I read your procedure and it sounds right. Here's mine: this is all from one, and I don't really care what method ssh uses, so long as it does what I asked, so am not specifying DSA

1) ssh-keygen (hit <cr> for the passphrase, ie none, then repeat)
2) scp ~/.ssh/identity.pub [EMAIL PROTECTED]:~/.ssh/authorized_keys
   <enter password for hopefully the last time>
3) ssh-agent
4) ssh [EMAIL PROTECTED]
   <no passphrase needed>

If you already have an authorized_keys on two, use the following

2a) scp ~/.ssh/identity.pub [EMAIL PROTECTED]:~/.ssh/foo
    <enter password>
2b) ssh [EMAIL PROTECTED] "cat ~/.ssh/foo >> ~/.ssh/authorized_keys"
    <enter password>

then remove ~/.ssh/foo off two however you wish to clean up

please note we're using a user account. Debian disallows remote root logins by policy. You can override this in /etc/ssh/sshd_config, but I recommend against it.

On 20 Apr 2001, Mario Vukelic wrote:

>Hi,
>
>please help before I tear my hair out. I'm trying to get
>RhostsRSAAuthentication to work. What I want is to be able to ssh
>between the machines on my home network without having to supply a
>passphrase/-word (also supplying it once with ssh-agent I'd like to
>avoid). The docs I've found on OpenSSH don't say much about this special
>method, but from what I gleaned from them, RhostsRSAAuthentication would
>give me what I want. However, since the info is scarce, I'm not even
>sure if it in fact does what I think it does. Although I'm on a rather
>secure home network I don't want to use RhostsAuthentication, since I
>want to learn how to configure OpenSSH properly, and rhosts-only
>authentication is insecure. Also, there's always the possibility that
>one time I'll allow ssh access from my external interface, and I don't
>want to have to reconfigure it then. In any way, if I set
>"RhostsAuthentication yes" in sshd_config it doesn't work either.
>
>This is what I've done:
>
>I've generated the host keys with
>[EMAIL PROTECTED]:/etc/ssh# ssh-keygen -t dsa -f ssh_host_dsa_key (with empty
>passphrase)
>(now send ONE's /etc/ssh/ssh_host_dsa_key.pub to [EMAIL PROTECTED])
>[EMAIL PROTECTED]:~# mv ssh_host_dsa_key.pub /etc/ssh/ssh_known_hosts2

AHA! you're using known_hosts, use authorized_keys. known_hosts is a list of hosts you've connected to. You don't have to do anything to get an entry in known_hosts: you get one when you first connect. authorized_keys is where you put DSA keys to do the automagic login...

>I did this for the other host, too. Then I prepared
>/etc/ssh/ssh_known_hosts2 on both hosts by adding the hostname field as
>described in man sshd (SSH_KNOWN_HOSTS FILE FORMAT).
>
>I've also generated user keys and distributed them
>[EMAIL PROTECTED]:~/.ssh$ ssh-keygen -t dsa
>(now send ~/.ssh/id_dsa.pub to [EMAIL PROTECTED])
>[EMAIL PROTECTED]:~$ mv id_dsa.pub .ssh/authorized_keys2

Why are you appending a 2 to all of these? Are you trying to use ssh2 authentication or somesuch? There's no need to add a 2 to them, and it's probably breaking things.

>(and vice versa)
>
>This is my config:
>[EMAIL PROTECTED]:/etc/ssh# cat sshd_config
>(excerpt)
>Protocol 2,1
>HostKey /etc/ssh/ssh_host_dsa_key
>IgnoreRhosts yes
>IgnoreUserKnownHosts yes
>RhostsAuthentication no
>RhostsRSAAuthentication yes
>RSAAuthentication yes
>PasswordAuthentication yes
>
>[EMAIL PROTECTED]:/etc/ssh# cat ssh_config
>(excerpt)
>Host ONE
>RhostsAuthentication no
>RhostsRSAAuthentication yes
>RSAAuthentication yes
>PasswordAuthentication yes
>FallBackToRsh no
>UseRsh no
>IdentityFile ~/.ssh/id_dsa
>Protocol 2,1
>
>[EMAIL PROTECTED]:/etc# cat hosts.equiv
>+TWO
>[EMAIL PROTECTED]:/etc# ls -l hosts.equiv
>-rw-r--r-- 1 root root 13 Apr 20 12:17 ../hosts.equiv
>
>[EMAIL PROTECTED]:/etc# cat hosts.equiv
>+ONE
>[EMAIL PROTECTED]:/etc# ls -l hosts.equiv
>-rw-r--r-- 1 root root 13 Apr 20 12:18 ../hosts.equiv
>
>Now I can ssh from TWO to ONE, and the host is already known to ssh,
>although there is no ~/.ssh/known_hosts2. Therefore I think that the
>host keys work. However, I still get asked for authentication:
>[EMAIL PROTECTED]:~$ ls .ssh
>authorized_keys2 id_dsa id_dsa.pub
>[EMAIL PROTECTED]:~$ ssh ONE
>Enter passphrase for key '/home/user/.ssh/id_dsa':[Enter]
>[EMAIL PROTECTED]'s password:[Enter]
>Permission denied, please try again.
>[EMAIL PROTECTED]'s password:[Enter]
>Permission denied, please try again.
>[EMAIL PROTECTED]'s password:[Enter]
>Permission denied (publickey,password).
>[EMAIL PROTECTED]:~$
>
>
>It would be very nice if someone reviewed my config and told me if I've
>committed mistakes somewhere (I'm afraid I wouldn't see it myself by now,
>I'm already a bit dizzy after staring at the config files for hours).
>Do I need a /etc/ssh/authorized_keys2, too. That is not mentioned in man
>sshd, but still.
>Any input is greatly appreciated.
>
>

--
<a mailto:[EMAIL PROTECTED]>Who is John Galt?</a>

Failure is not an option. It comes bundled with your Microsoft product.
 -- Ferenc Mantfeld
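
Added example, not part of the original message: steps 2a/2b above (append a public key to an existing authorized_keys) as one shell function that skips duplicates, copes with a file that lacks a trailing newline, and sets the permissions sshd expects. The helper name install_pubkey, the scratch paths and the key string are constructed for illustration.

```shell
#!/bin/sh
# Added example: append a public key to authorized_keys without clobbering
# existing entries or adding duplicates. install_pubkey is a hypothetical
# helper name. Usage: install_pubkey PUBFILE SSHDIR
install_pubkey() (
    pub=$1 dir=$2 auth="$2/authorized_keys"
    [ -r "$pub" ] || { echo "cannot read $pub" >&2; exit 1; }
    # Never install a private key by mistake (identity vs identity.pub).
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "$pub looks like a private key" >&2; exit 1
    fi
    # A public key file holds exactly one non-empty line.
    key=$(cat "$pub")
    [ -n "$key" ] && [ "$(printf '%s\n' "$key" | wc -l)" -eq 1 ] ||
        { echo "$pub: expected exactly one key line" >&2; exit 1; }
    # With StrictModes on, sshd refuses key files that other users can
    # write, so keep the directory at 700 and the file at 600.
    umask 077
    mkdir -p "$dir" && chmod 700 "$dir" || exit 1
    touch "$auth" && chmod 600 "$auth" || exit 1
    # Already present as a whole line? Nothing to do.
    if grep -qxF -e "$key" "$auth"; then exit 0; fi
    # If the last line has no newline, a plain ">>" would glue two keys
    # into one unusable line, so terminate it first.
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then
        echo >> "$auth"
    fi
    printf '%s\n' "$key" >> "$auth"
)

# Constructed demo in a scratch directory (the key below is not a real key).
demo=$(mktemp -d)
echo 'ssh-rsa AAAAB3constructedEXAMPLEkey user@one' > "$demo/identity.pub"
install_pubkey "$demo/identity.pub" "$demo/.ssh"
install_pubkey "$demo/identity.pub" "$demo/.ssh"   # second run adds nothing
wc -l < "$demo/.ssh/authorized_keys"
rm -rf "$demo"
```

On the remote side this would be run against ~/.ssh after copying the .pub file over, in place of the cat in step 2b.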