39:00 +0100
> "[hidden email]"<[hidden email]>  wrote:
<trimmed>
> I'm doing this all the time now and the way it's typically set up your
> procedure should 'just work' with one small change. Don't become root
> on your local system before generating the public / private key pair.
> It isn't necessary and is likely the source of your problem. IOW:
>
> as user:
> ssh-keygen [enter, enter, enter]
>
> ssh-copy-id [hidden email] [password when prompted]
> [This appends the public key in ~/'user'/.ssh/authorized_keys on the
> remote system]
>
> now, to log in:
> ssh [hidden email]
>
> That's it. If this doesn't work, the remote host configuration is most
> likely not 'default,' in which case you already know where to look. But
> be careful turning off password authentication if physical access to
> the machine is costly or unpleasant. Better to use 'fail2ban' or
> something similar to fend off the script kiddies.
>
> hth&  regards,
>
> Carl
Hi Carl,

I'm sure I tried all you said before, but I deleted all the keys
everywhere and reverted to the default in the /etc/ssh/ssh_config file.
Now it works on one local server.

Indeed, the access to the server was impossible when I changed the
"PasswordAuthentication no"
  and the "ChallengeResponseAuthentication no". Only access to the
server console allowed access again.
Your warning "be careful turning off password authentication if physical
access to the machine is costly or unpleasant", is well advised!!!

I can not physically get to another server where I have the same problem
with the 'PasswordAuthentication no". Is there another method to get to
it? It is a virtual server at an ISP :(
Is there a way to override these settings when logging in with ssh?

I'll look into fail2ban (like denyhosts?).


:-)
Dreiel


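James's two directives, Dreiel's finding that a commented-out ChallengeResponseAuthentication line leaves it at its default of yes, and the lock-out that followed once both were set to no all come from how sshd reads its configuration. The following is an added example written for this page, not code from the thread or from OpenSSH: it resolves the effective values the way sshd does (comments set nothing, keywords are case-insensitive, the first occurrence of a keyword wins) and runs a lock-out pre-flight before you restart the daemon. One correction to keep in mind while reading it: PasswordAuthentication and ChallengeResponseAuthentication are server directives and belong in /etc/ssh/sshd_config, the file sshd reads, not in the client's /etc/ssh/ssh_config. The two sample configs are constructed to mirror the situations the posts describe, and key_login_verified is a hypothetical flag meaning you have already logged in with the key from a second session while the original session stays open.

```python
"""Resolve the effective values of an sshd_config and run a lock-out pre-flight
before restarting sshd. Added example for this thread, not code from it. The
sample configs are constructed here to mirror the situations the posts describe;
the defaults table lists OpenSSH's documented defaults for the keywords checked."""
import re

# OpenSSH defaults for the keywords this check cares about (sshd_config(5)).
DEFAULTS = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "strictmodes": "yes",
    "authorizedkeysfile": ".ssh/authorized_keys .ssh/authorized_keys2",
}

_DIRECTIVE = re.compile(r"^([A-Za-z0-9]+)\s*=?\s*(.*)$")


def parse_sshd_config(text: str):
    """Return (global_settings, saw_match_block), mirroring sshd's rules:
    '#' lines are comments and set nothing (so '#Foo no' leaves Foo at its
    default), keywords are case-insensitive, 'Key value' and 'Key=value' are
    both accepted, and when a keyword appears twice the FIRST value wins.
    Everything after a Match line is conditional, so parsing stops there."""
    settings, saw_match = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            saw_match = True
            break
        settings.setdefault(key, value)
    return settings, saw_match


def effective(settings: dict) -> dict:
    """Documented default for anything not set explicitly (lower-cased for comparison)."""
    return {k: settings.get(k, v).lower() for k, v in DEFAULTS.items()}


def preflight(config_text: str, key_login_verified: bool) -> list:
    """Warnings to read before 'rcsshd restart'; an empty list means go ahead.
    key_login_verified (hypothetical flag): you have ALREADY logged in with the
    key from a second session, while the old session stays open as a fallback."""
    settings, saw_match = parse_sshd_config(config_text)
    eff = effective(settings)
    pw = eff["passwordauthentication"] == "yes"
    cr = eff["challengeresponseauthentication"] == "yes"
    pam = settings.get("usepam", "").lower() == "yes"
    warnings = []
    if eff["pubkeyauthentication"] != "yes":
        warnings.append("PubkeyAuthentication is off: authorized_keys is never consulted")
    if not pw and not cr and not key_login_verified:
        warnings.append("LOCKOUT: every password path is closed and no key login has been verified")
    if not pw and cr and pam:
        warnings.append("PasswordAuthentication no is not enough: with UsePAM yes and "
                        "ChallengeResponseAuthentication yes (the default), PAM still "
                        "prompts for the password via keyboard-interactive")
    if saw_match:
        warnings.append("Match blocks present: per-user/host overrides were not evaluated")
    return warnings


# Constructed sample 1: what the original poster described. PasswordAuthentication
# is off, but the ChallengeResponseAuthentication line was left commented out.
AS_POSTED = """\
Port 22
UsePAM yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication no
"""

# Constructed sample 2: both password paths closed. The second
# PasswordAuthentication line is ignored because the first value wins.
HARDENED = """\
UsePAM yes
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("as posted", AS_POSTED), ("hardened", HARDENED)):
        print(name, effective(parse_sshd_config(cfg)[0]))
        print("  without verified key:", preflight(cfg, key_login_verified=False))
        print("  with verified key:   ", preflight(cfg, key_login_verified=True))
```

Before restarting, run `sshd -t` against the edited file (it checks the syntax and exits non-zero on errors), keep the session you edited from open, log in fresh from a second terminal with the key, and only then close the old session. On a system with UsePAM yes both directives have to be no to stop password prompts, which is exactly what the thread found the hard way.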


Re: ssh key generation

James Knott
[hidden email] wrote:

<trimmed>
> Hi Carl,
>
> I'm sure I tied all you said before, but I deleted all the keys
> everywhere and reverted to the default in the /etc/ssh/ssh_config
> file. Now it works on one local server.
>
> Indeed, the access to the server was impossible when I changed the
> "PasswordAuthentication no"
>  and the "ChallengeResponseAuthentication no". Only access to the
> server console allowed access again.
> Your warning "be careful turning off password authentication if
> physical access to the machine is costly or unpleasant", is well
> advised!!!
>
> I can not physically get to another server where I have the same
> problem with the 'PasswordAuthentication no". Is there another method
> to get to it? It is a virtual server at an ISP :(
> Is there a way to override these settings when logging in with ssh?

You create the keys on the system you use to access the remote host and
then copy the public key to the host you wish to connect to.  You can do
that via ssh (scp) so you don't need physical access.  I don't know why
you're seeing that warning about physical access without passwords, as
you normally don't use ssh on the same box.  So, what you should be
doing is:

1) Generate the keys.
2) Copy the public key to the server.
3) Once that's working, then worry about disabling the password.


This process has to be done as the user you intend on connecting as, not
root.




Re: ssh key generation

Bernhard Voelker
In reply to this post by LLLActive@GMX.Net
On 03/08/2012 02:19 PM, [hidden email] wrote:
>  Is there another method to get to
> it? It is a virtual server at an ISP :(

Maybe - some ISPs provide serial console access.

Have a nice day,
Berny


Re: ssh key generation

LLLActive@GMX.Net
In reply to this post by James Knott
> [hidden email] wrote:
<trimmed>
>
> You create the keys on the system you use to access the remote host
> and then copy the public key to the host you wish to connect to.  You
> can do that via ssh (scp) so you don't need physical access.
"Permission denied (publickey)"
> I don't know why you're seeing that warning about physical access
> without passwords, as you normally don't use ssh on the same box.
? It is a Virtual Server at a service provider, not the local machine. I
have 2 servers, one on the local network and another at the ISP as a Virtual
Server. I connect to the local server and the Virtual Server (openSUSE)
with a desktop (MacBook), and can also connect to the Virtual Server at
the ISP from the local server (openSUSE).

|-|------------normal-----------|=|--------->| DSL |---------|ISP-VS|
MacBook                       Local Server      ^             Virtual Server
   |                                             |
   |------------alternative----------------------|


> So, what you should be doing is:
>
> 1) Generate the keys.
> 2) Copy the public key to the server.
Well, this does not work because it does not do "PasswordAuthentication
no" and "ChallengeResponseAuthentication no". Now it brings the error:
"Permission denied (publickey)". ssh-copy-id also needs a password,
but because of the settings above, it is not authenticated/challenged.
All users receive "Permission denied (publickey)".

:-(
> 3) Once that's working, then worry about disabling the password.
>
>
> This process has to be done as the user you intend on connecting as,
> not root.
>
>





Re: ssh key generation

Bernhard Voelker
On 03/08/2012 05:18 PM, [hidden email] wrote:
>> 1) Generate the keys.
>> > 2) Copy the public key to the server.
> Well, this does not work because it does not do "PasswordAuthentication
> no" and "ChallengeResponseAuthentication no". Now it brings the error:
> "Permission denied (publickey)". With ssh-copy-id also needs a password,
> but because of the settings before, it is not Authenticated/Challenged.
> All users receive "Permission denied (publickey)"

My ISP offers a web application to walk through the filesystem.
There, you can change the sshd_config and restart SSHD.
Probably yours also has one ...

Have a nice day,
Berny


Re: ssh key generation

Carl Hartung-2
In reply to this post by LLLActive@GMX.Net
On Thu, 08 Mar 2012 14:19:44 +0100
"[hidden email]" <[hidden email]> wrote:
<trimmed>
> I can not physically get to another server where I have the same
> problem with the 'PasswordAuthentication no". Is there another method
> to get to it? It is a virtual server at an ISP :(
> Is there a way to override these settings when logging in with ssh?

I can think of four approaches to this problem:

a. If you're certain 'ssh-copy-id [hidden email]' worked, you may
have a way into the box, but the login attempt must originate from an
account using the correct public / private key pair. This account
cannot be root on the local system because that is what caused your
original password request problem. Try this: Create a new user on your
local system and temporarily copy root's ~/.ssh/* into ~/newuser/.ssh/
(make sure to select the original 'root' that was used to create the
correct public / private key pair and don't forget to chown -R
newuser:users ~/newuser/.ssh) Then try passwordless login from the new
local user's account via 'ssh [hidden email]'. If this gets you in,
repair sshd_config on the remote system and restart sshd

b. If you have X installed and VNC access to a desktop on the remote
VPS you can sign into the desktop there, open a terminal, 'su -' to
root privileges, use vi to repair /etc/ssh/sshd_config, run 'rcsshd
restart' and then you ought to be close to where you first started.

c. As has already been mentioned, many VPS providers supply a control
panel with some form of 'emergency' access to the VPS's filesystem for
just these kinds of circumstances.

d. If you can IM or voice chat (Skype or telephone) a support person at
the VPS provider they have root access to the host system and can
repair sshd_config for you and restart sshd. They might need your root
password for the VPS, which is why I recommend IM or voice so you're
not sending this through e-mail.

hth, good luck & regards,

Carl
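Dreiel's 'Permission denied (publickey)' after the public key was copied into /home/sshuser/.ssh/authorized_keys, and Carl's step of copying root's key pair into a new local user's ~/.ssh and fixing the ownership, both run into the same class of silent failure: file ownership and modes. With StrictModes (on by default) sshd ignores an authorized_keys file when the file, its directory or the home directory is group- or world-writable or owned by someone else, and it says so only in its own log; ssh on the client ignores a private key that is readable by group or others. The following is an added example written for this page, not code from the thread or from OpenSSH: it mirrors those two checks in Python and demonstrates them on a throwaway home directory built under a temp dir (constructed, containing no real key material), so it can be run anywhere.

```python
"""Check the ownership and permission rules that make sshd silently ignore an
authorized_keys file (StrictModes, on by default) and make ssh ignore a private
key that is readable by others. Added example for this thread, not code from it;
demo() builds a throwaway home directory under a temp dir, so it runs offline and
touches nothing real."""
import os
import stat
import tempfile


def strict_modes_problems(home: str, authorized_keys: str, uid: int) -> list:
    """Mirror sshd's StrictModes walk: the authorized_keys file, its directory and
    every directory up to and including the user's home must be owned by that
    user (or root) and must not be writable by group or others. One failure is
    enough for sshd to drop the whole file, which the client only sees as
    'Permission denied (publickey)'."""
    home = os.path.realpath(home)
    path = os.path.realpath(authorized_keys)
    to_check = [path]
    d = os.path.dirname(path)
    while True:
        to_check.append(d)
        if d == home or os.path.dirname(d) == d:
            break
        d = os.path.dirname(d)
    problems = []
    for p in to_check:
        try:
            st = os.lstat(p)
        except FileNotFoundError:
            problems.append(f"{p}: does not exist")
            continue
        if st.st_uid not in (uid, 0):
            problems.append(f"{p}: owned by uid {st.st_uid}, not uid {uid} or root")
        if st.st_mode & 0o022:
            problems.append(f"{p}: writable by group/others (mode {stat.S_IMODE(st.st_mode):04o})")
    return problems


def private_key_problems(key_path: str) -> list:
    """ssh refuses a private key that group or others can access at all (mode & 077),
    prints 'Permissions ... are too open' and ignores the key. This is what bites
    when a key pair is copied from root's ~/.ssh into another user's directory:
    chown it to that user and chmod 600, or the login falls back to a password."""
    mode = stat.S_IMODE(os.stat(key_path).st_mode)
    if mode & 0o077:
        return [f"{key_path}: mode {mode:04o} is too open, ssh will ignore this key"]
    return []


def demo() -> dict:
    """Build a throwaway layout, break it the way it commonly breaks, then fix it."""
    uid = os.getuid()
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "sshuser")
        ssh_dir = os.path.join(home, ".ssh")
        ak = os.path.join(ssh_dir, "authorized_keys")
        key = os.path.join(tmp, "id_rsa")
        os.makedirs(ssh_dir)
        for placeholder in (ak, key):
            with open(placeholder, "w") as f:
                f.write("# constructed placeholder, no key material\n")
        # Broken: .ssh and authorized_keys left group-writable (typical after a
        # careless cp/rsync under a permissive umask), private key world-readable.
        os.chmod(home, 0o755)
        os.chmod(ssh_dir, 0o775)
        os.chmod(ak, 0o664)
        os.chmod(key, 0o644)
        results = {
            "server_broken": strict_modes_problems(home, ak, uid),
            "client_broken": private_key_problems(key),
        }
        # Fixed: the conventional 700 on .ssh and 600 on the key files.
        os.chmod(ssh_dir, 0o700)
        os.chmod(ak, 0o600)
        os.chmod(key, 0o600)
        results["server_fixed"] = strict_modes_problems(home, ak, uid)
        results["client_fixed"] = private_key_problems(key)
    return results


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, problems or "OK")
```

On the real server the equivalent quick look is `ls -ld ~sshuser ~sshuser/.ssh ~sshuser/.ssh/authorized_keys`, and sshd's log carries the refusal as 'Authentication refused: bad ownership or modes'. On the client, `ssh -v` shows which identity files were offered, so a key that is never offered points at the client side and a key that is offered but rejected points at the server side.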