Reusing ssh keys on a new installation, was Re: OpenSSH: cause of random kex_exchange_identification errors?
On Wed 02 Feb 2022 at 14:28:40 (-0500), Greg Wooledge wrote:
> On Wed, Feb 02, 2022 at 02:21:08PM -0500, gene heskett wrote:
> > When I change something, like rebooting the rpi4 running my big Sheldon
> > lathe, from debian buster to debian bullseye, the keyfile changes, and I
> > get an explicit error telling me to run ssh-keygen to remove the
> > offending key, which I do, [...]
>
> What *I* would do is copy the host key files from the buster instance
> (the one that your client recognizes as valid) into the bullseye
> instance. That way, the client will recognize *both* server instances
> as the same host.
>
> The host keys are in the /etc/ssh/ directory in Debian. There are
> several files, and they all begin with ssh_host. Just copy them over
> and make sure the permissions are retained. (The ones without .pub on
> the end are meant to be private, so they have tighter permissions.)
>
> If you're not running Debian, but instead are running some perverse
> derivative that changes everything but still calls its releases "buster"
> and "bullseye" in order to maximize confusion, then your host keys might
> be in some other directory.

I do similar, after checking that the keys look as if they were
generated by the same scheme. I do this just after Grub has been
installed on the disk, ie at "Finish the installation". In a shell on
VC2, or another remote ssh connection, I type:

# mount /dev/ /mnt
# cp -ipr /mnt/etc/ssh/s*[by] /target/etc/ssh/
# cp -ipr /mnt/root/.ssh (and most of root's dotfiles) /target/root/

The reason I do this in the d-i is because I typically install over a
ssh connection, and when the machine reboots at the end and I want to
login remotely to finish the configuration, I can just type (from
local's root):

# ssh -X hostname

and I'm in.
To summarise, the upshot is that to install a new system, I visit the
machine to plug in a USB installer stick, boot up from it using the
one-time-boot option, and run these commands:

  │ Choose language │
  │ Configure the keyboard │
  │ Detect and mount CD-ROM │
  │ Load installer components from CD │
  → network-console: Continue installation remotely using SSH ←
  │ Detect network hardware │
  │ Configure the network │
  │ Continue installation remotely using SSH │

set a password (I use the hostname) and return to my comfortable
chair. I never /have to/ revisit the target machine again.¹

One other trick: I run the remote installer with:

$ ssh -o GlobalKnownHostsFile=/dev/null -o UserKnownHostsFile=/dev/null installer@hostname

which avoids polluting my ~/.ssh/known_hosts with the ephemeral host
key being used by the installer.

¹ unless I want my stick back. (Desktop machines are configured with
magic-packet wake-up in the BIOS.)

Cheers,
David.
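An added example, not part of the messages above: a check to run after copying host keys between installations, confirming that every ssh_host_* file in the target is byte-identical to the source and that no private key became readable by group or other. The function names and the demo directories are assumptions, and the demo uses constructed dummy files rather than real keys.

```shell
#!/bin/sh
# Added example: audit a host-key copy such as
#   cp -ipr /mnt/etc/ssh/s*[by] /target/etc/ssh/
# Function names and demo directories are hypothetical.

# check_host_keys SRC_DIR DST_DIR
# Prints one line per finding; the return status is the number of findings.
check_host_keys() {
    src=$1
    dst=$2
    problems=0
    for f in "$src"/ssh_host_*; do
        [ -e "$f" ] || continue
        name=${f##*/}
        if [ ! -e "$dst/$name" ]; then
            echo "MISSING  $name"
            problems=$((problems + 1))
            continue
        fi
        # A changed key (for example one regenerated by the new install)
        # is what makes clients report a changed host identification.
        if ! cmp -s "$f" "$dst/$name"; then
            echo "DIFFERS  $name"
            problems=$((problems + 1))
        fi
        case $name in
            *.pub) ;;   # public halves may be world-readable
            *)
                # Characters 5-10 of the ls mode string are the group and
                # other permission bits; a private key should have none.
                bits=$(ls -ld "$dst/$name" | cut -c5-10)
                if [ "$bits" != "------" ]; then
                    echo "PERMS    $name is accessible to group/other ($bits)"
                    problems=$((problems + 1))
                fi
                ;;
        esac
    done
    return "$problems"
}

# Constructed demo: dummy files stand in for real host keys.
demo_host_keys() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/old" "$tmp/good" "$tmp/bad"
    for t in rsa ed25519; do
        echo "constructed private $t" > "$tmp/old/ssh_host_${t}_key"
        echo "constructed public $t" > "$tmp/old/ssh_host_${t}_key.pub"
        chmod 600 "$tmp/old/ssh_host_${t}_key"
        chmod 644 "$tmp/old/ssh_host_${t}_key.pub"
    done
    cp -p "$tmp"/old/ssh_host_* "$tmp/good/"
    cp -p "$tmp"/old/ssh_host_* "$tmp/bad/"
    chmod 644 "$tmp/bad/ssh_host_rsa_key"                      # loosened mode
    echo "regenerated" > "$tmp/bad/ssh_host_ed25519_key.pub"   # different key
    echo "== careful copy"
    check_host_keys "$tmp/old" "$tmp/good" && echo "all host keys match"
    echo "== careless copy"
    check_host_keys "$tmp/old" "$tmp/bad" || echo "$? finding(s)"
    rm -rf "$tmp"
}

demo_host_keys
```

On a real system the two arguments would be the old and new /etc/ssh directories, for instance /mnt/etc/ssh and /target/etc/ssh from the message above.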
[SOLVED] Re: Subject: network-console installation and ssh keys
Quoting Christian Seiler (christ...@iwakd.de):
> - Host temporarily has a different key because of a running
>   installation (or rescue CD or so), but will have the right keys
>   again in the future.
>
>   I have the following alias defined:
>
>   alias sshnv='ssh -o GlobalKnownHostsFile=/dev/null -o UserKnownHostsFile=/dev/null'
>
>   (Just one line, but my mail client wants to wrap.)
>
>   This allows me to do sshnv user@host, but the temporary key will
>   not be remembered (I still have to accept it though).

Perfect, thanks. I now have installer-on which runs

ssh -o GlobalKnownHostsFile=/dev/null -o UserKnownHostsFile=/dev/null installer@$1

for my particular case of running the installer.

>   This is also useful if I don't want to remember the key even if
>   it's not already in the known_hosts file.
>
> - Host will permanently have a new key.
>
>   ssh-keygen -R hostname
>
>   This will remove all keys for a given host from the known_hosts
>   file, and then a new key can be accepted for that host, which
>   will be stored permanently.

And thanks for others' similar suggestions, but I prefer not having to
create a user configuration file.

Cheers,
David.

--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20150420032430.GB19705@alum
Re: Subject: network-console installation and ssh keys
On 20150414_2134+, Liam O'Toole wrote:
> On 2015-04-14, David Wright da...@lionunicorn.co.uk wrote:
> > I like the new Network Console option in the installer. However, when
> > I reinstall Debian onto a machine called, say, desk select the
> > necessary options, type in the password for the installer session, and
> > then sit back with a machine called, lap, when I type
> >
> > ssh installer@desk
> >
> > I get the usual
> >
> > @@@
> > @WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
> > @@@
> > IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
> > Someone could be eavesdropping on you right now (man-in-the-middle attack)!
> > It is also possible that a host key has just been changed.
> > The fingerprint for the RSA key sent by the remote host is
> >
> > because the installer has generated and is running with fresh keys.
> > (I frequently connect from lap to desk and vice versa and so have
> > authorised_keys as well as known_hosts there.)
> >
> > What do most people do here?

On this one, I think *most*people* are like me. I ignore the
warning. Unless I am doing the install in a coffee shop with 'free'
internet access that I have never used before. But at home, if I am
using an ISP that I have been using for several years, and that has a
good reputation in my part of the world, I know the warning does not
apply to me, in my particular situation.

HTH, YMMV, etc., etc.

> > Cheers,
> > David.
>
> Put the following in ~/.ssh/config:
>
> Host desk
>     UserKnownHostsFile /dev/null
>     StrictHostKeyChecking no
>
> See the man page of ssh_config for details.

I think this will silence the warning forever, or at least until
you think to delete those lines from your ~/.ssh/config. I do not
want to do that, because I am too cautious to commit, long term,
to such a departure from what Debian gurus consider to be best
practice. ;-)

YMMV,
Cheers,
--
Paul E Condon
pecon...@mesanetworks.net

Archive: https://lists.debian.org/20150415202628.ga16...@big.lan.gnu
Re: Subject: network-console installation and ssh keys
On 2015-04-15, Paul E Condon pecon...@mesanetworks.net wrote:
> On 20150414_2134+, Liam O'Toole wrote:

SNIP

> > Put the following in ~/.ssh/config:
> >
> > Host desk
> >     UserKnownHostsFile /dev/null
> >     StrictHostKeyChecking no
> >
> > See the man page of ssh_config for details.
>
> I think this will silence the warning forever, or at least until
> you think to delete those lines from your ~/.ssh/config.

SNIP

To overcome that concern, you could do:

Host desk_temporary
    HostName desk
    UserKnownHostsFile /dev/null
    StrictHostKeyChecking no

--
Liam

Archive: https://lists.debian.org/slrnmitlc3.5hq.liam.p.otoole@dipsy.tubbynet
Re: Subject: network-console installation and ssh keys
On 2015-04-14, David Wright da...@lionunicorn.co.uk wrote:
> I like the new Network Console option in the installer. However, when
> I reinstall Debian onto a machine called, say, desk select the
> necessary options, type in the password for the installer session, and
> then sit back with a machine called, lap, when I type
>
> ssh installer@desk
>
> I get the usual
>
> @@@
> @WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
> @@@
> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
> Someone could be eavesdropping on you right now (man-in-the-middle attack)!
> It is also possible that a host key has just been changed.
> The fingerprint for the RSA key sent by the remote host is
>
> because the installer has generated and is running with fresh keys.
> (I frequently connect from lap to desk and vice versa and so have
> authorised_keys as well as known_hosts there.)
>
> What do most people do here?
>
> Cheers,
> David.

Put the following in ~/.ssh/config:

Host desk
    UserKnownHostsFile /dev/null
    StrictHostKeyChecking no

See the man page of ssh_config for details.

--
Liam

Archive: https://lists.debian.org/slrnmir1ui.1t0.liam.p.otoole@dipsy.tubbynet
Re: Subject: network-console installation and ssh keys
On 04/14/2015 10:31 PM, David Wright wrote:
> I like the new Network Console option in the installer. However, when
> I reinstall Debian onto a machine called, say, desk select the
> necessary options, type in the password for the installer session, and
> then sit back with a machine called, lap, when I type
>
> ssh installer@desk
>
> I get the usual
>
> @@@
> @WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
> @@@
> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
> Someone could be eavesdropping on you right now (man-in-the-middle attack)!
> It is also possible that a host key has just been changed.
> The fingerprint for the RSA key sent by the remote host is
>
> because the installer has generated and is running with fresh keys.
> (I frequently connect from lap to desk and vice versa and so have
> authorised_keys as well as known_hosts there.)
>
> What do most people do here?

It depends on what I want to achieve:

- Host temporarily has a different key because of a running
  installation (or rescue CD or so), but will have the right keys
  again in the future.

  I have the following alias defined:

  alias sshnv='ssh -o GlobalKnownHostsFile=/dev/null -o UserKnownHostsFile=/dev/null'

  (Just one line, but my mail client wants to wrap.)

  This allows me to do sshnv user@host, but the temporary key will
  not be remembered (I still have to accept it though).

  This is also useful if I don't want to remember the key even if
  it's not already in the known_hosts file.

- Host will permanently have a new key.

  ssh-keygen -R hostname

  This will remove all keys for a given host from the known_hosts
  file, and then a new key can be accepted for that host, which
  will be stored permanently.

Hope that helps.

Christian

Archive: https://lists.debian.org/552d9814.6060...@iwakd.de
Subject: network-console installation and ssh keys
I like the new Network Console option in the installer. However, when
I reinstall Debian onto a machine called, say, desk select the
necessary options, type in the password for the installer session, and
then sit back with a machine called, lap, when I type

ssh installer@desk

I get the usual

@@@
@WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is

because the installer has generated and is running with fresh keys.
(I frequently connect from lap to desk and vice versa and so have
authorised_keys as well as known_hosts there.)

What do most people do here?

Cheers,
David.

Archive: https://lists.debian.org/20150414203155.ga13...@alum.home
gpg signature ssh keys
hi,

can my gpg signature ssh keys (public private) be imported to a new
installation of debian just by synching my home folder (same user as
in the new system)?

thanks.

--
Regards,
Umarzuki Mochlis
http://debmal.my

Archive: http://lists.debian.org/CAHW9mbxzhbPtUJQb2r4w0TcSnyeGs7HyPyjTyW5q3=tr_-y...@mail.gmail.com
Re: gpg signature ssh keys
On 25/07/2012 8:50 PM, Umarzuki Mochlis wrote:
> hi,
>
> can my gpg signature ssh keys (public private) be imported to a new
> installation of debian just by synching my home folder (same user as
> in the new system)?
>
> thanks.

The GPG keys should be stored in ~/.gpg and the SSH keys in ~/.ssh so
as long as you get the dot files/folders you should be right.

Just remember to make sure that the permissions are correct on the new
system for the files.

Archive: http://lists.debian.org/500feebf.7070...@shthead.com
Re: gpg signature ssh keys
> can my gpg signature ssh keys (public private) be imported to a new
> installation of debian just by synching my home folder (same user as
> in the new system)?

Yes.

Your public and private ssh keys should be in ~/.ssh
Your gpg keys should be in ~/.gnupg

As long as you copy these two folders to your new debian installation,
everything should be alright.

If you are using gnome, you might also want to copy seahorse keyrings
(in ./gnome2 last time I checked, but that might have changed).

To sum up, if you copy your whole user directory to a new
installation, everything should be right where you left them.

Regards,
Gaël

Archive: http://lists.debian.org/1343221711.8462.28.ca...@p76-nom-gd.cnrs-imn.fr
Re: gpg signature ssh keys
2012/7/25 Gaël DONVAL gael.don...@cnrs-imn.fr:
> > can my gpg signature ssh keys (public private) be imported to a new
> > installation of debian just by synching my home folder (same user as
> > in the new system)?
>
> Yes.
>
> Your public and private ssh keys should be in ~/.ssh
> Your gpg keys should be in ~/.gnupg
>
> As long as you copy these two folders to your new debian installation,
> everything should be alright.
>
> If you are using gnome, you might also want to copy seahorse keyrings
> (in ./gnome2 last time I checked, but that might have changed).
>
> To sum up, if you copy your whole user directory to a new
> installation, everything should be right where you left them.

thanks for the confirmation

--
Regards,
Umarzuki Mochlis
http://debmal.my

Archive: http://lists.debian.org/CAHW9mbzwA5Qs4PZRsE1eox5Fi5=+5tmqp_ikklsfpsyvwm8...@mail.gmail.com
Re: gpg signature ssh keys
Hi,

On 25.07.2012 15:50, Umarzuki Mochlis wrote:
> hi,
>
> can my gpg signature ssh keys (public private) be imported to a new
> installation of debian just by synching my home folder (same user as
> in the new system)?

I think that they can, but you should remove ~/.gnupg/random_seed .

SSH keys are stored to ~/.ssh and gpg keyrings and config file are
stored in ~/.gnupg.

If you wanted to move only gpg keys, use

gpg --export -a > pubring.asc
gpg --export-secret-keys -a > secring.asc

Those commands create files called pubring.asc (public keyring) and
secring.asc (private keyring) to current directory (probably your
homefolder).

PS. I presume that you mean GPG keys with GPG signature.

--
Mika Suomalainen

NOTICE! I am on mobile broadband with very limited time, so I cannot
read emails very much. The best time to contact me is probably
weekends when I have better connectivity with good luck.
Archive: http://lists.debian.org/50101349.3030...@hotmail.com
midnight commander and ssh keys
Hi,

how can I use mc with ssh rsa/dsa keys?

regards
-r

--
*The only hope of catharsis, assuming one exists, remains entrusted to
the instinct of rebellion, to revolt not sterilized into projects, to
violent and visceral protest.*
Re: midnight commander and ssh keys
On Sat, Dec 24, 2011 at 11:28:21AM +0100, Raffaele Morelli wrote:
> Hi,
>
> how can I use mc with ssh rsa/dsa keys?
>
> regards

Once you've generated your keys and installed them, mc will use them
to connect. In mc press F9 and select Shell link...

--
Greg Donoghue
g...@gmx.us

Archive: http://lists.debian.org/20111224193128.GA9758@SDF
Re: midnight commander and ssh keys
Greg Donoghue wrote:
> On Sat, Dec 24, 2011 at 11:28:21AM +0100, Raffaele Morelli wrote:
> > Hi,
> >
> > how can I use mc with ssh rsa/dsa keys?
> >
> > regards
>
> Once you've generated your keys and installed them, mc will use them
> to connect. In mc press F9 and select Shell link...

Good info. Thanks

Hugo

Archive: http://lists.debian.org/jd5s9a$hhs$1...@dough.gmane.org
Re: Cron and ssh keys
T o n g wrote:
> How do you handle situations that you need to do rsync etc ssh
> related tasks in cron?

When running under cron you cannot use a passphrase on your ssh
private key.

Since no passphrase can be used you have to ask if you are working in
an NFS environment or not. If under NFS then the only safe user is the
root user since root is converted to nobody due to root_squash
behavior. In which case all cron activity would need to be under
root's account.

If not in an NFS environment then you can safely use filesystem
permissions to protect your key. Create a key without a passphrase and
use it for use in cron.

> I know it need my passphrase before hand, but what if (somehow) the
> machine is rebooted and I haven't get around keying the passphrase
> yet?

That is exactly why going that path can't work.

Bob
SSH Keys and Debian
I have two deb machines I ssh to constantly on our lan. I had
previously set up ssh-keys on these machines to rsync files to one
machine. This morning I ran the ssh update the system update wanted me
to run and can't ssh to this machine without using a password. I've
rerun the keygen on the other machines and transferred them to the
computer I log into but still get prompted for the password. Any
ideas? I figure it's something to do with the update as it generated
all new host keys, etc after it was installed.

Thanks,
Ed
Re: SSH Keys and Debian
On 2008-05-23 19:34, Ed Curtis wrote:
> I have two deb machines I ssh to constantly on our lan. I had
> previously set up ssh-keys on these machines to rsync files to one
> machine. This morning I ran the ssh update the system update wanted me
> to run and can't ssh to this machine without using a password. I've
> rerun the keygen on the other machines and transferred them to the
> computer I log into but still get prompted for the password. Any
> ideas? I figure it's something to do with the update as it generated
> all new host keys, etc after it was installed.

Have you really deleted *all* the vulnerable keys, ie. user keys and
machine keys? (As root run

ssh-vulnkey -a

to check for vulnerable keys.)

Delete all vulnerable keys, ie. all that were generated or could
possibly be created with the affected versions of openssh/openssl.
Create new keys. Debian won't allow log in of users or machines with
vulnerable keys.

NB: Be careful, if you have to do this via ssh to a remote box. You
might not be able to log into that box, if you commit a mistake.

HTH,
Johannes
Updating known_hosts SSH Keys
Hey,

I was recently connecting from one host to another via ssh, and the
remote host's host key had changed. I was expecting this change (I
made it myself in fact), so naturally I just wanted to connect anyway,
despite the warning that SSH gave me, and update my known_hosts file.

I could not find a graceful way to do this. After hacking around
enough, I noticed that SSH told me which line of my known_hosts file
contained the old key. I just removed that line and voila. But I was
anticipating some pretty command or command-line option for ssh that
would replace the key automatically.

Is there any such option? Or does everyone out there basically do what
I did?

Thanks,
- GM
Re: Updating known_hosts SSH Keys
On Mon, Jan 08, 2007 at 09:11:28PM -0500, Grok Mogger wrote:
> Hey,
>
> I was recently connecting from one host to another via ssh, and the
> remote host's host key had changed. I was expecting this change (I
> made it myself in fact), so naturally I just wanted to connect anyway,
> despite the warning that SSH gave me, and update my known_hosts file.
>
> I could not find a graceful way to do this. After hacking around
> enough, I noticed that SSH told me which line of my known_hosts file
> contained the old key. I just removed that line and voila. But I was
> anticipating some pretty command or command-line option for ssh that
> would replace the key automatically.
>
> Is there any such option? Or does everyone out there basically do what
> I did?

What you did. You would never want ssh to automatically replace the
known_hosts entry. It would completely compromise the security of ssh.
You should manually check the fingerprint. In this case, since you
made the change, you can implicitly trust yourself that it is the
correct key.

Regards,

-Roberto

--
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: ssh keys
on Tue, Jan 24, 2006 at 03:44:34PM -0800, Paul Johnson ([EMAIL PROTECTED]) wrote:
> On Tuesday 24 January 2006 08:36, Juraj Fedel wrote:
> > On Mon, Jan 23, 2006 at 04:26:47PM -0300, José Pablo Ezequiel Fernández wrote:
> > > On Mon 23 Jan 2006 15:53, Andreas Janssen wrote:
> > > > Are root logins allowed on the server? What does the server's
> > > > auth.log say?
> > >
> > > That was it, thank you!
> >
> > How do you enable root login if they are disallowed?
>
> Don't. Log in as a normal user and use su or sudo.

Most preferably sudo.

The reason being: while it's still possible that a user account may be
compromised:

1. If you're using sudo, not 'su', then you may be able to keep the
   root password from being a widely known secret. Which is to say,
   not a secret. Very poor (if however, common) practice.

2. You can now identify *which* user account is compromised. If you
   can do this *before* root is compromised, you may be able to both
   prevent a root compromise *and* block that user from accessing
   until they've resecured their own authentication tokens.

3. Even should root be compromised, following a restore/rebuild of
   your system from known trusted media, you can then limit access by
   the account(s) known to be untrusted. Particularly if you limit
   remote SSH access to other than persistent password tokens (e.g.:
   public key authentication, one-time passwords, password generators,
   etc.).

While it's true that evil evildoers of evil can do things like wipe
logs (you *do* have a remote, separately authenticated logging host,
right?), you've got a much better likelihood of being able to
determine the route by which an attacker gained access to your system
and take appropriate countermeasures.

Suddenly finding out that root isn't trusted and having nothing to go
on is a markedly worse situation.

Peace.

--
Karsten M. Self kmself@ix.netcom.com http://kmself.home.netcom.com/
What Part of Gestalt don't you understand?
MX Radio - With Bob Edwards, who needs NPR? http://www.xmradio.com/
Re: ssh keys
On Mon, Jan 23, 2006 at 04:26:47PM -0300, José Pablo Ezequiel Fernández wrote:
> On Mon 23 Jan 2006 15:53, Andreas Janssen wrote:
> > Are root logins allowed on the server? What does the server's
> > auth.log say?
>
> That was it, thank you!
> --
> José Pablo Ezequiel Fernández

How do you enable root login if they are disallowed?

Juraj
Re: ssh keys
Hello

Juraj Fedel ([EMAIL PROTECTED]) wrote:
> [ssh server]
> How do you enable root login if they are disallowed?
>
> Juraj

Change

PermitRootLogin no

to

PermitRootLogin yes

in your /etc/ssh/sshd_config. However I recommend you don't log in as
root directly, instead only allow logins for users, and use sudo or
something similar.

best regards
Andreas Janssen

--
Andreas Janssen [EMAIL PROTECTED]
PGP-Key-ID: 0xDC801674
ICQ #17079270
Registered Linux User #267976
http://www.andreas-janssen.de/debian-tipps-sarge.html
Re: ssh keys
On Tuesday 24 January 2006 08:36, Juraj Fedel wrote:
> On Mon, Jan 23, 2006 at 04:26:47PM -0300, José Pablo Ezequiel Fernández wrote:
> > On Mon 23 Jan 2006 15:53, Andreas Janssen wrote:
> > > Are root logins allowed on the server? What does the server's
> > > auth.log say?
> >
> > That was it, thank you!
>
> How do you enable root login if they are disallowed?

Don't. Log in as a normal user and use su or sudo.

--
Paul Johnson
Email and IM (XMPP Google Talk): [EMAIL PROTECTED]
Jabber: Because it's time to move forward http://ursine.ca/Ursine:Jabber
ssh keys
Hello

I've installed my ssh public keys to various servers. All worked until
a case which didn't work. A server named dev, I installed the key on
[EMAIL PROTECTED]:/home/pupeno/.ssh/authorized_keys and it worked (I
can connect to [EMAIL PROTECTED] using the key), I copied the same key
to /root/.ssh/authorized_keys of that same computer and I can't
connect to [EMAIL PROTECTED] using the key.

At the end of the email is the whole log.

Any ideas of what might be happening ?

Thank you.
--
José Pablo Ezequiel Fernández

$ ssh -v [EMAIL PROTECTED]
OpenSSH_4.1p1 Debian-7ubuntu4, OpenSSL 0.9.7g 11 Apr 2005
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to dev [192.168.0.32] port 22.
debug1: Connection established.
debug1: identity file /home/pupeno/.ssh/identity type -1
debug1: identity file /home/pupeno/.ssh/id_rsa type -1
debug1: identity file /home/pupeno/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.8.1p1 Debian-8.sarge.4
debug1: match: OpenSSH_3.8.1p1 Debian-8.sarge.4 pat OpenSSH_3.*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.1p1 Debian-7ubuntu4
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'dev' is known and matches the RSA host key.
debug1: Found key in /home/pupeno/.ssh/known_hosts:5
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /home/pupeno/.ssh/id_dsa
debug1: Server accepts key: pkalg ssh-dss blen 434
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Offering public key: /home/pupeno/.ssh/id_dsa
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Trying private key: /home/pupeno/.ssh/identity
debug1: Trying private key: /home/pupeno/.ssh/id_rsa
debug1: Next authentication method: keyboard-interactive
Password:
Re: ssh keys
Hello

José Pablo Ezequiel Fernández ([EMAIL PROTECTED]) wrote:
> I've installed my ssh public keys to various servers. All worked until
> a case which didn't work. A server named dev, I installed the key on
> [EMAIL PROTECTED]:/home/pupeno/.ssh/authorized_keys and it worked (I
> can connect to [EMAIL PROTECTED] using the key), I copied the same key
> to /root/.ssh/authorized_keys of that same computer and I can't
> connect to [EMAIL PROTECTED] using the key.

Are root logins allowed on the server? What does the server's auth.log
say?

best regards
Andreas Janssen

--
Andreas Janssen [EMAIL PROTECTED]
PGP-Key-ID: 0xDC801674
ICQ #17079270
Registered Linux User #267976
http://www.andreas-janssen.de/debian-tipps-sarge.html
Re: ssh keys
On Mon 23 Jan 2006 15:53, Andreas Janssen wrote:
> Are root logins allowed on the server? What does the server's
> auth.log say?

That was it, thank you!
--
José Pablo Ezequiel Fernández
SSH keys on USB sticks (was: Re: ongoing attack attempt?)
Hi!

On Tue, 13 Dec 2005 12:03:48 +0100 André Bischof [EMAIL PROTECTED] wrote:

Andreas Pakulat wrote:

?? What are USB sticks for? OK, with putty as the client it's a bit
more problematic...

Is it? At least the earlier versions (I haven't used puTTY for a long
time) could simply be executed. So you should actually be able to
carry a working puTTY around with you on the stick!?

Or is the effort to crack a key's password just as high as decrypting
the key itself, i.e. dependent on the method and key length?

I would be interested in that too.

André

--
Best regards...
Ace
Re: SSH keys and password entry
On Tuesday, 7 June 2005 23:53, Thomas Schoepfer wrote:
> The keys work so far, but when the key is missing the interactive
> password prompt is still offered, which I don't want.
>
> Have I perhaps forgotten to switch some option on or off?

Hello,

at the end of /etc/ssh/sshd_config there is

UsePAM yes

that has to be commented out or set to no, then you can only log in
by key.

Hth
Guido

--
Frequently asked questions and answers (FAQ):
http://www.de.debian.org/debian-user-german-FAQ/
To UNSUBSCRIBE, send a mail to [EMAIL PROTECTED] with the subject
unsubscribe. Problems? Mail to [EMAIL PROTECTED] (English)
Re: SSH keys and password entry
On Saturday 04 June 2005 17.47, Andreas Pakulat wrote:
> On 04.Jun 2005 - 17:20:00, Stephan Holl wrote:
> > Hello list,
> >
> > I have just converted my server from Suse to debian and have a
> > problem with the ssh server.
> >
> > I want only users with a valid ssh key to be allowed to log in;
> > password entry should be deactivated.
> >
> > According to the documentation this is done with the switches
> >
> > PubkeyAuthentication yes
> > PasswordAuthentication no
> >
> > The keys work so far, but when the key is missing the interactive
> > password prompt is still offered, which I don't want.
> >
> > Have I perhaps forgotten to switch some option on or off?
>
> This came up on the ML last month or the month before, search the
> archive. Unfortunately I no longer know exactly what it was, IIRC it
> had something to do with PAM...

That could be

ChallengeResponseAuthentication no

Thomas

--
BOFH excuse #205: Quantum dynamics are affecting the transistors
Re: SSH keys and password entry
On 4.06.05, Stephan Holl wrote:
> PubkeyAuthentication yes
> PasswordAuthentication no
You can:
a) switch off interactive login in general
   ChallengeResponseAuthentication no
b) disable PAM authentication
   UsePAM no
c) switch off only password authentication in PAM, by taking pam_unix.so out of /etc/pam.d/ssh
Depending on what you want.
René van Bevern
Re: SSH keys and password entry
On 04.Jun 2005 - 17:20:00, Stephan Holl wrote:
> Hello list, I have just converted my server from Suse to debian and have a problem with the ssh server. I want only users with a valid ssh key to be allowed to log in; password entry should be disabled. According to the docs this is done with the switches
> PubkeyAuthentication yes
> PasswordAuthentication no
> The keys work so far, but when the key is missing the interactive password prompt is still offered, which I don't want. Did I perhaps forget to switch some option on or off?
This came up on the ML last month or the month before, search the archive. Unfortunately I no longer know exactly what it was; IIRC it had something to do with PAM...
Andreas
--
Good day to deal with people in high places; particularly lonely stewardesses.
Re: SSH keys and password entry
On 04.06.2005 at 17:20:00 +0200, Stephan Holl wrote:
> PasswordAuthentication no
Okay.
> The keys work so far, but when the key is missing the interactive password prompt is still offered, which I don't want.
Shot in the dark: did you restart sshd?
> Did I perhaps forget to switch some option on or off?
Maybe PAM is spoiling things for you...
Andreas
--
Andreas Kretschmer (contact: see header)
GnuPG-ID 0x3FFF606C http://wwwkeys.de.pgp.net
===Schollglas Unternehmensgruppe===
Re: SSH keys and password entry
On 2005-06-04 17:20, Stephan Holl wrote:
> I have just converted my server from Suse to debian and have a problem with the ssh server. I want only users with a valid ssh key to be allowed to log in; password entry should be disabled. According to the docs this is done with the switches
> PubkeyAuthentication yes
> PasswordAuthentication no
in addition:
UsePAM no
cheers,
--
Gerald Holl
http://holl.co.at
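Added example, not taken from any of the posts in this thread: a shell check that reports whether an sshd_config can still produce a password prompt, using the three switches the replies name. It assumes upstream OpenSSH defaults for absent keywords (PasswordAuthentication yes, ChallengeResponseAuthentication yes, UsePAM no), a Linux sshd where PAM is the only keyboard-interactive backend, and it ignores Include files and Match blocks.

```shell
#!/bin/sh
# Added example: can this sshd_config still lead to a password prompt?
# Assumptions: upstream defaults for absent keywords, PAM is the only
# keyboard-interactive backend, Include files and Match blocks are ignored.

# effective_value FILE DEFAULT KEYWORD [ALIAS]
# sshd takes the first occurrence of a keyword; keywords are case-insensitive.
# KEYWORD and ALIAS must be given in lower case.
effective_value() {
    awk -v dflt="$2" -v k1="$3" -v k2="${4:-$3}" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            sub(/[ \t]*=[ \t]*/, " ")        # "Keyword=value" is accepted too
            key = tolower($1)
            if (key == "match") exit         # global section ends here
            if (!found && (key == k1 || key == k2)) {
                val = tolower($2); gsub(/"/, "", val); found = 1
            }
        }
        END { print (found ? val : dflt) }
    ' "$1"
}

# password_prompt_possible FILE
# Prints the method that can still ask for a password and returns 0,
# or prints "none" and returns 1.
password_prompt_possible() {
    pw=$(effective_value "$1" yes passwordauthentication)
    kbd=$(effective_value "$1" yes challengeresponseauthentication \
                                   kbdinteractiveauthentication)
    pam=$(effective_value "$1" no usepam)
    if [ "$pw" = yes ]; then
        echo "password"; return 0
    fi
    # PasswordAuthentication no is not enough while PAM can still run its
    # own password dialogue through keyboard-interactive.
    if [ "$kbd" = yes ] && [ "$pam" = yes ]; then
        echo "keyboard-interactive (PAM)"; return 0
    fi
    echo "none"; return 1
}

# Constructed sample: the situation described in the thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sshd_config fragment
PubkeyAuthentication yes
PasswordAuthentication no
UsePAM yes
EOF
echo "before: $(password_prompt_possible "$sample")"
echo "ChallengeResponseAuthentication no" >> "$sample"
echo "after:  $(password_prompt_possible "$sample")"
rm -f "$sample"
```

On a live system, the output of sshd -T is the authoritative view of the effective settings, since it also resolves Include files.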
[OT] Using 2 or more SSH keys
Hossa,
is it somehow possible to use 2 or more SSH keys as a client (private keys)? The purpose is, for example, one computer in different working environments; honestly I don't have the nerve to copy my key into the authorized_keys file when an SSH key is provided to me *g*
thanks in advice,
rainer
--
Rainer 'Ny' Bendig | http://UnresolvedIssue.org | GPG-Key: 0xCC7EA575
Re: [OT] Using 2 or more SSH keys
On 15.12.2004 at 10:03:42 +0100, Rainer Bendig aka Ny wrote:
> Hossa, is it somehow possible to use 2 or more SSH keys as a client (private keys)?
You overlooked -i in the man page.
Andreas
--
Andreas Kretschmer (contact: see header)
GnuPG-ID 0x3FFF606C http://wwwkeys.de.pgp.net
===Schollglas Unternehmensgruppe===
Question about default SSH keys
Hi,
I am currently working on an automated installation and have run into a small problem... Everything works perfectly so far, but then the matter of the SSH keys occurred to me. I have a source system which is duplicated onto other hardware. Naturally I don't want to use the same SSH keys every time here. So my question is: how are the default keys generated when SSH (v2 only) is installed? I would then use exactly that command to put new keys on the 'cloned' system when duplicating. So I am interested in the ssh-keygen call that is carried out during installation.
I can generate the keys with
rm -rf /zielsystem/etc/ssh/ssh_host_*
chroot /zielsystem/ dpkg-reconfigure ssh
but that does not run cleanly, and it also requires interaction. It would be great if someone could give me the right pointer...
Regards
Mathias
Re: Question about default SSH keys
Hello
Mathias Tauber ([EMAIL PROTECTED]) wrote:
> I am currently working on an automated installation and have run into a small problem... Everything works perfectly so far, but then the matter of the SSH keys occurred to me. I have a source system which is duplicated onto other hardware. Naturally I don't want to use the same SSH keys every time here. So my question is: how are the default keys generated when SSH (v2 only) is installed?
You can read how that works in /var/lib/dpkg/info/ssh.postinst.
Regards
Andreas Janssen
--
Andreas Janssen [EMAIL PROTECTED]
PGP-Key-ID: 0xDC801674 ICQ #17079270
Registered Linux User #267976
http://www.andreas-janssen.de/debian-tipps.html
Re: Question about default SSH keys
On 03.08.2004 12:30, Mathias Tauber wrote:
> I would then use exactly that command to put new keys on the 'cloned' system when duplicating. So I am interested in the ssh-keygen call that is carried out during installation.
> I can generate the keys with
> rm -rf /zielsystem/etc/ssh/ssh_host_*
> chroot /zielsystem/ dpkg-reconfigure ssh
> but that does not run cleanly, and it also requires interaction. It would be great if someone could give me the right pointer...
In /var/lib/dpkg/info you will find the post-install scripts of all installed packages. For ssh it is ssh.postinst. You will surely find the necessary pointers in there.
Regards,
Martin
Re: Question about default SSH keys
Mathias Tauber [EMAIL PROTECTED] wrote:
> I would then use exactly that command to put new keys on the 'cloned' system when duplicating. So I am interested in the ssh-keygen call that is carried out during installation.
You can steal the shell code from the ssh postinst, or take a peek at the ssh init script of Knoppix.
S°
--
BOFH excuse #58: high pressure system failure
Setting up SSH keys
Hi!
I would like to set up ssh keys for the respective users, but unfortunately I don't know how. After looking through the various manpages, I now at least know what format $HOME/.ssh/authorized_keys must have:
options, bits, exponent, modulus, comment
So far so good, but unfortunately I have no idea how to connect that with the key file I created. I have already tried copying the key into authorized_keys, but without success. Can someone help me out? How do I find out, for example, the exponent of my key?
Regards,
Thorsten
PS: ssh/stable uptodate 1:3.4p1-1.woody.3
Re: Setting up SSH keys
On Thu, 01.07.2004 at 16:57:26 +0200, ThoTi wrote:
> Can someone help me out? How do I find out, for example, the exponent of my key?
Is it so hard to ask Google how SSH works? There are loads of pages. For example http://schlittermann.de/ssh
Andreas
--
This message was created with the kind support of a free-range penguin from species-appropriate free-range husbandry. It is guaranteed free of Micro$oft viruses. (#97922 http://counter.li.org) GPG 7F4584DA
What, you don't know where Kaufbach is? Here: N 51.05082°, E 13.56889° ;-)
Re: ssh, ssh-agent and ssh-keys
On Sun, 2 Feb 2003 22:41:09 +0100, Kai Weber [EMAIL PROTECTED] wrote:
> * Marc Haber [EMAIL PROTECTED]:
> > What exactly is the advantage of keychain compared to use-ssh-agent in /etc/X11/Xsession.options in combination with /etc/X11/Xsession.d/90xfree86-common_ssh-agent?
> You don't have to start an X session to enjoy a running ssh-agent including remembered passwords.
Does that mean that anyone who can log in with my privileges can also use the keys that I have loaded in my own session?
> In addition, keychain carries out all the actions necessary to authenticate *once*. Setting use-ssh-agent in /etc/X11/Xsession.options is obviously not enough for that.
No, in addition to use-ssh-agent you also need ssh-add with the corresponding keys. After all, you don't always want to have all keys loaded.
Regards
Marc
--
!! No courtesy copies, please !!
Marc Haber, Karlsruhe, Germany | mail address in header
"Questions are the Beginning of Wisdom" (Lt. Worf, TNG "Rightful Heir")
Nordisch by Nature
Re: ssh, ssh-agent and ssh-keys
* Marc Haber [EMAIL PROTECTED]:
> What exactly is the advantage of keychain compared to use-ssh-agent in /etc/X11/Xsession.options in combination with /etc/X11/Xsession.d/90xfree86-common_ssh-agent?
You don't have to start an X session to enjoy a running ssh-agent including remembered passwords. In addition, keychain carries out all the actions necessary to authenticate *once*. Setting use-ssh-agent in /etc/X11/Xsession.options is obviously not enough for that.
--
» [EMAIL PROTECTED] http://www.glorybox.de
Re: ssh, ssh-agent and ssh-keys
On Wed, 29 Jan 2003 17:51:32 +0100, Torsten Wolf [EMAIL PROTECTED] wrote:
> "keychain - An OpenSSH key manager" should help you there.
What exactly is the advantage of keychain compared to use-ssh-agent in /etc/X11/Xsession.options in combination with /etc/X11/Xsession.d/90xfree86-common_ssh-agent?
Regards
Marc
--
!! No courtesy copies, please !!
Marc Haber, Karlsruhe, Germany | mail address in header
"Questions are the Beginning of Wisdom" (Lt. Worf, TNG "Rightful Heir")
Nordisch by Nature
Re: ssh keys from two behind-the-firewall boxes?
On 1 Feb 2003, Jean-Marc V. Liotier wrote:
> # On the local host :
> ssh-keygen -t dsa -f id_dsa
> # When prompted for a password, just press 'enter'.
> scp id_dsa.pub [EMAIL PROTECTED]:~/
I would strongly recommend using a good pass phrase and ssh-agent. If someone gets your passwordless private key then they can have access to all the machines you connect to (that have your public key). It's like having a plain text file on your local machine with the username and password of all the machines you connect to.
> # On the remote host :
> test -d ~/.ssh || mkdir ~/.ssh
> chmod 700 ~/.ssh
> cd ~/.ssh
> touch authorized_keys2
> cat ~/id_dsa.pub >> authorized_keys2
> chmod 640 authorized_keys2
> rm -f ~/id_dsa.pub
You also need to check which sshd server is running on the remote. This caused me a bit of pain one day: if the remote machine is using an SSH Communications (ssh.com) server, you need to convert your public keys with ssh-keygen
$ ssh-keygen -e -f id_dsa.pub > id_dsa.pub.secsh
then scp that to ~/.ssh2/ on the remote machine and then add that key's file name to the ~/.ssh2/authorization file:
key id_dsa.pub.secsh
There was an article in Sys Admin magazine not too long ago about how to set up more secure password-less for use with cron and other automated tasks, although I can't remember the tool right now. Anyone?
--
Bill Moseley [EMAIL PROTECTED]
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: ssh keys from two behind-the-firewall boxes?
will trillich said:
> at what point are the passphrases required? if passwordless login/scp is the objective, where are the passphrases used?
ssh-agent is designed to prompt you for your passphrase, then it stores it in memory, and automatically 'inputs' it when you connect. That is until you logout or reboot or something. I have never used ssh-agent myself. for my personal account I use SSH w/passphrase and just input it every time. I use passphrase-less keys for mostly non interactive stuff.
running w/o a passphrase is still probably the most common way to perform automated tasks. that is, stuff from cron etc. if the system is properly secured the chance of a key getting compromised is not that great.
on my more secure systems I lock them down to key logins only, so even if they have my root password or account password they have no opportunity to input them.
nate
Re: ssh keys from two behind-the-firewall boxes?
On Sat, Feb 01, 2003 at 12:57:08PM -0800, nate wrote:
> will trillich said:
> > at what point are the passphrases required? if passwordless login/scp is the objective, where are the passphrases used?
> ssh-agent is designed to prompt you for your passphrase, then it stores it in memory, and automatically 'inputs' it when you connect. That is until you logout or reboot or something. I have never used ssh-agent myself. for my personal account I use SSH w/passphrase and just input it every time. I use passphrase-less keys for mostly non interactive stuff.
afaik ssh-agent stores the key in memory, not the passphrase (you never give ssh-agent the passphrase, that's from ssh-add). ssh-agent outputs some environment variables that can be inherited by child processes, and then you load in your key with ssh-add or ssh-askpass. all the child processes that get spawned from the process that launched ssh-agent inherit certain env variables that let them know how to communicate with the agent, that then provides the key-based authentication for connections. this process can further be forwarded onto another machine, and the real beauty of it is that on the remote machine nothing is stored other than a socket to talk back to the agent on the home machine.
for example, this is in my .xsession, and lets me ssh without a password even though i have a passphrase on my key in any child process of my xsession (xterms, etc.):
eval `ssh-agent`
ssh-add .ssh/id_dsa < /dev/null
> running w/o a passphrase is still probably the most common way to perform automated tasks. that is, stuff from cron etc.
true. you can however limit what commands can be executed from authorizing with a specific key. it'd be neat to see some way someone could spawn off cron using ssh-agent, but it'd make boot-up require someone be at the console.
> if the system is properly secured the chance of a key getting compromised is not that great.
that's no attitude to take towards security.
> on my more secure systems I lock them down to key logins only, so even if they have my root password or account password they have no opportunity to input them.
right, but if they're storing a passphraseless key on another machine to which someone else has root, that someone else now has access to your machine too. if that's your root key...
sean
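Added example, not part of the post above: a shell audit of an authorized_keys file that shows which keys are limited by the command="..." and from="..." options, the OpenSSH mechanism for restricting what a specific (for instance passphrase-less cron) key may do and from where. The sample file, its key material and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example: list the keys in an authorized_keys file together with the
# restrictions attached to them. Function names are assumptions of this example.

# audit_authorized_keys FILE
# Prints LINE <tab> STATUS <tab> COMMENT for every key line.
audit_authorized_keys() {
    awk '
    # The options field is comma-separated and may contain blanks inside
    # double quotes, so look for the first blank outside of quotes.
    function split_options(line,    i, c, prev, inq) {
        inq = 0; prev = ""
        for (i = 1; i <= length(line); i++) {
            c = substr(line, i, 1)
            if (c == "\"" && prev != "\\") inq = !inq
            else if (!inq && (c == " " || c == "\t")) break
            prev = c
        }
        OPTS = substr(line, 1, i - 1)
        REST = substr(line, i + 1)
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        # A line without options starts directly with the key type.
        if (line ~ /^(ssh-|ecdsa-|sk-)/) { OPTS = ""; REST = line }
        else split_options(line)
        sub(/^[ \t]+/, "", REST)
        n = split(REST, f, /[ \t]+/)
        comment = (n >= 3) ? f[3] : "-"
        # Blank out quoted values so that text inside them cannot be
        # mistaken for an option name, then match whole option names.
        o = tolower(OPTS)
        gsub(/"([^"\\]|\\.)*"/, "\"\"", o)
        o = "," o ","
        cmd  = index(o, ",command=\"\",") > 0
        from = index(o, ",from=\"\",") > 0
        if (cmd && from) s = "command+from"
        else if (cmd)    s = "command-only"
        else if (from)   s = "from-only"
        else             s = "UNRESTRICTED"
        printf "%d\t%s\t%s\n", NR, s, comment
    }' "$1"
}

# count_unrestricted FILE: number of keys with neither command= nor from=.
count_unrestricted() {
    audit_authorized_keys "$1" |
        awk -F'\t' '$2 == "UNRESTRICTED" { n++ } END { print n + 0 }'
}

# Constructed sample; the key blobs are placeholders, not real keys.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed authorized_keys sample
ssh-ed25519 AAAAplaceholderA alice@laptop
command="/usr/local/bin/backup --nightly",from="192.0.2.10",no-pty ssh-rsa AAAAplaceholderB cron@backup
from="198.51.100.*" ssh-rsa AAAAplaceholderC bob@office
EOF
audit_authorized_keys "$sample"
echo "unrestricted keys: $(count_unrestricted "$sample")"
rm -f "$sample"
```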
Re: ssh keys from two behind-the-firewall boxes?
sean finney said:
> right, but if they're storing a passphraseless key on another machine to which someone else has root, that someone else now has access to your machine too. if that's your root key...
yes that's a good point, forgot about that. I can't remember the last time I had access to another system and didn't have root on it so I guess it just didn't pop into my head. And of course I don't store my personal keys even on servers where another trusted person has access (e.g. my former company's servers, though I stored them on my desktop, to which nobody but I had root to and even then they were not passphrase-less, yeah I'm paranoid :) ).
nate
ssh keys from two behind-the-firewall boxes?
this is probably item #2 of the really-obvious-faq that i'm not yet aware of, so i'll go ahead and ask because i haven't taken the opportunity to look like a goober in, oh, about half a day, now...
doing the ssh-keygen thing works like a charm; you copy your private keys to the remote box and then just slap it into your ~/.ssh/authorized_keys file and poof, no more passwords! so now you can run ssh-driven scripts without having to worry about the username/password interruption.
it's ip-based, isn't it?

  workstation     workstation     workstation
  192.168.1.2     192.168.1.100   192.168.1.201
  key xyzpdq      key 1234567     key x0x0x0x0
       |               |               |
       +---------------+---------------+
                       |
                  192.168.1.5
                   firewall
                  208.33.90.85
                       |
                     {web}
                       |
                  11.22.33.44
                   remote box

but the remote just sees all the 192.168.1.* boxes as 208.33.90.85, right? where's the doc on getting ALL the 192.168.1.* boxes to ssh password-free to the remote machine? (or, when it challenges, the challenge only reaches the firewall, something like that. hmm?)
so far, my experience has been that i can ssh password-free only from the 'on-the-public-link' firewall.
--
I use Debian/GNU Linux version 3.0; Linux server 2.4.20-k6 #1 Mon Jan 13 23:49:14 EST 2003 i586 unknown
DEBIAN NEWBIE TIP #65 from der.hans [EMAIL PROTECTED] :
Wondering about which KEYBOARD SHORTCUTS ARE UNDERSTOOD BY BASH? Enter this at your bash shell prompt:
bind -p | less
and see how much of that you can interpret :). For more info about all of this stuff, do man bash then search for emacs and readline (to search a manpage, press / and then the pattern to look for).
Also see http://newbieDoc.sourceForge.net/ ...
Re: ssh keys from two behind-the-firewall boxes?
will trillich said:
> it's ip-based, isn't it?
in my experience it is key based. though I think with ssh2 you have a more extensive set of options available to you to restrict access further, perhaps to the IP level. but if you just have the keys themselves in ~/.ssh/authorized_keys it should be allowed in, doesn't matter what the IP is.
Though I still use SSH v1 RSA keys for my stuff, haven't gotten around to migrating to SSH v2 yet.
nate
Re: ssh keys from two behind-the-firewall boxes?
Hi,
On Fri, Jan 31, 2003 at 06:08:31PM -0600, will trillich wrote:
> this is probably item #2 of the really-obvious-faq that i'm not yet aware of, so i'll go ahead and ask because i haven't taken the opportunity to look like a goober in, oh, about half a day, now...
> doing the ssh-keygen thing works like a charm; you copy your private keys to the remote box and then just slap it into your
NO! You copy public key to remote machine. You keep private key in local machine in front of you securely :-)
This way, even if this key is stolen, all the thief can do is send you an e-mail and invite you to log into their machine without key word.
> ~/.ssh/authorized_keys file and poof, no more passwords! so now you can run ssh-driven scripts without having to worry about the username/password interruption.
> it's ip-based, isn't it?
SSH checks IP as a part of prudence but its core authentication process is not IP based.
>
>   workstation     workstation     workstation
>   192.168.1.2     192.168.1.100   192.168.1.201
>   key xyzpdq      key 1234567     key x0x0x0x0
>        |               |               |
>        +---------------+---------------+
>                        |
>                   192.168.1.5
>                    firewall
>                   208.33.90.85
>                        |
>                      {web}
>                        |
>                   11.22.33.44
>                    remote box
>
> but the remote just sees all the 192.168.1.* boxes as 208.33.90.85, right? where's the doc on getting ALL the 192.168.1.* boxes to ssh password-free to the remote machine? (or, when it challenges, the challenge only reaches the firewall, something like that. hmm?)
> so far, my experience has been that i can ssh password-free only from the 'on-the-public-link' firewall.
> --
> I use Debian/GNU Linux version 3.0; Linux server 2.4.20-k6 #1 Mon Jan 13 23:49:14 EST 2003 i586 unknown
--
Osamu Aoki [EMAIL PROTECTED] Cupertino CA USA, GPG-key: A8061F32
Debian Reference: post-installation user's guide for non-developers
http://qref.sf.net and http://people.debian.org/~osamu
"Our Priorities are Our Users and Free Software" --- Social Contract
Re: ssh keys from two behind-the-firewall boxes?
On Fri, Jan 31, 2003 at 06:08:31PM -0600, will trillich wrote:
> this is probably item #2 of the really-obvious-faq that i'm not yet aware of, so i'll go ahead and ask because i haven't taken the opportunity to look like a goober in, oh, about half a day, now...
> doing the ssh-keygen thing works like a charm; you copy your private keys to the remote box and then just slap it into your ~/.ssh/authorized_keys file and poof, no more passwords! so now you can run ssh-driven scripts without having to worry about the username/password interruption.
Does anyone have a FAQ on how to set this all up?
Re: ssh keys from two behind-the-firewall boxes?
Matthew Daubenspeck said:
> Does anyone have a FAQ on how to set this all up?
i have a real quick basic thing with SSH v1 on my mrtg page:
http://howto.aphroland.de/HOWTO/MRTG/IPFWCountersWithMRTG
SSH v2 is not *too* much different. though it's been a while since I tried it with DSA authentication, last time I tried it, it was a real bitch to get working (this was about a year ago)
nate
Re: ssh keys from two behind-the-firewall boxes?
On Sat, 2003-02-01 at 01:55, Matthew Daubenspeck wrote:
> On Fri, Jan 31, 2003 at 06:08:31PM -0600, will trillich wrote:
> > doing the ssh-keygen thing works like a charm; you copy your private keys to the remote box and then just slap it into your ~/.ssh/authorized_keys file and poof, no more passwords! so now you can run ssh-driven scripts without having to worry about the username/password interruption.
> Does anyone have a FAQ on how to set this all up?
Below is what worked for me. I think that it may vary according to the version of the SSH protocol that you want to use, but it works like that on a stock Debian unstable.
# On the local host :
ssh-keygen -t dsa -f id_dsa
# When prompted for a password, just press 'enter'.
scp id_dsa.pub [EMAIL PROTECTED]:~/
# On the remote host :
test -d ~/.ssh || mkdir ~/.ssh
chmod 700 ~/.ssh
cd ~/.ssh
touch authorized_keys2
cat ~/id_dsa.pub >> authorized_keys2
chmod 640 authorized_keys2
rm -f ~/id_dsa.pub
That's it, you are set with passwordless SSH. Taking advantage of ssh-agent to avoid using passwordless keys would be the next evolutionary step, but I'm not there yet and I am already very happy to be able to script scp, rsync and unison sessions, and to be able to login everywhere without repetitive keyboard entry.
Re: ssh keys from two behind-the-firewall boxes?
On Fri, Jan 31, 2003 at 05:39:22PM -0800, nate wrote:
> SSH v2 is not *too* much different. though it's been a while since I tried it with DSA authentication, last time I tried it, it was a real bitch to get working (this was about a year ago)
erm, iirc it's the same thing, only if you're using an older version of sshd you need to put the public key in ~/.ssh/authorized_keys2 instead. here's a really simple example:
oil[~]20:58:57$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/finney/.ssh/id_dsa):
Created directory '/home/finney/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/finney/.ssh/id_dsa.
Your public key has been saved in /home/finney/.ssh/id_dsa.pub.
The key fingerprint is:
e1:a2:6a:bc:e3:c9:b8:19:57:bc:a7:6c:b6:82:87:ac [EMAIL PROTECTED]
oil[~]20:59:34$ cat .ssh/id_dsa.pub >> .ssh/authorized_keys2
oil[~]21:00:18$ ssh oil    # <== look ma, no passwd!
Kickstart-installed Red Hat Linux Thu Jan 16 10:36:39 EST 2003    # ^===(disclaimer: not my machine) :)
oil[~]21:00:26$ logout
Connection to oil closed.
oil[~]21:00:27$
however, the above example uses a passphraseless key, which isn't the best wrt security (same goes if you're using sshv1 rsa keys too). what's better is to use ssh-agent and a passphrase on your key.
sean
Re: ssh keys from two behind-the-firewall boxes?
On Sat, Feb 01, 2003 at 02:57:01AM +0100, Jean-Marc V. Liotier wrote:
> On Sat, 2003-02-01 at 01:55, Matthew Daubenspeck wrote:
> > Does anyone have a FAQ on how to set this all up?
> Below is what worked for me. I think that it may vary according to the version of the SSH protocol that you want to use, but it works like that on a stock Debian unstable.
> # On the local host :
> ssh-keygen -t dsa -f id_dsa
> # When prompted for a password, just press 'enter'.
> scp id_dsa.pub [EMAIL PROTECTED]:~/
> # On the remote host :
> test -d ~/.ssh || mkdir ~/.ssh
> chmod 700 ~/.ssh
> cd ~/.ssh
> touch authorized_keys2
> cat ~/id_dsa.pub >> authorized_keys2
> chmod 640 authorized_keys2
> rm -f ~/id_dsa.pub
authorized_keys2 is for backward compatibility. You can simply use authorized_keys.
The ssh-copy-id script shipped with ssh automates this process, except for the initial ssh-keygen stage.
Cheers,
--
Colin Watson [[EMAIL PROTECTED]]
Re: ssh, ssh-agent and ssh-keys
Hello Andreas,
* Andreas Metzler [EMAIL PROTECTED] [29-01-03 23:00]:
> ssh-askpass?
Thanks for the tip, that is exactly the program I was still missing.
--
Regards
Matthias
Re: ssh, ssh-agent and ssh-keys
On 29.01.2003 at 23:00:29 +0100, Andreas Metzler wrote:
> > Under $OTHER_DISTRO I had managed to get asked for the passphrase after logging in via KDM. It was a little window where you had to type it in.
> [...]
> ssh-askpass?
Yes, exactly. I did apt-get install ssh-askpass, but how do I get it to be called at the appropriate place?
Andreas
--
Andreas Kretschmer (contact: see header)
GnuPG-ID 0x3FFF606C http://wwwkeys.de.pgp.net
===Schollglas Unternehmensgruppe===
Re: ssh, ssh-agent and ssh-keys
Hello,
On Wednesday 29 January 2003 15:31, Matthias Fechner wrote:
> [...] But how can I arrange that I only have to enter the passphrase once, e.g. as long as my xsession is running or for a certain time.
in my .bashrc (which is also sourced by .bash_profile) there is:
if [ "$PS1" ]; then
    ...
    case $TERM in
    xterm*)
        ...
        [ -z "$SSH_TTY" ] && ssh-add -l >/dev/null || ssh-add ~/.ssh/id_dsa
        ;;
    *)
        ;;
    esac
    ...
fi
With this, when an xterm is opened (locally), it checks whether the ssh-agent already knows my key. If not, it asks. ;-)
Best regards,
Stephan
--
/* Stephan Hakuli // http://www.hakuli.net // GPG-ID 4006A977
Encryption with GPG or PGG is strongly encouraged, my public key is available on my website or on common public keyservers. */
Re: ssh, ssh-agent and ssh-keys
Hello Andreas,
* Andreas Kretschmer [EMAIL PROTECTED] [30-01-03 11:11]:
> Yes, exactly. I did apt-get install ssh-askpass, but how do I get it to be called at the appropriate place?
I simply put ssh-add into my .Xsession; ssh-add then calls ssh-askpass automatically.
--
Regards
Matthias
Re: ssh, ssh-agent and ssh-keys
On Thu, 30 Jan 2003 11:11:17 +0100, Andreas Kretschmer wrote:
> > ssh-askpass?
> Yes, exactly. I did apt-get install ssh-askpass, but how do I get it to be called at the appropriate place?
ssh-add automagically calls ssh-askpass when ssh-add has no terminal on which to ask for the password.
We had this topic only recently:
http://mailman.schlittermann.de/pipermail/lug-dd/2003-January/019367.html
Reinhard
Re: ssh, ssh-agent and ssh-keys
On Thu, 30 Jan 2003, Andreas Kretschmer wrote:
> Yes, exactly. I did apt-get install ssh-askpass, but how do I get it to be called at the appropriate place?
/etc/X11/Xsession.options
see Xsession.options(5)
Kind regards
Norbert
---
Norbert Preining preining AT logic DOT at Technische Universität Wien
gpg DSA: 0x09C5B094 fp: 14DF 2E6C 0307 BE6D AD76 A9C0 D2BF 4AA3 09C5 B094
---
AINDERBY QUERNHOW (n.) One who continually bemoans the 'loss' of the word 'gay' to the English language, even though they had never used the word in any context at all until they started complaining that they couldn't use it any more.
--- Douglas Adams, The Meaning of Liff
Re: ssh, ssh-agent and ssh-keys
* Andreas Kretschmer [EMAIL PROTECTED] [30-01-03 11:11]:
> On 29.01.2003 at 23:00:29 +0100, Andreas Metzler wrote:
> > > Under $ANDERE_DISTRI I had managed to get asked for the passphrase after logging in via KDM. It was a small window where you had to type it in.
> > [...]
> > ssh-askpass?
> Yes, exactly. I did run apt-get install ssh-askpass, but how do I get it to be called at the right point?

The program is called by ssh-add when ssh-add is called in your .xsession.

    $ cat .xsession
    ...
    /usr/bin/ssh-add
    exec blackbox

See man ssh-add.

HTH
Jens
Re: ssh, ssh-agent and ssh-keys
On 30.01.2003 at 12:30:23 +0100, Reinhard Foerster wrote:
> ssh-add automagically calls ssh-askpass when ssh-add has no terminal on which to ask for the password.
>
> We had this topic only recently: http://mailman.schlittermann.de/pipermail/lug-dd/2003-January/019367.html

Yes, I may be getting old, but I do dimly remember ;-)

Problem solved: my mistake was that I had selected kde3 as the WM in KDM. In that case the .xsession is evidently not honoured. If I leave it at default, it uses the .xsession, and all is well ;-)

Andreas
--
Andreas Kretschmer (contact: see header) Tel. NL Heynitz: 035242/47212
GnuPG-ID 0x3FFF606C http://wwwkeys.de.pgp.net
===Schollglas Unternehmensgruppe===
ssh, ssh-agent and ssh-keys
Hi,

I would now like to switch my ssh setup so that I can work with ssh keys (that already works). This key should be protected with a passphrase, which also already works. But how can I arrange that I only have to enter the passphrase once, e.g. as long as my xsession is running or for a certain time?

--
Regards, Matthias
Re: ssh, ssh-agent and ssh-keys
On 29.01.2003 at 15:31:45 +0100, Matthias Fechner wrote:
> Hi, I would now like to switch my ssh setup so that I can work with ssh keys (that already works). This key should be protected with a passphrase, which also already works. But how can I arrange that I only have to enter the passphrase once, e.g. as long as my xsession is running or for a certain time?

Under $ANDERE_DISTRI I had managed to get asked for the passphrase after logging in via KDM. It was a small window where you had to type it in. Then KDE started and the passphrase was in the agent.

Somehow I have not managed that so far; I make do by typing 'ssh-add' in a terminal after login, then it asks for the passphrase and keeps it until I log out of KDE.

Andreas, interested in a solution like the one under $ANDERE_DISTRI...
--
Andreas Kretschmer (contact: see header) Tel. NL Heynitz: 035242/47212
GnuPG-ID 0x3FFF606C http://wwwkeys.de.pgp.net
===Schollglas Unternehmensgruppe===
Re: ssh, ssh-agent and ssh-keys
On Wed, 29 Jan 2003, Matthias Fechner wrote:
> But how can I arrange that I only have to enter the passphrase once, e.g. as long as my xsession is running or for a certain time?

keychain - An OpenSSH key manager should help you there.

Regards
Torsten
Re: ssh, ssh-agent and ssh-keys
On Wed, Jan 29, 2003 at 03:31:45PM +0100, Matthias Fechner wrote:
> I would now like to switch my ssh setup so that I can work with ssh keys (that already works). This key should be protected with a passphrase, which also already works. But how can I arrange that I only have to enter the passphrase once, e.g. as long as my xsession is running or for a certain time?

Running 'ssh-add' once after login (e.g. by means of a script in Autostart) is enough. You can also put it into the .xsession or the like.

That also makes keychain superfluous, as long as you are running X.

--
Regards, Jens Benecke
http://www.hitchhikers.de: Europe's ride-sharing service since 1998
Travel together, save money - simple and fast!
NEW: now with low-cost, comprehensive accident insurance!
Re: ssh, ssh-agent and ssh-keys
On Wed, 29 Jan 2003 15:31:45 +0100, Matthias Fechner wrote:
> But how can I arrange that I only have to enter the passphrase once, e.g. as long as my xsession is running or for a certain time?

The whole X session should consist of child processes of the ssh-agent. Then you give the ssh-agent the passphrase via ssh-add to unlock the key, and all processes of the X session (so all sshs too) can work with the key without asking for your password again.

Please read man ssh-agent.

Reinhard
Re: ssh, ssh-agent and ssh-keys
Andreas Kretschmer [EMAIL PROTECTED] wrote:
> On 29.01.2003 at 15:31:45 +0100, Matthias Fechner wrote:
> > I would now like to switch my ssh setup so that I can work with ssh keys (that already works). This key should be protected with a passphrase, which also already works. But how can I arrange that I only have to enter the passphrase once, e.g. as long as my xsession is running or for a certain time?

ssh-add.

> Under $ANDERE_DISTRI I had managed to get asked for the passphrase after logging in via KDM. It was a small window where you had to type it in.
[...]

ssh-askpass?

cu andreas
Re: ssh keys keep changing.
> > On one machine, I get this message every time I connect to it. I have tried to reinstall ssh via apt-get remove/install ssh, and I still get the error message every time.
>
> Reinstalling ssh won't solve the problem as some simple reading would make clear. See below.

actually if you are using potato then apt-get'ing ssh will get you openssh not the older version which is now ssh-nonfree.

> Try following the directions given here. Take a look at your ~/.ssh/known_hosts file and make sure the key for mrfan listed in the file matches the key on mrfan.

i had this exact same problem when i tried upgrading to openssh a week ago. i thought at first that it was just that openssh must store the keys in a different format than the old ssh program so i blew away my known_hosts file... but no. after i'd deleted the known_hosts file i could connect to any given host once, but after that i would get the above error ... no matter what i tried.

since i use ssh a lot for work i quickly reverted back to ssh-nonfree.

adam.
ssh keys keep changing.
Hello

I keep getting HOST IDENTIFICATION HAS CHANGED! errors. How do I prevent these errors and how do I ensure that my machines are not under attack from someone?

On one machine, I get this message every time I connect to it. I have tried to reinstall ssh via apt-get remove/install ssh, and I still get the error message every time.

John

The facts,

    suit:~$ ssh mrfan
    @@@
    @ WARNING: HOST IDENTIFICATION HAS CHANGED! @
    @@@
    IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
    Someone could be eavesdropping on you right now (man-in-the-middle attack)!
    It is also possible that the host key has just been changed.
    Please contact your system administrator.
    Add correct host key in /home/davis/.ssh/known_hosts to get rid of this message.
    Agent forwarding is disabled to avoid attacks by corrupted servers.
    X11 forwarding is disabled to avoid attacks by corrupted servers.
    Are you sure you want to continue connecting (yes/no)? no
    suit:~$

John Davis
Re: ssh keys keep changing.
On Fri, Feb 25, 2000 at 11:22:35AM -0500, John Davis wrote:
> Hello
>
> I keep getting HOST IDENTIFICATION HAS CHANGED! errors. How do I prevent these errors and how do I ensure that my machines are not under attack from someone?
>
> On one machine, I get this message every time I connect to it. I have tried to reinstall ssh via apt-get remove/install ssh, and I still get the error message every time.

Reinstalling ssh won't solve the problem as some simple reading would make clear. See below.

> suit:~$ ssh mrfan
> @@@
> @ WARNING: HOST IDENTIFICATION HAS CHANGED! @
> @@@
> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
> Someone could be eavesdropping on you right now (man-in-the-middle attack)!
> It is also possible that the host key has just been changed.
> Please contact your system administrator.

[ start paying attention now :) ]

> Add correct host key in /home/davis/.ssh/known_hosts to get rid of this message.

Try following the directions given here. Take a look at your ~/.ssh/known_hosts file and make sure the key for mrfan listed in the file matches the key on mrfan.

Cheers,
--
Nathan Norman Eschew Obfuscation Network Engineer
GPG Key ID 1024D/51F98BB7 http://home.midco.net/~nnorman/
Key fingerprint = C5F4 A147 416C E0BF AB73 8BEF F0C8 255C 51F9 8BB7
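The comparison this reply describes (the key recorded for mrfan in known_hosts against the key mrfan actually has), as an added example that is not part of the thread. It assumes the current OpenSSH known_hosts line format (host field, key type, base64 key), handles plain and `|1|` hashed host fields but not wildcard patterns; the function names, key blobs, salt and the address 192.0.2.10 are constructed for illustration.

```python
import base64
import hashlib
import hmac

def fingerprint(b64_blob):
    """SHA256 fingerprint as OpenSSH displays it (base64, padding stripped)."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_matches(field, host):
    """True if a known_hosts host field names host (plain list or |1| hashed)."""
    if field.startswith("|1|"):
        _, _, salt, digest = field.split("|")
        mac = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(digest))
    return host in field.split(",")

def check_host_key(known_hosts_text, host, server_pub_line):
    """Return (status, recorded_fingerprints) for host; status is 'match',
    'changed', or 'unknown' when no key of that type is recorded."""
    key_type, key_blob = server_pub_line.split()[:2]
    recorded = []
    for line in known_hosts_text.splitlines():
        fields = line.split()
        # Skip blanks, comments and @cert-authority/@revoked marker lines.
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue
        if host_matches(fields[0], host) and fields[1] == key_type:
            recorded.append(fields[2])
    if not recorded:
        return "unknown", []
    status = "match" if key_blob in recorded else "changed"
    return status, [fingerprint(blob) for blob in recorded]

# Constructed sample data: placeholder blobs, not real host keys.
KEY_A = base64.b64encode(b"constructed host key A").decode()
KEY_B = base64.b64encode(b"constructed host key B").decode()
SALT = b"constructed-salt-20b"
HASHED_SUIT = "|1|%s|%s" % (
    base64.b64encode(SALT).decode(),
    base64.b64encode(hmac.new(SALT, b"suit", hashlib.sha1).digest()).decode())
SAMPLE = ("# constructed known_hosts\n"
          "mrfan,192.0.2.10 ssh-ed25519 %s\n"
          "%s ssh-ed25519 %s\n" % (KEY_A, HASHED_SUIT, KEY_B))

if __name__ == "__main__":
    # The server presents key B where key A was recorded: 'changed'.
    print(check_host_key(SAMPLE, "mrfan", "ssh-ed25519 " + KEY_B + " root@mrfan"))
```

A 'changed' result corresponds to the banner quoted above; the recorded fingerprints it returns are what to compare against the server's key over a trusted channel before editing known_hosts.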
Re: ssh keys keep changing.
On Fri, 25 Feb 2000, John Davis wrote:

davis> Hello
davis>
davis> I keep getting HOST IDENTIFICATION HAS CHANGED! errors. How do I prevent
davis> these errors and how do I ensure
davis> that my machines are not under attack from someone?

remove the file ~/.ssh/known_hosts or edit it to remove the host ID for the host you're having problems with, ssh will prompt you to save it next time you connect.

nate

[mailto:[EMAIL PROTECTED] ]--
Vice President Network Operations http://www.firetrail.com/
Firetrail Internet Services Limited http://www.aphroland.org/
Everett, WA 425-348-7336 http://www.linuxpowered.net/
Powered By: http://comedy.aphroland.org/
Debian 2.1 Linux 2.0.36 SMP http://yahoo.aphroland.org/
-[mailto:[EMAIL PROTECTED] ]--
9:57am up 189 days, 22:18, 1 user, load average: 1.10, 1.05, 1.00